 |
 |
Introduction
The mandate for internal audit in local government is specified within the Accounts and Audit [England] Regulations 2015, which states:
‘5. (1) A relevant authority must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.’
The scope of internal audit includes both assurance and advisory services covering the entire breath of New Forest District Council (‘the Council’), including all activities, assets, and personnel of the organisation.
The role of internal audit is that of an:
‘Independent, objective assurance and advisory service designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes’.
The Council is responsible for establishing and maintaining appropriate risk management processes, control systems, accounting records and governance arrangements. Internal audit plays a vital role in advising the Council that these arrangements are in place and operating effectively.
The Council’s response to internal audit activity should lead to the strengthening of the control environment and, therefore, contribute to the achievement of the organisation’s objectives.
The aim of internal audit’s work programme is to provide independent and objective assurance to management, the Executive Management Team and the Audit Committee, in relation to the business activities; systems and processes under review that:
· the framework of internal control, risk management and governance is appropriate and operating effectively; and
· risks to the achievement of the Council’s objectives are identified, assessed and managed to a defined acceptable level.
Conformance with internal auditing standards
From 1 April 2025, the ‘standards or guidance’ in relation to internal audit are those laid down in the Global Internal Audit Standards, Application Note: Global Internal Audit Standards in the UK Public Sector and the Code of Practice for the Governance of Internal Audit in UK Local Government. The collective requirements shall be referred to as the Global Internal Audit Standards in the UK Public Sector.
The Southern Internal Audit Partnership have made all necessary adaptions to its processes, procedures and practices to ensure it is best placed to conform with these requirements with effect from 1 April 2025.
Prior to 1 April 2025 conformance was required to the Public Sector Internal Audit Standards (PSIAS). Under the PSIAS there was a requirement for audit services to have an external quality assessment every five years. In September 2020 the Institute of Internal Auditors were commissioned to complete an external quality assessment of the Southern Internal Audit Partnership against the PSIAS, Local Government Application Note and the International Professional Practices Framework.
In selecting the Institute of Internal Auditors (IIA) a conscious effort was taken to ensure the external assessment was undertaken by the most credible source. As the authors of the Standards and the leading Internal Audit authority nationally and internationally the IIA were excellently positioned to undertake the external assessment.
In considering all sources of evidence the external assessment team concluded:
‘The mandatory elements of the IPPF include the Definition of Internal Auditing, Code of Ethics, Core Principles and International Standards. There are 64 fundamental principles to achieve with 118 points of recommended practice. We assess against the principles. It is our view that the Southern Internal Audit Partnership conforms to all 64 of these principles.
We have also reviewed SIAP conformance with the Public Sector Internal Audit Standards (PSIAS) and Local Government Application Note (LGAN). We are pleased to report that SIAP conform with all relevant, associated elements.’
Despite the change in the Standards any external quality assessment undertaken under the Public Sector Internal Audit Standards remains valid for the duration of the successive five years (from the date it was undertaken). The Southern Internal Audit Partnership will be commissioning an external quality assessment against the Global Internal Audit Standards in the UK Public Sector during 2025.
Developing the internal audit plan 2025/26
In accordance with the
Global Internal
Audit Standards in the UK Public Sector there is a requirement that
internal audit must create a risk-based
internal audit plan that supports the achievement of the
organisation’s objectives. The internal audit plan
provides the mechanism through which the Chief Internal Auditor can
ensure most appropriate use of internal audit resources to fulfil
the audit mandate and delivery of the
internal audit strategy.
|
The risk-based internal audit plan is prepared based on a range of inputs (see diagram).
Internal Audit focus should be proportionate and appropriately aligned. The plan will remain fluid and subject to on-going review and amendment, in consultation with the relevant audit sponsors, the Executive Management Team, and Audit Committee, to ensure internal audit are able to react to new and emerging risks and the changing needs of the Council.
Amendments to the plan will be identified through the Chief Internal Auditor’s continued contact and liaison with those responsible for the governance of the Council and reported and approved by the Executive Management Team, and Audit Committee through regular progress reports.
