A blue and white triangle pattern  Description automatically generated
Date: 28 February 2024,Appendix 1A black and white logo  Description automatically generatedInternal Audit Work Programme Consultation 2024/25


3           Introduction

4           Approach: The Opinion Framework

7           Key assurance areas

12         Questions for the committee to consider

13         Next steps



A blue and white triangle pattern  Description automatically generated





1             The Public Sector Internal Audit Standards (PSIAS), and the council’s audit charter, require internal audit to draw up an indicative programme of work based on an assessment of risk. The standards require internal audit to independently form a view on the risks facing the council. However, they also require the opinions of the Audit and Governance Committee and senior council officers to be considered when forming that view.

2             A specific public sector requirement for internal audit is that the risk-based programme must take into account the requirement to produce an annual internal audit opinion. Internal audit work programmes cover a range of risk areas to ensure that the work undertaken enables Veritau to provide an overall opinion on the framework of governance, risk management, and control operating at the council.

3             This report provides information on Veritau’s approach to planning audit work. It also asks for the committee’s views on areas it considers a priority for internal audit in 2024/25. This is the first stage in consultation on the annual programme of work. A full draft programme is expected to be brought to the committee in May 2024.









A path leading to a castle  Description automatically generated with medium confidence 























4             In addition to the requirements referred to above, the PSIAS also expect that the risk-based programme of work is linked to, and contributes to:

·         the management of strategic risks, and

·         the achievement of organisational objectives and priorities.


5             The annual opinion is the most important output from internal audit and a key source of objective assurance that the council’s leadership team and councillors can use to inform the annual governance statement. The opinion must therefore be well founded if it is to give proper assurance to the council.


The opinion framework

6             Veritau has established an opinion framework. This reflects the requirements of the PSIAS and the council’s internal audit charter, to enable us to deliver an annual opinion.


7             The opinion framework sets out the principles that will be used to develop and manage the audit work programme. It ensures that assurance coverage is targeted towards priority areas to allow us to develop a properly informed annual opinion. We continuously revisit priorities during the year so that the work programme remains up to date.


8             The opinion framework is comprised of three main parts. The main component is a definition of several key assurance areas. These represent areas of internal control that we think are essential to the proper functioning of the council. Systems and controls in each area need to be operating effectively to maximise the likelihood that the council’s objectives are achieved without undue exposure to risk.


9             The 11 areas we have identified make the most significant contribution to achievement of organisational objectives or give rise to the greatest risks. They are based on our internal audit experience in local government and good practice guidance. The 11 areas cover both corporate arrangements, and management of risks and controls in individual service areas that collectively contribute to the council’s wider objectives.


10          Overlaid on the key assurance areas are two further components of the framework:

·         Organisational risks 

·         Organisational objectives


11          The risks that are most important for audit planning are those set out in the council’s Key Corporate Risk (KCR) Register. These are the risks included in quarterly monitoring reports presented to the committee by the Chief Finance Officer.


12          There are many other risks associated with the wide range of services the council delivers. Where appropriate, service risks are considered as part of individual audit assignments. However, the risks on the KCR register are those considered most significant to the achievement of the council’s objectives and therefore are the main focus for internal audit planning. There are currently 12 risks on the KCR register.


13          The council’s organisational objectives are expressed in its 2023-27 Council Plan as priorities. There are seven priorities covering health and wellbeing, education and skills, economy and employment, transport, housing, sustainability, and how the council operates. These priorities are expected to create the conditions to make the city of York a healthier, fairer, more affordable, more sustainable and more accessible place, where everyone feels valued.


14          The council’s strategic ambitions, and the mechanisms by which they are delivered, are a key consideration when identifying and prioritising engagements for inclusion in the internal audit work programme.


15          The internal audit work programme will be developed by looking to have appropriate coverage across all 11 of the key assurance areas. In deciding what work is a priority in each area, we also consider which audits will also provide coverage of strategic risks and corporate ambitions and priorities.


16          The process followed in using the opinion framework to determine audit priorities, and so to develop the internal audit work programme, is illustrated on the following page.




















