Annex A
Internal Audit Strategy and
Annual Audit Plan 2025-2026
1. Role of Internal Audit
1.1 The full role and scope of the Council’s Internal Audit Service is set out within the Internal Audit Charter and Terms of Reference, attached to this Strategy as Appendix B.
1.2 The purpose of Internal Audit, as defined within Global Internal Audit Standards (GIAS), is to ‘strengthen the organisation’s ability to create, protect, and sustain value by providing the board and management with independent, risk based, and objective assurance, advice, insight and foresight’.
1.3 Internal audit activity, and the organisation’s response to it, enhances the organisation’s:
· Successful achievement of its objectives;
· Governance, risk management and control processes;
· Decision making and oversight;
· Reputation and credibility with its stakeholders;
· Ability to serve the public interest.
2. Risk Assessment and Audit Planning
2.1 East Sussex County Council’s Internal Audit Strategy and Annual Audit Plan is updated annually and is based on a number of factors, especially management’s assessment of risk (including that set out within the strategic and departmental risk registers) and our own risk assessment of the Council’s major systems and other auditable areas. This allows us to prioritise those areas to be included within the audit plan on the basis of risk.
2.2 The annual planning process has once again involved consultation with a range of stakeholders to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered. In order to ensure that the most effective use is made of available resources, to avoid duplication and to minimise service disruption, efforts will continue to be made to identify, and where possible, rely upon, other sources of assurance available. The following diagram sets out the various sources of information used to inform our 2025/26 audit planning process:
2.3 Through this process, we are able to identify key areas for audit activity, including strategic risks and issues, key priority projects and programmes, priority service reviews, key financial systems, and grant claims. We also earmark time for emerging risk which enables us to respond to the rapidly changing risk landscape across the Authority.
2.4 In order to ensure audit and assurance activity is properly focussed on supporting the delivery of the Council’s priorities, the audit plan has taken into account the key corporate priority outcomes of the Council as set out within the Council Plan. These are:
· Helping people help themselves;
· Keeping vulnerable people safe;
· Driving sustainable economic growth; and
· Making best use of our resources in the short and long term.
2.5 In producing the audit plan (which is set out in Appendix A to this report) the following key principles continue to be applied:
· Key financial systems are subject to a cyclical programme of audits covering, as a minimum, compliance against key controls. For this year, this work is expected to be more significant given the planned go-live of the Oracle Enterprise Resource Planning (ERP) solution and the extent to which so many key financial processes are dependent upon this system;
· Previous reviews which resulted in ‘minimal assurance’ or ‘partial assurance’ audit opinions will be subject to specific follow-up reviews to assess the effective implementation by management of agreed actions; and
· Any reviews which we were unable to deliver during the previous financial year will be considered once again as part of our audit planning risk assessment and prioritised as appropriate.
2.6 It should be noted that the 2025/26 audit plan remains as flexible as possible, in accordance with professional standards. One driver for this is the changing nature of the landscape across the public sector, especially with new legislation associated with Local Government Reorganisation (LGR) and Devolution, which will create unitary authorities and transform the current two-tier local authority model. Depending on final timescales, we anticipate additional calls upon Internal Audit toward the second half of the year as issues and risks emerge around this transformation, although at this stage the specific scope of our work cannot be fully defined. Regardless, Internal Audit will aim to do all it can to provide proactive advice, support and assurance around this major change activity.
2.7 Given the likelihood of the plan needing to flex within the year ahead, we have identified, at the end of Appendix A, additional audit assignments that may, on a risk-prioritised basis, be drawn into our workload if planned audits are postponed or cancelled. Given Internal Audit may also need to remodel as a service to adapt to the emerging position around LGR, we have included time within the audit plan to provide capacity to undertake this work, updates on which will be provided as the position becomes clearer.
2.8 In addition to all planned activity, formal action tracking arrangements remain in place to monitor the implementation by management of all individual high-priority agreed actions, with the results of this work reported to CMT and the Audit Committee on a quarterly basis.
2.9 The Internal Audit service for East Sussex County Council continues to be delivered in partnership with Surrey County Council and Brighton and Hove City Council. In so doing, we are able to deliver high quality and cost-effective assurance services to each partner, drawing upon the wide range of skills and experience from across the various teams. The size and scale of the partnership has also enabled us to invest in specialist IT Audit and Counter Fraud services, to the benefit of each partner council and external fee-paying clients.
