Internal Audit Work Programme Consultation 2026/27

Date: 15 December 2025

Appendix 1

CONTENTS

Introduction

Approach: The Opinion Framework

Key assurance areas

Questions for the committee to consider

Next steps

Annex A – an overview of the opinion framework

         

 


 

 

 


1             The Global Internal Audit Standards (GIAS) require internal audit to draw up an indicative programme of work based on a documented assessment of the organisation’s strategies and objectives, and its risks, including emerging and evolving risks. This helps to ensure that audit activities focus on areas that matter most to supporting organisational success.

2             A specific public sector requirement for internal audit is that the risk-based programme must take into account the requirement to produce an annual internal audit opinion. Internal audit work programmes cover a range of areas to ensure the work undertaken enables Veritau to provide an overall opinion on the framework of governance, risk management, and control operating at the council.

3             The work programme is informed in a number of ways. One is the engagement with, and input from, the Audit Committee and senior management. This helps to ensure the work is aligned with the council’s expectations. 

4             This report is the first stage in consultation on the annual programme of work for 2026/27. It also asks for the Committee’s views on areas it considers a priority for internal audit in 2026/27. A full draft programme will be brought to the Committee for approval at its March 2026 meeting.

The year ahead for North Yorkshire Council

5             Like other local authorities across the country, North Yorkshire Council continues to face significant financial and demand-related challenges as it approaches 2026/27.

 

6             Demand for many services continues to increase. The latest 2025/26 budget monitoring report[1] also highlights a projected net overspend of £7.8m. Despite including growth of £12.0m in the 2025/26 budget for Children & Young People’s Services, the increasing demands in the service are leading to a significant forecast overspend of £15.1m. Whilst a number of measures are being applied to offset the forecast overspend, some of these are only one-off in nature.

 

7             The Council’s overall financial resources are also not keeping up with the increases in the level of demand elsewhere. Whilst details of the 2026/27 government funding allocations will not be available until the end of this year, initial analysis by officers indicates there will be a significant reduction in funding for the Council compared to 2025/26. Significant savings (both LGR and non LGR related) have been made since the establishment of the new Council, with a further £40m of planned savings included in the 2025/26 to 2027/28 Medium Term Financial Strategy (MTFS). However, a worsening of the financial position will impact the Council’s ability to achieve the necessary future savings. This will increase the reliance on reserves.

 

8             In addition to the financial and demand-related pressures, the Council faces a range of other challenges to the effective delivery of its services, strategic objectives, and ultimately to its systems of governance, risk management, and internal control. Whilst some consolidation of systems and processes has taken place, many legacy council systems and processes still remain. Further transformation and structural changes are therefore planned.

 

9             For internal audit to add most value, it needs to align its work to the areas of greatest risk and highest priority. The next sections explain how we do this at North Yorkshire Council, by applying our ‘opinion framework’.

 



The opinion framework

10          Veritau has an opinion framework which sets out the principles used to develop and manage the internal audit work programme. The framework ensures audit coverage is aligned with the Council’s risks and targeted towards the key priority areas. We continuously revisit those priorities during the year so that the work programme remains up to date.

 

11          The main component of the opinion framework is our definition of key assurance areas. These represent 11 areas of internal control that we think are essential to the proper functioning of the Council. Systems and controls in each area need to be operating effectively to maximise the likelihood that the Council’s objectives are achieved without undue exposure to risk. The areas cover both corporate arrangements, and the management of risks and controls in individual service areas that collectively contribute to the Council’s wider objectives.

 

12          The annual opinion is the most important output from internal audit and a key source of objective assurance for the Council’s leadership team and those charged with governance. It also helps to inform the Council’s Annual Governance Statement. The opinion must be well founded if it is to provide proper assurance to the Council.

 

13          Internal auditing standards require that the internal audit work programme is linked to, and contributes to, the organisation’s:

*       management of strategic risks, and

*       achievement of organisational objectives and priorities.

 

14          The risks at North Yorkshire Council most important for audit planning are those set out in the Council’s corporate risk register. There are many other risks associated with the wide range of services the Council delivers. Where appropriate, service risks are considered as part of individual audit assignments. However, the risks on the corporate register are those considered most significant to the achievement of the Council’s objectives and therefore are the main focus for internal audit planning.

 

15          The Council’s organisational objectives are expressed in its 2025-29 Council Plan which was approved by Full Council in January 2025. The plan has ambitions covering four areas supported by One Council with strong, local and customer led services.  

 

16          Other key documents include the latest revenue budget and medium-term financial strategy which outline a number of the challenges the Council is facing.

 

17          As well as taking into account the organisational risks and objectives, we will also reflect the Council’s current and future challenges including the need to deliver savings and complete a range of system and service transformation projects.

 

Overview

 

18          An overview of the process followed in using the opinion framework to determine audit priorities, and so to develop the internal audit work programme, is included in annex A.

