Annual Internal Audit Report and Opinion 2019/20

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

July 2020
Maidstone Borough Council

 

 

 

 

 

 

 

 

 


Introduction

1.             The IIA gives the mission of internal audit: to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

2.             The mission and its associated code of ethics and Standards govern over 200,000 professionals in businesses and organisations around the world.  Within UK Local Government, authority for internal audit stems from the Accounts and Audit Regulations 2015.  The Regulations state services must follow the Public Sector Internal Audit Standards – an adapted and more demanding version of the global standards.  Those Standards set demands for our annual reporting:

Independence of internal audit

3.             Mid Kent Audit works as a shared service between Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils. A Shared Service Board including representatives from each council supervises our work based on our collaboration agreement.

4.             Within Maidstone BC during 2019/20 we have continued to enjoy complete and unfettered access to officers and records to complete our work.  On no occasion have officers or Members sought or gained undue influence over our scope or findings.

5.             I confirm we have worked with full independence as defined in our Audit Charter and Standard 1100.

The Impact of Covid-19

6.             As soon as the Covid Emergency hit in Mid-March we activated our part of the emergency plan. This essentially recognised audit as a ‘back office’ service. We suspended our audit plan save for work sought specifically by officers and instead made our team available for redeployment across the four partner authorities. I’m pleased to report the audit team was in high demand: we have supported the authorities with more than 300 days’ redeployed work, helping support community hubs and manage grants to local businesses.

Effect on 2019/20 Audit Plan

7.             At the Mid-March point we suspended work on the audit plans, they were some way short of completion. We would normally plan a reasonable chunk of work in the final quarter to allow for full-year coverage of key systems. However a disrupted year with vacancies and secondments meant we had more than usual outstanding. We had a plan to complete the remaining work, including confirming a large order with our main contract audit supplier that we had to postpone when they placed their public audit staff on furlough following a collapse in demand across the country.

8.              The audit team began to return from late May onwards. At this point we began to think how we could reconfigure the remaining work to produce enough quantity and quality for a robust year end opinion. This was especially challenging at Maidstone BC who chose to keep the originally circulated accounts deadlines.

9.             The plan we developed included some temporary changes to our audit approach, which we felt was a better way of preserving audit coverage rather than dropping individual engagements. However we have elected to remove the following:

·         M20-AR08: Business Continuity – We are content that the current situation provides us with evidence on the efficacy of the Council’s Business Continuity arrangements.

·         M20-AR11: Budget Setting – Put back to help ease pressure on the finance department working to similar deadlines as audit.

·         X20-AR01: Information Management – Cancelled because of the assurance we gained through participation in the Council’s information governance groups.

·         X20-AR02: Network Security – We received a report from external specialists in October 2019 and felt repeating the work this spring was too soon. We have this as an area to address in the 2020/21 plan.

·         X20-AR09: IT Project Management – Postponed to 2020/21 to ease pressure on Mid Kent ICT. We will revisit this work later in the year with specialist support.

10.         We made the changes to our audit plan and approach after discussion and with the support of the Council’s s151 Officer. We also shared details with the Chair and Vice Chair of this Committee in mid-June.

11.         The two key temporary changes we have made to our service are:

·         Assurance Ratings – Condensing over 100 hours work into a 15-20 page report is challenge enough, but further summarising in a single word (e.g. “Sound”) can lead inevitably to extended discussions between auditors and officers. With officer time at a premium we decided to focus instead on the narrative conclusion as a summary, and our recommendations for improvement. Therefore engagements completed later in the year have “N/A” as an assurance rating, though we still include the full executive summary in this report.

·         Risk Focus – In planning our work we are always responsive to officer needs to help shape the focus of our work to where we can deliver improvement. However, with reduced timescales, we have decided to focus on only the controls that present the highest risk using work programmes with a less tailored, more generic approach. This means the audit, temporarily, becomes more ‘tick box’ but does allow us to better support the overall opinion. Where there are topics of lower risk highlighted, we may return to them as part of next year’s plan.

12.         By working in this way we have been able to conclude the audit plan sufficiently to support the Head of Internal Audit’s Opinion.

2020/21 Plan

13.         We presented our 2020/21 audit plan to Members on 16 March based on a then-current view of the risks faced by the authority. Clearly since then the risk landscape has changed substantially. We must also reflect our reduced capacity given the extended overhang of 2019/20 plan completion arising from staff redeployment.

