Annex A
INTERNAL AUDIT
ANNUAL REPORT & OPINION
2024/2025
1. Internal Control and the Role of Internal Audit
1.1 All local authorities must make proper provision for internal audit in line with the 1972 Local Government Act (S151) and the Accounts and Audit Regulations 2015. The full role and scope of the Council’s Internal Audit Service is set out within our Internal Audit Charter.
1.2 It is a management responsibility to establish and maintain internal control systems and to ensure that resources are properly applied, risks appropriately managed and outcomes achieved.
1.3 Annually, the Chief Internal Auditor is required to provide an overall opinion on the Council’s internal control environment, risk management arrangements and governance framework to support the Annual Governance Statement.
2. Delivery of the Internal Audit Plan
2.1 The Council’s Internal Audit Strategy and Plan is updated each year based on a combination of management’s assessment of risk (including that set out within the departmental and strategic risk registers) and our own risk assessment of the Council’s major systems and other auditable areas. The process of producing the plan involves extensive consultation with a range of stakeholders to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered.
2.2 In accordance with the audit plan for 2024/25, a programme of audits was carried out covering all Council departments and, in accordance with best practice, this programme was reviewed during the year and revised to reflect changes in risk and priority. All adjustments to the audit plan were agreed with the relevant departments and reported throughout the year to the Corporate Management Team (CMT) and the Audit Committee as part of our periodic internal audit progress reports. Full details of the adjustments to the plan can be found in Appendix D.
2.3 It should be noted that whilst there were some audit reports in progress or at draft report stage at year-end, outcomes from this work have been taken into account, where possible, in forming our annual opinion. Full details of these audits will be reported to CMT and the Audit Committee once each of the reports have been finalised with management.
3. Audit Opinion
3.1 No assurance can ever be absolute; however, based on the internal audit work completed, the Chief Internal Auditor can provide substantial[1] assurance that the Council has in place an adequate and effective framework of governance, risk management and internal control for the period 1 April 2024 to 31 March 2025.
3.2 Further information on the basis of this opinion is provided below. Overall, the majority of audit opinions issued in the year were positive, with only a small number of instances where internal audit activities have identified that the operation of internal controls have not been fully effective. We are pleased to report that no minimal assurance opinions were issued in the year and there were only two partial assurance opinions reported (see 5.4 below) which will be subject to follow-up in 2025/26.
3.3 Where improvements in controls are required as a result of our work, we have agreed appropriate remedial action with management.
4. Basis of Opinion
4.1 The opinion and the level of assurance given takes into account:
· All audit work completed during 2024/25, planned and unplanned;
· Follow up of actions from previous audits;
· Management’s response to the findings and recommendations;
· Ongoing advice and liaison with management, including regular attendance by the Chief Internal Auditor and Audit Managers at organisational meetings relating to risk, governance and internal control matters;
· Effects of significant changes in the Council’s systems;
· The extent of resources available to deliver the audit plan; and
· Quality of the internal audit service’s performance.
4.2 No limitations have been placed on the scope of Internal Audit during 2024/25.
5. Key Internal Audit Issues for 2024/25
5.1 The overall audit opinion should be read in conjunction with the key issues set out in the following paragraphs. These issues, and the overall opinion, will be taken into account when preparing and approving the Council’s Annual Governance Statement.
5.2 The internal audit plan is delivered each year through a combination of formal reviews with standard audit opinions, direct support for projects and new system initiatives, investigations, grant audits and ad hoc advice. The following graph provides a summary of the outcomes from all audits finalised over the past three years:
Audit Opinions
*Not Applicable: Includes grant certifications and audit reports where we did not give a specific audit opinion. Typically, this tends to be proactive advice and support activity where, due to the advisory nature of the audit work, provision of formal assurance-based opinions is not appropriate.
5.3 A full listing of all 2024/25 completed audits and opinions for the year is included at Appendix B. The status of all planned audits in progress but not completed to final report by year-end is shown in Appendix C.
