CONTENTS

3           Introduction

3           Strategic context

5           Programme principles and development

8           2024/25 internal audit work

10         Appendix A: indicative internal audit work programme

 

 

 

 

 

1             This report sets out the proposed 2024/25 programme of work for internal audit, provided by Veritau for City of York Council.

2             The work of internal audit is governed by the Public Sector Internal Audit Standards (PSIAS) and the council’s audit charter. To comply with professional standards and the charter, internal audit work must be risk based and take into account the requirement to produce an evidence-based annual internal audit opinion. Accordingly, planned work should be reviewed and adjusted in response to changes in the business, risks, operations, programmes, systems and internal controls.

3             Specifically, the PSIAS require that the Head of Internal Audit “must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals. The risk-based plan must take into account the requirement to produce an annual internal audit opinion.”

4             The Head of Internal Audit’s annual opinion is formed following an independent and objective assessment of the effectiveness of the framework of risk management, governance and internal control. Our planned audit work includes coverage of all three areas to develop a wider understanding of the assurance framework of the council, and to produce a body of work which allows us to provide our opinion.

5             Responsibility for effective risk management, governance and internal control arrangements remains with the council. The Head of Internal Audit cannot be expected to prevent or detect all weaknesses or failures in internal control nor can audit work cover all areas of risk across the organisation.

 

 

6             The council is facing unprecedented financial and delivery pressures as a result of the continued increase in demand for its services and the impact of inflation and economic uncertainty. An ageing population, an increase in the complexity of need in the adult and child populations, exposure to unfavourable market conditions[1], and challenging financial positions for health partners all represent risks to the council’s ability to deliver its priorities and maintain its services (see figure 1 on the following page).

7             These pressures are set against a backdrop of real terms decline in central government funding over multiple years. While core spending power has increased by 6% since 2010/11, this has translated to a real term reduction in spending power of 28.5% for the city of York. This has seen City of York Council become one of the lowest funded upper-tier local authorities in the country, with a national rank of 143 out of 150[2].

8             The combined effect of all these pressures means that the council needs to take action to maintain a stable and resilient financial position while still delivering on its statutory duties, and on the priorities set out in the Council Plan and its three 10-year strategies. These priorities include continuing to invest in adult social care and support for children and supporting its communities facing the cost-of-living crisis. Meanwhile, the council has an extensive and ambitious programme of major capital projects designed to stimulate economic growth, to deliver more housing, and to improve its highway network infrastructure. Large sums have been committed to complex, high profile, and often multi-year projects. While these projects present significant opportunities for the council, they also bring with them considerable risks.

9             In short, the council is expected to deliver more with less. Maintaining effective operational arrangements is essential to achieving this. Internal audit contributes to overall objectives by helping to ensure that systems of governance, risk management and control that underpin operational arrangements are robust. To maximise the value of internal audit, it is vital that we provide assurance in the right areas at the right time. We’ve designed the processes for developing the internal audit work programme, and refining it through the year, to do that.

Figure 1: An illustration of the key threats currently facing City of York Council.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Flexible, risk-based planning and the opinion framework

10          In order to best meet professional standards, internal audit is required to adopt flexible planning processes that are sensitive to risk. This flexibility and risk-based approach are driving principles for delivery of City of York Council’s 2024/25 internal audit work programme.

11          The Audit & Governance Committee was introduced to Veritau’s opinion framework as part of the 28 February 2024 internal audit work programme consultation report (Annex 1 - Internal Audit Work Programme Consultation Report 2024-25.pdf (york.gov.uk)).

12          The opinion framework sets out the principles that will be used to develop and manage the audit work programme over the course of the year. It ensures that assurance coverage is targeted towards priority areas. This, in turn, allows us to arrive at a properly informed annual opinion.

Identification of initial internal audit priorities

13          Internal audit maintains a long list of all areas within the council that could potentially be audited. It is not possible to review all areas in any one year. Instead, we prioritise audits by considering potential risks in each area at the time of the assessment and by considering requirements for assurance coverage.

14          The opinion framework provides the structure for internal audit to take informed decisions on priorities.

15          Figure 2 on the following page demonstrates how the framework is applied to identify initial internal audit priorities. It illustrates how an example audit (‘savings delivery’) passes through the framework and how we evaluate it for potential inclusion in the work programme. In this case, we have assessed the savings delivery audit as a high priority for inclusion as it contributes to coverage of a key assurance area, a key corporate risk, and a council priority. The committee will note that the savings delivery audit has been included in the 2024/25 indicative internal audit work programme at appendix A.

 

 

The ‘do now’, ‘do next’, ‘do later’ audit prioritisation system

16          Once initial internal audit priorities have been identified through application of the opinion framework, we then overlay a second system of prioritisation. This system allows us to determine the relative priority of audits included in the indicative work programme.

