Internal Audit Report & Annual Audit Opinion 2022/23
Maidstone Borough Council
Introduction
1. This is the 2022/23 Annual Report by Mid Kent Audit on the internal control environment at Maidstone Borough Council (‘the Council’). The annual internal audit report summaries the outcomes of the reviews that have carried out on the Council’s framework of governance, risk management and internal control and is designed to assist the Council making its annual governance statement.
2. This report provides the annual head of audit opinion (‘Opinion statement’) and a summary of the key factors taken into consideration in arriving at the Head of Audit Opinion statement, as at 31 May 2023.
Head of Internal Audit Opinion statement
3. The Head of Audit Opinion draws on the work carried out by Mid Kent Audit during the year on the effectiveness of managing those risks identified by the Council and covered by the audit programme or associated assurance. Not all risks fall within the agreed work programme. For risks not directly examined reliance has been taken, where appropriate, from other associated sources of assurance to support the Opinion statement (an explanatory note is included at Annex A).
4. The Head of Audit Opinion statement for 2022/23 is:
The planned programme of work delivered by internal audit was constrained by significant staffing vacancies and changes within the internal audit team. The results of the reduced level of internal audit work concluded during the year required me to seek additional assurances to form my opinion. A summary of where it has been possible to place reliance on the work of other assurance providers is presented in the annual internal audit report. Utilising all these forms of assurance I am able to draw a positive conclusion as to the adequacy and effectiveness of Maidstone Borough Council’s risk management, control and governance processes. In my opinion, Maidstone Borough Council has adequate and effective management, control and governance processes in place to manage the achievement of their objectives.
Matters impacting upon the Opinion statement
5. Organisations design internal controls to manage to an acceptable level rather than remove the risk of failing to achieve objectives. Consequently, internal controls can only provide reasonable and not complete assurance of effectiveness. Designing internal controls is a continuing exercise designed to identify and set priorities around the risks to the Council achieving its objectives. The work of designing internal controls also evaluates the likelihood of those risks coming about and managing the impact should they do so.
6. Mid Kent Audit recognises the considerable financial challenges and the difficult decisions that the Council had to deal with during 2022/23, however, the professional and regulatory expectations on public bodies to ensure that their internal audit arrangements, including providing the annual Opinion statement, conform with the Public Sector Internal Audit Standards (PSIAS) have not changed.
7. Factors that need to be taken in to account in reaching the Opinion statement include:
· Changes in ways of working: Have these led to gaps in the governance, risk management and control arrangements?
· Independence of internal audit: Have any limitations in the scope of individual audit assignments resulted in it only being possible to place partial assurance on the outcome?
· Internal audit coverage: Has any reduction in internal audit coverage compared to what was planned resulted in insufficient assurance work?
Changes in ways of working
8. The following are the main considerations which impacted upon the provision of the Opinion statement for 2022/23. These are not in any priority order and in a number of cases there is an inter-relationship between two or more of these considerations.
· Remote working and greater use of digital forms of operation and communication has now been in place for two years following the rapid introduction during the pandemic. This change in ways of working is now becoming normalised and adaptions are being managed.
· Diverting staff resources and changing priorities during the pandemic has had an impact in the subsequent years on service delivery. Recovery plans have been effective, but some areas have required a longer period of recovery than others.
· The significant increase in cyber-attacks against all organisations to obtain unauthorised access to data and the consequential need for ongoing updating and vigilance in terms of security of data held.
Independence of internal audit
9. Mid Kent Audit works as a shared service between Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils. A Shared Service Board including representatives from each Council supervises the service under a collaboration agreement.
10. Within the Council during 2022/23 Mid Kent Audit has continued to enjoy complete and unfettered access to officers and records to complete its work. On no occasion have officers or Members sought or gained undue influence over the scope or findings of any of the work carried out.
Internal audit coverage
11. Mid Kent Audit has experienced significant turnover of staff throughout the financial year, including the appointment of an interim Head of Audit and an interim Deputy Head of Audit for part of the year. There was also the departure of both Audit Managers towards the end of the year. The permanent Head of Audit Partnership started in December 2022 and no further recruitment was undertaken until very recently while an assessment of the current structure was undertaken. It is acknowledged that a significant level of local knowledge and experience of the Council was lost during the year.
