Kent Fire and Rescue Service
Auditor’s annual report on Kent and Medway Fire And Rescue Authority 2020-21

Governance is the system by which an organisation is controlled and operates and is the mechanism by which it and its staff are held to account. It works from Authority meetings to the front line. Ethics, risk management, compliance, internal control and best practice are all fundamental elements of governance. Effective governance requires both clear and unambiguous structures and processes and effective working of people within these frameworks. Effective governance also requires an open culture that promotes transparency, a willingness to learn and improve and no fear to speak the truth.

From our review of risk management, it is clear appropriate arrangements are embedded within the Authority’s operations. The Authority has a comprehensive risk management policy, last reviewed in April 2020 and a separate document outlines the risk scoring process and the Authority’s risk appetite. The policy defines responsibilities for risk. Risk Management was last reviewed by Internal Audit in 2020/21 and received “Substantial Assurance”.

For 2020/21 the Authority was responsible for managing risk and received a summary Risk Register for discussion at each meeting. The summary Risk Register is underpinned by a detailed framework which includes a Corporate Risk Register. The purpose of the summary Risk Register and accompanying risk report were to ensure the Authority could understand the risks being actively managed by management. It doesn’t provide detail of controls in place for each risk or detail the full actions or timescale for implementation of these actions.

As there were 20 risks identified the level of detail seems appropriate for a Committee with a busy work plan. The creation of a Audit and Risk Committee from 2021/22 does provide a opportunity to consider whether the existing reporting is appropriate. The existing proposal is the Audit and Risk Committee will receive the summary Risk Register rather than the more detailed Corporate Risk Register. We also note a risk score will be added to make the comparison of risks clearer.

We also note that 16 of the 20 risks in the April 2021 Corporate Risk Register were assessed as ‘no change’. There will be instances where scores remain static due to the scale of work required to implement actions. However when an organisation has finite resources it needs to ensure it has visibility so possible resources and effort are being applied to the appropriate risk areas and whether they could be better directed in achieving other things that would benefit the organisation.

The Authority should consider whether the number of risks included is appropriate. A dedicated Audit and Governance Committee will likely have sufficient time available to it to meaningfully discuss and challenge a Corporate Risk Register with this many risks.

With increased time and specialism (benefitting from training, members more interested in risk and governance etc) the Audit and Governance Committee may benefit from expanding the summary Risk Register slightly to provide more detail around the risks listed.

The Authority should also consider whether the Corporate Risk Register should identify a target score for each risk aligned to the Authority’s risk appetite. This would help provide visibility on the success of existing controls in reducing the likelihood (and possibly the impact) of risks crystalising and help provide clarity on which risks are closer to being mitigated and which need more work.

Internal Audit and Counter Fraud services are provided by Kent County Council. The agreed plan had to be adjusted because of the pandemic, the Internal Audit fieldwork was completed within the year and all reports and the Head of Internal Audit Opinion provided to the Authority by June 2021. Progress reports highlighting key issues and findings on reviews are reported to Authority periodically. The Head of Internal Audit Opinion concludes that the Authority has an adequate and effective framework for risk management, governance and internal control.

Internal Audit work has identified further enhancements to the framework of risk management, governance and internal control to ensure it remains effective and adequate. Review of the Annual Internal Audit Opinion indicates a wide breadth of work during the year covering governance, financial and operational processes and including a flexible approach which allowed adjustments to the plan in year.

Counter fraud operations are underpinned by a code of conduct, anti-bribery anti- money laundering, anti- fraud and corruption and whistleblowing policies. There were no fraud or irregularities identified, reported or investigated by Internal Audit during 2020/21. There are various examples of the Authority demonstrating proactive anti-fraud initiatives. These include annual training provided by Internal Audit, procurement card fraud courses for card holders and the sharing of common scams and phishing exercises to alert staff to new and emerging fraud risks.

Internal audit presented no limited assurance reports in 2020/21 and only one (business continuity) in 2018/19. However, three reports were given limited assurance in 2019/20 namely Information Governance (in relation to physical information security), Building Compliance and Fire Setters. It is clear from Authority minutes that actions have been taken to address the issues identified and that findings from internal audit are given appropriate attention.

The annual work plans for internal audit are currently approved and overseen by Authority. There are plans to establish an Audit and Governance Committee in 2021 who will assume this responsibility. From our attendance at Authority, we consider it to robustly review the work of internal audit, providing appropriate challenge but we applaud the establishment of a separate audit committee where additional time may be available for more detailed scrutiny of risk, governance and internal control issues.

The financial landscape due to Covid-19 has made this a unique year for financial planning. The Authority has a robust approach to financial planning and assumptions made appear reasonable. While future funding is unclear, a medium-term financial plan has been produced based on prudent assumptions about future income streams. We’ve previously concluded the Authority has effective arrangements in place, using sensitivity analysis and scenario planning to understand its financial position and identify saving and investment options. Despite the pandemic there is no evidence the arrangements in place have been compromised. Budgets are discussed with budget holders, senior leadership and other stakeholders prior to approval at Authority level.
 
Investments and Borrowings are included within the financial plan, but the effects are minimal given the current rates of return on investments and the Authority’s plan to be debt free by 2025.

Budget managers have access to finance system and can review budgets at any time. There is regular contact between budget managers and finance contacts. The Authority has a strong history of financial control.

Budgets are reviewed at each meeting of the Authority and review of minutes indicates that variances are adequately identified and explained.

There is no evidence to suggest that Authority’s decision-making processes are not open or transparent. The Authority meetings are well attended by the Chief Executive and Directors to help provide sufficient support and explanation to the members in discharge of their function.

Our attendance at this meeting and review of papers indicates that sufficient information is provided to Members and they hold senior management to account. The Authority is engaged and provides appropriate levels of scrutiny to external and internal audit. There is no evidence of serious and pervasive weaknesses in final accounts processes leading to material errors in draft accounts, failure to meet statutory reporting deadlines and/or a modified opinion on the financial statements.

Covid-19 did impact on many organisations' ability to make decisions in line with existing delegations (e.g. decisions often having to be made outside of Committee cycles) however we have not identified any indication that existing arrangements were overridden at the expense of appropriate scrutiny and challenge.

Various internal and external mechanisms are used to ensure that the Authority meets the necessary standards and legislative requirements.

The Authority is subject to external inspection from Her Majesty's Inspectorate of Constabulary and Fire & Rescue Services In the last inspection report issued in June 2019, the Authority was rated as Good reflecting the high standard of service provided by the Authority.

Our work has not uncovered any non-compliance with the Constitution, statutory requirements or expected standards of behaviour. We have not been made aware of any data breaches at the Authority.

Officer and Member conduct is set in codes of ethical conduct and via the declaration gifts and hospitality code of practice. These were last updated in 2020. Members interests are published on the Authority Website and there is an opportunity for Members to declare interests at every Authority meeting as a set agenda item. Related party transactions are required to be declared as part of year end closure of accounts and sent to all Members and Senior officers for their completion. We found no evidence of adverse outcomes of interests not being declared.