Appendix A

Requirement

Description

Responsibility

Response

Action

Authority Compliance (Section 4)

The authority should explain how it complies with the Code in its annual governance statement. CIPFA is currently updating its guidance on annual governance statements for publication in 2025. Conformance with both the Code and Global Internal Audit Standards (GIAS) in the UK public sector will be featured in the new Addendum as part of the core arrangements authorities should have in place. Effective arrangements for the governance of internal audit, as well as effective internal audit, are vital parts of an authority’s governance arrangements.

Authority

This is a new requirement and will therefore be included in the 2025/26 Annual Governance Statement (AGS).

Management to ensure that the 2025/26 AGS includes specific reference to organisational compliance with the Code of Practice for the Governance of Internal Audit in UK Local Government.

Internal Audit’s Mandate (Section 1.1)

In local government in the UK, internal audit’s authority comes from the statutory requirement within the Accounts & Audit Regulations [England] 2015.

Internal Audit

Included within the Internal Audit (IA) Charter, which is approved annually by senior management and the Audit Committee.

None.

In addition to internal audit’s mandate from regulations, each body may agree a wider statement of internal audit’s authority.

Authority

Internal Audit’s mandate is further set out within local financial regulations and procedures.

None.

Internal Audit Charter (Section 1.2)

The chief audit executive has a responsibility to prepare a charter that conforms with GIAS (UK public sector). When reviewing the charter, the audit committee should be satisfied that it covers the governance arrangements for internal audit. It must include the mandate derived from the regulations, plus any additional agreed mandate, and include internal audit’s reporting line to the audit committee. The charter should include the administrative reporting arrangements for internal audit and the chief audit executive.

Internal Audit

The Charter has been updated to reflect the new GIAS, including governance arrangements for Internal Audit. Specific reference to the mandate from regulations is already covered.

None.

Support for Internal Audit (Section 1.3)

Internal audit’s activities require access to and support from senior management, the audit committee and those charged with governance. Support allows internal audit to apply their mandate and charter in practice and meet expectations.

Authority

Internal Audit has regular access to senior management, the Audit Committee and those charged with governance.

None.

Support including putting in place the following conditions:

·         The direct reporting line of the Chief Internal Auditor is not lower than a member of the senior management team and has access to all members of the team;

·         The Chief Internal Auditor should be a senior manager, providing them with the necessary profile to fulfil the function’s mandate;

·         Where internal audit is delivered through a partnership arrangement, there is a nominated Chief Internal Auditor and client responsibility lies with a member of senior management;

·         The organisational position of the Chief Internal Auditor should be supported by direct reporting to the audit committee.

Authority

The Chief Internal Auditor (CIA) is a senior manager and reports directly to a member of the senior management team and has access to all others where needed.

Client management rests with a member of senior management.

The CIA has a direct reporting line to the Audit Committee. The CIA attends each Audit Committee.

None.

The audit committee can also demonstrate its support for internal audit by:

·         Enquiring of senior management and the Chief Internal Auditor about any restrictions on the internal audit’s scope, access, authority or resources that limit its ability to carry out its responsibilities effectively.

·         Considering the audit plan or planning scope and formally approving or recommending approval.

·         Meeting at least annually with the Chief Internal Auditor in sessions without senior management present.

Authority

In all cases, the Audit Committee has the ability to, and does, enquire as to any restrictions on Internal Audit activities.

Audit strategies and plans are approved by the Audit Committee on an annual basis.

Whilst it does not routinely happen, arrangements exist to enable the CIA to meet with the Audit Committee without senior management present.

None.

Organisational Independence (Section 2.1)

On behalf of those charged with governance, senior management needs to establish and safeguard internal audit’s independence. These arrangements must include:

·         Ensuring internal audit’s access to staff and records, as set out in regulations and the charter, operates freely and without any interference to its scope, performance of engagements or communication of results.

·         Ensuring that the chief audit executive reports in their own right to the audit committee on the work of internal audit.

·         Providing opportunities for the chief audit executive to meet with the audit committee without senior management present. At least one such meeting must be held each year.

·         Where there are actual or potential impairments to the independence of internal audit, senior management should work with the chief audit executive to remove or minimise them or ensure safeguards are operating effectively.

·         Recognise that if the chief audit executive has additional roles and responsibilities beyond internal auditing, or if new roles are proposed, it could impact on the independence and performance of internal audit. The impact must be discussed with the chief audit executive and the views of the audit committee sought. Where needed, appropriate safeguards must be put in place by senior management to protect the independence of internal audit and support conformance with professional standards.

Authority

Internal Audit access to staff and records is covered within the Charter, Accounts and Audit Regulations and local financial procedures/regulations.

