Your Councillors

Appendix 1

Annual Internal Audit Report and Opinion 2018/19

 

 

 

 

 

 

 

 

 

July 2019

 

 

 


Maidstone Borough Council

 


Introduction

1.             The IIA gives the mission of internal audit: to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

2.             The mission and its associated code of ethics and Standards govern over 200,000 professionals in businesses and organisations around the world.  Within UK Local Government, authority for internal audit stems from the Accounts and Audit Regulations 2015.  The Regulations state services must follow the Public Sector Internal Audit Standards – an adapted and more demanding version of the global standards.  Those Standards set demands for our annual reporting:

Independence of internal audit

3.             Mid Kent Audit works as a shared service between Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils. A Shared Service Board including representatives from each council supervises our work based on our collaboration agreement.

4.             Within Maidstone BC during 2018/19 we have continued to enjoy complete and unfettered access to officers and records to complete our work.  On no occasion have officers or Members sought or gained undue influence over our scope or findings.

5.             I confirm we have worked with full independence as defined in our Audit Charter and Standard 1100.

Head of Internal Audit Opinion

Scope and time period

6.             I provide this opinion to Maidstone Borough Council (the Council) to include in its Annual Governance Statement, as published alongside its financial statements for the year ended 31 March 2019.

Scope limits

7.             The role of internal audit need not cover only assurance and may extend towards consultancy, advice and strategic support.  We have agreed with the Committee the overall scope of our work in our Internal Audit Charter and the specific scope of our work this year in our approved Internal Audit & Assurance Plan 2018/19.

8.             However our audit plan cannot address all risks across the Council and represents our best use of inevitably limited capacity.  In approving the plan, the Committee recognised this limit.  Beyond this general disclaimer, I have no specific limits of our scope to report to the Committee.

Consideration of work completed and reliance on others

9.             I have drawn my opinion from the work completed during the year. I first set out the work in the plan approved by Members on 19 March 2018 and later developed it in line with emerging risks and priorities.  I set out in this report the extent and findings from our work in greater detail. 

10.         In completing my work I have placed no specific reliance on external sources.

Information supporting the opinion

11.         The rest of this report summarises the work completed in delivering the internal audit plan through 2018/19.

12.         My opinion draws on the work carried out by Mid Kent Audit during the year on the effectiveness of managing those risks identified by the Council and covered by the audit programme or associated assurance.  Not all risks fall within our work programme. For risks not directly examined I am satisfied an assurance approach exists to provide reasonable assurance on effective management.

Risk and control

13.         The Council is responsible for ensuring it undertakes its business within the law and proper practices. The Council must also ensure it safeguards and properly accounts for its resources, using them economically, efficiently and effectively.  The Council also has a duty under the Local Government Act 1999 to seek continuous improvement in exercising its roles.

14.         The Council has described key parts of its internal control and risk management within the Local Code of Governance and Risk Management Framework.

15.         Organisations design internal controls to manage to an acceptable level rather than remove the risk of failing to achieve objectives.  So, internal controls can only provide reasonable and not complete assurance of effectiveness.  Designing internal controls is a continuing exercise designed to identify and set priorities around the risks to the Council achieving its objectives. The work of designing internal controls also evaluates the likelihood of those risks coming about and managing the impact should they do so.

16.         In completing our work we have considered the control environment and objectives in place at the Council.

Conformance with standards

17.         Mid Kent Audit has conducted its work following the Standards and good practice as represented in our internal quality assurance. This includes working to an agreed audit manual with satisfactory supervision and review.

18.         Our annual review confirms the service remains in full conformance with the Standards, as advised by our external quality assessment from the Institute of Internal Audit in 2015. We are next due an external quality assessment during the year 2019/20.

19.         We describe later in this report our efforts towards continuing improvement and the results of our Quality and Improvement work.


 

Overall conclusion

Internal Control

20.         I am satisfied that during the year ended 31 March 2019 the Council managed its internal controls to offer sound assurance on control effectiveness.

Governance

21.         I am satisfied that Council’s corporate governance arrangements for the year ended 31 March 2019 comply in all material respects with guidance on proper practices[1].

Risk Management

22.         I am satisfied the risk management arrangements at the Council for the year ended 31 March 2019 are effective and provide sound assurance, but note forthcoming revisions to the strategic risk register and recent updates to operational risk approach.

