CONTENTS
Introduction
Approach: The Opinion Framework
Key assurance areas
Questions for the committee to consider
Next steps
Appendix A: the opinion framework
Introduction
Professional standards: work programme development
1 The Public Sector Internal Audit Standards (PSIAS), and the council’s audit charter, require internal audit to draw up an indicative programme of work based on an assessment of risk. The standards require internal audit to independently form a view on the risks facing the council. However, they also require the opinions of the Audit and Governance Committee and senior council officers to be considered when forming that view.
2 A specific public sector requirement for internal audit is that the risk-based programme must take into account the requirement to produce an annual internal audit opinion. Internal audit work programmes cover a range of risk areas to ensure that the work undertaken enables Veritau to provide an overall opinion on the framework of governance, risk management, and control operating at the council.
3 This report provides information on Veritau’s approach to planning audit work. It also asks for the committee’s views on areas it considers a priority for internal audit in 2025/26. This is the first stage in consultation on the annual programme of work. A full draft programme will be brought to the committee for approval at its 26 March 2025 meeting.
The year ahead for City of York Council
4 Much like other local authorities across the country, City of York Council will continue to face significant financial challenges as it moves into 2025/26. This is despite a significant reduction in its forecast overspend for 2024/25, which was £2.7m as at September 2024 (down from circa £11m at this stage in previous years)[1].
5 The council has been under cost control for all of 2024/25 and it is likely that this will continue into 2025/26, alongside other measures to bring spending down to affordable levels over the short to medium term. Delivery of the council’s savings programme will also therefore remain a key priority. Savings will be required across the council but particularly within adult’s and children’s social care which continue to overspend. Actions to safeguard the council’s financial viability into 2025/26 and beyond are particularly important since the council’s general reserves, of £6.9m, are currently below the minimum level of £7.4m (i.e. as recommended by the council’s Chief Finance Officer and approved by Budget Council in February 2024).
▲ responding to legislative and regulatory change: most notably the Procurement Act and Procurement Regulations, and others that will be introduced by the new government.
▲ responding to increased demand and complexity in customer needs: especially within adult’s and children’s social care services.
▲ maintaining and improving service levels in response to regulator requirements: for example, with new standards and inspection regimes issued by the CQC and the Regulator of Social Housing.
▲ delivering key place-shaping projects across the city: for example, York Central, Castle Gateway, and York Station Gateway.
7 For internal audit to add most value, it needs to align its work to areas of greatest risk and highest priority. The next sections of this report explain how we do this at City of York Council, by applying our ‘opinion framework’.
Approach: The Opinion Framework
Background
8 In addition to the requirements referred to in paragraphs 1 and 2, the PSIAS also expect that the risk-based programme of work is linked to, and contributes to:
▲ the management of strategic risks, and
▲ the achievement of organisational objectives and priorities.
9 The annual opinion is the most important output from internal audit and a key source of objective assurance that the council’s leadership team and councillors can use to inform the annual governance statement. The opinion must therefore be well founded if it is to give proper assurance to the council.
The opinion framework
10 Veritau has established an opinion framework. This reflects the requirements of the PSIAS and the council’s internal audit charter, to enable us to deliver an annual opinion.
11 The opinion framework sets out the principles that will be used to develop and manage the audit work programme. It ensures that assurance coverage is targeted towards priority areas to allow us to develop a properly informed annual opinion. We continuously revisit priorities during the year so that the work programme remains up to date.
12 The opinion framework is comprised of three main parts. The main component is a definition of several key assurance areas. These represent areas of internal control that we think are essential to the proper functioning of the council. Systems and controls in each area need to be operating effectively to maximise the likelihood that the council’s objectives are achieved without undue exposure to risk.
13 The 11 areas we have identified are those that we believe make the most significant contribution to achievement of organisational objectives or give rise to the greatest risks. They are based on our internal audit experience in local government and good practice guidance. The 11 areas cover both corporate arrangements, and management of risks and controls in individual service areas that collectively contribute to the council’s wider objectives.
14 Overlaid on the key assurance areas are two further components of the framework:
▲ Organisational risks
▲ Organisational objectives
15 The risks that are most important for audit planning are those set out in the council’s Key Corporate Risk (KCR) Register. These are the risks included in quarterly monitoring reports presented to the committee by the Chief Finance Officer.
