
Date: 11 March 2026
ANNEX 1
Internal Audit Progress Report 2025/26

CONTENTS

Background

Internal audit progress

Follow up

Appendix A: Internal audit work in 2025/26

Appendix B: Current priorities for internal audit work

Appendix C: Summary of key issues from finalised audits

Appendix D: Assurance audit opinions and finding priorities

Appendix E: Follow up of agreed actions

BACKGROUND

1            Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes.

2            The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Global Internal Audit Standards and the Application Note: Global Internal Audit Standards in the UK Public Sector.  

3            In accordance with the Global Internal Audit Standards (UK Public Sector) the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit & Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee. 

4            The internal audit work programme was agreed by this committee in March 2025.

5            Veritau adopts a flexible approach to work programme development and delivery. Work to be undertaken during the year is kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.

6            The purpose of this report is to update the committee on internal audit activity up to 20 February 2026, and to outline current plans for delivery over the remainder of the year.



INTERNAL AUDIT PROGRESS

7            A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A. Appendix A also details other work completed by internal audit during the year.

8            Since our last report to this committee, eight audits have been finalised. A further seven internal audit engagements have reached draft report stage. These will be finalised over the coming weeks.

9            A total of 12 audits are in progress at the time of reporting. We expect these audits to have reached the reporting stage by the next committee meeting.

10        In addition to the internal audit engagements discussed above, we have also continued to support the council by certifying central government grants, undertaking consultative engagements, and providing support and advice on governance, risk and control related matters.

11        The internal audit work programme is designed to include all potential areas that should be considered for audit in the short to medium term, recognising that not all of these will be carried out during the current year (work is deliberately over-programmed).

12        The 2025/26 work programme, showing current priorities for internal audit work, is included in appendix B. All work is now categorised as either ‘do now’ or ‘do later’.

13        Audits categorised as ‘do now’ will be undertaken over the remainder of 2025/26 and, once completed, will mark the conclusion of the current year’s work programme.

14        The relative priority of all other audits previously included in appendix B has been considered, alongside other audit priorities that have emerged during consultation on the 2026/27 internal audit work programme. Those audits categorised as ‘do later’ in appendix B are those which have been reassessed as priorities to deliver in 2026/27. The programme for 2026/27 is being presented to the committee as part of another item on the agenda.

15        The eight audits that have been finalised since the last report to this committee are included in appendix C. The appendix summarises the key findings from these audits, and includes actions agreed with officers to address identified control weaknesses. The finalised reports in appendix C are also included as exempt annexes to this report.

16        Appendix D provides the definitions for our audit opinions and finding ratings.


FOLLOW UP

17        All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work, we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits.

18        A summary of the current status of follow up activity is included at appendix E.

 

 

 


 

APPENDIX A: INTERNAL AUDIT WORK IN 2025/26

Final reports issued

| Audit | Reported to Committee | Opinion |
| --- | --- | --- |
| Safety Valve (implementation review) | May 2025 | Substantial Assurance |
| Housing benefits | May 2025 | Substantial Assurance |
| NHS Data Security and Protection Toolkit: accountable suppliers | May 2025 | No Opinion Given |
| School themed audit: purchasing and best value | July 2025 | Reasonable Assurance |
| Communications | July 2025 | No Opinion Given |
| Funded early education | July 2025 | Reasonable Assurance |
| Member induction programme | July 2025 | No Opinion Given |
| Commercial asset performance | July 2025 | Substantial Assurance |
| Savings plans | July 2025 | Reasonable Assurance |
| Clifton Green Primary School | July 2025 | Reasonable Assurance |
| Elvington Primary School | November 2025 | Reasonable Assurance |
| Carbon adaptation and reduction | November 2025 | Substantial Assurance |
| Physical information security | November 2025 | Reasonable Assurance |
| Schools themed audit: premium allocations | November 2025 | Substantial Assurance |
| Public EV charging strategy | November 2025 | Substantial Assurance |
| Free school meals: auto-enrolment | November 2025 | Substantial Assurance |
| Recruitment and selection | November 2025 | Reasonable Assurance |
| Contract management | November 2025 | Reasonable Assurance |
| ICT disaster recovery | March 2026 | Reasonable Assurance |
| Follow-up audit: risk management | March 2026 | Reasonable Assurance |
| Schools themed audit: governance | March 2026 | Reasonable Assurance |
| Service and role-specific training | March 2026 | Reasonable Assurance |
| Sundry debtors | March 2026 | Substantial Assurance |
| Main accounting system | March 2026 | Substantial Assurance |
| Danesgate Community School | March 2026 | Reasonable Assurance |
| Contract management: major project delivery | March 2026 | Limited Assurance |

