Agenda item

This report presents the proposed Internal Audit Plan for 2025-26.  The report also includes an assessment of the progress made at the end of Year 1 towards achieving the objectives outlined in the Internal Audit Strategy 2024-27, which was approved by Audit and Standards Advisory Committee in March 2024.

Darren Armstrong (Deputy Director Organisational Assurance and Resilience) introduced a report from the Corporate Director Finance & Resources setting out the Internal Audit Plan 2025-26 along with an assessment of the progress made at the end of Year 1 towards delivery of the objectives outlined within the Internal Audit Strategy 2024-27.

In presenting the report the following key areas were highlighted:

·             The adoption of a revised methodology in relation to the Internal Audit Plan during 2024-25 that moved away from the traditional, rigid 'annual plan' approach. Due to its success, this methodology had been retained for 2025-26 aligned with the objectives outlined in the Internal Audit Strategy 2024-2027, which aimed to implement a more agile and enhanced risk-based approach to planning and delivery, while also continuing to provide a robust programme of core assurance.

·             The extensive scope of internal audit activity which required the management and balancing of evolving and often conflicting needs and expectations from a broad range of stakeholders. To meet these demands, the Plan detailed the approach towards the management of resources which had been structured to ensure the Internal Audit function remained agile and responsive to new and emerging risks, while also providing robust assurance over the Council’s core processes and controls, fulfilling an advisory role and supporting management in relation to areas of emerging risks and opportunities. 

·             In considering the factors outlined and reflecting the objectives within the Internal Audit Strategy, the Plan (as detailed within Appendix 1 of the report) had been divided into four sections split between core assurance work; a list of audit areas identified under an agile risk based approach designed to provide enhanced flexibility in order to respond to changing risks and priorities; consultancy & advice work and finally follow up activity with a strategic and inherent risk assurance map also provided covering the three year plan period which also set out how Internal Audit resources would be utilised and deployed, underpinned by the Internal Audit Charter.

·             Officers had developed the Internal Audit Plan alongside Global Internal Audit Standards, which set out requirements including the need for the plan to remain dynamic and subject to regular updates with the new approach having been validated by the Council’s External Auditors as providing increased flexibility and responsiveness and also receiving positive feedback as part of the Council’s recent Corporate Peer Challenge.

·             In terms of the work outlined within the Internal Audit Plan to provide assurance over the Council’s key systems and controls in accordance with the three-year cyclical plan this included (during 2025-26) 5 audits across the Council’s key financial systems and 5 audits of high inherent risk areas and other matters such as school audits and grant certification work. This work was predicted to remain relatively stable throughout the year accounting for approximately 28% of available time and Internal Audit resource.  In terms of the agile risk based element of the Plan in seeking to focus audit resources on areas with the greatest assurance needs, members were advised that three audits were currently in progress (which had commenced in 2024-25); eight audits were currently proposed to take place in Quarters 1 and 2 of 2025-26; and a further 15 potential audit areas have been identified for Quarters 3 and 4. It was, however noted, that element of the Plan was not rigid and was designed to  provide an indication of potential audit areas for 2025-26, which would be subject to continually update and adjustment. It was anticipated that this element of the Plan would account for up to 46% of available time and Internal Audit resource.  In addition, up to 7% of time and resource had also been retained to respond to the more reactive requests for consultancy and advice with up to 19% of time allocated to Follow Up audit activity designed to ensure internal audit actions and recommendations were being tracked through to implementation with members advised of the increased focus on this area of activity.

·             The outcome of the assessment undertaken in relation to Year 1 of the Internal Audit Strategy, as detailed within Appendix 2 of the report.  Members were reminded that the Strategy had been developed in accordance with the Global Internal Audit Standards to detail the main strategic objectives and priorities of for the Internal Audit function and had been designed to ensure that the work carried out by Internal Audit was aligned with the Council’s strategic objectives and assurance needs.  Members were advised that no revisions or adjustments had been identified in relation to the current strategy as a result of the Year 1 review.

Having thanked Darren Armstrong for introducing the report the Chair then invited comments from the Committee on the Strategy and Plan which are summarised below:

·             In recognising the outcome of the recent Value for Money External Audit assessment further details were sought on the role of Internal Audit in following up on recommendations made by External Audit and the potential to include a review of the way Value for Money was being delivered across the Council as part of the Internal Audit Plan.  In response, members were advised of the Committee’s role in following up and monitoring the implementation of recommendations made by External Audit, which was subject to regular and routine update and efforts made by Internal Audit to avoid duplicating this role.  In terms of any wider Value for Money audit activity, members were advised of the challenges involved in being able to scope such a wide area of review across various departments.  In seeking to assure members, however, confirmation was provided on the way Value for Money considerations and risks were included as part of every Internal Audit review which it would be possible to focus on in more detail within future updates, should the need be identified.  In addition, the Chair reminded members of the focus already included within the Audit Plan as part of the core assurance work in relation to contract management which had been designed to provide a rolling programme of assurance as a key area of inherent risk  which included the scope to include contract variations as well as social value.

