Date: 12 November 2025
ANNEX 1
Internal Audit Progress Report 2025/26

CONTENTS

Background

Internal audit progress

Follow up

Appendix A: Internal audit work in 2025/26

Appendix B: Current priorities for internal audit work

Appendix C: Summary of key issues from finalised audits

Appendix D: Audit opinions and finding priorities

Appendix E: Follow up of agreed actions

BACKGROUND

1            Internal audit provides independent and objective assurance and advice about the council’s operations. It helps the organisation to achieve its overall objectives by bringing a systematic, disciplined approach to the evaluation and improvement of the effectiveness of risk management, control, and governance processes.

2            The work of internal audit is governed by the Accounts and Audit Regulations 2015 and relevant professional standards. These include the Global Internal Audit Standards and the Application Note: Global Internal Audit Standards in the UK Public Sector.  

3            In accordance with the Global Internal Audit Standards (UK Public Sector) the Head of Internal Audit is required to report progress against the internal audit plan (the work programme) agreed by the Audit & Governance Committee, and to identify any emerging issues which need to be brought to the attention of the committee. 

4            The internal audit work programme was agreed by this committee in March 2025.

5            Veritau adopts a flexible approach to work programme development and delivery. Work to be undertaken during the year is kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council.

6            The purpose of this report is to update the committee on internal audit activity up to 31 October 2025, and to outline current plans for delivery over the remainder of the year.

INTERNAL AUDIT PROGRESS

7            A summary of internal audit work currently underway, as well as work finalised in the year to date, is included in appendix A. Appendix A also details other work completed by internal audit during the year.

8            Since our last report to this committee, eight audits have been finalised. A further five internal audit engagements have reached draft report stage. These will be finalised over the coming weeks.

9            A total of 17 audits are in progress at the time of reporting. A further seven audits are at the background planning stage, in preparation for commencement during the current quarter.

10        In addition to the internal audit engagements discussed above, we have also continued to support the council by certifying central government grants, undertaking consultative engagements, and providing support and advice on governance, risk and control related matters.

11        The 2025/26 work programme, showing current priorities for internal audit work, is included in appendix B. The programme includes a number of audits in the ‘do later’ category. The internal audit work programme is designed to include all potential areas that should be considered for audit in the short to medium term, recognising that not all of these will be carried out during the current year (work is deliberately over programmed so that we can be responsive to changes in the relative priority of work).

12        The eight audits that have been finalised since the last report to this committee are included in appendix C. The appendix summarises the key findings from these audits, and includes actions agreed with officers to address identified control weaknesses. The finalised reports in appendix C are also included as exempt annexes to this report.

13        Appendix D provides the definitions for our audit opinions and finding ratings.

FOLLOW UP

14        All actions agreed with services as a result of internal audit work are followed up to ensure that issues are addressed. As a result of this work, we are generally satisfied that sufficient progress is being made to address the control weaknesses identified in previous audits.

15        A summary of the current status of follow up activity is included at appendix E.

 

 

 


 

APPENDIX A: INTERNAL AUDIT WORK IN 2025/26

Final reports issued

| Audit | Reported to Committee | Opinion |
|---|---|---|
| Safety Valve (implementation review) | May 2025 | Substantial Assurance |
| Housing benefits | May 2025 | Substantial Assurance |
| NHS Data Security and Protection Toolkit: accountable suppliers | May 2025 | No Opinion Given |
| School themed audit: purchasing and best value | July 2025 | Reasonable Assurance |
| Communications | July 2025 | No Opinion Given |
| Funded early education | July 2025 | Reasonable Assurance |
| Member induction programme | July 2025 | No Opinion Given |
| Commercial asset performance | July 2025 | Substantial Assurance |
| Savings plans | July 2025 | Reasonable Assurance |
| Clifton Green Primary School | July 2025 | Reasonable Assurance |
| Elvington Primary School | November 2025 | Reasonable Assurance |
| Carbon adaptation and reduction | November 2025 | Substantial Assurance |
| Physical information security | November 2025 | Reasonable Assurance |
| Schools themed audit: premium allocations | November 2025 | Substantial Assurance |
| Public EV charging strategy | November 2025 | Substantial Assurance |
| Free school meals: auto-enrolment | November 2025 | Substantial Assurance |
| Recruitment and selection | November 2025 | Reasonable Assurance |
| Contract management | November 2025 | Reasonable Assurance |