Other Matters

23.         I have no other matters to report as part of my opinion.

 

Rich Clarke CPFA ACFS
Head of Audit Partnership

19 July 2019


 

Internal Control

24.         Internal control is how the Council ensures achievement of its objectives with effectiveness and efficiency; achieving reliable financial reporting and compliance with laws, regulations and policies.  It covers financial and non-financial controls. 

25.         We gain audit evidence to support the Head of Audit opinion on internal control principally through completing the reviews set out within our agreed audit plan.

Maidstone Audit Plan Work 2018/19

26.         This Committee approved our Annual Audit & Assurance Plan 2018/19 on 19 March 2018.  The plan set out an intended number of days devoted to each of various tasks.  We began work on the plan during April 2018 and will close later this month. Although we have some matters to finish, I am satisfied we have advanced our work enough to enable delivery of a robust opinion.  We will provide updates on any work awaiting completion in our interim reporting.

27.         The table below shows progress in total number of days delivered against the plan (with a forecast of final position).


Category

2018/19 Plan Days

Forecast total

Balance

2018/19 Assurance Projects

380

277

-103

Non-Project Assurance Work

120

210

+90

Unallocated Contingency

30

58

+28

Total

530

545

+15

Concluding 2017/18 projects

n/a

80

n/a

 

28.         We forecast final delivery of around 545 audit days.  This is 103% of planned days. We detail the specifics, and results, of this progress further in this report.


Results of Audit Work

29.         The tables below summarise audit project findings up to the date of this report.  Where there are material matters finished before the committee meeting we will provide a verbal update.  (* = Days split between partners, MBC only shown).

Completed Assurance Projects

 

Title

Plan Days

Actual Days

Report Issue

Rating

Notes

2017/18 Assurance Projects Completed After 1 April 2018

 

Food Safety

n/a*

n/a*

Apr-18

Sound

Reported to Members in Jul-18

 

Parking Income

n/a*

n/a*

Apr-18

Sound

Reported to Members in Jul-18

 

Promotion & Marketing

n/a

n/a

May-18

Sound

Reported to Members in Jul-18

 

Insurance

n/a

n/a

May-18

Sound

Reported to Members in Jul-18

 

Legal Services

n/a*

n/a*

Jun-18

Sound

Reported to Members in Jul-18

 

Street Scene

n/a

n/a

Jul-18

Sound

Reported to Members in Nov-18

 

HR Policy Compliance

n/a*

n/a*

Jul-18

Sound

Reported to Members in Nov-18

 

Member Training & Induction

n/a

n/a

Aug-18

Sound

Reported to Members in Nov-18

 

Complaints

n/a

n/a

Aug-18

Sound

Reported to Members in Nov-18

 

Contract Management

n/a

n/a

Nov-18

Weak

Reported to Members in Nov-18

 

Animal Welfare Control

n/a

n/a

Nov-18

Weak

Reported to Members in Nov-18

Planned 2018/19 Assurance Projects Completed so far

I

Housing Allocations

15

15

Aug-18

Sound

Reported to Members in Nov-18

II

CIPFA Financial Resilience Index

5*

4*

Sep-18

N/A

Reported to Members in Nov-18

III

Budgetary Control

15

16

Nov-18

Sound

Reported to Members in Nov-18

IV

Museum Income Collection

16

15

Nov-18

Sound

Reported to Members in Nov-18

V

Absence Management

11*

11*

Apr-19

Sound

 

VI

Accounts Payable

15

15

Apr-19

Sound

 

VII

Markets

18

19

May-19

Sound

 

VIII

Licensing Administration

8*

8*

Jun-19

Sound

 

IX

Building Control

18

25

Jun-19

Sound

 

X

Revenues & Benefits Compliance Team

6*

8*

Jul-19

Sound

 

XI

Council Tax Reduction Scheme

10*

10*

Jul-19

Sound

 

XII

Declarations of Interest

15

15

Jul-19

Weak

 

XIII

General Data Protection Regulations

5*

5*

Jul-19

N/A

 

 

Transformation

18

25

Jul-19

tbc

Draft report issued

 

Planning Enforcement

15

15

Jul-19

tbc

Draft report issued

 

Cyber Security

8*

8*

Aug-19

tbc

Draft report issued

 

Commercial Waste

16

17

Sep-19

tbc

Fieldwork complete

                       


 

Assurance Projects Removed from 2018/19 Plan

Title

Days Spent

Rationale and alternative assurance sources

Air Quality

0

Delayed to allow development of new air quality strategy.