·             In commending the update provided for the Committee, members once again highlighted concerns in relation to the weaknesses identified around processes for the valuation of assets and management and control of the Fixed Asset Register given the delays these had had created in being able to complete the 2023-24 audit process on the Statement of Accounts with details sought on how these matters were being addressed, through the Internal Audit Plan.  In response, members were advised that the findings and weaknesses identified following the External Audit process had formed part of the risk based approach and assessment of the assurance needs used to inform the Internal Audit Plan.  Whilst seeking to avoid duplication with the work of External Audit it was pointed out that Internal Audit continued to provide support and advice regarding the external audit process with the Plan therefore designed to take into account prior audit findings, strategic and directorate risk registers, fraud risks, and work undertaken and reported by External Audit and other assurance providers.

·             Clarification was sought on the continued operation and monitoring of the outcomes being delivered through the co-sourced model by Internal Audit given the portion of the plan (approx. 200 days) delivered by the co-sourced partner, PwC.   In response, the Committee was advised this work was not provided on a consultancy basis with the role integrated as part of the Internal Audit team structure.  The co-sourced model was felt to be operating effectively with  the benefits provided including an in-depth understanding of the Council, its strategies and objectives, and it’s governance, risk management and control processes via the in-house team, increased flexibility and resilience in the resourcing of the function, access to specialist resource such as IT/Cyber specialisms as well as increased benchmarking opportunities with other Council’s operating under the same framework arrangement and with the costs quality of work subject to close monitoring in order to ensure there was no discernible difference between outcomes.

·             As a further issues, details were sought on the way in which the days and Internal Audit resource allocated to follow up activity were applied as part of the risk based approach used to inform development of the Internal Audit Plan and the scope for this to be reallocated should implementation rates improve as a result of the work being undertaken to address follow up actions with those responsible for their implementation.  In response, members were advised that whilst some scope existed to reduce the time allocated for follow up activity the current preference was to retain this allocation given the issues identified in relation to addressing implementation rates and the detailed work being undertaken designed to enhance performance, recognising the importance and value in addressing the actions outlined.  Whilst it was noted that there was currently no follow up activity identified as critical, those actions and risks identified as high-priority would be prioritised with confirmation provided that there were no plans to move towards a process of self-certification at this stage for those actions identified as medium or low risk.

In terms of the work being undertaken to address performance in relation to implementation rates for follow-up audit activity, details were sought on how receptive those officers and teams identified as responsible for individual audit actions were to the feedback provided through the Internal Audit process and what more, if anything, it was felt the Audit and Standards Advisory Committee could do to support this process.  Outlining the process taken by Internal Audit to review implementation of recommendations with management, members were advised that where actions were found to remain partially or not implemented at follow-up, revised target dates would be agreed with management with the outstanding actions monitored and reported via departmental ‘action trackers’ monitored through Departmental Management Teams, CMT and the Brent Assurance Board and the ability for any instances of persistent non-implementation of recommendations to be reported to the Committee.  Whilst recognising the balance being sought in seeking to robustly hold management to account for the delivery of audit actions and approach towards delivery of a modern audit function members were also reminded that in cases of specific non engagement in the audit process or where the risk identified in ongoing non implementation of the action was identified as critical, the risk owner/manager could be formally required to attend the Committee.

In considering other measures to improve compliance, members asked whether there was sufficient training for staff to understand their accountabilities.  In response details were provided regarding the training and support currently available for risk owners and managers which included measures to remind departments of the importance that needed to be placed at an operational level on the implementation of audit actions based on realistic achievable target dates and enhanced engagement and monitoring at departmental level to ensure issues with non-implementation of actions were highlighted and addressed prior to escalation (should that be identified as required).

In addition, support was expressed for the development of a KPI designed to focus on the implementation of follow up audit actions for the members and enhance ownership of the process in a visible way with action/risk owner and manager(s) required to include details regarding overdue actions along with their reasons and cause for the delay to enable trends to be monitored linked to the Council’s strategic and departmental risk management arrangements.  Whilst supportive of the basis of the approach outlined the need to ensure this was applied in a balanced way was also recognised to ensure managers were encouraged to continue engaging and working with Internal Audit in a transparent and open way.

·             In response to a query regarding the availability of resources to support the new approach identified, members were advised that the overall level of audit resource remained consistent with officers satisfied that adequate resources were available for the provision of an effective internal audit function focussed around the provision of core assurance. Whilst challenges remained in relation to recruitment and retention of staff across the sector the benefits provided through the co-source arrangements were highlighted in terms of the resilience they provided in maintaining capacity.

As no further issues were raised the Chair once again thanked Darren Armstrong for the report and as a result of their consideration the Committee RESOLVED:

(1)      To note and endorse the Internal Audit Plan 2025 -26.

(2)      To note and approve the outcome of the Internal Audit Strategy 2024-2027 Year 1 Review