 

Audits in progress

| Audit | Status |
| --- | --- |
| Information access request management | In draft |
| Children & Education Directorate: local scheme of delegation | In draft |
| Performance management | In draft |
| Residential care: Ousecliffe and Wenlock Terrace | In draft |
| Flexitime and annual leave | In draft |
| Absence management | In draft |
| Unaccompanied asylum seeker children | In draft |
| Travel and subsistence | In progress |
| Ordering and creditor payments (P2P action plan and verification) | In progress |
| Payments to care providers and contract management (ASC&I) | In progress |
| Home to school transport | In progress |
| Cybersecurity: user account management | In progress |
| Payroll | In progress |
| Right To Buy | In progress |
| Children’s direct payments | In progress |
| St Mary’s CE Primary School | In progress |
| Westfield Primary Community School | In progress |
| Section 106 agreements | In progress |
| Data quality and security: applications | In progress |

 

Other work completed in 2025/26

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

* Follow up of agreed actions
* Refresh of the follow-up and escalation procedure, with regular reporting to the Governance, Risk and Assurance Group
* Grant certification work:
  * Scambusters
  * UK Shared Prosperity Fund programme assurance (2024/25)
  * HUG2
* Consultative engagements:
  * Fact-finding review into manual creditor payments
  * Fact-finding review into the management of services provided by YorHome
  * Fact-finding review into the engagement of consultations on the York Station Gateway project
* Provision of support and advice:
  * Preparation of a briefing note on CIPFA’s Code of Practice for the Governance of Internal Audit in UK Local Government (‘the Code’)
  * Support with undertaking the council’s self-assessment against the Code
  * Holiday let commercial waste income collection procedures

 


APPENDIX B: CURRENT AUDIT PRIORITIES

Strategic / corporate & cross cutting

Do now

| Audit / Engagement | Rationale |
| --- | --- |
| Travel and subsistence | Identified in consultation with officers. |
| Performance management | No recent coverage. Provides coverage of a key assurance area. |
| Flexitime and annual leave | Identified in consultation with officers. |
| Absence management | Emerging risk area. |
| Information access request management | No recent coverage. Risks / controls are changing. |
| Data quality and security: applications | Provides broader assurance. |

Do later

| Audit / Engagement | Rationale |
| --- | --- |
| Building security (West Offices and Hazel Court) | |
| Physical information security | |
| Procurement Act compliance | |
| Contract management | |
| Risk management (maturity assessment) | |
| Management of York & North Yorkshire Combined Authority funding | |

Financial systems

Do now

| Audit / Engagement | Rationale |
| --- | --- |
| Ordering and creditor payments (P2P action plan and verification) | Being undertaken to verify progress made in implementing improvements to control. |
| Payroll | Key financial system. Risks / controls are changing. |

Do later

| Audit / Engagement | Rationale |
| --- | --- |
| Council Tax and NNDR | No recent coverage. Provides coverage of a key assurance area. |
| Housing rents | Risks / controls are changing. |

Service areas

Do now

| Audit / Engagement | Rationale |
| --- | --- |
| Payments to care providers and contract management (ASC&I) | No recent coverage. Provides coverage of a key assurance area. |
| Residential care: Ousecliffe and Wenlock Terrace | Being undertaken in response to known areas for improvement. |
| Unaccompanied asylum seeker children | Emerging risk area. |
| Children & Education Directorate: local scheme of delegation | Risks / controls are changing. Provides coverage of a key assurance area. |
| Home to school transport | Risks / controls are changing. Known area of pressure. |
| Westfield Primary School | Identified in consultation with officers. |
| St Mary's CE Primary School | Identified in consultation with officers. |
| Children’s direct payments | Risks / controls are changing. |
| Right To Buy | Risks / controls are changing. Changes to government policy. |
| Section 106 agreements | Being undertaken at the request of the committee. |

