![]() |
|||||
![]() |
|||||
![]() |
![]() |
|||||
![]() |
|||||
![]() |
|||||
3 Introduction
3 Strategic context
4 Programme principles and development
7 2024/25 internal audit work
9 Annex A: indicative internal audit work programme
13 Annex B: current priorities for internal audit work (‘do now, ‘do next and ‘do later’)
1 This report sets out the proposed 2024/25 programme of work for internal audit, provided by Veritau for North Yorkshire Council.
2 The work of internal audit is governed by the Public Sector Internal Audit Standards (PSIAS) and the council’s audit charter. To comply with professional standards and the charter, internal audit work must be risk based and take into account the requirement to produce an evidence-based annual internal audit opinion. Accordingly, planned work should be reviewed and adjusted in response to changes in the business, risks, operations, programmes, systems and internal controls.
3 Specifically, the PSIAS require that the Head of Internal Audit “must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals. The risk-based plan must take into account the requirement to produce an annual internal audit opinion.”
4 The Head of Internal Audit’s annual opinion is formed following an independent and objective assessment of the effectiveness of the framework of risk management, governance and internal control. Our planned audit work includes coverage of all three areas to develop a wider understanding of the assurance framework of the council, and to produce a body of work which allows us to provide our opinion.
5 Responsibility for effective risk management, governance and internal control arrangements remains with the council. The Head of Internal Audit cannot be expected to prevent or detect all weaknesses or failures in internal control nor can audit work cover all areas of risk across the organisation.
6 North Yorkshire Council is facing unprecedented financial and delivery pressures as a result of the continued increase in demand for its services, the impact of inflation and economic uncertainty. The council is also embarking on an ambitious transformation programme to help the new organisation become ‘One Council fit for the future’.
7 2024/25 is only the second year of the council’s existence and so the transformation programme includes a significant amount of work. Many legacy council systems and processes remain, with further convergence of services planned. There are also opportunities to go further and deliver services in new ways to achieve efficiencies and improvements.
8
The council does not
face immediate financial risks providing it delivers the savings
opportunities arising from local government reorganisation. In the
current Medium Term Financial Strategy, a savings programme
totalling £46 million (to 2026-27) has been identified but
there is still a projected recurring shortfall building to
£48.2m by 2026/27. In the current year, it is therefore
important for the council to
identify additional transformational savings to bridge much of this
deficit.
9 Service transformation runs deeper than financial savings alone. Key corporate policies, such as the people strategy, will aim to embed the organisation’s values. Change programmes are aiming to create a culture where teams prioritise customer experience, purposeful delivery, and a strong performance ethos.
10 In short, the council is expected to deliver more with less, whilst running a very ambitious transformational programme. Maintaining effective operational arrangements is essential to achieving all of these objectives. Internal audit contributes to overall objectives by helping to ensure that systems of governance, risk management and control that underpin operational arrangements are robust. To maximise the value of internal audit, it is important that we provide assurance in the right areas at the right time. We’ve therefore designed a process for developing the internal audit work programme and refining it through the year.
Flexible,
risk-based planning and the opinion framework
11 In order to best meet professional standards, internal audit is required to adopt flexible planning processes that are sensitive to risk. This flexibility and risk-based approach are driving principles for the delivery of North Yorkshire Council’s 2024/25 internal audit work programme.
12 The Audit Committee was introduced to Veritau’s opinion framework as part of the 18 March 2024 internal audit work programme consultation report. The opinion framework sets out the principles that will be used to develop and manage the audit work programme over the year. It ensures that assurance coverage is targeted towards priority areas. This, in turn, allows us to provide a properly informed annual opinion.
Identification of initial internal audit priorities
13 Internal audit maintains a long list of all areas within the council that could potentially be audited. It is not possible to review all areas in any one year. Instead, we prioritise audits by considering potential risks in each area at the time of the assessment and by considering requirements for assurance coverage. The opinion framework provides the structure for internal audit to take informed decisions on priorities.
14 Figure 1 on the following page demonstrates how the framework is applied to identify initial internal audit priorities.
The ‘do now’, ‘do next’, ‘do later’ audit prioritisation system
15 Once initial internal audit priorities have been identified through application of the opinion framework, we then overlay a second system of prioritisation. This system allows us to determine the relative priority of audits included in the indicative work programme.
16 This second prioritisation system sees audits assigned to one of three categories, as shown in figure 2 below.
Figure 2: ‘do now’, ‘do next’, ‘do later’ prioritisation system.
17 Decisions on which category of the three categories internal audit work falls into will be based on judgement and will be made having given consideration to the prioritisation factors in table 1 below. These will result in internal audit work being considered a relatively higher or lower priority at the time of assessment.
Table 1: Internal audit prioritisation factors.
Prioritisation factors |
|
|
|
|
|
|
|
|
|
18 The above factors will be used on an ongoing basis to decide what internal audit work will be carried out, and when, during the course of the year. These decisions will be made in consultation with the council through our ongoing dialogue with senior officers. Individual pieces of work will move between the three categories, as required, based on their priority at the time of assessment.
19 For example, an audit scheduled for quarter two to minimise the impact on a service area may initially be classed as to ‘do later’ but will become ‘do now’ as we move into quarter two. Similarly, an audit of a council project classed as ‘do now’ because it represents an area of high importance may move from ‘do now’ to ‘do next’ or ‘do later’ if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as ‘do later’ are likely to be deferred until the following year.
20 The committee will be provided with information on current internal audit priorities throughout the year as part of regular progress reporting.