Business Rate Liabilities

1

Rescheduled to 2019/20 owing to audit resource issues.

Cobtree Trust

1

Removed from plan following changes to arrangements led by Maidstone BC.

Community Protection

0

Rescheduled to 2019/20 owing to audit resource issues.

Homelessness Reduction Act

0*

Replaced by individual reviews in 2019/20

IT Technical Support

1*

Rescheduled to 2019/20 to allow service to focus on laptop upgrade project.

Property Management

1

Delayed to allow completion of non-plan work.

Public Consultations

0

Delayed to allow completion of non-plan work.

Recruitment

2*

Rescheduled to 2019/20 owing to audit resource issues.

Waste Contract

2*

Replaced by ad hoc advice support following developments with contractor.

,


I: Housing Allocations (August 2018)

30.         Our testing has concluded applicants entered onto the housing register are suitably scrutinised to establish their eligibility. The housing need and local connection are properly determined, and allocation decisions are transparent.

31.         However, due to a recent lack of resources all areas of the Scheme are not being enforced.  In particular rules around the frequency of bidding and review timescales aren’t being met. Furthermore, there are limited controls in place to prevent MBC Officers from accessing and updating their own housing register accounts.

32.         The Council completed all agreed actions before the end of January 2019.  We have now closed this review.

II: Financial Resilience Index (September 2018)

33.         CIPFA closed its consultation on a proposed Resilience Index (the “Index”) on 24 August 2018.  The stated aim of the index, according to CIPFA is:

“…to be an authoritative measure of council’s financial resilience, drawing on publicly available information, intended to provide an early warning system where it is needed so that action can be taken at a local level in a timely manner.”

34.         CIPFA published a reasonably detailed explanation of its intended method alongside the consultation on its overall proposal.  The core of the method is to take accounts data focusing on RSG reliance, reserve levels and auditor opinions and combine them into a single weighted score.  CIPFA will then adjust the scores to set the median at 100.  Authorities with a score of greater than 100 show signs associated with greater financial resilience than their peers.

35.         Based on the method set out in the consultation, we found all four authorities in the partnership comfortably into or beyond the mid-range with index scores between 98 and 125.   However, there is notable range among districts. The top of the index is 190, far above the median level, with scores falling down to 55.  Across Kent we found a range between 87 and 166.

36.         In December 2018 CIPFA announced plans to move away from a single index and instead publish to authorities a range of financial resilience indicators.  CIPFA will publish the first set of indicators following conclusion of the 2018/19 financial statement audit opinions.

III: Budgetary Control (November 2018)

37.         The Council's budgetary control process is defined within its Financial Procedure Rules. There are no budget monitoring procedure notes to support the process. These should be introduced to provide guidance and ensure a consistent approach.

38.         Training was provided to budget managers in 2017 and this was supplemented by a detailed budget management pack. The Finance team also provide ongoing individual support. However our testing identified staff who hadn't received training and staff who required additional training. Budget managers also made suggestions for improvement to the support provided by Finance in response to our survey.

39.         Our virement testing concluded they were processed and authorised in line with the Financial Procedure Rules.  However the Service needs to better document where the authorisation for the virement has come from.

40.         The final agreed actions, related to budget management training for managers across the Council, fall due for action this month.  We will follow up progress and report to Members later in the year.

IV: Museum Income Collection (November 2018)

41.         Our review concludes that controls are generally operating as designed to ensure that income is appropriately collected, banked and coded. Detailed procedures are in place to help ensure cash is collected, stored and banked accurately and securely. However, our testing found that some invoices sent to schools are not being raised in a timely manner. Combined with ineffective credit control, this has resulted in several late payments. This can be partially attributed a lack of sufficient cover within the team to undertake this task.

42.         The Museum’s income targets have been set as part of the annual budget setting process.  At the time of audit, income (excluding grants) was 19% short of the budgeted year to date target. However this was found to be due to targets not being profiled over the year. There are appropriate mechanisms to monitor income levels.

