ANNUAL HEAD OF INTERNAL AUDIT REPORT 2023/24

A building with a tower Description automatically generated

HEAD OF INTERNAL AUDIT ANNUAL REPORT 2024/25

CONTENTS

2 Background

2 Internal audit work carried out in 2024/25

3 Follow up of agreed actions

4 Professional standards

5 Opinion of the Head of Internal Audit

7 Appendix A - 2024/25 internal audit work

10 Appendix B - Summary of key issues from audits finalised since the last report to the committee

A blue and white triangle pattern Description automatically generated 13 Appendix C – Assurance audit opinions and finding priorities

14 Appendix D - Follow up of agreed audit actions

15 Appendix E - Internal audit quality assurance and development arrangements

Background

1 The work of internal audit is governed by the Global Internal Audit Standards in the UK Public Sector and the council’s audit charter. These require the Head of Internal Audit to bring an annual report to the Audit and Governance Committee. The report must include an opinion on the adequacy and effectiveness of the council’s framework of governance, risk management and control. The report should also include:

(a) any qualifications to the opinion, together with the reasons for those qualifications (including any impairment to independence or objectivity)

(b) any particular control weakness judged to be relevant to the preparation of the annual governance statement

(c) a summary of work undertaken to support the opinion,including any reliance placed on the work of other assurance bodies

(d) an overall summary of internal audit performance and outcomes from the internal audit service’s quality assurance arrangements, including a statement on conformance with professional standards.

Internal audit work carried out in 2024/25

2 Throughout 2024/25 audit work has continued to be prioritised based on risk and the need to provide coverage of the council’s framework of governance, risk management and control. This has seen audits removed from the work programme and others added as risks and priorities have changed, and as our understanding of key systems of internal control has developed.

3 We have also continued to promote good governance, provide advice and support, and make recommendations to management to help improve controls. We have met with the Director of Finance, Director of Governance and Monitoring Officer, directorate senior management teams and other officers on a regular basis to help identify and address governance issues and concerns, and to ensure audit work has remained targeted towards key areas.

4 The results of completed audit work have been reported to service managers, relevant chief officers, members of this committee, and Executive portfolio holders during the course of the year. In addition, summaries of all finalised audit reports have been presented to this committee as part of regular progress reports.

5 A summary of internal audit work undertaken during the year, and relevant to the opinion, is contained in appendix A. This appendix also shows other work undertaken by the internal audit team to support the council during 2024/25.

6 At the time of writing, three audits have been finalised since the previous report to this committee. A further nine audit reports have been issued to the responsible officers but remain in draft. We expect these audits to be finalised over the next 3-4 weeks.

7 10 audits relating to the year just ended are ongoing. The majority of work on these audits is complete. We expect to report on outcomes at the next meeting of the committee.

8 Appendix B provides details of the key findings arising from internal audit assignments completed, that we have not previously reported to the committee. Final reports listed in appendix B are included as exempt annexes to this report.

9 Appendix C provides an explanation of our assurance levels and priorities for management action.

Contract management audit: Audit & Governance Committee request

10 At the March 2025 meeting of this committee a verbal update was provided on the status of this audit. The council’s work on implementation of the New Procurement Act has meant that the audit had to be deprioritised as the key contact was unavailable. We have now re-engaged with officers and have restarted work on the audit.

11 As a reminder to the committee, the following areas are in scope:

· Objective 1: suitable contract terms are included within contracts,

· Objective 2: contract management procedures are in place and have been communicated,

· Objective 3: training is provided in respect of the contract management procedures.

12 We have now finalised a sample of 10 contracts (including the expired Salvation Army contract) for review against objective 1, which is where most of our work will be focused. At the time of writing, we have progressed significantly with objective 1 but are awaiting two contracts in the sample to conclude testing. We will then begin work on objectives 2 and 3.

13 Our original intention was to have finalised our work on the audit by February 2025. We have agreed a revised timeline for the audit which will see us report outcomes to the September 2025 meeting of this committee.

Follow up of agreed actions

14 All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. Based on follow up work completed we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits. A summary of the current status of follow up activity is included at appendix D.

