Internal Audit & Assurance Plan 2021/22





Maidstone Borough Council


1.             Our mission as an Internal Audit service is to enhance and protect organisational value. We achieve this by bringing a systematic and disciplined approach to evaluate and improve effectiveness of risk management, control and governance. We work within statutory rules drawn from the Accounts and Audit Regulations 2015 and the Public Sector Internal Audit Standards (the “Standards”).

2.             The Standards set out how we must approach audit planning. The checklist below aims to provide immediate assurance to Members on our compliance with Standards and act as an index.




A risk-based plan, setting out audit priorities consistent with the goals of the organisation.


2010 (PS)[1]

Linked to annual opinion need and internal audit Charter.

· see paragraph 5


Based on documented risk assessment, updated at least yearly and consulting Senior Management and Members.

· see paragraphs 8 to 17


Reflect expectations of Senior Management, Members and other stakeholders.

· see paragraphs 10-12


Communicated to Senior Management for review and to Members for approval.

· see paragraph 16


Ensure internal audit’s resources are fit and effectively used.

· see paragraphs 18-28

2030 (PS)[1]

Must explain how resource adequacy assessed, and set out results of any limits.


Must set up policies and procedures to ensure effective delivery.

· see Appendix I


3.             In spring 2020 the Chartered Institute of Public Finance and Accounting (CIPFA) completed an External Quality Assessment (EQA) considering our compliance with the Standards. As reported to Members last summer, CIPFA decided we perform in Full Conformance with the Standards. This conclusion preserves the outstanding result of our previous EQA in 2015 from the Institute of Internal Audit (IIA). We believe we are the only audit service to have received ‘Fully Conforming’ assessments from both major professional bodies charged with overseeing public sector audit.

4.             CIPFA’s report included some advisory recommendations to consider in further developing the audit service. We describe progress towards fulfilling those recommendations at paragraph 48. 

5.             To protect the independence and objectivity of our service, we work to an Audit Charter. The Charter sets out the local context for audit, including granting right of access to systems, records and personnel.  At this Council, the Audit, Governance & Standards Committee approved the Charter in September 2019.

6.             Our plan includes assurance and other work, such as consultancy engagements.  We can accept advisory work where it is the best way to support the Council.  The Audit Charter sets out how we consider such engagements, including how we safeguard our independence.

7.             We must also clarify that our audit plan cannot address all risks across the Council and represents our best use of the resources we have available.  In approving the plan, the Committee recognises this limit. To that end, we constantly keep the plan under review to be live to risks and issues as they emerge.

Risk Assessments

8.             The Standards direct us to begin our audit planning with a risk assessment.  This assessment must consider internal and external risks, including those relevant to the sector or global risk issues.  This plan for 2021/22 represents our views now, but we will continue to reflect and consider our response as risks and priorities change across the year. We will report a specific update to Members midway through the year. We may also consult the Committee (or its Chair) on significant changes.

Global and Sector Risks

9.             In considering global and sector risks we draw on various sources.  These include updates provided by relevant professional bodies, such as the IIA and CIPFA.  We also consult colleagues in local government audit both direct through groups such as London and Kent Audit Groups and through review of all other published audit plans in the South-East.

Council Perspective and Expectations

10.         The Council has set out its governance expectations in a Local Code of Corporate Governance. This Code, based on the CIPFA/SOLACE Framework, commits the Council to seven principles of good governance:

·         Behaving with integrity, displaying commitment to ethical values and respecting the rule of law.

·         Ensuring openness and comprehensive stakeholder engagement.

·         Defining outcomes with sustainable economic, social and environmental benefits.

·         Deciding the interventions necessary to optimise achieving intended outcomes.

·         Developing the entity’s capacity including the ability of its leadership and the individuals within it.

·         Managing risks and performance through robust internal control and strong public financial management.

·         Carrying out good practices in transparency, reporting and audit to deliver effective accountability.

11.         In its Code of Audit Practice the National Audit Office sets out the expectations external auditors should have when considering how an authority complies with its statutory duties. The relevant section is at 3.2 of the Code:

“[Local authorities must] maintain an effective system of internal control that supports the achievement of their policies, aims and objectives while safeguarding and securing value for money from the public funds and other resources at their disposal”.

12.         We plan and deliver our work with these expectations in mind. Specifically they make plain to us that every part of the Council should aim to have effective internal control. Each part must work in line with strong ethical values and focused on achieving efficient use of public funds. Our role is to examine the Council’s work against these expectations, providing assurance on success where we find it and working with officers to identify responses where we do not.