5.4 As stated above, we are pleased to report that there were no minimal assurance audit opinions issued and only two received partial assurance (both of which have been reported previously within our quarterly progress reports) as follows:
· Vehicle Use Follow Up
· Frant Church of England Primary School
5.5 Whilst actions arising from these reviews will be followed up by Internal Audit, either through specific reviews or via established action tracking arrangements, it is important that management take prompt action to secure the necessary improvements in internal control.
5.6 Eleven follow-up audits were completed during 2024/25. All but one of these (Vehicle Use) resulted in an improved opinion of reasonable or substantial assurance.
Key Financial Systems
5.7 Given the substantial values involved, each year a significant proportion of our time is spent reviewing the Council’s key financial systems, both corporate and departmental. Of those audits completed during 2024/25, all resulted in either substantial or reasonable assurance opinions. It should be noted, however, that the audits of Procure to Pay and LCS/Controcc, due to be undertaken across quarters three and four, were cancelled due to the continued pressures on staff involved in the implementation of Oracle and the need for us to focus on assurance arrangements relating to this. Full audits of all key financial systems, the majority of which will be Oracle based, will be undertaken in 2025/26 in accordance with the agreed annual audit plan.
Other Internal Audit Activity
5.8 During 2024/25, Internal Audit has continued to provide advice, support and independent challenge to the organisation on risk, governance and internal control matters across a range of areas. These include:
· Oracle implementation (where we reviewed arrangements relating to several areas associated with the implementation, including programme governance and risk management, key controls relating to key financial systems, testing arrangements, integrations, system security and administration, data cleansing and migration, and business continuity);
· SAP Support Team costs;
· New declaration of interest system; and
· Transition of the Local Enterprise Partnership.
And attendance at, and support to:
· Oracle Programme Board
· Statutory Officers’ Group
· Finance Management Team
· Departmental Management Teams
· BSD Business Partners Group
· Pension Board and Pension Committee
· Joint Service Schools Risk Review Group
5.9 As well as actively contributing to, and advising these groups, we utilise the intelligence gained from the discussions to inform our own current and future work programmes to help ensure our work continues to focus on the most important risk areas.
5.10 During the year, the Internal Audit Counter Fraud Team continued to deliver both reactive and proactive fraud services across the organisation. Details of all counter fraud and investigatory activity, both proactive and reactive, have been summarised within our quarterly progress reports and a separate Counter Fraud Annual Report will be presented alongside this annual report. Where relevant, the outcomes from this work have also been used to inform our annual internal audit opinion and future audit plans.
Amendments to the Audit Plan
5.11 In accordance with proper professional practice, the Internal Audit plan for the year was kept under regular review to ensure that the service continued to focus its resources in the highest priority areas based on an assessment of risk. All audits added to, and removed from, the plan are provided in Appendix D.
6. Internal Audit Performance
6.2 Over the course of the year, we have continued to receive positive feedback on a range of completed audit assignments from management. The following ‘word-cloud’ identifies some of the key, positive phrases used to describe our service and that contributed to a 98% satisfaction rate being recorded in the year:
PSIAS
6.3 The Standards cover the following aspects of internal audit, all of which were independently assessed during late 2022 by the Chartered Institute of Internal Auditors:
· Purpose, authority and responsibility;
· Independence and objectivity;
· Proficiency and due professional care;
· Quality assurance and improvement programme;
· Managing the internal audit activity;
· Nature of work;
· Engagement planning;
· Performing the engagement;
· Communicating results;
· Monitoring progress; and
· Communicating the acceptance of risks.
Key Service Targets
6.5 Performance against our previously agreed service targets is set out in Appendix A. Overall, client satisfaction levels remain high, demonstrated through the results of our post audit questionnaires, discussions with key stakeholders throughout the year through service liaison and annual consultation meetings with senior officers.