Professional standards

15 In order to comply with professional standards,the Head of Internal Audit is required to develop and maintain ongoing quality assurance arrangements. The objective of these arrangements is to ensure that working practices continue to conform with the standards. A summary of quality assurance processes and any areas identified for development are reported to the committee each year as part of the annual report. The arrangements consist of various elements, including:

maintenance of a detailed audit procedures manual and standard operating practices

ongoing performance monitoring of internal audit activity

regular customer feedback

training plans and associated training and development activities

periodic self-assessments of internal audit working practices (to evaluate conformance to the standards)

16 External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. An external assessment of Veritau’s internal audit working practices was undertaken between June and August 2023 by John Chesshire, an approved reviewer for the Chartered Institute of Internal Auditors (the UK and Ireland’s local chapter)[1].

17 The assessment involved a full independent validation of Veritau’s own self-assessment of conformance to the Public Sector Internal Audit Standards (PSIAS), as well as to the wider International Professional Practices Framework which governed the performance of internal auditing globally at the time the assessment was undertaken. The report concluded that Veritau’s internal audit activity generally conforms to the PSIAS[2] and, overall, the findings were very positive.

18 The feedback included comments that the internal audit service was highly valued by its clients. Key stakeholders felt confident in the way Veritau had established effective working relations, both in our approach to planning and the way in which we engage flexibly with our clients throughout the internal audit process, at the strategic and operational levels.

19 Effective 1 April 2025, the PSIAS were replaced by what are known as the Global Internal Audit Standards in the UK Public Sector. These standards are made up of the Institute of Internal Auditors’ Global Internal Audit Standards (GIAS) and the Application Note: Global Internal Audit Standards in the UK Public Sector (‘the Application Note’). The Application Note interprets the GIAS, clarifying how they should be applied in UK public sector organisations.

20 In the UK, the body responsible for interpreting the GIAS and setting expectations for the performance of internal audit in the public sector is known as the Internal Audit Standards Advisory Board (IASAB). The IASAB is made up of six ‘Relevant Internal Audit Standard Setters’ (RIASS) representing central and local government, and the health sector. The RIASS for UK local government is the Chartered Institute of Public Finance and Accountancy (CIPFA). The IASAB developed the Application Note, releasing it in the early part of 2025.

21 The Global Internal Audit Standards (from which the Application Note provides its local government interpretations) were launched on 9 January 2024 and became effective on 9 January 2025. Veritau has used a GIAS conformance readiness tool provided by the IIA, alongside the specific public sector interpretations and requirements of the Application Note to prepare for the introduction of the new standards.

22 Our overall assessment is that Veritau conforms to the Global Internal Audit Standards in the UK Public Sector. However, we have identified a small number of actions to help strengthen our ability to demonstrate conformance. In addition, we have identified a further set of actions to continuously improve service delivery.

23 Details of Veritau’s ongoing quality assurance arrangements and the outcomes from our conformance assessment are set out in appendix E.

24 The internal audit charter sets out how internal audit at the council will be provided in accordance with professional standards. The charter is reviewed on an annual basis. Updates to the charter have been made to ensure that it meets the requirements of the Global Internal Audit Standards in the UK Public Sector. The council already has a well-established internal audit service and so very few changes have been made to the charter. Those changes which have been made will have no impact on how the service is delivered. The updated charter is contained in annex 2 to this report.

Opinion of the Head of Internal Audit

25 The overall opinion of the Head of Internal Audit on the framework of governance, risk management and control operating at the council is that it provides Reasonable Assurance.

26 The opinion given is based on work that has been undertaken directly by internal audit, and on the cumulative knowledge gained through our ongoing liaison and planning with officers. No reliance was placed on the work of other assurance providers in reaching this opinion.

27 In giving this opinion, there are no significant control weaknesses which, in the opinion of the Head of Internal Audit, need to be considered for inclusion in the council’s annual governance statement.