14.         We intend to draw up an updated plan during July and August and will re-present to Members in the Autumn.

Head of Internal Audit Opinion

Scope and time period

15.         I provide this opinion to Maidstone Borough Council (the Council) to include in its Annual Governance Statement, as published alongside its financial statements for the year ended 31 March 2020.

Scope limits

16.         The role of internal audit need not cover only assurance and may extend towards consultancy, advice and strategic support.  We have agreed with the Committee the overall scope of our work in our Internal Audit Charter and the specific scope of our work this year in our approved Internal Audit & Assurance Plan 2019/20.

17.         However our audit plan cannot address all risks across the Council and represents our best use of inevitably limited capacity.  In approving the plan, the Committee recognised this limit.  Beyond this general disclaimer, I have no specific limits of our scope to report to the Committee.

Consideration of work completed and reliance on others

18.         I have drawn my opinion from the work completed during the year. I first set out the work in the plan approved by Members on 18 March 2019 and later developed it in line with emerging risks and priorities.  I particularly ask that Members note the adjustments set out above following on from the Covid-19 pandemic. I set out in this report the extent and findings from our work in greater detail. 

19.         In completing my work I have placed no specific reliance on external sources.

Information supporting the opinion

20.         The rest of this report summarises the work completed in delivering the internal audit plan through 2019/20.

21.         My opinion draws on the work carried out by Mid Kent Audit during the year on the effectiveness of managing those risks identified by the Council and covered by the audit programme or associated assurance.  Not all risks fall within our work programme. For risks not directly examined I am satisfied an assurance approach exists to provide reasonable assurance on effective management.

Risk and control

22.         The Council is responsible for ensuring it undertakes its business within the law and proper practices. The Council must also ensure it safeguards and properly accounts for its resources, using them economically, efficiently and effectively.  The Council also has a duty under the Local Government Act 1999 to seek continuous improvement in exercising its roles.

23.         The Council has described key parts of its internal control and risk management within the Local Code of Governance and Risk Management Framework.

24.         Organisations design internal controls to manage to an acceptable level rather than remove the risk of failing to achieve objectives.  So, internal controls can only provide reasonable and not complete assurance of effectiveness.  Designing internal controls is a continuing exercise designed to identify and set priorities around the risks to the Council achieving its objectives. The work of designing internal controls also evaluates the likelihood of those risks coming about and managing the impact should they do so.

25.         In completing our work we have considered the control environment and objectives in place at the Council.

Conformance with standards

26.         Mid Kent Audit has conducted its work following the Standards and good practice as represented in our internal quality assurance. This includes working to an agreed audit manual with satisfactory supervision and review.

27.         During 2019/20, as the Standards demand, we undertook an external quality assessment. After a competitive procurement we commissioned an external assessor from the Chartered Institute of Public Finance and Accountancy (CIPFA) to report on our conformance with the Standards and the quality of the service more generally.

28.         The assessor concluded that Mid Kent Audit works in full conformance with the Standards. We include the full report as an appendix and summarise its findings later in this report.

29.         We also describe later in this report our efforts towards continuing improvement and the results of our Quality and Improvement work.


 

Overall conclusion

Internal Control

30.         I am satisfied that during the year ended 31 March 2020 the Council managed its internal controls to offer sound assurance on control effectiveness.

Governance

31.         I am satisfied that Council’s corporate governance arrangements for the year ended 31 March 2020 comply in all material respects with guidance on proper practices[1].

Risk Management

32.         I am satisfied the risk management arrangements at the Council for the year ended 31 March 2020 are effective and provide sound assurance.

Other Matters

33.         I have no other matters to report as part of my opinion.

 

Rich Clarke CPFA ACFS
Head of Audit Partnership

20 July 2020


 

Internal Control

34.         Internal control is how the Council ensures achievement of its objectives with effectiveness and efficiency; achieving reliable financial reporting and compliance with laws, regulations and policies.  It covers financial and non-financial controls. 

35.         We gain audit evidence to support the Head of Audit opinion on internal control principally through completing the reviews set out within our agreed audit plan.

Maidstone Audit Plan Work 2019/20

36.         This Committee approved our Internal Audit & Assurance Plan 2019/20 on 18 March 2019.  The plan set out an intended number of days devoted to each of various tasks.  We began work on the plan during April 2019 and continued working through to March 2020. After a period of suspension due to the Covid-19 pandemic we resumed work in May and concluded in July 2020.

37.         The table below shows progress in total number of days delivered against the original plan, and the revisions we made to account for staff redeployment.