6.6 All high priority actions agreed with management as part of individual audit reviews are subject to action tracking, whereby we seek written confirmation from services that these have been implemented. As at the end of the year, it was confirmed that 14/15 (93.3%) of the high-risk actions due to be implemented on a 12-month rolling basis had been actioned. The one outstanding action, relating to the need to introduce a declaration to the staff loan application process that requires staff to confirm that they have considered the affordability of the loan, has not yet been implemented. A revised implementation date has subsequently been agreed.
6.7 Internal Audit will continue to liaise with the Council’s external auditors (Grant Thornton) to ensure that the Council obtains maximum value from the combined audit resources available.
6.8 In addition to this annual summary, the Corporate Management Team (CMT) and the Audit Committee will continue to receive performance information on Internal Audit throughout the year as part of our quarterly progress reports and corporate performance monitoring arrangements.
Appendix A
Internal Audit Performance Indicators 2024/25
|
Aspect of Service |
Orbis IA Performance Indicator |
Target |
RAG Score |
Actual Performance |
|
Quality
|
Annual Audit Plan agreed by Audit Committee |
By end April |
G |
2025/26 Internal Audit Strategy and Plan formally approved by Audit Committee 28 March 2025 |
|
Annual Audit Report and Opinion
|
By end July |
G |
2023/24 Annual Report and Opinion presented to Audit Committee 5 July 2024 |
|
|
Customer Satisfaction Levels |
90% satisfied
|
G |
98% |
|
|
Productivity and Process Efficiency |
Audit Plan – completion to draft report stage
|
90% |
G |
95% |
|
|
Percentage of audit plan days delivered
|
90% |
G |
101% |
|
Compliance with Professional Standards |
Public Sector Internal Audit Standards |
Conforms |
G
|
Dec
2022 - External Quality Assurance completed by the Institute of
Internal Auditors (IIA). Orbis Internal Audit assessed as achieving
the highest level of conformance available against professional
standards with no areas of non-compliance identified, and therefore
no formal recommendations for improvement arising. In summary the
service was assessed as: November 2023 - Updated
self-assessment against the Public Sector Internal Audit Standards
completed, the service was found to be fully complying with 319 of
the standards and partially complying with 2 of the standards, in
both cases proportionate arrangements remain in place. |
|
|
Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures and Investigations Act |
Conforms |
G
|
No evidence of non-compliance identified. |
|
Outcome and degree of influence |
Implementation of management actions agreed in response to audit findings |
97% for high priority agreed actions |
A |
93.3% - see 6.6 above. |
|
Our staff |
Professionally Qualified/Accredited
|
80% |
G |
90%[2] |
Appendix B
Summary of opinions for Internal Audit final reports issued during 2024/25
(Explanation of assurance levels provided at the bottom of this document)
|
Audit Title |
Department |
|
Pension Fund - Cash Management 23/24 |
BSD |
|
Pension Fund - Investments and Accounting 23/24 |
BSD |
|
Pension Fund - Financial Controls 24/25 |
BSD |
|
Pension Fund - Administration of Benefits 24/25 |
BSD |
|
Alfriston School Follow-Up |
CSD |
|
Supplier Failure Follow-Up |
Corporate |
|
Ukraine Funding Follow-Up |
ASC |
|
Contract Management Follow-Up |
Corporate |
|
Waivers to Procurement and Contract Standing Orders |
Corporate |
|
Microsoft Teams Governance |
BSD |
|
Audit Title |
Department |
|
Pension Fund – Administration of Pension Benefits 23/24 |
BSD |
|
Supplier Change Control and Release Management |
BSD |
|
Climate Change Follow-Up |
Corporate |
|
Adult Social Care Liquidlogic (LAS) and Controcc |
ASC |
|
ASC Debt Management and Recovery |
ASC |
|
Greenwood Establishment Review |
ASC |
|
Grangemead Establishment Review |
ASC |
|
Highways Maintenance Contract – Contract Management |
CET |
|
Contract Management Group Cultural Compliance Follow-Up |