The Council are reminded that internal audit is only one source of assurance and through the delivery of our plan we will not, and do not seek to cover all risks and processes within the organisation. We will however continue to work closely with other assurance providers to ensure that duplication is minimised, and a suitable breadth of assurance is obtained. |
Internal audit resources
On development of the 2025/26 internal audit plan as Chief Internal Audit I am of the opinion that there is a sufficient level of resource available, supported by an appropriate range of knowledge, skills, qualifications and experience to deliver the internal audit plan in the fulfilment of the audit mandate and delivery of the internal audit strategy.
The Head of the Southern Internal Audit Partnership has a resource strategy in place to optimise internal audit resources to efficiently and effectively deliver the internal audit plan.
|
|
Human Resource - the internal audit service has access to an appropriate range of knowledge, skills, qualifications and experience required to deliver the internal audit strategy and operational risk-based audit plan.
If the Chief Internal Auditor, Executive Management Team or the Audit Committee consider that the scope or coverage of internal audit is limited in any way, or the ability of internal audit to deliver a service consistent with the Global Internal Audit Standards in the UK Public Sector is prejudiced, they will advise the Strategic Director - Corporate Resources & Transformation and Section 151 Officer, accordingly.
|
|
Financial Resource - the Head of Southern Internal Audit Partnership will manage the internal audit budget to enable the successful implementation of the internal audit mandate and achievement of the plan. The budget includes the resources necessary for the function’s operation, including training and relevant technologies and tools.
|
|
|
Technological Resource - the internal audit function has the technology to support the internal audit process and regularly evaluates technological resources in pursuit of opportunities to improve effectiveness and efficiency. |
Resourcing the internal audit plan
The Global Internal Audit Standards in the UK Public Sector require a clear analysis of the resources and hours available for internal audit engagements compared to other administrative and non-audit related activities or initiatives focused on improving the internal audit function.
|
Activity |
Days |
||
|
Risk-Based Audit /Advisory |
- |
Delivery of risk-based internal audit assignments designed to fulfil the audit mandate, delivery of the internal audit strategy and in support of the Council in the achievement of their objectives. |
344 |
|
Audit Management |
- |
Time allocated for the liaison and reporting to the Executive Management Team and Audit Committee, ongoing monitoring and update of the audit plan, implementation of management actions and ongoing quality review. |
38 |
|
New Forest National Park Authority |
- |
Provision of audit days to fulfil the Council’s Service Level Agreement with the National Park Authority |
18 |
|
Total Audit Days |
- |
Total resource allocation for the delivery of the internal audit plan |
400 |
*100% of the commissioned audit days are dedicated to fulfilling the audit mandate, and delivery of the internal audit strategy. Internal audit services are provided through the Southern Internal audit Partnership who undertake all administrative and non-audit related activities outside of the commissioned audit days.
A range of internal audit services are provided to deliver the internal audit plan (see Internal Audit Charter). The approach is determined by the Chief Internal Auditor and will depend on the level of assurance required, the significance of the objectives under review to the organisation’s success, the risks inherent in the achievement of objectives and the level of confidence required that controls are well designed and operating as intended.
Your Internal Audit Team
Your internal audit service is provided by the Southern Internal Audit Partnership. The team will be led by Antony Harvey, Deputy Head of Southern Internal Audit Partnership (Chief Internal Auditor), supported by Jade Lakeland, Audit Manager.
Independence
The Chief Internal Auditor will ensure that the internal audit function remains free from all conditions that threaten the ability of auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication. The Chief Internal Auditor is not aware of any relationships that may affect the independence and objectivity of the internal audit team.
The internal audit team retains no roles or responsibilities that have the potential to impair the internal audit functions independence, either in fact or appearance. Should such circumstance arise, the Chief Internal Auditor will advise the Audit Committee of the safeguards put in place to manage actual, potential or perceived impairments.
