Internal Audit Work Programme 2024/25
Annex 1

 

A blue and white triangle pattern Description automatically generated

 



CONTENTS

3           Introduction

3           Strategic context

4           Programme principles and development

7           2024/25 internal audit work

9           Annex A: indicative internal audit work programme

13         Annex B: current priorities for internal audit work (‘do now, ‘do next and ‘do later’)

 

 

 

A blue and white triangle pattern Description automatically generated

Introduction ,Briefcase with solid fill 


1             This report sets out the proposed 2024/25 programme of work for internal audit, provided by Veritau for North Yorkshire Council.

2             The work of internal audit is governed by the Public Sector Internal Audit Standards (PSIAS) and the council’s audit charter. To comply with professional standards and the charter, internal audit work must be risk based and take into account the requirement to produce an evidence-based annual internal audit opinion. Accordingly, planned work should be reviewed and adjusted in response to changes in the business, risks, operations, programmes, systems and internal controls.

3             Specifically, the PSIAS require that the Head of Internal Audit must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals. The risk-based plan must take into account the requirement to produce an annual internal audit opinion.”

4             The Head of Internal Audit’s annual opinion is formed following an independent and objective assessment of the effectiveness of the framework of risk management, governance and internal control. Our planned audit work includes coverage of all three areas to develop a wider understanding of the assurance framework of the council, and to produce a body of work which allows us to provide our opinion.

5             Responsibility for effective risk management, governance and internal control arrangements remains with the council. The Head of Internal Audit cannot be expected to prevent or detect all weaknesses or failures in internal control nor can audit work cover all areas of risk across the organisation.

Strategic context ,Puzzle with solid fill 

 


6             North Yorkshire Council is facing unprecedented financial and delivery pressures as a result of the continued increase in demand for its services, the impact of inflation and economic uncertainty. The council is also embarking on an ambitious transformation programme to help the new organisation become ‘One Council fit for the future’.

7             2024/25 is only the second year of the council’s existence and so the transformation programme includes a significant amount of work. Many legacy council systems and processes remain, with further convergence of services planned. There are also opportunities to go further and deliver services in new ways to achieve efficiencies and improvements.

8             The council does not face immediate financial risks providing it delivers the savings opportunities arising from local government reorganisation. In the current Medium Term Financial Strategy, a savings programme totalling £46 million (to 2026-27) has been identified but there is still a projected recurring shortfall building to £48.2m by 2026/27. In the current year, it is therefore Packing Box Open with solid fillimportant for the council to identify additional transformational savings to bridge much of this deficit.

9             Service transformation runs deeper than financial savings alone. Key corporate policies, such as the people strategy, will aim to embed the organisation’s values. Change programmes are aiming to create a culture where teams prioritise customer experience, purposeful delivery, and a strong performance ethos.

10          In short, the council is expected to deliver more with less, whilst running a very ambitious transformational programme. Maintaining effective operational arrangements is essential to achieving all of these objectives.  Internal audit contributes to overall objectives by helping to ensure that systems of governance, risk management and control that underpin operational arrangements are robust. To maximise the value of internal audit, it is important that we provide assurance in the right areas at the right time. We’ve therefore designed a process for developing the internal audit work programme and refining it through the year.

Programme principles and development  



Packing Box Open with solid fillFlexible, risk-based planning and the opinion framework

11          In order to best meet professional standards, internal audit is required to adopt flexible planning processes that are sensitive to risk. This flexibility and risk-based approach are driving principles for the delivery of North Yorkshire Council’s 2024/25 internal audit work programme.

12          The Audit Committee was introduced to Veritau’s opinion framework as part of the 18 March 2024 internal audit work programme consultation report. The opinion framework sets out the principles that will be used to develop and manage the audit work programme over the year. It ensures that assurance coverage is targeted towards priority areas. This, in turn, allows us to provide a properly informed annual opinion.

Identification of initial internal audit priorities

13          Internal audit maintains a long list of all areas within the council that could potentially be audited. It is not possible to review all areas in any one year. Instead, we prioritise audits by considering potential risks in each area at the time of the assessment and by considering requirements for assurance coverage. The opinion framework provides the structure for internal audit to take informed decisions on priorities.

14          Figure 1 on the following page demonstrates how the framework is applied to identify initial internal audit priorities.