12. The Council’s Audit Committee approved the 2022/23 Audit & Assurance Plan on 14 March 2022. The selection, prioritising and scoping of the audit reviews in this Plan was overseen by the Interim Head of the Audit Partnership.
13. There has been impairment in terms of the planned internal audit coverage for 2022/23. This has been due to the knock-on effect of the late completion of the 2021/22 planned work and the significant churn in terms of staff within Mid Kent Audit. There were also a number of reviews which have either been deferred or cancelled. As a consequence a number of the audit reviews set out in the 2022/23 Internal Audit Plan have not been completed in time to inform the 2022/23 Opinion Statement. This is a timing matter, rather than systematic of any issue in respect to the Council’s governance, risk and control framework. The team at Mid Kent Audit has worked diligently at the delivering the work and this timing issue is not a reflection upon the efforts of the current team.
Arriving at the Opinion statement
Reliance on internal audit work performed
14. Audit evidence to support the Opinion statement on internal control is derived principally through completing the reviews set out within the agreed Audit Plan. The 2022/23 Audit & Assurance Plan provided for 17 reviews to be carried out.
15. For the reasons explained in paragraph 13, above, only 8 of these reviews were completed in time to inform the 2022/23 Opinion statement. Five reviews are currently underway. These reviews are shown in the table below. There were no Priority 1 (Critical) Actions which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.
16. A summary of the Assurance and Action priority level definitions is provided in Annex B.
17. An overview of the key findings from each of the finalised reviews for which details have not been previously provided in the 2022/23 Progress Report to the Audit Committee is provided in Annex C. These finding do not indicate any significant Council-wide weaknesses in the corporate governance, risk or control framework.
18. A reconciliation to the work performed to the approved Audit & Assurance Plan for 2022/23 is provided in Annex D.
19. Where appropriate, reliance has been placed upon previous internal audit work and other work performed by Mid Kent Audit, including:
· The unqualified 2021/22 Head of Audit Opinion and the findings of previous years’ internal audit work carried out (paras 20 below refers).
· The outcomes of the follow up work carried out to confirm control weaknesses identified by internal audit have been effectively mitigated (paras 21 - 22 below refers).
· The outcomes of other work performed by Mid Kent Audit for the Council (para 23 below refers).
20. Previous years’ internal audit work: The unqualified opinion Internal Audit Report for 2021/22 advised that there were three audit review carried out by Mid Kent Audit during the financial year where there were assurance assessments of ‘Weak’ or ‘Poor’.
21. Following up Actions: Actions are made in the audit reports to further strengthen the control environment in the area reviewed. Management provide responses as to how the risk identified is to be mitigated. Throughout the year Mid Kent Audit carried out checks to ascertain the extent to which the agreed Actions had been addressed by management and that the risk exposure identified has been mitigated.
22. During 2022/23, 37 Actions were followed up and the table below summarises the extent to which the identified risk exposure have been mitigated. These 37 Actions include all those either made in 2021/22, or carried forward from a previous financial year. There were no Priority 1 (Critical) and 6 Priority 2 (High) Actions and as set out below.
|
Extent of control risk mitigation |
Number of Actions by Priority Rating |
|||
|
Critical |
High |
Medium |
Low |
|
|
Opening Number |
- |
6 |
20 |
25 |
|
Current Status: Cleared |
|
5 |
9 |
23 |
|
Not yet actioned |
|
1 |
11 |
2 |
23. Outcomes of other work carried out by Mid Kent Audit: Work was carried out on the Section 31 Grant Determination 31/6499 Biodiversity Net Gain certification. The Head of the Audit Partnership reviewed the certification completed by the council on grant spend and provided a signed assurance confirming it was in line with the guidance.
Reliance on other sources of assurance
24. For the reasons set out earlier in the Report it has been necessary for 2022/23 to place some reliance upon a number of ‘other assurance providers’ and these are summarised below:
· Cyber Health Check undertaken by Zurich (para 25 refers.
· Covid 19 Business Grant assurance schemes (para 26 refers)
· Environment Agency Audit of Hazardous Waste and Environmental permits (para 27 refers).
