
Internal Audit Work Programme 2026/27
Annex 1

 


CONTENTS

Introduction

Strategic context

2026/27 internal audit work programme

Annex A: indicative internal audit work programme

Annex B: current priorities for internal audit work (‘do now’, ‘do next’ and ‘do later’)

Introduction


1             This report sets out the proposed 2026/27 programme of work for internal audit, provided by Veritau for North Yorkshire Council (NYC).

2             The work of internal audit is governed by the Global Internal Audit Standards in the UK Public Sector (GIAS UK Public Sector). These standards are made up of:

*      the Global Internal Audit Standards (GIAS), set by our professional body, The Institute of Internal Auditors, and

*      the Application Note: Global Internal Audit Standards in the UK Public Sector, produced by the Relevant Internal Audit Standard Setters[1].

3             The Application Note contains interpretations and requirements which need to be applied to the GIAS so that they form a suitable basis for internal audit practice in the UK public sector.

4             Internal Audit maintains organisational independence. Auditors have no operational responsibilities, and safeguards are in place to prevent any impairment to independence or objectivity. Any actual or potential threats will be reported to the Audit Committee. Veritau also operates a programme of ongoing quality assurance designed to confirm that audit work is delivered in accordance with the GIAS. The outcomes of these arrangements are reported annually to this Committee, alongside the annual audit opinion.

5             At the local level, the council has an internal audit charter. The charter addresses how internal audit is performed and governed, and its commitment to adhering to professional standards.

6             To conform to professional standards and the audit charter, the Head of Internal Audit must develop a plan based on a documented assessment of the council’s strategies, objectives, and risks and on their understanding of the governance, risk management, and internal control arrangements. The plan should also be informed by input from key stakeholders, such as senior management and this committee.

7             Internal audit work should be risk-based and dynamic, being undertaken in a way that supports achievement of organisational objectives. Accordingly, planned work should be reviewed and adjusted in response to changes to risks, priorities, operations, programmes, systems, and internal controls.

8             The GIAS UK Public Sector places a specific requirement on the Head of Internal Audit to prepare an overall conclusion (opinion), at the level of the organisation, about the effectiveness of governance, risk management, and internal control. This must be done at least annually in support of wider governance reporting.

9             The basis of the Head of Internal Audit’s annual opinion is the outcomes from planned audit work undertaken over the year (referred to as the ‘work programme’). Our work programme will include coverage of governance, risk management, and internal control which, in turn, allows an opinion to be given.

10          At the December 2025 meeting of this committee, we presented our work programme consultation report. This report explained how we approach development of the work programme by considering key areas of assurance, the council’s risks, and its priorities to define a body of work from which an independent and well-informed opinion can be given.

Strategic context

 


11          North Yorkshire Council enters 2026/27 facing a challenging financial environment. National reforms to local government finance have resulted in a like-for-like reduction in funding of just under £20m in 2026/27. Demand-related pressures remain intense. The MTFS identifies rising costs for people-based services, particularly those for young people, as one of the two principal factors shaping the Council’s financial outlook, with growth in Children & Young People’s Services continuing to be outpaced by need. Current budget monitoring for 2025/26 forecasts a £7.8m net overspend, including £15.1m within Children & Young People’s Services despite £12m of budget growth. Adult social care also faces significant cost pressures driven by market conditions, workforce shortages and complexity of need.

12          The Medium-Term Financial Strategy identifies a recurring deficit of £17m in 2026/27, rising to £25m by 2028/29, requiring reserve contributions totalling £59.3m over the settlement period. While local government reorganisation has delivered substantial efficiencies, the MTFS notes that LGR-related savings have now mostly been delivered, meaning future savings increasingly depend on delivering transformation at scale rather than further consolidation.

13          Operationally, the Council continues its transition from post-LGR consolidation to full standardisation. While many legacy systems and processes have been aligned, some inherited arrangements remain. The rollout of a single operating model, combined with improvements in data, digital capability and customer service, forms a critical part of the Council’s transformation plans. These programmes provide significant opportunities but also carry inherent risks around governance, programme management and organisational capacity.