Audit Risk Review and Consultation

13.         Beyond keeping an awareness of Sector and local risk issues, we conduct our own assessment. We consider all possible audit entities across the Council (the “audit universe”) on one specific risk:

What is the risk we offer a mistaken opinion because we don’t understand the service?

14.         As with a typical risk assessment there are two main parts to consider.  The first: the service’s relative importance to the Council’s overall objectives and controls and how errors would impact our opinion.  Here we consider:

Finance Risk: The value of funds flowing through the service.  High value and high-volume services (such as Council Tax) represent a higher risk than low value services with regular and predictable costs and income.

Priority Risk: The strategic importance of the service in delivering Council priorities.  For example, Planning and Climate Change will be higher risk owing to the direct link with the Council’s objectives.

Support Service Risk: The extent of interdependencies between Council departments. For example, many services rely on effective ICT.

15.         The second part is the likelihood we might hold (or gain) a mistaken view of the service.  Here we consider:

Oversight Risk: Considering where other agencies regulate or inspect the service.  For example, Mid Kent Legal Services receive regular inspections from the Law Society to keep Lexcel accreditation and so have relatively low risk.

Change Risk: Considering the extent of change the service faces or has recently experienced.  This might be voluntary (a restructure, for example) or imposed (like new legislation).

Audit Knowledge: What do we know about the service?  This considers not just our last formal review, but any other information we have gathered from, for example, following up agreed actions.  We also consider the currency of our knowledge, with an aim to conduct a full review in each service at least every five years if possible.

Fraud Risk: The susceptibility of the service to fraud loss.  High volume services that deal direct with the public and handle cash, for example licensing, are higher risk.

16.         The results of these various risk assessments provide a provisional audit plan.  We then take this provisional plan out to consultation. We meet Managers, Heads of Service and Corporate Leadership Team to get their perspective on our assessment and give us updates on their sections. We set out that consultation below. We thank these officers for their time and insight in helping to support our planning.






Head of Policy, Communications & Governance: 25 Jan

Head of Finance: 26 Jan

Head of Commissioning & Business Improvement: 26 Jan

Head of Housing & Community Services: 27 Jan

Chief Executive: 28 Jan

Director of Finance & Business Improvement: 28 Jan

Director of Regeneration & Place: 28 Jan

Mid Kent Services Director: 28 Jan

Head of Regeneration & Economic Development: 28 Jan

Mid Kent Environmental Health Manager: 8 Feb

Parking Services Manager: 9 Feb

Head of Mid Kent ICT: 10 Feb

Head of Revenues & Benefits Shared Service: 10 Feb

Head of Planning: 11 Feb

Head of Mid Kent HR: 12 Feb

Street Scene Operations Manager: 12 Feb

Corporate Leadership Team (CLT, meeting as a group): 16 Feb




17.         We set out the full audit universe and audit history in Appendix II.


18.         Having gained a perspective on the key issues for audit attention in the coming year we then consider the quantity and quality of our resources.

19.         We calculate an overall resource level based on the audit team establishment and a chargeability for each grade. Chargeability is the proportion of auditors’ time we estimate they will spend engaged in work towards fulfilling the plan. This excludes, for example, management time, training, sickness and general administration. The chargeability assumption varies between grades from 60% (apprentices) up to 80% (for qualified auditors). This calculation produces an available number of days across the partnership of 1,760 days.

20.         This is slightly less than the 1,810 days expected in 2020/21. Although we do have increased efficiency in the team, we are also carrying vacancies. While we can use the money saved to source contract auditor support this will be at a more expensive day rate than an in-house employee. Subject to approval, we hope to fill both vacancies during mid-2021.

21.         Each authority receives a share in keeping with their contribution to the overall partnership budget. For Maidstone this means the 2021/22 audit plan has 500 days to assign.

22.         Standards oblige us to comment on resource adequacy. We do so considering:

·         Whether we had enough to complete our prior year plan.

·         How the size and complexity of the organisation has changed.

·         How the organisation’s risk appetite and profile have changed.

·         How the organisation’s control environment has changed, including how it has responded to our audit findings.

·         Whether there have been significant changes to professional standards.

23.         I am, in general, satisfied that we can deliver a robust Head of Audit opinion in Spring 2022. However, a note of caution. Typically, the list of audit engagements suggested as due by our general risk assessment is longer than we have capacity to deliver. This is not an inherent problem. Having a longer list for consultation helps achieve a broad discussion. However, for 2021/22 this ‘gap’ has increased and is growing.

