NORTH YORKSHIRE COUNCIL AUDIT COMMITTEE
23 JUNE 2025
ANNUAL REPORTOF THE HEAD OF INTERNALAUDIT
2.0
BACKGROUND
2.1
The work of internalaudit is governedby the Accounts and
Audit Regulations 2015, relevant professional standards, and the
Council’s Internal Audit Charter. Up until the end of
2024/25, these standards included the Public Sector Internal Audit
Standards (PSIAS), CIPFA guidance on the application of those
standards in Local Government, and the CIPFA Statement on the role
of the Head of Internal Audit.
2.2
These standards require the Head of InternalAudit to
presentan annual reportto the Audit Committee. The report must
include an opinion on the adequacy and effectiveness of the
Council’s framework of governance, risk management, and
control.
2.3
The Head of Internal Audit should also contribute to the
preparation of the Annual Governance Statement by identifying any
significant controlissues identified during audit work, and report
any material breaches of the Council’s Financial, Procurement
and Contract, Staff Employment and Property Procedure Rules to the
Audit Committee. Internal audit work undertaken during2024/25 is
the main subject of this report. PSIAS therefore applied to this
work.
2.4
With effect from 1 April 2025, PSIAS were replaced by what
is known as the Global Internal Audit Standards in the UK Public
Sector.This new regimeis made up of the Institute of Internal
Auditors’ Global Internal Audit Standards (GIAS), including
Topical Requirements, and the Application Note: Global Internal
Audit Standards in the UK Public Sector (‘the Application
Note’).
2.5
CIPFA has also produceda ‘Code of Practice for the
Governance of Internal Audit in UK Local Government’
(‘the Code’). The purpose of the Code is to ensure that
the essential conditions for the governance of internal audit can
be met in a local
government context. The Code is intended for local
authorities, being designed to support them in establishing
effective internal audit arrangements and in providing oversight
and support for internal audit.
2.6
The Internal Audit Charteris a key documentgoverning the
Council’s internal audit function. In drafting the updated
Charter, the requirements and expectations of the GIAS, Application
Note, and the Code have been considered and applied.
3.0
ANNUAL REPORTOF THE HEAD OF INTERNALAUDIT
3.1
The annual report of the Head of Internal Audit is attached
at appendix 1. The report includes details of the internal
audit work completed during 2024/25, the annual opinion of the Head
of InternalAudit and the results of the qualityassurance and
development arrangements.
3.2
In additionto providing an opinion, the Head of Internal
Audit is requiredto report on the outcomes of the internal audit
service’s quality assurance and development arrangements.
This is to provide the Committee with reassurance that work
continues to be conform to professional standards. Annex D provides
details on Veritau’s arrangements, confirming its conformance
to the PSIAS during 2024/25 and to the new Global Internal Audit
Standards in the UK Public Sector.
4.0
DRAFT INTERNALAUDIT CHARTER
4.1
Professional standards for internal audit require that the
Head of Internal Audit develops and maintains an internal audit
charter. An internal audit charter addresses the purpose, scope,
positioning, and authority of internal audit, the support it can
expect to receivefrom senior management, its interactions with the
committee, its commitment to adhering to professional standards,
and the arrangements for managing resources and quality.
4.2
The changesto the internal audit standards covered in
paragraphs 2.3 and 2.4 above have required Veritau to update the
Council’s Internal Audit Charter.
4.3
The Council already has well-established arrangements for
internal audit and so only limited changes to the Charter have been
necessary. References to PSIAS have been removed and replacedwith
the GlobalInternal Audit Standards in the UK PublicSector. Some
minorstructural and formatting changes have also been
made.
4.4
The updatesmade to the Charter will result in no changeto
how the internal audit service is delivered to the council. The
draft Internal Audit Charter is attached at appendix
2.
5.0
BREACHES OF PROCEDURE RULES
5.1
As in previous years,breaches of the Council’s
procedures rules may be identified through ongoing internal audit
work.
5.2
Where breaches are identified, it is usually sufficient to
draw the matter to the attention of management for the appropriate
remedialaction to be taken. If a wider training need is identified
this will be addressed accordingly. Finally in thosecases where the
breach identifies a fundamental weakness/deficiency in the
relevant
Procedure Rule this will be addressedseparately as part of
the ongoing review process for all the Council’s Procedure
Rules.
5.3
There were no material breaches of the Procedure Rules
identified during the year although a number of issues were
raisedwith management throughthe normal audit reporting
process.
MAX THOMAS
Head of Internal Audit
Report preparedand presented by Max Thomas,Head of
InternalAudit Veritau - Assurance Services for the Public
Sector
County Hall Northallerton
5 June 2025
Background Papers:
None.
Appendices:
Appendix 1: Annual Head of InternalAudit Report
CONTENTS
2
Background
2
Internal Audit work carriedout in 2024/25
3
Follow up of agreedactions
3
Professional standards
5
Opinion of the Head of InternalAudit
7
Annex A - 2024/25internal audit work
10
Annex B - Summaryof key issues from audits finalised since
the last report to the committee
27
Annex C – Assuranceaudit opinions and finding
priorities
28
Annex D - Internalaudit quality assurance and development
arrangements
Stuart Cutts
Assistant Director– Audit
As
Max Thomas
Head of InternalAudit
Circulation list: Membersof the Audit Committee
Background
1
The work of internalaudit is
governed by the Global Internal AuditStandards in the UK Public
Sector and the Council’s Audit Charter. These require the
Head of InternalAudit to bring an annual report to the Audit
Committee. The report must include an opinion on the adequacy and
effectiveness of the Council’s frameworkof governance, risk
management and control. The report should also include:
(a)
any qualifications to the
opinion,together with the reasons for those qualifications
(including any impairment to independence or objectivity)
(b)
any particular controlweakness
judged to be relevantto the preparation of the annual governance
statement
(c)
a summary of work undertaken to
support the opinion, includingany reliance placed on the work of
other assurance bodies
(d)
an overall summaryof internal
audit performance and outcomes from the internal audit
service’s quality assurance arrangements, including a
statement on conformance with professional standards.
Internal audit work carried
out in 2024/25
2
The 2024/25 internal audit
programme was formally agreed by the Audit Committee on 24 June
2024. During the year audit work has continued to be prioritised
based on risk and the need to provide coverage of the
Council’s framework of governance, risk management and
control.
3
We have continued to promote
good governance, provide advice and support, and make
recommendations to management to help improve controls. We have met
with the Corporate Director Resources (s151 Officer), Assistant
DirectorResources (Deputy s151 Officer), AssistantChief Executive
Legal and Democratic Services (Monitoring Officer), Assistant
Directors, directorate senior managers and other officers on a
regular basis tohelp identify and address governance issues and
concerns,and to ensure audit work has remained targeted towards key
risk areas.
4
In addition to undertaking
specific audits, we have been involved in gathering assurance from
anumber of sourcesto help supportour opinion and to better
understand the Council’s risks and priorities. This work has
included attendance at key governance and operational groupssuch as
the Finance Improvement Board and Corporate Governance Officer
Group (CGOG), and the review of full council, executive and other
key meeting reports. Senior managers at the Council have continued
to support the delivery of internal audit work during
2024/25.
5
The results of completed audit
work have been reportedto relevant officers during the course of
the year. In addition, summaries of all final audit reports have
been presented to the Audit Committee as part of regular progress
reports.
6
A summary of internal audit
work undertaken during the year and relevant to the opinionis
contained in annex A. At the time of writing 14 audits have been
finalised since the previous report to this committee. A further 5
audit reports have been issued to the responsible officers but
remain in draft. We expect those audits to be finalised within the
next month.
7
13 audits relatingto the year
just ended are ongoing.The majority of work on these audits is
complete. We expect to report on the outcomes of this work to the
next meeting of the Committee.
8
Annex B provides details of the
key findings arising from internal audit assignments completed,
that we have not previously reported to the Audit Committee. Annex
C provides an explanation of our assurance levels and priorities
for management action.
Follow up of agreed
actions
9
It is important that agreed
actions are followed up to ensure they have been implemented.
Veritauhas followed up agreed actionsduring the year, taking
account of the timescales previously agreed with management for
implementation.
10
Our work showsthat generally,
good progress has continued to be made by management to address
previously identified control weaknesses. Where improvement actions
are required, management are generally completing these within
acceptable timescales. There are therefore no significant
outstanding actions to report to the Committee at this
time.
Professional standards
11
In order to comply with
professional standards, the Head of Internal Audit is required to
develop and maintain ongoing quality assurance arrangements. The
objective of these arrangements is to ensure that working practices
continue to conform with the standards. A summary of quality
assurance processes and any areas identified for development are
reported to the committee each year as part of the annual report.
The arrangements consist of various elements, including:
maintenanceof a detailed audit procedures manual
and standard operating practices
ongoing performance monitoring of internal
auditactivity regular customer feedback
training plans and associated training and
development activities periodic self-assessments of internal audit
working practices (to
evaluate conformance to the standards)
12
External assessments must be
conducted at least once every five years by a qualified,
independent assessor or assessment team from outside the
organisation. An external assessment of Veritau’s internal
audit working practices was undertaken between June and August 2023
by John
Chesshire, an approved
reviewerfor the Chartered Institute of Internal Auditors (the UK
and Ireland’s local chapter)1.
13
The assessment involveda full
independent validation of Veritau’s own self- assessment of
conformance to the Public Sector Internal Audit Standards (PSIAS),
as well as to the wider International Professional Practices
Framework which governed the performance of internal auditing
globally at the time the assessment was undertaken. The report
concluded that Veritau’s internal audit activity generally
conforms to the PSIAS2 and, overall, the findings were very positive.
14
The feedbackincluded comments
that the internal audit service was highly valued by its clients.
Key stakeholders felt confident in the way Veritau had established
effective working relations, both in our approach to planning and
the way in which we engage flexibly with our clients throughout the
internal audit process, at the strategic and operational
levels.