14          The Council also continues to deliver a sizeable capital programme involving multi-year, high-value and in some cases high-risk projects. These schemes support long-term strategic ambitions but increase exposure to risks associated with borrowing costs, inflation, supply chain pressures and the management of complex delivery environments.

15          Taken together, this creates a heightened risk landscape requiring strong governance, disciplined financial management and effective control arrangements. Under the Global Internal Audit Standards, Internal Audit must target its assurance work to the areas of highest organisational significance and risk exposure. Timely, risk-aligned assurance will remain essential throughout 2026/27 to support the Council in navigating financial constraint, service demand and transformation at pace.

16          To maximise the value of internal audit, it is important that we provide assurance in the right areas at the right time. We’ve designed the processes for developing the internal audit work programme, and refining it through the year, to do that.

2026/27 Internal audit work programme

The 2026/27 indicative internal audit work programme

17          The work programme is set out in annex A (see page 9). Annex B outlines the proposed timing of the programmed work in terms of ‘do now’, ‘do next’ or ‘do later’. It should be noted that this prioritisation of audit work is likely to change as we move to the delivery stage.

18          Functionally, the indicative programme is structured into a number of areas, as set out in table 1, below.

Table 1: Work programme functional areas.

| Programme area | Purpose |
|---|---|
| Strategic / corporate & cross cutting | To provide assurance on areas which, by virtue of their importance to good governance and stewardship, are fundamental to the ongoing success of the council. |
| Technical / projects | To provide assurance on those areas of a technical nature and where project management is involved. These areas are key to the council as the risks involved could detrimentally affect the delivery of services. |
| Financial systems | To provide assurance on the key areas of financial risk. This helps provide assurance to the council that risks of loss or error are minimised. |
| Service areas | To provide assurance on key systems and processes within service areas. These areas face risks which are individually significant, but which could also have the potential to impact more widely on the operations or reputation of the council if they were to materialise. |
| Other assurance work | An allocation of time to allow for continuous audit planning and information gathering, and the follow up of work we have already carried out, ensuring that agreed actions have been implemented by management. |
| Client support, advice & liaison | Work we carry out to support the council in its functions. This includes the time spent providing support and advice, liaising with staff and preparing all papers for the Audit Committee. Client support also includes facilitating the council’s completion of the annual review of governance which supports the Annual Governance Statement, as well as involvement in a number of officer working groups. |

 

 

19          The overall level of service is based on an indicative number of days, for planning purposes: 1,800 days for 2026/27 (2,250 days in 2025/26). The plan reflects the risks of a maturing post-LGR organisation that has aligned some legacy arrangements but still has some significant work ahead. Further explanation of our assessment of the sufficiency of resources (required by GIAS) is included in paragraphs 21 to 24.

20          Figure 1 below shows the proportion of time we expect to deliver across each area during the year.

Figure 1: 2026/27 work programme: indicative functional area split.

 

Sufficiency of resources

21          Domain III of the Global Internal Audit Standards requires the Board (Audit Committee) to ensure that internal audit has sufficient financial, human and technological resources to operate effectively (Standard 8.2).  Adequate funding and staffing are identified as essential conditions which support the delivery of audit work and the annual opinion. 

22          The resourcing requirements should be assessed with reference to the audit universe, risk assessment and the Council’s strategic priorities.

23          Consideration also needs to be given to the requirement for specialist skills and knowledge, for example in respect of digital assurance, cyber security and major project support. The Standards also require that any resource limitations that could impair the delivery of audit work or the annual opinion are reported to the Board (Audit Committee) as part of its oversight role.

24          For 2026/27, the Head of Internal Audit has reviewed the service’s staffing, skills mix and delivery capacity. Based on current resources, anticipated demand and planned use of specialist expertise, I confirm internal audit has sufficient and appropriate resources to deliver the audit plan and meet the requirements of the standards, including the essential conditions on adequate resourcing under Domain III.

The audit prioritisation system

25          It is important to emphasise two aspects of the programme. Firstly, the planned audit activities included in annex A are not fixed. As described above, work will be kept under review to ensure that audit resources are deployed to the areas of greatest risk and importance to the Council. This is to ensure that the audit process continues to add value.