5
Figure 1: The opinion framework.
A black and white logo Description automatically generated
THE OPINION FRAMEWORK

A blue and white triangle pattern Description automatically generatedBadge with solid fill

11 Key Assurance Areas
Badge 1 with solid fillThe Audit Universe

Badge 4 with solid fillKey Corporate Risks Climate change Quality / economic issues (care, workforce) Information governance & cyber Transformation and savings Property / housing regulation compliance Recruitment, retention, & resources Significant incidents , Place and Environment Economy Health and Wellbeing People Organisation Badge 5 with solid fillBadge 3 with solid fill

The audit universe represents all areas across the council that Veritau has identified as being auditable. The universe is broadly structured as follows: Corporate and cross-cutting Key financial systems Service areas ICT and technical
Having evaluated all potential audits against the opinion framework in steps 1 to 4, audits are prioritised for inclusion in the internal audit work programme (step 5).
Internal Audit Work Programme , Council Ambitions
Information outline
Laptop outlineGantt Chart outlineCity outlineUsers outlineHandshake outline
Procurement and contract management People management Asset management Programmes and project management IT governance
Upward trend outlineMap with pin outlineScales of justice outlineCoins outlineDatabase outlineWarning outline
Strategic planning Organisational governance Financial governance Risk management Information governance Performance management and data quality

 


The ‘do now’, ‘do next’, ‘do later’ audit prioritisation system

15          Once initial internal audit priorities have been identified through application of the opinion framework, we then overlay a second system of prioritisation. This system allows us to determine the relative priority of audits included in the indicative work programme.

16          This second prioritisation system sees audits assigned to one of three categories, as shown in figure 2 below.

 

Figure 2: ‘do now’, ‘do next’, ‘do later’ prioritisation system.

 

 

 

 

 


17          Decisions on which category of the three categories internal audit work falls into will be based on judgement and will be made having given consideration to the prioritisation factors in table 1 below. These will result in internal audit work being considered a relatively higher or lower priority at the time of assessment.

Table 1: Internal audit prioritisation factors.

Prioritisation factors

*       where we have no recent audit assurance, or other sources of information

*       where controls are changing and / or risks are increasing

*       where we are following up previous control weaknesses

*       where specific issues are known to have arisen

*       that are of significant importance to the council, for example they reflect key objectives or high priority projects

*       that provide broader assurance, for example corporate policies and frameworks

*       that need to be covered to enable us to provide an annual opinion

*       where there are time pressures or scheduling requirements, for example grant deadlines, or work scheduled to minimise the impact on council service areas at busy times

 

18          The above factors will be used on an ongoing basis to decide what internal audit work will be carried out, and when, during the course of the year. These decisions will be made in consultation with the council through our ongoing dialogue with senior officers. Individual pieces of work will move between the three categories, as required, based on their priority at the time of assessment.

19          For example, an audit scheduled for quarter two to minimise the impact on a service area may initially be classed as to ‘do later’ but will become ‘do now’ as we move into quarter two. Similarly, an audit of a council project classed as ‘do now’ because it represents an area of high importance may move from ‘do now’ to ‘do next’ or ‘do later’ if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as ‘do later’ are likely to be deferred until the following year.

20          The committee will be provided with information on current internal audit priorities throughout the year as part of regular progress reporting.

Inbox with solid fill
2024/25 Internal audit work
 

 

 


The 2024/25 indicative internal audit work programme

21          The work programme for 2024/25 is set out in annex A, beginning on page 9. Annex B outlines and organises the programme by current ‘do now’, ‘do next’ and ‘do later’ priorities.

22          Functionally, the indicative programme is structured into a number of areas, as set out in table 2, below.

Table 2: Work programme functional areas.

Programme area

Purpose

*       Strategic / corporate & cross cutting

To provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council.

 

*       Technical / projects

To provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services.

 

*       Financial systems

To provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised.

 

*       Service areas

To provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise.

 

*       Other assurance work

An allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management.

 

*       Client support, advice & liaison

Work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff.

 

 

23          The overall level of service is based on an indicative number of days, for planning purposes (2,250 days for 2024/25). Figure 3 below shows the proportion of time we expect to deliver across each area during the year.

Figure 3: 2024/25 work programme: indicative functional area split.

 

24          It is important to emphasise two important aspects of the programme. Firstly, the audit activities included in annex A are not fixed. As described above, work will be kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.

25          Secondly, it will not be possible to deliver all of the audit activities listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment. Over-planning the programme enables us to respond quickly by commencing work in other areas of importance to the council when risks and priorities change during the year.

 

ANNEX A: indicative internal audit work programme 2024/25

 

Programme area

 Potential internal audit activity

Strategic / corporate & cross cutting

 

 

*       Council transformation

*       Governance arrangements

*       Revenue and capital budget setting, monitoring and management

*       Information governance and information security incidents review and support

*       Records management

*       Risk management

*       Property asset management

*       Procurement Act: preparedness assessment

*       Procurement -specific reviews

*       Contract management

*       Business continuity

*       Climate change

*       Health and safety

*       Partnership working and governance

*       Performance management framework

*       Project management arrangements

*       Management of external funding

*       Council companies and other commercial operations

*       HR audit (culture/absence management)

*       Agency staff and consultants

*       Complaints

Technical / projects

 

 

*       Support and advice for council and service transformation

*       Involvement in specific service areas developments

*       ICT disaster recovery and incident management

*       ICT cyber security

*       ICT asset management

*       ICT applications – including Highways Aurora System

*       IT information security operations centres

*       Projects / systems advice and support

Financial systems

 

