Internal Audit Plan

2020-21 / 2022-23

Mole Valley District Council

 Draft Internal Audit Plan 2020-21 / 2022-23

Contents

Introduction …………………………………………………………………………………………… 3

Your Internal Audit Team …………………………………………………………………………………………… 4

Conformance with Internal Audit Standards …………………………………………………………………………………………… 4

Conflicts of Interest …………………………………………………………………………………………… 4

MVDC Council Strategy …………………………………………………………………………………………… 5

Council Risk …………………………………………………………………………………………… 6

Developing the internal audit plan 2020-21 / 2022 -23 …………………………………………………………………………………………… 7

Internal Audit Plan 2020-21 / 2022-23 …………………………………………………………………………………………… 8 – 16

2
 Draft Internal Audit Plan 2020-21 / 2022-23

Introduction

The role of internal audit is that of an:

‘Independent, objective assurance and consulting activity designed to add value and improve an organisations operations. It helps an organisation
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and
governance processes’.

The Council is responsible for establishing and maintaining appropriate risk management processes, control systems, accounting records and governance
arrangements. Internal audit plays a vital role in advising the Council that these arrangements are in place and operating effectively.

The Council’s response to internal audit activity should lead to the strengthening of the control environment and, therefore, contribute to the achievement
of the organisation’s objectives.

The aim of internal audit’s work programme is to provide independent and objective assurance to management, in relation to the business activities,
systems or processes under review that:
• the framework of internal control, risk management and governance is appropriate and operating effectively; and
• risk to the achievement of the Council’s objectives is identified, assessed and managed to a defined acceptable level.

The internal audit plan provides the mechanism through which the Chief Internal Auditor can ensure most appropriate use of internal audit resources to
provide a clear statement of assurance on risk management, internal control and governance arrangements.

Internal Audit focus should be proportionate and appropriately aligned. The plan will remain fluid and subject to on-going review and amendment, in
consultation with the Strategic Leadership Team and Audit Sponsors, to ensure it continues to reflect the needs of the Council. Amendments to the plan will
be identified through the Southern Internal Audit Partnership’s continued contact and liaison with those responsible for the governance of the Council.

3
 Draft Internal Audit Plan 2020-21 / 2022-23

Your Internal Audit Team

Your internal audit service is provided by the Southern Internal Audit Partnership. The team will be led by Natalie Jerams, Assistant Head of Southern
Internal Audit Partnership, supported by Joanne Barrett, Audit Manager.

Conformance with internal auditing standards

The Southern Internal Audit Partnership service is designed to conform to the Public Sector Internal Audit Standards (PSIAS). Under the PSIAS there is a
requirement for audit services to have an external quality assessment every five years. In September 2015 the Institute of Internal Auditors were
commissioned to complete an external quality assessment of the Southern Internal Audit Partnership against the PSIAS, Local Government Application Note
and the International Professional Practices Framework.

In selecting the Institute of Internal Auditors (IIA) a conscious effort was taken to ensure the external assessment was undertaken by the most credible
source. As the authors of the Standards and the leading Internal Audit authority nationally and internationally the IIA were excellently positioned to
undertake the external assessment.

In considering all sources of evidence the external assessment team concluded:

‘It is our view that the Southern Internal Audit Partnership (SIAP) service generally conforms to all of these principles. This is a notable achievement given the
breadth of these Standards and the operational environment faced by SIAP.

There are no instances across these standards where we determined a standard below “generally conforms”, and 4 instances where the standard is assessed as
“not applicable” due to the nature of SIAP’s remit.’

Conflicts of Interest

We are not aware of any relationships that may affect the independence and objectivity of the team, and which are required to be disclosed under internal
auditing standards.

4
 Draft Internal Audit Plan 2020-21 / 2022-23

Corporate Strategy 2019 - 24

Mole Valley District Council’s Corporate Strategy summarises the Council’s vision, values, guiding principles and priority outcomes and is used as a basis for
service planning.

5
 Draft Internal Audit Plan 2020-21 / 2022-23

Council Risk

The Council have a clear framework and approach to risk management. The strategic risks assessed by the Council are a key focus of our planning for the
year to ensure it meets the organisation’s assurance needs and contributes to the achievement of their objectives. We will monitor the strategic risk
register closely over the course of the year to ensure our plan remains agile to the rapidly changing landscape.

