Internal Audit Work Programme 2025/26
Annex 1

 

A blue and white triangle pattern Description automatically generated

 



CONTENTS

3           Introduction

4           Strategic context

5           2025/26 internal audit work programme

9           Appendix A: indicative internal audit work programme

 

 

 

 

 

A blue and white triangle pattern Description automatically generated

Introduction

Briefcase with solid fill

 

1             This report sets out the proposed 2025/26 programme of work for internal audit, provided by Veritau for City of York Council.

2             The work of internal audit is governed by the Public Sector Internal Audit Standards (PSIAS) and the council’s audit charter[1]. To comply with professional standards and the charter, internal audit work must be risk based and take into account the requirement to produce an evidence-based annual internal audit opinion. Accordingly, planned work should be reviewed and adjusted in response to changes in the business, risks, operations, programmes, systems and internal controls.

3             Specifically, the PSIAS require that the Head of Internal Audit must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals. The risk-based plan must take into account the requirement to produce an annual internal audit opinion.”

4             The Head of Internal Audit’s annual opinion is formed following an independent and objective assessment of the effectiveness of the framework of risk management, governance and internal control. Our planned audit work includes coverage of all three areas to develop a wider understanding of the assurance framework of the council, and to produce a body of work which allows us to provide our opinion.

5             At the 29 January 2025 meeting of this committee, we presented our work programme consultation report. This report explained how we approach development of the work programme by using our opinion framework. In summary, by considering key areas of assurance, the council’s risks, and its priorities we are able to define a body of work which will allow us to provide an opinion.

6             However, responsibility for effective risk management, governance and internal control arrangements remains with the council. The Head of Internal Audit cannot be expected to prevent or detect all weaknesses or failures in internal control nor can audit work cover all areas of risk across the organisation.

 

 

 

Strategic context

Puzzle with solid fill

 

7             Sustained real terms reductions in central government funding (11.7% since 2010/11) continue to put the council’s financial sustainability under real threat. While the council’s financial position has improved, thanks in part to significant funding from York and North Yorkshire Combined Authority, it will still require savings on a large scale over the next five years (with this set at 4% of net revenue budget for 2025/26) to prevent the budget gap from growing[2].

8             With government funding seemingly not set to increase in the short term, and both cost and demand pressures showing no signs of abating, reductions in service are inevitable and some discretionary services may stop altogether.

9             It remains the case that the council’s demand-led services continue to exert the most significant pressure on its budget. In 2025/26, adult social care and children social care budgets will be increased by £8m and £3m respectively, due to unavoidable contractual price increases and demographic pressures. Exposure to unfavourable market conditions and an increasing volume and complexity of need have become perennial issues for local authorities. The council has increased council tax and social care precepts by 4.99%, and fees and charges by 5% to offset some of this pressure.

10          Meanwhile, the council has an extensive and ambitious programme of major capital projects designed to stimulate economic growth, to deliver more housing, and to improve its highway network infrastructure. Large sums have been committed to complex, high profile, multi-year projects. While these projects present significant opportunities for the council, they also bring with them considerable risks. These risks are heightened due to the impact of the cost of borrowing on the revenue budget and price hikes due to inflation.

11          Delivering on the council’s strategic priorities in its council plan and 10-year strategies are expected to require a more transformational, long term approach which continues to reduce costs and prioritise resources. The council will be developing a transformation programme during 2025/26 to coordinate achievement of this change. The need to accelerate digitalisation, optimise use of council assets, exercise cost control, explore income generation opportunities, and secure grant funding are all priorities, alongside this wider transformational change.

12          Maintaining effective operational arrangements is an essential building block towards achieving the council’s strategic objectives and navigating risks to delivery. Internal audit contributes to overall objectives by helping to ensure that systems of governance, risk management and control that underpin operational arrangements are robust.

13          To maximise the value of internal audit, it is vital that we provide assurance in the right areas at the right time. We’ve designed the processes for developing the internal audit work programme, and refining it through the year, to do that.

2025/26 Internal audit work programme

Inbox with solid fill

 

The 2025/26 indicative internal audit work programme

14          The work programme for 2025/26 is set out in appendix A, beginning on page 9.

15          The overall level of service is based on an indicative number of days, for planning purposes (1,023 for 2025/26). Figure 4 below shows the proportion of time we expect to deliver across each area during the year.

16          The proposed areas of coverage in the 2025/26 work programme have been subject to consultation with this committee, Directorate Management Teams, Leading Together, and with other senior officers from across the council.

17          Functionally, the indicative programme is structured into a number of areas, as set out in table 1, below.

Table 1: Work programme functional areas.

Programme area

Purpose

*       Strategic / corporate & cross cutting

To provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.

 

*       Technical / projects

To provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.

 

*       Financial systems

To provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.

 

*       Service areas

To provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.

 

*       Other assurance work

An allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.

 

*       Client support, advice & liaison

Work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.

 

 

18          Figure 1 below shows the proportion of time we expect to spend delivering work across each area during the year.

Figure 1: 2025/26 work programme: indicative functional area split.

 

The ‘do now’, ‘do next’, ‘do later’ audit prioritisation system

19          Once initial internal audit priorities have been identified through application of the opinion framework, we then overlay a second system of prioritisation. This system allows us to determine the relative priority of audits included in the indicative work programme.