CET |
|
Parking – Procurement and Management of External Service Providers |
CET |
|
Payroll |
BSD |
|
Accounts Receivable |
BSD |
|
Cyber Security Response and Resilience |
BSD |
|
Domestic Violence and Abuse Refuge Contract – Contract Management |
ASC |
|
Health Visiting Contract – Contract Management |
ASC |
|
Registration Service |
CET |
|
Ashdown Primary School |
CSD |
|
Claverham Community College |
CSD |
|
Procurement Data Analytics Follow-Up |
Corporate |
|
Civica Property Management Application Controls Follow-Up |
BSD |
|
Civica Property Management Payment Controls |
BSD |
|
Health and Safety Compliance Property Management |
BSD |
|
Appointee and Deputyship Process Follow-Up |
ASC |
|
PAX (Passenger Transport System) Application Controls Audit |
CET |
|
St Richard’s Catholic College Follow-Up |
CSD |
|
IT Asset Records Management |
BSD |
|
Transition of Young People into Adult Social Care |
CSD/ASC |
Partial Assurance:
|
Department |
|
|
Frant Church of England Primary School |
CSD |
|
Vehicle Use Follow-Up |
CET |
Minimal Assurance:
|
Department |
|
|
None |
|
Non-Opinion:
|
Audit Title |
Department |
|
Oracle General Advice and Support |
Corporate |
|
Oracle Programme Governance and Risk Management Arrangements |
Corporate |
|
Oracle Key Financial Systems (Key Controls) |
Corporate |
|
Oracle Testing Arrangements |
Corporate |
|
Oracle Integrations |
Corporate |
|
Oracle System Security and Administration |
Corporate |
|
Oracle Data Cleansing and Migration |
Corporate |
|
Oracle Business Continuity Arrangements |
Corporate |
|
SAP Support Costs |
BSD |
|
Supporting Families Grant (Q1, Q2, Q3, Q4) |
CSD |
|
Childcare Expansion Capital Grant |
CSD |
|
Local Authority Bus Subsidy Grant |
CET |
|
Local Transport Capital Block Funding (Integrated Transport and Highways Maintenance) Grant |
CET |
|
New Declaration of Interests System |
Corporate |
|
Transition of Local Enterprise Partnership |
CET |
|
Traffic Signals and Green Light Fund |
CET |
|
Covid Outbreak Management Fund |
ASC |
2024/25 Audit Plan - Audits in Progress at Year-End
|
Audit Title |
Planned/ Unplanned |
Department |
Status |
|
Home Care Contract Management |
Planned |
ASC |
Draft Report |
|
Surveillance Cameras |
Planned |
BSD |
Draft Report |
|
Home to School Transport |
Unplanned |
CSD/CET |
Draft Report |
|
Pension Fund – Investments and Accounting |
Planned |
BSD |
Audit Fieldwork |
|
Pension Fund – Compliance with Regulatory Requirements |
Planned |
BSD |
Audit Fieldwork |
|
Direct Payments |
Planned |
ASC |
Audit Fieldwork |
|
IT&D Project Management |
Planned |
BSD |
Audit Fieldwork |
|
Risk Management |
Planned |
Corporate |
Audit Fieldwork |
|
Mobile Phone Application Management |
Planned |
BSD |
Audit Fieldwork |
|
Emergency Planning |
Unplanned |
CET |
Audit Fieldwork |
Appendix D
Audits added to, and removed from, the plan during 2024/25
Audits Added:
|
Review |
Rationale for Addition |
|
Registration Service |
Identified as an area for review after the audit plan had been agreed (reported in our Q2 progress report). |
|
Declaration of Interest System Upgrade Project |
Advice on risk and control in relation to the upgraded declaration of interest system (reported in our Q3 progress report). |
|
SAP Support Costs |
Requested by IT&D management to investigate the implications of removing the SAP security and access role (reported in our Q1 progress report). |
|
Civica Property Management (CPM) system - Payment Controls |
To review internal controls in the system following the identification of potential duplicate payments (reported in our Q3 progress report). |
|
Early Years Childcare Expansion Grant |
New grant requiring certification (reported in our Q1 progress report). |
|
Home to School Transport |
Audit requested by the Corporate Management Team due to the continued financial challenge in this area. Currently at draft report stage. |
|
Traffic Signal Obsolescence and DfT Green Light Fund |
New grant requiring certification (reported in our Q3 progress report). |
|
Oracle Programme Governance and Risk Management Arrangements |