Category

2019/20 Original Plan

2019/20 Revised Plan

2019/20 Outturn

2019/20 Engagements

331

185

176

Non-Project Assurance Work

159

140

138

Unallocated Contingency

50

60

58

Total

540

385

372

Concluding 2018/19 work

0

0

58

 

38.         Our final delivery was 372 audit days.  This represents, accounting for revisions and changes to approach and risk, approximately 95% completion of the plan.

39.         In our original plan we detailed 30 audit potential engagements, 9 High and 21 Medium priority. Our aim was to complete all the High priority engagements and half of the Medium priority engagements. We have actually completed 7/9 High Priority and 10/21 Medium priority (the 18/19 Network security work spanned two years).

40.         Taking into account the broader assurance sources described in this report, I am satisfied this provides sufficient evidence to support a robust year end opinion.

41.         We detail the specifics, and results, of this progress further in this report.


Results of Audit Work

42.         The tables below summarise audit engagement findings up to the date of this report.  Where there are material matters finished before the committee meeting we will provide a verbal update.  (* = Shared service involving the Council).

Completed Assurance Engagements

 

Title

Priority-Rated Agreed Actions

Report Issue

Rating

Notes

2018/19 Assurance Engagements Completed After 1 April 2019

 

Absence Management*

6 x Med, 3 x Low

Apr-19

Sound

As reported in our 2018/19 Annual Report (July 2019)

 

Accounts Payable

3 x Hi, 3 x Med, 1 x Low

Apr-19

Sound

 

Markets

2 x Med, 1 x Low

May-19

Sound

 

Licensing Administration*

1 x Hi, 2 x Med, 1 x Low

Jun-19

Sound

 

Building Control

1 x Med, 1 x Low

Jun-19

Sound

 

Revenues & Benefits Compliance Team*

3 x Med

Jul-19

Sound

 

Declarations of Interest

4 x Hi, 2 x Med, 8 x Low

Jul-19

Weak

 

General Data Protection Regulations*

None

Jul-19

N/A

 

Council Tax Reduction Scheme*

1 x Med

Aug-19

Sound

 

Transformation

10 x Low

Aug-19

Sound

As reported in out 2019/20 Interim Report (November 2019). Not repeated in this report.

 

Cyber Security*

3 x Med

Oct-19

Sound

 

Planning Enforcement

2 x Hi, 3 x Med, 3 x Low

Nov-19

Weak

I

Commercial Waste

1 x Med, 3 x Low

Dec-19

Sound

2018/19 work completed after our interim report. This is the first summary report to Members.

 

 

Planned 2019/20 Assurance Engagements Completed

II

Corporate Credit Cards

3 x Low

Oct-19

Sound

In 2019/20 Interim Update December 2019 but repeated in this report

III

Recruitment*

1 x Med, 1 x Low

Nov-19

Sound

IV

Civil Parking Enforcement*

2 x Med, 4 x Low

Dec-19

Sound

 

V

Parks

1 x Med, 6 x Low

Dec-19

Sound

 

VI

Council Tax Billing*

1 x Low

Apr-20

Strong

 

VII

Health & Safety

3 x Hi, 4 x Med, 10 x Low

May-20

Weak

 

VIII

Discretionary Housing Payments*

2 x Low

May-20

Sound

 

IX

ICT Technical Support*

4 x Low

Jul-20

N/A

 

X

Social Media

2 x Med, 4 x Low

Jul-20

N/A

 

XI

Treasury Management

None

Jul-20

N/A

 

XII

Universal Credit*

None

Jul-20

N/A

 

XIII

Customer Services

1 x Med, 1 x Low

Jul-20

N/A

 

XIV

Noise Nuisance

1 x Hi

Jul-20

Draft

Final report expected by end of July

XV

Planning Discharge Conditions

3 x Med

Jul-20

Draft

XVI

Waste Crime Team

1 x Hi, 4 x Low

Jul-20

Draft

 

Members’ Allowances

[to be confirmed]

Aug-20

Draft

Final report expected early August

 


 

Assurance Engagements Removed from 2019/20 Plan

Title

Rationale and alternative assurance sources

(1) Developer Contributions

We took the decision to postpone this work pre-covid emergency following a change in delivery model within the service.

(2) Business Continuity, (3) Budget Setting, (4) Information Management, (5) Network Security, (6) IT Project Management

As set out in Impact of Covid-19 section above.

