
6 May 2026
 
ANNEX 16
HEAD OF INTERNAL AUDIT ANNUAL REPORT 2025/26

 



 


CONTENTS

Background

Internal audit work carried out in 2025/26

Follow up of agreed actions

Professional standards

Opinion of the Head of Internal Audit

Appendix A - 2025/26 internal audit work

Appendix B - Summary of key issues from audits finalised since the last report to the committee

Appendix C – Assurance audit opinions and finding priorities

Appendix D - Follow up of agreed audit actions

Appendix E - Internal audit quality assurance and improvement programme

Appendix F – Exit payments

 

 

 

 

 

 

 

 

 

 

 


            

 

 

Background


 

1          The work of internal audit is governed by the Global Internal Audit Standards in the UK Public Sector and the council’s audit charter. These require the Head of Internal Audit to bring an annual report to the Audit and Governance Committee. The report must include an opinion on the adequacy and effectiveness of the council’s framework of governance, risk management and control.

2          To assist the committee in interpreting the annual report, it should also include:

(a)        any qualifications to the opinion, together with the reasons for those qualifications (including any impairment to independence or objectivity)

(b)        any particular control weakness judged to be relevant to the preparation of the annual governance statement

(c)        a summary of work undertaken to support the opinion, including any reliance placed on the work of other assurance bodies

(d)        an overall summary of internal audit performance and outcomes from the internal audit service’s quality assurance arrangements, including a statement on conformance to professional standards.

 

Internal audit work carried out in 2025/26


 

3          Throughout 2025/26 audit work has continued to be prioritised based on risk and the need to provide coverage of the council’s framework of governance, risk management and control. This has seen audits removed from the work programme and others added as risks and priorities have changed, and as our understanding of key systems of internal control has developed.

4          We have also continued to promote good governance, provide advice and support, and make recommendations to management to help improve controls. We have attended the council’s Governance, Risk, and Assurance Group (GRAG) and met with the Director of Finance, Director of Governance and Monitoring Officer, directorate senior management teams and other officers on a regular basis. Maintaining this level of contact over the year has helped us to identify and address governance issues and concerns, and to ensure audit work has remained targeted towards key risk and priority areas.

5          The results of completed audit work have been reported to service managers, relevant chief officers, members of this committee, and Executive portfolio holders during the year. In addition, summaries of all finalised audit reports have been presented to this committee as part of regular progress reports.

6          An overview of internal audit work undertaken in 2025/26, and relevant to the Head of Internal Audit’s opinion, is contained in appendix A. This appendix also shows other work undertaken by the internal audit team to support the council during the year.

7          At the time of writing, six audits have been finalised since the previous report to this committee. A further three audit reports have been issued to the responsible officers but remain in draft. We expect these audits to be finalised over the next 2-3 weeks.

8          Seven audits from the 2025/26 programme are ongoing. The majority of work on these audits is complete. We expect to share outcomes in our next report to the committee.

9          Appendix B provides details of the key findings arising from internal audit assignments completed between November 2025 and April 2026. Summaries were provided for eight audits in our 11 March 2026 progress report. However, the committee was only able to consider one of these before the meeting was called to a close. The other seven audit summaries have been reproduced in this report, alongside summaries from audits that we have not previously reported to the committee. Final reports listed in appendix B are included as exempt annexes to this report.

10       Appendix C provides an explanation of our assurance levels and priorities for management action.

 

Follow up of agreed actions


 

11       All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. A refreshed follow-up and escalation procedure was agreed for 2025/26. Implementation of the procedure has resulted in improvements to overall action completion rates and better visibility of action status across the organisation. The procedure has also provided a route for escalation via GRAG meetings – a route that ultimately was not required during the year.

12       Based on follow up work completed, we are satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits.

13       A summary of the current status of follow up activity is included at appendix D.

 

 

 

 

 

 

 

Professional standards


 

14       In order to comply with professional standards, the Head of Internal Audit is required to develop and maintain a quality assurance and improvement programme (QAIP).

 

15       The objective of the QAIP is to ensure that working practices continue to conform with the standards. A summary of quality assurance processes, and any areas identified for development, are reported to the committee each year as part of the annual report. The arrangements consist of various elements, including:

 

*       maintenance of a detailed audit procedures manual and standard operating practices

*       ongoing performance monitoring of internal audit activity

*       regular customer feedback

*       training plans and associated training and development activities

*       periodic self-assessments of internal audit working practices (to evaluate conformance to the standards).

 

16       External assessments must also be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. An external assessment of Veritau’s internal audit working practices was undertaken between June and August 2023 by John Chesshire, an approved reviewer for the Chartered Institute of Internal Auditors (the UK and Ireland’s local chapter)[1].

 

17       The assessment involved a full independent validation of Veritau’s own self-assessment of conformance to the Public Sector Internal Audit Standards (PSIAS)[2], as well as to the wider International Professional Practices Framework which governed the performance of internal auditing globally at the time the assessment was undertaken. The report concluded that Veritau’s internal audit activity generally conforms to the PSIAS[3] and, overall, the findings were very positive.

 

18       The feedback included comments that the internal audit service was highly valued by its clients. Key stakeholders felt confident in the way Veritau had established effective working relations, both in our approach to planning and the way in which we engaged flexibly with our clients throughout the internal audit process, at the strategic and operational levels.

 

19       Effective from 1 April 2025, the PSIAS were replaced by what are known as the Global Internal Audit Standards in the UK Public Sector. These standards are made up of the Institute of Internal Auditors’ Global Internal Audit Standards (GIAS) and the Application Note: Global Internal Audit Standards in the UK Public Sector (‘the Application Note’). The Application Note interprets the GIAS, clarifying how they should be applied in UK public sector organisations.

 

20       In the UK, the body responsible for interpreting the GIAS and setting expectations for the performance of internal audit in the public sector is the Internal Audit Standards Advisory Board (IASAB). The IASAB is made up of six ‘Relevant Internal Audit Standard Setters’ (RIASS) representing central and local government, and the health sector. The RIASS for UK local government is the Chartered Institute of Public Finance and Accountancy (CIPFA). The IASAB developed the Application Note, releasing it in the early part of 2025.

 

21       The Global Internal Audit Standards (from which the Application Note provides its local government interpretations) were launched on 9 January 2024 and became effective on 9 January 2025. Veritau has used a conformance assessment toolkit, published by CIPFA in January 2026, to undertake our self-assessment against the Global Internal Audit Standards in the UK Public Sector. At the time of reporting, the self-assessment has not been finalised, but no conformance issues have been identified to date.

 

22       Our overall assessment is that Veritau conforms to the Global Internal Audit Standards in the UK Public Sector. However, through application of the QAIP, we have identified some actions to help strengthen our ability to demonstrate conformance and to continuously improve service delivery.

 

23       Details of Veritau’s QAIP are set out in appendix E.

 

24       The internal audit charter sets out how internal audit at the council will be provided in accordance with professional standards. The charter is reviewed on an annual basis. It was updated following the introduction of the Global Internal Audit Standards in the UK Public Sector in April 2025 and was presented to the committee in May 2025. No further changes are considered necessary at this time.


 

Opinion of the Head of Internal Audit


 

25       The overall opinion of the Head of Internal Audit on the framework of governance, risk management and control operating at the council is that it provides Reasonable Assurance.

 

26       The opinion given is based on work that has been undertaken directly by internal audit, and on the cumulative knowledge gained through our ongoing liaison and planning with officers. No reliance was placed on the work of other assurance providers in reaching this opinion.

 

27       In giving this opinion, there is one significant control weakness which, in the opinion of the Head of Internal Audit, is rightly included in the council’s annual governance statement. The Head of Internal Audit’s opinion on this significant control weakness is as follows:

 

   Governance and management of major capital projects: in evaluating the council’s arrangements for governing and managing its portfolio of major capital programmes and projects, several issues have been identified which, taken together, represent a significant control weakness.

 

Issues include a lack of oversight and critical appraisal in pre-delivery phases (which has led to consequences such as entering contracts at risk or of a form not optimised for the project, and incurring additional costs due to changes during delivery), inadequate financial profiling, under-developed governance and assurance arrangements, a lack of skills and support capacity, and an over-reliance on external expertise.

 

Most of these issues were included in the contract management: major project delivery internal audit report which was presented to the Audit and Governance Committee in January, and again in March 2026. Since this audit, the council has been implementing an improvement plan which seeks to strengthen governance arrangements and build internal capacity and expertise.

 

Given the significant sums invested in these projects, and the potential implications on already pressured capital and revenue budgets, this is an area which will require continued focus.

 

 

 

 

APPENDIX A: 2025/26 INTERNAL AUDIT WORK

Final reports issued

| Audit | Reported to Committee | Opinion |
|---|---|---|
| Safety Valve (implementation review) | May 2025 | Substantial Assurance |
| Housing benefits | May 2025 | Substantial Assurance |
| NHS Data Security and Protection Toolkit: accountable suppliers | May 2025 | No Opinion Given |
| School themed audit: purchasing and best value | July 2025 | Reasonable Assurance |
| Communications | July 2025 | No Opinion Given |
| Funded early education | July 2025 | Reasonable Assurance |
| Member induction programme | July 2025 | No Opinion Given |
| Commercial asset performance | July 2025 | Substantial Assurance |
| Savings plans | July 2025 | Reasonable Assurance |
| Clifton Green Primary School | July 2025 | Reasonable Assurance |
| Elvington Primary School | November 2025 | Reasonable Assurance |
| Carbon adaptation and reduction | November 2025 | Substantial Assurance |
| Physical information security | November 2025 | Reasonable Assurance |
| Schools themed audit: premium allocations | November 2025 | Substantial Assurance |
| Public EV charging strategy | November 2025 | Substantial Assurance |
| Free school meals: auto-enrolment | November 2025 | Substantial Assurance |
| Recruitment and selection | November 2025 | Reasonable Assurance |
| Contract management | November 2025 | Reasonable Assurance |
| ICT disaster recovery | March 2026 | Reasonable Assurance |
| Follow-up audit: risk management | March 2026 | Reasonable Assurance |
| Schools themed audit: governance | March 2026 | Reasonable Assurance |
| Service and role-specific training | March 2026 | Reasonable Assurance |
| Sundry debtors | March 2026 | Substantial Assurance |
| Main accounting system | March 2026 | Substantial Assurance |
| Danesgate Community School | March 2026 | Reasonable Assurance |
| Contract management: major project delivery | March 2026 | Limited Assurance |
| Children and Education local scheme of delegation | May 2026 | Reasonable Assurance |
| Children’s residential care: overtime and procurement cards | May 2026 | Reasonable Assurance |
| Key financials: Westfield Primary | May 2026 | Substantial Assurance |
| Information access request management | May 2026 | Reasonable Assurance |
| Absence management | May 2026 | Reasonable Assurance |
| Travel and subsistence | May 2026 | Reasonable Assurance |

 

Audits in progress

| Audit | Status |
|---|---|
| Flexi time and annual leave | In draft |
| Data quality and security: applications | In draft |
| Unaccompanied asylum seeker children | In draft |
| Payments to care providers and contract management (ASC&I) | In progress |
| Home to school transport | In progress |
| Cybersecurity: user account management | In progress |
| Payroll | In progress |
| Right To Buy | In progress |
| Children’s direct payments | In progress |
| St Mary’s CE Primary School | In progress |

 

Other work completed in 2025/26

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

*       Follow up of agreed actions

*       Refresh of the follow-up and escalation procedure, with regular reporting to the Governance, Risk and Assurance Group

*       Grant certification work:

        *      Scambusters

        *      UK Shared Prosperity Fund programme assurance (2024/25)

        *      HUG2

*       Consultative engagements:

        *      Fact-finding review into manual creditor payments

        *      Fact-finding review into the management of services provided by YorHome

        *      Fact-finding review into the engagement of consultants on the York Station Gateway project

        *      High-level review of the council’s performance management framework

*       Provision of support and advice:

        *      Preparation of a briefing note on CIPFA’s Code of Practice for the Governance of Internal Audit in UK Local Government (‘the Code’)

        *      Support with undertaking the council’s self-assessment against the Code

        *      Holiday let commercial waste income collection procedures

 


APPENDIX B: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

Each entry below lists the system/area (month issued), the opinion, the area reviewed, comments / issues identified, and the management actions agreed.

Travel and subsistence (April 2026)

Opinion: Reasonable Assurance

Area reviewed: The purpose of this audit was to review the council’s compliance with its travel and subsistence policy.

Comments / Issues identified:

The council’s travel and subsistence policy is up to date, reflecting the claims process in operation.

However, weaknesses were identified in compliance with key policy requirements. A high proportion of claims reviewed included subsistence costs incurred on service users which are excluded under the policy but had nonetheless been approved by line managers. In addition, there was widespread non-compliance with requirements to retain supporting evidence, with receipts often unavailable.

Management actions agreed:

An HR advisory circular will be issued which will recommunicate policy requirements and expected practice.

Options will be explored to change the configuration of iTrent so that receipts can be uploaded and records deleted at the end of their retention period.

 

Absence management (April 2026)

Opinion: Substantial Assurance

Area reviewed: This audit reviewed the council’s processes for managing short- and long-term sickness absence.

Comments / Issues identified:

The council has a comprehensive attendance management policy, with supporting procedures and guidance. However, weaknesses were identified with return-to-work (RTW) interviews, which were not always held within the three-day requirement and, in some cases, were not held at all. Follow-up action on triggers is not consistently applied by line managers. Where RTW interviews had been held, absence triggers were generally identified and appropriate action taken in most cases.

Management and HR receive sufficient and timely information to monitor attendance, with HR actively chasing outstanding RTWs and undertaking work to strengthen managerial ownership of absence monitoring through improved use of Medigold data. Controls over absence data are operating effectively, with timely system notifications to managers, reliable management reporting produced by Business Intelligence, and regular data integrity checks. Interfaces between attendance management and payroll processes are also working correctly.

Management actions agreed:

HR will remind DMTs of expectations relating to RTW interviews and responding to absence triggers. Managers will also continue to be supported and coached on attendance management procedures.

Children’s residential care: overtime and procurement cards (April 2026)

Opinion: Reasonable Assurance

Area reviewed: The purpose of this audit was to review the design and effectiveness of controls relating to overtime and use of procurement cards at children’s residential homes. The audit reviewed processes in operation at the Wenlock Terrace & Ousecliffe homes.

Comments / Issues identified:

Controls over overtime and allowance claims are not consistently applied, with unclear guidance, inconsistencies in claims, and gaps in the retention of daily running logs reducing assurance over the accuracy and appropriateness of payments.

A purchasing card policy and supporting guidance are in place and clearly set out cardholder responsibilities. However, the policy is out of date and lacks a defined review schedule, reducing assurance that requirements remain current.

Weaknesses in purchasing card controls, including inconsistent use of transaction logs, missing receipts, a breach of loyalty card rules, and insufficient evidence to support increases to card limits, undermine the integrity of card monitoring and compliance.

Management actions agreed:

Overtime claims made on RotaCloud will require citation that allows for matching to individual shifts. Spot checks will be undertaken to ensure compliance.

Business support will provide weekly assistance to ensure all transactions are logged on Civica. Alternative systems that enable real-time card expenditure monitoring will be explored.

Authorisation to increase single transaction card limits for purchases will be documented separately by business support, the manager of the service and the procurement team.

Information access request management (April 2026)

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed the council’s arrangements for handling a range of information access requests relating to data protection, use, and disclosure in accordance with legislation.

Comments / Issues identified:

Key documentation and templates for handling information requests have been updated to reflect legislative changes, and processes for Annex 6 and CCTV requests are generally operating effectively, with requests completed appropriately and within reasonable timescales.

However, arrangements for logging and tracking information requests are inconsistent across services, with gaps in recording, duplicated data, and key information dispersed across multiple systems. The absence of comprehensive and consistent logging, particularly for adult and children’s social care requests, limits assurance over the completeness and accuracy of management information. It therefore reduces the council’s ability to report reliably on volumes, outcomes, and disclosure decisions.

Management actions agreed:

Standing operating procedures for managing and responding to all requests for information will be developed with input from Legal Services and Business Support.

An alternative, secure network system storage solution for CCTV network requests will be explored.

Key financials: Westfield Primary (April 2026)

Opinion: Substantial Assurance

Area reviewed: This audit reviewed the governance and financial management arrangements at Westfield Primary Community School.

Comments / Issues identified:

Governance arrangements are compliant with statutory and local authority requirements. The School Financial Value Standard for 2025/26 had been completed but the minutes of the governing body do not evidence scrutiny prior to its submission.

Financial management arrangements are generally sound. One instance was identified where the required number of quotations was not obtained, and while a justification was provided, the exception was not formally documented or approved.

Income collection arrangements are sound, but ParentPay income recording could be done more efficiently. Debt management, budget setting, and monitoring arrangements are also effective. However, the school website does not currently include the required declaration on staff earning over £100,000.

Management actions agreed:

The governing body will ensure that scrutiny and approval of the SFVS is clearly evidenced within meeting minutes prior to sign-off.

Reasons for applying exemptions to the school’s financial procedures will be formally documented and approved.

The current process for recording ParentPay income will be reviewed and options considered to reduce reliance on manual data entry.

The school’s website will be updated to include a declaration confirming the number of staff earning over £100,000 in £10,000 bandings, or confirm that no staff fall within this category, in line with transparency requirements.

Children and Education local scheme of delegation (April 2026)

Opinion: Reasonable Assurance

Area reviewed: The purpose of this audit was to review the Children and Education directorate’s arrangements for implementing and applying its scheme of delegation.

Comments / Issues identified:

While an up-to-date scheme of delegation was in place for Children’s Services, at the time of the audit there was no scheme covering the work of Education and Skills.

Financial decision-making in the directorate is facilitated by Civica Purchasing. Changes in financial thresholds for individual officers are independently updated by Finance, following requests made by authorised individuals. These arrangements provide a documented audit trail of sub-delegations (and alterations to these).

Most staff in Children and Education with financial responsibilities had not completed finance and procurement training. This is despite both being identified as ‘service critical’ by the management team.

Management actions agreed:

The directorate prepared a scheme of delegation for Education and Skills before the audit was concluded.

The Assistant Director of Education and Skills will liaise with Finance and workforce development to discuss appropriate finance and procurement training to be delivered to the directorate, and will also agree what should be mandatory and service critical.

 

Danesgate Community School (December 2025)

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed the governance and financial management arrangements at Danesgate Community School - a specialist provider for pupils with social, emotional and mental health needs.

Comments / Issues identified:

Danesgate Community Pupil Referral Unit’s management committee operates within a compliant legal constitution, with statutory policies and website content up to date. Governance is effective, with regular meetings, challenge, and budget oversight. However, some gaps in governor training and inconsistent financial delegations were noted.

Financial processes are generally sound. Systems and controls for purchasing, income, payroll, payment cards, reconciliations and petty cash are appropriate, but some financial policies lack sufficient guidance to support their practical implementation.

The school’s contract register lacks key detail, and some contracts have not been recently reviewed.

Management actions agreed:

A review of governor training and skills will be conducted to identify training requirements. Training will be a regular item on management committee meetings and governors will be signposted to the training available through the council’s governance team.

The financial management policy will be reviewed.

The debt management policy will be reviewed. Debt management will be a standing item on Finance and Resource committee meeting agendas.

The contract register will be updated to ensure that it contains information to assist governors in overseeing contract management.

Main accounting system (December 2025)

Opinion: Substantial Assurance

Area reviewed: The purpose of this audit was to provide assurance on access arrangements to the financial management system and on the performance of key in-system activities.

Comments / Issues identified:

Access to the financial management system (FMS) is appropriately restricted and supported by layered controls, but weaknesses in user access management such as complex access structures, inconsistent forms, and delays for movers and leavers reduce assurance that access remains appropriate.

Controls over journals, virements and year-end processes are generally effective, although virement guidance could be clearer.

Feeder system data is transferred accurately, with timely uploads and reconciliations.

Suspense and control accounts are reviewed regularly, with reasonable balances and prompt resolution of discrepancies.

Management actions agreed:

Service managers’ responsibilities for user access management, particularly regarding the timely completion of user access forms when roles or responsibilities change, will be reinforced and communicated.

The user access management process will be enhanced by streamlining access categories and clearly defining the permissions associated with each, based on typical role requirements. User access request forms will be updated to ensure they are clearer, more user-friendly, and aligned with the revised process.

The virements guidance will be reviewed and updated to clearly define what constitutes a virement, and to clarify the associated processes for managing and approving them and evidencing approval on the FMS.

Sundry debtors (December 2025)

Opinion: Substantial Assurance

Area reviewed: This audit reviewed the council’s arrangements for issuing invoices, collecting and recording income, monitoring debt, and writing off debt.

Comments / Issues identified:

Invoices are raised accurately with proper supporting information, and no duplicates were found. Only a very small number of duplicate debtor accounts and unallocated suspense items exist, and both were being addressed at the time of the audit. The council’s corporate debt policy and guidance on raising invoices are outdated and do not fully reflect current practice.

Income is correctly allocated, and credit notes are properly authorised (albeit with occasional delays in processing).

Debt is monitored but recovery is inconsistent and not always sustained, with older debts being significant in volume and value.

Debt write-offs are well controlled and authorised, although accounts could be closed more promptly.

Management actions agreed:

Debt forums will be established for the Adult Social Care and Integration directorate, and similar measures introduced for non-adult social care debt.

Details of service-area specific debt recovery procedures will be documented. The corporate debt policy will be reviewed, and a suitable review schedule established. Existing guidance on raising invoices will also be updated.

Refunds will now be processed twice a week. The debtors’ team will regularly produce a report of outstanding refunds. The income services team will then be notified that there are refunds to process.

Service and role-specific training (November 2025)

Opinion: Substantial Assurance

Area reviewed: This audit reviewed the council’s arrangements for identifying, monitoring and recording training required within adult social care, children and education, and housing.

Comments / Issues identified:

The council’s MyLo system provides a strong basis for managing training, with effective tools for assigning courses, tracking completion and maintaining certifications.

Training matrices are well designed and updated through regular engagement between services and the Workforce Development Unit. However, not all courses are yet on MyLo, meaning that some services rely on manual records.

MyLo is not always updated to reflect the true status of training, resulting in inaccurate or incomplete information. Reporting arrangements also varied, with no consistent process for escalating training performance at directorate level.

Management actions agreed:

A reminder will be issued reinforcing the requirement to ensure that staff training completions are promptly recorded on MyLo. The reminder will also emphasise the need for timely renewal of service and role-specific training to prevent lapses.

The Workforce Development Unit will promote the use of existing MyLo functionality and the annual Learning Needs Analysis to support consistent oversight of training compliance. Through this exercise, it will be recommended that Directorate Management Teams discuss training issues quarterly, and awareness of available MyLo system support will be reinforced.

Schools themed audit: governance (November 2025)

Opinion: Reasonable Assurance

Area reviewed: The purpose of this audit was to provide assurance that maintained schools meet statutory governance requirements.

Comments / Issues identified:

Governance arrangements met statutory requirements, with appropriate structures and up-to-date schemes of delegation. However, some schools lacked a documented governance framework for the full governing body, committee terms of reference had not been recently reviewed, and declarations of interest had not been fully updated. Minutes, agendas and documentation were generally available, and minutes evidenced appropriate challenge. Policy schedules were maintained well overall.

Governor membership and attendance were mostly strong, but some vacancies, outdated skills audits and unclear training records were noted.

Contract registers were kept but risk registers and website compliance checks were inconsistent across schools.

Management actions agreed:

A number of actions were agreed to address the identified control weaknesses. These included:

*       Reviewing training records termly

*       Clearly capturing outcomes and actions from skills audits

*       Making cybersecurity and data protection training mandatory for at least one governor

*       Formalising and including the role of the Finance Committee chair / school business manager link in committee terms of reference

*       Improving arrangements for providing ‘Get Information About Schools’ data

*       Standardising risk registers and guidance, and ensuring termly review of risks

*       Adoption of the contract register template already shared with schools

*       Including school website checks in the annual framework.

Follow-up audit: risk management

(November 2025)

No Opinion Given

The purpose of this audit was to review the council’s arrangements for identifying, managing, and reporting directorate and service risks in accordance with corporate requirements. It was undertaken as a follow-up of the 2023/24 audit.

Although some progress was evident, with the Risk Management Team beginning to re-establish its support and facilitation role, this had not been embedded between directorates and across service areas sufficiently for them to continue risk management work independently. This also meant that agreed processes, including the issuing of quarterly risk reports, had not been regularised.

While arrangements for risk management remain inconsistent across directorates, and the council’s risks are not visible on a council-wide basis, the risk management process is not embedded to the level expected in the policy and strategy.

A detailed management response to the report and its recommendations was provided. In summary, the response cited improvements made (and in progress) while also recognising that the council’s policy and strategy need to be reviewed to reflect the council’s desired approach to risk management.

ICT disaster recovery

(November 2025)

Reasonable Assurance

This audit reviewed the council’s ICT disaster recovery arrangements.

The council has key ICT disaster recovery arrangements in place, and its current plan is clear, accessible and regularly updated. Roles are defined and incident action cards support responses, although detailed playbooks are not yet in place.

Recovery priorities are set by ICT, without structured input from service areas.

Disaster recovery testing is informal, relying on lessons from real incidents rather than being formally scheduled. Backup arrangements and security controls are robust.

Actions to address weaknesses will be agreed as part of phase two of the ICT disaster recovery audit (scheduled for 2026/27).


 

APPENDIX C: ASSURANCE AUDIT OPINIONS AND FINDING PRIORITIES

Audit opinions

 

Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit. Our overall audit opinion is based on four grades of opinion, as set out below.

| Opinion | Assessment of internal control |
|---|---|
| Substantial assurance | Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified. |
| Reasonable assurance | Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made. |
| Limited assurance | Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation. |
| No assurance | Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse. |

 

Finding ratings

 

Critical

A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management.

Significant

A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.

Moderate

The system objectives are not exposed to significant risk, but the issue merits attention by management.

Opportunity

There is an opportunity for improvement in efficiency or outcomes but the system objectives are not exposed to risk.

 


 


APPENDIX D: FOLLOW UP OF AGREED AUDIT ACTIONS

1          Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary.

2          Where responsible officers have not taken the action they agreed to, issues are escalated to more senior officers. Ultimately, they may be referred to the Audit & Governance Committee in accordance with the follow-up and escalation procedure. 

3          In figure 1, below, the status of agreed actions from follow-up activity undertaken in the last twelve months is shown[4]. For clarity, the figure shows the results of follow up activity for this period, regardless of when actions were originally due (that is, it includes actions which were due over twelve months ago but which are still being followed up).

4          For completeness, it also shows actions which have been agreed in finalised audits, but which have not yet fallen due and so have not been followed up.

Figure 1: Total agreed actions by current status

5          A total of 142 actions have been followed up so far this year. Of these, 119 have been satisfactorily implemented. 41 actions are not yet due for follow-up as their original implementation date has not passed at the time of reporting.

6          A total of 14 actions have had their original implementation timescale extended, with revised implementation dates being agreed with the action owner. We agree revised dates where the delay in addressing an issue will not lead to unacceptable exposure to risk and where the delays may be unavoidable. However, the committee should be aware that lengthy or continued revised dates do inevitably lead to a degree of risk exposure to the council.

7          Figure 2, below, shows how long dates have been revised from the original implementation date.

Figure 2: Length of revised dates agreed for action implementation

 

8          At the time of reporting, 7 actions are overdue. This is shown in figure 3, on the following page.

 

 

 

Figure 3: Length of time actions have been overdue

 

9          For all seven actions overdue by more than 90 days we have received a response from officers. In these cases, the process of following up the action and drawing conclusions is ongoing.

10       There will usually be some instances like this at any point in time. It can be due to ongoing communication with the responsible officers to obtain evidence confirming completion of the action. It can also be due to instances where the action taken is not exactly as agreed and further work is being undertaken to assess whether the action taken does satisfactorily address the risk or because there are ongoing discussions about whether to agree revised dates for the action.

11       Overdue actions are escalated according to the agreed escalation policy, firstly to relevant directors, then to senior officers via GRAG (Governance, Risk and Assurance Group). They may subsequently be brought to the Audit & Governance Committee. At this stage, no overdue actions are being escalated to the committee.


 

APPENDIX E: INTERNAL AUDIT QUALITY ASSURANCE AND IMPROVEMENT PROGRAMME

1.0    Background

 

Quality assurance and improvement programme (QAIP)

 

Veritau maintains appropriate ongoing quality assurance arrangements designed to ensure that internal audit work is undertaken in accordance with relevant professional standards. From April 2025 those standards are the Global Internal Audit Standards in the UK Public Sector. Veritau’s QAIP includes:

•  the maintenance of a detailed audit procedures manual

•  the requirement for all audit staff to conform to a Code of Ethics and Standards of Conduct Policy

•  the requirement for all audit staff to complete annual declarations of interest

•  detailed job descriptions and competency profiles for each internal audit post

•  regular operational 1-2-1 meetings for all auditors, to review progress with audit engagements, and formal 1-2-1s that include discussion of overall performance and development

•  induction programmes, training plans and associated training activities

•  attendance on relevant courses and access to e-learning material

•  the maintenance of training records and training evaluation procedures

•  membership of professional networks

•  agreement of the objectives, scope and expected timescales for each audit engagement with the client before detailed work commences (audit specification)

•  the results of all audit testing and other associated work documented in a structured format using our audit management system – K10 Vision

•  file review by senior auditors and audit managers and sign-off at each stage of the audit process

•  the ongoing investment in tools to support the effective performance of internal audit work (for example, data interrogation software)

•  post audit questionnaires (customer satisfaction surveys) issued following each audit engagement

•  regular client liaison meetings to discuss progress, share information and evaluate performance.

 

On an ongoing basis, completed audit work is subject to internal peer review by a Quality Assurance group. The review process is designed to ensure audit work is completed consistently and to the required quality standards. The work of the Quality Assurance group is overseen by an Assistant Director (Head of Internal Audit). Any key learning points are shared with the relevant internal auditors and internal audit management team. Appropriate mitigating action will be taken where required (for example, increased supervision of individual internal auditors or further training).  

 

Annual self-assessment

 

On an annual basis, Veritau seeks feedback from each client on the quality of the overall internal audit service. This includes surveys targeted at senior officers and chairs of audit committees. The Head of Internal Audit also undertakes an annual self-assessment against internal audit standards. As part of ongoing performance management arrangements, managers and auditors assess current skills and knowledge against the competency profiles for internal audit roles. Where necessary, further training or support will be provided to address any development needs.

 

The internal audit management team also participate in various professional networks and obtain information on operating arrangements and relevant best practice from other similar audit providers for comparison purposes.  

 

The results of annual client surveys, self-assessment against the standards, professional networking, and ongoing quality assurance and performance management arrangements are used to identify any areas requiring further development or improvement. Actions required are reflected in Veritau business plans, the Veritau internal audit strategy, and individual personal development plans as appropriate. Any specific changes needed to address conformance with professional standards are reported to the Audit and Governance Committee as part of the annual report of the Head of Internal Audit. The report also summarises other development activity planned to enhance the delivery of the service. Information gathered for quality assurance and development purposes is also used to evaluate overall conformance with internal audit standards.

 

External assessment

 

At least once every five years, arrangements must be made to subject internal audit working practices to external assessment to ensure the continued application of professional standards. The assessment should be conducted by an independent and suitably qualified person or organisation and the results reported to the Head of Internal Audit. The outcome of the external assessment also forms part of the overall reporting process to each client.  Any specific areas identified as requiring further development and/or improvement will be incorporated into current development plans.

 

2.0    Customer satisfaction survey 2026

 

In March 2026, we asked clients for feedback on the overall quality of the internal audit service provided by Veritau during the preceding year. Where relevant, the survey also asked questions about counter fraud and information governance services. A total of 189 surveys (2025 – 188) were issued to senior managers in client organisations. A total of 24 responses were received, representing a response rate of 13% (2025 – 17%). Respondents were asked to rate the different elements of the audit process as either excellent, good, satisfactory or poor.

 

Respondents were also asked to provide an overall rating for the service.  The results of the survey are set out in the charts below. These are presented as percentages, for consistency with previous years. However, it is recognised that the relatively low number of respondents means that the percentage for each category is sensitive to small changes in the selected response (1 respondent represents about 4%).

 

 

 

 

 

 

 

 

The overall ratings in 2026 were:

 

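| Rating | 2026[5] number | 2026[5] % | 2025 number | 2025 % |
|---|---|---|---|---|
| Excellent | 14 | 61% | 18 | 56% |
| Good | 9 | 39% | 12 | 38% |
| Satisfactory | 0 | 0% | 2 | 6% |
| Poor | 0 | 0% | 0 | 0% |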

 

The feedback shows that the respondents continue to value the service being delivered.  

  

3.0    Internal audit quality and effectiveness survey (audit committee chairs) 2026

 

In April 2025, Veritau issued its first internal audit quality and effectiveness survey. The survey was sent to the chairs of the audit committees (or equivalent) of our larger clients. Its purpose was to seek the chairs’ feedback on how well Veritau had performed, during 2024/25, in supporting the work of their committees. The same survey was issued in April 2026.

The survey includes eight questions covering consultation on audit priorities, coverage and relevance of audit work, timeliness of responses and communication of key issues, quality of reporting, and professionalism. Respondents are also asked to provide an overall rating for the service.

A total of 10 surveys (2025 – 10) were issued in April 2026. Seven responses were received, representing a response rate of 70% (2025 – 50%). Respondents were asked to provide a rating of excellent, good, satisfactory or poor for each question.

The overall ratings in 2026 were:

 

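| Rating | 2026[6] number | 2026[6] % | 2025 number | 2025 % |
|---|---|---|---|---|
| Excellent | 5 | 83% | 3 | 60% |
| Good | 0 | 0% | 2 | 40% |
| Satisfactory | 1 | 17% | 0 | 0% |
| Poor | 0 | 0% | 0 | 0% |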

 

Overall, the feedback shows that audit committee chairs continue to consider Veritau’s internal audit service effective.  

 

 

4.0    Self-assessment against audit standards

 

The Accounts and Audit Regulations 2015 require internal auditors working in local government to take into account public sector internal auditing standards or guidance. CIPFA (who are responsible for setting internal audit standards for local government) has adopted the Global Internal Audit Standards in the UK Public Sector – or GIAS (UK Public Sector). These standards came into effect on 1 April 2025.

 

Prior to 2025, Veritau had used a checklist published by CIPFA to assess conformance with the previous standards, the Public Sector Internal Audit Standards. No equivalent checklist for assessment against the new standards had been published by CIPFA at the time the 2025 self-assessment took place. This meant that the 2025 self-assessment used documentation published by the Institute of Internal Auditors (designed to help internal audit functions prepare for the introduction of the new standards) and CIPFA’s Application Note.

 

In January 2026, CIPFA launched its GIAS (UK Public Sector) conformance assessment toolkit. CIPFA’s toolkit was used to undertake a full self-assessment for 2026, the outcomes from which are summarised later.

 

5.0    2025 self-assessment: update on previous actions

 

Partial conformance actions

 

Our 2025 self-assessment allowed us to confirm our overall conformance with the GIAS (UK Public Sector). However, we identified two actions to address areas of partial conformance. These were to update internal audit charters to align with the GIAS (UK Public Sector) and to provide a more structured means for audit committees to provide input on internal audit performance. Both actions have been completed.

 

All audit charters were updated to incorporate new and changed requirements brought about by the GIAS (UK Public Sector) and were presented to audit committees for approval. A new survey of chairs of audit committees was also developed and issued in April 2025 and is now repeated annually.

 

Continuous improvement actions

 

The 2025 self-assessment also highlighted a number of other actions that were not required to conform to the standards but which would help to improve the service. Good progress has been made in implementing these actions.

 

Updates have been made to our internal training forward plan so that it now links individual sessions to the relevant professional standard(s). Training has been designed and delivered on the professional scepticism standard. Training preparation and evaluation forms have also been developed. Other actions, such as reviewing role competency profiles and value for money auditing procedures, have been incorporated into wider development plans and initiatives.

 

6.0   2026 self-assessment: outcomes

 

At the time of preparing this report, our conformance self-assessment has not been finalised. Therefore, outcomes are not available for reporting to the committee at this meeting. However, no areas of nonconformance have been identified to date, with only minor improvements required to strengthen evidence of conformance.

 

The final outcomes from our conformance self-assessment, including any improvement actions arising, will be reported to the committee at its next meeting.

 

7.0    External Assessment

 

The GIAS (UK Public Sector) require the Head of Internal Audit to arrange for an external assessment to be conducted at least once every five years to ensure the continued application of professional standards. The assessment is intended to provide an independent and objective opinion on the quality of internal audit practices.

 

An external assessment of Veritau’s internal audit working practices was undertaken in summer 2023, by John Chesshire, an approved reviewer for the Chartered Institute of Internal Auditors. The report concluded that Veritau internal audit activity ‘generally conforms’ to the PSIAS[7] and, overall, the findings of the review were very positive. The feedback included comments that the internal audit service was highly valued by its member councils. Key stakeholders felt confident in the way Veritau had established effective working relations, both in our approach to planning, and the way we engage flexibly with our clients throughout the internal audit process, at both strategic and operational levels.

 

The outcomes from the external assessment were reported to this committee on 8 November 2023. The assessment was based on the PSIAS. Many of the requirements under the new standards are the same or similar, and we can therefore continue to place reliance on the previous report. However, a further external assessment against the new standards will need to be carried out in the next two years.

 

8.0    Wider development plans and initiatives

 

Overall, the internal audit services provided by Veritau continue to meet the requirements of professional standards. However, we recognise that the pace of change in local government and the wider public sector means that there is a need to continually review and update aspects of our service to ensure it stays up to date and continues to deliver good value.

 

The internal audit strategy

 

We first introduced an internal audit strategy in 2021. The strategy identified priorities for developing the service and actions to deliver continuous improvement. The latest strategy (2025 to 2027) was adopted in January 2025. It sets out areas we are prioritising for development. These include the following:  

•  focussing on the development of high value assurance techniques and expertise

•  further development of systems for planning, prioritising and reporting audit work

•  use of the K10 audit system to improve functionality for the delivery of audit work and the production of management information.

 

To achieve these priorities, we have focused actions in the following four key areas during 2025/26:

1.   embedding a strategic approach to work programme development and the use of the audit opinion framework

2.   redesigning and modernising our audit working practices (including assignment planning and reporting)

3.   further developing our use of data analytics

4.   developing our key performance indicators and the measures of added value.

 

At the time of preparing this report, we are currently refreshing our internal audit strategy. The new strategy will retain many of the priorities and focus areas of the previous version because they remain central to our continuous improvement efforts. However, early stages of development show that further emphasis will be placed on generating deeper insights and minimising time taken to deliver value. Attention is required in these areas to ensure we keep pace with developments in the profession, aspects of which have been accelerated by improvements in data analytics capability / availability and the growth in artificial intelligence. We expect to launch the new strategy in the first half of 2026.

 

Quality assurance group: outcomes

 

The internal audit quality assurance group is currently working on its 2025/26 review. With new follow-up and escalation procedures established at the beginning of the year, the group is aiming to assess how well these have been applied through our K10 system. Specifically, the review is looking at the design and governance of the follow-up process, its overall effectiveness in terms of outcomes, compliance with procedures, and the strength of the links with client arrangements, the annual opinion, and work programme development.

 

The group has concluded the first part of the review into governance and procedures. They found that Veritau’s arrangements for follow-up align strongly with the requirements of the GIAS (UK Public Sector). Expectations are clearly set in the audit manual, with accompanying procedures available to support consistent application of the process.

 

A small number of areas requiring improvement have been identified. These include:

•  Further clarifying procedures for initiating follow-up audits, and how to treat the follow-up of actions prior to these audits

•  Developing a stronger process for recording and tracking new actions agreed as a result of follow-up work (i.e. those which replace the originally agreed action)

•  Developing more detailed guidance on the use of system reports, including data quality checks to perform on information shared with client governance groups and audit committees

•  Improving the ease with which system reports can be converted into management information so that we can continue to report on the overall disposition of follow-ups to governance groups rather than on an escalation-only basis.

 

Once the review has concluded, the final set of improvement actions will be communicated and brought into Veritau’s quality assurance and improvement programme. Improvements will then be implemented in a range of ways such as through updating procedures, further system development, incorporation into the internal audit strategy, via team training events, and through feedback to individual auditors where required.

 

9.0    Overall conformance with standards

 

Based on the overall outcomes from Veritau’s quality assurance and improvement programme, the Head of Internal Audit considers that the internal audit service conforms to Global Internal Audit Standards in the UK Public Sector.

 

 

 

 

 

 

 

 

 

 

 

APPENDIX F: EXIT PAYMENTS

In April 2021, the council’s external auditor issued a Report in the Public Interest. This related to exit payments made to a former employee. The report, and actions to address concerns about processes that were raised, were considered by the Council on 4 May 2021.

 

Following the report, a new system for agreeing settlement agreements was approved by the Staffing Matters and Urgency Committee in October 2021.

 

It was agreed that internal audit would review packages finalised under the new system, to assess whether the council has complied with the process, and that it would report the outcome of any reviews in the annual Head of Internal Audit report.

 

In the period to the end of April 2026, one settlement agreement was reached. We reviewed the agreement, finding that the correct process had been followed.

 

 

 



[1] Reported to the Audit and Governance committee in November 2023.

[2] The assessment undertaken in 2023 was made against the PSIAS as the standards applicable at the time. The PSIAS were replaced by the GIAS UK Public Sector on 1 April 2025.

[3] PSIAS guidance suggested a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ was the top rating.

[4] Effective 1 April 2025, follow-up data has been reported on a rolling 12-month basis.

[5] Despite responding either ‘excellent’ or ‘good’ to the 10 other questions in the survey, one respondent did not provide an overall rating. Therefore, the total response count in the table for 2026 equals 23 rather than 24.

[6] Despite responding either ‘excellent’ or ‘good’ to the seven other questions in the survey, one respondent did not provide an overall rating. Therefore, the total response count in the table for 2026 equals 6 rather than 7.

[7] PSIAS guidance suggested a scale of three ratings, ‘generally conforms’, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ was the top rating.