· Federation of Burial and Cremation Authorities inspection and Emissions testing report (para 28 refers)
27. The Environment Agency conduct Annual inspection audits based on the Hazardous Waste Regulations 2005 and the Environmental Permitting Regulations to ensure compliance of how we store and dispose of waste materials. There were no areas of noncompliance identified during these audits.
28. The Federation of Burial and cremation Authorities have conducted an inspection and Emissions testing review which is undertaken every 5 years.
The Crematorium scored a 92% Compliance score and a 71% Environmental Awareness score which are both in line with industry standards. An improvement plan has been created which Internal audit will monitor the progress of improvements throughout the course of the year.
MKA
29. Information on Mid Kent Audit which supports the delivery of the internal audit and other work carried out in the financial year is summarised in Annex E. Overall, despite the significant staffing changes during the year, Mid Kent Audit has maintained a PSIAS compliant service and there has been no diminution in the robustness of the work performed.
Acknowledgements
30. Managers, Officers and Members are thanked for their continued support throughout the year which has assisted in the efficient delivery of the audit work
Annex A
Other Sources of assurance for 2022/23
The corporate governance, risk and control framework
The corporate governance, risk and control framework for the Council is dynamic and there will be changes to the processes throughout the year. The key consideration for arriving at the annual Head of Audit Opinion is the materially of any changes in terms of possibly increasing the exposure of the Council to activities and decisions which do not conform with the approved strategies and policies.
Obtaining additional sources of assurance
During the COVID Pandemic CIPFA provided guidance on utilising other forms of assurance to support arriving at a Head of Audit Opinion. This means that where the agreed internal audit plan of work has not been fully carried out additional assurances can be obtained from ‘other assurance providers’ (this being the CIPFA terminology).
Three lines of defence
The three lines of defence model, below, explains how the level of assurance that can be taken by the Head of Audit reduces if the source of assurance is from the second line of defence and reduces even further if it is from the third line of defence.
As a consequence the additional assurance utilised to assist in supporting the 2022/23 Head of Audit Opinion has only relied upon second line of defence sources of assurance (i.e. where the author is not directly involved in the day-to-day operation of the corporate governance, risk and control arrangements they are reporting upon.
Reduction in reliance due to passage of time
Due to the dynamic nature of the corporate governance, risk and control framework for the Council the reliance which can be placed on forms of assurance reduces as time passes. This has particularly been the case over the last two financial years with all the short-notice changes that were made to respond to the business disruption due to the COVID 19 pandemic. As a consequence the additional assurance placed on work carried out prior to the start of 2022/23 has been kept to a minimum.
Annex B
Assurance and priority level definitions
|
Full Definition |
Short Description |
|
Strong – Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk. Reports with this rating will have few, if any, recommendations and those will generally be priority 4. |
Service/system is performing well |
|
Sound – Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks. Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service. |
Service/system is operating effectively |
|
Weak – Controls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims. Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service. |
Service/system requires support to consistently operate effectively |
|
Poor – Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will or are preventing from achieving its core objectives. |
Service/system is not operating effectively |
Finding, Recommendation and Action Ratings
Priority 1 (Critical) – To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority. Priority 1 recommendations are likely to require immediate remedial action. Priority 1 recommendations also describe actions the authority must take without delay.
Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment. This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical. Priority 2 recommendations also describe actions the authority must take.
Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority. There will often be mitigating controls that, at least to some extent, limit impact. Priority 3 recommendations are likely to require remedial action within six months to a year. Priority 3 recommendations describe actions the authority should take.
Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities. There will usually be mitigating controls to limit impact. Priority 4 recommendations are likely to require remedial action within the year. Priority 4 recommendations generally describe actions the authority could take.
Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve. These will be included for the service to consider and not be subject to formal follow up process.
Annex C
Summary of Audit Findings
Sound
We found that Workforce Strategies for both Councils (Swale and Maidstone) reflect strategic and corporate plans, and that their development and content reflect current best practice. This included effective liaison with officers to determine current and future workforce needs. That said, Maidstone Borough Council's workforce strategy needs updating, having covered the period 2016-20.