APPENDIX A: 2024/25 INTERNAL AUDIT WORK

Final reports issued

Audit	Reported to Committee	Opinion
Safety Valve (implementation review)	May 2025	Substantial Assurance
Housing benefits	May 2025	Substantial Assurance
NHS Data Security and Protection Toolkit: accountable suppliers	May 2025	No Opinion Given
Officer declarations of interest and gifts & hospitality	January 2025	Substantial Assurance
VAT accounting	January 2025	Substantial Assurance
Ordering and creditor payments	November 2024	Substantial Assurance
Highways maintenance scheme development	November 2024	Reasonable Assurance
Section 106 agreements	November 2024	Reasonable Assurance
Asset management (TEPHC)	November 2024	Reasonable Assurance
Adult safeguarding	November 2024	Reasonable Assurance
Health and safety (TEPHC)	November 2024	Limited Assurance
ICT procurement and contract management	November 2024	Reasonable Assurance
Wigginton Primary School	November 2024	Reasonable Assurance
Procurement Act: preparedness assessment	November 2024	Substantial Assurance
Physical information security compliance	July 2024	Reasonable Assurance
Absence management	July 2024	Reasonable Assurance
Project management	July 2024	Substantial Assurance
Agency staff (C&E and ASC&I)	July 2024	Reasonable Assurance
NHS Data Security and Protection Toolkit (thematic review)	July 2024	No Opinion Given
Adult education (York Learning)	July 2024	Substantial Assurance
Foster carer payments	July 2024	Limited Assurance
Business continuity	July 2024	Reasonable Assurance
Payroll control	July 2024	Substantial Assurance

Audits in progress

Audit	Status
Member induction programme	In draft
Contract management: major project delivery	In draft
Physical information security	In draft
Elvington Primary School	In draft
Commercial asset performance	In draft
School themed audit: purchasing and best value	In draft
Schools themed audit: pupil premium	In draft
Funded early education	In draft
Savings plans	In draft
ICT disaster recovery	In progress
Carbon reduction and climate adaptation	In progress
Clifton Green Primary School	In progress
Main accounting system	In progress
Travel and subsistence	In progress
Residential care	In progress
Unaccompanied asylum seeker children	In progress
Performance management	In progress
Payments to care providers and contract management (ASC&I)	In progress
Public EV charging strategy	In progress

Other work completed in 2024/25

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.
Follow up of agreed actions Grant certification work: Scambusters UKSPF assurance return support (2023/24) UKSPF assurance return support (mid-year 2024/25) Supporting Families West Yorkshire Combined Authority (YORR and TCF) Department for Transport (BSOG, LTP, Tadcaster Road, NPIF STEP) Social Housing Decarbonisation Fund (wave 2, 2023/24) Homes England compliance audit Pooling Housing Capital Receipts return (2023/24) Consultative engagements: Fact-finding review into adult social care provider overpayments Review of the Food and Fuel voucher scheme administration (including data analytics) Review of processes for managing transport direct payments Review of highways maintenance decisions (Heworth Without ward) Provision of support and advice: Implementation of Enterprise Travel Direct (hire car booking system) Duplicate creditor payments analysis Void recharge policy development Response to the Building Safety Regulator’s inspection of the council’s building control function

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

Follow up of agreed actions

Grant certification work:

Scambusters

UKSPF assurance return support (2023/24)

UKSPF assurance return support (mid-year 2024/25)

Supporting Families

West Yorkshire Combined Authority (YORR and TCF)

Department for Transport (BSOG, LTP, Tadcaster Road, NPIF STEP)

Social Housing Decarbonisation Fund (wave 2, 2023/24)

Homes England compliance audit

Pooling Housing Capital Receipts return (2023/24)

Consultative engagements:

Fact-finding review into adult social care provider overpayments

Review of the Food and Fuel voucher scheme administration (including data analytics)

Review of processes for managing transport direct payments

Review of highways maintenance decisions (Heworth Without ward)

Provision of support and advice:

Implementation of Enterprise Travel Direct (hire car booking system)

Duplicate creditor payments analysis

Void recharge policy development

Response to the Building Safety Regulator’s inspection of the council’s building control function

APPENDIX B: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

System/area	Opinion	Area reviewed	Comments	Management actions agreed
Safety Valve (implementation review) (March 2025)	Substantial Assurance	This audit reviewed whether the council has been meeting the requirements of its Safety Valve agreement signed with the Department for Education (DfE).	Overall, the audit confirmed that the council has put appropriate arrangements in place to manage delivery of its Safety Valve agreement. The council has recently notified the DfE that it will not meet all the requirements by the end of 2025/26. This is largely due to invalidation of some of the assumptions used in the original agreement (an issue outside of the council’s control). The council has reported its performance against the agreement, to the DfE, in line with agreed quality and timescales, and has also adopted an internal reporting framework involving appropriate forums within the council. Reports are detailed and progress is provided against each of the aspects of the safety valve agreement. However, it is difficult and time consuming to access the data needed. Data is being stored on multiple platforms, and a lot of staff time is required to manipulate data to give a meaningful representation of performance.	Use of the SEND CMS system will be developed to ensure that financial data needed to evidence conformance to the agreement is recorded consistently for easier reporting. A post-16 data dashboard will also be developed to collate the required information relating to this cohort.
Housing benefits (March 2025)	Substantial Assurance	The purpose of the audit was to provide assurance on the administration of housing benefit and council tax support.	New applications are processed accurately, with appropriate evidence retained to support eligibility. The same is true of council tax support applications. The service undertakes its own quality assurance process on new claims and adjustments. While processing time targets are no longer set, they are still monitored and performance is strong. Overpayments are reducing, with the majority being recovered. Write-offs are subject to appropriate review and authorisation. The council’s declarations of interest policy only requires the Revenues & Benefits Manager to declare interests annually. There is no requirement for others in the service to do so, despite having privileged system access.	All staff involved in administering housing benefit and council tax support cases will be required to complete and submit an annual declaration of interest form annually.
NHS Data Security and Protection Toolkit: accountable suppliers (February 2025)	No Opinion Given	The purpose of this thematic review was to confirm whether the council had complied with the NHS toolkit requirements in completing its 2023/24 self-assessment, and that it has sufficient evidence to support the assertions made. This review focused on standard 10 which relates to the accountability of ICT suppliers to protect personal information processed using their systems.	We found that the council had responded fully to all questions in section 10 of the NHS toolkit. The responses provided were of good quality and met the requirements of the standard. Sufficient evidence was provided to support the assertions made. The council requires that suppliers complete a detailed ICT security questionnaire. This aims to ensure that suppliers have the necessary credentials and security certifications in place before the council enters into a contract. A contract due diligence process is also in place to ensure that each contract includes data protection clauses and schedules, or that bespoke clauses are agreed (as required) to ensure compliance with data protection requirements.	None.

APPENDIX C: ASSURANCE AUDIT OPINIONS AND FINDING PRIORITIES

Audit opinions
Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit. Our overall audit opinion is based on four grades of opinion, as set out below.
Opinion	Assessment of internal control
Substantial assurance	Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified.
Reasonable assurance	Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made.
Limited assurance	Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation.
No assurance	Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse.

Finding ratings
Critical	A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management.
Significant	A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management.
Moderate	The system objectives are not exposed to significant risk, but the issue merits attention by management.
Opportunity	There is an opportunity for improvement in efficiency or outcomes but the system objectives are not exposed to risk.

APPENDIX D: FOLLOW UP OF AGREED AUDIT ACTIONS

Where weaknesses in systems are found by internal audit, the auditors agree actions with the responsible manager to address the issues. Agreed actions include target dates and internal audit carry out follow up work to check that the issue has been resolved once these target dates are reached. Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary. Where managers have not taken the action they agreed to, issues are escalated to more senior managers, and ultimately may be referred to the Audit and Governance Committee.

A total of 127 actions have been followed up during 2024/25. A summary of the priority of these actions and the outcome from the follow up activity is below. Actions are marked as superseded if circumstances have changed sufficiently that the action is no longer required. Revised dates are agreed where the delay in addressing an issue will not lead to unacceptable exposure to risk and where, for example, the delays are unavoidable.