Whilst the CIA effectively reports in their own right to the Audit Committee on the work of Internal Audit, technically, in some cases, the reports are presented in the name of senior management in accordance with organisational requirements.

Both the CIA and the Audit Committee have the ability to meet in private at any time without senior management present. This is an option available when needed.

No actual or potential impairments to the independence of Internal Audit exist or have been experienced.

The CIA currently has no additional roles or responsibilities that impact on the independence and performance of Internal Audit.

None.

In local government, matters around the appointment, removal, remuneration and performance evaluation of the chief audit executive will be undertaken by senior management, but these arrangements must not be used to undermine the independence of internal audit. The audit committee should provide feedback on the proposed job description and the performance evaluation of the chief audit executive should include feedback from the chair of the audit committee.  In shared or outsourced arrangements, the audit committee should provide feedback on the operation of the contract.

Authority

Whilst the Audit Committee Chair has previously been involved in the appointment of the CIA, this has not formally included feedback on their performance evaluation.

Through ongoing interaction between the CIA and the Audit Committee, along with performance information provided with regular progress reports, the Audit Committee is able to provide ongoing feedback on the operation of the shared services arrangements.

Consider whether the Audit Committee Chair should provide direct input to the CIA’s performance evaluation.

The audit committee must support internal audit’s independence by reviewing the effectiveness of safeguards at least annually, including any issues or concerns about independence from the chief audit executive. The chief audit executive must have the right of access to the chair of the audit committee at any time. The audit committee can escalate its concerns about internal audit independence to those charged with governance.

Authority

No issues or concerns over Internal Audit independence have arisen and the CIA has the right of access to the Chair of the Audit Committee where required. Should any issues or concerns arise, arrangements are in place for these to be escalated through regular formal and informal interactions between the CIA, the Chair of Audit Committee and the Audit Committee itself, including within formal Internal Audit progress reporting.

None.

Qualifications of the Chief Audit Executive (Section 2.2)

Ensuring effective leadership of the internal audit team requires a suitably qualified and experienced Chief Audit Executive. The Application Note: GIAS in the UK public sector sets out the qualifications and competencies expected of the chief audit executive. These must be taken into account by senior management when recruiting to the post.

Authority

The CIA role profile clearly requires the postholder to be suitably qualified and experienced, and these are taken into account by senior management when recruiting to the role.

None.

Where internal audit is fully outsourced, senior management should ensure that an appropriate individual from the provider is nominated as the chief audit executive and meets the qualification requirements.

Authority

No fully outsourced arrangements in place.

None.

Audit Committee Interaction (Section 3.1)

All audit committees should follow the CIPFA audit committee guidance for the oversight of internal audit.

Authority

In 2024, ESCC Audit Committee completed a self-assessment in accordance with CIPFA best practice. The assessment generally identified full compliance with good practice, with a few areas for improvement which are being taken forward.

None.

To ensure there is good interaction between the audit committee and internal audit, audit committees must agree its work plan with the chief audit executive to ensure there is appropriate coverage of internal audit matters within audit committee agendas.

Authority / Internal Audit

A forward plan is in place for the Audit Committee and is produced in conjunction with the CIA. It includes appropriate coverage of Internal Audit matters.

None.

The audit committee workplan should provide for the internal audit mandate and charter, strategy, plans, engagement reporting and the annual conclusion, and quality reports.  The committee should also oversee the tracking and implementation of the actions agreed following audits.

Authority / Internal Audit

As above, a forward plan for Audit Committee includes the Internal Audit mandate and charter, strategy, plans, engagement reporting, annual conclusion, quality reports and action tracking.

None.

The audit committee must familiarise itself with the authority’s assurance framework, governance, risk management and internal control arrangements to facilitate its interactions with internal audit.

Authority

The Audit Committee remit includes assurance framework (incl. AGS), governance, risk management and internal control.

None.

Senior management should update the audit committee on significant changes to governance, risk and control arrangements and any concerns they have on assurance.  The audit committee should have oversight of the annual governance statement before final approval.

Authority

See above. The Audit Committee has oversight of the annual governance statement before final approval.

None.

Where internal audit consider the management of risk or proposed actions in response to audit engagements represent an unacceptable level of risk to the authority, the audit committee must review the matter. The committee should make their recommendation to either management or those charged with governance as necessary.

Authority / Internal Audit

Where Internal Audit consider management’s response to risk issues identified through internal audit activity is unacceptable, this will be reported to the Audit Committee for review.  No such circumstances have, however, been identified.

None.