A black and white logo  Description automatically generated
Badge with solid fill
11 Key Assurance Areas
Badge 1 with solid fillThe Audit Universe

Badge 5 with solid fillBadge 3 with solid fill

The audit universe represents all areas across the council that Veritau has identified as being auditable. The universe is broadly structured as follows:
  Corporate and cross-cutting
  Key financial systems
  Service areas
  ICT and technical
Internal Audit Work
 , Council Ambitions
 ,Key Corporate Risks
  Financial pressures
  Effective and strong partnerships
  Changing demographics
  Health and wellbeing
  Capital programme
  Local plan
  External market conditions
  Major incidents
 ,Having evaluated all potential audits against the opinion framework in steps 1 to 4, audits are prioritised for inclusion in the internal audit work programme.
Information outline
Badge 4 with solid fill
Laptop outlineGantt Chart outlineCity outlineUsers outlineHandshake outline
Procurement and contract management
 People management
 Asset management
 Programmes and project management
 IT Governance
Upward trend outlineMap with pin outlineScales of justice outlineCoins outlineDatabase outlineWarning outline
Strategic Planning
 Organisational governance
 Financial governance
 Risk management
 Information governance
 Performance management
 and data quality
 Health and wellbeing: A health generating city for
  children and adults 
  Education and skills: High quality skills and learning for all
  Economy and good employment: A far, thriving, green economy for all 
  Transports: Sustainable accessible transport for all 
  Housing: Increasing the supply of affordable housing
  Sustainability: Cutting carbon, enhancing the environment for our future
  How the council operates
A blue and white triangle pattern  Description automatically generated



Key assurance areas: an overview and examples

17          Details of the 11 key assurance areas are set out below. We have provided definitions, and some examples of arrangements, systems, and processes we could audit within each area. The examples are for illustrative purposes and are not exhaustive. Some audits we will consider for inclusion in the work programme are also likely to cut across a number of the key assurance areas.


Strategic planning

18          Strategic planning covers the arrangements the council has to define and develops its strategy, or direction, and make decisions on resource allocation to successfully pursue this strategy. It also encompasses the control measures in place to guide strategy implementation. The council’s strategy and policy framework is comprised of three core interdependent 10-year strategies (relating to the local economy, health and wellbeing, and climate change), supporting strategies, the Council Plan, and other key plans and policies which give effect to the strategies.


19          This area is of importance to internal audit as effective strategic planning is a prerequisite for delivering long term, sustainable success.



*       Social care delivery and commissioning

*       Organisational development

*       Housing development

*       Strategy action planning and delivery


Organisational governance

20          Governance is the combination of processes and structures implemented to inform, direct, manage and monitor the activities of the council toward the achievement of its objectives. At its most visible, governance involves the set of policies put in place for the direction and control of the organisation and the establishment of rules and procedures for making decisions and for complying with relevant legislation and regulations. Governance also encompasses business ethics, leadership, strategic management, and control activities. In a local authority context, the principles of effective governance are set out in CIPFA / Solace’s 2016 Delivering Good Governance in Local Government: Framework.


21          Internal audit is expected to assess and make appropriate recommendations to improve the council’s governance processes. It is also expected to evaluate risk exposures relating to compliance with laws, regulations, policies, procedures and contracts.



*       Adherence to Constitution

*       Declarations of interests & gifts and hospitality

*       Policy framework

*       Democratic governance


Financial governance

22          Section 151 of the Local Government Act 1972 requires that every local authority in England and Wales should “... make arrangements for the proper administration of their financial affairs...". Financial governance involves arrangements for giving a reliable account of the money spent and income received, stewardship of public resources, compliance with legal and regulatory requirements, ensuring value for money, supporting effective decision-making, and facilitating planning and resource allocation.


23          The PSIAS require that internal audit evaluates the adequacy and effectiveness of controls relating to the reliability and integrity of financial information.



*       Income collection & debt management

*       General ledger / accounting records

*       Treasury management

*       Ordering and creditor payments


Risk management

24          Risk management encompasses the council’s arrangements for identifying, assessing, managing, and controlling potential events or situations to provide reasonable assurance that its objectives will be achieved. It involves being aware of risk exposures, selecting appropriate risk responses that align risks with the council’s risk appetite, and communicating relevant information in a timely manner across the organisation.


25          As the council’s internal audit provider, the PSIAS expect that we evaluate the effectiveness of risk management processes and contribute to their improvement.



*       Risk management processes

*       Health and safety

*       Insurance

*       Disaster recovery


Information governance

26          Information governance is the set of multi-disciplinary structures, policies, procedures, processes, and controls implemented to manage information across the council. These governance arrangements should support the council’s immediate and future regulatory, legal, risk, environmental and operational requirements.


27          Given its links to information asset security, compliance risk, and the importance of data in driving and informing the council’s decisions and operations, it is an important area for internal audit coverage.



*       UK GDPR compliance

*       Records management

*       Data breach management

*       Rights of individuals requests


Performance management and data quality

28          Performance management refers to the systematic process by which the council plans, monitors, and improves the delivery of the services it provides to the public. The starting point for performance management is the council’s strategic ambitions which then filter down the organisation to directorate, service, team and individual levels. The council’s performance management framework aims to join up delivery at all levels by setting clear, achievable targets which can be accurately monitored and reported, with corrective action being taken promptly and appropriately.