Do later

| Audit / Engagement | Rationale |
| --- | --- |
| Foster carer payments (follow-up audit) | |
| Children’s continuing care | |
| Schools themed audit: procurement | |
| Licensing | |

Technical / projects

Do now

| Audit / Engagement | Rationale |
| --- | --- |
| Cybersecurity: user account management | Provides coverage of a key assurance area. |

Do later

| Audit / Engagement | Rationale |
| --- | --- |
| Project governance (major projects) | |
| Project management (gateway reviews) | |
| ICT emergency response & business continuity planning | |

 

 

 

 

 

 

APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

ICT disaster recovery (November 2025)

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed the council’s ICT disaster recovery arrangements.

Comments / Issues identified:

The council has key ICT disaster recovery arrangements in place and its current plan is clear, accessible and regularly updated. Roles are defined and incident action cards support responses, although detailed playbooks are not yet in place.

Recovery priorities are set by ICT, without structured input from service areas.

Disaster recovery testing is informal, relying on lessons from real incidents rather than being formally scheduled. Backup arrangements and security controls are robust.

Management actions agreed:

Actions to address weaknesses will be agreed as part of phase two of the ICT disaster recovery audit (scheduled for 2026/27).

Follow-up audit: risk management (November 2025)

Opinion: No Opinion Given

Area reviewed: The purpose of this audit was to review the council’s arrangements for identifying, managing, and reporting directorate and service risks in accordance with corporate requirements. It was undertaken as a follow-up of the 2023/24 audit.

Comments / Issues identified:

Although some progress was evident, with the Risk Management Team beginning to re-establish its support and facilitation role, this had not been fully embedded between directorates and across service areas sufficient for them to continue risk management work independently. This also meant that agreed processes, including the issuing of quarterly risk reports, had not been regularised.

While arrangements for risk management remain inconsistent across directorates, and the council’s risks are not visible on a council-wide basis, the risk management process is not embedded to the level expected in the policy and strategy.

Management actions agreed:

A detailed management response to the report and its recommendations was provided. In summary, the response cited improvements made (and in progress) while also recognising that the council’s policy and strategy need to be reviewed to reflect the council’s desired approach to risk management.

Schools themed audit: governance (November 2025)

Opinion: Reasonable Assurance

Area reviewed: The purpose of this audit was to provide assurance that maintained schools met statutory governance requirements.

Comments / Issues identified:

Governance arrangements met statutory requirements, with appropriate structures and up-to-date schemes of delegation. However, some schools lacked a documented governance framework for the full governing body, committee terms of reference had not been recently reviewed, and declarations of interest had not been fully updated. Minutes, agendas and documentation were generally available and minutes evidenced appropriate challenge. Policy schedules were maintained well overall.

Governor membership and attendance were mostly strong, but some vacancies, outdated skills audits and unclear training records were noted.

Contract registers were kept but risk registers and website compliance checks were inconsistent across schools.

Management actions agreed:

A number of actions were agreed to address the identified control weaknesses. These included:

* Reviewing training records termly
* Clearly capturing outcomes and actions from skills audits
* Making cybersecurity and data protection training mandatory for at least one governor
* Formalising and including the role of the Finance Committee chair / school business manager link in committee terms of reference
* Improving arrangements for providing ‘Get Information About Schools’ data
* Standardising risk registers and guidance, and ensuring termly review of risks
* Adoption of the contract register template already shared with schools
* Including school website checks in the annual framework.

Service and role-specific training (November 2025)

Opinion: Substantial Assurance

Area reviewed: This audit reviewed the council’s arrangements for identifying, monitoring and recording training required within adult social care, children and education, and housing.

Comments / Issues identified:

The council’s MyLo system provides a strong basis for managing training, with effective tools for assigning courses, tracking completion and maintaining certifications.

Training matrices are well designed and updated through regular engagement between services and the Workforce Development Unit. However, not all courses are yet on MyLo, meaning that some services rely on manual records.

MyLo is not always updated to reflect the true status of training, resulting in inaccurate or incomplete information. Reporting arrangements also varied, with no consistent process for escalating training performance at directorate level.

Management actions agreed:

A reminder will be issued reinforcing the requirement to ensure that staff training completions are promptly recorded on MyLo. The reminder will also emphasise the need for timely renewal of service and role-specific training to prevent lapses.