43.         The Council completed all agreed actions by April 2019.  We have now closed this review.

V: Absence Management (April 2019)

InsertRichText(GetProperty(“Audit.Conclusion”))

<rt>

44.         Our testing found good controls and support available to help both Maidstone and Swale councils track sickness absence and mitigate its impact.  We identified good levels of understanding and conformance among managers on both process and purpose.  The Shared HR Service regularly reports sickness absence levels to senior management and we found evidence of suitable support and action in response.  We highlighted a few minor improvements needed, but our most significant finding concerns training.  The Sickness Toolkit Training is good quality and comprehensive but has low take-up rates. We encourage the councils to consider how to improve engagement with training on absence management.

45.         The actions fall due at the end of September.  We will follow up later in the year and detail progress to Members in our interim report.


 

VI: Accounts Payable (April 2019)

46.         We found that key accounts payable processes are not supported by comprehensive procedure notes.

47.         Our testing has established that access to add and amend suppliers is appropriately restricted, and that new suppliers added and changes to existing suppliers are processed correctly and in a timely manner.  However, there is no evidence that amendments to the supplier master-file are checked and approved by a second officer.

48.         There is good segregation of duties in the invoice payment process and requisitions were authorised, in accordance with the Council's authorised signatory list.   However, we identified one instance where a payment was made prior to the relevant goods being received.  We also identified two instances of late payments, outside the 30-day target.

49.         Credit notes are approved in accordance with the Council's authorised signatory list, with good segregation of duties.  However, three instances were noted where credit notes were not processed in a timely manner.

50.         There is good segregation of duties in the processing of urgent payment transactions.  However, the date the payment request is received is not always recorded.

51.         Invoice payments are not always posted to the ledger in a timely manner.

52.         BACS payments are processed on a weekly basis, prior to the relevant payment run and remittance proposal and remittance confirmation reports are generated and authorised.

53.         System reconciliations were completed but not fully recorded and there was no evidence of reconciliations being independently reviewed or approved.

54.         The agreed actions fall due later in the year.  If all proceeds as planned, the actions will all be complete by October 2019.  We will report progress to Members later this year.


 

VII: Markets (May 2019)

55.         Our review concludes that controls are operating as designed to ensure that income is securely collected, stored and banked. Our testing found that income is appropriately documented and is accurately reconciled and recorded on the financial system.

56.         Sufficient health & safety measures are in place although, there is currently no permanent member of staff on site that is first aid trained.

57.         The service has been extremely proactive in promoting the Market and staff show an exceptional level of commitment to their roles. However, improving resilience and succession planning should be considered to ensure that the Market continues to operate effectively.

58.         The agreed actions fall due this summer and will conclude by September if proceed as planned.  We will follow up and report to Members later this year.

VIII: Licensing Administration (June 2019)

59.         We found the Licensing Partnership prepared suitably for the introduction of the new Animal Licensing legislation, although the changes still added to the staff workload. The service brought in additional resources and prioritised work well, however there are still other tasks that need attention, such as updating procedures.

60.         Our testing found the service process applications inconsistently with several issues that require action. All income is accounted for and there are sound arrangements to ensure continuing service delivery in the event IT resources become unavailable.

61.         The agreed actions fall due this summer and will conclude by end of July if proceed as planned.  We will follow up and report to Members later this year.

IX: Building Control (June 2019)

62.         The Council has effective and embedded processes to ensure that building control applications are processed promptly, consistently and in line with statutory requirements.

63.         From our testing, we are satisfied that there are sound procedures for the setting and collection of fees. We found there to be a good quality of record keeping and noted that solid progress is being made on scanning historic hard copy records.

64.         Areas for improvement are the need to introduce a periodic reconciliation of income charged to income received and for the procedures to be documented.

65.         The agreed actions fall due for completion at the end of 2019.  We will follow up early in the new year and report to Members as part of our 2019/20 Annual Report.

X: Revenues & Benefits Compliance Team (July 2019)

InsertRichText(GetProperty(“Audit.Conclusion”))

<rt>

InsertRichText(GetProperty(“Audit.Conclusion”))

<rt>

Our review found the Council's approach to receiving and dealing with data matches is sound. Procedure notes are in place to support the team, who have clearly defined roles and responsibilities. Our testing confirmed the service generally follows correct procedure and accurately removes and recovers discounts from relevant accounts.