3. Key Issues
3.1 In times of significant transformation, organisations must both manage change effectively and ensure that core controls remain in place. In order to respond to the continued reduction in financial resources and the increased demand for services, the Council needs to consider some radical changes to its service offer in many areas.
3.2 Internal Audit must therefore be in a position to give an opinion and assurance that covers the control environment in relation to both existing systems and these new developments. It is also essential that this work is undertaken in a flexible and supportive manner, in conjunction with management, to ensure that both risks and opportunities are properly considered.
3.3 A significant proportion of our work in 2025/26 will be in relation to the Council’s new Enterprise Resource Planning (ERP) system, Oracle. With phase 2 (Finance, Procurement and Recruitment) of the implementation programme due to go-live in April 2025, we will assess the control environment across the whole system following implementation. We will also assess the proposed controls within Payroll (phase 3) which is due to go live in 2026.
3.4 As explained previously, in recognition of current uncertainties and that in some cases, sufficient information regarding the full extent of future changes and associated risks may not yet be known, the 2025/26 audit plan will, as in previous years, include a proportion of time classified as ‘Emerging Risks’. This approach has been adopted to enable Internal Audit to react appropriately throughout the year as new risks materialise and to ensure that expertise in governance, risk and internal control can be utilised early in the change process.
3.5 In view of the above, Internal Audit will continue to work closely with senior management and Members throughout the year to identify any new risks and to agree how and where audit resources can be utilised to best effect.
3.6 Other priority areas identified for inclusion within the audit plan include:
· Devolution / Local Government Reorganisation
· Compliance with New Procurement Regulations
· Transport for the South-East – Governance Arrangements
· Alternative Education Provision
· Implementation of Savings in Adult Social Care
· Artificial Intelligence
· Cultural Compliance Audits
3.7 The results of all audit work undertaken will be summarised within quarterly update reports to CMT and the Audit Committee, along with any common themes and findings arising from our work.
4. Counter Fraud
4.1 Managing the risk of fraud and corruption is the responsibility of management. Internal Audit will, however, be alert in all its work to risks and exposures that could allow fraud or corruption and will investigate allegations of fraud and corruption in line with the Council’s Anti-Fraud and Corruption Strategy.
4.2 The Chief Internal Auditor should be informed of all suspected or detected fraud, corruption or irregularity in order to consider the adequacy of the relevant controls and evaluate the implication for their opinion on the control environment.
4.3 In addition, Internal Audit will promote an anti-fraud and corruption culture within the Council to aid the prevention and detection of fraud. Through the work of the Counter Fraud Team, Internal Audit will maintain a fraud risk assessment and deliver a programme of proactive and reactive counter fraud services to help ensure that the Council continues to protect its services from fraud loss. This will include leading on the National Fraud Initiative data matching exercise on behalf of the Council.
5. Matching Audit Needs to Resources
5.1 The overall aim of the Internal Audit Strategy is to allocate available internal audit resources so as to focus on the highest risk areas and to enable an annual opinion to be given on the adequacy and effectiveness of the Council’s governance, risk management and internal control arrangements.
5.2 In addition to this, resources have been allocated to the external bodies for whom Orbis Internal Audit also provide internal audit services, at an appropriate charge, therefore further improving the value for money of the service. These include Horsham District Council, Hastings Borough Council, Elmbridge Borough Council, East Sussex Fire Authority and South Downs National Park.
5.3 Internal audit activities will be delivered by a range of staff from across the wider service, maximising the value from the broad range of skills and experience available. In the small number of instances where sufficient expertise is not available from within the service, mainly in highly technical or specialist areas, the option of engaging externally provided specialist resources will continue to be considered.
5.4 The following table summarises the level of audit resources expected to be available for the Council in 2025/26 (expressed in days), compared to the equivalent number of planned days in previous years. As can be seen, the total estimated resource for 2025/26 remains the same as in the previous year. The overall level of planned resource continues to be considered sufficient to allow Internal Audit to deliver its risk-based plan in accordance with professional standards[1] and to enable the Chief Internal Auditor to provide his annual audit opinion.
Table 1: Annual Internal Audit Plan – Plan Days
|
|
2022/23 |
2023/24 |
2024/25 |
2025/26 |
|
ESCC Audit Plan Days |
1,495 |
1,445 |
1,520 |
1,520 |
|
East Sussex Pension Fund Plan Days |
100 |
75 |
75 |
75 |
|
Total |
1,595 |
1,520 |
1,595 |
1,595 |
6. Audit Approach
6.1 The approach of Internal Audit is to use risk-based reviews, supplemented in some areas by the use of compliance audits and themed reviews. All audits have regard to management’s arrangements for:
· Achievement of the organisation’s objectives;
· Reliability and integrity of financial and operational information;
· Effectiveness and efficiency of operations and programmes;
· Safeguarding of assets; and
· Compliance with laws, regulations, policies, procedures and contracts.
