Internal Audit Work Programme 2024/25
Annex 1


A blue and white triangle pattern  Description automatically generated



3           Introduction

3           Strategic context

5           Programme principles and development

8           2024/25 internal audit work

10         Appendix A: indicative internal audit work programme





A blue and white triangle pattern  Description automatically generated

 ,Briefcase with solid fill 

1             This report sets out the proposed 2024/25 programme of work for internal audit, provided by Veritau for City of York Council.

2             The work of internal audit is governed by the Public Sector Internal Audit Standards (PSIAS) and the council’s audit charter. To comply with professional standards and the charter, internal audit work must be risk based and take into account the requirement to produce an evidence-based annual internal audit opinion. Accordingly, planned work should be reviewed and adjusted in response to changes in the business, risks, operations, programmes, systems and internal controls.

3             Specifically, the PSIAS require that the Head of Internal Audit must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals. The risk-based plan must take into account the requirement to produce an annual internal audit opinion.”

4             The Head of Internal Audit’s annual opinion is formed following an independent and objective assessment of the effectiveness of the framework of risk management, governance and internal control. Our planned audit work includes coverage of all three areas to develop a wider understanding of the assurance framework of the council, and to produce a body of work which allows us to provide our opinion.

5             Responsibility for effective risk management, governance and internal control arrangements remains with the council. The Head of Internal Audit cannot be expected to prevent or detect all weaknesses or failures in internal control nor can audit work cover all areas of risk across the organisation.

 Strategic context
 ,Puzzle with solid fill 


6             The council is facing unprecedented financial and delivery pressures as a result of the continued increase in demand for its services and the impact of inflation and economic uncertainty. An ageing population, an increase in the complexity of need in the adult and child populations, exposure to unfavourable market conditions[1], and challenging financial positions for health partners all represent risks to the council’s ability to deliver its priorities and maintain its services (see figure 1 on the following page).

7             These pressures are set against a backdrop of real terms decline in central government funding over multiple years. While core spending power has increased by 6% since 2010/11, this has translated to a real term reduction in spending power of 28.5% for the city of York. This has seen City of York Council become one of the lowest funded upper-tier local authorities in the country, with a national rank of 143 out of 150[2].

8             The combined effect of all these pressures means that the council needs to take action to maintain a stable and resilient financial position while still delivering on its statutory duties, and on the priorities set out in the Council Plan and its three 10-year strategies. These priorities include continuing to invest in adult social care and support for children and supporting its communities facing the cost-of-living crisis. Meanwhile, the council has an extensive and ambitious programme of major capital projects designed to stimulate economic growth, to deliver more housing, and to improve its highway network infrastructure. Large sums have been committed to complex, high profile, and often multi-year projects. While these projects present significant opportunities for the council, they also bring with them considerable risks.

9             In short, the council is expected to deliver more with less. Maintaining effective operational arrangements is essential to achieving this. Internal audit contributes to overall objectives by helping to ensure that systems of governance, risk management and control that underpin operational arrangements are robust. To maximise the value of internal audit, it is vital that we provide assurance in the right areas at the right time. We’ve designed the processes for developing the internal audit work programme, and refining it through the year, to do that.

Figure 1: An illustration of the key threats currently facing City of York Council.



















Packing Box Open with solid fill 


Flexible, risk-based planning and the opinion framework

10          In order to best meet professional standards, internal audit is required to adopt flexible planning processes that are sensitive to risk. This flexibility and risk-based approach are driving principles for delivery of City of York Council’s 2024/25 internal audit work programme.

11          The Audit & Governance Committee was introduced to Veritau’s opinion framework as part of the 28 February 2024 internal audit work programme consultation report (Annex 1 - Internal Audit Work Programme Consultation Report 2024-25.pdf (

12          The opinion framework sets out the principles that will be used to develop and manage the audit work programme over the course of the year. It ensures that assurance coverage is targeted towards priority areas. This, in turn, allows us to arrive at a properly informed annual opinion.

Identification of initial internal audit priorities

13          Internal audit maintains a long list of all areas within the council that could potentially be audited. It is not possible to review all areas in any one year. Instead, we prioritise audits by considering potential risks in each area at the time of the assessment and by considering requirements for assurance coverage.

14          The opinion framework provides the structure for internal audit to take informed decisions on priorities.

15          Figure 2 on the following page demonstrates how the framework is applied to identify initial internal audit priorities. It illustrates how an example audit (‘savings delivery’) passes through the framework and how we evaluate it for potential inclusion in the work programme. In this case, we have assessed the savings delivery audit as a high priority for inclusion as it contributes to coverage of a key assurance area, a key corporate risk, and a council priority. The committee will note that the savings delivery audit has been included in the 2024/25 indicative internal audit work programme at appendix A.



Badge 1 with solid fill

APPPLYING THE FRAMEWORK: A WORKED EXAMPLE,Figure 2: The opinion framework, applied.
A black and white logo  Description automatically generated
11 key assurance areas
 ,The audit universe
 , Financial governance

Badge 4 with solid fillBadge 4 with solid fillBadge 3 with solid fillBadge with solid fill

Key Corporate Risks
  Financial governance 
  Financial pressures
 ,Information outline,Having evaluated all potential audits against the opinion framework in steps 1 to 3, audits are prioritised for inclusion in the internal audit work programme (step 4).
Badge 1 with solid fill,Badge with solid fill,Badge 3 with solid fill
Badge 1 with solid fill,Badge with solid fill
Badge 1 with solid fillInternal audit work
 , Council priorities
 ,, Financial governance 
  Financial pressures
  How the council operates 
 ,Audit identified: Savings delivery 
  Corporate and cross-cutting
 A blue and white triangle pattern  Description automatically generated

The ‘do now’, ‘do next’, ‘do later’ audit prioritisation system

16          Once initial internal audit priorities have been identified through application of the opinion framework, we then overlay a second system of prioritisation. This system allows us to determine the relative priority of audits included in the indicative work programme.