24.         In 2021/22 we will focus on how we can provide assurance in more efficient ways in future. This is a developing discussion within the profession. We will examine possibilities such as:

·      Assurance mapping,

·      Efficiencies in our audit approach,

·      Smaller, more focused audits,

·      Cross-cutting audits.

25.         We provide more information on these approaches in our Quality and Improvement Plan at Appendix I.

26.         We must also consider the skills, expertise and experience of our team. Following the exam success reported to Members during 2020/21, we now have every member of the audit management team holding either a Chartered Auditor or Accountant qualification[2]. This is the qualification level precondition for service as Head of Audit. In the wider team, every auditor holds at least a Certified Auditor qualification or, with our two apprentices, is working towards its achievement. We also have within the team several specialist qualifications in both risk management and counter fraud. This gives us a wealth of relevant technical expertise to undertake the various specialist matters identified on our audit plan.

27.         We also have access to sources of specialist expertise through framework agreements with audit firms, which includes access to subject matter experts. While this access is less than in previous years (with Maidstone choosing to use some of these days to provide savings) access to specialist resources is still available.

28.         Based on the above, we believe we also have skills and expertise to deliver the 2021/22 audit plan.


Risk Based Audit: 300 Days

29.         The primary part of our audit plan is delivering risk based audit engagements. We classify these into High and Medium priority engagements in our plan.

High Priority Engagements

30.         These are the 10 engagements we believe we must undertake to support a robust opinion at year end. We will typically only remove a High Priority engagement from a plan agreed with Members after consulting with the Chair of the Audit, Governance & Standards Committee. The list below is alphabetical and doesn’t suggest a ranking within the group or intended delivery order. We will agree timings with a suitable officer sponsor once we have a Member approved plan.

High Priority Engagement Title & Draft Objectives

1. Climate Emergency Response

 - To seek assurance on arrangements for tracking delivery of the Climate Emergency Response Action Plan

2. Financial Planning

 - To seek assurance on the viability and achievability of service savings targets
 - To seek assurance on the process of compiling financial forecasts

3. Home Finder Scheme

 - To seek assurance on the operation of the Scheme in line with requirements.
 - To seek assurance on accuracy of performance and financial information.

4. IT Development[3]

 - To seek assurance the arrangement for accepting development projects works in line with procedure and equitably between partners.
 - To seek assurance that IT development projects advance efficiently and effectively

5. Phishing Response[3]

 - To seek assurance on anti-phishing awareness, training and recording.
 - To seek assurance on compliance with procedure for dealing with phishing emails once received by end users (both user compliance and IT team response).

6. Pre-Application Planning

 - To seek assurance the Council fully accounts for Planning Performance Agreements (PPAs) to ensure they remain cost neutral.
 - To seek assurance on arrangements for checking content of PPAs to ensure they provide extra services.
 - To seek assurance on arrangements for ensuring independence and objectivity.


7. Procurement[4]

 - To seek assurance on compliance with Contract Standing Orders in procurement
 - To seek assurance on monitoring information provided to partner authorities

8. Property Income (Commercial)

 - To seek assurance on arrangements for collecting and managing commercial property income.
 - To seek assurance on arrangements for managing commercial property occupancy (inc. re-lets/voids).

9. Property Income (Residential)

 - To seek assurance on arrangements for collecting and managing residential property income.
 - To seek assurance on arrangements for managing residential property accommodation (inc. re-lets/voids).

10. Residents’ Parking[5]

 - To seek assurance that the Council administers residents' parking permits in accordance with relevant legislation and council procedure.
 - To seek assurance that income received from residents' parking permits is properly accounted for and recorded.
 - To seek assurance that any refunds or discounts to residents' parking permits are appropriately managed.

Medium Priority Engagements

31.         These are engagements that earn a place in our plan, but where completion could wait for a future year if needed. This level also incorporates some ‘either/or’ engagements. We are aware of the impact on officers of supporting an audit and so – typically – aim to have a maximum of three per lead officer per year. With medium priority engagements we will select the specific matters for review based on in-year risk assessments and in consultation with relevant officers. We will not typically consult Members before deciding which Medium Priority Engagements to take forward for delivery.

32.         We have 19 engagements on this list and aim to deliver at least 8. Any engagements we do not take forward for 2021/22 we will automatically consider as candidates for 2022/23. The list below is (nearly) alphabetical and doesn’t suggest ranking within the group or intended delivery order. We will agree timings with a suitable officer sponsor once we have a Member approved plan.

Medium Priority Engagement Title & Draft Objectives

1. Apprenticeships[6]

 - To seek assurance on managing the apprenticeship levy.