Internal Audit Plan 2025-26
|
Directorate Sponsor |
Scope |
Corporate Priority |
Principal Risk Register Reference |
Assurance / Advisory |
Internal Audit Risk Assessment |
Quarter |
|
|
Governance / Corporate Reviews |
|||||||
|
Transformation Programme |
SDCR&T |
How workstreams are identified, prioritised, delivered and benefits realised. |
Transformation Priority 4 |
PR17 |
Assurance |
High |
2 |
|
Corporate Governance Framework – Complaints |
CX |
Assess the framework for managing complaints, reporting measures and learning lessons to drive future improvements. |
All |
Service RR |
Assurance |
Medium |
1 |
|
Asset Management – Corporate Estate |
SDCR&T |
To assess the approach to strategic asset management including statutory compliance checks. |
Transformation Priority 3 |
Service RR |
Assurance |
High |
4 |
|
Investment Property Management |
SDCR&T |
The governance framework for managing investment properties including revenue collection. |
Transformation Priority 3 |
PR12 |
Assurance |
Medium |
2 |
|
Information Governance |
CX |
To assess progress with the delivery of the Council’s GDPR action plan and/or the arrangements to prevent, identify, investigate and learn lessons from data breaches. |
All |
PR7 |
Assurance |
High |
3 |
|
Procurement |
SDCR&T |
The governance framework for complying with the requirements of the new Procurement Act. |
Transformation Priority 3 |
PR14 |
Assurance |
Medium |
2 |
|
Business Continuity |
SDH&C |
Assessment of the plans and arrangements to maintain services following a major incident. |
All |
PR5 |
Assurance |
High |
3 |
|
Emergency Planning |
SDH&C |
Assessment of the plans and arrangements to respond to emergencies under the Civil Contingencies Act. |
Transformation Priority 4 |
PR2 |
Assurance |
High |
3 |
|
Risk Management |
SDCR&T |
To assess how the new risk management arrangements are becoming embedded following a Limited assurance review in 2024/25. |
All |
n/a |
Assurance |
High |
4 |
|
HR – Workforce Strategy and Wellbeing |
SDCR&T |
To assess the arrangements to attract, retain and develop the Council’s workforce and support wellbeing. |
Transformation Priority 2 |
Service RRs |
Assurance |
Medium |
3 |
|
Safeguarding |
SDH&C |
To assess the governance arrangements to identify/prevent potential safeguarding issues. |
People Priority 1 |
PR8 |
Assurance |
High |
1 |
|
Core Financial Systems |
|||||||
|
Council Tax |
SDCR&T |
Regular assessment of core financial systems and processes. |
Transformation Priority 3 |
PR12 & 13 |
Assurance |
Medium |
2 |
|
Accounts Receivable & Debt Management |
SDCR&T |
Regular assessment of core financial systems and processes. |
Transformation Priority 3 |
PR12 & 13 |
Assurance |
Medium |
4 |
|
Main Accounting and Reconciliations |
SDCR&T |
Regular assessment of core financial systems and processes. |
Transformation Priority 3 |
PR12 & 13 |
Assurance |
Medium |
2 |
|
ICT |
|||||||
|
Cyber Security Training and Awareness |
SDCR&T |
Assurance over controls in place to mitigate the likelihood of users causing compromise of data and/or systems through inappropriate actions. |
Transformation Priority 4 |
PR1 |
Assurance |
High |
1 |
|
IT Disaster Recovery and Service Continuity |
SDCR&T |
Assurance over the policies, procedures and controls in place to enable recovery of IT systems and IT's own service continuity plans to enable restoration of services and continuation of business as usual activities. |
Transformation Priority 4 |
PR1 |
Assurance |
High |
2 |
|
Application Product Management |
SDCR&T |
Assurance over the policies, procedures and controls in place to effectively manage applications including low code developments, e-forms, application upgrades. |
Transformation Priority 4 |
PR1 |
Assurance |
Medium |
3 |
|
Vulnerability Management |
SDCR&T |
Assurance over the policies, procedures and controls in place to identify and remediate vulnerabilities in the IT estate completely, promptly and effectively. |
Transformation Priority 4 |
PR1 |
Assurance |
High |
3 |
|
Service Reviews |
|||||||
|
Planning/Development |
SDPOS |
Assurance over the planning application processes as a core function of the Council. |
Place Priority 1 |
Service RR |
Assurance |
Medium |
2 |
|
Engineering works |
SDPOS |
To assess how the effectiveness of the actions taken to address issues identified within a previous Limited Assurance review prior to rollout to other Service areas. |