 

66.         We have identified some actions that will improve existing arrangements. These include introducing quality assurance checks on work completed and clear service performance reporting.

67.         The actions fall due at the end of September.  We will follow up later in the year and detail progress to Members in our interim report. 

XI: Council Tax Reduction Scheme (July 2019)

68.         The council tax reduction scheme has been appropriately approved and is being monitored through appropriate performance indicators which are regularly reported to appropriate levels within both Councils. 

69.         Our testing found that all claims sampled were verified, assessed and awarded in line with the scheme.  However, the Data Protection declaration present on the Council Tax Support application form did not include all required text recommended by the Information Commissioners Office in the most recent guidance on privacy statements.

70.         Management have already addressed the sole action arising from our report.  We have therefore closed this review.

XII: Declarations of Interest (July 2019)

71.         This audit focused on the following declarations:

·         Members Declarations of Interest

·         Members & Officers Related-Party Transactions

·         Officer Declarations of Interest

·         Member and Officer Gifts & Hospitality Interests

72.         The Council’s Constitution sets out the requirements in relation to declaration of interests for both Members and Officers and allocates overall responsibility to the Council’s Monitoring Officer.

73.         Our testing established that the processes in place in relation to Member declarations of interest, Member Related Party Transactions and Officer and Member Gifts & Hospitality are generally effective, with some areas for minor improvement.

74.         Our testing also established that all new employees are asked to submit their declaration of interests to HR as part of the corporate induction process and these forms are stored on the employee’s personnel file.  However, these forms are not reviewed by line managers or the Council’s Monitoring Officer.  Additionally there is no effective declaration of interest process in place for existing Council employees.  This is a repeated finding from our last internal audit review of Declaration of Interests, which we completed in March 2015.

75.         Due the lack of consistent procedures in place in relation to officer declarations, we were unable to determine whether officer declarations are assessed as part of the Council’s procurement decision making process.

76.         The assurance rating reflects that despite the previous audit review, there is still no declaration of interest process in place for existing Council officers.  This is a core weakness of control that leaves the Council exposed to uncontrolled risk.

77.         The agreed actions fall due before the end of 2019.  We will follow them up through the remainder of this year and into next and report to Members in our Annual Report.

XIII: General Data Protection Regulations (July 2019)

78.         Our review found the Policy team were thorough in their preparations to help ensure the Council were ready for the new GDPR requirements. This included some actions unique to the 4 partner authorities, such as maintaining a GDPR risk register. The team demonstrated the Council collects and processes data fairly, lawfully and transparently and privacy notices are in line with ICO requirements.

79.         The Council has also justified why and how long it retains personal data, in line with best practice guidance. However, testing found non-compliance with the retention policy, which is not centrally enforced. Along with their Mid Kent partners, the Council has yet to take a decision on how long to retain e-mails for.

 

 


 

Following Up Actions

80.         Our approach to agreed actions is that we follow up each quarter, examining those that fell due in the previous three months.  We take due dates from the action plan agreed with management when we finish our reporting.  We report progress on implementation to Corporate Leadership Team each quarter. Our report includes matters of continuing concern and where we have revisited an assurance rating (typically after action to address key findings).

81.         We summarise the current position below.  The chart shows low priority actions (at the foot of each bar) in green, medium priority in amber (in the middle) and high priority in red (at the top of the bars), with the sole critical action in black. 

82.         We are largely content with officers’ progress on acting to address findings we raise but we note actions often happen a little after originally agreed dates. 

83.         The actions marked as overdue stem chiefly from three specific projects reported originally as part our of 2017/18 audit programme:


 

Emergency Planning (Originally reported March 2018)

84.         The outstanding actions comprise one high priority, two medium priority and one low priority.  The originally agreed action dates fell between June and September 2018 with the high priority action – confirming emergency planning responsibilities – due at the end of June 2018.

85.         The Council first deferred this key agreed action because of administrative issues around changing the job description of the officer appointed to the role.  However, later in the year the officer left the Council during a broader restructure.  Since April the Council has temporarily earmarked the role within the Commissioning and Business Improvement directorate but intends to consider a more permanent solution.  We are continuing to note discussions and will update Members in our interim reporting.