20          This second prioritisation system sees audits assigned to one of three categories, as shown in figure 2 below.

 

Figure 2: ‘do now’, ‘do next’, ‘do later’ prioritisation system.

 

 

 

 


21          Decisions on which of the three categories internal audit work falls into will be based on judgement, and will be made having given consideration to the prioritisation factors in table 2 below. These will result in internal audit work being considered a relatively higher or lower priority at the time of assessment.

Table 2: Internal audit prioritisation factors.

 

Prioritisation factors

*       where we have no recent audit assurance, or other sources of information

*       where controls are changing and / or risks are increasing

*       where we are following up previous control weaknesses

*       where specific issues are known to have arisen

*       that are of significant importance to the council, for example they reflect key objectives or high priority projects

*       that provide broader assurance, for example corporate policies and frameworks

*       that need to be covered to enable us to provide an annual opinion

*       where there are time pressures or scheduling requirements, for example grant deadlines, or work scheduled to minimise the impact on council service areas at busy times

 

22          The above factors will be used on an ongoing basis to decide what internal audit work will be carried out, and when, during the course of the year. These decisions will be made in consultation with the council through our ongoing dialogue with senior officers. Individual pieces of work will move between the three categories, as required, based on their priority at the time of assessment.

23          For example, an audit scheduled for quarter two to minimise the impact on a service area may initially be classed as to ‘do later’ but will become ‘do now’ as we move into quarter two. Similarly, an audit of a council project classed as ‘do now’ because it represents an area of high importance may move from ‘do now’ to ‘do next’ or ‘do later’ if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as ‘do later’ are likely to be deferred until the following year.

24          It is important to emphasise two important aspects of the programme. Firstly, the audit activities included in appendix A are not fixed. As described above, work will be kept under review to ensure that audit resources are deployed to areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.

25          Secondly, it will not be possible to deliver all of the audit activities listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment. Over-planning the programme enables us to respond quickly by commencing work in other areas of importance to the council when risks and priorities change during the year.

26          The committee will be provided with information on current internal audit priorities throughout the year as part of regular progress reporting.

 

 

 

 

 

 

 

 

 

 

Packing Box Open with solid fill 

 

 

 

 

 

 

 

 

 



APPENDIX A: indicative internal audit work programme 2025/26

 

Programme area

 Potential internal audit activity

Strategic / corporate & cross cutting

 

 

*       Savings delivery

*       Overtime

*       Physical information security compliance (satellite sites)

*       Information access request management

*       Building security (West Offices and Hazel Court)

*       Procurement Act compliance

*       Contract management

*       Risk management

*       Data quality

*       Corporate complaints

*       Equality, diversity, and inclusion

*       Recruitment and selection

*       Mandatory and role-specific training

*       Flexitime and annual leave

*       Absence management

Technical / projects

 

 

*       ICT applications / database security

*       ICT projects / systems development

*       Cybersecurity: user awareness

*       Cybersecurity: malware protection

*       Cybersecurity: user access

*       Project governance (major projects)

*       Project management: gateway reviews

Financial systems

 

 

*       Ordering and creditor payments (P2P action plan)

*       Sundry debtors

*       Income and banking

*       Payroll

*       Council tax and NNDR

*       Housing rents

Service areas

 

 

*       Public health: procurement and contract management

*       York 2032: partnership governance

*       Management of York & North Yorkshire Combined Authority funding

*       Communications

*       Building control

*       Section 106 agreements: use of contributions

*       Transport and highways programme

*       Licensing

*       Use of fleet vehicles

*       Green waste subscription service

*       Holiday let commercial waste collection

*       Public protection

*       Right to Buy

*       Housing allocations

*       Property asset management (capital programme)

*       Regulator of Social Housing standards improvement plan

*       Housing repairs

*       Children’s direct payments

*       Foster carer payments (follow-up)

*       Free school means: auto-enrolment

*       Home to school transport

*       Children leaving care

*       Education, health and care plans (EHCPs)

*       Out of area placements

*       Children & Education: local scheme of delegation

*       Residential care: The Beehive / Wenlock Terrace

*       Full school audit: Danesgate Community School

*       Full school audit: Westfield Primary School

*       Full school audit: St Mary’s CE Primary School

*       Schools themed audit: procurement

*       Schools themed audit: governance

*       Adult social care: referrals and care assessments

*       Adult social care: care and support planning

*       Adult social care: managing customer finances

*       Adult social care: continuing healthcare

Other assurance work

 

 

*       Follow-up of previously agreed management actions

*       Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control

*       Continuous assurance work, including data analytics and data matching projects Attendance at, and contribution to, governance- and assurance-related working groups

Client support, advice & liaison

 

 

*       Committee preparation and attendance

*       Key stakeholder liaison

*       Support and advice on control, governance and risk related issues

 


[1]From 1 April 2025 the PSIAS will be replaced by the Global Internal Audit Standards (GIAS) and the Application Note: Global Internal Audit Standards in the UK Public Sector. Together, these are referred to as the GIAS (UK public sector) and will represent the new standards regime to be followed. Our next report to the Audit & Governance Committee will include an updated internal audit charter which is aligned to the GIAS (UK public sector). The GIAS (UK public sector) make no substantive changes to the approach to strategic planning and so the flexible, risk-based approach in use at the council remains appropriate.

[2] Financial strategy 2025/26 (Budget Executive, 21 January 2025)