15
From 1 April 2025, the PSIAS
were replaced by what are known as the Global Internal Audit
Standards in the UK Public Sector. These standards are made up of
the Institute of Internal Auditors’ Global Internal Audit
Standards (GIAS) and the Application Note: Global InternalAudit
Standards in the UK Public Sector (‘the Application
Note’). The Application Note interprets the GIAS, clarifying
how they should be applied in UK public sector
organisations
16
In the UK, the body responsible
for interpreting the GIAS and setting expectations for the
performance of internal audit in the public sector is known as the
Internal Audit Standards AdvisoryBoard (IASAB). The IASAB is made
up of six ‘Relevant Internal Audit Standard Setters’
(RIASS) representing central and local government, and the health
sector. The RIASS for UK local government is the Chartered
Institute of Public Finance and Accountancy (CIPFA). The IASAB
developed the Application Note, releasing it in the early part of
2025.
17
The Global Internal Audit
Standards (from which the Application Note provides its local
government interpretations) were launched on 9 January 2024 and
became effective on 9 January 2025. Veritau has used a GIAS
conformance readiness tool provided by the IIA, alongside the
specific public sector interpretations and requirements of the
Application Note to prepare for the introduction of the new
standards.
18
Our overall assessment is that
Veritauconforms to the Global InternalAudit Standards in the UK
Public Sector. However, we have identified a small number of
actions to help strengthen our ability to demonstrate
this
1
Reported to the Audit Committee in October 2023.
2
PSIAS guidance suggestsa scale of three
ratings,‘generally conforms, ‘partially conforms’
and ‘does not conform’. ‘Generally
conforms’ is the top rating.
conformance and a further set
of actionsto support continuous improvement in service
delivery.
19
Details of Veritau’s
ongoing quality assurance arrangements and the outcomes from our
conformance assessment are set out in annex D.
20
The Internal Audit Charter sets
out how internal audit at the council will be provided in
accordance with professional standards. The charter is reviewed on
an annual basis. Updates to the charter have been made to ensure
that it meets the requirements of the Global Internal Audit
Standards in the UK Public Sector. The Council already has a
well-established internal audit function and so very few changes
have been made to the charter. Those changes which have been made
will have no impact on how the service is delivered. The updated
charter is attached as appendix 2 to the covering report.
Opinion of the Head of
Internal Audit
21
The overall opinion of the Head
of Internal Audit on the framework of governance, risk management
and control operating at the Councilis that it provides
Reasonable Assurance.
22
A Reasonable Assurance opinion
means that, overall, there is satisfactory management of risk
within the Council but with a number of weaknesses identified. An
acceptable control environment is in operationbut there are a
number of improvements that could be made3.
23
The opinion givenis based on
work that has been undertaken directlyby internal audit, and on the
cumulative knowledge gained through our ongoing liaisonand planning
with officers. No reliance was placed on the work of other
assurance providers in reaching this opinion
24
In giving this opinion, there
are two significant controlweaknesses which, in the opinion of the
Head of Internal Audit, need to be considered for inclusion in the
council’s annual governance statement:
Capital scheme management
The Council has a very large
capital programme including many complex schemes which were
inherited from the formerNorth Yorkshire districtand borough
councils.
Our audit of the Claro Road
project in Harrogate identified several significant internal
control weaknesses. The issues included a lack of effective project
management and problems with decision making, governance, project
documentation and budgeting. Further information about this audit
is includedin annex B on pages 10 and 11. Whilstsome of the issues
were linked to decisions made and the project management processes
in place pre-April 2023 (before NYC became responsible for
the
3 Please refer
to annex C for the definitions of other opinionsused by Veritau.
Note that annual opinions use the same definitions as those given
for individual audit engagements.
scheme), similar problems have
been identified with other schemes. The successful delivery of
capital schemes requires effective project and budget management
processes to be in place and for these processes to be applied
consistently. Veritau has worked with officers to support capital
scheme improvement actions with applicability for all schemes which
focus on improving guidance, introducing training and embedding the
application of expected requirements included those as documented
in the Financial Procedure rules, and elsewhere. Three actions are
planned to be completed bySeptember 2025. Projectmanagement
training is planned for completion by 31 March 2026.
Information security
Further improvements are
required to ensure the Council’s IT networks are protected
from external threatsand to ensure compliance with the
Council’s data protection policies. The threat of
cyber-attacks has increased with many councils, schools, NHS bodies
and other agencies suffering incidents in the last year. Ongoing
work has also identified the need to further improve compliance
with the Council’s data protection policies. There have also
been a number of serious data security beaches in the year,
including 8 incidents that have required reporting to the
Information Commissioner’s Office.
Annex A:
InternalAudit work in 2024/25
Final reportsissued
|
Audit
|
Reported to
Committee
|
Opinion
|
|
Early years providers
|
June 2025
|
No opinion given
|
|
Benefits
|
June 2025
|
Substantial Assurance
|
|
Information security compliance reviews
|
June 2025
|
Reasonable Assurance
|
|
IT disaster recovery
|
June 2025
|
Reasonable Assurance
|
|
Climate change
|
June 2025
|
Reasonable Assurance
|
|
Risk management
|
June 2025
|
Substantial Assurance
|
|
Children leaving care
|
June 2025
|
Reasonable Assurance
|
|
Payroll
|
June 2025
|
Substantial Assurance
|
|
Governance arrangements
|
June 2025
|
Substantial Assurance
|
|
Adult social care stage one discussion
process
|
June 2025
|
Substantial Assurance
|
|
Harbours
|
June 2025
|
Reasonable Assurance
|
|
School audit (Risedale School)
|
June 2025
|
Reasonable Assurance
|
|
Cash handling at leisure centres
|
June 2025
|
Reasonable Assurance
|
|
Claro Road project review
|
June 2025
|
No opinion given
|
|
Purchasing cards
|
March 2025
|
Reasonable Assurance
|
|
Schools themed - ring fenced funding
|
March 2025
|
Reasonable Assurance
|
|
Business continuity
|
March 2025
|
Reasonable Assurance
|
|
Health and Social Care personal bank
accounts
|
March 2025
|
No opinion given
|
|
Power of Attorney and Court of Protection
|
March 2025
|
Substantial Assurance
|
|
IT access controls
|
March 2025
|
Reasonable Assurance
|
|
Procurement Act – preparedness
assessment
|
March 2025
|
Substantial Assurance
|
|
School audit (Wheatcroft CP School)
|
March 2025
|
Limited Assurance
|
|
School audit (Overdale CP School)
|
March 2025
|
Reasonable Assurance
|
|
School follow-up audit (East Ayton Primary
School)
|
March 2025
|
No opinion given
|
|
NY Pension Fund – investments
|
March 2025
|
Substantial Assurance
|
|
Early years payments
|
December 2024
|
Reasonable Assurance
|
|
NY Pension Fund – expenditure
|
December 2024
|
Substantial Assurance
|
|
Audit
|
Reported to
Committee
|
Opinion
|
|
NY Pension Fund – income
|
December 2024
|
Substantial Assurance
|
|
ICT asset management
|
December 2024
|
Substantial Assurance
|
|
2 x school follow up audits (Hutton Rudby Primary
School and Fairburn CP School)
|
December 2024
|
No opinion given
|
|
Schools themed audit – business
continuity
|
September 2024
|
Limited Assurance
|
|
CCTV office review
|
September 2024
|
Reasonable Assurance
|
|
Revenue budget monitoring
|
September 2024
|
Reasonable Assurance
|
|
Housing rents
|
September 2024
|
Reasonable Assurance
|
|
Contract management -waivers
|
September 2024
|
Reasonable Assurance
|
|
ICT governance
|
September 2024
|
Reasonable Assurance
|
Audits in progress
|
Audit
|
Status
|
|
Scarborough Waterpark
|
Draft report issued
|
|
Creditors
|
Draft report issued
|
|
Bank reconciliations and suspense
accounts
|
Draft report issued
|
|
Adult direct payments
|
Draft report issued
|
|
Revenues
|
Draft report issued
|
|
HAS financial assessments
|
Fieldwork completed
|
|
Mandatory Training
|
Fieldwork completed
|
|
Housing Rents
|
Fieldwork completed
|
|
Schools themed audit – purchasing
|
Fieldwork completed
|
|
Liberty Protection Safeguards
|
Fieldwork completed
|
|
Performance Management
|
Fieldwork close to completion
|
|
Council companies
|
Fieldwork close to completion
|
|
Arrangements for Social Care
|
Fieldwork in progress
|
|
Contract management - unaccompanied asylum-seeking
children
|
Fieldwork in progress
|
|
Customer complaints
|
Fieldwork in progress
|
|
Management of external funding
|
Fieldwork in progress
|
|
Housing stock
|
Fieldwork in progress
|
|
Children’s Direct Payments
(Education)
|
Fieldwork in progress
|
Other work
completed in 2024/25
|
Internal audit work
has been undertaken in a range of other areas during the year,
including those listed below.
|
|
·
Follow up of agreed management
actions
·
Consultative engagements,
including:
 Financial management system replacement project
(data analysis)  A review of the recently introduced purchase to
pay processes
Grant schemes including UK shared prosperity
fund
Reviewing the new control arrangements for personal bank
accounts
·
Grant certification
work:
Bus Subsidy Operators Grant
Changing Places - 6 separate scheme reviews
Future High Streets Fund - Hambleton
Heritage Action Zone - 3 separate scheme
reviews Library Improvement Fund - Scarborough
Local Enterprise Partnership (LEP) growth
hub Local Transport Plan
Pooling Housing Capital Receipts return
Supporting Families Programme – covering 4 separate
time periods
·
Provision of support and
advice
·
Completing financial
appraisals
·
Certifying Scarborough and
Harrogate Charter Trustee annual returns
Obtaining updates on the
control and risk management arrangements of the Council within the
11 key assurance areas for our annual opinion.
|
Annex B: Summaryof key
issues from auditsfinalised since the last report to the
committee
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
Claro Road
project review
|
No opinion
given
|
The
Claro Road depot project was a scheme specified and procured by
Harrogate Borough Council (one of the former NY
councils). Approval was given for work to commence in February
2023. As work on the scheme progressed it became apparent that the
costs would exceed the approved budget.