Audits in progress

| Audit | Status |
|---|---|
| Contract management (major project delivery) | In draft |
| Risk management (follow-up audit) | In draft |
| ICT disaster recovery | In draft |
| Performance management | In draft |
| Flexitime and annual leave | In draft |
| Service and role-specific training | In progress |
| Absence management | In progress |
| Travel and subsistence | In progress |
| Main accounting system | In progress |
| Sundry debtors | In progress |
| Ordering and creditor payments (P2P action plan and verification) | In progress |
| Council Tax and NNDR | In progress |
| Property asset management | In progress |
| Residential care: Ousecliffe and Wenlock Terrace | In progress |
| Payments to care providers and contract management (ASC&I) | In progress |
| Continuing healthcare | In progress |
| Children & Education Directorate: local scheme of delegation | In progress |
| Unaccompanied asylum seeker children | In progress |
| Schools themed audit: Governance | In progress |
| Home to school transport | In progress |
| Cybersecurity: user account management | In progress |
| Project management (gateway reviews) | In progress |
| Information access request management (annex 6 requests) | Planning |
| Payroll | Planning |
| Right To Buy | Planning |
| Licensing | Planning |
| Referrals and care assessments (ASC&I) | Planning |
| St Mary’s CE Primary School | Planning |
| Westfield Primary Community School | Planning |

Other work completed in 2025/26

Internal audit work has been undertaken in a range of other areas during the year, including those listed below.

*      Follow up of agreed actions

*      Refresh of the follow-up and escalation procedure, with regular reporting to the Governance, Risk and Assurance Group

*      Grant certification work:

       *      Scambusters

       *      UK Shared Prosperity Fund programme assurance (2024/25)

       *      HUG2

*      Consultative engagements:

       *      Fact-finding review into manual creditor payments

       *      Fact-finding review into the management of services provided by YorHome

*      Provision of support and advice:

       *      Preparation of a briefing note on CIPFA’s Code of Practice for the Governance of Internal Audit in UK Local Government (‘the Code’)

       *      Support with undertaking the council’s self-assessment against the Code

       *      Holiday let commercial waste income collection procedures

 


APPENDIX B: CURRENT AUDIT PRIORITIES

Strategic / corporate & cross cutting

| Category | Audit / Engagement | Rationale |
|---|---|---|
| Do now | Contract management (major project delivery) | Provides coverage of more than one key assurance area. |
| Do now | Travel and subsistence | Identified in consultation with officers. |
| Do now | Performance management framework | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Risk management (follow-up audit) | Key area of corporate governance. Provides broader assurance. |
| Do now | Flexitime and annual leave | Identified in consultation with officers. |
| Do now | Absence management | Emerging risk area. |
| Do now | Service and role-specific training | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Information access request management | No recent coverage. Risks / controls are changing. |
| Do next | Building security (West Offices and Hazel Court) | Provides coverage of a key assurance area. |
| Do next | Procurement Act compliance | Risks / controls are changing. |
| Do next | Data quality | Provides coverage of a key assurance area. Provides broader assurance. |
| Do later | Overtime | |
| Do later | Physical information security | |
| Do later | Contract management | |
| Do later | Risk management (maturity assessment) | |
| Do later | Public health: procurement and contract management | |
| Do later | York 2032: partnership governance | |
| Do later | Management of York & North Yorkshire Combined Authority funding | |

