Date: 30 July 2025
ANNEX 1

Internal Audit Progress Report 2025/26

CONTENTS

Background

Internal audit progress

Follow up

Appendix A: Internal audit work in 2025/26

Appendix B: Current priorities for internal audit work

Appendix C: Summary of key issues from finalised audits

Appendix D: Audit opinions and finding priorities

Appendix E: Follow up of agreed actions


BACKGROUND

1            Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes.

2            The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Global Internal Audit Standards and the Application Note: Global Internal Audit Standards in the UK Public Sector.  

3            In accordance with the Global Internal Audit Standards (UK Public Sector) the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit & Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee. 

4            The internal audit work programme was agreed by this committee in March 2025.

5            Veritau adopts a flexible approach to work programme development and delivery. Work to be undertaken during the year is kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.

6            The purpose of this report is to update the committee on internal audit activity up to 15 July 2025, and to outline current plans for delivery over the remainder of the year.


INTERNAL AUDIT PROGRESS

7            A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A. Appendix A also details other work completed by internal audit during the year.

8            Since our last report to this committee, seven audits have been finalised. A further seven internal audit engagements have reached draft report stage. These will be finalised over the coming weeks.

9            A total of 15 audits are underway at the time of reporting. A further nine audits are at the background planning stage, in preparation for commencement during the current quarter.

Contract management audit: Audit & Governance Committee request

10        At the May meeting of this committee, we advised that work on this audit had recommenced following a pause while the council was working on implementation of the Procurement Act. We had been prioritising review of a sample of 10 contracts during April and May and were preparing to complete testing with the relevant contract managers during June and July.

11        As a reminder to the committee, the following areas are in scope:

*      Objective 1: suitable contract terms are included within contracts,

*      Objective 2: contract management procedures are in place and have been communicated,

*      Objective 3: training is provided in respect of the contract management procedures.

12        We have now completed audit testing across all three objectives, have held a closing meeting with the Director of Governance and Head of Procurement, and issued a draft report. Officers are currently considering the report, and the audit is on track to be finalised by 15 August, as set out in the agreed timeline.

13        Members will receive a copy of the final report when this is issued next month, and a summary of the outcomes will be presented to the committee at its 12 November meeting.

14        In addition to the internal audit engagements discussed above, we have also continued to support the council by certifying central government grants, undertaking consultative engagements, and providing support and advice on governance, risk and control related matters.

15        The 2025/26 work programme, showing current priorities for internal audit work, is included in appendix B.

16        The seven audits that have been finalised since the last report to this committee are included in appendix C. The appendix summarises the key findings from these audits, and includes actions agreed with officers to address identified control weaknesses. The finalised reports in appendix C are also included as exempt annexes to this report.

17        Appendix D provides the definitions for our audit opinions and finding ratings.


FOLLOW UP

18        All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work, we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits.

19        With the support of senior management, we have recently refreshed the follow-up and escalation procedure. This sees any non-responses (or unsatisfactory responses) to requests for evidence of completion brought to the attention of increasingly more senior officers and, ultimately, to this committee.

20        The procedure sets out when and with whom contact will be made to confirm completion of actions. It includes a series of escalation points which are used where a satisfactory response has not been received and so actions are considered overdue. These escalation points involve, in order:

*      Notifying the relevant director

*      Presenting overdue actions to Governance, Risk and Assurance Group (GRAG)

*      Reporting unresolved overdue actions to the Audit & Governance Committee

21        Our first follow-up status report was presented to GRAG in June, and this is now a standing item on the agenda for each meeting (held approximately every six weeks).

22        A summary of the current status of follow up activity is included at appendix E.

 

 

 


 

APPENDIX A: INTERNAL AUDIT WORK IN 2025/26

Final reports issued

| Audit | Reported to Committee | Opinion |
| --- | --- | --- |
| Safety Valve (implementation review) | May 2025 | Substantial Assurance |
| Housing benefits | May 2025 | Substantial Assurance |
| NHS Data Security and Protection Toolkit: accountable suppliers | May 2025 | No Opinion Given |
| School themed audit: purchasing and best value | July 2025 | Reasonable Assurance |
| Communications | July 2025 | No Opinion Given |
| Funded early education | July 2025 | Reasonable Assurance |
| Member induction programme | July 2025 | No Opinion Given |
| Commercial asset performance | July 2025 | Substantial Assurance |
| Savings plans | July 2025 | Reasonable Assurance |
| Clifton Green Primary School | July 2025 | Reasonable Assurance |

