Internal Audit & Assurance Plan 2022/23





Maidstone Borough Council


1.             This risk-based internal Audit Plan for 2022/23 provides adequate coverage to enable an annual Head of Audit Opinion to be made at the end of the financial year.

2.             Planning during a period of uncertainty and change is problematic. It is therefore important that this Audit Plan has the flexibility to adapt and adopt to the changes as they develop during the forthcoming financial year.

Risk Assessments

3.             The Public Sector Internal Audit Standards direct that audit planning is built upon a risk assessment.  This assessment must consider internal and external risks, including those relevant to the sector or global risk issues.  This Plan for 2022/23 represents the current views now, but it will be necessary to continue to reflect and consider the audit response as risks and priorities change across the year. A specific update report will be provided to Members midway through the year.

          Global and Sector Risks

4.             In considering global and sector risks the risk assessment draws on various sources such as the IIA and CIPFA. 

5.             This year will continue to be another challenging year for Local Government in terms of funding, managing additional recruitment and technological advancement, which in turn may impact on the adequacy and effectiveness of the governance, risk and control framework of the Council.  A number of key areas which require consideration when planning the internal audit coverage are set out below. These areas cut across many of the activities carried out by the Council. These areas are not a full listing, nor are they in any priority order. Indeed many are not mutually exclusive of each other.

“Multi-channel” customer engagement: Partly as a result of COVID-19 but also as process changes through improved technology, councils will need to embrace cutting edge technology. Adopting a multi-channel approach to customer engagement will enable council services to be more readily available, more accessible and more transparent.

Commercialisation: Councils are being driven towards being more self-sufficient and cost effective, with pressure to close funding gaps and rebalance budgets. Councils will already be operating in different financial and more commercial environments which have been tested by the business disruption associated with the COVID Pandemic.

Cyber Security: As more services move on-line, risks and vulnerabilities are likely to increase. Cyber security is as much about awareness and behaviours as it is about network security. Resilience needs to be regularly and stringently stress tested across the organisation to ensure it is operating effectively.

Financial Viability: As the UK emerges from the clutches of the pandemic and some degree of normality returns Councils will be faced with the reality of unbalanced medium term financial plans without including significant potential savings.  Realisation of these savings could be challenging and if not achieved at the outset will fail to provide the funds needed to ensure a balanced budget.

Staff Wellbeing: COVID-19 has led to mental health declines, increased work demands and feelings of loneliness due to remote working. Staff turnover is at an all-time high. Managing the wellbeing and associated risks is crucial to ensure a stable workforce.

Climate Change: Councils are taking action to reduce their own carbon emissions and working with partners and local communities to tackle the impact of climate change on their local area.

Inflation: The forecast rises in inflation after a long period of stability is likely to impact upon term contracts as well as budget management.

Council specific Audit Risk Review

6.             This risk review incorporates two elements. The first element is the service’s relative materiality to the Council’s overall objectives and controls. The assessment includes consideration of:

Finance Risk: The value of funds flowing through the service. 

Priority Risk: The strategic importance of the service in delivering Council priorities. 

Support Service Risk: The extent of interdependencies between Council departments.

7.             The Council’s external auditor was requested to advise if there were any areas that internal audit should include in the Audit Plan, and the two suggested areas, Capital Project Management and Asset Register are included in the Plan, below.

8.             The second element considers the reputational aspects of a failure of the effective operation of the internal control arrangements. The assessment includes consideration of:

Oversight Risk: Considering where other agencies regulate or inspect the service. 

Change Risk: Considering the extent of change the service faces or has recently experienced. 

Audit Knowledge: Considering the outcomes not just the last internal review, but any other information that has been gathered from, for example, following up agreed actions. 

Fraud Risk: Considering the susceptibility of the service to fraud loss. 

Audit Risk Prioritisation

9.             The results of these various risk assessments provide a provisional Audit Plan.  The provisional Plan is consulted on with the Managers, Heads of Service and Corporate Leadership Team to get their perspective on the audit assessment and from this the Risk Based Audit Plan for the financial year is produced.

Risk Based Audit: 280 Days

10.         The primary part of Audit Plan is delivering risk based audit engagements. This work is classified into High and Medium priority engagements in the Audit Plan. The lists below are in alphabetical and do not imply any ranking within the group or intended delivery order. The timings for the individual reviews will be agreed with a suitable officer sponsor once the Plan has been approved.

11.         The Audit Plan has been prepared in advance of the appointment of the substantive Head of Audit for MKA. The new Head of Audit may wish to propose changes to the audit coverage and so may review the Plan will after their appointment. Any proposed changes and the rationale for such changes will be communicated to Senior Management Teams and Audit Committee Members.


          High Priority Engagements

12.         These are the 10 engagements that require to been undertaken to support a robust opinion at year end.

High Priority Engagement Title & Draft Objectives

1. Business Continuity

To seek assurance on arrangements for responding to business disruption events, including unexpected network down time.

2. Capital Projects Funding

To seek assurance on arrangements for funding capital projects.

3. Economic Development

To seek assurance on progress against actions within the Economic Development Strategy.

4. IT Back-Up & Recovery[1]

To seek assurance on the effectiveness of controls to back up the Council's data

To seek assurance on recovery of the Council's data after a loss event.

5. Member Development

To seek assurance on the effectiveness of training and development provided to Members.

6. Network Security1

To seek assurance on management of the security of Network controls, including remote access control.

7. Property Acquisition & Disposal

To seek assurance that decisions made in relation to property purchases and disposals are in line with Council's strategy and scheme of delegations.

8. Residential Property Repairs & Maintenance

To seek assurance on effective management of the residential property repair contract.

9. Subsidiary Company Governance

To seek assurance on arrangements for maintaining good governance at Maidstone Property Holdings.