(7) General Ledger, (8) Subsidiary Company Governance, (9) Economic Development, (10) Residents’ Parking, (11) IT Asset Management, (12) IT Backup & Recovery, (13) Workforce Planning

Medium Priority projects not taken up in 2019/20.

,


I: Commercial Waste (2018/19 Plan work reported Dec 19)

43.         The service has recently updated its customer strategy to set out fitting objectives.  We found the service properly considers staffing and vehicle resilience with controls in place to manage any shortages without customer disruption.  The service manages its health and safety requirements well, although we suggest reintroducing unannounced spot checks to provide positive assurance.

44.         The service encourages customers to use prepaid sacks to limit the risk of bad debt.  However, stock control around the prepaid sacks needs improvement with over a quarter unaccounted for at year end during 2016 with no controls introduced since to prevent recurrence

II: Corporate Credit Cards (Oct 19)

45.         It is the responsibility of Finance to provide oversight of the corporate credit card process, and for cardholders to uphold the conditions outlined in the Council’s Corporate Credit Card (CCC) policy, which was last refreshed in November 2018.  The CCC policy must be upheld in conjunction with the Council’s Financial Procedures, Gifts & Hospitality, Travel & Subsistence, and Non-Cash Reward Policies.

46.         The audit confirmed that generally the CCC policy is followed with effective controls in place which ensure segregation of duties and to detect contravention.  Our testing returned largely positive results but did identify a few minor findings with opportunities to tighten application of the controls.  These include reminding cardholders to provide receipts or to complete a ‘Card Purchase – No Receipt’ form to substantiate all credit card transactions and periodically reviewing cardholder limits to ensure they are appropriate. 

III: Recruitment (Nov 19)

47.         We found the majority of the council's controls, to mitigate the risk of being unable to recruit staff with the right skills to deliver priorities, are well designed and fully operating.

48.         Our testing established the service maintains a workforce strategy at each council and joint recruitment and selection policy/procedures, which are regularly reviewed. These key documents provide a framework upon which the recruitment process is based.

49.         Recruitment roles are clearly defined and both Council’s offer extensive staff rewards, which are continuously reviewed for appropriateness and adequacy.

50.         Our testing of the recruitment process established compliance with procedures in all areas apart from training and retention of interview notes. Not all interview panels have an officer who has received recruitment and selection training. It is also unclear if they have instead satisfied the training requirement based on their experience.

51.         Evidence of interview notes were not always saved, without these we could not establish if the selection process was completely fair and transparent. We have made recommendations to address these areas.

IV: Civil Parking Enforcement (Dec 19)

52.         We found the majority of controls mitigating the risks surrounding parking enforcement are well designed and fully operating for both Maidstone and Swale.

53.         The service is undertaking all functions as specified by the agency agreement with Kent County Council to provide on-street enforcement and the contract with Apcoa ensures adequate coverage. Our testing also confirmed that parking enforcement activities comply with the Traffic Management Act 2004.

54.         There is a known compatibility issue between the cash receipting system at Maidstone and the parking system which increases the risk of enforcement action being taken when PCNs have been paid. The service has implemented reconciliation controls to promptly identify errors between the systems but there are no such controls in place at Swale. We recommend controls are adopted at Swale to ensure all income due is received and accounted for.

55.         We have also identified some actions that will improve existing arrangements. These include implementing procedure notes to support processes and reviewing workflow functionality to ensure all correspondence is handled.


 

V: Parks (Dec 19)

56.         We found there are management plans in place for the key parks and open spaces in the Borough, which conform with the broad format recommended by best practice. The Grounds Maintenance team have flexible maintenance schedules in place to ensure the parks are appropriately kept and our testing found maintenance took place as expected. There are sound processes in place to generate income via football pitch hire and park events, although we note some minor issues regarding the accuracy of charges.

57.         Our testing highlights some necessary improvements regarding the tree surveys. In particular, the service has not updated its database to reflect the current condition of the Borough's trees, following works arising from consultants' recommendations.

VI: Council Tax Billing (Apr 20)

58.         There are effective controls in place to manage the Council Tax billing process.  We found that procedure notes and training are available to staff involved in the process which is designed in such a way as to prevent technical errors.  Reconciliations and test runs ensure that the information required is accurate.  Sample testing found that precepts, bands and discounts are applied correctly meaning bills sampled were accurate.  The process is managed by a timetable which reflects key milestones and considers contact with staff outside of the Revenues team. 