Either 2. Conservation & Heritage

 - To seek assurance on arrangements for achieving conservation plan targets.
 - To seek assurance that the Council manages conservation & heritage issues in planning in line with regulatory and statutory obligations.

Or 3. Local Plan Budget & Spending

 - To seek assurance on arrangements for monitoring and managing spend related to local plan formulation.

4. Contract Management

 - To seek assurance on how the Council has set out its expectations.
 - To seek assurance on compliance with Council expectations.

5. Development Capital Projects

 - To seek assurance on adherence to required project management approaches for major development projects (e.g. Innovation Centre, Mote Park Visitors' Centre).

6. Electoral Registration

 - To seek assurance on compliance on Electoral Commission requirements in compiling and maintaining the electoral register.

Either 7. Environmental Enforcement

 - To seek assurance on arrangements for complying with relevant policies when conducting enforcement action.
 - To seek assurance the Council has evaluated the appropriate level of enforcement action, and arrangements for meeting that assessed level.

Or 8. Licensing Enforcement

 - To seek assurance on arrangements for complying with relevant policies when conducting enforcement action.
 - To seek assurance the Council has evaluated the appropriate level of enforcement action, and arrangements for meeting that assessed level.

9. Housing Benefit[7]

 - To seek assurance on arrangements for quality assurance.

10. Internal Communications

 - To seek assurance on how the Council monitors its internal communications.
 - To seek assurance on compliance with procedures for internal communications.

Either 11. Leisure Services
 - To seek assurance on arrangements for managing delivery of the leisure contract.
 - To seek assurance on spending and arrangements for post-covid re-opening.


Or 12. Theatre Operations

 - To seek assurance on arrangements for managing delivery of the Hazlitt Contract.
 - To seek assurance on spending and arrangements for post-covid re-opening

13. Markets

 - To seek assurance that market finances work in line with SFIs.

14. Payroll & Expenses[8]

 - To seek assurance the Council amends payroll (including starters and leavers) accurately and in line with procedure.
 - To seek assurance the Council manages expense claims properly.
 - To seek assurance that information accurately links with other systems.

15. Performance Management

 - To seek assurance on the quality of data used to build performance dashboards

16. Planning Administration[8]

 - To seek assurance on the planning administration process' effectiveness and efficiency in complying with statutory and service demands.
 - To seek assurance on the accuracy of financial and performance recording.

17. Street Scene

 - To seek assurance on monitoring compliance with cleansing standards.
 - To seek assurance on efficacy of process to manage and respond to street cleansing or repair notifications

18. Talent Management[8]

 - To seek assurance on compliance with approach to identify high performing staff.
 - To seek assurance on compliance with and effectiveness of policy to manage such staff once identified.

19. Voluntary Sector Liaison

 - To seek assurance on how the Council manages relationships with voluntary sector organisations, including adherence to Voluntary Sector Compact.



Follow-up of Agreed Actions

33.         As part of closing an audit engagement we will typically agree actions with officers to put right any faults found and minimise risk. We dedicate around 29 days each year to following up these actions, reporting results to Senior Officers and Members as part of our routine reporting.

34.         Where an action is significantly overdue or poses significant risk we will highlight this to the Corporate Leadership Team. We may also report seriously delinquent actions to this Committee and ask that Members invite the responsible officer to explain and account for delays.

Consultancy & Member Support: 70 days

35.         We aim to keep around 10% of the audit plan days as a consultancy fund to provide general and specific extra advice or training to the Council. This will also include attendance and contribution to officer groups, such as the procurement group.

36.         We also use consultancy days when we must expand an audit scope to cover specific concerns or findings identified during an audit. This effectively allows us to have some contingency to avoid having to cut short engagements and allow full exploration of significant findings.

37.         We also use this budget to deliver specific extra work for the Council. In 2020/21 this involved, for example, redeployment to help the Council manage Covid-19 grant support to local businesses. In 2021/22 it might involve undertaking any post-payment checks the Government may need. We would conduct such work using different members of the audit team to ensure independence.

38.         Finally we also use this budget to support Members, through attendance at and reporting to Committees. We also provide extra briefings and specific Member training as sought.

Risk Management: 67 days

39.         At Maidstone our responsibility encompasses tasks such as leading the risk management framework, keeping and updating strategic and operational risk registers. We also compile risk reporting to Senior Officers and Members, including an annual report to this Committee.

40.         We must note responsibility for managing the identified risks remains with the relevant risk owners. However, we can and do provide advice, support and training.