 

Audits in progress

| Audit | Status |
| --- | --- |
| Contract management (major projects) | In draft |
| Physical information security | In draft |
| Elvington Primary School | In draft |
| Schools themed audit: pupil premium | In draft |
| Carbon reduction and climate adaptation | In draft |
| ICT disaster recovery | In draft |
| Contract management (A&G request) | In draft |
| Main accounting system | In progress |
| Travel and subsistence | In progress |
| Residential care: Ousecliffe and Wenlock Terrace | In progress |
| Unaccompanied asylum seeker children | In progress |
| Performance management | In progress |
| Payments to care providers and contract management (ASC&I) | In progress |
| Public EV charging strategy | In progress |
| Flexitime and annual leave | In progress |
| Recruitment and selection | In progress |
| Children & Education Directorate: local scheme of delegation | In progress |
| Project governance (major projects) | In progress |
| Risk management (follow-up audit) | In progress |
| Cybersecurity: user account management | In progress |
| Free school meals: auto-enrolment | In progress |
| Schools themed audit: Governance | In progress |
| Ordering and creditor payments (P2P action plan and verification) | Planning |
| Sundry debtors | Planning |
| Absence management | Planning |
| Mandatory and role-specific training | Planning |
| Council Tax and NNDR | Planning |
| Information access request management | Planning |
| Property asset management | Planning |
| Home to school transport | Planning |
| Continuing healthcare | Planning |

 

 

Other work completed in 2025/26

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

*      Follow up of agreed actions

*      Refresh of the follow-up and escalation procedure, with regular reporting to the Governance, Risk and Assurance Group

*      Grant certification work:

       *      Scambusters

       *      UK Shared Prosperity Fund programme assurance (2024/25)

*      Consultative engagements:

       *      Fact-finding review into manual creditor payments

       *      Fact-finding review into the management of services provided by YorHome

*      Provision of support and advice:

       *      Preparation of a briefing note on CIPFA’s Code of Practice for the Governance of Internal Audit in UK Local Government (‘the Code’)

       *      Support with undertaking the council’s self-assessment against the Code

       *      Holiday let commercial waste income collection procedures

 


APPENDIX B: CURRENT AUDIT PRIORITIES

Strategic / corporate & cross cutting

| Priority | Audit / Engagement | Rationale |
| --- | --- | --- |
| Do now | Contract management (major projects) | Provides coverage of more than one key assurance area. |
| Do now | Contract management (A&G request) | Being undertaken in response to known issues, and at the request of A&G. |
| Do now | Physical information security | Forms part of a rolling programme of assurance. |
| Do now | Carbon reduction and adaptation | Emerging risk area. |
| Do now | Travel and subsistence | Identified in consultation with officers. |
| Do now | Performance management framework | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Risk management (follow-up audit) | Key area of corporate governance. Provides broader assurance. |
| Do now | Flexitime and annual leave | Identified in consultation with officers. |
| Do now | Recruitment and selection | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Absence management | Emerging risk area. |
| Do now | Mandatory and role-specific training | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Information access request management | Provides coverage of a key assurance area. |
| Do next | Building security (West Offices and Hazel Court) | Provides coverage of a key assurance area. |
| Do next | Procurement Act compliance | Risks / controls are changing. |
| Do later | Overtime | |
| Do later | Physical information security | |
| Do later | Contract management | |
| Do later | Risk management (maturity assessment) | |
| Do later | Data quality | |
| Do later | Public health: procurement and contract management | |
| Do later | York 2032: partnership governance | |
| Do later | Management of York & North Yorkshire Combined Authority funding | |

Financial systems

| Priority | Audit / Engagement | Rationale |
| --- | --- | --- |
| Do now | Main accounting system | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Ordering and creditor payments (P2P action plan and verification) | Being undertaken to verify progress made in implementing improvements to control. |
| Do now | Sundry debtors | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Council Tax and NNDR | No recent coverage. Provides coverage of a key assurance area. |
| Do next | Housing rents | Risks / controls are changing. |
| Do next | Payroll | Key financial system. Risks / controls are changing. |
| Do later | - | - |