VII: Health & Safety (May 20)

59.         We found the Council has adequate Health and Safety policies and procedures, which help to provide a framework for all staff to adhere to Health and Safety Regulations/guidance. Controls around accident/incident reporting and lone working are also sound. However, the second line of defence is weak and there is little to no assurance sought over compliance with health and safety procedures which has led to several gaps in control.

60.         Currently the Council does not know how many of its staff have undertaken a DSE risk assessment. We found only three of the ten officers sampled had completed one. The Council is therefore at risk of failing to protect workers from the health risks of working with display screen equipment.


 

61.         Arrangements around fire safety need improving. The fire doors at the Crematorium were identified as needing replacement in 2010 but were not ordered until August 2019.  Also, we found fire alarm and evacuation tests are not being conducted in accordance with the Council's policy.

62.         The Council’s mandatory health and safety training modules have been completed by 62%-84% of officers.  The highest rate of non-completion is at senior manager level, with no head of service or above having completed all the courses and two having completed none.  The overall completion rate at this level is 39%.

VIII: Discretionary Housing Payments (May 20)

63.         The Discretionary Housing Payments policy provides an outline to how the Councils operate the DHP scheme. Although the policy provides the specification, it is ultimately up to the discretion of the business support team’s officers to process and award claims based on eligibility criteria. Staff have high levels of autonomy when processing claims; there is no system of management authorisation of claims, even for those of higher value. Audit testing confirmed that all necessary forms of supporting documentation were retained on the document filing system, Anite.

64.         A budget report is run from the Academy system on a monthly basis, however, through testing a sample of six months only two months’ worth of budget reports could be provided. Furthermore, the budget reports available displayed no indication of management sign-off or meaningful analysis.

IX: ICT Technical Support (Jul 20)

65.         Mid Kent ICT’s qualified and trained staff support the organisation by resolving IT related problems promptly.  Tickets are prioritised upon receipt, tracked using status classifications and there is a protocol for following up closed tickets to ensure a satisfactory resolution.  There are two targets, first response time and resolution time for each category of response.  Between the introduction Freshdesk on 20th January and 29th February 2020, 98% of tickets have achieved both targets.

66.         There are some controls around training and monitoring open cases which could benefit from minor improvements.


 

X: Social Media (Jul 20)

67.         The Council is engaging well with residents and businesses on social media to help raise awareness of services, strategies and campaigns. We found the Communications Team are posting content across channels in accordance with the Council’s policy and are responding to customers promptly.

68.         However, we have identified some minor areas for improvement, including updating the social media policy and ensuring all social media accounts are managed in line with the policy.

XI: Treasury Management (Jul 20)

69.         We found the Council’s Treasury Management function operates in compliance with the CIPFA Code of Practice. Regular advice is also sought and acted on from independent qualified consultants.

70.         Our testing confirmed transactions are appropriately authorised, in accordance with the Council’s Treasury Management Strategy.

XII: Universal Credit (Jul 20)

71.         The focus of our testing has been on the risk of improper transfer of information to the Department for Work and Pensions (DWP).  Our testing in this area did not identify any weaknesses in control so the risk is maintained at an acceptably low level.

72.         Requests for information from the DWP are appropriately vetted to ensure that they come from a valid source.  There is no standard template for transferring information to the DWP, however given the low level of requests received (around 6 a year) this control is considered unnecessary.  A DWP escalation process is in place and includes a list of DWP contacts.  This ensures that information is sent to an appropriate DWP account.

73.         As a result of the low level of requests received from the DWP, and difficulties in identifying those requests, we have been unable to undertake testing as planned.  We are however, satisfied with the design of the controls.

74.         The risk of inappropriate advice being given to the public was not tested as part of this audit.  Very few requests are received and there is a wide variety of information available from other sources which individuals can access.  As such the risk to the Maidstone and Tunbridge Wells Borough Councils is low.

XIII: Customer Services (Jul 20)

75.         We conclude based on our audit work that Customer Services has effective controls in place to manage the risks and support the delivery of objectives regarding customer service enquiries.

76.         Our testing confirmed Customer Service Advisers (CSA's) adequately record customer enquiries on the CRM system.  They have been provided with appropriate access to systems used in other service areas supported by Customer Services. CSA’s receive appropriate training on all systems and the Service maintains an up to date training record.

77.         However, service level agreements, which detail the expectations placed on Customer Services by supported Council services do not specify performance indicators to be used and have not been finalised.