The
audit reviewed the causes of the projected overspend on the
project. The aim of the audit was to help NYC to improve
wider project management controls and to feed into
the lessons learnt process.
|
March 2025
|
A
number of areas of improvement covering project management,
decision making, governance, project documentation, budgeting, and
working with consultants were identified.
The
three most senior members of the project team left between March
and October 2023. Roles and responsibilities for key project
management tasks were then not assigned following these
changes.
Project documentation failed to record in sufficient detail
how key decisions were considered, made, and who made them, as well
as how risks were identified and controlled. Consequently, it was
unclear who specifically, and on what basis, made many of the key
decisions.
There
was a lack of clarity about the total budget for the scheme. No
document set out all the approved costs by type, both in the
initially agreed contract or in subsequent variations. Budget
monitoring was also not carried out effectively.
Formal
approval of additional work was carried out by the scheme
consultant and not
|
3 significant
priority actions
were agreed.
Responsible officer(s):
Head
of Project Management, Assistant Director Resources (Corporate) and
Head of Procurement.
We
will review the council’s project management guidance to ensure it provides
clarity for scheme governance, roles, responsibilities, and
decision making.
Project management training will be rolled out and
be made mandatory for those involved in medium/high risk projects.
Budget
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
|
|
by the council. The council had
also not effectively defined or managed the working relationship
with the consultant.
|
manager training
will be reviewed.
More
detailed council arrangements around the use and management of
consultants will be documented, and shared throughout the Council.
Three
actions are planned to be completed by September 2025. Project
management training is planned for completion by 31 March
2026.
|
|
Cash Handling at Leisure Centres
|
Reasonable Assurance
|
At the time of our fieldwork, NYC was in the
process of bringing together leisure services into the in-house
operation, Active North Yorkshire.
Our work reviewed whether:
|
March 2025
|
The
sites reviewed operated with different cash handling procedures and
systems.
However, the Council had plans to standardise these
processes.
Across
all three sites, tills were operated accurately throughout the day,
with clear procedures in place for end-of-day reconciliations. All
three sites used till systems with pre-programmed entries for
centre activities, which significantly reduces
|
3
significant and 3 moderate priority actions were agreed.
Responsible officer(s):
Head
of Sport and Active Wellbeing
Process notes will be reviewed, with
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
·
tills
were operating accurately and securely, with transactions appropriately
recorded and
authorised
·
cashing up and end-of- day procedures were conducted
consistently and effectively,
·
cash
was accounted for, securely stored, and recorded to the general
ledger
·
there was adequate segregation of duties
·
cash payment methods were appropriate and secure methods were
encouraged for large payments.
The audit
covered cash handling
procedures and systems at three
sites.
|
|
the risk of human
error by minimising the need for manual input.
One
centre did not have a documented process for investigating cash
discrepancies. Other improvements to processes were also
highlighted.
Some issues
related to documenting and reconciling the cash floats were found
at the three sites.
Safe
access was well controlled across all three sites, with only
authorised personnel in suitably senior positions permitted
access.
Segregation of duties was generally maintained across all
three sites, with access controls in place to limit
responsibilities based on staff roles. Some improvements were
however recommended.
Officers were
aware of the risks associated with large cash payments and are
trained to promote more secure payment methods for such
transactions.
|
discrepancy
processes extended
where needed and a cash security policy
implemented across all sites.
Standardised and regular management checks will be introduced
for float counts.
The
controls hierarchy will be reviewed to ensure appropriate access
rights for till systems are assigned to the correct delegated
levels.
All
actions were due to be completed by the end of May 2025, and were
in the process of being followed up at the time of writing this
report.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
School audit
(Risedale School)
|
Reasonable assurance
|
A
review of financial and business processes within the school.
|
March 2025
|
A
number of findings were raised relating to the business and
financial management of the school. These have been reported to the
school’s head teacher, central finance staff, governors, and
the local authority.
|
All
actions were due to be completed by the end of May 2025, and were
in the process of being followed up at the time of writing this
report.
|
|
Harbours
|
Reasonable Assurance
|
We reviewed the controls and processes in place to
ensure:
·
the
accurate recording of health and safety incidents, proactive
and reactive monitoring and inspections, fault
reporting and their appropriate
management.
·
all
income due to the Council is promptly collected and accurately accounted.
The audit
reviewed operations specifically at Scarborough and Whitby
harbours. The audit did not
include the
review of compliance with the Port
|
April 2025
|
Responsibility
for health and safety is clearly assigned to the Harbour Master who
holds appropriate qualifications.
The harbours
service has procedures and guidance for the completion of routine
maintenance inspections.
High
risk areas identified in the service risk register are included in
the inspection regime.
Completed inspections and defects identified are recorded
in a service spreadsheet tracker. Defects identified through
inspections are not always being appropriate logged. Records did
not demonstrate defects had been addressed or any follow-up action
taken and recorded for those which were outstanding.
Fees
and charges for harbour users are approved each financial year. The
service does not currently have a completed master record of
periodical income due for each of
|
3 significant,
5
moderate, and 1
opportunity priority actions were agreed.
Responsible officer(s):
Deputy Harbour Master and Ports Business Manager.
The newly implemented Harbour Management Meeting will
include defects as a standing agenda item.
Information will be updated to include the date reported,
date repaired and closure date. Meeting actions will be logged to
provide tracking of outstanding
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
Marine Safety Code and associated reporting, and instead focussed on local
arrangements for maintenance.
|
|
the harbour
locations, and we found significant variations in the expected and
actual income posted for several budget areas.
The
process for raising invoices with accounts receivable (AR) is
sufficiently documented and provides information relating to the
detail required to be prepared and sent to AR to raise an invoice.
However, invoices are not always being raised in the required
timeframes. Officers were unclear on the processes for invoicing
for fishing dues.
Harbours are not receiving aged debt reports. These are not
pursued resulting in outstanding balances totalling £156k at
the time of the audit.
|
defects and other
items discussed.
On
periodic income we currently capture expected income at source for
Whitby and we will implement the same process to capture expected
income at Scarborough and Filey.
The
procedures manual is to be updated to ensure it reflects the ways
of working (for harbours and finance) in respect of invoicing and
work to enable timely invoice requests are made.
Quarterly meetings will be held with Accounts Receivable to review debts
and agree appropriate recovery action.
All
actions are planned to be completed by the end of July
2025.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
Adult
Social Care: Stage one
discussion
process
|
Substantial Assurance
|
A Stage One discussion should take place for all
permanent Residential and Nursing Placements. The scheme of
delegation is a support mechanism for practitioners and managers,
providing a clear rationale for the decision-making
process.
We reviewed the controls that ensure:
·
Stage
One discussions have been appropriately completed and
documented for all permanent residential and nursing placements,
and authorisations were in line with the Scheme of Delegation.
·
Placements requiring assistant director and director-level
sign off were supported by a Scheme of Delegation
|
April 2025
|
Stage
one discussions are completed for all new and increased value
permanent residential and nursing placements.
Our
review of a sample of authorised Stage One discussions confirmed
that, overall, stage one case notes were being recorded and
supporting documents completed appropriately. However, there was
some non-compliance with the process, in particular one case was
missing key supporting documents.
The
cases had been authorised correctly and appropriate consideration
given of the Care Act during decision making.
None
of the cases we tested were declined for financial reasons. Where
further information or funding confirmation was required, interim
decisions had been recorded.
A sample of cases
were reviewed for appropriate scheme of delegation approval during
October and November 2024. There was evidence of completion of the
necessary paperwork for all, except one of the cases.
There were two
cases where consideration forms were not completed and approved in
a timely manner.
|
2 moderate
priority actions
were agreed.
Responsible officer:
Assistant Director Adult Social Care
The
process has now reverted to authorisation at Team Manager level
with the Assistant Director completing sampling of cases. Case
notes will sit with Team Managers solely avoiding any future issues
on incomplete records.
A new
‘pathway for practice’ scrutiny has been introduced.
The long-term aim is for this to reduce timescales for
consideration and approval of these cases and allow for Scheme of
Delegation to be used solely for what it is intended for, financial
authorisations.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
Funding Consideration Form and these complied with the
Scheme of Delegation.
|
|
|
Both actions are
planned to be implemented
by 31
October 2025.
|
|
Governance arrangements
|
Substantial Assurance
|
We reviewed the controls to ensure:
·
The
Constitution and schemes of delegation comply with relevant
legislation with suitable processes to ensure they are
reviewed and remain up to date.
·
Key,
executive and non-executive decisions taken by
Councillors and officers are made in line with the
Constitution and schemes of delegation, and decision records are
made publicly available (where not confidential/exempt).
·
Guidance and training on the decision-making process is provided
to
Councillors and
|
April 2025
|
The
Constitution is compliant with relevant legislation, outlining
adequate processes for decision-making at the council. It has been
subject to regular review since it was adopted in April
2023.
However, not all schemes of sub-delegation have been
reviewed since their publication in April 2023. The Constitution
does not clearly define frequency and responsibility for review or
whether schemes should be published.
Key
decisions were found to have been taken by individuals with
appropriate delegated authority, decisions records had been
published and were included in the forward plan. However, not all
notices required by the Constitution for urgent decisions or
private meetings were available or published on the Council
website.
There is suitable
guidance available on the Council's intranet regarding the
Constitution and decision-making processes. Training, support and
advice is provided to officers across the directorates and to
Councillors by Legal & Democratic Services on an ad-hoc
or
|
2 moderate and 2
opportunity priority actions were agreed.
Responsible officer(s):
Assistant Director Legal
Operations
Head of
Democratic Services
and Scrutiny
Schemes of sub- delegation will be reviewed and published for the start of the
financial year. They will then be updated as and when required, or
at least annually.
