Russell Heppleston, the Deputy Head of Audit Partnership, presented the Internal Audit and Assurance Plan for 2018/19, which set out the Service’s risk-based work for the year ahead. It was noted that the Plan included relevant sections extracted from the Public Sector Internal Audit Standards – which specified the requirements that a Head of Audit must meet – as well as how it had been compiled and how it was proposed to manage its delivery.
Mr Heppleston began his summary of the Plan by drawing attention to the key risks faced by the four authorities within the partnership, which included such matters as (i) the impending General Data Protection Regulations and (ii) cybersecurity, the latter involving external IT audit expertise, accessed under local and regional framework contracts.
Mr Heppleston next ran through the proposed audit work for the year ahead, which was set out in the order of the three directorates of the authority. The Plan described how the audit work planned also included a ‘non-project’ element, covering activities such as; risk; counter-fraud; member support; recommendation follow-up; and audit planning.
Before opening up the meeting for questions, the Chairman of the meeting wished to place on record his thanks to Mr Heppleston and the Audit team, adding that he had always been a strong supporter of partnership working and the benefits that it brought to the authority.
Mr Quigley drew attention to paragraph 6 of the introduction section of the Plan. He asked what the impact was of not being able to address all of the Council’s risks across the 12 month period. Mr Heppleston said that, while it was difficult to quantify the impact of not being able to address all of the Council’s risks, the planning process did include consideration of wider assurances, upon which Internal Audit might place reliance, such as a service obtaining external accreditation. Mr Heppleston added that the Plan was reactive – and had contingency – so that if a risk were identified, it would be added, if necessary.
Mr Quigley also asked about the issue of cybersecurity; he sought reassurance that this was being addressed in a robust way and asked that the Committee be informed if there were any potential problems emerging during the work. Mr Heppleston advised that access to specialist expertise was guaranteed as the Partnership had just signed into the Apex framework with Croydon. He added that, while the precise work was still to be fully scoped, the Committee would be made aware of any key issues following the usual process. He reassured Mr Quigley that, should there be a potential problem, he would report this to the Committee during the year.
Parish Councillor Coleman said that, with a service such as Building Control, it was difficult to undertake a risk-based audit, as it had to compete with a private sector alternative. He sought clarification on whether the audit would investigate the impact of private sector competition. Mr Heppleston advised that, while individual reviews would be scoped in advance of the audit, a financial controls audit would look at how income was collected and banked and charged in accordance with the Council’s agreed fees and charges. He added that operational and technical compliance would usually take the form of a separate review.
On the operational aspect, Parish Councillor Coleman asked whether the scope of the review would extend to the Kent Fire and Rescue Service, which the Council required information from in order to fulfil its duties. Mr Heppleston said that the audit would focus on whether the service was operating in full compliance with its agreed procedures and controls, so if the Council were placing reliance on information received from external sources – such as Fire and Rescue – then it would be taken into consideration.
(1) That the Internal Audit and Assurance Plan for 2018/19 be approved;
(2) That the view of the Head of Audit Partnership, that the Partnership has sufficient resources to deliver the Plan and a robust Head of Audit Opinion, be noted; and
(3) That the Head of Audit Partnership’s assurance that the Plan is compiled independently and without inappropriate influence from management be noted.