Current
No. Ref Risk Description Risk
Score*

1 C1d Loss of rental income from key properties. 9

2 C3 Corporate Health & Safety 8

3 C4b IT Systems – risk of hacking. 6

4 C4c IT Systems – operational resilience 6

5 C4d Document Management System 12

6 C5 Data Protection / Information Governance 8

7 C7 Organisational capacity to deliver 9

8 C8 Safeguarding 9

9 C9 Climate change 15

*Strategic Risks as per the Strategic Risk Register – March 2020

6
 Draft Internal Audit Plan 2020-21 / 2022-23

Developing the internal audit plan 2020-21 / 2022-23

We have used various sources of information and discussed priorities for internal audit with the following groups:
• Strategic Leadership Team
• Director of Finance and Deputy Chief Executive
• Executive Heads of Service
• Business Managers
• Audit Committee
• Other key stakeholders

Based on these conversations with key stakeholders, review of key corporate documents and our understanding of the organisation the Southern Internal
Audit Partnership have developed an annual audit plan for 2020-21 / 2022-23.

The Council are reminded that internal audit is only one source of assurance and through the delivery of our plan we will not, and do not seek to cover all
risks and processes within the organisation.

We will however continue to work closely with other assurance providers to ensure that duplication is minimised and a suitable breadth of assurance is
obtained.
Internal
Audit
External Emerging
Audit Issues

Key
Strategic
stakeholder
Risk Register
Liaison

Internal
Audit Plan Committee
Council
20/21 minutes /
Strategy
reports
(to 22/23)

7
 Draft Internal Audit Plan 2020-21 / 2022-23

Internal Audit Plan

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23
Corporate
Programme & Project Assurance over project management framework LEG02; PP02; RMP08 2018/19 ✓
Management and compliance in relation to delivery on live / AGS (4-19/20) 2017/18
ongoing projects. 2016/17
2015/16
Financial Sustainability Assurance over budgetary control, efficiency Plans, FIN06, 07; MVL07, 08; 2019/20 ✓
financial risks relating to assumptions made for PDC02; PLC03a; 2017/18
medium term financial projections. PCC04a; RMP10, 11 2015/16
Transformation To meet future financial challenges and enable ✓
improved and more efficient services. To include
digitalisation and new ways of working.
Working in Partnership Working alongside different cultures. Potential for FIN11 2019/20 ✓
some loss of control / ownership of service 2016/17
delivery. Assurance over governance, rights of AGS (3-18/19) (Homelessness)
access, third party assurance, contingency AGS (1-19/20)
arrangements, exit strategy, hosting
arrangements (accountabilities), benefit
realisation.
Asset Management (Property Assurance over statutory compliance checks for PRO02, 06, 08; DH07, 2018/19 Q1 ✓
Assets) properties. (2020/21 review) 10
Delivery of the Asset Management Plan including
repairs and maintenance to non-housing assets
(planned & reactive). (2021/22 review)

8
 Draft Internal Audit Plan 2020-21 / 2022-23

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23

Governance
Human Resources & Weak or ineffective internal control leading to C7, C8 2019/20 Q4 ✓ ✓
Organisational Development financial loss resulting in damage to the Council’s 2018/19
reputation and adverse publicity. Assurances over FIN01, 02; MVL03; (Workforce
the audit cycle to cover: PDC01, 11; PRO10; Planning)
• Performance Management LEG08; CS12; BEN02, 2017/18
• Absence management 03; HR01, 02, 03, 04, (Casual
• Recruitment 05, 06 payments &
• Training & Development Member
• Workforce Strategy / Development AGS (2-18/19) expenses)
• Flexible Working
• Volunteers
• Safeguarding awareness.

2020/21 focus to be recruitment and induction (to

include safeguarding awareness and training.)
Commissioning & Procurement Assurance over the effective identification and I&R04; PRO01 2016/17 Q2
assessment of organisational needs to maximise
value for money and efficiencies through
procurement.
Assurance over compliance with contract
procedure rules and legislative requirements.
Shared Service arrangement for Procurement with
Horsham DC, Crawley BC and Mid-Sussex DC.
Contract Management Review of contract management arrangements and I&R04; PRK04, 07; 2019/20 ✓
compliance across a selection of contracts in place. ENV08, 10, 12; MVL17 2017/18
(Advisory
Report)