Reminders will be sent to staff about the process for
publishing notices for urgent decisions and private meetings.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
officers, is kept up to date and remains accessible.
·
Committee reports are appropriately prepared and approved, and contain
clear information on the implications of the decisions.
·
Suitable call in arrangements and processes are in place to
enable effective scrutiny of decisions made by
Councillors.
|
|
by-request basis. Guidance and
a checklist to aid report writing are available to
officers.
There
is a corporate reporting template in place which includes mandatory
consideration of legal, financial and equalities implications.
However, there is no version control or review dates for
this.
|
All actions were
due to be completed by the end of April 2025, and were in the
process of being followed up at the time of writing this
report.
|
|
Payroll
|
Substantial Assurance
|
We
reviewed the controls in place to ensure
·
the
payroll run is complete and accurate, conducted correctly, and
includes relevant exception reporting and receives suitable authorisation.
·
changes to payroll are applied correctly including
accurate
|
May 2025
|
There is an
established and documented process in place for conducting the pay
run supported by appropriate polices, documents and
checklists.
The
pay run processes were being followed each month. However,
evaluation of the process for a sample of months identified that
some pay run elements were not always signed and dated by
administrative officers and that some reports that are no longer
required remained on the checklist.
|
One moderate priority action was agreed.
Responsible officer(s):
Corporate and
Partners payroll manager
Payroll Team Leaders will review the processes included in the run
sheets and remove any tasks no
longer
required.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
processing of
starters, leavers, travel claims, maternity pay, and sick pay.
|
|
Testing confirmed
that a suite of reports, including exception reports, are run each
month to allow a comprehensive check of the payroll to be carried
out.
Anomalies are checked or investigated, although on occasion
it is not aways possible to check every anomaly due to the volume
of data generated. In those instances, certain anomalies are
prioritised for checking. A salary difference report is run each
month, and this is used to identify any high percentage differences
between the previous and current pay received by an employee, which
are then checked.
A
review of the processes for new starters, leavers, mileage claims,
maternity and sickness payments confirmed that they had been
completed in a timely manner and in line with the agreed procedure,
and that documents were retained for future reference in personnel
case notes. Testing identified that, where overpayments had been
made, the recovery process had been initiated appropriately in the
cases observed.
|
Payroll Team
Leaders will remind all staff of the need to sign off task
sheets.
The action was
due to be completed by the end of May 2025, and were in the process
of being followed up at the time of writing this report.
|
|
Children Leaving Care
|
Reasonable Assurance
|
The Council has set out what care leavers can
expect to receive from the
|
May 2025
|
The
Council’s pathway plan template was reviewed against relevant
guidance and found to cover all the key expected areas.
|
1
significant priority and 5 moderate priority actions was
agreed.
Responsible officer:
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
Council in terms of support.
We reviewed the Council’s arrangements in
place to ensure:
·
Care
leavers had an up-to-date pathway plan that was compliant with relevant policies and procedures.
·
Care
leavers were provided with a personal adviser, and reasonable steps were taken to maintain contact.
·
All
purchasing card expenditure was approved, made in accordance with
relevant financial procedures, and was appropriate to the circumstances of the service user.
|
|
Pathway plans
were in place for all individuals tested.
Some
improvements could be made to the completion of the pathway plans.
Some plans did not contain sufficient detail around goal setting.
Some sections were blank, and it was unclear whether these were
blank as not being required, or left incomplete for other
reasons.
All young people
sampled had a personal adviser assigned. There had been regular in-
person visits by personal advisers to young people in the
service.
There were no
equalities monitoring to mitigate the risks of discrimination and
reduced accessibility to services for young people with protected
characteristics.
The
Leaving Care Service produce performance information but did not
provide evidence of reporting to the Performance Board.
All
purchase card payments reviewed were in line with allowable areas
of spend per the Councils financial offer to care leavers. In one
instance a payment of £942 was in excess of the card
limit.
|
Team Manager Leaving
Care.
The
service is in the process of improving the paperwork pulled from
the system that is given to young people. This will help to ensure
information not required in the plan is
omitted.
The
service will take advice and ensure equalities monitoring is set up as per other services
within CYPS.
Regarding the purchase card transaction - discussions will
take place with Exchequer on how these transactions have been made
and we will implement controls to mitigate the risk of this
happening again in the future.
All
actions are planned to be completed by 30 September
2025.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
Risk Management
|
Substantial Assurance
|
We
reviewed the Council’s systems and processes to ensure:
·
arrangements are in place for identifying, managing and
reporting risks, in line with corporate requirements.
·
staff
involved in risk management are aware of, and comply with, their
responsibilities.
·
actions to reduce and mitigate risks are clearly assigned
to responsible
officers and progress is monitored.
|
May 2025
|
There
are suitable arrangements in place for identifying, assessing,
recording and reporting risks. These requirements are clearly
detailed in the Council's risk management procedures.
Risk
management processes were reviewed in a number of directorates. We
found appropriate support and challenge was provided regarding risk
analysis. Key risks had been escalated.
Key processes were being
undertaken in line with policy and procedures.
All
risks included within risk registers reviewed had identified
mitigating actions, responsible officers and timescales for
implementation. Actions appeared suitable to help to mitigate
risks. There was evidence of actions being monitored and updated at
risk register reviews, including the use of percentage completion
rates.
Elected Members are not currently provided with information
on risk management at the Council as part of their
induction.
|
1
moderate priority action has been agreed.
Responsible officer: Risk
manager
An
overview of risk management within the Council will be developed
for inclusion in the Member Induction that is being prepared for
the May 2027 Council elections.
This
action is expected to be completed by 31 October 2025.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
Climate Change
|
Reasonable Assurance
|
The
Council’s Climate Change Strategy covers three key themes of
mitigation, adaptation and supporting nature. It sets out key
arrangements to manage, monitor and report on strategy delivery
including a Climate Change Action Plan.
Our work reviewed
arrangements to ensure:
·
suitable and effective monitoring and reporting arrangements are in place to support
strategy delivery
·
the
Climate Change Action Plan is in place, up to date, is supported by
directorate and service- level plans, and aligns to
ISO Net Zero Guidelines.
·
consideration of climate change is
embedded in the council’s decision- making process,
risk
|
June 2025
|
We
found the council has monitoring and reporting arrangements in
place which support the delivery of the strategy.
Climate change is included on the Council’s corporate
risk register which highlights the importance of the issue to the
council, its directorates and the public, and the challenges of
achieving carbon neutrality by 2030.
Both
the strategy and delivery pathway (action plan) documents were
mainly in-line with the Net Zero guidelines although further detail
could be added in some areas. The strategy covers the
council’s long term and short-term goals regarding climate
change and its approach to becoming Net Zero by 2030.
The
main area for improvement was the lack of climate change related
KPIs currently in place. Data reported by the Council is not set
against any targets meaning it is difficult to accurately assess
progress. Whilst the climate change strategy and delivery pathway
exist; these are not aligned to KPI’s.
Climate change consideration was evident within
all levels of the Council’s decision- making process.
Strategy officers within each directorate help ensure climate
change is
|
1
significant priority and 3 moderate priority actions were
agreed.
Responsible officer:
Climate Change Strategy Manager
The
Climate Change Strategy Manager will liaise with the Transformation
team regarding the roll out of KPIs in relation to the Climate
Change Strategy which will include KPIs such as Waste Recycling
Figures and Electric Vehicle Charging Roll out. A dashboard style
of reporting will be considered for the Transport, Economy,
Environment and Enterprise Overview and Scrutiny committee.
A section on climate change will be written for
the new induction module, which will be
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
registers and
promoted through training for officers
and Councillors.
|
|
part of discussion and decision
making, and climate change is considered as part of every project
proposal.
Online
climate change training is available via the learning zone to all
staff and Members within the council. The training is not mandatory
and there was currently a lack of training available for staff
regarding how to appropriately assess potential climate change
impacts and to correctly complete the climate change impact
assessments.
Two other
improvements were highlighted regarding directorate climate change
action plan reporting and spreadsheet reporting to the Transport,
Economy, Environment and Enterprise Overview and Scrutiny committee
were made.
|
mandatory training for
all
new starters.
Support will also be made available for staff who require
assistance with the production of climate change impact
assessments.
The
Climate Change Strategy Manager will liaise with the transformation
team regarding the performance
management tool
that will assist in the
creation of uniform climate change action plans for the
directorates.
All
actions are planned to be completed by 31 October 2025.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
IT disaster
recovery
|
Reasonable Assurance
|
We
reviewed the Council’s arrangements to ensure:
·
disaster recovery roles and responsibilities are clearly documented and updated,
with assigned alternatives identified across the IT network
·
plans
are in place to ensure the recovery of systems and data within the
Council’s recovery
time objective following an
incident
·
backups are taken in line with the Council’s recovery objectives,
data is available for restoration and backups are stored
securely
·
lessons learned from a recent cyber-attack have been incorporated within Council policy
and procedures.
|
June 2025
|
The
Council has an incident management plan and disaster recovery plan
that covers all areas of information security framework ISO 27001
and IT service management framework ISO 20000.
The
Council’s backup schedule takes into account the criticality
of the data before being backed up. Business critical data is
backed up every 24 hours. There is a full log of backups and alerts
are received if there are any issues when taken. The Council has
layers of security controls in place to protect the backups from
malicious actors and malware such as ransomware. Whilst the Council
has tested restoring individual servers from backups, they have not
carried out a full service back up.
The incident
management plan was followed during a high-profile incident in the
first quarter of 2024. Lessons learnt have been enacted and these
actions should help to reduce the chance of a similar incident from
occurring again.
The Council has
high-level incident response plans in place. However, there is a
lack of detailed incident response playbooks to support those
plans.
|
1
significant priority and 1 moderate priority action was
agreed.
Responsible officer:
Head of
Technology Architecture & Infrastructure
The
need to be able to test full-service back- ups has been
identified.