To seek assurance on arrangements for maintaining appropriate control of Maidstone Property Holding's operations.

10. Workforce Planning

To seek assurance on the Council's plans and strategies for ensuring they are able to attract and retain the workforce needed.


Medium Priority Engagements

13.         We have 17 engagements on this list and aim to deliver at least 7. Any engagements we do not take forward for 2022/23 we will automatically consider as candidates for 2023/24. The list below is alphabetical and doesn’t suggest ranking within the group or intended delivery order. We will agree timings with a suitable officer sponsor once we have a Member approved plan.

External Audit Priority Engagement Title & Draft Objectives

1. Asset Register

To seek assurance on system for maintaining the accuracy and completeness of the Council's Asset register.

Medium Priority Engagement Title & Draft Objectives

2. Budgetary Control

To seek assurance on the effectiveness of controls seeking to maintain oversight of Council finances against budgets.

3. Building Control

To seek assurance on appropriate accounting for Building Control Income.

To seek assurance on arrangements for ensuring Building Control complies with relevant quality standards in undertaking its work.

4. CCTV Monitoring

To seek assurance on arrangements for maintaining compliance with the CCTV Code of Practice and other relevant Council procedures.

5. Complaint Handling

To seek assurance on compliance with complaint handling process

To seek assurance that the Council responds appropriately to information (both general and specific) from the Local Government Ombudsman

6. Crematorium

To seek assurance on compliance with Crematorium Regulations, and

To seek assurance on income collection controls

7. Discretionary Housing Payments[2]

To seek assurance on the management and delivery of the Discretionary Housing Payments scheme

8. Electoral Registration

To seek assurance on compliance on Electoral Commission requirements in compiling and maintaining the electoral register.

9. Facilities Management

To seek assurance on managing routine maintenance and responsive repairs across the Council's buildings

To seek assurance on maintaining the security of Maidstone House


Medium Priority Engagement Title & Draft Objectives

10. Food Safety2

To seek assurance on completion of food safety inspections in compliance with Food Safety Act 1990

11. Garden Waste

To seek assurance on management of the Garden Waste subscription service

12. Health Team

To seek assurance that the Council has set out and accurately monitors expectations of Health Living Co-ordinators and Every Contact Counts schemes.

13. Markets
To seek assurance that market finances work in line with SFIs.

14. Planning Enforcement

To seek assurance on arrangements for responding to planning breach reports in keeping with relevant legislation, Council policy and procedure.

15. Private Water Supply

To seek assurance on completion of private water supply inspections in compliance with The Private Water Supplies Regulations 2016

16. Staff Performance Management

To seek assurance on compliance with the Council's staff performance management procedures.

To consider how the Council monitor success of its staff performance management approach.

17. Theatre Operations

To seek assurance on arrangements for managing delivery of the Hazlitt Theatre Contract

Follow-up of Agreed Actions: 30 days

14.         Time has been allocated to following up the actions arising from internal audit recommendations made and reporting the results to Senior Officers and Members.

Consultancy & Member Support: 70 days

15.         A consultancy allocation provides general and specific extra advice or training to the Council. This allocation also provides support to Members, through attendance at and reporting to Committees.

16.         This fund also provides a contingency to avoid having to cut short engagements and allow full exploration of significant findings.


Risk Management: 58 days

17.         At Maidstone MKA’s responsibility encompasses tasks such as leading the risk management framework, keeping and updating strategic and operational risk registers. The responsibility for managing the identified risks remains with the relevant risk owners. MKA also compiles risk reporting to Senior Officers and Members, including an annual report to this Committee.

18.         The plans for developing risk management in 2022/23 are set out in the Annual Risk Management Report.

Planning: 24 days

19.         This time is allocated to complete the major part of the annual planning exercise, including updating risk assessments and consultation across the Council. The time is also used for identification of risks and issues across the Council, the wider public sector and the audit profession. This ensures the Audit Plan can remain dynamic and responsive to risk through the year.

Counter Fraud Support: 28 days

20.         At Maidstone MKA’S responsibilities include writing and updating Counter Fraud and Whistleblowing policies, providing a channel for officers to raise concerns under the Public Interest Disclosure Act. MKA also acts as lead contact for the National Fraud Initiative, a data matching exercise co-ordinated by the Cabinet Office.

21.         For 2022/23 it is intended to compile more detailed procedures for investigations, drawing on Cabinet Office Standards. We also aim to draw up training to support compliance with the Bribery Act and make clear where people should report any matters of concern.

22.         The counter fraud support role also includes conducting investigations on matters of concern. Additional time may be required for such work and this will be drawn from the consultancy budget above.

Resourcing the Audit Plan

23.         MKA is currently going through a period of significant staffing change. A number of senior posts are currently filled on an interim basis and it is likely to be November 2022 at the earliest before all the substantive posts are filled.

24.         MKA also have access to sources of specialist expertise through framework agreements with audit firms, which includes access to subject matter experts.

25.         The overall resource level is therefore based on the current audit team establishment and the chargeability for each grade. This calculation produces an available number of days across the four Councils to which MKA provides the internal audit service of 1,740 days. 

26.         Each Council receives a share in keeping with their contribution to the overall partnership budget. The Collaboration Agreement is planned to be subject to a comprehensive review during 2022/23. Based on the current Agreement Maidstone 2022/23 Audit Plan has 490 days to assign. This includes time to complete work carried forward from 2021/22.

27.         MKA has the skills and expertise to deliver the 2022/23 Audit Plan and it is confirmed that planned audit work will enable a Head of Audit opinion for 2022/23 to be delivered in Spring 2023.


[1] Shared Service with Swale & Tunbridge Wells

[2] Shared Service with Tunbridge Wells