![]() |
|||
![]() |
The 2024/25 indicative internal audit work programme
21 The work programme for 2024/25 is set out in annex A, beginning on page 9. Annex B outlines and organises the programme by current ‘do now’, ‘do next’ and ‘do later’ priorities.
22 Functionally, the indicative programme is structured into a number of areas, as set out in table 2, below.
Table 2: Work programme functional areas.
Programme area |
Purpose |
|
|
To provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council. |
|
|
To provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services. |
|
|
To provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised. |
|
|
To provide assurance on key systems and processes within individual service areas. These areas face risks which are individually significant but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise. |
|
|
An allocation of time to allow for continuous audit planning and information gathering, unexpected work, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management. |
|
|
Work we carry out to support the council in its functions. This includes the time spent providing support and advice, and liaising with staff. |
|
23 The overall level of service is based on an indicative number of days, for planning purposes (2,250 days for 2024/25). Figure 3 below shows the proportion of time we expect to deliver across each area during the year.
Figure 3: 2024/25 work programme: indicative functional area split.
24 It is important to emphasise two important aspects of the programme. Firstly, the audit activities included in annex A are not fixed. As described above, work will be kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value.
25 Secondly, it will not be possible to deliver all of the audit activities listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment. Over-planning the programme enables us to respond quickly by commencing work in other areas of importance to the council when risks and priorities change during the year.
ANNEX A: indicative internal audit work programme 2024/25
Programme area |
Potential internal audit activity |
||
Strategic / corporate & cross cutting
|
|
|
|
Technical / projects
|
|
|
|
Financial systems
|
|
|
|
Service areas
|
|
|
|
Other assurance work
|
|
|
|
Client support, advice & liaison
|
|
|
|
ANNEX B: Current priorities for Internal Audit work
Timing |
|||
|
Do now |
Do next |
Do later |
Strategic and Corporate risks |
|
|
|
Council transformation plans and savings programme |
ü |
ü |
ü |
Revenue budget setting, monitoring and management |
|
ü |
|
Capital budget management |
ü |
|
|
Governance |
ü |
|
ü |
Information security incident reviews and support |
|
|
ü |
Records management |
|
ü |
|
Risk management |
|
ü |
|
Property asset management |
ü |
|
|
Procurement Act – preparedness assessment |
ü |
|
|
Procurement – specific reviews |
ü |
|
ü |
Contract management – specific reviews |
ü |
ü |
ü |
Business continuity |
ü |
|
|
Climate change |
ü |
|
|
Health and safety |
|
|
ü |
Partnership working and governance |
|
|
|
Performance management framework |
|
ü |
ü |
Project management arrangements |
ü |
|
|
Management of external funding |
|
ü |
|
Council companies and other commercial operations |
|
ü |
|
Agency staff and consultants |
|
|
ü |
Complaints |
ü |
|
|
Technical / Project Risks |
|
|
|
Support and advice for council and service transformation |
ü |
ü |
ü |
Involvement in specific service areas developments |
ü |
ü |
ü |
Project advice / implementation and support |
ü |
ü |
ü |
ICT disaster recovery and incident management |
ü |
|
|
ICT cyber security |
ü |
ü |
|
ICT asset management |
ü |
ü |
|
IT information security operations centres |
|
ü |
|
ICT applications – including Highways Aurora System |
|
|
ü |
Financial Systems |
|
|
|
Main accounting system |
ü |
ü |
ü |
Creditor payments |
ü |
ü |
ü |
Purchase cards |
ü |
|
|
Sundry debtors, including debt recovery |
|
ü |
|
Payroll |
ü |
|
|
Income collection and management |
|
ü |
|
Revenues |
ü |
|
ü |
Benefits |
ü |
|
ü |
Housing rents |
ü |
|
ü |
Service Area Related |
|
|
|
Locality working |
|
|
ü |
Community infrastructure levy and s106 agreements |
|
ü |
|
Planning systems |
|
|
ü |
Housing regulation |
|
|
ü |
Council house stock and repairs |
|
ü |
|
Homelessness |
|
|
ü |
Leisure – cash handling procedures |
ü |
|
|
Economic development |
|
|
ü |
Harbours |
ü |
|
|
Licensing |
|
|
ü |
Car Parking |
|
ü |
|
Highways |
|
ü |
|
CCTV |
ü |
|
|
Developing stronger families |
|
ü |
ü |
Special educational needs – transition planning |
ü |
ü |
|
Early years funding expansion |
|
ü |
ü |
Maintained school’s visits |
ü |
ü |
ü |
Schools themed audits |
ü |
ü |
ü |
Schools financial value standard |
|
|
ü |
Home to school transport |
|
|
ü |
Social care provider visits |
|
ü |
|
Social care financial assessments |
ü |
|
|
Safeguarding |
ü |
|
|
Power of Attorney and Court of Protection |
ü |
|
|
Payment to care providers (Provider Portal) |
|
ü |
|
Liberty protection safeguards |
ü |
|
|
Continuing Healthcare |
|
|
ü |
Public health |
|
ü |
|
Pensions Fund |
|
|
|
Pensions expenditure |
ü |
|
|
Pensions income |
|
ü |
|
Pensions investments |
|
ü |
|
Attendance at pensions board |
ü |
ü |
ü |
Other assurance work |
|
|
|
Follow-up of previously agreed management actions |
ü |
ü |
ü |
Gaining understanding on the evolving systems and processes at the new council |
ü |
ü |
ü |
Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control |
ü |
ü |
ü |
Continuous assurance work, including data analytics and data matching projects |
ü |
ü |
ü |
Attendance at, and contribution to, governance- and assurance-related working groups |
ü |
ü |
ü |