Financial systems

| Category | Audit / Engagement | Rationale |
|---|---|---|
| Do now | Main accounting system | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Ordering and creditor payments (P2P action plan and verification) | Being undertaken to verify progress made in implementing improvements to control. |
| Do now | Sundry debtors | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Council Tax and NNDR | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Payroll | Key financial system. Risks / controls are changing. |
| Do next | Housing rents | Risks / controls are changing. |
| Do later | - | - |

Service areas

| Category | Audit / Engagement | Rationale |
|---|---|---|
| Do now | Unaccompanied asylum seeker children | Emerging risk area. |
| Do now | Residential care: Ousecliffe and Wenlock Terrace | Being undertaken in response to known areas for improvement. |
| Do now | Children & Education Directorate: local scheme of delegation | Risks / controls are changing. Provides coverage of a key assurance area. |
| Do now | Schools themed audit: Governance | Identified in consultation with officers. |
| Do now | Home to school transport | Risks / controls are changing. Known area of pressure. |
| Do now | Continuing healthcare | Risks / controls are changing. |
| Do now | Payments to care providers and contract management (ASC&I) | Provides coverage of more than one key assurance area. |
| Do now | Property asset management | Risks / controls are changing. New regulatory regime. |
| Do now | Right To Buy | Risks / controls are changing. Changes to government policy. |
| Do now | Licensing | No recent coverage. Provides coverage of a key assurance area. |
| Do now | Referrals and care assessments (ASC&I) | Provides coverage of a key assurance area. |
| Do now | Westfield Primary School | Identified in consultation with officers. |
| Do now | St Mary's CE Primary School | Identified in consultation with officers. |
| Do next | Foster carer payments (follow-up audit) | Follow-up of previous Limited Assurance audit. |
| Do next | Use of fleet vehicles | No recent coverage. Provides coverage of a key assurance area. |
| Do later | RoSH standards improvement plan (inc. housing repairs performance) | |
| Do later | Transport and highways programme | |
| Do later | Managing customer finances | |
| Do later | Danesgate Community School | |
| Do later | Schools themed audit: procurement | |
| Do later | Education, health and care plans (EHCPs) | |
| Do later | Children’s direct payments | |
| Do later | Out of area placements | |
| Do later | Children leaving care | |
| Do later | Care and support planning | |
| Do later | Housing allocations | |
| Do later | Building control | |
| Do later | Section 106 agreements: use of contributions | |
| Do later | Public protection | |

Technical / projects

| Category | Audit / Engagement | Rationale |
|---|---|---|
| Do now | ICT disaster recovery | Provides broader assurance. Linked to key corporate risk. |
| Do now | Cybersecurity: user account management | Provides coverage of security controls. |
| Do now | Project management (gateway reviews) | Provides coverage of more than one key assurance area. |
| Do next | - | - |
| Do later | Cybersecurity: user awareness / resilience | Key attack vector. Provides coverage of a key assurance area. |
| Do later | ICT applications and database security | |
| Do later | ICT emergency response & business continuity planning | |
| Do later | Project governance (major projects) | |

APPENDIX C: SUMMARY OF KEY ISSUES FROM AUDITS FINALISED SINCE THE LAST REPORT TO THE COMMITTEE

System/area (month issued) | Opinion | Area reviewed | Comments / Issues identified | Management actions agreed

Elvington Primary School (July 2025)

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed the design and effectiveness of governance and controls for administering key financial, human resources, and safeguarding processes.

Comments / Issues identified:

The school’s website was not up to date with the most recent academic year’s declarations of interests.

The contract register had not been fully completed and adequately reviewed by governors.

The school had not been routinely using purchase orders to initiate expenditure.

The school's purchase card limit was significantly higher than its typical monthly usage. Transaction logs were not being used correctly and there was no evidence that these were being checked by the card holder or independently reconciled.

There are gaps in the undertaking of mandatory training and of training which would improve the school’s resilience for managing activities such as school trips and recruitment exercises.