Contract Management (Originally reported November 2018)

86.         The outstanding actions comprise two high priority and two medium priority.  The originally agreed action dates fell at the end of March 2019.

87.         Officers have kept Members of this Committee up-to-date on progress and delays in contract management with separate updates.  We plan currently to revisit these actions early in the autumn and will update Members in our interim reporting.

Animal Welfare Control (Originally reported November 2018)

88.         The two outstanding actions are both high priority with originally agreed action dates at the end of December 2018.  Members will recall this review contained a Critical level action on formalising arrangements with its supplier. The Council has addressed this risk by signing a Service Level Agreement (SLA).  The remaining high priority actions aim to put this formalisation on a secure footing by looking longer term at procurement of the service and its associated financial arrangements.

89.         The delays here partly arise from difficulties in agreeing the SLA with the supplier. However, the service has also experienced key officer departure; the same officer mentioned above.  We plan currently to revisit these actions early in the autumn and will update Members in our interim reporting.


 

Corporate Governance

90.         Corporate governance is the rules, practices and processes that direct and control the Council. 

91.         We gain audit evidence to support the Head of Audit Opinion through completion of relevant reviews in the audit plan, as well as specific roles on key project and management groups.  We also consider matters brought to our attention by Members or staff through whistleblowing and the Council’s counter fraud and corruption arrangements.

92.         We attend the Council’s Information Governance and Corporate Governance Groups.  We also help in upholding good governance by providing advice and training to both officers and Members.

Counter Fraud & Corruption

93.         We consider counter fraud and corruption risks in all of our audit engagements when considering the effectiveness of control.  We also undertake distinct work to assess and support the Council’s arrangements.

94.         During 2018/19 we have completed three longer investigations and a number of preliminary enquiries and ad hoc responses to queries.  One of these investigations, summarised to Members in November 2018, involved a former member of staff receiving a police caution.   We also continue to help managers at the Council with disciplinary and other investigations.

95.         The Council’s whistleblowing policy names internal audit as one route for Members and officers to safely raise concerns on inappropriate or even criminal behaviour.

96.         We have had no matters raised with us for investigation as whistleblowing complaints.

National Fraud Initiative

97.         We continue to coordinate the Council’s response to the National Fraud Initiative (NFI).  NFI is a statutory data matching project and we must send in various forms of data to the Cabinet Office who manage the exercise.

98.         The Cabinet Office released the 2018-19 matches in January 2019 as reported to this Committee in June 2019.  Most matches (66%) fall to the MKS Revenues & Benefits Compliance team to look into. As of June 2019, the team have examined 90% of all matches and have identified 115 errors with a total value of over £42,000.

99.         The remaining matches cover datasets such as creditors, procurement, payroll and housing waiting list.  As of June 2019 we have not yet begun examining the matches as we are currently finalising our testing strategy. The NFI has replaced recommended matches with a fraud risk score, which we will use to guide our investigations.

Risk Management

100.     Earlier in the year we reported to this Committee a summary of risk management work at the Council through the year.  This included a then current look at the Council’s strategic risks.  We have continued to advise on risk management at the Council including a revision of the overarching framework and policy at the beginning of the year.

101.     In January 2019 we also led a risk identification workshop aiming to refresh the Council’s strategic risk register.  We presented a revised analysis of strategic risks, developed from this workshop, to the Policy and Resource Committee in April 2019. 

Other Audit and Advice Work

102.     We also continue to undertake a broad range of special and scheduled consultancy and advice work for the Council. 

103.     A significant component of this work has become completing independent Reviews commissioned by Kent’s Safeguarding Boards.  These follow on from serious incidents and seek to get a view from all local public sector agencies on contact with the relevant individuals, combining to create an overall report aiming to learn and improve services.

104.     During 2018/19 we completed two such reviews - Child H and Child K – following safeguarding incidents concerning children resident in the borough.  These will form a larger part of our work in the new-year as we take on responsibility for all such reviews commissioned to the Council.

105.     We remain engaged and flexible in seeking to meet the assurance needs of the Council. We are happy to discuss opportunities large and small where the Council can usefully employ the experience and expertise of the audit team.