Service areas

| Priority | Audit / Engagement | Rationale |
| --- | --- | --- |
| Do now | Elvington Primary School | Identified in consultation with officers. |
| Do now | Schools themed audit: pupil premium | Identified in consultation with officers. |
| Do now | Unaccompanied asylum seeker children | Emerging risk area. |
| Do now | Residential care: Ousecliffe and Wenlock Terrace | Being undertaken in response to known areas for improvement. |
| Do now | Children & Education Directorate: local scheme of delegation | Risks / controls are changing. Provides coverage of a key assurance area. |
| Do now | Free school meals: auto-enrolment | Risks / controls are changing. |
| Do now | Schools themed audit: Governance | Identified in consultation with officers. |
| Do now | Home to school transport | Risks / controls are changing. Known area of pressure. |
| Do now | Continuing healthcare | Risks / controls are changing. |
| Do now | Payments to care providers and contract management (ASC&I) | Provides coverage of more than one key assurance area. |
| Do now | Public EV charging strategy | Risks / controls are changing. Linked to council priorities. |
| Do now | Property asset management | Risks / controls are changing. New regulatory regime. |
| Do next | Westfield Primary School | Identified in consultation with officers. |
| Do next | St Mary's, Askham Richard Primary School | Identified in consultation with officers. |
| Do next | Education, health and care plans (EHCPs) | Risks / controls are changing. Known area of pressure. |
| Do next | Foster carer payments (follow-up audit) | Follow-up of previous Limited Assurance audit. |
| Do next | Managing customer finances | Risks / controls are changing. |
| Do next | Referrals and care assessments | Provides coverage of a key assurance area. |
| Do next | Right To Buy | Risks / controls are changing. Changes to government policy. |
| Do next | RoSH standards improvement plan (inc. housing repairs performance) | Risks / controls are changing. New regulatory regime. |
| Do next | Transport and highways programme | Identified in consultation with officers. Provides broader assurance. |
| Do next | Licensing | No recent coverage. Provides coverage of a key assurance area. |
| Do next | Use of fleet vehicles | No recent coverage. Provides coverage of a key assurance area. |
| Do later | Danesgate Community School | |
| Do later | Schools themed audit: procurement | |
| Do later | Children’s direct payments | |
| Do later | Out of area placements | |
| Do later | Children leaving care | |
| Do later | Care and support planning | |
| Do later | Housing allocations | |
| Do later | Building control | |
| Do later | Section 106 agreements: use of contributions | |
| Do later | Public protection | |

Technical / projects

| Priority | Audit / Engagement | Rationale |
| --- | --- | --- |
| Do now | ICT disaster recovery | Provides broader assurance. Linked to key corporate risk. |
| Do now | Cybersecurity: user account management | Provides coverage of security controls. |
| Do now | Project governance (major projects) | Provides coverage of more than one key assurance area. |
| Do next | Cybersecurity: user awareness / resilience | Key attack vector. Provides coverage of a key assurance area. |
| Do later | ICT applications and database security | |
| Do later | ICT emergency response & business continuity planning | |
| Do later | Project management (gateway reviews) | |

 

 

 

 

APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

School themed audit: purchasing and best value (May 2025)

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed arrangements for procurement, use of purchase cards, and leasing of premises across a sample of maintained schools.

Comments / Issues identified:

Contract registers are not being adequately maintained across schools to facilitate effective and efficient monitoring of contractual agreements.

Purchase orders are not consistently used. Schools are also not consistently recording when goods have been received.

Transaction logs are not routinely maintained for procurement card purchases and, when these are used, reconciliations are not consistently documented.

All schools had reported their leases to the council.

Management actions agreed:

The council will remind schools of the importance of maintaining an up-to-date contract register through the newsletters and as part of the forthcoming procurement update.

As part of the transfer to Xero, schools will be required to create purchase orders for each transaction prior to ordering. Schools will be informed of the need to ensure correct recording of goods receipting for all transactions through the newsletters and Finance and School Business Manager meetings.

The council will remind schools to use the transaction log template which requires independent reconciliation and sign off.

Communications (May 2025)

Opinion: No Opinion Given

Area reviewed: The purpose of this fact-finding review was to assess the clarity of the council’s communications strategy and the degree to which this has been translated into policies, protocols, and procedures.

Comments / Issues identified:

The primary issue identified in this report was the lack of defined approach and strategy to the council’s communications. This is due to the absence of a current and comprehensive strategy and service plan. This meant that processes were often poorly defined, and risks were not identified, assessed and escalated appropriately.