6.2 In addition to these audits, and the advice on controls given on specific development areas which are separately identified within the plan, there are a number of generic areas where there are increasing demands upon Internal Audit, some of which cannot be planned in advance. For this reason, time is built into the plan to cover the following:
· Contingency – an allowance of days to provide capacity for unplanned work, including special audits and management investigations. This contingency also allows for the completion of work in progress from the 2024/25 plan;
· Advice, Management, Liaison and Planning - an allowance to cover provision of ad hoc advice on risk, audit and control issues, audit planning and annual reporting, ongoing liaison with service management and Members, and audit management time in support of the delivery of all audit work, planned and unplanned.
6.3 In delivering this strategy and plan, we will ensure that liaison has taken place with the Council’s external auditors, Grant Thornton, to ensure that the use of audit resources is maximised, duplication of work is avoided, and statutory requirements are met.
7. Training and Development
7.1 The effectiveness of the Internal Audit Service depends significantly on the quality, training and experience of its staff. Training needs of individual staff members are identified through a formal performance and development process and are delivered and monitored through on-going management supervision.
7.2 The team is also committed to coaching and mentoring its staff, and to providing opportunities for appropriate professional development. This is reflected in the high proportion of staff holding a professional internal audit or accountancy qualification, as well as numerous members of the team continuing with professional training during 2025/26.
8. Quality and Performance
8.1 With effect from 1 April 2025, all internal audit teams in the public sector will be working to new internal audit standards, being a combination of ‘Global Internal Audit Standards’ (GIAS) and the ‘Application Note, GIAS in the UK Public Sector’. Whilst these Standards replace the previous Public Sector Internal Audit Standards (PSIAS) and are likely to require some updating of internal documentation, such as the Internal Audit Charter, the impact on our approach to internal audit activities and methodologies is not considered to be significant.
8.2 Work is currently underway to complete an updated self-assessment against the new GIAS, details of which will be reported to CMT and Audit Committee during 2025/26, along with actions arising from this. In the meantime, the service will continue to maintain an ongoing quality assurance and improvement programme based on the previous Standards, which also required an independent external assessment of the service at least every five years.
8.3 The results of our latest external assessment, completed by the Chartered Institute of Internal Auditors (IIA) in autumn 2022, were reported to Audit Committee in March 2023. Internal Audit was assessed as achieving the highest level of conformance available against professional standards with no areas of non-compliance identified, and therefore no formal recommendations for improvement arising. In summary, the service was assessed as:
Excellent in:
· Reflection of the Standards
· Focus on performance, risk and adding value
Good in:
· Operating with efficiency
· Quality Assurance and Improvement Programme
Satisfactory in:
· Coordinating and maximising assurance
8.4 In addition, the performance of Internal Audit continues to be measured against key service targets focussing on service quality, productivity and efficiency, compliance with professional standards, impact/influence and our staff. These are all underpinned by appropriate key performance indicators as set out in Table 2 below.
8.5 At a detailed level each audit assignment is monitored, and customer feedback sought. There is also ongoing performance appraisals and supervision for all Internal Audit staff during the year to support them in achieving their personal targets.
8.6 Along with the individual reports to management for each audit assignment, reports on key audit findings and the delivery of the audit plan are prepared for CMT and the Audit Committee on a quarterly basis. An Annual Internal Audit Opinion is also produced each year.
8.7 Whilst Internal Audit liaises closely with other internal audit services through the Sussex and Surrey audit and counter fraud groups, the Home Counties Chief Internal Auditors’ Group and the Local Authority Chief Auditors’ Network, we are continuing to develop joint working arrangements with other local authority audit teams to help improve resilience and make better use of our collective resources.
Table 2: Performance Indicators
|
Aspect of Service |
Orbis IA Performance Indicators |
Target |
|
Quality |
|
By end April
By end July. To inform Annual Governance Statement (AGS) 90% satisfied |
|
Productivity and Process Efficiency |
|
90%
90% |
|
Compliance with Professional Standards
|
|
Conforms Conforms |
|
Outcomes and degree of influence |
|
97% for high priority actions |
|
Our Staff |
|
80% |
Russell Banks
Orbis Chief Internal Auditor