 

*       Main accounting system

*       Ordering and creditor payments

*       Purchase cards

*       Sundry debtors and debt recovery

*       Payroll

*       Income collection and management

*       Revenues

*       Benefits

*       Housing rents

Service areas

 

 

*       Locality working

*       Community infrastructure levy and s106 agreements

*       Planning systems

*       Council house stock and repairs

*       Homelessness

*       Leisure – cash handling procedures

*       Economic development

*       Harbours

*       Licensing

*       Car Parking

*       Highways

*       CCTV

*       Developing stronger families

*       Special educational needs – transition planning

*       Early years funding expansion

*       Maintained school’s visits

*       Schools themed audits

*       Schools financial value standard

*       Home to school transport

*       Social care provider visits

*       Social care financial assessments

*       Safeguarding

*       Power of Attorney and Court of Protection

*       Payment to care providers (Provider Portal)

*       Liberty protection safeguards

*       Continuing Healthcare

*       Public health

Other assurance work

 

 

*       Follow-up of previously agreed management actions

*       Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control

*       Continuous assurance work, including data analytics and data matching projects Attendance at, and contribution to, governance- and assurance-related working groups

Client support, advice & liaison

 

 

*       Committee preparation and attendance

*       Key stakeholder liaison

*       Support and advice on control, governance and risk related issues

 

ANNEX B: Current priorities for Internal Audit work

Audit

Timing

 

Do now

Do next

Do later

Strategic and Corporate risks

 

 

 

Council transformation plans and savings programme

ü

ü

ü

Revenue budget setting, monitoring and management

 

ü

 

Capital budget management

ü

 

 

Governance

ü

 

ü

Information security incident reviews and support

 

 

ü

Records management

 

ü

 

Risk management

 

ü

 

Property asset management

ü

 

 

Procurement Act – preparedness assessment

ü

 

 

Procurement – specific reviews

ü

 

ü

Contract management – specific reviews

ü

ü

ü

Business continuity

ü

 

 

Climate change

ü

 

 

Health and safety

 

 

ü

Partnership working and governance

 

 

 

Performance management framework

 

ü

ü

Project management arrangements

ü

 

 

Management of external funding

 

ü

 

Council companies and other commercial operations

 

ü

 

Agency staff and consultants

 

 

ü

Complaints

ü

 

 

Technical / Project Risks

 

 

 

Support and advice for council and service transformation

ü

ü

ü

Involvement in specific service areas developments

ü

ü

ü

Project advice / implementation and support

ü

ü

ü

ICT disaster recovery and incident management

ü

 

 

ICT cyber security

ü

ü

 

ICT asset management

ü

ü

 

IT information security operations centres

 

ü

 

ICT applications – including Highways Aurora System

 

 

ü

Financial Systems

 

 

 

Main accounting system

ü

ü

ü

Creditor payments

ü

ü

ü

Purchase cards

ü

 

 

Sundry debtors, including debt recovery

 

ü

 

Payroll

ü

 

 

Income collection and management

 

ü

 

Revenues

ü

 

ü

Benefits

ü

 

ü

Housing rents

ü

 

ü

Service Area Related

 

 

 

Locality working

 

 

ü

Community infrastructure levy and s106 agreements

 

ü

 

Planning systems

 

 

ü

Housing regulation

 

 

ü

Council house stock and repairs

 

ü

 

Homelessness

 

 

ü

Leisure – cash handling procedures

ü

 

 

Economic development

 

 

ü

Harbours

ü

 

 

Licensing

 

 

ü

Car Parking

 

ü

 

Highways

 

ü

 

CCTV

ü

 

 

Developing stronger families

 

ü

ü

Special educational needs – transition planning

ü

ü

 

Early years funding expansion

 

ü

ü

Maintained school’s visits

ü

ü

ü

Schools themed audits

ü

ü

ü

Schools financial value standard

 

 

ü

Home to school transport

 

 

ü

Social care provider visits

 

ü

 

Social care financial assessments

ü

 

 

Safeguarding

ü

 

 

Power of Attorney and Court of Protection

ü

 

 

Payment to care providers (Provider Portal)

 

ü

 

Liberty protection safeguards

ü

 

 

Continuing Healthcare

 

 

ü

Public health

 

ü

 

Pensions Fund

 

 

 

Pensions expenditure

ü

 

 

Pensions income

 

ü

 

Pensions investments

 

ü

 

Attendance at pensions board

ü

ü

ü

Other assurance work

 

 

 

Follow-up of previously agreed management actions

ü

ü

ü

Gaining understanding on the evolving systems and processes at the new council

ü

ü

ü

Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control

ü

ü

ü

Continuous assurance work, including data analytics and data matching projects

ü

ü

ü

Attendance at, and contribution to, governance- and assurance-related working groups

ü

ü

ü