Annex A









Internal Audit Strategy and

Annual Audit Plan 2024-2025



























1.         Role of Internal Audit


1.1       The full role and scope of the Council’s Internal Audit Service is set out within the Internal Audit Charter and Terms of Reference (attached as Appendix B).  


1.2       The mission of Internal Audit, as defined by the Chartered Institute of Internal Auditors (CIIA), is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.  Internal Audit is defined as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”


1.3       The organisation’s response to internal audit activity should lead to a strengthening of the control environment, thus contributing to the overall achievement of organisational objectives.


2.         Risk Assessment and Audit Planning


2.1         East Sussex County Council’s Internal Audit Strategy and Annual Audit Plan is updated annually and is based on a number of factors, especially management’s assessment of risk (including that set out within the strategic and departmental risk registers) and our own risk assessment of the Council’s major systems and other auditable areas.  This allows us to prioritise those areas to be included within the audit plan on the basis of risk. 


2.2         The annual planning process has once again involved consultation with a range of stakeholders to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered.  In order to ensure that the most effective use is made of available resources, to avoid duplication and to minimise service disruption, efforts will continue to be made to identify, and where possible, rely upon, other sources of assurance available.  The following diagram sets out the various sources of information used to inform our 2024/25 audit planning process:


Diagram  Description automatically generated


2.3         Through this process, we have been able to identify key areas for audit activity in 2024/25, including strategic risks and issues, key priority projects and programmes, priority service reviews, key financial systems, and grant claims.  The remainder of the direct audit days are earmarked as emerging risks/contingency which enables us to respond to the rapidly changing risk landscape across the Authority.


2.4         In order to ensure audit and assurance activity is properly focussed on supporting the delivery of the Council’s priorities, the audit plan has taken into account the key corporate priority outcomes of the Council as set out within the Council Plan. These are:


·           Helping people help themselves;

·           Keeping vulnerable people safe;

·           Driving sustainable economic growth; and

·           Making best use or resources in the short and long term.


2.5       In producing the audit plan (which is set out in Appendix A to this report) the following key principles continue to be applied:


·         Key financial systems are subject to a cyclical programme of audits covering, as a minimum, compliance against key controls;

·         Previous reviews which resulted in ‘minimal assurance’ or ‘partial assurance’ audit opinions will be subject to a specific follow-up review to assess the effective implementation by management of agreed actions; and

·         Any reviews which we were unable to deliver during the previous financial year will be considered once again as part of our audit planning risk assessment, and prioritised as appropriate.


2.6       As with previous years, the 2024/25 audit plan remains flexible.  This is in part due to the continued uncertainties over timing of the go-live of the new ERP system, and also because of the changing nature of the risk landscape across the public sector, including in relation to the ongoing financial challenges faced by councils.  Given the likelihood of the plan needing to flex within the year ahead, we have identified, at the end of Appendix A, a number of additional audit assignments that may, on a risk-prioritized basis, be drawn into our workload if planned audits are postponed or cancelled.


2.7       In addition, formal action tracking arrangements are in place to monitor the implementation by management of all individual high-priority agreed actions, with the results of this work reported to CMT and the Audit Committee on a quarterly basis.


2.8       Since 2018, East Sussex County Council, Surrey County Council and Brighton and Hove City Council have been working together to establish and develop the Orbis Internal Audit Partnership.  In doing this, we are able to deliver high quality and cost-effective assurance services to each partner, drawing upon the wide range of skills and experience from across the various teams.  The size and scale of the partnership has also enabled us to invest in specialist IT Audit and Counter Fraud services, to the benefit of each partner council and external fee-paying client.



3.         Key Issues


3.1       As the Council responds to operational and financial challenges, it must both manage change effectively and ensure that core controls remain in place.  In order to respond to the continued reduction in financial resources and the increased demand for services, the Council needs to consider some radical changes to its service offer in many areas.


3.2         Internal Audit must therefore be in a position to give an opinion and assurance that covers the control environment in relation to both existing systems and these new developments.  It is also essential that this work is undertaken in a flexible and supportive manner, in conjunction with management, to ensure that both risks and opportunities are properly considered.  During 2024/25, a number of major organisational initiatives and/or risks will feature within the audit plan, with the intention that Internal Audit is able to provide proactive advice, support and assurance as these programmes progress.  These include:


·           Modernising Back Office Systems (MBOS) programme (SAP replacement)

·           Transition of Local Enterprise Partnerships

·           Organisational Response to Financial Challenges

·           Implementation of IMPOWER Recommendations

·           Supply Chain Cyber Security

·           Cultural Compliance Reviews


3.3       As explained previously, in recognition of current uncertainties and that in some cases, sufficient information regarding the full extent of future changes and associated risks may not yet be known, the 2024/25 audit plan will, as in previous years, include a proportion of time classified as ‘Emerging Risks’.  This approach has been adopted to enable Internal Audit to react appropriately throughout the year as new risks materialise and to ensure that expertise in governance, risk and internal control can be utilised early in the change process.  