Management actions agreed:

A number of actions were agreed to address the identified control weaknesses. These included:

*      Updating the school website to include current declarations, and strengthening processes to capture declarations when made

*      Quarterly reviews of the contract register and annual reporting to governors

*      Using Xero accounting software to encourage consistent use of purchase orders, with periodic checks to be undertaken

*      Reducing the school’s purchase card limit

*      Transaction logs will be completed by the cardholder each month and independently reviewed

*      Mandatory training will be brought up to date, with the training log improved to clearly show expiry dates

*      A review of skills / training will be undertaken to ensure suitable resilience is built

Carbon adaptation and reduction (July 2025)

Opinion: Substantial Assurance

Area reviewed: The purpose of this audit was to provide assurance that the council has a suitable climate change action plan which supports delivery of the Climate Change Strategy, and that emissions data is accurately reported.

Comments / Issues identified:

There is a clear biennial process established to ensure the climate change action plan (‘action plan’) is updated following suitable consultation. Overall, a sound control environment is in place for the identification, collection and reporting of carbon emissions data. However, some control weaknesses were identified.

Action plan actions do not have clear completion timescales or success criteria. The criteria for categorising actions are also not transparent and it is unclear which actions are the responsibility of the council or of third parties.

Updates to action plan actions are made without supporting evidence from action owners.

The council is not reporting emissions from its biomass-generated electricity consumption in line with reporting guidance.

Management actions agreed:

The carbon reduction team (CRT) will revise existing actions to ensure they meet SMART criteria as part of the biennial review cycle. The CRT will also add a key and legend to the next version of the action plan.

The CRT will request evidence of progress against actions from action owners in the next update of the action plan.

The CRT will include emissions derived from biomass-generated electricity consumption in their next annual carbon emissions report.

Physical information security compliance (August 2025)

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed the physical information security arrangements in place at West Offices and Hazel Court. It also involved assessing arrangements at the Union Terrace and Robinson Court hostels. Access to restricted areas was assessed by reviewing access arrangements for the Electoral Services room in West Offices.

Comments / Issues identified:

Although most cupboards were secured and desks cleared at West Offices and Hazel Court, unlocked cabinets and cupboards containing documents, physical assets, and keys were found at both sites. The documents found often contained personal data, sometimes of a sensitive nature.

Similarly, during the visits to Union Terrace and Robinson Court unlocked filing cabinets with personal records of residents were found. While both hostels always have staff present on site, staff do not have direct oversight of the records when not in use.

There is no documented access procedure for officers to request or remove access to the Electoral Services room. An annual review of access rights to the Electoral Services room has also not taken place in recent years. Key logs to the room showed that more officers had access than was expected.

Management actions agreed:

A number of actions were agreed to address the identified control weaknesses. These included:

*      Sharing the detailed findings with information asset owners, and requesting improvement / reinforcement of arrangements

*      Regular all-staff emails on council policies, procedures and instructions on clearing desks, locking cupboards, storing keys, and password security

*      Review and improvement of access request and monitoring procedures for the Electoral Services room

*      Undertaking annual secure room access reviews and communicating this requirement to service managers

Schools themed audit: premium allocations (August 2025)

Opinion: Substantial Assurance

Area reviewed: The purpose of this audit was to provide assurance that procedures in place at the council’s maintained schools meet DfE guidance on use of pupil premium funding.

Comments / Issues identified:

The audit reviewed procedures at six maintained schools.

The governing body of five of the schools had reviewed and approved the pupil premium strategy. One school’s governing body had not approved the strategy.

Four schools were unable to provide a detailed breakdown from their financial management systems of expenditure on provisions for pupil premium students. This makes it more difficult to monitor delivery of their strategies.

All primary schools must submit a digital return to the DfE detailing their use of the 2025 PE and sport premium funding by 31 July 2025. Staff at all six schools stated that they were not aware of the digital reporting changes that were being introduced. This is despite being informed by the council.

Management actions agreed:

Schools will be reminded of the importance of having their pupil premium strategies approved in the full governing body meetings.

Schools have adopted or will be adopting Xero as their new finance system. The council will look to introduce a financial process to ensure all premium allocation spending is suitably recorded and coded accurately.