*       Performance framework

*       Data quality

*       Action planning and delivery

*       Follow-up processes


Procurement and contract management

29          Effective procurement is vital for any local authority to ensure that it maximises value for money in its service delivery. Every procurement process undertaken by the council needs to comply with the provisions of its Constitution (including the Contract Procedure Rules) and the objectives set out in its Procurement Strategy. Public sector procurement also needs to comply with the Public Contracts Regulations and with any changes introduced by the new Procurement Act 2023.


30          Once a procurement exercise is completed and the contract begins, it is essential that it is monitored regularly to ensure compliance with terms and conditions, to manage delivery risk, and to assess performance.



*       Individual procurement exercises

*       Contract management

*       Compliance with the CPRs

*       Category management and forward planning


People management

31          This area covers all aspects of the management of human resources across the council. For example, recruitment and selection, remuneration, attendance management, training and talent development, individual performance management, equal opportunities, welfare and industrial relations, working arrangements, and discipline.


32          The council’s people are essential to the achievement of its objectives, and there are a wide range of potentially significant risks in this area.



*       Training

*       Performance management

*       Equalities, diversity, and inclusion

*       Agency staff and recruitment


Asset management

33          Asset management involves the proper management, safeguarding and recording of assets. It seeks to align the asset base with the council’s corporate ambitions and objectives. Key areas for effective asset management include strategic planning, maintenance of accurate records, an understanding of the physical location of assets, allocated responsibility for assets, and periodic and systematic physical verification of the existence, condition, and performance of assets.


34          Ensuring the safeguarding of assets is one of five key risk areas that the PSIAS require internal audit to evaluate when providing assurance on the adequacy and effectiveness of the council’s risk management arrangements.



*       Verification of assets

*       Asset repair and maintenance

*       Commercial property strategy

*       Acquisition, transfer, and disposal


Programme and project management

35          Programmes are a collection of related projects managed in a coordinated way. This can bring  benefits and control over and above what is achievable from managing projects individually. Projects are discrete, clearly defined, shorter-term engagements, involving the application of processes, methodologies, and specific/cross-functional skills and methodologies to achieve specific and measurable outcomes.


36          Effective project management is important for the council to ensure resources are used efficiently and to achieve value for money. Particularly for large and high-profile projects that bring about significant change. Internal audit is expected to evaluate risk exposures relating to the effectiveness and efficiency of council programmes and projects.



*       Project management framework review / compliance

*       Individual review of projects

*       Project assurance arrangements

*       Project governance and risk management


IT governance

37          Information technology (IT) governance is a sub-discipline of organisational governance. It relates to leadership, organisational structures, policies, and processes that ensure that information technology supports council strategies and objectives. IT governance should also support the management and oversight of the council’s business as usual activities.


38          The PSIAS require internal audit to assess whether information technology governance supports the council’s strategies and objectives.



*       Cybersecurity

*       IT asset management

*       Access controls

*       IT systems development


39          Details of the 11 key assurance areas are set out below. We have provided a definition of the areas as well as some examples of areas we could audit within each assurance area. The example audits are for illustrative purposes and are not exhaustive. Some audits we will consider are likely to cut across a number of the key assurance areas.
























40          As part of our preparations for the audit work programme for 2024/25, the committee is invited to express a view on any areas it feels should be considered a priority for internal audit work. In considering this, relevant questions may include the following:

*       For any of the council’s strategic risks, are there any which the committee would like internal audit to look at, to provide additional assurance about arrangements for the management of the risk?

*       What are the biggest threats to the achievement of the council’s priorities?

*       Are there any of the 11 key assurance areas where the committee feels internal audit should pay particular attention, to provide it additional comfort that arrangements are operating effectively?

*       Are there any specific elements within the 11 key assurance areas that the committee would like internal audit to look at during 2024/25?

*       Irrespective of the assurance areas, risks and council priorities, does the committee have any specific suggestions for internal audit assignments we should consider in 2024/25?




















41          Following consultation with the committee we will hold further discussions with officers to understand their view of priorities for internal audit work over the next year. These meetings will take place during February and March 2024.


42          Alongside this we will continue to keep abreast of emerging issues relevant to the public sector as well as any specific sectoral risks or developments including any relevant changes to legislation. We will also continue to review committee papers and other relevant background information to ensure we have an up-to-date picture of the challenges and issues facing the council.


43          Information collected will be used to develop the indicative long list of audits to be included in the 2024/25 internal audit work programme. This will be brought to the committee for approval in April or May 2024.


44          Our risk assessment and the programme of work will continue be updated and revisited throughout the year to ensure audit work continues to target priority areas.