Audit Quality & Improvement

Standards and ethical compliance

106.     Government sets out the professional standards we must work to in the Public Sector Internal Audit Standards (the “Standards”).  These Standards are a strengthened version of the Institute of Internal Audit’s global internal audit standards, which apply across public, private and voluntary sectors in more than 170 countries around the world.

107.     The Standards include a specific demand for reporting to Senior Management and Audit Committee on our conformance with the Code of Ethics as well as the Standards themselves.

108.     We include a short summary of the duties placed on us by the Code as an appendix to this report.  We have included the Code within our Audit Manual and training for some years. We can report to Members we remain in conformance with the Code.

109.     We underwent an external independent assessment in 2015 that reported the service in full conformance with the Standards. During 2019/20 we must undergo a fresh assessment.  We include more details in the next section.

110.     In 2019 we undertook a self-assessment against the Standards and confirm to Members we remain in full conformance.  We include a summary of that assessment on the next few pages, based around the headline Principles which underpin the Standards:


 

External Quality Assessment

111.     Our 2019/20 Audit Plan included full wording from Standard 1312.  That Standard demands all internal audit services seek an external quality assessment at least every five years.  In that plan we set out some headline principles to guide our assessment.

·         A properly qualified and experienced external assessor.

·         A paid review rather than reciprocal or peer arrangement.

·         To consider best practice as well as simple conformance. 

·         One assessment across the whole partnership.

·         Published terms of reference before fieldwork begins.

·         Publish the final report in full to Members, including response to any action plan for improvements.

112.     Members from all four authorities in the partnership supported these principles.  We will therefore go forward to appoint a suitably qualified assessor this autumn, aiming to complete the review late in the year.  We hope to report to Members in spring 2020.

113.     We welcome further discussions from Members, especially Audit Committee Chairs, who wish to engage with the Assessment.  Such engagement could be reviewing bids, being part of interview panels to speak with the Assessors or contributing to surveys.  Please discuss further with the Head of Audit Partnership on how Members can best support the assessment and ensure it gives proper weight to your views on the objectives and quality of the audit service.

Training and Qualifications

114.     We continue to offer strong support to the audit team in continuing development and upholding professional competence.  In 2018/19 this involved providing individual training budgets and supporting people to follow avenues for development suitable for their career position and ambitions.

115.     A key but far from sole part of this approach is supporting professional qualifications.  During 2018/19 we supported several of the team through professional studies and remain pleased with their progress and success.  We would like to highlight:

·         Ben Davis, Auditor, completed the full professional qualification of the Chartered Institute of Public Finance and Accounting (CIPFA).  In doing so, Ben became the first full graduate of our trainee programme begun in 2015.

·         Andy Billingham, Auditor, and Louise Taylor, Trainee Auditor, both completed the second of three stages in the Certificate of Internal Audit (CIA) qualification awarded by the IIA.  We hope to see both complete the full qualification in 2019/20.

·         Jen Warrillow, Audit Manager, passed the second of three stages towards achieving the full Chartered qualification of the Institute of Internal Audit.

116.     For the year ahead we are now working to a new structure which has enabled us to create two Audit Apprentice roles.  These apprentices will follow the full Level 7 Apprenticeship approved by the Government, leading to postgraduate qualifications and everything needed (on paper, at least) to take up a role as Head of Internal Audit.  These apprentice schemes will run until 2022.

117.     We have also continued to work closely with neighbouring authorities. Most notably in a continuing secondment for our Deputy Head of Audit Partnership, Russell Heppleston, as Head of Audit for Dartford and Sevenoaks Councils.  We have renewed this secondment through 2019/20 during which period the authorities will decide on the future shape of their audit service.

118.     Russell’s secondment, and the absence on maternity leave of another manager, have created opportunities within the team for people to gain experience in more senior roles.  Currently, Jen Warrillow is acting manager with responsibility for Maidstone BC and Mark Goodwin at Ashford.  Ben Davis and Andy Billingham, whose qualification achievements we mention above, are both in Senior Auditor roles.

119.     Through regional and national roles, the Head of Audit Partnership continues to represent the service in gaining opportunities for professional development.  This includes developing training with the London Audit Group aimed at supporting aspiring Audit Managers, as well as speaking engagements at national events such as CIPFA Audit Conference.