3.4       In view of the above, Internal Audit will continue to work closely with senior management and Members throughout the year to identify any new risks and to agree how and where audit resources can be utilised to best effect.  


3.5       Other priority areas identified for inclusion within the audit plan include:


·           Key Financial Systems

·           Volunteers

·           Accountable Body Status

·           Artificial Intelligence

·           Waivers to Procurement and Contract Standing Orders

·           Home Care Contract – Contract Management

·           Transition of Young People into Adult Social Care

·           Unaccompanied Asylum-Seeking Children

·           Alternative Education Provision Commissioning for Children

·           Emergency Planning



3.6       The results of all audit work undertaken will be summarised within quarterly update reports to CMT and the Audit Committee, along with any common themes and findings arising from our work.


4.         Counter Fraud


4.1       Managing the risk of fraud and corruption is the responsibility of management.  Internal Audit will, however, be alert in all its work to risks and exposures that could allow fraud or corruption and will investigate allegations of fraud and corruption in line with the Council’s Anti-Fraud and Corruption Strategy.


4.2       The Chief Internal Auditor should be informed of all suspected or detected fraud, corruption or irregularity in order to consider the adequacy of the relevant controls and evaluate the implication for their opinion on the control environment.


4.3       In addition, Internal Audit will promote an anti-fraud and corruption culture within the Council to aid the prevention and detection of fraud.  Through the work of the Counter Fraud Team, Internal Audit will maintain a fraud risk assessment and deliver a programme of proactive and reactive counter fraud services to help ensure that the Council continues to protect its services from fraud loss.  This will include leading on the National Fraud Initiative data matching exercise on behalf of the Council.


5.         Matching Audit Needs to Resources


5.1       The overall aim of the Internal Audit Strategy is to allocate available internal audit resources so as to focus on the highest risk areas and to enable an annual opinion to be given on the adequacy and effectiveness of the Council’s governance, risk and control framework.


5.2       In addition to this, resources have been allocated to the external bodies for whom Orbis Internal Audit also provide internal audit services, at an appropriate charge.  These include Horsham District Council, Hastings Borough Council, Elmbridge Borough Council, East Sussex Fire Authority and South Downs National Park.


5.3       Internal audit activities will be delivered by a range of staff from across the Orbis Internal Audit Service, maximising the value from a wide range of skills and experience available.  In the small number of instances where sufficient expertise is not available from within the team, mainly in highly technical or specialist areas, the option of engaging externally provided specialist resources will continue to be considered. 


5.4        The following table summarises the level of audit resources expected to be available for the Council in 2024/25 (expressed in days), compared to the equivalent number of planned days in previous years.  As can be seen, there is a slight increase in the number of planned days from 2023/24, returning to 2022/23 levels. In addition, wherever possible, we will continue to look to source additional capacity from outside of the service.  The overall level of planned resource continues to be considered sufficient to allow Internal Audit to deliver its risk-based plan in accordance with professional standards[1] and to enable the Chief Internal Auditor to provide his annual audit opinion.


Table 1:  Annual Internal Audit Plan – Plan Days






ESCC Audit Plan Days





East Sussex Pension Fund Plan Days











6.         Audit Approach


6.1       The approach of Internal Audit is to use risk-based reviews, supplemented in some areas by the use of compliance audits and themed reviews.  All audits have regard to management’s arrangements for:


·         Achievement of the organisation’s objectives;

·         Reliability and integrity of financial and operational information;

·         Effectiveness and efficiency of operations and programmes;

·         Safeguarding of assets; and

·         Compliance with laws, regulations, policies, procedures and contracts.