Technology is waiting for an environment to be built to
allow for testing. Once built, a testing program will be introduced
for those services deemed business critical.
Incident response playbooks will be created for critical areas.
Both
actions are planned to be completed by 31
December 2025.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
Information security
compliance reviews
|
Reasonable assurance
|
Unannounced audit visits were made to NYC offices. The
visits are intended to assess the extent to which personal and
sensitive data is being held and processed securely. The visits
also consider general security and the security of assets,
particularly mobile electronic devices and other portable
equipment.
We visited three separate sites between March and
May 2025.
|
June 2025
|
In two
of those visits, we found no instances of personal and/or sensitive
information being left unsecured. All cupboards and key cabinets
were secured, and desks were clear. We also did not find any
instances of unsecured assets (laptops, phones, tablets
etc).
At the
third visit, documents containing personal or sensitive data and
physical assets have not been adequately secured. Keys and badges
were also found which presented potential security
risks.
|
1 significant priority action was agreed.
Responsible officer:
Head
of Information and Cyber Security
We
will engage and work with Property/Facilities Officers,
resident staff, and business leads with responsibilities and
accountabilities, to:
·
improve the secure environment,
·
provide tailored learning
·
manage risks
A
delivery plan will be agreed, and we will provide an update report
to Corporate Information
Governance Group in
November 2025.
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
Benefits
|
Substantial Assurance
|
We
reviewed the Council’s arrangements to ensure:
·
Applications for Housing Benefit and Council Tax Reduction
are processed promptly and accurately.
·
Payments are made promptly
·
Procedures exist to minimise the number of
overpayments
·
Effective monitoring of the calculation
of entitlements,
overpayments and adjustments is undertaken
|
June 2025
|
Monthly reporting to management helps to monitor the speed
of applications. The time to process new claims and changes in
circumstances in 2024/25 were in line with council
targets.
Appropriate
system controls were in place ensuring National Insurance Numbers
should only be included in more than one claim in appropriate
circumstances.
Expected internal checks to assessments and adjustments had
been undertaken and were supported by appropriate
records.
Testing showed payments being made in line with expected
timescales.
Overpayments were subject to regular monitoring
and document types which are likely to create an overpayment being
prioritised and being assessed first.
|
No management
actions.
|
|
Early
Years provider checks
(Spring Term)
|
No opinion
|
The
council is required by the Childcare Act to ensure all eligible
children can take up their funded childcare place free of charge at
any childcare provider who chooses to be registered for
funding.
Our
work reviewed a sample
of invoices from
|
June 2025
|
Two providers met
both the compliance and best practice standards. A further three
were found to be compliant with the minimum requirements, but did
not demonstrate best practice.
The
remaining providers were found to not be compliant with the minimum
expected requirements; namely, that they did not adequately split
the funded and non-funded
|
1
significant priority, 2 moderate priority actions and 1
opportunity action were agreed.
Responsible officer: Head of Finance –
Schools, Early Years & High Needs
|
|
System /area
|
Opinion
|
Area reviewed
|
Date
issued
|
Comments
|
Management actions
agreed
|
|
|
|
across ten early years
providers to assess compliance with both government and council requirements.
|
|
hours so that
parents can clearly see how these have been applied.
|
A formal warning
letter will be issued to providers where invoicing was not
compliant with the requirements of the North Yorkshire Early Years
Funding Agreement. A follow up compliance check will be undertaken
with providers where significant concerns have been
identified.
Guidance and
briefings will continue to be provided to early years providers on
the required format and content for invoices.
Actions are planned to be completed by 31 October
2025.
|
Annex C: Assurance audit opinions and finding
priorities
|
Audit
opinions
|
|
|
Audit
work is based on sampling transactions to test the operation of
systems. It cannot guarantee the elimination of fraud or error. Our
opinion is based on the risks we identify at the time of the audit.
Our overall audit opinion is based on four grades of opinion, as
set out below.
|
|
Opinion
|
Assessment
of internal control
|
|
Substantial assurance
|
Overall, good management of risk with few weaknesses
identified. An effective control environment is in operation but
there is scope for further improvement in the areas
identified.
|
|
Reasonable assurance
|
Overall, satisfactory management of risk with a number of
weaknesses identified. An acceptable control environment is in
operation but there are a number of improvements that could be
made.
|
|
Limited assurance
|
Overall, poor management of risk with significant control
weaknesses in key areas and major improvements required before an
effective control environment will be in operation.
|
|
No
assurance
|
Overall, there is a fundamental failure in control and
risks are not being effectively managed. A number of key areas
require substantial improvement to protect the system from error
and abuse.
|
*There are circumstances when it is not
appropriate to give an opinion/assurance level on completed
work,for example on project and other targeted support,
consultancy, grant certification and follow up work. In these
instances a ‘No opinion’ will be given.
|
Finding
ratings
|
|
|
Critical
|
A
fundamental system weakness, which presents unacceptable risk to
the system objectives and requires urgent attention by
management.
|
|
Significant
|
A significant system weakness, whose impact or
frequency presents risks to the system objectives, which needs to
be addressed by management.
|
|
Moderate
|
The
system objectives are not exposed to significant risk, but the
issue merits attention by management.
|
|
Opportunity
|
There
is an opportunity for improvement in efficiency or outcomes but the
system objectives are not exposed to risk.
|
Annex D: InternalAudit
Quality Assurance and Development Arrangements
1.0
Background
Ongoing qualityassurance
arrangements
Veritau maintainsappropriate
ongoing qualityassurance arrangements designed to ensure that
internal audit work is undertaken in accordance with relevant
professional standards. From April 2025 those standards are the
Global Internal Audit Standards in the UK Public Sector. Quality
assurance arrangements include:
p the maintenance of a detailed audit procedures
manual
p the requirement for all audit staff to conform to
a Code of Ethicsand Standards of Conduct Policy
p the requirement for all audit staffto complete
annualdeclarations of interest
p detailed job descriptions and competency
profilesfor each internalaudit post
p regular operational 121 meetings for all
auditors,to review progresswith audit engagements, and formal 121s
that include discussion of overall performance
p induction programmes, training plans and
associated training activities
p attendance on relevant coursesand access to
e-learning material
p the maintenance of trainingrecords and
trainingevaluation procedures
p membership of professional networks
p agreement of the objectives, scope and
expectedtimescales for each audit engagement with the client before
detailed work commences (audit specification)
p the results of all audittesting and other
associated work documented in a structured format using our audit
management system – K10 Vision
p file review by senior auditorsand audit
managersand sign-off at each stage of the audit process
p the ongoing investment in tools to support the
effective performance of internal audit work (for example data
interrogation software)
p post audit questionnaires (customer satisfaction
surveys)issued following each audit engagement
p regular client liaisonmeetings to discussprogress,
share information and evaluate performance.
On an ongoingbasis, completed
audit work is subject to internal peer review by a Quality
Assurancegroup. The reviewprocess is designedto ensure audit work
is completed consistently and to the requiredquality standards. The
work of the Quality Assurance group is overseen by an Assistant
Director. Any key learning points are shared with the relevant
internal auditors and audit managers. The
Head of Internal Audit will
also be informed of any general areas requiring improvement.
Appropriate mitigating action will be taken where required(for
example, increased supervision of individual internal auditors or
further training).
Annual self-assessment
On an annual basis, the Head of
Internal Audit will seek feedback from each client on the quality
of the overall internal audit service. This includes surveys
targeted at senior officersand chairs of audit committees. The Head
of Internal Audit also undertakes an annual self-assessment against
internal audit standards. A hybrid approach to self-assessment has
been taken this year, as a result of the change in the internal
audit standards regime from April 2025.
Further information about this
year’s approach is set out below. As part of ongoing
performance management arrangements, managersand auditors assess
current skills and knowledge against the competency profiles for
internal audit roles. Where necessary, further training or support
will be provided to address any development needs.
The Head of Internal Audit and other members of the
internalaudit management team also participate in various
professional networks and obtain information on operating
arrangements and relevant best practice from other similar audit
providers for comparison purposes.
The results of annual client
surveys, self-assessment against the standards, professional
networking, and ongoing quality assurance and performance
management arrangements are used to identify any areas requiring
further development or improvement. Actions required are reflected
in Veritau business plans, the Veritau internal audit strategy, and
individual personal development plans as appropriate. Any specific
changes needed to address conformance with professional standards
are reported to the Audit Committee as part of the annual report of
the Head of Internal Audit. The report also summarises other
development activity planned to enhance the delivery of the
service.Information gathered for quality assurance and development
purposes is also used to evaluate overall conformance with internal
audit standards.
External assessment
At least once every five years,
arrangements must be made to subject internal audit working
practices to external assessment to ensure the continued
application of professional standards. The assessment should be
conducted by an independent and suitably qualified person or
organisation and the results reported to the Head of Internal
Audit. The outcome of the external assessment also forms part of
the overallreporting process to each client.Any specific areas
identified as requiring further development and/or improvement will
be incorporated into current development plans.
2.0
Customer
satisfaction survey 2025
In March2025 we asked clients for feedback
on the overallquality of the internal audit service provided by
Veritauduring the preceding year.Where relevant, the survey also
asked questions about counter fraud and information governance
services. A total of 188 surveys (2024 – 173) were issued to
senior managers in client organisations. A total of 32 responses
were received representing a response rate of 17% (2024 –
10%). Respondents were asked to rate the different elements of the
audit process as either excellent, good, satisfactory or
poor.
Respondents were also asked to provide an
overall rating for the service. The results of the survey are set
out in the charts below. These are presented as percentages, for
consistency with previous years. However, it is recognised that the
relatively low number of respondents means that the percentage for
each category is sensitive to small changes in actual responses (1
respondent represents about 3%).