Actions followed up		Results of follow up of agreed actions
Priority of actions	Number of actions followed up	Action implemented	Revised date agreed	Superseded
Critical	0	0	0	0
Significant	71	52	9	10
Moderate	56	50	2	4
Total	127	102	11	14

APPENDIX E: INTERNAL AUDIT QUALITY ASSURANCE AND DEVELOPMENT ARRANGEMENTS

1.0 Background

Ongoing quality assurance arrangements

Veritau maintains appropriate ongoing quality assurance arrangements designed to ensure that internal audit work is undertaken in accordance with relevant professional standards. From April 2025 those standards are the Global Internal Audit Standards in the UK Public Sector. Quality assurance arrangements include:

p the maintenance of a detailed audit procedures manual

p the requirement for all audit staff to conform to a Code of Ethics and Standards of Conduct Policy

p the requirement for all audit staff to complete annual declarations of interest

p detailed job descriptions and competency profiles for each internal audit post

p regular operational 121 meetings for all auditors, to review progress with audit engagements, and formal 121s that include discussion of overall performance

p induction programmes, training plans and associated training activities

p attendance on relevant courses and access to e-learning material

p the maintenance of training records and training evaluation procedures

p membership of professional networks

p agreement of the objectives, scope and expected timescales for each audit engagement with the client before detailed work commences (audit specification)

p the results of all audit testing and other associated work documented in a structured format using our audit management system – K10 Vision

p file review by senior auditors and audit managers and sign-off at each stage of the audit process

p the ongoing investment in tools to support the effective performance of internal audit work (for example data interrogation software)

p post audit questionnaires (customer satisfaction surveys) issued following each audit engagement

p regular client liaison meetings to discuss progress, share information and evaluate performance.

On an ongoing basis, completed audit work is subject to internal peer review by a Quality Assurance group. The review process is designed to ensure audit work is completed consistently and to the required quality standards. The work of the Quality Assurance group is overseen by an Assistant Director. Any key learning points are shared with the relevant internal auditors and audit managers. The Head of Internal Audit will also be informed of any general areas requiring improvement. Appropriate mitigating action will be taken where required (for example, increased supervision of individual internal auditors or further training).

Annual self-assessment

On an annual basis, the Head of Internal Audit will seek feedback from each client on the quality of the overall internal audit service. This includes surveys targeted at senior officers and chairs of audit committees. The Head of Internal Audit also undertakes an annual self-assessment against internal audit standards. A hybrid approach to self-assessment has been taken this year, as a result of the change in the internal audit standards regime from April 2025. Further information about this year’s approach is set out below. As part of ongoing performance management arrangements, managers and auditors assess current skills and knowledge against the competency profiles for internal audit roles. Where necessary, further training or support will be provided to address any development needs.

The Head of Internal Audit and other members of the internal audit management team also participate in various professional networks and obtain information on operating arrangements and relevant best practice from other similar audit providers for comparison purposes.

The results of annual client surveys, self-assessment against the standards, professional networking, and ongoing quality assurance and performance management arrangements are used to identify any areas requiring further development or improvement. Actions required are reflected in Veritau business plans, the Veritau internal audit strategy, and individual personal development plans as appropriate. Any specific changes needed to address conformance with professional standards are reported to the Audit and Governance Committee as part of the annual report of the Head of Internal Audit. The report also summarises other development activity planned to enhance the delivery of the service. Information gathered for quality assurance and development purposes is also used to evaluate overall conformance with internal audit standards.

External assessment

At least once every five years, arrangements must be made to subject internal audit working practices to external assessment to ensure the continued application of professional standards. The assessment should be conducted by an independent and suitably qualified person or organisation and the results reported to the Head of Internal Audit. The outcome of the external assessment also forms part of the overall reporting process to each client. Any specific areas identified as requiring further development and/or improvement will be incorporated into current development plans.

2.0 Customer satisfaction survey 2025

In March 2025 we asked clients for feedback on the overall quality of the internal audit service provided by Veritau during the preceding year. Where relevant, the survey also asked questions about counter fraud and information governance services. A total of 188 surveys (2024 – 173) were issued to senior managers in client organisations. A total of 32 responses were received representing a response rate of 17% (2024 – 10%). Respondents were asked to rate the different elements of the audit process as either excellent, good, satisfactory or poor.

Respondents were also asked to provide an overall rating for the service. The results of the survey are set out in the charts below. These are presented as percentages, for consistency with previous years. However, it is recognised that the relatively low number of respondents means that the percentage for each category is sensitive to small changes in actual responses (1 respondent represents about 3%).