XIV: Noise Nuisance (Jul 20)
Currently in draft but executive summary agreed for release

78.         There is a policy and framework in place to receive and investigate complaints of statutory noise nuisance and these are in line with the Environmental Protection Act 1990.

79.         We found for eight out of ten investigations tested, the original complaint had been risk assessed prior to being investigated. However, three investigations were not adequately documented so we have been unable to establish whether the correct procedure was followed. There is a lack of clarity in relation to two particular cases which has resulted in the service being unaware of whether noise recording equipment has been collected from a property and what actions have been taken to investigate and resolve these cases.

XV: Planning Discharge Conditions (Jul 20)
Currently in draft but executive summary agreed for release

80.         Planning conditions are agreed when an application for planning permission is approved. As such, applicants and officers are aware of the criteria that must be met so that conditions can be discharged. The 'conditions' element of the planning process is seen as 'low risk', and the Council only deals with applications to discharge conditions when they are received. There is no monitoring process in place to follow up on conditions imposed where an application is not received.

81.         Our testing found that the arrangements in place for discharging conditions are soundly based. The validation of applications is in line with the prescribed performance target, and the decisions of Planning Officers are underpinned through a raft of guidance and training.

82.         We make one recommendation where our testing has shown that target decision times are not being met.   The cause of this issue is not new and centres on how applications are received and recorded.  Currently applications can include an indeterminate number of conditions with no distinction in terms of the condition’s complexity (or if they relate to a minor or major application).  All are subject to determination within 8 weeks and our testing of nine cases found that this target was only met on two occasions.  We recommend that the service uses the facility to amend target decision timescales where applicable and also revisit the concept of splitting up conditions on applications where it is appropriate.

XV: Waste Crime Team (Jul 20)
Currently in draft but executive summary agreed for release

83.         We found the Council is generally controlling its risks in order to help try to reduce fly-tipping and littering in the Borough. Fixed penalty notices (FPNs) for waste crime offences are being issued in accordance with relevant legislation and guidance. The service is monitoring levels of income and there are proportionate measures in place to publicise waste crime successes and discourage offences.

84.         However, we found that because of limited resources, unpaid FPNs for some waste crimes are not routinely prosecuted, which means the Council is non-compliant with DEFRA’s Code of Practice for litter and refuse. We have also identified some other minor areas for improvement for the service to consider, relating to staff cover and procedure notes.

 


 

Following Up Actions

85.         Our approach to agreed actions is that we follow up each quarter, examining those that fell due in the previous three months.  We take due dates from the action plan agreed with management when we finish our reporting.  We report progress on implementation to Corporate Leadership Team each quarter. Our report includes matters of continuing concern and where we have revisited an assurance rating (typically after action to address key findings).

86.         We were due to undertake our examination of actions falling due in the final quarter of 2019/20 during April and May 2020. We postponed that work to allow staff redeployment and have prioritised completion of audit engagements since their return. We will track progress on Q4 agreed actions alongside those falling due at the end of Q1 2020/21 and will report results to Members later in the year.

87.         We summarise the current position below.  The chart shows low priority actions (at the foot of each bar) in green, medium priority in amber (in the middle) and high priority in red (at the top of the bars). 

88.         Overall we are content with officers’ progress on acting to address findings we raise in our reviews. 


Corporate Governance

89.         Corporate governance is the rules, practices and processes that direct and control the Council. 

90.         We gain audit evidence to support the Head of Audit Opinion through completion of relevant reviews in the audit plan, as well as specific roles on key project and management groups.  We also consider matters brought to our attention by Members or staff through whistleblowing and the Council’s counter fraud and corruption arrangements.

91.         We attend the Council’s Information Governance Group and Corporate Governance Working Group.  We also help in upholding good governance by providing advice and training to both officers and Members.

Counter Fraud & Corruption

92.         We consider counter fraud and corruption risks in all of our audit engagements when considering the effectiveness of control.  We also undertake distinct work to assess and support the Council’s arrangements.

Whistleblowing, money laundering and investigations

93.         The Council’s whistleblowing policy names internal audit as one route for Members and officers to safely raise concerns on inappropriate or even criminal behaviour.

94.         We have had no matters raised with us for investigation as whistleblowing complaints that it is appropriate to report at this time.

95.         We have also had no matters raised with us noting concerns that may indicate a breach of money laundering regulations.

Investigations

96.         In November we reported we had liaised with a specialist division of the Police Service, the National Investigation Service (NATIS) concerning a long running investigation. Following NATIS’ advice the investigation was closed. We are in discussion with CLT about how best to take forward the learning for the Council arising from the investigation.