Actions defined within workforce strategies and those taken to support the workforce are based on sound information from a variety of sources. This includes provision of a comprehensive Learning & Development Plan aimed at supporting the workforce and cultivating talent so that future workforce needs can be met from within. We could see progress against defined actions, as well as reactive workforce planning taken in response to changes to the internal and external environment. This demonstrates that actions are not limited to those documented in long term strategies.
We note that while workforce strategies are approved at Committee level, reports around progress are not required at this level for either Council. Current oversight is achieved through quarterly reporting to, and regular liaison with senior management.
Strong
Our audit looked at the project management governance and procedures that are in place for ICT Project Management. This included assessing the terms of reference and operation of the JCG as well as assessing how arising actions are tracked. As part of this, we assessed two of the meeting minutes from July 2022 and September 2022 and noted that the JCG is operating effectively with regards to tracking actions arising from ICT projects.
Proceeding with a project must go through both an acknowledgement and approval process. Acknowledgment of a project is done to demonstrate that the relevant request is a project and not an aspirational idea. This is done by having a set of achievable outcomes in addition to having a set series of tasks associated with the project. Approval of the project is done when the relevant delivery plan is in place within Wrike and is displayed through a Gantt chart detailing the necessary steps for the delivery of the project. While acknowledgement and approval was conducted for customer facing projects, this was not the case for infrastructure projects which go through a more streamlined process due to the type of work involved.
As part of our testing, we assessed a sample of five ICT projects to determine whether they were commissioned and monitored in line with expectations. This included assessing whether value for money was being achieved. During our testing we noted that these projects were commissioned and monitored in line with expectations and any cost implications of a project would be assessed during the initial stages through ensuring that it had the appropriate level of funding and financial backing from the project sponsor. Furthermore, infrastructure projects bring value through the work that is conducted, for instance the Outlook mailbox migration allows for a better end user experience.
Discretionary Housing Payments
Sound
Discretionary Housing Payments (DHPs) are administered by the Revenues and Benefits Team. This operates across Maidstone and Tunbridge Wells Borough Councils.
Our testing found that controls were generally well designed and operated. However, we found a lack of internal procedure notes around two key areas of Quality Assurance, and Management Approval of High Value Claims (over £2,000).
In relation to Quality Assurance the Service had no written guidelines explaining the purpose, parameters and method of quality assurance checks. Where parameter changes had taken place, we were unable to obtain written senior management approvals of such.
For High Value Claims, whilst an operational procedure for the management approval of these claims was verbally recognised within the team, we found approvals were not always sought in practice. Where approvals had been sought, information evidencing these was not retained in a shared area, as per the procedure.
Policy, recommended guidance, and established operational processes, were generally followed. However, minor administrative inconsistencies - presenting opportunity for improvement - were noted across all controls.
Food Safety
Sound
The audit confirmed that the team have sufficient controls in place to implement the food hygiene rating system in accordance with the Food law code of practice (England). We confirmed that the service followed the FSA Local Authority Recovery Plan guidance to prioritise inspections during the recovery phase and review of an outstanding inspections report verified that the team are now caught up with routine inspections. Testing confirmed that the majority or newly registered business had been inspected within the required time scales. Officers are suitably trained and ongoing CPD arrangements are in place to maintain competencies. In addition there are adequate procedures in place to deal with complaints and appeals.
However, there are areas where improvements could be made, particularly around record keeping. In addition there is a need for standard operating procedures be reviewed and updated as the audit identified instances where documented procedures do not align to current working practices.
Business Continuity
Sound
The Council has an approved and up-to-date Business Continuity Management Policy, which the service is collaborating with the Digital Team to make available to staff via the Intranet.
We found the Council’s Overarching Business Continuity Plan has not been revised since its inception in 2016. We have been informed that a review is underway.
Our testing highlighted that critical services Business Continuity Plans are out of date. The majority were last updated in October 2020, but one has not been updated since December 2016. As a result, we found officer roles and responsibilities have changed during this period with some having left the Council. We also noted a disparity between the type and level of information recorded within the critical service Business Continuity Plans, which also included missing appendices.
