Internal Audit Work Programme Consultation 2026/27
Date: 28 January 2026
Annex 1

CONTENTS

Introduction

Approach: the opinion framework

Key assurance areas

Questions for the committee to consider

Next steps

Appendix A: the opinion framework


Introduction


Professional standards: work programme development

1             The Global Internal Audit Standards in the UK Public Sector (GIAS UK Public Sector), and the council’s audit charter, require internal audit to draw up an indicative programme of work based on an assessment of risk. The standards require internal audit to independently form a view on the risks facing the council. However, they also require the opinions of the Audit & Governance Committee and senior council officers to be considered when forming that view.

2             A specific public sector requirement for internal audit is that the risk-based programme must take into account the requirement to produce an annual internal audit opinion. Internal audit work programmes cover a range of risk areas to ensure that the work undertaken enables Veritau to provide an overall opinion on the framework of governance, risk management, and control operating at the council.

3             This report provides information on Veritau’s approach to planning audit work. It also asks for the committee’s views on areas it considers a priority for internal audit in 2026/27. This is the first stage in consultation on the annual programme of work. A full draft programme will be brought to the committee for approval at its 11 March meeting.

 

The year ahead for City of York Council

4             Much like other local authorities across the country, City of York Council will continue to face significant financial challenges as it moves into 2026/27. A £6.2m overspend is projected by the end of the current financial year, despite prudent financial management[1].

 

5             The council has been under cost control measures for the last two financial years. It is likely that measures will continue to be enforced into 2026/27 as the council looks to bring its spending down to affordable levels over the short to medium term.

 

6             Delivery of the council’s savings programme will also remain a key priority. Savings will be required across the council but particularly within adult social care, which continues to overspend. Managing this situation will be particularly challenging given the need to improve services following the recent CQC inspection.

 

7             While much of the council’s focus for 2026/27 will be on the scale of the financial challenges it faces, it will also face a range of other challenges to delivery of its services, its strategic objectives, and ultimately to its systems of governance, risk management, and internal control. These challenges include:

*       responding to increased demand and complexity in customer needs: especially within adult’s and children’s social care services.

*       maintaining and improving service levels in response to regulator requirements and inspections: for example, with new standards and inspection regimes issued by the CQC and the Regulator of Social Housing.

*       delivering key place-shaping projects across the city: for example, York Central, Castle and Eye of York, and York Station Gateway.

 

8             For internal audit to add most value, it needs to align its work to areas of greatest risk and highest priority. The next sections of this report explain how we do this at City of York Council, by applying our ‘opinion framework’.

 

Approach: the opinion framework


The opinion framework

9             The annual opinion is the most important output from internal audit and a key source of objective assurance that the council’s leadership team and councillors can use to inform the annual governance statement. The opinion must therefore be well founded if it is to give proper assurance to the council.

 

10          Veritau has established an opinion framework designed to ensure that assurance coverage is targeted towards priority areas. This, in turn, allows us to provide a properly informed annual opinion. Application of the framework is therefore crucial during the work programme development stage. It continues to be so during the year as the work programme is adapted in response to changes in priorities.

 

11          The opinion framework has three components. The main component is a definition of several key assurance areas. These represent areas of internal control that we think are essential to the proper functioning of the council. Systems and controls in each area need to be operating effectively to maximise the likelihood that the council’s objectives are achieved without undue exposure to risk.

 

12          The 11 key assurance areas we have identified make the most significant contribution to achievement of organisational objectives or give rise to the greatest risks. They are based on our internal audit experience in local government and on good practice guidance. The 11 areas cover both corporate arrangements, and management of risks and controls in individual service areas that collectively contribute to the council’s wider objectives.

 

13          The GIAS UK Public Sector require that internal audit work is linked to, and contributes to, an organisation’s:

*       management of strategic risks, and

*       achievement of organisational objectives and priorities.