41.         We set out our plans for developing risk management in 2021/22 in the Annual Risk Management Report, also on this meeting’s agenda.

Planning: 35 days

42.         We use this time to keep current with risks and issues across the Council, the wider public sector and the audit profession. This ensures our plan can remain dynamic and responsive to risk through the year. We also use it to manage delivery of the audit plan across the year and co-ordinate any extra support or advice. Finally, we use this time to complete the major part of our annual planning exercise, including updating risk assessments and consultation across the Council.

Counter Fraud Support: 28 days

43.         At Maidstone our responsibilities include writing and updating Counter Fraud and Whistleblowing policies, providing a channel for officers to raise concerns under the Public Interest Disclosure Act. We also act as lead contact for the National Fraud Initiative, a data matching exercise co-ordinated by the Cabinet Office.

44.         As well as these routine roles, we also use this time to conduct investigations on matters of concern. Although we do not have police powers to compel attendance, this has included conducting interviews under caution and handling evidence to a criminal standard.

45.         For 2021/22 we hope to compile more detailed procedures for investigations, drawing on Cabinet Officer Standards. We also aim to draw up training to support compliance with the Bribery Act and make clear where people should report any matters of concern.


Delivering the Audit & Assurance Plan

46.         We work in full conformance with the Public Sector Internal Audit Standards and relevant Codes of Ethics.  The sections below include more detail on how we intend to preserve conformance.

External Quality Assessment

47.         In July we reported to Members we had achieved a second successive fully conforming conclusion in an External Quality Assessment. The Assessment included a few recommendations for us to consider. The table below summarises our progress:


Recommendation: Statement limiting distribution and use of audit reports and clarifying conformance to IPPF
Current Position: We’ve included a statement (wording agreed with CIPFA) on our standard 20/21 reporting template.

Recommendation: Enhance declaration of interest forms for audit staff
Current Position: We have expanded our compliance and declaration approach, including a new online form. All staff in the service completed a fresh declaration in early 2021.

Recommendation: Expand use of data analytics
Current Position: We have opened discussion with some suppliers and neighbouring audit services on possible subjects for expansion. We will follow this further as part of our 21/22 improvements (see ‘Quality and Improvement Plan’, below).
In progress

Recommendation: Provide greater comparative insight for clients
Current Position: We have identified joint audits for 21/22 and will look to publish cross-partnership reports on select topics.
In progress

Recommendation: Renew internal audit collaboration agreement that expired in 2019
Current Position: Have restarted discussions among partners to clarify expectations of any new agreement.
In progress



Quality Assurance & Improvement Programme

48.         Standard 1300 directs the Head of Audit to set up and keep a quality assurance and improvement programme. There are two key objectives of the programme. First, to document and clarify how we uphold the quality and integrity of our work. Second, to make plain our commitment to self-reflection on reviewing and improving how we plan and deliver our work. The Standards encourage Member engagement with and oversight of the Programme.

49.         We could show conformance in our External Quality Review. However our reviewer commented we could bring together and summarise our approach in a single document for Members.

50.         We provide that document at Appendix I. It sets out:

·         Our ambitions on upholding a commitment to excellent quality audit work.

·         How we exercise oversight, review and uphold that quality.

·         How we will review our work over the coming months and years to revisit and consider how we might further improve.

Next Steps

51.         We will begin planning the delivery of this plan as soon as it receives Member approval. We expect to begin fieldwork on the earliest 2021/22 engagements in late May/early June and start reporting results in July or August.

52.         In November we will provide an Interim report to Members. This will summarise work completed up to then, with any significant findings and actions. We will also update Members on the progress of our Quality Assurance and Improvement Programme.

53.         We aim to complete the plan in late Spring 2022 and will form our conclusions into a Head of Internal Audit Opinion to support the 2021/22 Annual Governance Statement. We reserve the right, as set out in the Audit Charter, to report significant findings to Members outside these scheduled reports. This includes seeking to meet privately with Members if needed.


Appendix I: Quality Assurance & Improvement Programme

1.              Continuous improvement sits at the heart of internal audit as a profession. Both for the auditors who work within it and for the contribution it makes to organisations. 

2.              The Code of Ethics for auditors states: “[auditors] shall continually improve their proficiency and the effectiveness and quality of their services”.

3.              The IIA’s Mission of Internal Audit talks about “enhancing organisational value”.  With the definition of internal auditing being: “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations”. These are not new ideals. The IIA’s founding statement published 15 July 1947 dedicated internal audit to: “protecting the interests of the organisation, including pointing out existing deficiencies to provide a basis for appropriate corrective action”.