 

19          In the next section we will explain the 11 key assurance areas in more detail and provide examples of risk areas, systems and processes we could review, as part of the 2026/27 programme of work.

 

 

 


 

 

 

 


Key assurance areas: an overview and examples

20          Details of the 11 key assurance areas are set out below. We have provided definitions, and some examples of arrangements, systems, and processes we could review under each area. The examples are for illustrative purposes and are not exhaustive. Some audit work will likely cut across a number of the key assurance areas.

 

Strategic planning

21          Strategic planning covers the arrangements the Council has in place to define and develop its strategy, or direction, and make decisions on resource allocation to successfully pursue this strategy. It also encompasses the control measures in place to guide strategy implementation. The Council’s strategy and policy framework comprises the Council Plan, and other key plans and policies which give effect to the strategies.

 

22          This area is of importance to internal audit as effective strategic planning is a prerequisite for delivering long term, sustainable success.

 

Examples

*       Delivery of council plan objectives

*       Transformation and savings programme

*       Climate change

*       Social care delivery and commissioning

 

Organisational governance

23          Governance is the combination of processes and structures implemented to inform, direct, manage and monitor the activities of the Council toward the achievement of its objectives. At its most visible, governance involves the set of policies put in place for the direction and control of the organisation and the establishment of rules and procedures for making decisions and for complying with relevant legislation and regulations. Governance also encompasses business ethics, leadership, strategic management, and control activities. In a local authority context, the principles of effective governance are set out in the CIPFA / Solace 2016 Delivering Good Governance in Local Government: Framework, supported by the recent addendum to the framework issued in May 2025. 

 

24          Internal audit is expected to assess and make appropriate recommendations to improve the Council’s governance processes. It is also expected to evaluate risk exposures relating to compliance with laws, regulations, policies, procedures and contracts.

 

 

 

Examples

*       Adherence to Constitution

*       Council Companies

*       Policy framework

*       Housing regulation compliance

 

Financial governance

25          Section 151 of the Local Government Act 1972 requires that every local authority in England and Wales should “... make arrangements for the proper administration of their financial affairs...”. Financial governance involves arrangements for giving a reliable account of the money spent and income received, stewardship of public resources, compliance with legal and regulatory requirements, ensuring value for money, supporting effective decision-making, and facilitating planning and resource allocation.

 

26          GIAS requires internal audit to consider how an organisation evaluates the risks, and adequacy and effectiveness of controls relating to the reliability and integrity of financial information.

 

Examples

*       Main accounting system

*       Benefits and Council Tax systems

*       Revenue and capital budget management

*       Payroll

*       Ordering and creditor payments

*       Income collection and debt recovery

 

Risk management

27          Risk management encompasses the Council’s arrangements for identifying, assessing, managing, and controlling potential events or situations to provide reasonable assurance that its objectives will be achieved. It involves being aware of risk exposures, selecting appropriate risk responses that align risks with the Council’s risk appetite, and communicating relevant information in a timely manner across the organisation.

 

28          Internal audit’s role is to evaluate the effectiveness of risk management processes and contribute to their improvement.

 

Examples

*       Risk management processes

*       Health and safety

*       Insurance

*       Disaster recovery

 

Information governance

29          Information governance is the set of multi-disciplinary structures, policies, procedures, processes, and controls implemented to manage information across the Council. These governance arrangements should support the Council’s immediate and future regulatory, legal, risk, environmental and operational requirements.

 

Examples

*       UK GDPR compliance

*       Records management

*       Data breach management

*       Information asset management

*       Rights of individuals requests

 

Performance management and data quality

30          Performance management refers to the systematic process by which the Council plans, monitors, and improves the delivery of the services it provides to the public. The starting point for performance management is the Council’s strategic ambitions which then filter down the organisation to directorate, service, team and individual levels. The Council’s performance management framework aims to join up delivery at all levels by setting clear, achievable targets which can be accurately monitored and reported, with corrective action being taken promptly and appropriately.

 

Examples

*       Performance framework

*       Data quality

*       Service performance management

*       Follow-up processes

 

Procurement and contract management

31          Effective procurement and contract management is vital for any local authority to ensure that it maximises value for money in its service delivery. Every procurement process undertaken by the Council needs to comply with the provisions of its Constitution (including the Contract Procedure Rules) and the objectives set out in its Procurement Strategy. Public sector procurement also needs to comply with the Procurement Act 2023, which came into force on 24 February 2025.

 

32          Once a procurement exercise is completed and the contract begins, it is essential that it is monitored regularly to ensure compliance with its terms and conditions, to manage delivery risk, and to assess performance.

 

Examples

*       Individual procurement exercises

*       Individual contract management reviews

*       Compliance with contract procedure rules

*       Placements for children and young people

 

 

People management

33          This area covers all aspects of the management of human resources across the Council. For example, recruitment and selection, remuneration, attendance management, training and talent development, individual performance management, equal opportunities, welfare and industrial relations, working arrangements, and discipline.