Quality of audit
planning / coverage
Provisionof advice / guidance
Staff conduct
& professionalism
Abilityto establish positive rapport
Knowledge of area being audited
Minimisingdisruption for area being audited
Communication of
issues during audit
Qualityof feedback at end of audit
Accuracy / format
/ length / style of report
Relevance of audit opinions &conclusions
Overall rating
for the Internal Auditservice
Excellent 
Good
Satisfactory 
Poor
The overall ratingsin 2025 were:
|
|
2025
|
2024
|
|
Excellent
|
18
|
56%
|
7
|
44%
|
|
Good
|
12
|
38%
|
8
|
50%
|
|
Satisfactory
|
2
|
6%
|
1
|
6%
|
|
Poor
|
0
|
0%
|
0
|
0%
|
The feedback showsthat the
majorityof respondents continueto value the service being
delivered.
3.0
Self-assessment againstaudit standards 2025
The Accounts and Audit
Regulations 2015 require internal auditors working in local
government to take into account public sector internal auditing
standards or guidance. Up to 31 March 2025, the relevant standards
were the Public Sector Internal Audit Standards (PSIAS). CIPFA (who
are responsible for setting internal audit standards for local
government) have adopted new standards that apply from 1 April
2025. These are the Global Internal Audit Standards in the UKPublic
Sector – or GIAS (UK Public Sector)4.
Internal auditors working in local government are expected to apply
the new standards from April 2025.
In previous years Veritau has
used a checklist published by CIPFA to assess conformance with the
PSIAS. This is no longer appropriate following the change in
standards. However, no equivalent checklist for assessment against
the new standards has yet been published. For the self-assessment
undertaken in April 2025, we have used documentation published by
the Institute of Internal Auditors to prepare for the introduction
of the new standards. This highlights areas of the GIAS that are
changing and where updatesto current arrangements may need to be
made. We have also considered any changes required by the
introduction of the new Application Note. We intend to undertake a
further full
|
|
 |
4
The GIAS (UK Public Sector)comprises the Instituteof
Internal Auditors’Global Internal Audit Standards (GIAS) and
the Internal Audit Standards Advisory Board’s Application
Note: Global Internal Audit Standards in the UK Public Sector
(referred to as the Application Note). The Application Note
interprets the GIAS for the UK public sector.
assessment against the new
standards later in 2025/26,once further guidance on assessing
conformance is available.
The self-assessment has
identified two actions requiredto address areas of partial
conformance with the standards. These were:
p To update current internal audit charters to
address various requirements of the new standards. For example, the
need to set out the internal audit mandate and to clarify the roles
of senior managersand the Audit Committee in championing the role
of internal audit.
p To
introduce a new survey of chairs of audit committees (or
equivalent) to address requirements for the committees to provide
input on internal audit performance.
A new charterhas been
preparedand is included as part of the agenda for the current
committee, for approval. A survey of chairs of audit committees has
been issued. However, the survey is still open and responses are
still being received. Once complete, the resultswill be analysed
and any actions required will be addressed as part of ongoing
development plans.
The self-assessment has
highlighted a number of other actionsthat are not required to
comply with the standards – but which will help to improve
the service. These will be taken forward as part of our existing
internal audit strategy. Further information on development
activity is included below.
4.0
External
Assessment
As noted above, the PSIAS
requiredthe Head of Internal Auditto arrange for an external
assessment to be conducted at least once every five years to ensure
the continued application of professional standards. This
requirement continues under the GIAS (UK Public Sector). The
assessment is intended to provide an independent and objective
opinion on the quality of internal audit practices.
An external assessment of
Veritau’s internal audit working practices was undertaken in
summer 2023, by John Chesshire, an approved reviewer for the
Chartered Institute of Internal Auditors. The report concluded that
Veritau internal audit activity ‘generally conforms’ to
the PSIAS5 and, overall, the findings of the review were very
positive. The feedback included comments that the internal audit
service was highly valued by its member councils. Key stakeholders
felt confident in the way Veritau had established effective working
relations, both in our approach to planning, and the way we
engageflexibly with our clients throughout the internal audit
process, at both strategic and operational levels.
The outcomes from the
externalassessment were reportedto this committee in October 2023.
The assessment was based on the PSIAS. Many of the requirements
under the new standards are the same or similar, and we
can
5 PSIAS guidancesuggests a scale of three ratings,
‘generally conforms, ‘partially conforms’and
‘does not conform’. ‘Generally conforms’ is
the top rating.
therefore continue to place
reliance on the previous report. However, a further external
assessment against the new standards will need to be carriedout in
the next three years.
5.0
Development plans
Overall, the internal audit
services provided by Veritau continue to meet the requirements of
professional standards. However, we recognisethat the pace of
change in local government and the wider public sector mean that
there is a need to continually review and update aspects of our
service to ensure it stays up to date and continues to deliver good
value.
We first introduced an internal
audit strategy in 2021. The strategy identified priorities for
developing the service and actions to deliver continuous
improvement. As a result of that we have changedmany aspects of the
service in the last four years. Key successes include:
p audit planning – we have become better at
defining the areas we need to focuson (including councilspecific
risks and objectives) and we’ve introduced new arrangements
for capturing and assessing information on the council’s
operations
p work planning – introducing flexible
arrangements that help us focus upcoming audits on areas that are
most important and allow us to change course quickly when
priorities change
p reporting – ensuringthat key information is
available to clients to understand audit priorities and
outcomes
p implementation of a new audit management system
(K10) – the new system uses the latest technology, offers
improved functionality, and is supporting development activity
across a range of areas.
We have also tried a few things
which did not deliver the expected outcomes. We have used the
experience gainedto improve core audit activities and ways of
working.
The lateststrategy (2025 to
2027) was adopted in January 2025. It sets out areas we are
prioritising for development over the next three years. These
include the following:
p focussing on the development of high value
assurance techniques and expertise. For example, the use of data
analytics to provide increased understanding of clients’
operations and the use of artificial intelligence tools to increase
efficiency and insights. Developing our knowledge of opportunities
and risks associated with AI will also help us to support client
adoption of new technologies.
p further development of systems for planning,
prioritising and reporting audit work to ensure work is targeted to
the areas of highest importance for our clients, our internal
processes are as efficient as they can be, and the clarity and
usefulness of reports is maximised.
p use of the new K10 audit system to
improvefunctionality for the delivery of audit work and the
production of management information. We want to use the system to
streamline follow up activity, and further develop internal
management processes. This will help us to better understand and
manage audit workflows, improve service delivery, and inform
performance management arrangements.
To achievethese priorities, we have focusedactions
in the following key areas:
p embedding a strategicapproach to work programme
development and the use of the audit opinion framework
p redesigning and modernising our audit
workingpractices (including assignment planning and
reporting)
p further developing our use of data analytics
p developing our key performance indicators and the
measures of added value Quality assurance group
The internal audit quality
assurance group has recently reported on their 2024/25 activities.
They were aimingto assess how well core audit practiceshad been
adopted and applied using the new K10 system by looking at a sample
of completed audit files. They found that overall, core working
practices had translated well to the new system. Strengths included
the following:
p the completeness of files and file reviewprocesses
– information expected to be on file was included and files
had been signedoff by relevant supervisors.
p good documentation of engagement with officers
when planning individual audits and agreement of the scope and
objectives of work.
p good use of new systemfunctionality to recordthe
systems auditedand linked to this, the tests to be
undertaken.
p assignment of the priorities to issues foundand
overall opinionswere in line with expectations, and key findings
were well documented.
A few areas requiringimprovement were found.These
included:
p the need to better documentthe analysis and
conclusions reachedduring the planning stage of each audit, and
discussions with clients at the end of each audit
p improvements needed to cross referencing documents
within the system between related piecesof work – this may
require a review of current system set up and training
p a need to better documentconclusions directly
withinK10, to increase the efficiency of report generation from the
system.
These issues have been flagged
for further actionthrough system development, whole team training
and feedback to individual auditors where required.
Improvement
actionsidentified during self-assessment
As noted above, we have identified a number of
areas for improvement while undertaking the annual self-assessment.
These do not represent non- conformance with standards but will
help us to improve the service. Continuous improvement actions
identified included the following:
p review existing auditorcompetency profiles to ensure
adequatecoverage of the auditor competencies identified in the
GIAS
p strengthen the analysis of outcomes from routine training
delivered, to ensure it met objectives and any furtheraction or
trainingrequired was identified
p undertake additional training for auditorson professional
scepticism
p ensure routine trainingdelivered clearly
highlights links to the relevant professional standards being
covered
p review coverage of value for money considerations
in the audit manual, and ensure adequate coverage in routine
training
p review the presentation of annual conclusions to
assess whetherdifferent approaches could present clearer
insights
These actions will be
integrated into the internalaudit strategy actionplan.
6.0
Overall
conformance with standards
Based on the overall outcomes
from quality assurance and development planning arrangements, the
Head of Internal Audit considers that the internal audit service
conforms to Global Internal Audit Standards in the UK Public
Sector.
North Yorkshire Council Internal Audit Charter
April 2025
1
Purpose and commitment to
professional standards
1.1
The
purpose of the internal audit service is to strengthen North
YorkshireCouncil’s ability to create, protect, and sustain
value by providing the Audit Committee and senior management with
independent, risk-based, and objective assurance, advice, insight,
and foresight.
1.2
The
internalaudit service enhancesNorth Yorkshire Council’s
·
successful achievement of its objectives
·
governance, risk management, and
control processes
·
decision-making and
oversight
·
reputation and credibility with its stakeholders
·
ability to serve the public interest.
1.3
North
Yorkshire Council’s internal audit service is most effective
when:
·
Internal auditingis performed by competent
professionals in conformance with The Institute of Internal
Auditors’ Global Internal Audit Standards (UK public
sector).
·
The internalaudit service is independently
positioned, with direct accountability to the Audit
Committee.
·
Internal auditorsare free from undue influenceand
committed to making objective assessments.
1.4
North
Yorkshire Council can expect to see its internal audit service
demonstrate integrity, competence, and due professional care, align
with its strategies, objectives, and risks, demonstrate quality and
continuous improvement, be insightful, proactive, and
future-focused, communicate effectively, and contribute to
organisational improvement.
