Interim Internal Audit & Assurance Report

 

[i]

 

November 2019
Maidstone Borough Council


Introduction

1.             The Institute of Internal Audit gives the mission of internal audit: to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

2.             The mission and its associated code of ethics and Standards govern over 200,000 professionals in businesses and organisations around the world.  Within UK Local Government, authority for internal audit stems from the Accounts and Audit Regulations 2015.  The Regulations state services must follow the Public Sector Internal Audit Standards – an adapted and more demanding version of the global standards.  Those Standards set demands for our reporting:

Audit Charter

3.             This Committee approved our Audit Charter in September 2019 and it remains in place through the audit year.


 

Independence of internal audit

4.             Mid Kent Audit works as a shared service between Ashford, Maidstone, Swale and Tunbridge Wells Borough Councils. A Shared Service Board including representatives from each council supervises our work based on our collaboration agreement.

5.             Within Maidstone BC during 2019/20 we have continued to enjoy complete and unfettered access to officers and records to complete our work.  On no occasion have officers or Members sought or gained undue influence over our scope or findings.

6.             I confirm we have worked with full independence as defined in our Audit Charter and Standard 1100.

Management response to risk

7.             We include the results of our work in the year so far later in this report.  In our work we often raise recommendations for management action.  During the year so far management have agreed to act on all recommendations we have raised.  We report on progress towards implementation in the section titled Recommendation Follow Up Results.

8.             There are no risks we have identified in our work that we believe management have unreasonably accepted.

Resource Requirements

9.             We reported in our plan presented to this Committee in March 2019 an assessment on the resources available to the audit partnership for completing work at the Council.  That review decided:

…we believe we have enough resource to deliver the 2019/20 plan

10.         Since that plan we have had considerable changes in staffing, including losing two (and possibly three) members of the team to other internal audit services in Kent.  However, considering extra contractor support available to us through the Apex Contract managed by LB Croydon, new recruits to the team and people returning from maternity leave we remain content we have enough resource to deliver the plan.


 

Audit Plan Progress

11.         This Committee approved our Annual Audit & Assurance Plan 2019/20 on 18 March 2019.  The plan set out an intended number of days devoted to each of various tasks.  We began work on the plan during May 2019 and expect to complete enough to form our Annual Opinion by June 2020.

12.         The table below shows progress in total number of days delivered against the plan (figures are up to end of October 2019, about 40% through the audit year).


| Category | 2019/20 Plan Days | Outturn at Interim | Days Remaining |
|---|---|---|---|
| 2018/19 Assurance Projects | 0 | 28 | n/a |
| 2019/20 Assurance Projects | 331 | 74 | 257 |
| Non project assurance work[1] | 159 | 60 | 99 |
| Unallocated contingency | 50 | 39 | 11 |
| Totals (19/20 Work Only) | 540 | 173 | 367 |

 

13.         Based on resources available to the partnership for the rest of the year we forecast delivery of around 335 further audit days.  This creates a forecast total of 508, or 94% of planned days. 

14.         We detail the specifics, and results, of this progress further within this report.

 


Results of Audit Work

15.         The tables below summarise audit project findings and outturn up to the date of this report.  Where there are material matters finished between report issue and committee meeting we will provide a verbal update.  (* = days split between partners, MBC only shown).

Completed Assurance Projects Since Annual Report in June 2019

 

| Ref | Title | Days Spent | Report Issue | Assurance Rating | Notes |
|---|---|---|---|---|---|
| | 2018/19 Plan Projects Issued after 1 June 2019 | | | | |
| | Licensing Administration | 8* | Jun-19 | Sound | Reported to Members July 2019 |
| | Building Control | 30 | Jun-19 | Sound | Reported to Members July 2019 |
| | Revenues & Benefits Compliance Team | 9* | Jul-19 | Sound | Reported to Members July 2019 |
| | Declarations of Interest | 16 | Jul-19 | Weak | Reported to Members July 2019 |
| | General Data Protection Regulations | 6* | Jul-19 | N/A | Reported to Members July 2019 |
| I | Council Tax Reduction Scheme | 8* | Aug-19 | Sound | |
| II | Transformation | 30 | Aug-19 | Sound | |
| IV | Cyber Security | 8* | Oct-19 | Sound | |
| | 2019/20 Plan Projects Issued up to Report Date | | | | |
| III | Corporate Credit Cards | 15 | Oct-19 | Sound | |
| V | Recruitment | 8* | Oct-19 | Sound | |

 


 

Assurance Projects Underway

| Title | Days So Far | Expected Final Report | Notes / Stage |
|---|---|---|---|
| Planning Enforcement | 15 | Nov-19 | Draft report issued |
| Civil Parking Enforcement | 10* | Nov-19 | Draft report issued |
| Commercial Waste | 19 | Nov-19 | Fieldwork complete |
| Parks | 11 | Dec-19 | Fieldwork complete |
| Health & Safety | 21 | Dec-19 | Fieldwork complete |
| Council Tax Billing | 3* | Dec-19 | Fieldwork underway |
| Discretionary Housing Payments | 1* | Jan-20 | Planning |
| Social Media | 2 | Jan-20 | Planning |


Assurance Projects Yet to Begin But Scheduled

| Title | Expected Start | Expected Report | Notes |
|---|---|---|---|
| Treasury Management | Quarter 3 | Feb-20 | |
| Planning Discharge Conditions | Quarter 3 | Feb-20 | |
| ICT Technical Support | Quarter 3 | Feb-20 | Joint with SBC & TWBC |
| Universal Credit | Quarter 3 | Mar-20 | Joint with TWBC |
| Waste Crime Team | Quarter 4 | Apr-20 | |
| Information Management | Quarter 4 | Apr-20 | Cross partnership |
| Network Security | Quarter 4 | May-20 | Cross partnership |
| Planning Administration | Quarter 4 | May-20 | Joint with SBC |

We will continue to keep these projects under review because of our available resources and the changing risk position at the authority.


Audit Project Summary Results

I: Council Tax Reduction Scheme (August 2019)

16.         Our opinion based on our audit work is that the Service has Sound controls in place to manage its risks and support achievement of its objectives relating to the council tax reduction scheme. 

17.         The council tax reduction scheme has been appropriately approved and is being monitored through appropriate performance indicators which are regularly reported to appropriate levels within both Councils. 

18.         Our testing found that all claims sampled were verified, assessed and awarded in line with the scheme.  However, the Data Protection declaration present on the Council Tax Support application form did not include all required text recommended by the Information Commissioner’s Office in the most recent guidance on privacy statements.

Recommendation summary

II: Transformation (August 2019)

19.         Our opinion based on our audit work is that the Council has SOUND controls in place to manage its risks and support achievement of its objectives.

26.         Reviews are assessed on receipt, in line with the Council’s priorities and resources available.  Projects are well governed, with a project board or relevant officers overseeing them.  Recommendations are tracked and update reports on the progress and implementation of actions are communicated to the project board.  The team reflect upon lessons learnt to improve future reviews.

27.         Records of key decisions for individual reviews, such as agreement of objectives, are not retained.  There is no monitoring of planned dates against dates when projects were delivered, so there is no way to identify project overruns retrospectively.  Where the Trello board is used there was a clearer link between the evidence and findings than when working papers are stored on the shared drive.

Recommendation Summary

III: Corporate Credit Cards (October 2019)

28.         Our opinion based on our audit work is that the Service has Sound controls in place to manage its risks and support achievement of its objectives relating to Corporate Credit Cards. 

29.         It is the responsibility of Finance to provide oversight of the corporate credit card process, and for cardholders to uphold the conditions outlined in the Council’s Corporate Credit Card (CCC) policy, which was last refreshed in November 2018.  The CCC policy must be upheld in conjunction with the Council’s Financial Procedures, Gifts & Hospitality, Travel & Subsistence, and Non-Cash Reward Policies.

30.         The audit confirmed that generally the CCC policy is followed, with effective controls in place which ensure segregation of duties and detect contravention.  Our testing returned largely positive results but did identify a few minor findings with opportunities to tighten application of the controls.  These include reminding cardholders to provide receipts or to complete a ‘Card Purchase – No Receipt’ form to substantiate all credit card transactions and periodically reviewing cardholder limits to ensure they are appropriate.

Recommendation Summary


 

IV: Cyber Security (October 2019)

31.         Following recent cyber-related attacks experienced by well-established organisations including Councils and the NHS, cyber security has become a high-profile risk at many organisations concerned about suffering a similar attack themselves. 

32.         The HMG Cyber Essentials framework has been developed by Government and industry to provide a clear statement of the basic controls that all organisations should implement to mitigate the risk from internet-based threats, within the context of the 10 Steps to Cyber Security. The Cyber Essentials scheme defines a set of controls which, when correctly implemented, will provide organisations with basic protection from the most prevalent forms of threats derived from the Internet. In particular, it focuses on threats which require low levels of attacker skill, and which are widely available online.

33.         Risk management is a vital starting point for organisations to act to protect their information and data. However, given the nature of the threat, the government believes that action should begin with a core set of security controls which all organisations – large and small – should implement.  Cyber Essentials does not offer a solution to remove all cyber security risk; for example, it is not designed to address more advanced, targeted attacks, and hence organisations facing these threats will need to implement additional measures as part of their security strategy.

34.         There is a Cyber Essentials Assurance Framework that offers a mechanism for organisations to demonstrate to customers, investors, insurers and others that they have taken these essential precautions. The level one Cyber Essentials certification is awarded on the basis of a verified self-assessment. An organisation undertakes their own assessment of their implementation of the Cyber Essentials control themes via a questionnaire, which is approved by a senior executive such as the CEO. This questionnaire is then verified by an independent accredited Certification Body to assess whether an appropriate standard has been achieved, and certification can be awarded.  The level two (Cyber Essentials Plus) certification requires an independent vulnerability assessment to validate the effectiveness of controls declared in the self-assessment questionnaire.

35.         Please note this audit was carried out based on the Cyber Essentials principles.

36.         Our opinion based on our audit work is that the IT service has SOUND controls in place to manage its risks and support achievement of its objectives.

 

Recommendation summary

V: Recruitment (October 2019)

37.         Our opinion based on our audit work is that there are Sound controls in place to manage risks and support achievement of objectives in relation to Recruitment.

40.         We found the majority of the council's controls, to mitigate the risk of being unable to recruit staff with the right skills to deliver priorities, are well designed and fully operating.

41.         Our testing established the service maintains a workforce strategy at each council and joint recruitment and selection policy/procedures, which are regularly reviewed. These key documents provide a framework upon which the recruitment process is based.

42.         Recruitment roles are clearly defined and both Councils offer extensive staff rewards, which are continuously reviewed for appropriateness and adequacy.

43.         Our testing of the recruitment process established compliance with procedures in all areas apart from training and retention of interview notes. Not all interview panels have an officer who has received recruitment and selection training. It is also unclear if they have instead satisfied the training requirement based on their experience.

44.         Evidence of interview notes was not always saved; without these we could not establish if the selection process was completely fair and transparent. We have made recommendations to address these areas.

Recommendation summary


Agreed Actions Follow Up Results

45.         Our approach to agreed actions is that we follow up each as it falls due in line with the plan agreed with management when we finish our reporting.  We report progress on implementation to Corporate Leadership Team each quarter. This includes noting any matters of continuing concern and where we have revisited an assurance rating (typically after addressing key actions).

46.         In total, we summarise in the table below the current position on following up agreed actions:

| Project | Total | High Priority | Medium Priority | Low Priority |
|---|---|---|---|---|
| Actions brought into 2019/20 | 33 | 10 | 12 | 11 |
| New actions agreed in 2019/20 | 68 | 10 | 28 | 30 |
| Total Actions Agreed | 101 | 20 | 40 | 41 |
| Fulfilled by 30 September 2019 | 52 | 13 | 22 | 17 |
| Actions cfwd past 30 September | 49 | 7 | 18 | 24 |
| Not Yet Due | 34 | 3 | 10 | 21 |
| Delayed but no extra risk | 15 | 4 | 8 | 3 |
| Delayed with risk exposure | 0 | 0 | 0 | 0 |

 

47.         The four deferred high priority actions fall between three reviews.

·         Animal Welfare Controls: The Council has experienced delays in re-procuring its stray dog collection service.  We now expect these actions before the end of 2019/20.  In the meantime the Council continues close supervision of its existing supplier.

·         Declarations of Interest: The Legal Service leading this work has sought to extend the timing for action to allow it to develop a more sustainable long term platform for managing declarations than a simple spreadsheet or listing.  Action is underway and we will follow up again early in the New Year.

·         Licensing: The service has reissued one of the incorrect licenses that formed the basis of our finding and is seeking further legal advice on the other. It is working towards the training and system improvements that reduce the risk of future recurrence.  We will follow up again early in the New Year.


 

48.         The table below shows distribution of outstanding recommendations across the Council (filtered to show only recommendations relevant to Maidstone). Note the numbers will not tally exactly with the table above because this includes recommendations raised in draft reports and therefore not yet final.

 


 

Other Audit Service Work

Risk Management Update

49.         We will present a full update on risk management at the next meeting of this Committee.

Counter Fraud Update

50.         We consider counter fraud and corruption risks in all of our audit engagements when considering the effectiveness of control.  We also undertake distinct work to assess and support the Council’s arrangements.

Investigations

51.         We have liaised with a specialist division of the Police Service, the National Investigation Service (NATIS) concerning a long running investigation.  We hope to provide more information on this investigation in due course.

52.         We have also investigated a specific allegation from a member of the public concerning bribery and corruption within the Council’s planning service.  We found no evidence to substantiate the allegation.

Whistleblowing

53.         The Council’s whistleblowing policy names internal audit as one route through which Members and officers can safely raise concerns on inappropriate or even criminal behaviour.

54.         We have so far had no matters raised with us through the Whistleblowing Policy this year.

National Fraud Initiative

55.         We continue to coordinate the Council’s response to the National Fraud Initiative (NFI).  NFI is a statutory data matching project and we must send in various forms of data to the Cabinet Office who manage the exercise.


 

56.         We have looked into matches from non-revenues datasets.  The Cabinet Office assigns a ‘risk’ rating to each match on a percentage scale.  Our approach is to review all matches in sets with fewer than 20 to examine, and to look first at matches rated over 50% risk in larger data sets.  The Cabinet Office does not expect authorities to look into every match.

57.         The table below sets out results so far for the data sets within Mid Kent Audit’s scope:

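| Dataset | Matches to investigate | Completed | Frauds | Errors | Value |
|---|---|---|---|---|---|
| Creditors | 112 | 57 | 0 | 0 | 0 |
| Payroll | 8 | 7 | 0 | 0 | 0 |
| Housing Waiting List | 43 | 36 | 0 | 1 | 0 |
| Procurement | 8 | 2 | 0 | 0 | 0 |
| Licensing | 6 | 6 | 0 | 0 | 0 |
| Totals | 177 | 108 | 0 | 1 | 0 |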

 

58.         We are working towards completing the investigations by the end of the year.  The Cabinet Office plans to issue a new data set in January 2021.

Other Audit and Advice Work

59.         We also continue to undertake a broad range of special and scheduled consultancy and advice work for the Council.  Examples include our attendance at Information Governance and Corporate Governance Groups and as part of the Wider Management Team. We have also completed specific reviews looking at individual parts of the Council’s control environment at the request of officers.

60.         We have undertaken two serious case reviews for the Council as commissioned by the Kent Safeguarding Board.  These follow serious, often fatal, incidents and co-ordinate across agencies to consider how each served and worked with the family involved.  We will attend a final panel meeting on one of these reviews in December.

61.         One by-product of the new external audit arrangements is that the housing benefit certification exercise now falls outside central contracts and authorities must separately commission the review from a relevant accountant (which cannot be the Council’s internal auditors).  In Mid Kent Audit, though, we have significant housing benefit expertise including a Head of Audit Partnership who formerly led the Audit Commission’s regional work on housing benefits and two auditors who formerly worked as benefits assessors. 

62.         After reaching agreement with the Council’s external auditors we took on a significant proportion of the testing the Council would otherwise have paid Grant Thornton to complete. That work is nearing completion ahead of the 30 November claim deadline and will have saved the Council around £8,000.

63.         We have also led and contributed to a series of Member briefings at the Council on issues of governance interest.  We are keen to hear from Members on any other areas of interest which may form future briefing sessions.

64.         We remain engaged and flexible in seeking to meet the assurance needs of the Council. We are happy to discuss opportunities large and small where the Council can usefully employ the experience and expertise of the audit team.


 

Code of Ethics and Standards Compliance

Code of Ethics

65.         This Code applies specifically to internal auditors, though individuals within the team must comply with similar Codes for their own professional bodies.  The Standards also direct auditors in the public sector to consider the Committee on Standards in Public Life’s Seven Principles of Public Life (the “Nolan Principles”).

66.         We have included the Code within our Audit Manual and training for some years.  We also have policies and guidance in place on certain specifics, such as managing and reporting conflicts of interest.

67.         We can report to Members we remain in conformance with the Code. 

Public Sector Internal Audit Standards & External Quality Assessment

68.         Under the Public Sector Internal Audit Standards we must each year assess our conformance to those standards and report the results of that assessment to Members.

69.         As described in previous updates, 2019/20 is the fifth year since we underwent an external independent assessment and so we require a fresh review.  We aim to put this work out to contract before the end of November working towards having a final report complete in the spring.

70.         Based on our self-assessments we continue to work in full conformance with the Standards.

Acknowledgements

71.         We achieve these results through the hard work and dedication of our team and the resilience that comes from working a shared service across four authorities.

72.         As a management team in Mid Kent Audit, we wish to send our public thanks to the team for their work through the year so far.

73.         We would also like to thank Managers, Officers and Members for their continued support as we complete our audit work during the year.

Annex: Assurance & Priority level definitions

Assurance Ratings 2019/20 (Unchanged from 2014/15)

Full Definition

Short Description

Strong – Controls within the service are well designed and operating as intended, exposing the service to no uncontrolled risk.  There will also often be elements of good practice or value for money efficiencies which may be instructive to other authorities.  Reports with this rating will have few, if any, recommendations and those will generally be priority 4.

Service/system is performing well

Sound – Controls within the service are generally well designed and operated but there are some opportunities for improvement, particularly with regard to efficiency or to address less significant uncontrolled operational risks.  Reports with this rating will have some priority 3 and 4 recommendations, and occasionally priority 2 recommendations where they do not speak to core elements of the service.

Service/system is operating effectively

Weak – Controls within the service have deficiencies in their design and/or operation that leave it exposed to uncontrolled operational risk and/or failure to achieve key service aims.  Reports with this rating will have mainly priority 2 and 3 recommendations which will often describe weaknesses with core elements of the service.

Service/system requires support to consistently operate effectively

Poor – Controls within the service are deficient to the extent that the service is exposed to actual failure or significant risk and these failures and risks are likely to affect the Council as a whole. Reports with this rating will have priority 1 and/or a range of priority 2 recommendations which, taken together, will prevent, or are preventing, achievement of its core objectives.

Service/system is not operating effectively

 


Recommendation Ratings 2019/20 (unchanged from 2014/15)

Priority 1 (Critical) – To address a finding which affects (negatively) the risk rating assigned to a Council strategic risk or seriously impairs its ability to achieve a key priority.  Priority 1 recommendations are likely to require immediate remedial action.  Priority 1 recommendations also describe actions the authority must take without delay.

Priority 2 (High) – To address a finding which impacts a strategic risk or key priority, which makes achievement of the Council’s aims more challenging but not necessarily cause severe impediment.  This would also normally be the priority assigned to recommendations that address a finding that the Council is in (actual or potential) breach of a legal responsibility, unless the consequences of non-compliance are severe. Priority 2 recommendations are likely to require remedial action at the next available opportunity, or as soon as is practical.  Priority 2 recommendations also describe actions the authority must take.

Priority 3 (Medium) – To address a finding where the Council is in (actual or potential) breach of its own policy or a less prominent legal responsibility but does not impact directly on a strategic risk or key priority.  There will often be mitigating controls that, at least to some extent, limit impact.  Priority 3 recommendations are likely to require remedial action within six months to a year.  Priority 3 recommendations describe actions the authority should take.

Priority 4 (Low) – To address a finding where the Council is in (actual or potential) breach of its own policy but no legal responsibility and where there is trivial, if any, impact on strategic risks or key priorities.  There will usually be mitigating controls to limit impact.  Priority 4 recommendations are likely to require remedial action within the year.  Priority 4 recommendations generally describe actions the authority could take.

Advisory – We will include in the report notes drawn from our experience across the partner authorities where the service has opportunities to improve.  These will be included for the service to consider and not be subject to formal follow up process.



[1] Non-assurance project work includes our work in the fields of Risk Management, Counter Fraud and Investigative Support, following up recommendations and annual audit planning.



[i] Photograph of the River Medway running through Maidstone courtesy of Louise Taylor of the Mid Kent Audit Team.