Agenda item

This report outlines the work undertaken by Internal Audit in respect of delivery of the 2025-26 Internal Audit Plan as at the end of October 2025.

Darren Armstrong (Deputy Director of Organisational Assurance and Resilience) introduced the report, outlining the work undertaken by the Internal Audit function as at the end of October 2025.

In highlighting the role of the report in providing assurance that the Council had a sound framework of governance, risk management and internal control in place supported by a summary of Internal Audit activity, updating on the performance of the function, highlighting areas where high priority recommendations had been made and commenting on the level of implementation of audit recommendations by management, the following key issues were highlighted:

·            The report reflected the continuation of the flexible audit planning approach adopted in 2024-25, moving away from the previous ‘annual plan’ approach and towards a less rigid and more flexible process but which would still provide assurance over areas of inherent risk, core systems and processes regarding key foundations to Council governance and control frameworks based on the following areas - Core Assurance, an Agile Risk-based Plan, Consultancy and Advice & Follow-up Activity.  It was noted that the current Plan had been agreed by the Committee in March 2025.

·            The summary provided within section 3.3 of the report relating to delivery of the 2025-26 Internal Audit Plan including progress (as detailed within Appendix 1 of the report) in relation to the Core Assurance Plan and development of the Agile Risk-Based plan listing the potential high risk and high assurance audit areas prioritised for activity during the remainder of the year.  The key highlights included the completion of five core assurance reviews with 13 core assurance reviews currently underway, comprising of seven at the fieldwork stage and six at the planning stage.  Completion of four risk-focused reviews, with eight additional risk-focused reviews in progress (four at the fieldwork stage and four at the planning stage) and the completion of two follow-up reviews, with a further thirteen actively being tracked through to implementation.  Members noted there had been no changes to this section of planned work from that approved by the Committee in March, and the service currently remained on track to deliver 100% of the Core Assurance Plan by March 2026 enabling the Head of Internal Audit to provide a well-informed, evidence-based opinion on the effectiveness of the Council’s governance, risk management, and internal control framework.

·            The summary of risk focussed work and findings identified within section of Appendix 1 to the report based on the Agile Risk-Based Plan, which included potential high-risk and high-assurance audit areas prioritised for delivery.  Members were reminded of the fluid nature of this element of the plan which had been designed to ensure the Internal Audit function was able to respond to emerging risks and shifting organisational priorities (based on the resource available) whilst providing transparency and assurance around how Internal Audit activity continued to be identified, prioritised, and directed throughout the year.  The current potential audit areas identified as part of the rolling internal audit risk assessment process had been included within section 2c of Appendix 1 of the report.

·            In addition to its assurance work, Internal Audit continues to provide consultancy and advisory support where required or requested. So far this year, this had included a range of advisory activities, such as participation on various boards and working groups, contributing to discussions and decisions designed to support effective governance and risk management across the Council.

·            The summary of follow-up outcomes and activity, as detailed within section 3.4 and Section 3 within Appendix 1 of the report, from planned audit work in relation to implementation of agreed actions, with it noted that the majority of follow-up work was due to be undertaken in Q3 and Q4 on which a final update would be provided within the Annual Internal Audit Report.  Members were reminded that where actions were found to be partially implemented or not implemented at the time of follow-up, revised target dates would be agreed with management. These outstanding actions would then be subject to ongoing monitoring through departmental action trackers, with updates reported periodically to Departmental Management Teams and the designated action owner then responsible for advising Internal Audit once an action had been implemented, including the provision of appropriate evidence in support.  Where actions were not implemented within their revised target dates, or where there was persistent lack of engagement in the follow-up process, these actions would be flagged as ‘overdue’ and escalated to senior management, with the list of those high-risk actions currently identified as overdue detailed within Section 3c within Appendix 1 of the report.

Having thanked Darren Armstrong for presenting the report the Chair then invited comments from the Committee, which are summarised below:

·            Additional clarification was sought in relation to the executive responses and completion dates in relation to the audit activity and findings listed within Section 2c (Risk Focussed Activity) detailed within Appendix 1 of the report alongside the revised targets dates for items included within Section 3b (as overdue high risk audit activity follow up) which in the case of the Kilburn Square TMO appeared as being before the original target date.  A query was also raised in relation to the status of the Licensing and Northgate Housing Benefits audits, given the status showed the findings as not implemented.