26          Secondly, it will not be possible to deliver all of the audit activities listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment. Over-planning the programme enables us to respond quickly by commencing work in other areas of importance to the Council when risks and priorities change during the year.

27          Once initial internal audit priorities have been identified through the application of the opinion framework, we then overlay a second system of prioritisation. This system allows us to determine the relative priority of audits included in the indicative work programme.

28          This second prioritisation system sees audits assigned to one of three categories, as shown in figure 2 below.

 

Figure 2: ‘do now’, ‘do next’, ‘do later’ prioritisation system.

29          Decisions on which of the three categories internal audit work falls into will be based on judgement and will be made having given consideration to the prioritisation factors in table 2 below. These will result in internal audit work being considered a relatively higher or lower priority at the time of assessment.

 

 

Table 2: Internal audit prioritisation factors.

 

Prioritisation factors

*      where we have no recent audit assurance, or other sources of information

*      where controls are changing and / or risks are increasing

*      where we are following up previous control weaknesses

*      where specific issues are known to have arisen

*      that are of significant importance to the council, for example they reflect key objectives or high priority projects

*      time pressures or scheduling requirements, for example grant deadlines, or work scheduled to minimise the impact at busy times

*      that need to be covered to enable us to provide an annual opinion

*      that provide broader assurance, for example corporate policies and frameworks

 

30          The above factors will be used on an ongoing basis to decide what internal audit work will be carried out, and when, during the course of the year. These decisions will be made in consultation with the Council through our ongoing dialogue with senior officers. Individual audits will move between the three categories, as required, based on their priority at the time of assessment.

31          For example, an audit scheduled for quarter three to minimise the impact on a service area may initially be classed as ‘do later’ but will become ‘do now’ as we move into quarter three. Similarly, an audit of a Council project classed as ‘do now’ because it represents an area of high importance may move from ‘do now’ to ‘do next’ or ‘do later’ if the project slips or planned work cannot be undertaken until a specific point is reached. Towards the end of the year, audits classed as ‘do later’ are likely to be deferred into the following year.

32          It is important to emphasise two aspects of the programme. Firstly, the audit activities included in annex A are not fixed. As described above, work will be kept under review to ensure that audit resources are deployed to areas of greatest risk and importance to the council. This is to ensure the audit process continues to add value. Secondly, it will not be possible to deliver all of the audit activities listed in the programme. The programme has been intentionally over-planned, to build in flexibility from the outset while also providing an indication of the priorities for work at the time of assessment.

33          The committee will be provided with information on current internal audit priorities throughout the year as part of regular progress reporting.

Delivery of internal audit work

34          Ahead of each quarter, we will reconfirm the timings of proposed work with the relevant service managers before the work begins.

35          For every assignment, we will agree realistic and achievable deadlines with officers in advance so that everyone has a clear understanding of what is required and by when. These deadlines apply to both internal audit and service teams, reflecting the shared nature of delivering an effective internal audit.

36          Internal audit and officers generally work well together. However, some audits can still take longer than planned for a range of understandable operational reasons. To support more timely delivery and after discussion with the deputy s151 officer, we are introducing a limited set of practical KPIs which will focus on measuring the completion of work to agreed timescales, agreeing draft reports promptly, client satisfaction with the audit, and confirmation that previously agreed actions have been completed.

37          These measures are designed to strengthen shared accountability and help both internal audit and the Council keep the audit reviews progressing to plan. Relevant KPI reporting will be included for Members as part of routine progress updates.