Weaknesses were also identified in relation to monitoring of the council’s social media accounts and the security of account passwords.

Management actions agreed:

Five recommendations were made during the audit, all of which were accepted by management. Work is underway or planned to address the identified weaknesses in control.

Funded early education (May 2025)

Opinion: Reasonable Assurance

Area reviewed: This audit involved reviewing arrangements at a sample of funded early education providers to ensure that entitlements are being claimed in line with statutory guidance.

Comments / Issues identified:

Providers are not ensuring parents sign the declaration forms before the deadlines set by the early years funding team (EYFT). Some forms lacked information on funded hours being accessed, and others were missing altogether.

Some providers are not aware of their duty to report cases of low attendance to the EYFT to discuss whether the child's circumstances merit continuation of funding.

Some providers are charging parents registration fees and other compulsory fees, in contravention of statutory guidance.

Some providers do not publish updated fee lists on their websites or on the Raise York website.

Management actions agreed:

Internal monitoring of parent declaration form completion, using a sample-based approach, will be undertaken from autumn term 2025.

The topic of low-attendance cases will be discussed at the next leaders and managers meeting to begin strengthening the EYFT’s approach.

The issues raised relating to registration and compulsory fees will be followed up with the relevant providers.

The EYFT will issue communication to providers regularly, in advance of January 2026, to ensure compliance with the statutory guidance deadline around publication of fees. Providers without a website will be encouraged to utilise the Raise York website. The EYFT will perform a check of provider websites in January/February 2026 to ensure compliance.

Member induction programme (June 2025)

Opinion: No Opinion Given

Area reviewed: This fact-finding review evaluated the success of the programme’s delivery in its first year of operation. Its purpose was to assist officers in continually improving the programme.

Comments / Issues identified:

Overall, the programme represents a sound basis for improving the completeness and consistency of the member induction process.

However, a significant proportion of councillors have not fully engaged with the programme’s mandatory training. The council does not have the ability to enforce attendance. Notwithstanding this, with improvements to its monitoring processes, and by strengthening the link with wider member development, there is an opportunity to improve uptake.

Management actions agreed:

A number of recommendations were made to improve the member induction programme.

In May 2025, the Joint Standards Committee resolved to establish a Member Development Working Group. The remit of the group is to work with all members to determine the format of training sessions, and to develop the induction and ongoing training programme. The findings and recommendations from this report will be used to inform the work of the group.

Commercial asset performance (June 2025)

Opinion: Substantial Assurance

Area reviewed: This audit focused on the council’s commercial property estate. It sought to provide assurance on the accuracy of asset records, processes for undertaking rent reviews, and plans for vacant properties.

Comments / Issues identified:

There is an adequate record of commercial assets owned by the council. Lease agreements set out the responsibilities of both the council and tenants when it comes to the maintenance of commercial assets.

Upcoming rent reviews and arrears reports are monitored, allowing property services to maximise income collection from assets. However, there were instances where rent was kept at the same level for the property but there was insufficient evidence and authorisation to confirm how this decision had been reached.

Property inspections occur annually. However, there are some delays in undertaking more comprehensive 5-yearly inspections. Records had also not been fully maintained to confirm whether the 5-yearly inspection had been undertaken.

Management actions agreed:

During rent reviews where rent is not increased, the decision will be countersigned by the Head of Property to confirm that it was appropriate for the rent to remain unchanged for the duration of the upcoming tenancy.

Details of five-year inspections will be kept up to date on the property management system, showing when they were inspected or explaining why an inspection has not been completed.

Savings plans (June 2025)

Opinion: Reasonable Assurance

Area reviewed: The purpose of this audit was to provide assurance on arrangements for the development, monitoring, and reporting of savings plans. A sample of savings proposals was selected for review.

Comments / Issues identified:

We found that there is no corporately agreed approach for the development of savings proposals and creation of plans. This has led to inconsistencies in information supporting the proposal which could not be fully explained by their differing complexities. Furthermore, not all the proposed savings had action plans setting out how the savings would be achieved. This makes it more difficult to monitor progress.

Despite the above, progress made against savings proposals is reported to members as part of quarterly budget monitoring reports and also to the Council Management Team.