In response, Darren Armstrong advised that a number of executive responses for activity listed within Section 2c of Appendix 1 were still being finalised at the time the report was prepared, which it was confirmed had now been finalised with target dates and action plans available, on which a further update would be provided at the next meeting.  Moving forward, it was agreed that details relating to completion dates would be included in future updates. In terms of the target date for Kilburn Square TMO audit ,members were advised this reflected an error within the report and should have been listed as August 2024.  In relation to reasons for non-implementation, members were advised that following the formal follow-up process if actions were not implemented by their original target date, revised dates were agreed with a rationale captured at that time with the responsibility on management or the designated action owner to notify Internal Audit of subsequent implementation and update on the reasons for delay in implementation where revised dates had passed.  Where available, it was agreed that detail on the rationale for non-implementation should be included in future update reports alongside the degree of associated risk (whether high, medium or low) arising from non-implementation to enable the Committee to assess priority and any further monitoring action that may be required as a result.

·            Following on in support of the previous comments, support was also expressed for consideration of the risk weighting associated with repeated non implementation of high-risk audit findings to be included within future reports, particularly where this involved multiple actions related to a single audit.

·            Further details were sought on the management letter in response to the audit on Wembley Learning Zone (listed under the risk-based audit findings within section 2c of Appendix 1 to the report) with members keen to explore whether (given the nature of the findings identified) these were isolated to Wembley Learning Zone or were more integrated with wider Council processes.  In response, officers confirmed the issues identified were isolated to Wembley Learning Zone and did not extend to the Council's wider controls or processes.  Follow Up audit activity would, however, consider the arrangements in place to provide wider oversight over the second line of assurance in seeking to avoid the recurrence of such issues.

·            Highlighting reference to the phrase “weaknesses” identified in a number of areas within the Interim Report details were sought on the extent this reflected issues relating to the level of staffing available and whether there was a systematic approach to assessing the impact of the risks being identified in relation to staffing levels.  In responding, members were advised that this would form part of the relevant considerations and assessment of the root causes identified as part of each finding, although whilst the audit would focus on the context and the risk, it would be the responsibility of management to determine how these were addressed. Where resourcing issues were identified, recommendations would often focus on the effective utilisation of existing resources, implementing smarter controls and processes, or managing risk in different ways rather than simply highlighting a need for more staff. Officers emphasised that recommendations needed to be cost-effective and within the Council's ability to deliver, achieved through collaborative discussion with management to develop suitable solutions.

·            In response to a query, further clarification was provided on the definition of "limited assurance" with additional details also requested on the specific timescales for the management response and implementation of the findings relating to the limited assurance provided as an outcome of the risk based audit on Residential & Nursing Care and also on AI Governance, given concerns raised over the nature of the findings.

In response, officers advised that they would include definitions for the various assurance categories within future updates along with details on timescales and responsible officers in terms of management responses.  Darren Armstrong advised that he would also provide a further update on progress with the management responses in response to the internal audits on Residential & Nursing Care and also AI governance at the next meeting.  It was also noted that the Committee had agreed to undertake a deep dive on the use and potential emerging risks relating to AI at a future meeting, which would provide an opportunity for further review of governance and oversight arrangements.

·            Returning to the issue of core assurance, further details were also sought in relation to the audit findings and limited assurance provided as a result of the audit on Council Tax and Business Rates and management action being taken in response, with members keen to understand the root causes of the issues identified, especially in relation to issuing of reminders, summons and recovery actions.  Whilst noting these would be matters for management to respond on in detail, the report had included a summary of findings with Darren Armstrong advising that he would seek to ensure future updates were enhanced to provide a brief synopsis that also gave indication of root causes.

In a broader response, officers emphasised this represented the internal audit process working effectively, focusing on the controls in place to address core assurance and high-risk activity. Whilst recognising that limited assurance may be an unsatisfactory outcome, from a risk perspective it was a good indication that Internal Audit was focusing on the right areas and adding value in identifying issues, with a key focus then on the outcomes delivered as a result through the follow-up process. The Chair acknowledged this was an area of concern and advised that following receipt of the management response and follow-up, if the Committee was not satisfied, they would have the ability to examine the matter in greater depth.

·            As a final question, a member sought clarification on whether management had provided a timeline for implementation of AI governance policy, noting the report stated the current approach was reactive and seeking assurance on when it would become proactive. Officers advised that management had now responded with target dates for all actions, with a further update to be provided as an addendum to the report at the next meeting. In terms of when issues would be addressed, this would be reviewed through the follow-up process once the Committee had seen the target dates and Internal Audit had completed its follow-up work.

As there were no further issues raised, the Chair once again thanked Darren Armstrong and his team for the report and progress update provided, noting the reassurance that targeted work was identifying issues.  As a result of their consideration, the Committee RESOLVED:

(1)       To note the Internal Audit Interim report 2025-26 and additions identified in relation to the provision of future updates.

(2)       That an update be provided as an addendum to the Interim Internal Audit Plan Update on progress in delivery of the management responses to the limited assurance identified in response to the internal audits on Residential & Nursing Care and also AI governance.