97.         We also noted in our interim report that we had investigated a specific allegation from a member of the public concerning bribery and corruption within the Council’s planning service. We found no evidence to substantiate the allegation. We invited the complainant to provide any additional evidence held. We received no response and so have closed the investigation.

98.         We have also contributed advice and support to investigations led by other sections of the Council.

National Fraud Initiative

99.          We continue to coordinate the Council’s response to the National Fraud Initiative (NFI).  NFI is a statutory data matching project and we must send in various forms of data to the Cabinet Office who manage the exercise.

100.       During 2019/20 we investigated 177 matches across 5 datasets (Creditors, Payroll, Procurement, Licensing and Housing Waiting List). We found:

·         No instances of fraud.

·         4 errors in the Waiting List dataset, resulting in an estimated saving[2] of £12,960.

Risk Management

101.     The Council keeps a corporate risk register. These risks draw from the service level risk profile and cover matters that threaten the Council’s strategic objectives. The Corporate Leadership Team (CLT) oversee these risks collectively owing to their severity or breadth of impact across several services. We also regularly report the corporate risk register to the Policy and Resources Committee.

102.     We published the most recent update in June 2020. This included adjustments and additions to reflect risks issues related to Covid19 and wider crisis (emergency) management.

103.     The Audit, Governance & Standards Committee oversee the risk management framework. This Committee also receives an annual report on the effectiveness of the risk management arrangements.


 

104.     We provide below a summary of the current corporate risk issues and scores are with the recent change. This shows the expected risk score following the Council’s response to take action to address the risk. Our audit work during the year aligns to these key risk issues.

Corporate Risk Title

Current Risk Assessment

(existing controls)

Target Risk Assessment

(planned controls)

Direction of travel

Major Emergency

15

15

-

Resurgence of Covid-19

20

16

Reduce

Climate Change

16

16

-

Partnerships

16

12

Reduce

Financial Uncertainties

20

12

Reduce

ICT Security

12

12

-

Community Engagement

12

6

Reduce

Housing Pressures

12

9

Reduce

105.     We gain assurance on arrangements to manage risks through our active role in the risk management framework. Our role includes drawing together risk information from across the corporate and operational risk profiles and reporting results to Management. In addition, we track progress of risk responses and actions. We plan to set up new risk management software this year to help make this tracking more efficient.

Other Audit and Advice Work

106.     We also continue to undertake a broad range of special and scheduled consultancy and advice work for the Council. 

107.     As reported to Members in November 2019, during the year we undertook two serious case reviews for the Council after commissions from the Kent Safeguarding Board. 

108.     We also, after reaching agreement with the Council’s external auditors, took on a significant proportion of the testing the Council would otherwise have paid Grant Thornton to complete on Housing Benefit Certification.

109.     We have also led and contributed to a series of Member briefings at the Council on issues of governance interest. We are keen to hear from Members on any other areas of interest which may form future briefing sessions.

110.     We remain engaged and flexible in seeking to meet the assurance needs of the Council. We are happy to discuss opportunities large and small where the Council can usefully employ the experience and expertise of the audit team.

Audit Quality & Improvement

Standards and ethical compliance

111.     Government sets out the professional standards we must work to in the Public Sector Internal Audit Standards (the “Standards”).  These Standards are a strengthened version of the Institute of Internal Audit’s global internal audit standards, which apply across public, private and voluntary sectors in more than 170 countries around the world.

112.     The Standards include a specific demand for reporting to Senior Management and Audit Committee on our conformance with the Code of Ethics as well as the Standards themselves.

113.     We include a short summary of the duties placed on us by the Code as an appendix to this report.  We have included the Code within our Audit Manual and training for some years. We can report to Members we remain in conformance with the Code.

External Quality Assessment

114.     Our 2019/20 Audit Plan included full wording from Standard 1312.  That Standard demands all internal audit services seek an external quality assessment at least every five years.  In that plan we set out some headline principles to guide our assessment.

·         A properly qualified and experienced external assessor.

·         A paid review rather than reciprocal or peer arrangement.

·         To consider best practice as well as simple conformance. 

·         One assessment across the whole partnership.

·         Published terms of reference before fieldwork begins.

·         Publish the final report in full to Members, including response to any action plan for improvements.

115.     Members from all four authorities in the partnership supported these principles.  In late 2019 we undertook a competitive procurement to appoint an assessor. We consulted Members on the procurements and had non-audit team members included in bid scoring representing Directors at all four partner authorities.