1.5
North
Yorkshire Council’s internal audit service will adhere to the
mandatory elements of The Institute of Internal Auditors'
International Professional Practices Framework, which are the
Global Internal Audit Standards in the UK Public Sector and
TopicalRequirements. The chief audit executive will report
annuallyto the Audit Committee and senior management regarding the
internal audit service’s conformance with the standards,
which will be assessed througha quality assurance and improvement
programme.
2
The internal audit mandate
2.1
There
is a statutory duty on the council to undertake an internal audit
of the effectiveness of its risk management, control and governance
processes. The Accounts and Audit Regulations 2015 also requirethat
the audittakes into account public sector internal auditing
standards or guidance. The Chartered Institute of Public Finance
and Accountancy (CIPFA) is responsible for setting standards for
proper practice for local government internal audit.
2
2.2
CIPFA
has determined that the Global Internal Audit Standards are a
suitable basis for the practice of internal auditingin UK local
government, subjectto interpretations and requirements set out in
its application note1. Taken together, the
Global Internal Audit Standards and the application note represent
proper practice for internal audit in local government. This
charter sets out how internal audit at North Yorkshire Council will
be provided in accordance with this proper practice.
2.3
The
charter should be read in the context of the wider legal and policy
framework which sets requirements and standards for internal
audit,including the Accountsand Audit Regulations, the application
note, the code of practice2, and the council’s
constitution, regulations and governance arrangements.
3
Definitions
3.1
The
GlobalInternal Audit Standards define internal auditingas
follows:
“Internal auditing is an independent, objective
assurance and consulting activity designed to add value and improve
an organisation’s operations. It helps an organisation
accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk
management, control and governance processes.”
3.2
The
Global Internal Audit Standards includereference to the roles and
responsibilities of the “board” and “senior
management” in relation to the governance of internal audit.
Each organisation is required to define these terms in the context
of its own governance arrangements. For the purposesof the Global
Internal Audit Standards in the UK Public Sector (hereon in
referred to as the “GIAS (UK public sector)”) these
terms are defined as follows at North Yorkshire Council.
“Board”– the Audit Committee fulfilsthe
responsibilities of the board in relationto internal audit
standards and activities.
“Senior Management” – in the majority of
cases, the term seniormanagement in the GIAS (UK public sector)
should be taken to refer to the Corporate Director of Resources in
their role as Chief Finance Officer. This includes all functions
relating directly to overseeing the work of internal audit. In
addition, senior management may also refer to any other director of
the council individually (including the Chief Executive, and Deputy
ChiefExecutives) or collectively as the Council’sManagement
Board) in relation to GIAS (UK public sector) requirements
for:
·
internal audit to have direct and unrestricted
accessto senior management for reporting purposes
·
consulting on risks affecting the council for audit
planningpurposes
·
approving the release of information arisingfrom audit work
to any third party.
3.3
The
GIAS (UK publicsector) also refer to the “chief audit
executive”. This is taken to be the Head of Internal Audit
(Veritau).
1 Application Note:Global Internal Audit Standards in the UK
Public Sector
2 CIPFA Code of Practicefor the Governance of Internal Audit
in Local Government
3
4
Scope of internalaudit
activities
4.1
The
scope of internal audit work will encompass the council’s
entire control environment3, comprising its systems
of governance, risk management, and control.
4.2
The
scope of audit work also extends to services provided through
partnership arrangements, irrespective of what legal standing or
particular form these may take. The Head of Internal Audit, in
consultation with all relevant parties and taking account of audit
risk assessment processes, will determinewhat work will be carried
out by the internal audit service, and what reliance may be placed
on the work of other internal and external providers of assurance
and advisory services auditors.
5
Responsibilities and
objectives
5.1
The
Head of InternalAudit has the responsibility to:
·
At
least annually, develop a risk-based internal audit work programme
that considers the input of the Audit Committee and senior
management. Discuss the work programme with the Audit Committee and
senior management, and submit the programme to the Audit Committee
for review and approval.
·
Communicate the impact of resource limitations on
the internalaudit work programme to the Audit Committee and senior
management.
·
Review and adjust the internal audit work
programme, as necessary, in response to changes in North Yorkshire
Council’s business, risks, operations, programs, systems, and
controls.
·
Communicate with the Audit Committee and senior
management if there are significant interim changes to the internal
audit work programme.
·
Ensure internal audit engagements are performed,
documented, and communicated in accordance with the GIAS (UK public
sector) and relevant laws and/or regulations.
·
Follow
up on engagement findings and confirm the implementation of
recommendations or action plans and communicate the results of
internal audit services to the Audit Committee and senior
management periodically and for each engagement, as
appropriate.
·
Ensure
the internal audit service collectively possesses or obtainsthe
knowledge, skills, and other competencies and qualifications needed
to meet the requirements of the GIAS (UK public sector) and to
fulfil the internal audit mandate.
·
Develop, implement, and maintain a quality assurance and
improvement programme that covers all aspects of the internalaudit
service. The programme will include external and internal
assessments of the internal audit service’s conformance with
the GIAS (UK public sector), as well as performance measurement to
assess the internal audit service’s progress toward the
achievement of its objectives and promotion of continuous
improvement.
3
For example, the work of internal audit is not limited to
the reviewof financial controlsonly.
4
·
Communicate with the Audit Committee and senior management
about the internal audit service’s qualityassurance and
improvement programme, including the outcomes of internal
assessments and external assessments.
·
Identify and consider trendsand emerging
issuesthat could impactNorth Yorkshire Council and communicate to
the Audit Committee and senior management as
appropriate.
·
Consider emergingtrends and successful practices in
internalauditing.
·
Establish and ensure adherenceto methodologies
designedto guide the internal audit service.
·
Ensure adherence to North Yorkshire
Council’s relevant policies and procedures unless such
policies and procedures conflictwith the internalaudit charter or
the GIAS (UK public sector). Any such conflicts will be resolved or
documented and communicated to the Audit Committee and senior
management.
·
Coordinate activities and consider relyingupon the work of
other internal and external providers of assurance and advisory
services. If the Head of Internal Audit cannot achieve an
appropriate level of coordination, the issue must be communicated
to senior management and if necessaryescalated to the Audit
Committee.
5.2
In
addition to the responsibilities set out above, to meet the
requirements for the practice of internal auditing in local
government, the Head of Internal Audit is also required to provide
an annual report to the Audit Committee. The report will be used by
the committee to inform its consideration of the council’s
annual governance statement. The report will include:
·
the Head of InternalAudit’s opinion on the
adequacyand effectiveness of the council’s framework of
governance, risk management, and control
·
any qualifications to the opinion, together with
the reasons for those qualifications (including any impairment to
independence or objectivity)
·
any particular control weakness judgedto be
relevant to the preparation of the annual governance
statement
·
a summaryof work undertaken to support the
opinion, includingany reliance placed on the work of other
assurance providers
·
an overallsummary of internalaudit performance and
the resultsof the internal audit service’s quality assurance
and improvement programme
·
a
statementon conformance with the GIAS (UK publicsector).
5.3
In
undertaking this work, the responsibilities of the internalaudit
service will include:
·
providing assurance to the board and senior
management on the effective operation of governance arrangements
and the internalcontrol environment operating at the
council4
·
objectively examining, evaluating and reporting on
the probity,legality and value for money of the council’s
arrangements for service delivery
4
Where third partiesplace reliance on the assuranceprovided
then they do so at theirown risk.
5
·
reviewing the Council’s financialarrangements to
ensurethat proper accounting controls, systems and procedures are
maintained and, where necessary, make recommendations for
improvement
·
helping to secure the effective operationof proper
controlsto minimise the risk of loss, the inefficient use of
resources and the potential for fraud and other wrongdoing
·
acting as a means of deterring all fraudulent
activity, corruption and other wrongdoing; this includes conducting
investigations into matters referred by councillors, officers, and
the public and reportingfindings of those investigations to the
relevant officers and councillors as appropriate for
action
·
advising the Council on relevant counterfraud and
corruption policies and measures.
5.4
The
Head of Internal Audit will ensure that the service is provided in
accordance with proper practice as set out aboveand in accordance
with any other relevantstandards – for example council policy
and legal or professional standards and guidance.
5.5
In
undertaking their work, internalauditors should have regard
to:
·
the purposeof internal auditing, and standards as
set out in the GIAS (UK public sector) and reflected in this
charter
·
the
codes of any professional bodiesof which they are members
·
standards of conduct expectedby the Council
·
the
Committeeon Standards in Public Life’sSeven Principles of
Public Life.
6
Organisationalindependence
6.1
It is
the responsibility of corporate directors and service managers to
maintain effective systems of risk management, internal control,
and governance. Auditorswill have no responsibility for the
implementation or operation of systems of control and will remain
sufficiently independent of the activities audited to enable them
to exercise objective professional judgement.
6.2
Audit
advice and recommendations will be made without prejudiceto the
rights of internal audit to review and make further recommendations
on relevant policies, procedures, controls and operations at a
later date.
6.3
The
Head of InternalAudit will put in place measures to ensure that
individual auditors remain independent of areas they are auditing
for example by:
·
rotation of audit staff
·
ensuring staff are not involved in auditing areas
where they have recentlybeen involved in operational management, or
in providing consultancy and advice5.
5
auditors will not be used on internalaudit engagements
where they have had directinvolvement in the area within the
previous 12 months
6
7
Accountability,reporting lines,
and relationships
7.1
Internal audit services are provided under contract to the
Councilby Veritau6. Staff undertaking internal audit work are employed
directly by Veritau. The Corporate Director of Resources acts as
client officer for the contract and is responsible for overall
monitoring of the service.