17          This second prioritisation system sees audits assigned to one of three categories, as shown in figure 3 below.


Figure 3: ‘do now’, ‘do next’, ‘do later’ prioritisation system.






18          Decisions on which category of the three categories internal audit work falls into will be based on judgement, and will be made having given consideration to the prioritisation factors in table 1 below. These will result in internal audit work being considered a relatively higher or lower priority at the time of assessment.

Table 1: Internal audit prioritisation factors.


Prioritisation factors

*       where we have no recent audit assurance, or other sources of information

*       where controls are changing and / or risks are increasing

*       where we are following up previous control weaknesses

*       where specific issues are known to have arisen

*       that are of significant importance to the council, for example they reflect key objectives or high priority projects

*       that provide broader assurance, for example corporate policies and frameworks

*       that need to be covered to enable us to provide an annual opinion

*       where there are time pressures or scheduling requirements, for example grant deadlines, or work scheduled to minimise the impact on council service areas at busy times


19          The above factors will be used on an ongoing basis to decide what internal audit work will be carried out, and when, during the course of the year. These decisions will be made in consultation with the council through our ongoing dialogue with senior officers. Individual pieces of work will move between the three categories, as required, based on their priority at the time of assessment.

20          For example, an audit scheduled for quarter two to minimise the impact on a service area may initially be classed as to ‘do later’ but will become ‘do now’ as we move into quarter two. Similarly, an audit of a council project classed as ‘do now’ because it represents an area of high importance may move from ‘do now’ to ‘do next’ or ‘do later’ if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as ‘do later’ are likely to be deferred until the following year.

21          The committee will be provided with information on current internal audit priorities throughout the year as part of regular progress reporting.

Inbox with solid fill
 2024/25 Internal audit work



The 2024/25 indicative internal audit work programme

22          The work programme for 2024/25 is set out in appendix A, beginning on page 10.

23          Functionally, the indicative programme is structured into a number of areas, as set out in table 2, below.

Table 2: Work programme functional areas.

Programme area


*       Strategic / corporate & cross cutting

To provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.


*       Technical / projects

To provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.


*       Financial systems

To provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.


*       Service areas

To provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.


*       Other assurance work

An allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.


*       Client support, advice & liaison

Work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.



24          The overall level of service is based on an indicative number of days, for planning purposes (1,023 for 2024/25). Figure 4 below shows the proportion of time we expect to deliver across each area during the year.

Figure 4: 2024/25 work programme: indicative functional area split.
























25          It is important to emphasise two important aspects of the programme. Firstly, the audit activities included in appendix A are not fixed. As described above, work will be kept under review to ensure that audit resources are deployed to areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.

26          Secondly, it will not be possible to deliver all of the audit activities listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment. Over-planning the programme enables us to respond quickly by commencing work in other areas of importance to the council when risks and priorities change during the year.


APPENDIX A: indicative internal audit work programme 2024/25


Programme area

 Potential internal audit activity

Strategic / corporate & cross cutting



*       Savings plans

*       Overtime and allowances

*       Workforce development

*       Data Protection and Digital Information Act

*       FOI and EIR improvement plan

*       Physical information security compliance (satellite sites)

*       Physical information security compliance (West Offices and Hazel Court)

*       Use of CCTV and investigatory powers (covert surveillance)

*       Asset performance

*       Procurement Act: preparedness assessment

*       Contract management

*       Risk management

*       York 2032: partnership governance

*       Performance management framework

*       Data quality

*       Equalities

*       Carbon reduction / adaptation

*       Public health: procurement and contract management

Technical / projects



*       NHS Data Security and Protection Toolkit: accountable suppliers

*       Project management

*       ICT disaster recovery

*       ICT applications / database security

*       Cybersecurity: user awareness

*       ICT projects / systems development

Financial systems



*       Main accounting system

*       VAT accounting

*       Ordering and creditor payments

*       Sundry debtors

*       Housing benefits

*       Housing rents

Service areas



*       Locality working / ward committee model

*       Community Safety Strategy

*       Community Infrastructure Levy

*       Public EV charging strategy (tariff management)

*       Council house repairs

*       Additional landlord duties

*       Green waste subscription service

*       Public protection

*       Section 17 payments

*       Children’s direct payments

*       Unaccompanied asylum seeker children

*       Residential care: The Beehive / Wenlock Terrace

*       Alternative provision

*       Funded early education

*       Full school audit: Clifton Green Primary School

*       Full school audit: Danesgate Community School

*       Schools themed audit: purchasing and best value

*       Schools themed audit: pupil premium

*       Payments to care providers and contract management (adult social care)

*       Referrals and care assessments (adult social care)

*       Care and support planning (adult social care)

*       Managing customer finances (adult social care)

*       Continuing healthcare (adult social care)

Other assurance work



*       Follow-up of previously agreed management actions

*       Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control

*       Continuous assurance work, including data analytics and data matching projects Attendance at, and contribution to, governance- and assurance-related working groups

Client support, advice & liaison



*       Committee preparation and attendance

*       Key stakeholder liaison

*       Support and advice on control, governance and risk related issues


[1] 31 January 2024: Audit & Governance Committee report: Monitor 3 2023/24 – Key Corporate Risks

[2] 25 January 2024 Executive decision report: Financial Strategy 2024/25 to 2028/29