CONTENTS

 

 

 INTRODUCTION

1            This document sets out the proposed 2022/23 programme of work for internal audit, provided by Veritau for City of York Council.

2            The work of internal audit is governed by the Public Sector Internal Audit Standards and the council’s audit charter. In accordance with those standards, internal audit work must be risk based and take into account the requirement to produce an evidence based annual internal audit opinion. Planned work should be reviewed and adjusted in response to changes in the business, risks, operations, programmes, systems and internal controls.

3            The Head of Internal Audit’s annual opinion is based on an objective assessment of the effectiveness of the framework of risk management, governance and internal control. Our planned audit work includes coverage of all three areas to develop a wider understanding of the assurance framework of the council.

4            Responsibility for effective risk management, governance and internal control arrangements remains with the council. The Head of Internal Audit cannot be expected to prevent or detect all weaknesses or failures in internal control nor can audit work cover all areas of risk across the organisation.

 

 APPROACH

5            To meet professional aims and objectives, good practice for internal audit requires us to adopt flexible planning processes. This flexibility remains particularly important in 2022/23 as there is a significant amount of uncertainty for the council arising from the environment in which it operates and as it recovers from the Covid-19 pandemic. It also helps us to ensure that audit work undertaken during the year is adapted on an ongoing basis to reflect changing risks within the council.

6            The work programme for 2022/23 represents a summary of the overall areas we currently think will be the highest priority for work during the next year, based on our current assessment of risk. This assessment involves giving careful consideration to:

·         systems where the volume and value of transactions processed are significant, or the impact if risks materialise is very high, making the continued operation of regular controls essential

 

·         areas of known concern, where a review of risks and controls will add value to operations

 

·         areas of significant change which may include providing direct support / challenge to projects, reviewing project management arrangements, or consideration of the impact of those changes on the control environment, for example where reductions in resources may result in fewer controls.

 

7            The identification of risks has been informed in a number of ways; including review of the organisational risk management processes, understanding the council’s strategies and objectives, other known risk areas (for example areas of concern highlighted by management), the results of recent audit work and other changes in council services and systems.

8            Internal audit work covers a range of risk areas to ensure that overall, the work undertaken will enable us to meet the requirement to provide an overall opinion on the council’s framework of risk management, governance and internal control.

9            We have defined 11 areas where we require assurance during the course of the year to help provide that opinion:

•     strategic planning

•     organisational governance

•     financial governance

•     risk management

•     information governance

•     performance management and data quality

•     procurement and contract management

•     people management

•     asset management

•     programme and project management

•     ICT governance

 

10        The requirement for providing assurance across these areas is taken into account when identifying and prioritising work.

11        The proposed areas of coverage have been subject to consultation with the audit and governance committee and is subject to ongoing consultation and discussion with directors and senior officers.

12        The overall programme and the relative priorities for work within it will be updated throughout the year. Actual work to be started will be based on the most immediate priorities at any point. We will regularly consult with officers on the priority, scope and timing of work to help ensure that we provide assurance in the right areas at the right time. We will also provide regular updates on the scope and findings of work to the Audit and Governance Committee throughout 2022/23.

 

 2022/23 INTERNAL AUDIT WORK

13        The plan is based on a total commitment of 1023 days. Further detail on the potential areas of coverage is included in appendix A.

14        The programme is designed to ensure that limited audit resources are prioritised towards those areas which are considered to carry the most risk or which contribute the most to the achievement of the council’s strategic priorities and objectives.

15        Functionally, the indicative programme will be structured into a number of sections, as set out below. In assessing what work is included in each section, consideration is given to the priorities listed at paragraph 6 and the areas set out in paragraph 9.

·                Strategic / corporate & cross cutting– to provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.

·                Technical / projects – to provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.

·                Financial systems – to provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.

·                Service areas – to provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.

·                Other assurance areas – an allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.

·                Client support, advice & liaison– work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.

16        It is important to emphasise two important aspects of the programme. Firstly, the audit areas included in this draft programme and indicative days assigned to each of the areas in appendix A are not fixed. Work will be kept under review to ensure that audit resources continue to be deployed in the areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.

17        Secondly, it will not be possible to deliver all of the audits listed in the programme. The programme has been over planned, to build in flexibility from the outset while providing an indication of the priorities for work at the time of assessment. This will enable us to respondquickly by commencing work in other areas of importance to the council when risks and priorities change during the year.

 

 

APPENDIX A: Draft Internal Audit Work Programme 2022/23

 

Area	Indicative Days	Potential activity
Strategic risks / Corporate & cross cutting	260	Budgetary control / savings plans HR – absence management, staff wellbeing, recruitment and retention, hybrid working arrangements Information governance and data protection – information security checks, information security breaches / incident management Risk management Partnership working Insurance arrangements Performance management and data quality Teckal company governance Governance and decision making Procurement and contract management Environment and climate change – strategy, energy reduction Health and safety Business continuity / incident response
Technical / projects	100	ICT procurement and contract management ICT applications / database security ICT systems development and benefits realisation York Central / Castle Gateway Overall project management arrangements and/or specific support and review of key projects
Financial systems	120	Main accounting system Cash income Ordering and Creditors Debtors Payroll Council tax and NNDR Benefits Housing rents
Service areas	360	Commercial waste (follow up audit) Housing repairs and maintenance – recovery plans, health and safety, and procurement and contract management Public health commissioning and contract management Education, health and care plans (EHCPs) Children’s social care budget management Children’s services safeguarding Educational psychology Housing strategy, use of temporary accommodation and homelessness Adult social care – care payments and contract management Adult social care safeguarding Integrated care partnerships and joint commissioning Schools themed audits – HR / payroll, schools financial value standard (SFVS), lettings and income (individual school audits may be done in response to specific issues) Section 106 agreements
Other assurance work	90	Follow-up of previously agreed management actions Continuous audit planning and assurance gathering to help support our overall opinion on the framework of risk management, governance and internal control of the council Continuous assurance work, including data analytics and data matching projects Assurance related working groups Contingency
Client support, advice and liaison	93	Committee preparation and attendance Client liaison, support and advice on control, governance and risk related issues External audit liaison
TOTAL	1023