INTRODUCTION
1 This document sets out the proposed 2023/24 programme of work for internal audit, provided by Veritau for City of York Council.
2 The work of internal audit is governed by the Public Sector Internal Audit Standards and the council’s audit charter. In order to comply with those standards and the charter, internal audit work must be risk based and take into account the requirement to produce an evidence-based annual internal audit opinion. Accordingly, planned work should be reviewed and adjusted in response to changes in the business, risks, operations, programmes, systems and internal controls.
3 The Head of Internal Audit’s annual opinion is formed following an independent and objective assessment of the effectiveness of the framework of risk management, governance and internal control. Our planned audit work includes coverage of all three areas to develop a wider understanding of the assurance framework of the council, and to produce a body of work which allows us to provide that opinion.
4 Responsibility for effective risk management, governance and internal control arrangements remains with the council. The Head of Internal Audit cannot be expected to prevent or detect all weaknesses or failures in internal control nor can audit work cover all areas of risk across the organisation.
APPROACH
5 In order to best meet professional standards, internal audit is required to adopt flexible planning processes that are sensitive to risk. This flexibility and risk-based approach are driving principles for delivery of City of York Council’s 2023/24 internal audit work programme.
6 The council is facing unprecedented financial pressures as a result of the continued increase in demand for its services and the impact of inflation and economic uncertainty. An ageing population, an increase in the complexity of need in the adult and child populations, exposure to unfavourable market conditions, and challenging financial positions for health partners all represent risks to the council’s ability to deliver its priorities and maintain its services.
7 This is against a backdrop of declining central government funding over recent years. The combination of these pressures means that the council needs to act to maintain a stable and resilient financial position while still delivering on the priorities set out in the Council Plan. These priorities include continuing to invest in adult social care and support for children, and supporting its communities facing the cost of living crisis. Meanwhile, the council has an extensive and ambitious programme of major capital projects designed to stimulate economic growth, to deliver more housing, and to improve its highway network infrastructure.
8 The work programme for 2023/24 represents a summary of the overall areas we currently believe will be the highest priority for work during the next year, based on our current assessment of risk facing the council. This assessment involves giving careful consideration to:
· systems where the volume and value of transactions processed are significant, or the impact if risks materialise is very high, making the continued operation of regular controls essential
· areas of known concern, where a review of risks and controls will add value to operations
· areas of significant change which may include providing direct support / challenge to projects, reviewing project management arrangements, or consideration of the impact of those changes on the control environment, for example where reductions in resources may result in fewer controls.
9 Internal audit work covers a range of risk areas to ensure that, overall, the work undertaken will enable us to meet the requirement to provide an overall opinion on the council’s framework of risk management, governance and internal control.
10 We have defined 11 areas where we require assurance during the course of the year to help provide that opinion:
· strategic planning
· organisational governance
· financial governance
· risk management
· information governance
· performance management and data quality
· procurement and contract management
· people management
· asset management
· programme and project management
· ICT governance
11 The 11 assurance areas represent aspects of the council’s systems of internal control that need to be in good health and functioning correctly to maximise the likelihood that its objectives are achieved without undue exposure to risk.
12 The requirement to provide assurance across these areas to arrive at a strong, evidence-based annual opinion is taken into account when identifying and prioritising work throughout the year. The process for developing the 2023/24 work programme has involved the following key steps:
· undertaking a detailed review of the council’s corporate risk register, including changes in risk profile over time, controls and actions
· understanding the council’s longer- and shorter-term objectives through an extensive desktop review of committee reports, decisions, performance data, and Council Plan priorities
· evaluating other known risk areas (for example, areas of concern highlighted by management or through our experience at other clients), and
· considering fundamental controls, the results of recent audit work, outcomes from any external reviews, and changes in council services and systems.