7.2
In its
role in providing an independent assurance function, Veritau has
direct access to councillors and senior managersand can report
uncensored to them as considered necessary. Such reports may be
made to:
·
the
Council,Executive, or any committee (including the Audit
Committee)
·
the
Chief Executive
·
the
Deputy Chief Executives
·
the
CorporateDirector of Resources (Chief Finance Officer)
·
the
Monitoring Officer
·
Other corporate directors, directors, assistant
directors, heads of service or service managers.
7.3
The
Corporate Director of Resources (Chief Finance Officer) has
specific responsibilities for ensuring that the Council has
effective systems of risk management and internal control. The role
includes a responsibility to ensure that the Council has put in
place arrangements for effective internalaudit. In recognition of
the importance of the relationship between the Chief Finance
Officer and internal audit (recognised in the standards), a
protocol has been drawn up setting out the relationship between
them. This is included in appendix 1.
7.4
The
Head of InternalAudit will reportindependently to the Audit
Committeeon:
·
the
proposedallocation of audit resources
·
any
significant risks and controlissues identified throughaudit
work
·
their
annualopinion on the Council’s controlenvironment.
7.5
The
Head of Internal Audit will informally meet in private with members
of the Audit Committee, or the committee as a wholeas required.
Meetingsmay be requested by committee members or the Head of
Internal Audit.
7.6
The Audit Committee will oversee (but not direct)
the work of internal audit. This includes commenting on the scope
of internal audit work and approving the annual audit plan. The
committee will also protectand promote the independence and rights
of internal audit to enable it to conduct its work and report on
its findings as necessary7.
6
The contract is with VeritauPublic Sector Limited– a
company limited by guarantee. The Council is a member of the company along with a number of
other local authorities.
7
The relationship betweeninternal audit and the
AuditCommittee is set out in more detailin appendix 2.
7
8
Fraud, consultancy servicesand
non-audit services
8.1
The
primary role of internal audit is to provide audit assurance
services to the Council. However, the service is also required to
undertake fraud investigation and other consultancy work to add
value and help improvegovernance, risk management and control
arrangements.
8.2
The
prevention and detection of fraud and corruption is the
responsibility of corporate directors and service managers.
However, all instances of suspected fraud and corruption must be
notified to Veritau, who willagree the course of actionto be taken
in consultation with the relevant corporate director and other
advisors (for example human resources). Where appropriate, cases of
suspected fraud or corruption will be investigated by
Veritau.
8.3
Veritau also carry out other consultancy related work where
this is of value to the Council. This is generallyat the request of
Councilofficers. It includes,for example, advice on designing
efficient and effective processes. The scope of consulting work
will be agreed with the relevant corporate director or service
manager. Consulting work will only be carried out where it
represents good value, there are sufficient resources and skills
within Veritau to undertake the work, and where it does not
compromise the assurance role or the independence of internal
audit. Details of all significant consultancy assignments completed
will be reported to the Audit Committee.
8.4
Where
Veritau provides non-audit services (for example information
governance), appropriate safeguards are in place to ensure audit
independence and objectivity are notcompromised. These safeguards
include the work being performed by a separate team with different
line management arrangements.
8.5
Veritau also has responsibility for facilitating and
co-ordinating the completion of the Annual Governance Statement of
the Council. Whilst providing these services does not impact on the
independence or performance of internal audit, additional
safeguards are in place to protect independence and support
conformance with professional standards. Overall responsibility for
the preparation of the Annual Governance Statement lies with the
Corporate Director of Resources (s151 officer) and the Assistant
Director Resources (deputy s151 officer). The Annual Governance
Statement is also subject to review and sign off by the Corporate
Governance Officers Group (CGOG)and the Council’s Management
Board, beforebeing approved by the Council’s Audit
Committee.
8.6
The
Head of Internal Audit will report any instances where audit
independence or objectivity may be compromised to the Corporate
Director of Resources and the Audit Committee. The Head of Internal
Audit will also take steps to limit any actual or
perceivedimpairment that might occur (for example by arranging for
the audit of these services or functional activities to be overseen
externally).
9
Resourcing
9.1
As
part of the audit planning process the Head of Internal Audit will
review the resources available to internal audit, to ensure that
they are appropriate and sufficient to meet the requirement to
provide an opinion on the Council’s control
8
environment. Where resources are judged to be inadequate or
insufficient, recommendations to addressthe shortfall will be made
to the Corporate Directorof Resources and to the Audit
Committee.
10
Rights of access
10.1
To
enableit to fulfil its responsibilities, the Council gives internal
auditorsemployed by Veritau the authority to:
·
enter
all Council premisesor land, at any reasonable time
·
have access to all data, records, documents,
correspondence, or other information - in whateverform - relating
to the activities of the Council
·
have accessto any assets of the Council and to
requireany employee of the Council to produce any assets under
their control
·
be able to requirefrom any employeeor councillor
any information or explanation necessary for the purposes of
audit.
10.2
Corporate directorsand service managersare responsible for
ensuring that the rights ofVeritau to access premises, records,and
personnel are preserved, including where the Council’s
services are provided through partnership arrangements, contracts
or other means.
11
Review
11.1
This
charter will be reviewed periodically by the Head of Internal
Audit. Any recommendations for change will be made to the Corporate
Directorof Resources and the Audit Committee, for
approval.
9
Relationship betweenthe Corporate Directorof
Resources (the Chief Finance Officer) and internal
audit
1 In
recognition of the statutory duties of the council’s
Corporate Director of Resources in their role as Section 151
Officer, this protocol has been adopted to form the basis for a
sound and effective working relationship between the Corporate
Director and internal audit.
(i)
The
Head of InternalAudit (HoIA) will seek to maintain a positive and
effective working relationship with the Corporate
Director.
(ii)
Internal audit will review the effectiveness of the
Council’s systems of control, governance, and risk management
and report its findings to the Corporate Director (in addition to
the Audit Committee).
(iii)
The
CorporateDirector will be asked to comment on those elementsof
internal audit’s programmeof work that relate to the
discharge of their statutory duties. In devising the annual audit
plan and in carrying out internal audit work, the HoIA will give
full regard to the comments of the Corporate Director.
(iv)
The
HoIA will notify the Corporate Director of any matter that in the
HoIA’s professional judgement may have implications for the
Corporate Director in discharging their statutory
responsibilities.
(v)
The
CorporateDirector will notifythe HoIA of any concernsthat they may
have about control, governance, or suspected fraudand corruption
and may require internal audit to undertake further investigation
or review.
(vi)
The
HoIA will be responsible for ensuring that internal audit is
provided in accordance with proper practice.
(vii)
If the
HoIA identifies any shortfall in resources which may jeopardise the
ability to providean opinion on the council’s control
environment, then they will make representations to the Corporate
Director, as well as to the Audit Committee.
(viii)
The
HoIA will report to the Corporate Director (and the Audit
Committee) any instances where internal audit independence or
objectivity is likely to be compromised, together with any planned
remedial action.
(ix)
The
HoIA will report to the Corporate Director (and the Audit
Committee) any instances where audit work has not conformed to the
GIAS (UK publicsector). This includes the reasons for
non-conformance and the possible impact on the audit
opinion.
(x)
The
Corporate Director will champion the role of internal audit in
providing independent, risk-based assurance on the operation of the
council’s systems of governance, risk management, and
internal control, and in helpingthe council to achieveits
objectives. The Corporate Director will also protect and promote
the independence and rights of internal audit to enable it to
conduct its work effectively and to report as necessary.
10
Relationship betweenthe Audit Committee and
internal audit
1
The
Audit Committee plays a key role in ensuring that the
councilmaintains a robust internal audit service and it is
therefore essential that there is an effective working relationship
between the committee and internal audit. This protocol sets out
some of the key responsibilities of internal audit and the
committee.
2
The
AuditCommittee will seek to:
(i)
raise
awareness of key aspectsof good governance across the Council,
including the role of internal audit and risk management
(ii)
ensure
that adequate resources are provided by the Councilto ensure that
internal audit can satisfactorily discharge its
responsibilities
(iii)
protect and promote the independence and rights of internal
audit to conduct its work properly and to report on its findings as
necessary.
3
Specific responsibilities in respect of internal audit
include the following.
(i)
oversight of, and involvement in, decisions relatingto how
internal audit is provided.
(ii)
approval of the internalaudit charter.
(iii)
consideration of the annual report and opinion of the Head
of InternalAudit (HoIA) on the Council’s control
environment.
(iv)
consideration of other specificreports detailing the
outcomes of internal audit work.
(v)
consideration of reports dealingwith the performance of
internal audit and the results of its quality assurance and
improvement programme.
(vi)
consideration of reports on the implementation of actions
agreedas a result of audit work and outstanding actions escalated
to the Committee in accordance with the approved escalation
policy.
(vii)
approval (but not direction) of the indicative annual
internal audit work programme.
4
In
relationto the Audit Committee, the HoIA will:
(i)
attend
its meetings and contribute to the agenda
(ii)
ensure
that overall internal audit objectives, work programmes, and
performance are communicated to, and understood by, the
committee
(iii)
provide an annual summary of internal audit work and an
opinion on the council’s controlenvironment including
detailsof unmitigated risks or other issues that need to be
considered by the committee
(iv)
establish whether anything from the work of the committee
requires consideration of the need to changethe internal auditwork
programme or vice versa
(v)
highlight any shortfall in the resources available to
internal audit or any instances where the independence or
objectivity of internal audit work may be compromised (and make
recommendations to address these to the committee)
(vi)
report
any significant risks or control issues identified through audit
work which the HoIA feels necessary to specifically reportto the
committee. This includes risks whichmanagement are failingto
address but which the HoIA considers are unacceptable for the
council
(vii)
report
any actual or attempted interference in the performance or
reporting of internal audit work
(viii)
participate in the committee’s review of its own
remit and effectiveness
(ix)
discuss the outcomes of the qualityassurance and
improvement programme, and consult with the board on how external
assessment of the internal audit service will conducted (required
once every five years).
5
The
HoIA will informally meet in privatewith members of the Audit
Committee, or the committee as a whole as required. Meetings may be
requested by committee members or the HoIA.
12