 

14          Therefore, overlaid on the key assurance areas are two further components of the framework:

*       Organisational risks

*       Organisational objectives

 

15          The risks that are most important for audit planning are those set out in the council’s Key Corporate Risk (KCR) Register. These are the risks included in quarterly monitoring reports presented to the committee.

 

16          There are many other risks associated with the wide range of services the council delivers. Where appropriate, service risks are considered as part of individual audit assignments. However, the risks on the KCR register are those considered most significant to the achievement of the council’s objectives and therefore are the main focus for internal audit planning. There are currently 11 risks on the KCR register[2].

 

17          The council’s organisational objectives are expressed in its 2023-27 Council Plan as priorities. There are seven priorities covering health and wellbeing, education and skills, economy and employment, transport, housing, sustainability, and how the council operates. These priorities are expected to create the conditions to make the city of York a healthier, fairer, more affordable, more sustainable and more accessible place, where everyone feels valued.

 

18          The council’s strategic priorities, and the mechanisms by which they are delivered, are an important consideration when identifying and prioritising engagements for inclusion in the internal audit work programme. So too are key documents such as the latest revenue budget and strategy which shape how resources will be deployed to achieve the council’s ambitions.

 

19          The internal audit work programme will be developed by looking to have appropriate coverage across all 11 of the key assurance areas. In deciding what work is a priority in each area, we also consider which audits will provide coverage of corporate risks and priorities.

 

Overview

 

20          An overview of the process followed in using the opinion framework to determine audit priorities, and so to develop the internal audit work programme, is included in appendix A.

 

21          In the next section, we will explain the 11 key assurance areas in more detail and provide examples of risk areas, systems and processes we could review, as part of the 2026/27 programme of work.

 

Key assurance areas


Key assurance areas: an overview and examples

22          Details of the 11 key assurance areas are set out below. We have provided definitions, and some examples of arrangements, systems, and processes we could audit within each area. The examples are for illustrative purposes and are not exhaustive. Some audits we will consider for inclusion in the work programme are also likely to cut across a number of the key assurance areas.

 

Strategic planning

23          Strategic planning covers the arrangements the council has to define and develop its strategy, or direction, and make decisions on resource allocation to successfully pursue this strategy. It also encompasses the control measures in place to guide strategy implementation. The council’s strategy and policy framework is comprised of three core interdependent 10-year strategies (relating to the local economy, health and wellbeing, and climate change), supporting strategies, the Council Plan, and a range of other key plans and policies which give effect to the strategies.

 

24          This area is of importance to internal audit as effective strategic planning is a prerequisite for delivering long term, sustainable success.

 

Examples

*       Social care delivery and commissioning

*       Economic development

*       Partnerships

*       Savings delivery

 

Organisational governance

25          Governance is the combination of processes and structures implemented to inform, direct, manage and monitor the activities of the council toward the achievement of its objectives. At its most visible, governance involves the set of policies put in place for the direction and control of the organisation and the establishment of rules and procedures for making decisions and for complying with relevant legislation and regulations. Governance also encompasses business ethics, leadership, strategic management, and control activities. In a local authority context, the principles of effective governance are set out in CIPFA / Solace’s 2016 Delivering Good Governance in Local Government: Framework.

 

26          Internal audit is expected to assess and make appropriate recommendations to improve the council’s governance processes. It is also expected to evaluate risk exposures relating to compliance with laws, regulations, policies, procedures and contracts.

 

Examples

*       Transparency

*       Declarations of interests & gifts and hospitality

*       Policy framework

*       Democratic governance

 

Financial governance

27          Section 151 of the Local Government Act 1972 requires that every local authority in England and Wales should “... make arrangements for the proper administration of their financial affairs...”. Financial governance involves arrangements for giving a reliable account of the money spent and income received, stewardship of public resources, compliance with legal and regulatory requirements, ensuring value for money, supporting effective decision-making, and facilitating planning and resource allocation.