Performance Indicators

120.     Aside from the progress against our audit plan we also report against some specific performance measures designed to oversee the quality of service we deliver to partner authorities.  We have monthly update meetings with management to discuss service performance and audit results.


 

121.     Note that all figures are for performance across the Partnership.  Given how closely we work together as one team, as well as the fact we examine services shared across authorities, it is not practical to present authority by authority data.  We have changed the set of measures we present to more closely focus on the priorities identified by Members and officers in our 2017/18 Mid Term Review of the service.

Measure

17/18

Final

18/19

Q1/2

18/19

Q3/4

18/19

Final

Overall Plan Progress

-       The percentage of planned audit days delivered

91%

42%

52%

94%

Training Take Up

-       Number of training days per full time equivalent employee (we aim for 15 to 20)

12.3

10.0

10.4

20.4

Audit Feedback

-       The percentage of respondents ‘satisfied’ with their audit engagement

97%

100%

100%

100%

Prompt Reporting

-       Median number of days between fieldwork end and final report issue (we try and keep this under 40)

45

53

37

43

 

122.     While overall performance in the service is good, especially on client satisfaction, our focus in 2019/20 will be on productivity and quicker turnaround of audit reports.  In the latter we are working with audit clients in particular in supporting them to understand and respond to our draft reports promptly to ensure findings remain current.

Acknowledgements

123.     We achieve these results through the hard work and dedication of our team and the resilience that comes from working a shared service across four authorities.

124.     As a management team in Mid Kent Audit, we wish to send our public thanks to the team for their work through the year so far.

125.     We would also like to thank Managers, Officers and Members for their continued support as we complete our audit work during the year.


 

Annex A: Assurance & Priority level definitions

Assurance Ratings 2018/19 (Unchanged from 2014/15)

Full Definition

Short Description

Strong – Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk.  There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities.  Reports with this rating will have few, if any; recommendations and those will generally be priority 4.

Service/system is performing well

Sound – Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks.  Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service.

Service/system is operating effectively

WeakControls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims.  Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service.

Service/system requires support to consistently operate effectively

Poor – Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives.

Service/system is not operating effectively

 


Recommendation Ratings 2018/19 (unchanged from 2014/15)

Priority 1 (Critical) To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.  Priority 1 recommendations are likely to require immediate remedial action.  Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment.  This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.  Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.  There will often be mitigating controls that, at least to some extent, limit impact.  Priority 3 recommendations are likely to require remedial action within six months to a year.  Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.  There will usually be mitigating controls to limit impact.  Priority 4 recommendations are likely to require remedial action within the year.  Priority 4 recommendations generally describe actions the authority could take.

Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.  These will be included for the service to consider and not be subject to formal follow up process.

 

 

 

 

 


 

Annex B: Internal Audit Code of Ethics

Annex C: Update on Progress Towards 2019/20 Plan

19/20 plan

126.     Our 19/20 plan runs from 1 June 2019 to 31 May 2020 with quarter 1 running up to 1 September.  We aim to have fieldwork for the following audits nearing completion by the end of the quarter.

·         Council Tax Billing

·         Recruitment

·         Health & Safety

·         Corporate Credit Cards

·         Developer Contributions

Other work and changes to the plan

127.     We are currently completing work following up the 29 agreed actions for Maidstone that fell due during the first quarter of 2019/20.  We will report to Members in full on the outcomes of that work in our interim reporting later in the year.

128.     In line with our charter, Internal Audit are often involved in non-assurance pieces of work.  Examples of this include undertaking a preliminary investigation into allegations of fraud/misconduct and providing consultancy work as requested by services among others. 

129.     Based on continuing assessment of the risks facing the Council we have undertaken the following additional work since June 2019:

·         A preliminary investigation has been completed following an allegation from a member of the public;

·         The Council has identified that the risk to staff personal safety is of increasing concern. Internal Audit have therefore undertaken a risk review and reported their findings to Corporate Leadership Team;

·         We have recently taken on responsibility for serious case reviews to help support the integrity and independence of that process.  The first one under these newly formed arrangements has now been reported.

·         Using the expertise within the team, we will be doing Housing Benefit case testing in order to support certification and reduce external audit fees.



[1] “Proper practices” are defined by CIPFA/SOLACE and set out in Delivering Good Governance in Local Government Framework (2016).