The service has worked to update all 18 critical Business Continuity Plans through the issuing of a Business Impact Analysis Questionnaire (BIAQ) (April 2022). Our testing found that 10/18 critical services returned their questionnaire. Four critical services updated their Business Continuity without returning their BIAQ, and four critical services failed to return their (BIAQ) or update their Business Continuity Plan.
Staff responsible for Business Continuity delivery are suitably qualified and trained. Likewise, Business Continuity is promoted to local businesses and the voluntary sector through the parish meetings
Annex D
Reconciliation of the approved 2022/23 Internal Audit Plan
The Position column provides the position as at 31 May 2022 and with the exception of the shaded reviews, does not warrant that this will be the final position for any of these reviews. The highlighted rows, below, are the reviews which informed the 2022/23 Head of Audit Opinion statement.
It was acknowledged that there can be a time-lag between issue of the draft report and the subsequent finalisation of an audit report. The ‘Agreed Draft’ status signifies that management has accepted the assurance grading provided for the review and is substantially in agreement with the detailed findings. The management responses to the Actions have not yet been provided. Consequently, for the purposes of providing the Head of Audit Opinion audit reviews which have reached Agreed Draft have been included.
|
Audit Review |
Po Position at 31 May 2023 |
|
Planning Performance Agreements |
Finalised |
|
IT Project Management |
Finalised |
|
Property Acquisition and Disposals |
Finalised |
|
Crematorium |
Finalised |
|
Workforce Planning |
Finalised |
|
Discretionary Housing Payments |
Finalised |
|
Capital Projects Funding |
Work in progress |
|
Member Development |
Work in progress |
|
Property Income |
Work in progress |
|
Facilities Management |
Work in progress |
|
Food Safety |
Agreed Draft |
|
Private Water Supply |
Work in progress |
|
Business Continuity |
Agreed Draft |
|
IT Backup and Recovery |
Postponed until 2023/24 |
|
Network Security |
Dropped - replaced by Cyber security audit in 2023/24 |
|
CCTV Monitoring |
Postponed until 2024/25 |
|
Theatre Operations |
Postponed until 2024/25 |
Annex E
About Mid Kent Audit
Standards and ethical compliance
A. Government sets out the professional standards that Mid Kent Audit must work to in the Public Sector Internal Audit Standards (PSIAS). These Standards are a strengthened version of the Institute of Internal Audit’s global internal audit standards, which apply across public, private and voluntary sectors in more than 170 countries around the world.
B. The Standards include a specific demand for reporting to Senior Management and the Audit Committee on Mid Kent Audit’s conformance with the Standards.
Conformance with the PSIAS
C. CIPFA carried out a comprehensive External Quality Assessment (EQA) in May 2020 which confirmed that MKA was in full conformance with the Standards and the CIPFA Local Government Application Note (LGAN). The Standards requires an EQA to be carried out at least once every five years, but does not stipulate specific time intervals for Internal Quality Self-Assessments (ISA) in the intervening period.
D. In February 2021 the interim Head of Audit for Mid Kent Audit carried out an ISA of conformance with the PSIAS. This review confirmed conformance with the PSIAS and raised 13 advisory or low priority action points. These points are currently being reviewed and managed by the substantive Head of Mid Kent Audit.
E. The scope of this ISA did not include consideration of either the risk management or counter fraud work carried out by MKA. The scope did not include consideration of the resourcing of MKA, the audit risk prioritisation process or the appropriateness of the times allocated to the different stages of individual audit assignments.
Resources
F. 2022/23 was a year of unprecedented staff change within Mid Kent Audit. Details of a number of these changes have previously been reported to the Audit Committee in the reports submitted by Mid Kent Audit. At the end of the financial year there were significant vacancies in the management of the partnership and the substantive Head of Mid Kent Audit has been undertaking a review of the staffing requirements to ensure the service is future proofed and fit for purpose to deliver the service required by our partners. This review has now been completed and recruitment is underway. There will still be an impact during 2023/24, but the position will improve over the course of the year.
Use of an external provider to assist with audit reviews
G. In September 2022, following a procurement process, Veritau was appointed to carry out a number of the audit reviews for which Mid Kent Audit did not have the available resources in-house. This reflects that Mid Kent Audit has ensured the difficulties with staffing experienced during the year have been partially mitigated.