Management actions agreed:

A process will be implemented to ensure that the timeframe and saving assumptions for delivery are estimated before submission for approval in the council budget.

Action plans and timescales for delivery will be created when preparing savings plans. These will be monitored and updated along with other savings.

Clifton Green Primary School (June 2025)

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed the design and effectiveness of controls for administering key financial processes. This included budget management, purchasing, income collection, and payroll.

Comments / Issues identified:

Purchase orders are not being used to initiate expenditure.

The school does not have a process in place to ensure that a public liability insurance certificate is requested from contractors prior to works taking place on-site.

Although governor interests are maintained and are up to date, the school does not obtain business interests from staff who are able to influence financial decisions (for example, members of the senior leadership team or the school business manager).

The school’s debt management policy currently does not make any provision for the write-off of debts where they are uneconomical to pursue.

Management actions agreed:

The purchasing process will be reviewed to ensure that the use of purchase orders is implemented and actioned using Xero.

The purchasing process will be reviewed to ensure that public liability insurance is obtained prior to services being delivered on school premises.

All staff who have financial authority or influence over the school’s finances will be asked to complete the register of business interests at the beginning of each academic year.

The debt management policy will be reviewed and the final stage, which includes debt write-off, is to be added, shared with governors, and communicated to staff.


APPENDIX D: ASSURANCE AUDIT OPINIONS AND FINDING PRIORITIES

Audit opinions

 

Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit. Our overall audit opinion is based on four grades of opinion, as set out below.

| Opinion | Assessment of internal control |
| --- | --- |
| Substantial assurance | Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified. |
| Reasonable assurance | Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made. |
| Limited assurance | Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation. |
| No assurance | Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse. |

 

Finding ratings

 

| Rating | Definition |
| --- | --- |
| Critical | A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management. |
| Significant | A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management. |
| Moderate | The system objectives are not exposed to significant risk, but the issue merits attention by management. |
| Opportunity | There is an opportunity for improvement in efficiency or outcomes but the system objectives are not exposed to risk. |

 


APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS

1          Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and further detailed review by the auditors where necessary.

2          Where responsible officers have not taken the action they agreed to, issues are escalated to more senior officers. Ultimately, they may be referred to the Audit and Governance Committee in accordance with the follow-up and escalation procedure. 

3          In figure 1, below, the status of agreed actions from follow-up activity undertaken in the first quarter of 2025/26 is shown. In future progress reports, this information will be presented on a rolling twelve-month basis.

4          For clarity, the figure shows the results of follow up activity for this period, regardless of when actions were originally due (that is, it includes actions which were due prior to Q1 2025/26 but which are still being followed up).

5          For completeness, it also shows actions which have been agreed in finalised audits, but which have not yet fallen due and so have not been followed up.

Figure 1: Total agreed actions by current status

6          A total of 60 actions have been followed up so far this year. Of these, 37 have been satisfactorily implemented.

7          A total of 12 actions had their original implementation timescale extended, with revised implementation dates being agreed with the action owner. We agree revised dates where the delay in addressing an issue will not lead to unacceptable exposure to risk and where the delays may be unavoidable. However, the committee should be aware that lengthy or continued revised dates do inevitably lead to a degree of risk exposure to the council.

8          Figure 2, below, shows by how long implementation dates have been revised from the original implementation date.

Figure 2: Length of revised dates agreed for action implementation

9          At the time of reporting, 11 actions are overdue. This is shown in figure 3, below.

Figure 3: Length of time actions have been overdue


10       Included in figure 3 are seven actions where we have received a response but have not yet been able to conclude whether the risk has been satisfactorily addressed.

11       There will usually be some instances like this at any point in time. It can be due to ongoing communication with the responsible officers to obtain evidence confirming completion of the action. It can also be due to instances where the action taken is not exactly as agreed and further work is being undertaken to assess whether the action taken does satisfactorily address the risk or because there are ongoing discussions about whether to agree revised dates for the action.

12       Four actions are overdue, and we have not yet received a response from the action owner. In all of these cases, staff changes have resulted in a change to the responsible officer for the action, so we are following up the action with a new responsible officer.

13       Overdue actions are escalated according to the agreed escalation policy, firstly to relevant directors, then to senior officers via GRAG (Governance, Risk and Assurance Group). They may subsequently be brought to the Audit & Governance Committee. At this stage, no overdue actions are being escalated to the committee.