16 There are many other risks associated with the wide range of services the council delivers. Where appropriate, service risks are considered as part of individual audit assignments. However, the risks on the KCR register are those considered most significant to the achievement of the council’s objectives and therefore are the main focus for internal audit planning. There are currently 12 risks on the KCR register.
17 The council’s organisational objectives are expressed in its 2023-27 Council Plan as priorities. There are seven priorities covering health and wellbeing, education and skills, economy and employment, transport, housing, sustainability, and how the council operates. These priorities are expected to create the conditions to make the city of York a healthier, fairer, more affordable, more sustainable and more accessible place, where everyone feels valued.
18 The council’s strategic ambitions, and the mechanisms by which they are delivered, are a key consideration when identifying and prioritising engagements for inclusion in the internal audit work programme.
19 The internal audit work programme will be developed by looking to have appropriate coverage across all 11 of the key assurance areas. In deciding what work is a priority in each area, we also consider which audits will provide coverage of strategic risks and corporate ambitions and priorities.
20 An overview of the process followed in using the opinion framework to determine audit priorities, and so to develop the internal audit work programme, is included in Appendix A.
Key assurance areas
Key assurance areas: an overview and examples
21 Details of the 11 key assurance areas are set out below. We have provided definitions, and some examples of arrangements, systems, and processes we could audit within each area. The examples are for illustrative purposes and are not exhaustive. Some audits we will consider for inclusion in the work programme are also likely to cut across a number of the key assurance areas.
Strategic planning
22 Strategic planning covers the arrangements the council has to define and develop its strategy, or direction, and make decisions on resource allocation to successfully pursue this strategy. It also encompasses the control measures in place to guide strategy implementation. The council’s strategy and policy framework is comprised of three core interdependent 10-year strategies (relating to the local economy, health and wellbeing, and climate change), supporting strategies, the Council Plan, and other key plans and policies which give effect to the strategies.
23 This area is of importance to internal audit as effective strategic planning is a prerequisite for delivering long term, sustainable success.
Examples
Organisational governance
24 Governance is the combination of processes and structures implemented to inform, direct, manage and monitor the activities of the council toward the achievement of its objectives. At its most visible, governance involves the set of policies put in place for the direction and control of the organisation and the establishment of rules and procedures for making decisions and for complying with relevant legislation and regulations. Governance also encompasses business ethics, leadership, strategic management, and control activities. In a local authority context, the principles of effective governance are set out in CIPFA / Solace’s 2016 Delivering Good Governance in Local Government: Framework.
25 Internal audit is expected to assess and make appropriate recommendations to improve the council’s governance processes. It is also expected to evaluate risk exposures relating to compliance with laws, regulations, policies, procedures and contracts.
Examples
Financial governance
26 Section 151 of the Local Government Act 1972 requires that every local authority in England and Wales should “... make arrangements for the proper administration of their financial affairs...”. Financial governance involves arrangements for giving a reliable account of the money spent and income received, stewardship of public resources, compliance with legal and regulatory requirements, ensuring value for money, supporting effective decision-making, and facilitating planning and resource allocation.
27 The PSIAS require that internal audit evaluates the adequacy and effectiveness of controls relating to the reliability and integrity of financial information.
Examples
Risk management
28 Risk management encompasses the council’s arrangements for identifying, assessing, managing, and controlling potential events or situations to provide reasonable assurance that its objectives will be achieved. It involves being aware of risk exposures, selecting appropriate risk responses that align risks with the council’s risk appetite, and communicating relevant information in a timely manner across the organisation.
29 As the council’s internal audit provider, the PSIAS expect that we evaluate the effectiveness of risk management processes and contribute to their improvement.
Examples
Information governance
30 Information governance is the set of multi-disciplinary structures, policies, procedures, processes, and controls implemented to manage information across the council. These governance arrangements should support the council’s immediate and future regulatory, legal, risk, environmental and operational requirements.
31 Given its links to information asset security, compliance risk, and the importance of data in driving and informing the council’s decisions and operations, it is an important area for internal audit coverage.