116.     We include the report in full as an appendix to the annual report but reproduce here the conclusion by way of overall summary:

117.     We believe this makes us the first audit service to have received Fully Conforms assessments from both major relevant professional bodies: the Institute of Internal Audit (in 2015) and CIPFA (2020).

Training and Qualifications

118.     We continue to offer strong support to the audit team in continuing development and upholding professional competence.  In 2019/20 this involved providing individual training budgets and supporting people to follow avenues for development suitable for their career position and ambitions.

119.     A key but far from sole part of this approach is supporting professional qualifications.  During 2019/20 we supported several of the team through professional studies and remain pleased with their progress and success.  We would like to highlight:

·         Louise Taylor: Completed her traineeship with Mid Kent Audit by passing the final exams with the Institute of Internal Audit to become a Certified Internal Auditor (CIA). We are pleased to confirm Louise will stay with the Partnership as a qualified auditor.

·         Mark Goodwin: Completed his qualification with CIPFA to become an Accredited Counter Fraud Specialist.

·         Rich Clarke: Completed the written assessment to achieve the full Chartered qualification from the Institute of Internal Audit (to go alongside his already held full Chartered qualification from CIPFA). The final interview stage is on 21 July.

·         Russell Heppleston: Completed his qualification with the Institute of Risk Management to become a Certified Member of that institute.

·         Andy Billingham: Completed stage two of three in his journey towards the CIA qualification. Andy will sit the stage 3 (final) exam later this year.

·         Cath Byford & Katie Bucklow: Our two apprentices have made good starts on their Level 7 Apprenticeship schemes. These include exams set both by the University (Birmingham City University) and the IIA. Cath has completed the first two University Exams and also stage one of the CIA qualification. Katie, who joined us in August, was successful in her first University Exam earlier this year.


 

120.     Also during 2019/20 we have worked closely with neighbouring authorities. Most notably in seconding our Deputy Head of Audit Partnership, Russell Heppleston, as Head of Audit for Dartford and Sevenoaks Councils.  That secondment ran from August 2018 until January 2020, after which Russell returned to Mid Kent Audit to a revised and expanded Deputy Head of Audit Partnership role.

121.     Through regional and national roles, the Head of Audit Partnership continues to represent the service in gaining opportunities for professional development.  This includes developing training with the London Audit Group aimed at supporting aspiring Audit Managers, as well as speaking engagements at national events such as CIPFA Audit Conference.

Acknowledgements

122.     We achieve these results through the hard work and dedication of our team and the resilience that comes from working a shared service across four authorities.

123.     As a management team in Mid Kent Audit, we wish to send our public thanks to the team for their work through the year so far.

124.     We would also like to thank Managers, Officers and Members for their continued support as we complete our audit work during the year.


 

Annex 1: Assurance & Priority level definitions

Assurance Ratings 2019/20 (Unchanged from 2014/15, save for addition during COVID-19 Emergency)

Full Definition

Short Description

Strong – Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk.  There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities.  Reports with this rating will have few, if any; recommendations and those will generally be priority 4.

Service/system is performing well

Sound – Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks.  Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service.

Service/system is operating effectively

WeakControls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims.  Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service.

Service/system requires support to consistently operate effectively

Poor – Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives.

Service/system is not operating effectively

Note for reports issued during the COVID-19 Emergency

 

During this period we have temporarily moved away from giving a single word assurance rating back to a narrative conclusion balancing the strengths and weaknesses of controls in a service. The aim is to streamline discussion at the point of closing a review and allow the discussion to move swiftly on to implementing the agreed actions.

 


Recommendation Ratings 2019/20 (unchanged from 2014/15)

Priority 1 (Critical) To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.  Priority 1 recommendations are likely to require immediate remedial action.  Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment.  This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.  Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.  There will often be mitigating controls that, at least to some extent, limit impact.  Priority 3 recommendations are likely to require remedial action within six months to a year.  Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.  There will usually be mitigating controls to limit impact.  Priority 4 recommendations are likely to require remedial action within the year.  Priority 4 recommendations generally describe actions the authority could take.

Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.  These will be included for the service to consider and not be subject to formal follow up process.

 



[1] “Proper practices” are defined by CIPFA/SOLACE and set out in Delivering Good Governance in Local Government Framework (2016).

[2] The NFI website estimates the value of removing an applicant from the Housing waiting list to be £3,240.