Agenda item

Purpose: The key purpose of this report is to set out a risk-based plan of work for Internal Audit that will provide assurance to senior managers, members and the Audit and Risk Committee of the effectiveness of the Council’s governance, risk management and internal control frameworks, which also supports the Committee’s review of the Council’s Annual Governance Statement.

Julie Gillhespey (Audit Manager) presented the Internal Audit Plan 2026-2029 (Agenda Item 7).

During the debate the following points were discussed:

·       It was clarified that the programme was driven by ongoing review of internal risks, with an annual comprehensive refresh linking audit work to corporate priorities. Risks were prioritised and scored, ensuring higher risks were reviewed at an appropriate frequency.

·       A question was raised regarding GDPR responsibilities and assurance over third-party/contractor compliance. It was explained that this would be addressed through contract management, proportionate to the sensitivity and nature of the data involved.

·       It was asked whether internal audit cross-referenced information from other committees (for example, scrutiny work on transformation). It was confirmed that supporting evidence was cross-referenced and recorded in line with internal audit evidence standards and review requirements.

·       Members asked whether the Committee could see examples of full internal audit reports (beyond summaries) to support transparency and understanding. It was explained that, while full reports were not routinely presented, officers intended to use member training to walk through an example audit, including what a report looked like and how audit opinions were derived.

·       The Committee asked what measurable improvements/outcomes were expected over the three year plan period, and how success would be monitored and reported. Officers indicated that they aimed to have no recommendations flagged in the external assessment, and to maintain compliance with professional standards. The standards had recently changed, so there was a need to ensure that staff were appropriately trained. It was proposed to look at the Council’s approach to using AI and technology, covering any associated benefits and risks, including the need to validate AI outputs. Any monitoring requirements were informed by the Internal Audit Quality and Improvement Programme with results reported through the Annual Report.

·       A question was raised on whether Members would be consulted as part of the audit of the Council’s use of social media. It was stated this would not normally form part of audit work (which focused on management controls and risks), unless linked to wider strategic issues, but this did not happen often.

·       Clarification was sought regarding the HR audit and how retention would be audited. It was noted that recruitment and retention work had already been completed earlier in the year.

·       Sickness absence management was flagged as a potential risk area. It was explained that this had been reviewed in detail historically. Since then, the Council had put in place a more robust framework, which included benchmarking to see if absence rates were out of step with its peer group. The focus of any audit would be on whether policies and procedures were being adhered to.

·       Members queried whether care homes should be included as a high-risk area, given the current financial pressures. It was suggested that there may have been a recent change of plans for the Council’s care homes that would require clarification from the Executive.

·       Concerns were raised about ICT document storage/records management, which had been highlighted as part of a previous scrutiny review. It was confirmed this could be audited if requested, though ICT audits typically needed to be scoped into manageable elements. Access controls were covered routinely, and storage could be reviewed as a specific area.

·       Assurance was sought regarding the Internal Audit Team’s resources. It was confirmed the Internal Audit Plan was based on a team of 4.4 FTE. Resourcing was currently considered to be sufficient, but if a current vacancy was left unfilled and created a significant gap, then this would be flagged to the Committee.

RESOLVED: that the Proposed Audit Plan and Internal Audit Charter be approved.