The overall ratings in 2025 were:

	2025		2024
Excellent	18	56%	7	44%
Good	12	38%	8	50%
Satisfactory	2	6%	1	6%
Poor	0	0%	0	0%

The feedback shows that the majority of respondents continue to value the service being delivered.

3.0 Self-assessment against audit standards 2025

The Accounts and Audit Regulations 2015 require internal auditors working in local government to take into account public sector internal auditing standards or guidance. Up to 31 March 2025, the relevant standards were the Public Sector Internal Audit Standards (PSIAS). CIPFA (who are responsible for setting internal audit standards for local government) have adopted new standards that apply from 1 April 2025. These are the Global Internal Audit Standards in the UK Public Sector – or GIAS (UK Public Sector)^{^[3]}. Internal auditors working in local government are expected to apply the new standards from April 2025.

In previous years Veritau has used a checklist published by CIPFA to assess conformance with the PSIAS. This is no longer appropriate following the change in standards. However, no equivalent checklist for assessment against the new standards has yet been published. For the self-assessment undertaken in April 2025, we have used documentation published by the Institute of Internal Auditors to prepare for the introduction of the new standards. This highlights areas of the GIAS that are changing and where updates to current arrangements may need to be made. We have also considered any changes required by the introduction of the new Application Note. We intend to undertake a further full assessment against the new standards later in 2025/26, once further guidance on assessing conformance is available.

The self-assessment has identified two actions required to address areas of partial conformance with the standards. These were:

p To update current internal audit charters to address various requirements of the new standards. For example, the need to set out the internal audit mandate and to clarify the roles of senior managers and the Audit and Governance Committee in championing the role of internal audit.

p To introduce a new survey of chairs of audit committees (or equivalent) to address requirements for the committees to provide input on internal audit performance.

A new charter has been prepared and is included as part of the agenda for the current committee, for approval. A survey of chairs of audit committees has been issued. However, the survey is still open and responses are still being received. Once complete, the results will be analysed and any actions required will be addressed as part of ongoing development plans.

The self-assessment has highlighted a number of other actions that are not required to comply with the standards – but which will help to improve the service. These will be taken forward as part of our existing internal audit strategy. Further information on development activity is included below.

4.0 External Assessment

As noted above, the PSIAS required the Head of Internal Audit to arrange for an external assessment to be conducted at least once every five years to ensure the continued application of professional standards. This requirement continues under the GIAS (UK Public Sector). The assessment is intended to provide an independent and objective opinion on the quality of internal audit practices.

An external assessment of Veritau’s internal audit working practices was undertaken in summer 2023, by John Chesshire, an approved reviewer for the Chartered Institute of Internal Auditors. The report concluded that Veritau internal audit activity ‘generally conforms’ to the PSIAS ^{^[4]} and, overall, the findings of the review were very positive. The feedback included comments that the internal audit service was highly valued by its member councils. Key stakeholders felt confident in the way Veritau had established effective working relations, both in our approach to planning, and the way we engage flexibly with our clients throughout the internal audit process, at both strategic and operational levels.

The outcomes from the external assessment were reported to this committee on 8 November 2023. The assessment was based on the PSIAS. Many of the requirements under the new standards are the same or similar, and we can therefore continue to place reliance on the previous report. However, a further external assessment against the new standards will need to be carried out in the next three years.

5.0 Development plans

Overall, the internal audit services provided by Veritau continue to meet the requirements of professional standards. However, we recognise that the pace of change in local government and the wider public sector mean that there is a need to continually review and update aspects of our service to ensure it stays up to date and continues to deliver good value.

We first introduced an internal audit strategy in 2021. The strategy identified priorities for developing the service and actions to deliver continuous improvement. As a result of that we have changed many aspects of the service in the last four years. Key successes include:

p audit planning – we have become better at defining the areas we need to focus on (including council specific risks and objectives) and we’ve introduced new arrangements for capturing and assessing information on the council’s operations

p work planning – introducing flexible arrangements that help us focus upcoming audits on areas that are most important and allow us to change course quickly when priorities change

p reporting – ensuring that key information is available to clients to understand audit priorities and outcomes

p implementation of a new audit management system (K10) – the new system uses the latest technology, offers improved functionality, and is supporting development activity across a range of areas.