Examples
Performance management and data quality
32 Performance management refers to the systematic process by which the council plans, monitors, and improves the delivery of the services it provides to the public. The starting point for performance management is the council’s strategic ambitions which then filter down the organisation to directorate, service, team and individual levels. The council’s performance management framework aims to join up delivery at all levels by setting clear, achievable targets which can be accurately monitored and reported, with corrective action being taken promptly and appropriately.
Examples
Procurement and contract management
33 Effective procurement is vital for any local authority to ensure that it maximises value for money in its service delivery. Every procurement process undertaken by the council needs to comply with the provisions of its Constitution (including the Contract Procedure Rules) and the objectives set out in its Procurement Strategy. Public sector procurement also needs to comply with the Procurement Act 2023 and Procurement Regulations 2024 which will come into effect from 24 February 2025.
34 Once a procurement exercise is completed and the contract begins, it is essential that it is monitored regularly to ensure compliance with terms and conditions, to manage delivery risk, and to assess performance.
Examples
People management
35 This area covers all aspects of the management of human resources across the council. For example, recruitment and selection, remuneration, attendance management, training and talent development, individual performance management, equal opportunities, welfare and industrial relations, working arrangements, culture, and discipline.
36 The council’s people are essential to the achievement of its objectives, and there are a wide range of potentially significant risks in this area.
Examples
Asset management
37 Asset management involves the proper management, safeguarding and recording of assets. It seeks to align the asset base with the council’s corporate ambitions and objectives. Key areas for effective asset management include strategic planning, maintenance of accurate records, an understanding of the physical location of assets, allocated responsibility for assets, and periodic and systematic physical verification of the existence, condition, and performance of assets.
38 Ensuring the safeguarding of assets is one of five key risk areas that the PSIAS require internal audit to evaluate when providing assurance on the adequacy and effectiveness of the council’s risk management arrangements.
Examples
Programme and project management
39 Programmes are a collection of related projects managed in a coordinated way. This can bring benefits and control over and above what is achievable from managing projects individually. Projects are discrete, clearly defined, shorter-term engagements, involving the application of processes, methodologies, and specific/cross-functional skills and methodologies to achieve specific and measurable outcomes.
40 Effective project management is important for the council to ensure resources are used efficiently and to achieve value for money, particularly for large and high-profile projects that bring about significant change. Internal audit is expected to evaluate risk exposures relating to the effectiveness and efficiency of council programmes and projects.
Examples
IT governance
41 Information technology (IT) governance is a sub-discipline of organisational governance. It relates to leadership, organisational structures, policies, and processes that ensure that information technology supports council strategies and objectives. IT governance should also support the management and oversight of the council’s business as usual activities.
42 The PSIAS require internal audit to assess whether information technology governance supports the council’s strategies and objectives.
Examples
43 As part of our preparations for the audit work programme for 2025/26, the committee is invited to express a view on any areas it feels should be considered a priority for internal audit work. In considering this, relevant questions may include the following:
▲ For any of the council’s strategic risks, are there any which the committee would like internal audit to look at, to provide additional assurance about arrangements for the management of the risk?
▲ What are the biggest threats to the achievement of the council’s priorities?
▲ Are there any of the 11 key assurance areas where the committee feels internal audit should pay particular attention, to provide it additional comfort that arrangements are operating effectively?
▲ Are there any specific elements within the 11 key assurance areas that the committee would like internal audit to look at during 2025/26?
▲ Irrespective of the assurance areas, risks and council priorities, does the committee have any specific suggestions for internal audit assignments we should consider in 2025/26?
Next steps
44 Following consultation with the committee we will hold further discussions with officers to understand their view of priorities for internal audit work over the next year. Initial meetings have already commenced during January, and consultation will continue into February and March 2025.
45 Alongside this we will continue to keep abreast of emerging issues relevant to the public sector as well as any specific sectoral risks or developments including any relevant changes to legislation. We will also continue to review committee papers and other relevant background information to ensure we have an up-to-date picture of the challenges and issues facing the council.
46 Information collected will be used to develop the indicative long list of audits to be included in the 2025/26 internal audit work programme. This will be brought to the committee for approval at its 26 March 2025 meeting.
47 Our risk assessment and the programme of work will continue to be updated and revisited throughout the year to ensure audit work continues to target priority areas.