 

28          The GIAS UK Public Sector require that internal audit evaluates the adequacy and effectiveness of controls relating to the reliability and integrity of financial information.

 

Examples

*       Income collection & debt management

*       General ledger / accounting records

*       Payroll

*       Housing rents

 

Risk management

29          Risk management encompasses the council’s arrangements for identifying, assessing, managing, and controlling potential events or situations to provide reasonable assurance that its objectives will be achieved. It involves being aware of risk exposures, selecting appropriate risk responses that align risks with the council’s risk appetite, and communicating relevant information in a timely manner across the organisation.

 

30          As the council’s internal audit provider, the GIAS UK Public Sector expect that we evaluate the effectiveness of risk management processes and contribute to their improvement.

 

Examples

*       Risk management processes

*       Health and safety

*       Business continuity

*       Disaster recovery

 

Information governance

31          Information governance is the set of multi-disciplinary structures, policies, procedures, processes, and controls implemented to manage information across the council. These governance arrangements should support the council’s immediate and future regulatory, legal, risk, environmental and operational requirements.

 

32          Given its links to information asset security, compliance risk, and the importance of data in driving and informing the council’s decisions and operations, it is an important area for internal audit coverage.

 

Examples

*       Data protection impact assessments

*       Records management

*       Data sharing agreements

*       Rights of individuals requests

 

Performance management and data quality

33          Performance management refers to the systematic process by which the council plans, monitors, and improves the delivery of the services it provides to the public. The starting point for performance management is the council’s strategic ambitions which then filter down the organisation to directorate, service, team and individual levels. The council’s performance management framework aims to join up delivery at all levels by setting clear, achievable targets which can be accurately monitored and reported, with corrective action being taken promptly and appropriately.

 

Examples

*       Performance framework

*       Data quality

*       Staff appraisals

*       Management information

 

Procurement and contract management

34          Effective procurement is vital for any local authority to ensure that it maximises value for money in its service delivery. Every procurement process undertaken by the council needs to comply with the provisions of its Constitution (including the Contract Procedure Rules) and the objectives set out in its Procurement Strategy. Public sector procurement also needs to comply with the Procurement Act 2023 and Procurement Regulations 2024 which will come into effect from 24 February 2025.

 

35          Once a procurement exercise is completed and the contract begins, it is essential that it is monitored regularly to ensure compliance with terms and conditions, to manage delivery risk, and to assess performance.

 

Examples

*       Individual procurement exercises

*       Contract management

*       Compliance with the CPRs

*       Category management and forward planning

 

People management

36          This area covers all aspects of the management of human resources across the council. For example, recruitment and selection, remuneration, attendance management, training and talent development, individual performance management, equal opportunities, welfare and industrial relations, working arrangements, culture, and discipline.

 

37          The council’s people are essential to the achievement of its objectives, and there are a wide range of potentially significant risks in this area.

 

Examples

*       Overtime and additional hours

*       Attendance management

*       Equalities, diversity, and inclusion

*       Establishment control

 

Asset management

38          Asset management involves the proper management, safeguarding and recording of assets. It seeks to align the asset base with the council’s corporate ambitions and objectives. Key areas for effective asset management include strategic planning, maintenance of accurate records, an understanding of the physical location of assets, allocated responsibility for assets, and periodic and systematic physical verification of the existence, condition, and performance of assets.

 

39          Ensuring the safeguarding of assets is an area that the GIAS UK Public Sector require internal audit to evaluate when providing assurance on the adequacy and effectiveness of the council’s risk management arrangements.

 

Examples

*       Fleet management

*       Council house repairs

*       Housing standards

*       Acquisition, transfer, and disposal

 

Programme and project management

40          Programmes are a collection of related projects managed in a coordinated way. This can bring benefits and control over and above what is achievable from managing projects individually. Projects are discrete, clearly defined, shorter-term engagements, involving the application of processes, methodologies, and specific or cross-functional skills to achieve specific and measurable outcomes.