ANNEX A: indicative internal audit work programme 2026/27

 

Programme area

 Potential internal audit activity

Strategic / corporate & cross cutting

 

 

*       Absence management

*       Asset management

*       Business continuity

*       Climate change

*       Contract management (Housing)

*       Contracts register

*       Council companies

*       Council transformation

*       Electoral register

*       Health and safety

*       HR Data quality

*       HR Core policies review

*       Information security sweeps

*       Management of external funding

*       Passenger Transport

*       Performance management

*       PPE procurement

*       Procurement and contract management strategy

*       Procurement and contracts reviews

*       Procurement (social value)

*       Project management

*       Public conveniences

*       Records management

*       Risk management

*       Savings plan delivery

*       Transforming cities fund – Selby schemes

Technical / projects

 

 

*       New Financial Management System – data analysis and support and advice

*       Artificial intelligence governance

*       Involvement in specific service areas developments, including new systems and processes

*       Projects / systems advice and support

*       ICT applications – including Netcall and Revenues and Benefits

*       ICT business continuity and disaster recovery (Harrogate)

*       ICT incident reporting

*       ICT project management

*       Server administration

Financial systems

 

 

*       Benefits

*       Budget monitoring

*       Creditors

*       Debtors (including debt management and recovery)

*       Income and receipting

*       Main accounting system

*       Payment Card Industry Data Security Standard (PCI DSS)

*       Payroll (Leavers processes)

*       Revenues (Council tax and Business rates)

Service areas

 

 

Community Development

*       Building control

*       Community infrastructure levy and s106 agreements

*       Economic development

*       Housing (Council tax premium)

*       Housing adaptations

*       Housing allocations

*       Housing stock phase 2

*       Museum and galleries income

*       Planning enforcement

*       Renters’ rights act

*       Trailblazer

*       Venues – safety and security

Environment

*       Car parking

*       Coroners service

*       Fleet management

*       Harbours

*       Highways maintenance

*       Kex Gill

*       Lane rental schemes

*       Pest control income

Local Engagement

*       CCTV

*       Partnership working: Serious violence duty

*       Refugees and asylum seekers

*       Voluntary community and social enterprise (VCSE) programme

Children and Young People’s Service (CYPS)

*       Agency workers (Matrix)

*       Banding arrangements

*       Children’s safeguarding

*       Education other than at school (post 16)

*       Funded early education: termly provider checks

*       Maintained schools: general / full school reviews

*       Music service: governance arrangements

*       Outdoor learning

*       School’s thematic reviews

*       Schools financial value standard

Health and Adult Services (HAS)

*       Commissioning care: Transitions

*       Care Quality Commission (CQC) action plan review

*       Deferred payment agreements

*       Digital care records

*       HAS restructure post implementation review support

*       Learning from serious incident reviews, SARs and complaints

*       Public Health: Dental epidemiology survey

*       Public Health: Primary care payment processes

*       Public Health: Healthy You programme

*       Public Health: Infection prevention control contract

*       Public Health: Sexual health s75 agreements

*       S117 mental health services

North Yorkshire Pension Fund

*       Work to be agreed with the Pension Board.

Other assurance work

 

 

*       Follow-up of previously agreed management actions

*       Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control

*       Continuous assurance work, including data analytics and data matching projects

*       Attendance at, and contribution to, governance- and assurance-related working groups

Client support, advice & liaison

 

 

*       Committee preparation and attendance

*       Key stakeholder liaison

*       Facilitating the council’s completion of the annual review of governance which supports the completion of the Annual Governance Statement

*       Attending project and change programme boards

*       Support and advice on control, governance and risk related issues

 