13 The results of these assessments and considerations have been combined to allow us to evaluate the impact and value each potential audit would bring. The proposed areas of coverage have already been subject to consultation with the Audit and Governance Committee, as part of its 18 January 2023 meeting, and they continue to be subject to consultation and discussion with directors and senior officers from across the organisation.
14 The overall programme, and the relative priorities for work within it, will be revisited and updated throughout the year. Work to be started will be based on the most immediate priorities at any point. We will regularly consult with officers on the priority, scope and timing of work to help ensure that we provide assurance in the right areas at the right time. We will also provide regular updates on the scope and findings of our work to the Audit and Governance Committee throughout 2023/24.
2023/24 INTERNAL AUDIT WORK
15 The work programme is based on a total commitment of 1023 days. Further detail on the current priorities for internal audit coverage during 2023/24 is provided in appendix A.
16 The programme is designed to ensure that limited audit resources are prioritised towards those areas which are considered to carry the most risk or which contribute the most to the achievement of the council’s strategic priorities and objectives.
17 Functionally, the indicative programme is structured into a number of sections, as set out below. In assessing the work to be included in each section, consideration is given to the priorities listed at paragraph 8 and the areas set out in paragraph 10.
· Strategic / corporate & cross cutting – to provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.
· Technical / projects – to provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.
· Financial systems – to provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.
· Service areas – to provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.
· Other assurance areas – an allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.
· Client support, advice & liaison – work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.
18 It is important to emphasise two aspects of the programme. Firstly, the audit areas included in this programme and the indicative days assigned to each of the areas in appendix A are not fixed. As described in paragraph 14, work will be kept under review to ensure that audit resources continue to be deployed in the areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.
19 Secondly, it will not be possible to deliver all of the audits listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment. Over-planning the programme enables us to respond quickly by commencing work in other areas of importance to the council when risks and priorities change during the year.
APPENDIX A: Indicative Internal Audit Work Programme 2023/24
Area | Indicative Days | Potential activity
Strategic risks / Corporate & cross cutting | 300 | Budget management; Cipfa Financial Management Code (support / consultancy); Management of external funding sources; Absence management; Agency staff (Children and Education / Adult Social Care and Integration); Freedom of Information Act compliance; Physical information security compliance (West Offices and Hazel Court); CCTV; Information asset management; Contract management (delivery of social value); Risk management (including risk identification support to major projects); York 2032: The 10-Year Plan; Data and decision-making; Member induction programme; Adherence to constitution: decision-making; Health and safety; Transparency; Officer declarations of interest; Public health; Climate adaptation / carbon reduction
Technical / projects | 90 | ICT procurement and contract management; ICT disaster recovery; OneDrive / Microsoft Teams information governance; NHS Data Security and Protection Toolkit (thematic review); Overall project management arrangements and / or specific support and review of key projects
Financial systems | 110 | Main accounting system; Treasury management; Ordering and creditor payments; Sundry debtors; Payroll; Council tax and NNDR; Housing benefits
Service areas | 340 | Procurement Bill (preparedness assessment); Adult education; Ward committee model / locality working; Asset management (housing management services and highways); Additional landlord duties; Section 106 agreements; Community Infrastructure Levy; Public EV Charging Strategy (tariff management); Highway maintenance scheme development review; Public protection; Continuing healthcare; Integrated care partnerships; Commissioning (adult social care); Reablement and independent living; Mental health services; Payments to care providers and contract management; Performance management and data quality (children’s social care); Early help (assessments and interventions); Adoption / SGO / CAO allowances; Children’s safeguarding; Safety Valve (implementation review); Education, health and care plans (EHCPs); Free early education funding; School themed audits
Other assurance work | 90 | Follow-up of previously agreed management actions; Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control; Continuous assurance work, including data analytics and data matching projects; Attendance at, and contribution to, governance- and assurance-related working groups
Client support, advice & liaison | 93 | Committee preparation and attendance; Key stakeholder liaison; Support and advice on control, governance and risk related issues
TOTAL | 1023 |