 

41          Effective project management is important for the council to ensure resources are used efficiently and to achieve value for money, particularly for large and high-profile projects that bring about significant change. Internal audit is expected to evaluate risk exposures relating to the effectiveness and efficiency of council programmes and projects.

 

Examples

*       All About Projects compliance

*       Individual review of projects

*       Project assurance arrangements

*       Planned capital maintenance programme

 

IT governance

42          Information technology (IT) governance is a sub-discipline of organisational governance. It relates to leadership, organisational structures, policies, and processes that ensure that information technology supports council strategies and objectives. IT governance should also support the management and oversight of the council’s business as usual activities.

 

43          The GIAS UK Public Sector require internal audit to assess whether information technology governance supports the council’s strategies and objectives.

 

Examples

*       Cybersecurity

*       IT asset management

*       Access controls

*       AI governance


Questions for the committee to consider


44          As part of our preparations for the audit work programme for 2026/27, the committee is invited to express a view on any areas it feels should be considered a priority for internal audit work. In considering this, relevant questions may include the following:

*       For any of the council’s strategic risks, are there any which the committee would like internal audit to look at, to provide additional assurance about arrangements for the management of the risk?

*       What are the biggest threats to the achievement of the council’s priorities?

*       Are there any of the 11 key assurance areas where the committee feels internal audit should pay particular attention, to provide it additional comfort that arrangements are operating effectively?

*       Are there any specific elements within the 11 key assurance areas that the committee would like internal audit to look at during 2026/27?

*       Irrespective of the assurance areas, risks and council priorities, does the committee have any specific suggestions for internal audit assignments we should consider in 2026/27?


Next steps


45          Following consultation with the committee, we will hold further discussions with officers to understand their view of priorities for internal audit work over the next year. Initial meetings have already commenced during January, and consultation will continue into February and March 2026.

 

46          Alongside this we will continue to keep abreast of emerging issues relevant to the public sector as well as any specific sector risks or developments, including any relevant changes to legislation. We will also continue to review committee papers and other relevant background information to ensure we have an up-to-date picture of the challenges and issues facing the council.

 

47          Information collected will be used to develop the indicative long list of audits to be included in the 2026/27 internal audit work programme. This will be brought to the committee for approval at its 11 March 2026 meeting.

 

48          Our risk assessment and the programme of work will continue to be updated and revisited throughout the year to ensure audit work continues to target priority areas.

 

 

 

 

 

 

Appendix A

THE OPINION FRAMEWORK

The Audit Universe

The audit universe represents all areas across the council that Veritau has identified as being auditable. The universe is broadly structured as follows:

*       Corporate and cross-cutting

*       Key financial systems

*       Service areas

*       ICT and technical

11 Key Assurance Areas

*       Strategic planning

*       Organisational governance

*       Financial governance

*       Risk management

*       Information governance

*       Performance management and data quality

*       Procurement and contract management

*       People management

*       Asset management

*       Programmes and project management

*       IT governance

Key Corporate Risks

*       Financial pressures

*       Governance

*       Effective and strong partnerships

*       Changing demographics

*       Safeguarding

*       Health and wellbeing

*       Capital programme

*       Communities

*       Workforce / capacity

*       External market conditions

*       Major incidents

Council Priorities

*       Health and wellbeing: A health generating city for children and adults

*       Education and skills: High quality skills and learning for all

*       Economy and good employment: A fair, thriving, green economy for all

*       Transport: Sustainable accessible transport for all

*       Housing: Increasing the supply of affordable housing

*       Sustainability: Cutting carbon, enhancing the environment for our future

*       How the council operates

Internal Audit Work Programme

Having evaluated all potential audits against the opinion framework in steps 1 to 4, audits are prioritised for inclusion in the internal audit work programme.

 



[1] 2025/26 Finance and Performance Monitor 2 (Executive, 4 November 2025).

[2] As at the time the Key Corporate Risk monitor was last reported to this committee (3 September 2025).