Schools will be reminded of the importance of the council’s school finance updates, and a clearer update for the digital submission will be provided.

Public EV charging strategy (October 2025)

Opinion: Substantial Assurance

Area reviewed: The purpose of this audit was to provide assurance on the council’s arrangements for managing its EV charging estate. It focused on ensuring that the strategy aligns with the council’s corporate objectives, and that financial management arrangements are sound.

Comments / Issues identified:

The current strategy has clear links to the Corporate Plan outcomes, the council’s Climate Change Strategy, and the Local Transport Strategy. An updated strategy is currently being written and is expected to launch in December 2025.

All income collected by BP Pulse on behalf of the council had been invoiced and reclaimed. However, a number of instances were identified where an incorrect tariff rate had been charged by BP Pulse. These had not been identified by the council when the charging statements were received. Errors were seen in all statements provided, covering the period from April 2023 to March 2025. The contract with BP Pulse runs until November 2025 and a temporary rolling extension has been agreed until the council enters a new contract.

Management actions agreed:

Statements are currently checked prior to invoicing. However, these checks will be amended to include a check on the tariff rate being charged. The council will continue to work with BP Pulse to resolve the historic misbilling and ensure all overpayments are corrected.

Free school meals: auto-enrolment (October 2025)

Opinion: Substantial Assurance

Area reviewed: The audit reviewed arrangements for managing the council’s free school meal auto-enrolment service.

Comments / Issues identified:

A standard operating procedure, aligned with ‘Fix Our Food’ best practice, is in place and is consistently followed. Processes are in place to safeguard information and ensure data held is handled appropriately. Regular checks are undertaken on the database to ensure its continued accuracy.

Management actions agreed: N/A

Recruitment and selection (October 2025)

Opinion: Reasonable Assurance

Area reviewed: The purpose of this audit was to provide assurance on the council’s arrangements for recruitment, selection, and onboarding of permanent staff.

Comments / Issues identified:

Despite the comprehensive resources available to recruiting managers and business support, they did not make consistent use of these. Shortlisting matrices, interview record forms, notification to appoint forms, and new starter checklists had not been completed correctly or, in some cases, were missing altogether.

Pre-employment checks were carried out in all cases but not always properly recorded in a way that meets Home Office guidance.

Suitable management of a conflict of interest, declared at the application stage of one recruitment, was not evidenced.

Management actions agreed:

A range of actions have been agreed with management to address the identified control weaknesses. Key among these are:

*      a review of all recruitment forms to ensure they are sufficiently clear

*      distribution of an all-staff HR advisory circular reinforcing council requirements

*      training for business support on right to work checks

*      an update to recruitment and selection guidance on how to handle and record conflicts of interest

Contract management (October 2025)

Opinion: Reasonable Assurance

Area reviewed: This audit reviewed the council’s contract management arrangements, including procedures and training. It also involved a more detailed review of how a sample of 10 contracts have been managed.

Comments / Issues identified:

The absence of corporately agreed expectations for contract management and a lack of training available to contract managers were the two key issues identified. This has led to inconsistent approaches across different service areas. Not all of this inconsistency can be explained by the variety in contracts being managed. Several service areas are also dependent on the knowledge of one individual to manage contracts.

Other issues identified included contracts which had missing or unclear terms in several important areas for contract management, unavailability or inaccessibility of contract documents, and issues with the quality and completeness of contract performance meeting records.

Management actions agreed:

A new contract management post has been created within Commercial Procurement that would look to bring in a consistent approach to contract management across the council, and to provide training on corporate expectations. The recruitment process was unsuccessful so the post will be readvertised as a permanent position, in the hope that this will encourage more candidates.

Legal Services and Commercial Procurement will jointly develop a checklist of standard terms to be included in all contracts let by the council, irrespective of value.

The Director of Governance will present a report to Council Management Team which reinforces expectations for the drafting, retention, and ongoing management of contracts.