The Workforce Development Unit will promote the use of existing MyLo functionality and the annual Learning Needs Analysis to support consistent oversight of training compliance. Through this exercise, it will be recommended that Directorate Management Teams discuss training issues quarterly, and awareness of available MyLo system support will be reinforced.

Sundry debtors (December 2025)

Opinion: Substantial Assurance

Area reviewed: This audit reviewed the council’s arrangements for issuing invoices, collecting and recording income, monitoring debt, and writing off debt.

Comments / Issues identified:

Invoices are raised accurately with proper supporting information, and no duplicates were found. Only a very small number of duplicate debtor accounts and unallocated suspense items exist, and both were being addressed at the time of the audit. The council’s corporate debt policy and guidance on raising invoices are outdated and do not fully reflect current practice.

Income is correctly allocated, and credit notes are properly authorised (albeit with occasional delays in processing).

Debt is monitored but recovery is inconsistent and not always sustained, with older debts being significant in volume and value.

Debt write-offs are well controlled and authorised, although accounts could be closed more promptly.

Management actions agreed:

Debt forums will be established for the Adult Social Care and Integration directorate, and similar measures introduced for non-adult social care debt.

Details of service-area specific debt recovery procedures will be documented. The corporate debt policy will be reviewed, and a suitable review schedule established. Existing guidance on raising invoices will also be updated.

Refunds will now be processed twice a week. The debtors team will regularly produce a report of outstanding refunds. The income services team will then be notified that there are refunds to process.

Main accounting system (December 2025)

Opinion: Substantial Assurance

Area reviewed: The purpose of this audit was to provide assurance on access arrangements to the financial management system and on the performance of key in-system activities.

Comments / Issues identified:

Access to the financial management system (FMS) is appropriately restricted and supported by layered controls, but weaknesses in user access management—such as complex access structures, inconsistent forms, and delays for movers and leavers—reduce assurance that access remains appropriate.

Controls over journals, virements and year-end processes are generally effective, although virement guidance could be clearer.

Feeder system data is transferred accurately, with timely uploads and reconciliations.

Suspense and control accounts are reviewed regularly, with reasonable balances and prompt resolution of discrepancies.

Management actions agreed:

Service managers’ responsibilities for user access management, particularly regarding the timely completion of user access forms when roles or responsibilities change, will be reinforced and communicated.

The user access management process will be enhanced by streamlining access categories and clearly defining the permissions associated with each, based on typical role requirements. User access request forms will be updated to ensure they are clearer, more user-friendly, and aligned with the revised process.

The virements guidance will be reviewed and updated to clearly define what constitutes a virement, and to clarify the associated processes for managing and approving them and evidencing approval on the FMS.

Danesgate Community School (December 2025)

Opinion:

Area reviewed: This audit reviewed the governance and financial management arrangements at Danesgate Community School - a specialist provider for pupils with social, emotional and mental health needs.

Comments / Issues identified:

Danesgate Community Pupil Referral Unit’s management committee operates within a compliant legal constitution, with statutory policies and website content up to date. Governance is effective, with regular meetings, challenge, and budget oversight. However, some gaps in governor training and inconsistent financial delegations were noted.

Financial processes are generally sound. Systems and controls for purchasing, income, payroll, payment cards, reconciliations and petty cash are appropriate but some financial policies lack sufficient guidance to support their practical implementation.

The school’s contract register lacks key detail, and some contracts have not been recently reviewed.

Management actions agreed:

A review of governor training and skills will be conducted to identify training requirements. Training will be a regular item on management committee meetings and governors will be signposted to the training available through the council’s governance team.

The financial management policy will be reviewed.

The debt management policy will be reviewed. Debt management will be a standing item on Finance and Resource committee meeting agendas.

The contract register will be updated to ensure that it contains information to assist governors in overseeing contract management.

Contract management: major project delivery (January 2026)

Opinion: Limited Assurance

Area reviewed: The focus of this audit was on how the main construction contracts for the Tadcaster Road project, Housing Delivery Programme, and York Station Gateway had been managed. However, in the case of York Station Gateway, we also evaluated officers’ own review into the circumstances relating to the significant overspend and delays with the project.

