Agenda Item





Audit and Governance Committee

 21 January 2022


Report of the Head of Internal Audit


Internal Audit Plan Consultation



1          The purpose of the report is to seek members’ views on priorities for internal audit work for 2022/23.


2          Internal audit provides independent and objective assurance and advice on the council’s control processes. It helps the organisation to achieve objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control and governance processes.

3          Internal audit standards and the council’s audit charter require internal audit to draw up an indicative programme of work. The programme must be based on an assessment of risk. In coming to a view on the risks facing the council, the opinions of the Audit and Governance Committee and senior council officers must be taken into account. Consultation with officers will be undertaken over the next two months. The purpose of this report is to seek the committee’s views on priorities for audit over the coming year.

2022/23 internal audit work programme


4          A new, flexible, approach to audit planning was introduced last year. Under the new approach, an indicative long list is developed at the start of the year. The long-list includes all areas that are likely to be important for audit in the year. However, it is over-programmed (it includes more work than it is possible to complete). Actual work to be undertaken is selected from the long list throughout the year based on an ongoing assessment of risks and priorities. This approach allows us to keep upcoming work under review, to ensure we are targeting audit resources to those areas most needed. It also builds in flexibility, by enabling us to respond quickly to emerging issues or to commence work on other areas of importance when risks and priorities change. The long list is also kept under review during the year. Potential audits are added or removed as required.

5          The indicative programme is informed by a number of factors such as the Council’s risk registers, relevant national issues and our wider audit knowledge, including the results of recent audit work. The Council’s external auditors are also consulted to avoid possible duplication of work programmes, and to maximise the overall benefit of audit activity. The indicative programme will be presented to the Audit and Governance Committee in April 2022, for approval.

6          Internal audit work programmes cover a range of risk areas to ensure that the work undertaken enables Veritau to meet the requirement to provide an overall opinion on the governance, risk management, and control framework operating in the council. We have defined 11 key areas where we require assurance during the course of the year in order to provide that opinion, as follows.

      Strategic planning

      Organisational governance

      Financial governance

      Risk management

      Information governance

      Performance management and data quality

      Procurement and contract management

      People management

      Asset management

      Programme and project management

      ICT governance

7          Functionally, the indicative programme will be structured into a number of sections, as set out below. In assessing what work is included in each area, consideration is given to the priorities listed at paragraph 6.

      Strategic / corporate & cross cutting– to provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.

      Technical / projects – to provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.

      Financial systems – to provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.

      Service areas – to provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.

      Other assurance areas – an allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.

      Client support, advice & liaison – work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.

8          Figure 1 includes some initial ideas on areas for consideration for audit in 2022/23. These are included to prompt discussion and are not intended to be a definitive or complete list of areas that could be reviewed. The list includes areas which reflect risks arising from current external factors – for example the Covid-19 pandemic.

9          The committee’s views are sought about areas they consider a priority for audit in 2022/23. This may include particular areas listed in figure 1 that they think should be a high priority (or that may be less important) or any other areas which should be considered for audit.

Figure 1 – Risk areas to consider for Audit in 2022/23



Possible Work

Strategic risks / corporate & cross-cutting

·         Medium term financial planning and budgeting, budget management, savings plans, commercialisation and investment strategy, financial resilience

·         Areas of the council’s corporate governance framework (eg schemes of delegation, constitution, complaints process, standards)

·         Strategic planning (eg policies and procedures, the Council Plan, Covid-19 recovery)

·         Risk management, disaster recovery plans and insurance arrangements

·         Performance management and data quality

·         Partnership working

·         Procurement and contract management (including supply chain resilience third party risk, due diligence, Modern Slavery Act compliance)

·         Ethics and organisational culture

·         HR and organisational development / workforce planning (eg management and supervision of remote teams, staff wellbeing, recruitment and retention, succession planning, training and development)

·         Information governance and data protection – compliance, management of information assets, data breach management, data sharing agreements, data storage arrangements, training

·         Environment, climate change and waste – air pollution, carbon footprint, energy reduction, recycling, electric vehicle usage

·         Health and safety.  


Technical / project risks

·         IT strategy & governance (such as information security policies, IT risk management, supporting service development and roles and responsibilities)

·         IT information security (such as server configuration, patch management and operating system configuration)

·         IT services (such as help desk, incident management and network availability)

·         Cyber security 

·         Digitalisation / automation

·         Overall corporate project management arrangements and project risk management

·         Support and review of specific key projects


Main Financial systems

·         Payroll/personnel

·         General ledger, debtors (including debt recovery and enforcement practice), creditors, cash income

·         Capital accounting and assets

·         Council Tax/ NNDR & benefits (including review of Covid-19 related grants)

·         Treasury management


Service related areas

·         Adult and children’s social care – budget management, workforce planning, case management, placements, referrals and assessments, recruitment & retention, procurement, quality assurance, capacity, contract monitoring, deprivation of liberties

·         Special Education Needs and Disability (SEND) – EHC plans (processes), planning, working with partners, funding

·         Public health including management of contracts and management of Covid-19 schemes

·         Housing strategy, use of temporary accommodation and homelessness

·         Other risks relating to specific service areas (such as schools, planning, local plan strategy, waste collection and recycling, parking, licensing, community safety, environmental health, economic development, domestic violence strategies)

·         Contract management / client arrangements (eg Explore, YMT)

·         Building services / housing repairs

·         York Central





10      This report is part of the ongoing consultation with stakeholders on priorities for internal audit work in 2022/23.


11      Not relevant for the purpose of the report.


12      Not relevant for the purpose of the report.

Council Plan

13      The work of internal audit supports overall aims and priorities by promoting probity, integrity and honesty and by helping to make the council a more effective organisation. 


14      There are no implications to this report in relation to:

·                  Finance

·                  Human Resources (HR)

·                  Equalities

·                  Legal

·                  Crime and Disorder

·                  Information Technology (IT)

·                  Property

Risk Management Assessment

15      The council will fail to comply with proper practice if appropriate officers and members are not consulted on the content of risk based audit plans.


16      Members are asked to;

-              Comment on the priorities for internal audit work for 2022/23. 


To ensure that scarce audit resources are used effectively.


Contact Details


Chief Officer Responsible for the report:


Max Thomas

Head of Internal Audit

Veritau Limited

Telephone: 01904 552940




Janie Berry

Director of Governance

Telephone: 01904 555385



Report Approved





Specialist Implications Officers


Not applicable


Wards Affected:  Not applicable





For further information please contact the author of the report


Background Papers