9
 Draft Internal Audit Plan 2020-21 / 2022-23

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23
Risk Management Assurance over the risk management framework 2017/18 Q3
including governance, transparency and maturity. 2016/17
2015/16
Fraud & Irregularities Cyclical assurance over the governance FIN03; RMP10 ✓
arrangements to prevent, detect and investigate
fraud and irregularities.
Health & Safety Effective H&S strategy in place and operating C3 2018/19 Q2
effectively with effective governance, 2015/16
accountability and issue resolution. RMP06; DEM09; EH11;
CS03, 14; PDC05;
PRO12; PRK01, 02, 03,
11; DH08, 10; BEN02;
HOU07, 08, 09; PR12;
MVL18
Information Governance Assurance over information governance C5; I&R05; ED05; 2018/19 Q3
arrangements to include FOI, SAR, Transparency LEG05, 06, 07; REV05; 2015/16
and General Data Protection Regulation (GDPR). DH09; EDT05; FIN12;
PRO11; EH09; CSS10,
13, 16; COMM13;
BEN04; HOU12; CRP08,
PLC09; PDC10; P&P05;
12; CS10, HR07;
DEM08; RMP05, 07, 13;
MVL16; AGS (2-19/20)
Decision Making & Assurance over the effectiveness and transparency RMP01; 02; 03 2017/18 ✓
Accountability of the decision-making process at officer and DEM04 05; 06 (Data quality)
Member level. To consider governance, COMMS06
sufficiency, accuracy and timeliness of information AGS (3-19/20)
including consultation with the public as necessary.

10
 Draft Internal Audit Plan 2020-21 / 2022-23

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23
Ethical Governance Evaluation of the design, implementation and PDC04; DEM10 2018/19 Q1
effectiveness of MVDC’s ethics-related objectives,
programmes and activities.
Business Continuity & Assurance over planning for extreme events that C9 2018/19 Q2
Emergency Planning may lead to delays in responding to situations DH02; PBC05; EH10; 2016/17
resulting in increased costs and staff resources ENV02, 03, 04, 05;
including: DEM02, 03
• Business Continuity Plan
• Emergency Plan
• IT Disaster recovery, system resilience
Annual Governance Statement Cyclical assurance over the governance 2019/20 ✓
arrangements to compile, contribute and deliver
the AGS.

Core Financial Reviews

Housing Benefits BEN01 2018/19 ✓
2017/18
2016/17
Council Tax REV01 2018/19 Q2
2017/18
2016/17
Accounts Payable REV02; FIN13 2019/20 ✓
2016/17
Programme of cyclical systems reviews
Accounts Receivable / Debt REV01, 02; PRO03 2019/20 ✓
Management 2016/17
Main Accounting 2017/18 Q3
Treasury Management FIN04 2019/20 ✓
2016/17
Income Collection (incl. Cash 2019/20 ✓
Office) 2018/19
2016/17

11
 Draft Internal Audit Plan 2020-21 / 2022-23

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23
Capital Accounting 2018/19 ✓
NNDR Outsourced to Reigate & Banstead BC. To review REV01, 03 2018/19 Q2
the systems and processes in place operated by 2017/18
Reigate & Banstead as per the Inter Authority 2016/17
Agreement.
Payroll Outsourced to Midland HR. Review of contract 2019/20 ✓
management arrangements. Assurance that MVDC 2017/18
are receiving all outcomes expected from the 2016/17
contract and to review MVDC in-house operations.
VAT Assurance that VAT is appropriately accounted for 2010/11 Q3
and effective policies and procedures are in place.

IT
IT Governance Review of IT strategy, policies, standards and C4c 2019/20 ✓
procedures. Other potential areas for consideration ICT05, 07
to include IT asset management, change
management and software licensing.
Data Management Review of data centre facilities and security ICT05 ✓
including storage and back-up. To also consider
database management.
Information Security Review of cyber security arrangements, security C4b, C4c, C4d 2016/17 Q3
controls (including remote access) and cloud (cyber security)
storage. To also consider network security and ICT02, 03, 05, 08, 09, 15
infrastructure management
System Development & Systems Life Cycle, Project Management and C4d ✓
Implementation Application Management. REV02
Networking & Virtualisation, operating system management ✓
Communications
Payment Card Industry Data Compliance to meet industry standards 2015/16 Q2
Security Standard

12
 Draft Internal Audit Plan 2020-21 / 2022-23

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23
Environment
Affordable Housing Opportunities for development and alternative HOU03, 04, 10 ✓
methods of delivery to meet organisational and
national priorities. Review of the implementation
and delivery of the Affordable Housing Strategy.
Environmental Services To review arrangements for refuse collection, ENV08, 10, 11, 12 2019/20 ✓
recycling & street cleansing. Joint Waste Contract
in conjunction with four other local authorities with
Amey (effective August 2018), managed through
Joint Waste Solutions (hosted by Surrey Heath).
Environmental Health & Shared Service with Tandridge DC (hosted by EH02, 03 2018/19 ✓
Licensing MVDC). Assurance over governance and
accountability. Separate review required for Taxi AGS (3-18/19)
licensing as this does not form part of the shared
service agreement.