Comments / Issues identified:

The key finding from this audit related to the management of the York Station Gateway project. A number of weaknesses were identified, as follows:

* entering the construction contract ‘at risk’, before legal agreements with statutory undertakers had been sufficiently progressed
* additional costs incurred as a result of changes during project delivery
* inaccuracy / incompleteness of financial implications in decision reports
* gaps in project governance, and insufficient delivery and support capacity.

The remaining findings related to inaccuracies in how York Station Gateway costs were presented in monthly project highlight reports, a lack of rigour in reviewing and approving the Tadcaster Road project brief, and inconsistency / unavailability of compensation event documentation.

Management actions agreed:

A number of actions were agreed to address the identified control weaknesses. These included:

* Reviewing and improving the existing Programme Management Office function (including resourcing and skills)
* Reviewing wider programme and contract governance arrangements
* Creating dedicated construction / commercial contract management capacity
* Undertaking recruitment and creating a career pathway to better retain and grow talent in project management
* Identifying and delivering training to key staff involved in construction project delivery
* Reviewing highlight reports to ensure that RAG ratings take account of multi-phase projects
* Adopting the NEC approach to managing and recording compensation events
* Undertaking a feasibility review on investing in a contract management system.

 


 

 

 

 

 

 

APPENDIX D: ASSURANCE AUDIT OPINIONS AND FINDING PRIORITIES

Audit opinions

 

Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit. Our overall audit opinion is based on four grades of opinion, as set out below.

| Opinion | Assessment of internal control |
| --- | --- |
| Substantial assurance | Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified. |
| Reasonable assurance | Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made. |
| Limited assurance | Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation. |
| No assurance | Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse. |

 

Finding ratings

 

| Rating | Definition |
| --- | --- |
| Critical | A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management. |
| Significant | A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management. |
| Moderate | The system objectives are not exposed to significant risk, but the issue merits attention by management. |
| Opportunity | There is an opportunity for improvement in efficiency or outcomes but the system objectives are not exposed to risk. |

 


APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS

1          Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary.

2          Where responsible officers have not taken the action they agreed to, issues are escalated to more senior officers. Ultimately, they may be referred to the Audit & Governance Committee in accordance with the follow-up and escalation procedure. 

3          In figure 1, below, the status of agreed actions from follow-up activity undertaken between 1 April 2025 – 19 February 2026 is shown.

4          For clarity, the figure shows the results of follow up activity for this period, regardless of when actions were originally due (that is, it includes actions which were due prior to 1 April 2025 but which are still being followed up).

5          For completeness, it also shows actions which have been agreed in finalised audits, but which have not yet fallen due and so have not been followed up.

Figure 1: Total agreed actions by current status

 

6          A total of 128 actions have been followed up so far this year. Of these, 98 have been satisfactorily implemented. 45 actions are not yet due for follow-up as their original implementation date has not passed at the time of reporting.

7          A total of 11 actions have had their original implementation timescale extended, with revised implementation dates being agreed with the action owner. We agree revised dates where the delay in addressing an issue will not lead to unacceptable exposure to risk and where the delays may be unavoidable. However, the committee should be aware that lengthy or continued revised dates do inevitably lead to a degree of risk exposure to the council.

8          Figure 2, below, shows how long dates have been revised from the original implementation date.

Figure 2: Length of revised dates agreed for action implementation

 

9          At the time of reporting, 17 actions are overdue. This is shown in figure 3, below.

 

 

Figure 3: Length of time actions have been overdue

 

10       Nine of the overdue actions have only just fallen due so follow up action is ongoing. For critical actions this will include detailed testing.

11       For seven of the eight actions overdue by more than 30 days we have received a response and the process of following up the action and drawing conclusions is ongoing.

12       There will usually be some instances like this at any point in time. It can be due to ongoing communication with the responsible officers to obtain evidence confirming completion of the action. It can also be due to instances where the action taken is not exactly as agreed and further work is being undertaken to assess whether the action taken does satisfactorily address the risk or because there are ongoing discussions about whether to agree revised dates for the action.

13       One action is overdue, and we have not yet received a response from the action owner. This is a moderate priority action. We will continue to pursue a response.

14       Overdue actions are escalated according to the agreed escalation policy, firstly to relevant directors, then to senior officers via GRAG (Governance, Risk and Assurance Group). They may subsequently be brought to the Audit & Governance Committee. At this stage, no overdue actions are being escalated to the committee.