Audit Committee – 31 October 2025
External Quality Assessment
|
Purpose |
For information |
|
Classification |
Public |
|
Executive Summary |
The purpose of this paper is to provide an overview of the alternative options considered in commissioning an external assessor to undertake the independent assessment of the Southern Internal Audit Partnership against the Global Internal Audit Standards in the UK Public Sector. |
|
Recommendation(s) |
The Audit Committee are requested to: 1. note the arrangements for the external assessment of the Southern Internal Audit Partnership against the Global Internal Audit Standards in the UK Public Sector. |
|
Reasons for recommendation(s) |
The Audit Committee has a responsibility to note the arrangements for the external quality assessment in accordance with the Global Internal Audit Standards in the UK Public Sector. |
|
Ward(s) |
All Wards |
|
Portfolio Holder(s) |
Councillor Jeremy Heron – Finance and Corporate |
|
Strategic Director(s) |
Alan Bethune, Strategic Director of Corporate Resources and Transformation. S151 Officer |
|
Officer Contact |
Antony Harvey Deputy Head of Southern Internal Audit Partnership 07784 265289 |
Introduction and background
1. The mandate for internal audit in local government is specified within the Accounts and Audit [England] Regulations 2015, which states:
2. From 1 April 2025, the ‘standards or guidance’ in relation to internal audit are those laid down in the Global Internal Audit Standards (GIAS), Application Note: Global Internal Audit Standards in the UK Public Sector (Application Note) and the Code of Practice for the Governance of Internal Audit in UK Local Government. The collective requirements are referred to as the Global Internal Audit Standards in the UK Public Sector (the Standards).
3. The Standards (8.3) require ‘the Chief Internal Auditor to develop, implement and maintain a quality assurance and improvement programme that covers all aspects of the internal audit function. The programme includes two types of assessments:
· External assessments
· Internal assessments’
4. The Southern Internal Audit Partnership’s Quality Assurance and Improvement Programme is provided at Appendix 1
5. The Standards (8.4) require that ‘the Chief Internal Auditor must develop a plan for an external quality assessment and discuss the plan with the Audit Committee. The external audit assessment must be performed at least once every five years by a qualified, independent assessor or assessment team. The requirement for an external assessment may also be met through a self-assessment with independent validation.’
Form of External Quality Assessment
6. There are two approaches to meeting the requirement of an External Quality Assessment.
7. Both approaches include workpaper reviews, surveys, stakeholder interviews, and issuance of a report that provides a rating as identified by the Quality Assessment Manual, i.e., Full Achievement, General Achievement, Partial Achievement and Non-Achievement.
External Assessor
8. GIAS 8.4 sets out a requirement that when selecting the independent assessor or assessment team, the chief internal auditor must ensure at least one person holds an active Certified Internal Auditor designation.
9. The Relevant Internal Audit Standard Setters (RIASS) in their Application Note have determined that the qualification requirement in GIAS 8.4 (External Quality Assessment) should be replaced by a more comprehensive qualification requirement within the public sector.
10. The enhanced expectation within the public sector is that at least one person has the characteristics outlined for qualification as a chief internal auditor. The RIASS consider that such a person would normally have an understanding of the GIAS commensurate with the Certified Internal Auditor designation, including internal audit relevant continuing professional development and an understanding of how the GIAS are applied in the UK public sector. These matters must be considered as part of the selection process.
Independence
11. It is essential that there are no impairments to the independence of the external assessor or assessment team driven by past, present, or anticipated future relationships with the organisation, its personnel, or the Southern Internal Audit Partnership.
12. Appropriate due diligence has been carried out on the assessors and their assessments teams with which we have engaged to quote for the external quality assessment.
Scope & Frequency
13. There is a requirement that all internal audit providers undergo an external quality assessment performed by an independent and qualified assessor or assessment team at least once every five years to ensure conformance with the Standards.
14. It is permissible that more frequent external quality assessments are undertaken should this be considered necessary.
15. Given the requirement to supplement the external quality assessment with an annual self-assessment the outcomes of which will be fully and transparently reported to the Audit Committee, it is considered that an external quality assessment every five years remains a proportionate approach.
16. Should there be significant change to arrangements within the Southern Internal Audit Partnership including changes in leadership, operating model, methodologies or excessive staff turnover, the Head of the Southern Internal Audit Partnership will further engage with Senior Management and the Audit Committee to discuss whether an additional external assessment (within the 5-year timeframe) would be appropriate.
17. The scope of the external quality assessment will include a comprehensive review of the Southern Internal Audit Partnership’s:
· Conformance with the Global Internal Audit Standards in the UK Public Sector.
· Mandate, charter, strategy, methodologies, processes, risk assessment and internal audit planning.
· Performance measures and outcomes.
· Qualifications and competencies including those of the Chief Internal Auditor.
· Integration into the organisation’s governance processes.
· Contribution towards the organisation governance, risk management, and control processes.
· Contribution to the organisations operations and ability to attain its objectives.
· Ability to meet the expectations of stakeholders.
External Quality Assessment Providers
18. There are several organisations capable of providing external quality assessments, however, the requirement of public sector expertise does significantly limit the field. Consequently, the Head of Southern Internal Audit Partnership has engaged with the following providers to acquire details of approach and cost:
· Chartered Institute of Public Finance and Accountancy (CIPFA)
· JC Audit Training Ltd
· BHBi (in partnership with Littlejohn and Haley).
External Quality Assessment Providers Discounted
19. A further credible source of assessment provider would be the Institute of Internal Auditors (IIA), however, due to the IIA having undertaken the Southern Internal Audit Partnership’s external quality assessments in 2015 and 2020 this was not explored for our 2025 assessment as it is considered a fresh perspective on conformance and operating practices would be beneficial and mitigates any perceived impairment to independence.