4.              As this drive applies to the services we audit, the need to reflect and seek improvement applies no less to us in Mid Kent Audit. This Plan has two principal parts:


·         Setting out the standards we apply to our work, how we guarantee and uphold them.

·         Setting out how we examine our work, to consider its efficiency, effectiveness and place in industry best practice.

5.              These features sit within the context of Mid Kent Audit’s overall vision:

“To be the highest quality local authority audit service in the UK”.

6.              We will update this plan regularly, no less than once each year. In particular we will form the “Improvement” section into a rolling programme to ensure our internal ‘universe’ receives no less review in search of improvement than we apply to our partner authorities.

7.              The Mid Kent Audit team fully embraces the professionalism and high standards inherent to the modern auditor. We remain grateful for the support, encouragement and challenge of members and officers in our partner authorities to help achieve this goal.



Mid Kent Audit’s last two external quality assessments confirmed we work in full conformance with the Public Sector Internal Audit Standards and the International Professional Practices Framework.

This is the standard we seek to uphold. We do so in four main ways:

Team Expectations and Approach

8.              We expect our team to uphold the IIA Code of Ethics, ensuring they work with Integrity, Objectivity, Confidentiality and Competency always. This means working as a professional auditor, supporting colleagues and clients as part of the audit team.

9.              We recognise the markers of quality work listed in Standard 2420 (Quality of Communications). These state that we must be accurate, objective, clear, concise, constructive, complete and timely. We recognise our overall goal in helping our clients by providing assurance and supporting improvement across their control environment and service delivery.

Training and Development

10.          We have consistently preserved strong financial and budgetary support for training and development throughout the team. Our ambition is to support every member of Mid Kent Audit in earning and keeping a suitable professional qualification.

11.          This is why, as well as the compulsory training demanded as part of our employment with Maidstone Borough Council, we set aside at least 40 hours each year for training. The 40 hours level is consistent with keeping qualification as a Certified Internal Auditor, but where other qualifications have different needs we will typically support these too. We also keep a financial budget equal to supporting that volume of training.

12.          Our starting position is to support all further training and development where there is benefit to the Partnership and the individual. Naturally we will face practical and budgetary restraints that may vary over time. Nevertheless if we can find a way to support development, we will seek to do so. We also celebrate the team’s training and achievement in our reporting to Members and others.

13.          We are also a service keen to look outside our borders for development and best practice. While ensuring we continue to deliver our core service, we welcome opportunities to engage with and learn from the broader audit profession.

Tools and Guidance

14.          We use Ideagen’s Pentana Audit Management Software. This is an industry leading software package, tailored for use in Mid Kent Audit. Pentana is online, ensuring our team can work collaboratively and electronically from any location with an Internet connection. Pentana guides an auditor step-by-step through completing an audit engagement. If followed, that guidance will ensure our work remains fully conforming with the Standards.

15.          The guidance is available within Pentana using ‘mouse over’ and document libraries. We also keep a shared drive accessible to the whole audit team with library versions of guidance and copies of relevant rules and publications (for example, the Standards themselves).

16.          We have a group membership of the Institute of Internal Audit. This gives every member of the audit team access to online support and guidance from the internal audit profession.

17.          We aim to introduce new versions of Pentana within three months of their release. This will ensure we remain current in using the latest software, while also giving the time and opportunity to consider how best to use any new or amended features.

18.          We have within Pentana a library of templates (including report and brief templates) for auditors to use in engagements. These ensure consistency in approach and presentation, but also allow for variation and innovation to support quality work.

Supervision, Review and Coaching

19.          As required by Standard 2340, all work we complete is supervised. We embrace the three objectives of that supervision set out in the standard:

·         Objectives are achieved: Each engagement sets objectives in its brief. The engagement reviewer(s) will ensure the final report is clear in fulfilment of those objectives and reporting of results.

·         Quality is assured: The engagement reviewer(s) will ensure files contain documentation in line with Standard 2330 (sufficient, reliable, relevant and useful to support engagement results). They will also ensure auditors follow all relevant guidance with variance clearly set out.

·         Staff are developed: The engagement reviewer(s) will ensure the team fully consider their own development goals and will support them in their achievement.

20.          We save evidence of review through use of Pentana’s ‘Completed’ and ‘Approved’ markers. We may raise review notes during an engagement, but will often not save them when closing a file. Similarly, we will not typically keep interim drafts of work in Pentana after completing an engagement, but auditors may extract and file separately to aid their personal development.

21.          Review is not directive on matters of professional judgement. Each auditor is a professional in their own right, bound by the Code of Ethics to act with integrity. This includes a responsibility for auditors to not follow audit approaches or findings that conflict with their professional judgement. We have in place a Professional Judgement Policy setting out how we deal with differences of judgement that arise within audit teams. However, as set out in Standard 2340, the Chief Audit Executive holds overall responsibility.

22.          Depending on the risk associated with the audit and team experience, engagements may have either or both an ‘A’ or ‘B’ Reviewer. Their different standard roles are:

·         A Reviewer: Responsible for direct supervision of the lead auditor(s) including detailed review of fieldwork. Will read draft client communications to ensure consistency with the documented engagement findings. The A Reviewer will typically have a more ‘hands on’ or coaching style engagement with the lead auditor(s), so will play a key role in development. An A Reviewer could be a Manager or Senior Auditor.

·         B Reviewer: Responsible for overall quality assurance and issuing formal client communications. The ‘B’ Reviewer will always be a Manager.

23.          Where an engagement has a single reviewer, that reviewer will always be a Manager combining both ‘A’ and ‘B’ roles.

24.          Deciding whether to have a single or dual review rests with the Manager who has responsibility for the relevant audit plan. Typically, engagements led by a Senior Auditor will have a single reviewer and those led by an Apprentice will have dual review. The Manager should set out the early review rationale at Step P0 and affirm after planning is complete at Step P6. Where circumstances of the engagement need a later decision to expand the review team, the decision and reasoning will feature at Step F1.

25.          An Issuing Managers’ Guide sets out considerations for Managers when issuing formal client communication. This Guide also includes the conditions under which the Chief Audit Executive has delegated his responsibilities under Standard 2440 (Disseminating Results).

26.          Besides review of individual engagements we also undertake periodic Cold Reviews. These take place after completing the engagement file and seek to look back on the work to assess quality and conformance with Standards. Twice a year we will undertake a Cold Review of a sample of files using the checklist and approach set out in the appendix to this plan.


27.          An important feature of our Improvement Plan is to ensure we take a comprehensive look at our approach. Just like an audit universe, it must eventually touch on every part of our work. The examination won’t necessarily result in change, but we ought not assume anything is perfect and could not bear improvement. At the appendix we show the internal ‘audit universe’.

28.          Deciding where to focus will draw on three principal sources of information:

-          Professional Updates: Information produced by the profession, for example IIA Position Papers. We have a specific approach to considering these, set out below.

-          External Feedback: Information from our partner authorities on the strengths and weaknesses of the service and where we might develop.

-          Internal Feedback: Information drawn from review (including cold review) as well as comments from the audit team on how they find working with our approach.

Professional Updates

Professional institutes such as the IIA and CIPFA sometimes issue guidance for internal auditors to consider. For the IIA, such guidance may also feature in the International Professional Practices Framework. The IIA publishes its updates online (available to members only). We will also receive updates through bodies such as the Internal Audit Standards Advisory Board, the Local Authority Chief Auditors’ Network and Kent and London Audit Groups.

29.          We will consider relevant updates through the Management Team. As well as influencing the QAIP, we may put updates to more immediate use, for example by informing training.

30.          We will go through a similar approach when considering whether and how to adopt significant updates to our audit management software.


Building the Improvement Plan

One key point is that this approach exists to preserve structure, ensure quality and treat issues consistently. It is not a barrier to innovation. We welcome people’s ideas on how to improve our work, in big and small ways. We will continue to innovate outside this formal structure where doing so improves the service we offer.

The Improvement Plan

We aim to keep a two-year rolling programme of matters to examine within the audit universe. Below is the current draft. We will keep a current version in the audit team shared drive. We will also publish a report each year to Members.


| Focus Area | Draft Objectives | |
|---|---|---|
| Assurance Ratings & Finding Priorities | Clarify the purpose of our use of assurance ratings and findings priorities. Consider whether the current definitions remain fit for that purpose and propose alternatives for consultation with officers and members. | Proposal for consultation by Christmas 2020. Consult and pilot through 2021/22 & introduce 2022. |
| | Fulfil EQA recommendation of improved declarations of interest within the audit team. | Proposal by early 2021 to go live alongside Spring 2021 appraisals. |
| Client Liaison | Review our approach to engaging with audit contacts to explain the process and purpose of audit. | Proposal by Spring 2021 to go live when introducing 21/22 plan engagements. |
| Review Process | Consider our approach to completing file reviews and ensuring it supports consistency, quality and development. | Proposal by Summer 2021 for introduction across Autumn |
| Assurance Mapping | Using anticipated new Pentana feature, draw up an approach to creating assurance maps across authorities. | Proposal by Christmas 2021 for incorporation into 22/23 audit planning. |
| Test Completion | Following on from looking at file reviews, consider approach to testing. In particular scope for greater use of computer assisted audit tools. | Proposal by early 2022 for implementation in 22/23 audit year. |
| Risks & Controls | Review our guidance to support auditors in identifying and documenting risks and controls | Proposal by spring 2022 for 22/23 year engagements. |

Annex I: Mid Kent Audit Process Universe

Planning Processes

·         Background Research & Intelligence: How we research businesses and systems.

·         Client Liaison: The information we provide to clients. 2020/21 Plan

·         Budget Planning: How we draw up and monitor budgets.

·         Risks & Controls: Identifying, documenting and assessing. 2021/22 Plan

·         Test Creation: Drawing up efficient and effective tests

Fieldwork Processes

·         Documentation: What we keep on file and how it is presented.

·         Test Completion: Approaches including tools such as CAATs. 2021/22 Plan

·         Sampling: Selecting apt samples and documenting rationale for selection.

·         Findings/Causes/Effects: Identifying findings and ascribing causes and effects.

·         Amending Work Programmes: How and when to amend and documenting any changes.

Reporting Processes

·         Assurance & Finding Ratings: Is our system of ranking fit for purpose? 2020/21 Plan

·         Follow-Up: Is our approach effective at efficiently supporting improvement?

·         Report Formats: Considering templates and standard content.

·         Review Process: Does it ensure quality and support team development? 2021/22 Plan

Other Processes

·         Annual Planning: Process to support developing the plan for Members

·         Ethics: Ensuring and documenting adherence to code. 2020/21 Plan

·         Audit Management Software: What package we use and when to upgrade.

·         Assurance Mapping: How we consolidate information on assurance. 2021/22 Plan

·         Consolidated Reporting: Reporting results of our work at an authority level to Senior Officers and Members.

Annex II: Cold Review Process and Checklist

We will be piloting cold reviews in Spring 2021. We will add the final approved checklist arising from those pilots in the Quality and Improvement Plan from mid-2021/22 onwards.

Appendix II: Audit Universe

The “Audit Universe” is our running record of all processes at the Council we might examine. The list below shows Maidstone-specific entities on our current audit universe, followed by a record of audit history: (Key: D = Delivered Engagement, P = Planned Engagement in 2020/21, H = High Priority on 2021/22 Plan, M = Medium Priority on 2021/22 Plan)

Process Type

Accounting & Finance
Budgetary Control
Financial Planning
General Ledger
Payroll & Expenses
Treasury Management
Internal Communications
Public Consultations
Social Media/Website
Community Safety
CCTV & Monitoring
Public Health & Wellbeing
Safety Partnerships
Business Continuity
Climate Emergency
Complaint Handling
Contract Management
Counter Fraud
Customer Services
Declarations of Interest
Emergency Planning
Information Management
Internal Audit
Legal Services
Performance Management
Project Management
Risk Management
Subsidiary Company
Culture & Economy
Economic Development
Leisure Services
Visitor Economy
Election Management
Electoral Registration
Member Development
Members’ Allowances
Cemeteries & Crematoria
Environmental Enforcement
Grounds Maintenance
Street Scene
Waste Collection
Environmental Health
Air Quality
Food Safety
Estate Management
Facilities Management
Property Acquisition
Property Income
Home Improvement Grants
Home Finder Scheme
Human Resources
Absence Management
Health & Safety
HR Policy
Staff Performance Mgmt
Training & Development
Workforce Planning
Information Technology
IT Asset Management
IT Backup & Recovery
IT Development
Network Security
Technical Support
Parking Enforcement
Parking Income
Residents’ Parking
Building Control
Conservation & Heritage
Development Management
Land Charges
Local Plans
Planning Administration
Planning Enforcement
Pre-Application Planning
Section 106/Developer Income
Revenues & Benefits
Business Rates
Council Tax
Council Tax Reduction Scheme
Disc. Housing Payments
Housing Benefit
Universal Credit

[1] The public sector variant of the Standards imposes additional obligations beyond the global IIA Standards.

[2] Or, for the Head of Audit Partnership, both.

[3] Shared service with Swale and Tunbridge Wells

[4] Shared service with Tunbridge Wells

[5] Shared service with Swale

[6] Shared service with Swale

[7] Shared service with Tunbridge Wells

[8] Shared service with Swale