We have also tried a few things which did not deliver the expected outcomes. However, we have used the experience gained to improve core audit activities and ways of working.

The latest strategy (2025 to 2027) was adopted in January 2025. It sets out areas we are prioritising for development over the next three years. These include the following:

p focussing on the development of high value assurance techniques and expertise. For example, the use of data analytics to provide increased understanding of clients’ operations and the use of artificial intelligence tools to increase efficiency and insights. Developing our knowledge of opportunities and risks associated with AI will also help us to support client adoption of new technologies.

p further development of systems for planning, prioritising and reporting audit work to ensure work is targeted to the areas of highest importance for our clients, our internal processes are as efficient as they can be, and the clarity and usefulness of reports is maximised.

p use of the new K10 audit system to improve functionality for the delivery of audit work and the production of management information. We want to use the system to streamline follow up activity, and further develop internal management processes. This will help us to better understand and manage audit workflows, improve service delivery, and inform performance management arrangements.

To achieve these priorities, we have focused actions in the following key areas:

p embedding a strategic approach to work programme development and the use of the audit opinion framework

p redesigning and modernising our audit working practices (including assignment planning and reporting)

p further developing our use of data analytics

p developing our key performance indicators and the measures of added value

Quality assurance group

The internal audit quality assurance group has recently reported on their 2024/25 activities. They were aiming to assess how well core audit practices had been adopted and applied using the new K10 system by looking at a sample of completed audit files. They found that overall, core working practices had translated well to the new system. Strengths included the following:

p the completeness of files and file review processes – information expected to be on file was included and files had been signed off by relevant supervisors.

p good documentation of engagement with officers when planning individual audits and agreement of the scope and objectives of work.

p good use of new system functionality to record the systems audited and linked to this, the tests to be undertaken.

p assignment of the priorities to issues found and overall opinions were in line with expectations, and key findings were well documented.

A few areas requiring improvement were found. These included:

p the need to better document the analysis and conclusions reached during the planning stage of each audit, and discussions with clients at the end of each audit

p improvements needed to cross referencing documents within the system between related pieces of work – this may require a review of current system set up and training

p a need to better document conclusions directly within K10, to increase the efficiency of report generation from the system.

These issues have been flagged for further action through system development, whole team training and feedback to individual auditors where required.

Improvement actions identified during self-assessment

As noted above, we have identified a number of areas for improvement while undertaking the annual self-assessment. These do not represent non-conformance with standards but will help us to improve the service. Continuous improvement actions identified included the following:

p review existing auditor competency profiles to ensure adequate coverage of the auditor competencies identified in the GIAS

p strengthen the analysis of outcomes from routine training delivered, to ensure it met objectives and any further action or training required was identified

p undertake additional training for auditors on professional scepticism

p ensure routine training delivered clearly highlights links to the relevant professional standards being covered

p review coverage of value for money considerations in the audit manual, and ensure adequate coverage in routine training

p review the presentation of annual conclusions to assess whether different approaches could present clearer insights

These actions will be integrated into the internal audit strategy action plan.

6.0 Overall conformance with standards

Based on the overall outcomes from quality assurance and development planning arrangements, the Head of Internal Audit considers that the internal audit service conforms to Global Internal Audit Standards in the UK Public Sector.

[1] Reported to the Audit and Governance committee in November 2023.

[2] PSIAS guidance suggests a scale of three ratings, ‘generally conforms, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ is the top rating.

[3] The GIAS (UK Public Sector) comprises the Institute of Internal Auditors’ Global Internal Audit Standards (GIAS) and the Internal Audit Standards Advisory Board’s Application Note: Global Internal Audit Standards in the UK Public Sector (referred to as the Application Note). The Application Note interprets the GIAS for the UK public sector.

[4] PSIAS guidance suggests a scale of three ratings, ‘generally conforms, ‘partially conforms’ and ‘does not conform’. ‘Generally conforms’ is the top rating.