20. The Global Internal Audit Standards do enable provision for reciprocal peer assessments rotated among three or more organisations within the same industry sector.
21. Due to their nature there would be no financial outlay in adopting this approach, however, there would be the opportunity costs of the Head of the Southern Internal Audit Partnerships time in reciprocating any peer review requested of the SIAP.
22. The independent status of the external assessment is paramount and there may be a perception that this is diminished as part of the peer review approach. As such the collaborative approach has not been explored further as part of this paper.
Implications for Multi Service Providers
23. The benefits of an EQA go beyond conformance with the GIAS. An EQA provides independent and objective assurance to internal audit stakeholders that the governance, management, and services of internal audit are meeting best practice and the needs of the organisation.
24. However, the introduction of new requirements in GIAS, such as the essential conditions placed on the Audit Committee and senior management, introduce practical challenges for multi-client providers (MCPs) such as the Southern Internal Audit Partnership which need to be considered.
25. The involvement of the Audit Committee and senior management can now present challenge for MCPs who have historically arranged one EQA to cover all clients. MCPs now need to consult with every Audit Committee they provide services to and provide individual reports, increasing the workload and costs which have not been previously factored.
26. There remains ongoing consultation, and we await further clarification, however, engagement with each of the potential assessors has made clear our operating model, position as a multi-client provider and need to ensure a robust process to demonstrate conformance on which all of our partner organisations can place reliance.
Recommended Approach
27. It is recommended that the Southern Internal Audit Partnership conduct their external assessment as a Self-Assessment with Independent Validation (SAIV) as outlined in paragraph 6.
28. The key drivers for the SAIV approach include:
· It is a recognised approach within the Standards, meeting the requirements of an external quality assessment.
· The approach requires external validation from an independent, qualified external assessor.
· Provides a more economical approach as a majority of information gathering is completed by the Southern Internal Audit Partnership. This is particularly pertinent due to our multi-client provider status.
· Minimises capacity implications for our Partners.
Next Steps
29. Following receipt of quotations from the providers (detailed in paragraph 18) a full assessment of proposals will be undertaken with appointment based on:
· Cost
· Experience (profession and industry)
· Qualification
· Independence
· Approach.
30. The successful provider will be commissioned to undertake the SAIV with a requirement for completion by December 2025.
31. The Southern Internal Audit Partnership have already compiled a full self-assessment against the Global Internal Audit Standards in the UK Public Sector during July / August 2025 in preparedness for the external assessor.
32. A copy of the external assessor report will be presented to the first meeting of the Audit Committee in 2026. Additionally, an action plan for review and approval will be presented by the Chief Internal Auditor to address any identified deficiencies or opportunities for improvement, if applicable.
Conclusion
33. To accord with the Global Internal Audit Standards in the UK Public Sector the Head of the Southern Internal Audit Partnership has put in place arrangements for a SAIV to be conducted during November / December 2025.
34. In accordance with the Standards and the Internal Audit Charter outcomes will be fully reported to the Audit Committee following receipt of the assessor’s final report.
Corporate plan priorities
35. The Council is responsible for establishing and maintaining appropriate risk management processes, control systems, accounting records and governance arrangements. Internal audit plays a vital role in advising the Council that these arrangements are in place and operating effectively. The Council’s response to internal audit activity should lead to the strengthening of the control environment and, therefore, contribute to the achievement of the organisation’s objectives.
Options appraisal
36. The alternative options considered in commissioning an external assessor to undertake the independent assessment of the Southern Internal Audit Partnership against the Global Internal Audit Standards in the UK Public Sector have been outlined throughout this report. There are no other options to consider as an EQA is a requirement of the Global Internal Audit Standards against which all internal audit providers must conform.
Consultation undertaken
37. This report has been discussed with the Executive Management Team (EMT) on 23 September 2025. EMT:-
· noted and endorsed the arrangements for the external quality assessment of the Southern Internal Audit Partnership against the Global Internal Audit Standards in the UK Public Sector; and
· endorsed the report is shared with the Chair of the Audit Committee ahead of formal reporting to the Committee in October 2025.
Financial and resource implications
38. Internal audit is provided through the Southern Internal Audit Partnership and the cost of the recommended approach for the EQA is included within these arrangements.
Legal implications
39. The statutory requirement for internal audit in local government is specified within the Accounts and Audit [England] Regulations 2015. Internal audit functions within the UK Public Sector must conform with The Global Internal Audit Standards in the UK Public Sector (the Standards). The Standards require the Chief Internal Auditor ‘to develop, implement and maintain a quality assurance and improvement programme that covers all aspects of the internal audit function’ and ‘develop a plan for an external quality assessment and discuss the plan with the Audit Committee’. This report provides the Audit Committee with the planned approach for the external quality assessment (EQA) together with the Southern Internal Audit Partnership’s Quality Assurance and Improvement Programme.
Risk assessment
40. Failure to commission an EQA and report on the outcomes would lead to an audit service which does not comply with the Standards, or provide independent and objective assurance to stakeholders that the governance, management, and services of internal audit are meeting best practice and the needs of the organisation.
Environmental / Climate and nature implications
41. There are no additional implications arising from this report.
Equalities implications
42. There are no additional implications arising from this report.
Crime and disorder implications
43. There are no additional implications arising from this report.
Data protection / Information governance / ICT implications
44. There are no additional implications arising from this report.
|
Appendices: |
Background Papers: |
|
Appendix 1 – Quality Assessment and Improvement Programme
|
Implementation of the Global Internal Audit Standards Internal Audit Charter and Plan 2025-26 |