ANNEX B: Current 2026/27 priorities for Internal Audit work

| Audit | Timing: do now | Timing: do next | Timing: do later |
|---|---|---|---|
| Strategic and Corporate risks | | | |
| Absence management | ✓ | | |
| Asset management | | ✓ | |
| Business continuity | | ✓ | |
| Climate change | | ✓ | |
| Contract management (Housing) | | ✓ | |
| Contracts register | | ✓ | |
| Council companies | | | ✓ |
| Council transformation | | ✓ | |
| Electoral register | ✓ | | |
| Health and safety | | ✓ | |
| HR Data quality | | ✓ | |
| HR Core policies review | | ✓ | |
| Information security sweeps | ✓ | | ✓ |
| Management of external funding | | | ✓ |
| Passenger transport | | | ✓ |
| Performance management | | | ✓ |
| PPE procurement | | | |
| Procurement and contract management strategy | ✓ | | |
| Procurement and contracts reviews | | | ✓ |
| Procurement (social value) | ✓ | | |
| Project management | | | ✓ |
| Public conveniences | | ✓ | |
| Records management | | ✓ | |
| Risk management | | ✓ | |
| Savings plan delivery | | ✓ | |
| Transforming cities fund – Selby schemes | | ✓ | |
| Technical / Project Risks | | | |
| New Financial Management System – data analysis and support and advice | ✓ | ✓ | ✓ |
| Artificial intelligence governance | ✓ | | |
| Involvement in specific service areas developments, including new systems and processes | ✓ | ✓ | ✓ |
| Projects / systems advice and support | | ✓ | |
| ICT applications – including Netcall and | | ✓ | |
| Revenues and Benefits | | ✓ | |
| ICT business continuity and disaster recovery (Harrogate) | | ✓ | |
| ICT incident reporting | | ✓ | |
| ICT project management | | ✓ | |
| Server administration | | ✓ | |
| Financial Systems | | | |
| Benefits | | ✓ | |
| Budget monitoring | | ✓ | |
| Creditors | ✓ | | ✓ |
| Debtors (including debt management and recovery) | | | ✓ |
| Income and receipting | ✓ | | |
| Main accounting system | | | ✓ |
| Payment Card Industry Data Security Standard (PCI DSS) | | ✓ | |
| Payroll | | | ✓ |
| Revenues (Council tax and business rates) | | ✓ | |
| Service Area Related | | | |
| Building control | | ✓ | |
| Community infrastructure levy and s106 agreements | | | ✓ |
| Economic development | | | ✓ |
| Housing (Council tax premium) | | ✓ | |
| Housing adaptations | | ✓ | |
| Housing allocations | | ✓ | |
| Housing stock phase 2 | | ✓ | |
| Museum and galleries income | | ✓ | |
| Planning enforcement | | | ✓ |
| Renters’ rights act | | | ✓ |
| Trailblazer | ✓ | | |
| Venues – safety and security | ✓ | | |
| Car parking | | ✓ | |
| Coroners service | | | ✓ |
| Fleet management | ✓ | | |
| Harbours | | ✓ | |
| Highways maintenance | | | ✓ |
| Kex Gill (second review) | | ✓ | |
| Lane rental schemes | | ✓ | |
| Pest control income | | ✓ | |
| CCTV | ✓ | | |
| Partnership working: Serious violence duty | | | ✓ |
| Refugees and asylum seekers | | | ✓ |
| Voluntary community and social enterprise (VCSE) programme | | ✓ | |
| Agency workers (Matrix) | ✓ | | |
| Banding arrangements | | | ✓ |
| Children’s safeguarding | | | ✓ |
| Education other than at school (post 16) | ✓ | | |
| Funded early education: termly provider checks | | ✓ | |
| Maintained schools: general / full school reviews | | ✓ | |
| Music service: governance arrangements | ✓ | | |
| Outdoor learning | | ✓ | |
| School’s thematic reviews | | ✓ | ✓ |
| Schools financial value standard | | | ✓ |
| Commissioning care: Transitions | | ✓ | |
| Care Quality Commission (CQC) action plan review | | | ✓ |
| Deferred payment agreements | | | ✓ |
| Digital care records | | | ✓ |
| HAS restructure post implementation review support | | ✓ | |
| Learning from serious incident reviews, SARs and complaints | | ✓ | |
| Public Health: Dental epidemiology survey | ✓ | | |
| Public Health: primary care payment processes | ✓ | | |
| Public Health: Healthy You programme | | ✓ | |
| Public Health: Infection prevention control contract | | | ✓ |
| Public Health: Sexual health s75 agreements | | | ✓ |
| S117 mental health services | ✓ | | |
| Other assurance work | | | |
| Follow-up of previously agreed management actions | ✓ | ✓ | ✓ |
| Continuous audit planning and additional assurance gathering to help support our opinion on the framework of risk management, governance and internal control | ✓ | ✓ | ✓ |
| Continuous assurance work, including data analytics and data matching projects | ✓ | ✓ | ✓ |
| Attendance at, and contribution to, governance- and assurance-related working groups | ✓ | ✓ | ✓ |

 



[1] The Relevant Internal Audit Standard Setter for UK local government is CIPFA.