Development Management Planning (street naming, CIL); Development Control PDC02, 06, 07, 08, 09, 2019/20 ✓
(planning applications, appeals); Planning Policy 11; FIN09; PLC02; PP01, 2017/18 x2
(local plan). 02, 07 10; PLC07, 12; 2015/16
PP11
Building Control Partnership initiated in 2017 hosted by Tandridge PBC01, 02, 03, 04; 2018/19 Q4
DC across three partners MVDC, R&BBC and TDC. PLC06 2017/18
Agreement through IAA. To consider governance,
deliverables and outcomes.

Environmental Sustainability Priority area within the Corporate Strategy. Review C9 ✓

of the development and implementation of the
Climate Change Strategy.

13
 Draft Internal Audit Plan 2020-21 / 2022-23

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23
Prosperity
Economic Development Review business strategy and delivery ED02, 04 ✓
including processes and outcomes. To review
assurances from Coast to Capital LEP review.

Investments Assurance over the governance, accountabilities, I&R01, 02; LEG08; 2019/20 ✓
viability and outcomes of Asset Investment FIN02; PRO01
Strategy. Significant financial expectations through
the successful delivery of the AIS to meet savings
targets. Management direction around Risk
Management.

Regeneration Programme management, governance and I&R03 Q4

reporting of the ‘Transform Leatherhead’ and
‘Opportunity Dorking’ programmes against desired
outcomes.

Parking & Enforcement Assurance over cash collection of car park income CRP02, 06, 07, 09 Q1
(end to end review from point of pay to banking
and reconciliation.

Income Generation & Effectiveness of income generation / C1d 2019/20 ✓

Commercialisation maximisation (rental income and leases, optimal PRO03; PH03; MVL07
use of subsidies, fees and charges). Review of
relevant strategies.

14
 Draft Internal Audit Plan 2020-21 / 2022-23

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23
Community Wellbeing
Homelessness Assurance over management and prevention of HOU01, 02 Q4
homelessness. Development and Implementation
of the Homelessness Strategy.
Housing Effective Housing Policy and procedures to achieve ✓
desired outcomes.
Effective relationship maintained and performance
monitoring of the local housing association.
Review of the Local Plan and provide assurance
around the progress/delivery.
Disabled Facility Grants Administration and compliance with local / 2017/18 Q1
legislative requirements. 2015/16
Community Safety & Response to community safety and anti-social C8 2017/18 Q3
Enforcement behaviour. To include PREVENT, East Surrey CS06, 07; PRK10 (community
Community Safety Partnership and the grants)
development of the JET. 2020-21 to focus on the
Community Safety Partnership

Health & Leisure Facilities Thematic reviews based on areas of significant risk. CS01,02,03,05,09,12,13; 2019/20 ✓
To include contract management of leisure PRK02, 03,
operators for Dorking Sports Centre and
Leatherhead Leisure Centre. Delivery of the Leisure
& Tourism Strategy.

Community Support Assurances over services designed to help residents C8, C9 2019/20 ✓
retain their independence and reduce social MVL03, 06, 09, 10, 19
isolation including: Telecare; Community transport; AGS (2-19/20)
Care Centres, Handyman Services. Inherent risks
include funding, demand, safeguarding.

15
 Draft Internal Audit Plan 2020-21 / 2022-23

Audit Risk / Scope Strategic / Service Previous IA 2020-21 2021- 2022-

Risk Coverage 22 23
Dorking Halls High levels of cash handling and banking. DH03, 04, 05; COMM08 ✓
Additionally, the function undertakes significant
level of commissioning and procuring artists.
Inherent risks include health & safety, fire and
safeguarding.

Other
Management To include annual planning, reporting and - - -
attendance at SLT and Audit Committee, action
tracking, liaison with key stakeholders and annual
report and opinion.

16