Place Priority 3 |
Service RR |
Assurance |
High |
1 |
|
Taxi Licencing |
SDH&C |
Assurance over the Taxi Licencing process to ensure all licences are issued in accordance with regulatory requirements and appropriate safeguarding checks are undertaken. |
Place Priority 2 |
PR8 |
Assurance |
Medium |
4 |
|
Tenant Engagement |
SDH&C |
To assess the governance arrangements for Tenant Engagement to understand their needs and provide high quality service standards in line with the Social Housing Charter and regulatory regime. |
People Priority 2 |
PR11 |
Assurance |
Medium |
1 |
|
Housing Asset Management – Analogue to Digital Switchover |
SDH&C |
To assess the plans and programme management arrangements to ensure all analogue lines are switched over to digital for Housing. |
People Priority 3 |
Service RR |
Assurance |
High |
3 |
|
Housing Asset Management – Fire Safety |
SDH&C |
To assess the plans and progress with addressing Fire Safety within the Council’s housing stock. |
People Priority 3 |
Service RR |
Assurance |
High |
2 |
|
Open spaces |
SDPOS |
To assess the processes to manage grounds maintenance including the calculation of service charges to tenants. |
People Priority 3 |
Service RR |
Assurance |
Medium |
3 |
|
Directorate Sponsor |
|||
|
CX |
Chief Executive |
SDPOS |
Strategic Director Place, Operations & Sustainability |
|
SDH&C |
Strategic Director Housing & Communities |
SDCR&T |
Strategic Director Corporate Resources & Transformation |
|
Corporate Plan Priorities |
|
|
People |
Helping people in the greatest need and creating balanced, resilient, and healthy communities who feel safe and supported with easy access to services. |
|
Priority 1 |
Helping those in our community with the greatest need. |
|
Priority 2 |
Empowering our residents to live healthy, connected and fulfilling lives. |
|
Priority 3 |
Meeting housing needs. |
|
Place |
Delivering growth, opportunity and services that shape our place now and for future generations, within a unique environmental context, to ensure we remain a special place to live, work and visit. |
|
Priority 1 |
Shaping our place now and for future generations. |
|
Priority 2 |
Protecting our climate, coast, and natural world. |
|
Priority 3 |
Caring for our facilities, neighbourhoods and open spaces in a modern and responsive way. |
|
Prosperity |
Promoting a strong local economy that delivers its inclusive aspirations through effective partnerships, attracting investment, and increasing skills and employment opportunities. |
|
Priority 1 |
Maximising the benefits of inclusive economic growth and investment. |
|
Priority 2 |
Supporting our high-quality business base and economic centres to thrive and grow. |
|
Priority 3 |
Championing skills and access to job opportunities. |
|
Future New Forest - Transformation |
Investing in our people and services to meet customer needs, protecting the Council’s financial position, and embedding sustainability through our Future New Forest transformation programme. |
|
Priority 1 |
Putting our customers at the heart. |
|
Priority 2 |
Being an employer of choice. |
|
Priority 3 |
Being financially responsible. |
|
Priority 4 |
Designing modern and innovative services. |
Annexe 1
Contingency Reviews
The table below includes a list of engagements that would have been performed if additional resources were available.
|
Audit Assignment |
Directorate Sponsor |
Scope |
Corporate Priority |
Corporate Risk Register Reference |
Assurance / Advisory |
Internal Audit Risk Assessment |
Quarter |
|
Street naming and numbering |
SDPOS |
Review identified by the Service Area to assess the processes for street naming and numbering. |
Place Priority 1 |
Service RR |
Assurance |
Low |
|
|
Anti-Social Behaviour |
SDH&C |
Review identified by the Service Area to assess the arrangements for tackling Anti-Social Behaviour. |
People Priority 2 |
Service RR |
Assurance |
Low |
|
|
Pest Control |
SDPOS |
Review identified by the Service Area to assess the arrangements for Pest Control including the calculation of charges and income collection. |
Place Priority 3 |
Service RR |
Assurance |
Low |
|
|
Beach Huts |
SDPOS |
Review identified by the Service Area to assess how leases are managed and charges are collected. |
Place Priority 3 |
Service RR |
Assurance |
Low |
|
Included to enable the Audit Committee to assess the adequacy of resources available to the internal audit function.