APPENDIX D: ASSURANCE AUDIT OPINIONS AND FINDING PRIORITIES

Audit opinions

 

Audit work is based on sampling transactions to test the operation of systems. It cannot guarantee the elimination of fraud or error. Our opinion is based on the risks we identify at the time of the audit. Our overall audit opinion is based on four grades of opinion, as set out below.

| Opinion | Assessment of internal control |
|---|---|
| Substantial assurance | Overall, good management of risk with few weaknesses identified. An effective control environment is in operation but there is scope for further improvement in the areas identified. |
| Reasonable assurance | Overall, satisfactory management of risk with a number of weaknesses identified. An acceptable control environment is in operation but there are a number of improvements that could be made. |
| Limited assurance | Overall, poor management of risk with significant control weaknesses in key areas and major improvements required before an effective control environment will be in operation. |
| No assurance | Overall, there is a fundamental failure in control and risks are not being effectively managed. A number of key areas require substantial improvement to protect the system from error and abuse. |

 

Finding ratings

 

| Critical | A fundamental system weakness, which presents unacceptable risk to the system objectives and requires urgent attention by management. |
| Significant | A significant system weakness, whose impact or frequency presents risks to the system objectives, which needs to be addressed by management. |
| Moderate | The system objectives are not exposed to significant risk, but the issue merits attention by management. |
| Opportunity | There is an opportunity for improvement in efficiency or outcomes but the system objectives are not exposed to risk. |

 


APPENDIX E: FOLLOW UP OF AGREED AUDIT ACTIONS

1          Follow up work is carried out through a combination of questionnaires completed by responsible managers, risk assessment, and by further detailed review by the auditors where necessary.

2          Where responsible officers have not taken the action they agreed to, issues are escalated to more senior officers. Ultimately, they may be referred to the Audit & Governance Committee in accordance with the follow-up and escalation procedure. 

3          In figure 1, below, the status of agreed actions from follow-up activity undertaken between 1 April 2025 and 15 October 2025 is shown.

4          For clarity, the figure shows the results of follow up activity for this period, regardless of when actions were originally due (that is, it includes actions which were due prior to 1 April 2025 but which are still being followed up).

5          For completeness, it also shows actions which have been agreed in finalised audits, but which have not yet fallen due and so have not been followed up.

Figure 1: Total agreed actions by current status

 

                                                                      

6          A total of 79 actions have been followed up so far this year. Of these, 59 have been satisfactorily implemented. 37 actions are not yet due for follow-up as their original implementation date has not passed at the time of reporting.

7          A total of 13 actions have had their original implementation timescale extended, with revised implementation dates being agreed with the action owner. We agree revised dates where the delay in addressing an issue will not lead to unacceptable exposure to risk and where the delays may be unavoidable. However, the committee should be aware that lengthy or continued revised dates do inevitably lead to a degree of risk exposure to the council.

8          Figure 2, below, shows how long dates have been revised from the original implementation date.

Figure 2: Length of revised dates agreed for action implementation

 

9          At the time of reporting, seven actions are overdue. This is shown in figure 3, below.

 

 

 

 

 

Figure 3: Length of time actions have been overdue

 

10       Included in figure 3 are three actions where we have received a response but have not yet been able to conclude whether the risk has been satisfactorily addressed.

11       There will usually be some instances like this at any point in time. It can be due to ongoing communication with the responsible officers to obtain evidence confirming completion of the action. It can also be due to instances where the action taken is not exactly as agreed and further work is being undertaken to assess whether the action taken does satisfactorily address the risk or because there are ongoing discussions about whether to agree revised dates for the action.

12       Four actions are overdue, and we have not yet received a response from the action owner. These relate to two audits and are all moderate priority actions. We will continue to pursue responses.

13       Overdue actions are escalated according to the agreed escalation policy, firstly to relevant directors, then to senior officers via GRAG (Governance, Risk and Assurance Group). They may subsequently be brought to the Audit & Governance Committee. At this stage, no overdue actions are being escalated to the committee.