17          This second prioritisation system sees audits assigned to one of three categories, as shown in figure 3 below.

 

Figure 3: ‘do now’, ‘do next’, ‘do later’ prioritisation system.

 

 

 

 

 

18          Decisions on which category of the three categories internal audit work falls into will be based on judgement, and will be made having given consideration to the prioritisation factors in table 1 below. These will result in internal audit work being considered a relatively higher or lower priority at the time of assessment.

Table 1: Internal audit prioritisation factors.

 

Prioritisation factors
where we have no recent audit assurance, or other sources of information	where controls are changing and / or risks are increasing
where we are following up previous control weaknesses	where specific issues are known to have arisen
that are of significant importance to the council, for example they reflect key objectives or high priority projects	that provide broader assurance, for example corporate policies and frameworks
that need to be covered to enable us to provide an annual opinion	where there are time pressures or scheduling requirements, for example grant deadlines, or work scheduled to minimise the impact on council service areas at busy times

 

19          The above factors will be used on an ongoing basis to decide what internal audit work will be carried out, and when, during the course of the year. These decisions will be made in consultation with the council through our ongoing dialogue with senior officers. Individual pieces of work will move between the three categories, as required, based on their priority at the time of assessment.

20          For example, an audit scheduled for quarter two to minimise the impact on a service area may initially be classed as to ‘do later’ but will become ‘do now’ as we move into quarter two. Similarly, an audit of a council project classed as ‘do now’ because it represents an area of high importance may move from ‘do now’ to ‘do next’ or ‘do later’ if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as ‘do later’ are likely to be deferred until the following year.

21          The committee will be provided with information on current internal audit priorities throughout the year as part of regular progress reporting.

 

 

 

The 2024/25 indicative internal audit work programme

22          The work programme for 2024/25 is set out in appendix A, beginning on page 10.

23          Functionally, the indicative programme is structured into a number of areas, as set out in table 2, below.

Table 2: Work programme functional areas.

Programme area	Purpose
Strategic / corporate & cross cutting	To provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.
Technical / projects	To provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.
Financial systems	To provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.
Service areas	To provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.
Other assurance work	An allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.
Client support, advice & liaison	Work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.

 

24          The overall level of service is based on an indicative number of days, for planning purposes (1,023 for 2024/25). Figure 4 below shows the proportion of time we expect to deliver across each area during the year.

Figure 4: 2024/25 work programme: indicative functional area split.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

25          It is important to emphasise two important aspects of the programme. Firstly, the audit activities included in appendix A are not fixed. As described above, work will be kept under review to ensure that audit resources are deployed to areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.

26          Secondly, it will not be possible to deliver all of the audit activities listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment. Over-planning the programme enables us to respond quickly by commencing work in other areas of importance to the council when risks and priorities change during the year.

 

APPENDIX A: indicative internal audit work programme 2024/25

 

Programme area		Potential internal audit activity
Strategic / corporate & cross cutting			Savings plans        Overtime and allowances        Workforce development        Data Protection and Digital Information Act        FOI and EIR improvement plan        Physical information security compliance (satellite sites)        Physical information security compliance (West Offices and Hazel Court)        Use of CCTV and investigatory powers (covert surveillance)        Asset performance        Procurement Act: preparedness assessment        Contract management        Risk management        York 2032: partnership governance        Performance management framework        Data quality        Equalities        Carbon reduction / adaptation        Public health: procurement and contract management
Technical / projects			NHS Data Security and Protection Toolkit: accountable suppliers        Project management        ICT disaster recovery        ICT applications / database security        Cybersecurity: user awareness        ICT projects / systems development
Financial systems			Main accounting system        VAT accounting        Ordering and creditor payments        Sundry debtors        Housing benefits        Housing rents
Service areas			Locality working / ward committee model        Community Safety Strategy        Community Infrastructure Levy        Public EV charging strategy (tariff management)        Council house repairs        Additional landlord duties        Green waste subscription service        Public protection        Section 17 payments        Children’s direct payments        Unaccompanied asylum seeker children        Residential care: The Beehive / Wenlock Terrace        Alternative provision        Funded early education        Full school audit: Clifton Green Primary School        Full school audit: Danesgate Community School        Schools themed audit: purchasing and best value        Schools themed audit: pupil premium        Payments to care providers and contract management (adult social care)        Referrals and care assessments (adult social care)        Care and support planning (adult social care)        Managing customer finances (adult social care)        Continuing healthcare (adult social care)
Other assurance work			Follow-up of previously agreed management actions        Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control        Continuous assurance work, including data analytics and data matching projects Attendance at, and contribution to, governance- and assurance-related working groups
Client support, advice & liaison			Committee preparation and attendance        Key stakeholder liaison        Support and advice on control, governance and risk related issues