 

34          The Council’s people are essential to the achievement of its objectives, and there are a wide range of potentially significant risks in this area.

 

Examples

*       Training

*       Performance management

*       Workforce planning

*       Recruitment and retention

 

Asset management

35          Asset management involves the proper management, safeguarding and recording of assets. It seeks to align the asset base with the Council’s corporate ambitions and objectives. Key areas for effective asset management include strategic planning, maintenance of accurate records, an understanding of the physical location of assets, allocated responsibility for assets, and periodic and systematic physical verification of the existence, condition, and performance of assets.

 

36          Ensuring the safeguarding of assets is a risk area the GIAS requires internal audit to evaluate when providing assurance on the adequacy and effectiveness of the Council’s risk management arrangements.

 

Examples

*       Verification of assets

*       Asset repair and maintenance

*       Commercial rents

*       Acquisition, transfer, and disposal

 

Programme and project management

37          Programmes are a collection of related projects managed in a coordinated way. This can bring benefits and control over and above what is achievable from managing projects individually. Projects are discrete, clearly defined, shorter-term engagements, involving the application of processes, methodologies, and specific or cross-functional skills to achieve specific and measurable outcomes.

 

38          Effective project management is important for the Council to ensure resources are used efficiently and to achieve value for money. This is particularly the case for large and high-profile projects that bring about significant change. Internal audit is expected to evaluate risk exposures relating to the effectiveness and efficiency of Council programmes and projects.

 

Examples

*       Project management framework review

*       Individual review of projects

*       Partnerships

*       Project governance and risk management

 

IT governance

39          Information technology (IT) governance is a sub-discipline of organisational governance. It relates to leadership, organisational structures, policies, and processes that ensure that information technology supports Council strategies and objectives. IT governance should also support the management and oversight of the Council’s business as usual activities.

 

40          The GIAS require internal audit to assess whether information technology governance supports the council’s strategies and objectives.

 

Examples

*       Cybersecurity

*       IT infrastructure

*       Strategies and policies

*       IT systems

 


 

 

 

 


41          As part of our preparations for the audit work programme for 2026/27, the Committee is invited to express a view on any areas it feels should be considered a priority for internal audit work. In considering this, relevant questions may include the following:

*       For any of the Council’s strategic risks, are there any which the Committee would like internal audit to look at, to provide additional assurance about arrangements for the management of the risk?

*       What are the most significant threats to the achievement of the Council’s objectives and priorities?

*       Are there any of the 11 key assurance areas which the Committee feels internal audit should pay particular attention to, to provide additional comfort that arrangements are operating effectively?

*       Are there any specific elements within the 11 key assurance areas that the Committee would like internal audit to look at during 2026/27?

*       Irrespective of the assurance areas, risks and Council priorities, does the Committee have any specific suggestions for internal audit assignments in 2026/27?

 

 


42          Following consultation with the Committee we will hold further discussions with officers to understand their views on the priorities for internal audit work over the next year. These meetings will take place during January and February 2026.

 

43          Alongside this we will continue to take account of emerging issues relevant to the public sector as well as any specific sectoral risks or developments including any relevant changes to legislation. We will also continue to review Council committee papers and other relevant background information to ensure we have an up-to-date picture of the challenges and issues facing the Council.

 

44          Information collected will be used to develop the indicative long list of audits to be included in the 2026/27 internal audit work programme.

 

45          Our risk assessment and the programme of work will be updated and revisited throughout the year to ensure audit work continues to target priority areas.

 


Annex A

THE OPINION FRAMEWORK

Key Corporate Risks

*       SEND High Need Budget
*       Major schemes
*       Climate change
*       Funding challenges
*       Major failure in the care market and workforce pressures
*       Housing regulation
*       Transformation programme
*       Information governance and cyber security
*       Recruitment, retention & resources
*       Significant incidents

Council Ambitions

*       The council’s vision and ambitions are documented in the 2025-2029 Council Plan which was approved by Full Council on 14 February 2025.
*       Four main ambitions are included, covering: thriving places and empowered communities, sustainable and connected places, safe healthy and living well, and maximising potential.
*       The vision and ambitions are supported by One Council with strong, local and customer led services.

The Audit Universe

The audit universe represents all areas across the council that Veritau has identified as being auditable. The universe is broadly structured as follows:

*       Corporate and cross-cutting
*       Key financial systems
*       Service areas
*       ICT and technical

11 Key Assurance Areas

*       Strategic Planning
*       Organisational governance
*       Financial governance
*       Risk management
*       Information governance
*       Performance management and data quality
*       Procurement and contract management
*       People management
*       Asset management
*       Programmes and project management
*       IT Governance

Internal Audit Work Programme

Having evaluated all potential audits against the opinion framework in steps 1 to 4, audits are prioritised for inclusion in the internal audit work programme.


[1] Quarterly performance and budget report to Executive 18 November 2025