CONTENTS

3           Introduction

4           Strategic context

5           2026/27 internal audit work programme

9           Appendix A: indicative internal audit work programme

 

 

 

 

 

Introduction

 

1             This report sets out the proposed 2026/27 programme of work for internal audit, provided by Veritau for City of York Council.

2             The work of internal audit is governed by the Global Internal Audit Standards in the UK Public Sector (GIAS UK Public Sector). These standards are made up of:

▲   the Global Internal Audit Standards (GIAS), set by our professional body, The Institute of Internal Auditors, and

▲   the Application Note: Global Internal Audit Standards in the UK Public Sector, produced by the Relevant Internal Audit Standard Setters[1].

3             The Application Note contains interpretations and requirements which need to be applied to the GIAS so that they form a suitable basis for internal audit practice in the UK public sector.

4             At the local level, the council has an internal audit charter. The charter addresses how internal audit is performed and governed, and its commitment to adhering to professional standards.

5             To conform to professional standards and the charter, the Head of Internal Audit must develop a plan based on a documented assessment of the council’s strategies, objectives, and risks and on their understanding of governance, risk management, and internal control arrangements. The plan should also be informed by input from key stakeholders, such as senior management and this committee.

6             Internal audit work should be risk-based and dynamic, being undertaken in a way that supports achievement of organisational objectives. Accordingly, planned work should be reviewed and adjusted in response to changes to risks, priorities, operations, programmes, systems, and internal controls.

7             The GIAS UK Public Sector place a specific requirement on the Head of Internal Audit to prepare an overall conclusion (opinion), at the level of the organisation, about the effectiveness of governance, risk management, and internal control. This must be done at least annually in support of wider governance reporting.

8             The basis of the Head of Internal Audit’s annual opinion is the outcomes from planned audit work undertaken over the year (referred to as the ‘work programme’). Our work programmes include coverage of governance, risk management, and internal control which, in turn, allows an opinion to be given.

9             At the 28 January 2026 meeting of this committee, we presented our work programme consultation report. This report explained how we approach development of the work programme by considering key areas of assurance, the council’s risks, and its priorities to define a body of work from which an independent and well-informed opinion can be given.

Strategic context

 

10          Sustained real terms reductions in central government funding for over a decade continue to put the council’s financial sustainability under real threat. Following finalisation of the government’s three-year settlement in February 2026, the financial outlook is now even more severe.

11          The settlement means that the council’s non-council tax funding will reduce by £20m over the next three years, equivalent to 10% of its current core spending power[2]. This is mainly due to the council’s relative need having dropped by 9.3%, with York having been assessed as the seventh least deprived local authority area in the country.

12          The second major reform to government funding was council tax equalisation. The government used an assumed level of council tax which was set higher than the council’s actual 2026/27 council tax base. The result is that the council’s settlement was reduced by £135m, despite only being able to raise £127.2m in council tax.

13          The £200m funding envelope available between 2026/27 and 2028/29 means that the council’s per capita funding is £924. Only one other local authority has lower per capita spending power. It is expected that, by 2028/29, York will be lowest funded local authority area in the country. This is compounded by the fact that York is part of one of the lowest health-funded regions in the country.

14          In the face of these unprecedented financial pressures, the council will need to ensure that it is appropriately positioned and equipped to deal with the scale of cost reduction and transformation required to maintain its long-term financial viability. 2026/27 represents a key year for the council’s transformation programme. It is essential that the programme is well governed to ensure that it delivers across its key workstreams.

15          The consequence of the budget pressures is that more funding will need to be diverted from other services to protect core social care and children’s services being delivered to the city’s most vulnerable residents. This is while these demand-led services continue to exert their own pressures as a result of unfavourable market conditions and an increasing volume and complexity of need. In addition, the council’s adult social care services were rated as ‘requiring improvement’ in the CQC’s December 2025 inspection report. The pressures already mentioned and the need to raise service standards has required a further investment of £10m in this area.

16          Meanwhile, the council continues to invest in an extensive and ambitious programme of major capital projects. Large sums have been committed to complex, high profile, multi-year projects. While these projects present significant opportunities for the council, they also bring with them considerable risks. These risks are heightened due to the impact of the cost of borrowing on the revenue budget, exposure to cost increases, and cash flow deficits.

17          Maintaining effective operational arrangements is an essential building block towards achieving the council’s strategic objectives and navigating risks to delivery. Internal audit contributes to overall objectives by helping to ensure that systems of governance, risk management and control that underpin operational arrangements are robust.

18          To maximise the value of internal audit, it is vital that we provide assurance in the right areas at the right time. We’ve designed the processes for developing the internal audit work programme, and refining it through the year, to do that.