Resources (Section 3.2)

The audit committee and senior management must engage with the chief audit executive to review whether internal audit’s financial, human and technological resources are sufficient to meet internal audit’s mandate as set out in the regulations and achieve conformance with GIAS (UK public sector).

Authority

Through regular reporting to the Audit Committee throughout the year, the CIA will report any issues associated with financial, human or technological resources that may impact on service delivery. Regardless, the Audit Committee regularly enquires of the CIA on these issues to obtain the necessary assurance.  

None.

Where there are concerns about internal audit’s ability to fulfil its mandate or deliver an annual conclusion, the concerns should be formally recorded and reported to those charged with governance.

Authority

See above. This has not occurred, but should it happen, concerns would be escalated through the Audit Committee to those charged with governance.

None.

If resource issues result in a limitation of scope on the annual conclusion, this should also be reported and disclosed in the annual governance statement.

Authority

See above. Should the CIA report on any limitation of scope, this will be included with the annual governance statement.

None.

Decisions on internal audit resourcing by senior management and those charged with governance must take account of the longer-term risks to the governance and financial sustainability of the authority and internal audit’s role in supporting those objectives. The long-term viability of the internal audit function must be considered.

Authority

Long term resourcing of the IA function is based on organisational priorities, risks and financial strategies.

None.

Where there are temporary resource constraints, senior management must work with the chief audit executive to establish longer-term plans for sustainable internal audit resources.

Authority

Resourcing challenges are managed by the CIA in co-ordination with senior management and the Audit Committee. Long term strategy is currently focussed on ‘growing our own’ with appropriate investment in training and development.

None.

Quality (Section 3.3)

Annually, the audit committee must review the results of the chief audit executive’s assessment of conformance against GIAS (UK public sector), including any action plan.

Authority

An annual self-assessment against professional standards (GIAS) is undertaken by the CIA and reported to the Audit Committee, along with a summary of any actions arising.

None.

The audit committee must review the chief audit executive’s annual report, including the annual conclusion on governance, risk management and control, and internal audit’s performance against its objectives.  The committee should review in-year updates and make appropriate enquiries if there are concerns about internal audit performance.

Authority

The Audit Committee reviews all outputs from the CIA, including the annual report and opinion, quarterly progress reports and the strategy and annual audit plan. Appropriate discussions and enquiries take place on all occasions.

None.

To meet the requirements of the regulations (the mandate) for internal audit, the audit committee must satisfy itself on the effectiveness of internal audit. They should take into account conformance with the standards, interactions with the committee, performance and feedback from senior management. Their conclusions should be reported to those charged with governance, for example, as part of the audit committee’s annual report.

Authority

See above. The Audit Committee regularly receives reports covering Internal Audit performance and effectiveness and makes enquiries of these throughout the year. It is currently unclear, however, to what extent conclusions are reported to those charged with governance.

Review arrangements for Audit Committee reporting on its conclusions as to the effectiveness of Internal Audit, possibly as part of the Committee’s annual report.

External Quality Assessment (Section 3.4)

On behalf of those charged with governance and the audit committee, senior management must ensure that internal audit has an external quality assessment at least once every five years of its conformance against GIAS (UK public sector), including this Code. Senior management and the chief audit executive should discuss the timing of the review and report the options and their recommendation to the audit committee.

Authority

Internal Audit is subject to an independent external quality assessment at least once every 5 years, with the last review conducted by the Chartered Institute of Internal Auditors, which reported in 2022. The next review is therefore due in 2027, the timing and options for which will be agreed with the Audit Committee.

None.

Where the authority is the client of an internal audit provider (shared, partnership or outsourced functions), then agreement on the approach to the EQA will need to take account of the broader arrangements.

Authority

See above – agreement to the approach is obtained from the Audit Committee and takes account of broader partnership arrangements.

None.

Where the authority commissions the EQA, the proposals for the scope, method of assessment and assessor should be brought to the audit committee for agreement.  For all EQAs covering local government clients, the assessor must use this Code alongside the standards and be familiar with the sector.

Authority

See above – for the next review, scope, method and assessor will continue to be brought to the Audit Committee for agreement and will include use of the Code.

None.

The audit committee must receive the complete results of the assessment and consider the chief audit executive’s action plan to address any recommendations. Progress should be monitored.

Authority / Internal Audit

The complete results of external assessments are reported to Audit Committee along with details of any action plans arising.

None.

Where the audit committee does not have delegated authority, the committee should report the overall results of the external quality assessment to those charged with governance.

Authority

See above.

None.

Key:

GIAS: Global Internal Audit Standards

AGS: Annual Governance Statement

IA: Internal Audit

CIPFA: Chartered Institute of Public Finance and Accountancy

CIA: Chief Internal Auditor