6.2       In addition to these audits, and the advice on controls given on specific development areas which are separately identified within the plan, there are a number of generic areas where there are increasing demands upon Internal Audit, some of which cannot be planned in advance.  For this reason, time is built into the plan to cover the following:


·         Contingency – an allowance of days to provide capacity for unplanned work, including special audits and management investigations.  This contingency also allows for the completion of work in progress from the 2023/24 plan;


·         Advice, Management, Liaison and Planning - an allowance to cover provision of ad hoc advice on risk, audit and control issues, audit planning and annual reporting, ongoing liaison with service management and Members, and audit management time in support of the delivery of all audit work, planned and unplanned.


6.3       In delivering this strategy and plan, we will ensure that liaison has taken place with the Council’s external auditors, Grant Thornton, to ensure that the use of audit resources is maximised, duplication of work is avoided, and statutory requirements are met.


7.         Training and Development


7.1       The effectiveness of the Internal Audit Service depends significantly on the quality, training and experience of its staff.  Training needs of individual staff members are identified through a formal performance and development process and are delivered and monitored through on-going management supervision. 


7.2       The team is also committed to coaching and mentoring its staff, and to providing opportunities for appropriate professional development.  This is reflected in the high proportion of staff holding a professional internal audit or accountancy qualification as well as numerous members of the team continuing with professional training during 2024/25.


8.         Quality and Performance


8.1       With effect from 1 April 2013, all of the relevant internal audit standard setting bodies, including CIPFA, adopted a common set of Public Sector Internal Audit Standards (PSIAS).  These are based on the Institute of Internal Auditors International Professional Practices Framework and replace the previous Code of Practice for Internal Audit in Local Government.  


8.2       Included within the new Standards is the requirement for the organisation to define the terms ‘Board’ and ‘senior management’ in the context of audit activity.  This has been set out within the Internal Audit Charter, which confirms the Audit Committee’s role as the Board. 


8.3       The PSIAS require each internal audit service to maintain an ongoing quality assurance and improvement programme based on an annual self-assessment against the Standards, supplemented at least every five years by a full independent external assessment.  The outcomes from these assessments, including any improvement actions arising, will be reported to the Audit Committee, usually as part of the annual internal audit report.  In our latest external assessment, completed by the Chartered Institute of Internal Auditors (IIA) in autumn 2022, we were assessed as achieving the highest level of conformance available against the professional standards, with no areas of non-compliance identified, as reported to Audit Committee in March 2023.  


8.4       For clarity, the Standards specify that the following core principles underpin an effective internal audit service:


·         Demonstrates integrity;

·         Demonstrates competence and due professional care;

·         Is objective and free from undue influence (independent);

·         Aligns with the strategies, objectives, and risks of the organisation;

·         Is appropriately positioned and adequately resourced;

·         Demonstrates quality and continuous improvement;

·         Communicates effectively;

·         Provides risk-based assurance;

·         Is insightful, proactive, and future-focused;

·         Promotes organisational improvement.


8.5       In addition, the performance of Orbis Internal Audit continues to be measured against key service targets focussing on service quality, productivity and efficiency, compliance with professional standards, influence and our staff.  These are all underpinned by appropriate key performance indicators as set out in Table 2 below.


8.6       At a detailed level, each audit assignment is monitored and customer feedback sought.  There is also ongoing performance appraisals and supervision for all Internal Audit staff during the year to support them in achieving their personal targets. 


8.7       In addition to the individual reports to management for each audit assignment, reports on key audit findings and the delivery of the audit plan are made to the Audit Committee on a quarterly basis.  An Annual Internal Audit Opinion is also produced each year.


8.8       Whilst Orbis Internal Audit liaises closely with other internal audit services through the Sussex and Surrey audit and counter fraud groups, the Home Counties Chief Internal Auditors’ Group and the Local Authority Chief Auditors’ Network, we are continuing to develop joint working arrangements with other local authority audit teams to help improve resilience and make better use of our collective resources.


Table 2:  Performance Indicators


Aspect of Service

Orbis IA Performance Indicators



  • Annual Audit Plan agreed by Audit Committee
  • Annual Audit Report and Opinion





  • Customer satisfaction levels

By end April


By end July.  To inform Annual Governance Statement (AGS)


90% satisfied

Productivity and Process Efficiency

  • Audit Plan – completion to draft report stage by 31 March 2024
  • Audit Days – delivery of audit plan days




Compliance with Professional Standards


  • Public Sector Internal Audit Standards
  • Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act





Outcomes and degree of influence

  • Implementation of management actions agreed in response to audit findings

97% for high priority actions

Our Staff

  • Professionally Qualified/Accredited




Russell Banks

Orbis Chief Internal Auditor

[1] Public Sector Internal Audit Standards (PSIAS)