2026/27 Internal audit work programme

 

The 2026/27 indicative internal audit work programme

19          The work programme for 2026/27 is set out in appendix A, beginning on page 9.

20          The overall level of service is based on an indicative number of days, for planning purposes (1,023 for 2026/27). Figure 4, below, shows the proportion of time we expect to deliver across each area during the year.

21          The proposed areas of coverage in the 2026/27 work programme have been subject to consultation with this committee, Directorate Management Teams, and with other senior officers from across the council.

22          Functionally, the indicative programme is structured into a number of areas, as set out in table 1, below.

Table 1: Work programme functional areas.

Programme area	Purpose
Strategic / corporate & cross cutting	To provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.
Technical / projects	To provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.
Financial systems	To provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.
Service areas	To provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.
Other assurance work	An allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.
Client support, advice & liaison	Work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.

 

23          Figure 1, below, shows the proportion of time we expect to spend delivering work across each area during the year.

Figure 1: 2026/27 work programme: indicative functional area split.

The ‘do now’, ‘do next’, ‘do later’ audit prioritisation system

24          Once initial internal audit priorities have been identified through application of the opinion framework, we then overlay a second system of prioritisation. This system allows us to determine the relative priority of audits included in the indicative work programme.

25          This second prioritisation system sees audits assigned to one of three categories, as shown in figure 2, below.

 

Figure 2: ‘do now’, ‘do next’, ‘do later’ prioritisation system.

 

 

 

 

 

26          Decisions on which of the three categories internal audit work falls into will be based on judgement, and will be made having given consideration to the prioritisation factors in table 2, below. These will result in internal audit work being considered a relatively higher or lower priority at the time of assessment.

Table 2: Internal audit prioritisation factors.

Prioritisation factors
where we have no recent audit assurance, or other sources of information	where controls are changing and / or risks are increasing
where we are following up previous control weaknesses	where specific issues are known to have arisen
that are of significant importance to the council, for example they reflect key objectives or high priority projects	that provide broader assurance, for example corporate policies and frameworks
that need to be covered to enable us to provide an annual opinion	where there are time pressures or scheduling requirements, for example grant deadlines, or work scheduled to minimise the impact on council service areas at busy times

 

27          The above factors will be used on an ongoing basis to decide what internal audit work will be carried out, and when, during the course of the year. These decisions will be made in consultation with the council through our ongoing dialogue with senior officers. Individual pieces of work will move between the three categories, as required, based on their priority at the time of assessment.

28          For example, an audit scheduled for quarter three to minimise the impact on a service area may initially be classed as to ‘do later’ but will become ‘do now’ as we move into quarter three. Similarly, an audit of a council project classed as ‘do now’ because it represents an area of high importance may move from ‘do now’ to ‘do next’ or ‘do later’ if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as ‘do later’ are likely to be deferred until the following year.

29          It is important to emphasise two important aspects of the programme. Firstly, the audit activities included in appendix A are not fixed. As described above, work will be kept under review to ensure that audit resources are deployed to areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.

30          Secondly, it will not be possible to deliver all of the audit activities listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment. Over-planning the programme enables us to respond quickly by commencing work in other areas of importance to the council when risks and priorities change during the year.

31          The committee will be provided with information on current internal audit priorities throughout the year as part of regular progress reporting.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

APPENDIX A: indicative internal audit work programme 2026/27

 

Programme area		Potential internal audit activity
Strategic / corporate & cross cutting			Building security (West Offices and Hazel Court)        Contract management        Corporate complaints        Data quality        Financial maturity and culture        Health surveillance        Incident management and business continuity        Performance management framework        Physical information security compliance        Procurement compliance        Procurement forward planning        Purchasing cards, online accounts, and petty cash        Savings delivery
Technical / projects			Cloud and third-party security        Cybersecurity and user awareness        Database and application security        Capital programme governance        Contract management: major project delivery (follow-up)        Highways and transportation capital programme management        Local Net Zero Accelerator: City Leap Accelerator Project        Transformation programme governance
Financial systems			Council tax and NNDR        Housing rents        Ordering and creditor payments        Sundry debtors
Service areas			Blue badge applications        Building control        Environmental health        Highways maintenance        Homelessness and housing options        Housing allocations        Housing management system: data integrity        Housing repairs        Housing safety compliance (fire safety)        Housing safety compliance (gas safety)        Licensing        YorHome (phase 3)        Adult social care strategies        All-age commissioning        Front door service (adult social care)        Telecare service        Children’s continuing care        Foster carer payments (follow-up)        Free early education funding        Huntington Secondary School        School attendance and fixed penalty notices        St Oswald’s CE Primary School
Other assurance work			Follow-up of previously agreed management actions        Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control        Continuous assurance work, including data analytics and data matching projects Attendance at, and contribution to, governance- and assurance-related working groups
Client support, advice & liaison			Committee preparation and attendance        Key stakeholder liaison        Support and advice on control, governance and risk related issues