To review programme governance and risk management arrangements (reported in our Q3 progress report). |
|
Oracle Procure to Pay |
Assessment of the ‘to-be’ controls prior to the proposed Oracle go-live date of April 2025 (see Q4 progress report for summary of work completed in relation to Oracle). |
|
Oracle Accounts Receivable |
As above. |
|
Oracle General Ledger |
As above. |
|
Oracle HR Recruitment |
As above. |
|
Oracle Testing Arrangements |
Assessment of the testing arrangements for Oracle implementation, prior to proposed go-live of April 2025 (see Q4 progress report for summary of work completed in relation to Oracle). |
|
Oracle Interfaces and Reconciliation |
Assessment of the interfaces and reconciliation arrangements for Oracle implementation, prior to the proposed go-live of April 2025 (see Q4 progress report for summary of work completed in relation to Oracle). |
|
Oracle Data Cleansing and Migration |
Assessment of the data cleansing and migration arrangements for Oracle implementation, prior to the proposed Oracle go-live of April 2025 (see Q4 progress report for summary of work completed in relation to Oracle). |
|
Oracle System Security and Administration |
Assessment of the system security and administration arrangements for Oracle implementation, prior to the proposed Oracle go-live of April 2025 (see Q4 progress report for summary of work completed in relation to Oracle). |
|
Oracle Business Continuity |
Assessment of the business continuity arrangements for Oracle implementation, prior to the proposed go-live of April 2025 (see Q4 progress report for summary of work completed in relation to Oracle). |
Audits Removed/Deferred:
|
Review |
Rationale for Removing/Deferral |
|
Capital Budgetary Control |
In-year reduction in audit plan days to generate required budget savings, as reported in the quarter 2 progress report. |
|
Alternative Education Provision Commissioning for Children |
Cancelled due to delays (external factors) in transferring the Pupil Referral Unit (a key part of alternative education provision) to a new trust. The cancellation of this audit has contributed to the required budget savings above. |
|
Cancelled as no grant certification required this year. The cancellation of this audit has contributed to the required budget savings above. |
|
|
Cancelled due to new process changes being implemented in this area. The cancellation of this audit has contributed to the required budget savings above. |
|
|
Accounts Payable (Procure to Pay) |
Started, but cancelled once it was proposed in late 2024 that Phase 2 of Oracle would go-live April 2025, with significant pressures on staff involved in the implementation of Oracle. Audit resources diverted to Oracle pre-implementation audit work. |
|
Implementation of Impower Recommendations |
Audit resources diverted to Oracle pre-implementation work. |
|
Children’s Liquidlogic (LCS) and Controcc Systems |
Significant pressures on staff involved in the implementation of Oracle. Audit resources diverted to Oracle pre-implementation work. |
|
Organisational Response to Financial Challenges |
Replaced with Home to School Transport review (see table above). |
|
Volunteers |
Audit resources diverted to Oracle pre-implementation work. |
|
Accountable Body Status |
Audit resources diverted to Oracle pre-implementation work. |
|
Unaccompanied Asylum-Seeking Children |
Audit resources diverted to Oracle pre-implementation work. |
|
Artificial Intelligence |
Audit resources diverted to Oracle pre-implementation work. |
|
External Funding Follow-Up |
Audit resources diverted to Oracle pre-implementation work. |
|
Supply Chain Cyber Security |
Audit resources diverted to Oracle pre-implementation work. |
Appendix E
Audit Opinions and Definitions
|
Opinion |
Definition |
|
Substantial Assurance |
Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Reasonable Assurance |
Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
|
Partial Assurance |
There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
|
Minimal Assurance |
Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |