Joint Audit and Governance Committee

Vale of White Horse District small

Report of Internal Audit and Risk Manager

Author: Victoria Dorman-Smith

Telephone: 01235 422430


South cabinet member responsible: Councillor Pieter-Paul Barker

Tel: 01844 212438


Vale cabinet member responsible: Councillor Andy Crawford

Telephone: 01235 772134



To: Joint Audit and Governance Committee

DATE: 28 March 2023




Internal audit plan 2023/2024




(a) That members approve the internal audit plan 2023/24



Purpose of Report

1.            The purpose of this report is:

·       to explain the process for setting the internal audit plan and for calculating the resources available; and

·       to set out the proposed internal audit plan for 2023/24.


2.            The contact officer for this report is Victoria Dorman-Smith, internal audit and risk manager for South Oxfordshire District Council (South) and Vale of White Horse District Council (Vale), email


Strategic Objectives


3.            Delivery of an effective internal audit function will support the councils in meeting their strategic objectives.






4.            The definition of internal audit is set out in the Public Sector Internal Audit Standards (PSIAS): “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.  It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.  It may also undertake consulting services at the request of the councils, subject to there being no impact on the core assurance work and the availability of skills and resources.


5.            Internal audit supports the head of finance (section 151 officer) in discharging his/her statutory duties, particularly in relation to the following legislation:

·       The Local Government Act 1972 states that the section 151 officer is responsible for ensuring that there are arrangements in place for the proper administration of the authority’s financial affairs.  

·       The Accounts and Audit Regulations state that ‘A relevant body must maintain an adequate and effective system of internal audit of the control environment and systems of internal control’.


6.            The PSIAS states that the head of internal audit should prepare a risk-based internal audit plan, and for plans to receive input from management.  It also states that the plan should outline the assignments to be carried out and the resource requirements to deliver the plan.  The PSIAS also states that the audit committee should approve the internal audit plan and monitor progress against the plan.  This document sets out the proposed internal audit plan for 2023/24.


The Audit Planning Process


7.            The PSIAS refer to the need for the risk-based plan to consider the requirement to produce an annual internal audit opinion and report that is used by the organisation to inform its governance statement.  The annual internal audit opinion must conclude on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control.  


8.            To support this, the risk-based plan needs to consider the risk priorities per the South and Vale corporate risk registers, review of large or significant income and budget spend and review of the corporate priorities and objectives.


9.            The approach to the audit planning process was agreed by the head of finance.  The following steps were undertaken:

Step 1: The South and Vale corporate risk registers have been reviewed as the starting point for the audit planning process as this represents management’s assessment of the risks to the councils achieving their strategic objectives.  Checks have been performed to ensure that the top eight risks on the South corporate risk register and the top seven risks on the Vale corporate risk register are reviewed regularly by internal audit.

Step 2: Areas of large or significant income and budget spend across each service area have been reviewed to ensure that they are included as a possible audit area in the SAA.

Step 3: The SAA is attached in appendix 1 and lists every possible audit area at both or either South or Vale.  The audit areas have been reviewed and updated to reflect the current organisational structure and division of responsibilities across each service area.  Each audit has been rated by the internal audit and risk manager and critically reviewed by the head of finance on several risk factors to give an overall risk score, and this assists in the assessment of what should be placed in the annual internal audit plan.  Although scoring is subjective, and no two people would score alike the process attempts to introduce a degree of objectivity into the assessment process. 

Step 4: Meetings have been held between the internal audit and risk manager and deputy chief executives and heads of service in February 2023 to obtain insights into the level of risk exposure within each service area across both councils.  In addition, heads of service have requested that, where required, specific function(s) within their service area are reviewed as part of the planned assurance or consultancy work for 2023/24 or future years.

Step 5: The proposed internal audit plan for 2023/24 has been finalised with the head of finance and shared with the senior management team for their information on 8th March 2023.


10.         Due to the changing environment that exists in Local Government, there is a need for an element of flexibility in the internal audit plan due to potential changes in the council risk profiles and the potential for emerging risks.  The SAA and corporate risk registers will be reviewed regularly by the internal audit and risk manager throughout the year, and it is possible that changes to the internal audit plan may be required. Any changes (e.g., due to changes to the council risk profiles or due to management requests) will be agreed with the head of finance and reported to the audit committee.  In September 2023, meetings will be held between the internal audit and risk manager and deputy chief executives and heads of service to understand if there have been any changes to the level of risk exposure within each service area across both councils, since the initial discussions in February 2023.  Based on the outcome of these meetings, the internal audit and risk manager will assess whether audits need to be added, removed, or amended on the internal audit plan.


Allocation of Audit Resources


11.         The resources available to deliver the internal audit annual plan 2023/24 are arrived at by starting with the number of days available for all internal audit posts within the team.  This is then reduced by the estimated numbers of days lost through annual leave, bank holidays (planned) and sickness and other absences (unplanned).  The remaining days available are then allocated between the various elements of work which are expected to be carried out in the year to deliver an effective internal audit service. 


12.         The calculation of days available and the allocation of days between different categories of work is attached as appendix 2.  The different categories of work are classed as either chargeable or non-chargeable.  Chargeable means the work has an identifiable client or is directly linked to the delivery of internal audit services.  Non-chargeable means any other work which is not directly linked to the delivery of internal audit services (for example: admin, corporate responsibilities, training, staff briefings).


13.         An explanation of the individual variances against the previous year allocation is provided in appendix 2.


Internal Audit Plan


14.         The outputs from the audit planning and allocation of resources process have been prioritised to produce an internal audit plan that considers the following:

·       the requirement to give an objective and evidenced based opinion on aspects of governance, risk management and internal control.

·       the requirement for internal audit to add value through improving controls, streamlining processes, and supporting corporate priorities.

·       the need to allocate a suitable number of contingency days to respond to emerging risk, governance, and control matters.

·       the need to allocate a suitable number of investigation days for fraud or whistleblowing purposes.

·       to support the head of finance’s requirement for a cyclical review of key financial systems and processes throughout the councils.


15.         The internal audit plan for 2023/24 is designed and constructed in such a way to enable the internal audit and risk manager to form an opinion on the adequacy of each council’s control environment, taking into consideration available audit resources.  This opinion forms an important independent view of each council’s operations that feeds into and supports each council’s annual governance statement. 


16.         The proposed internal audit plan for 2023/24 is attached in appendix 3 and has been agreed with the head of finance and has been considered by the senior management team (SMT). 


Individual Audits


17.         For each audit, not all aspects within a specific area are necessarily examined.  Actual audit coverage is decided at the time of the audit in consultation with key management and officers.  This ensures that current issues together with recent coverage by internal audit or external bodies determine the scope of the work.


18.         An estimated start date for each audit is included in the internal audit plan in appendix 3, which aims to ensure the availability of key management and officers.  We will. however, seek to agree a date which is convenient to the officers involved during the scoping of each review.


19.         Upon completion of the audit fieldwork, the auditor will draft a report and arrange to meet with the auditees, to ensure factual accuracy of the audit observations and findings and to ensure a proper understanding of the risks to which any action plan relates.


20.         A formal audit report will be issued for all planned assurance audit work, which will provide an overall assurance rating, along with key observations and recommendations for each audit objective.  However, upon identification of any high-risk issues, internal audit will immediately notify management during the course of the audit to enable appropriate remedial action to be taken prior to being formally published in the audit report.



Follow Up


21.         Recommended actions are followed up and reported to the JAGC on a quarterly basis to provide assurance that the agreed actions within internal audit reports have been implemented correctly in the timescales originally offered by management, and that controls are managing risk more effectively.


Reporting to the Joint Audit and Governance Committee


22.         Monitoring of internal audit’s progress against the internal audit plan along with summarising the outcomes of recent audit and follow up work will be presented to the joint audit and governance committee.


23.         Following completion of the internal audit plan for 2023/24 we will produce an annual internal audit report on the work of internal audit in the year ended 31 March 2024, and to advise the committee of the internal audit and risk manager’s opinion on the overall adequacy and effectiveness of the internal control environments at South and Vale.


Climate and Ecological Impact Implications


24.         There are no direct climate or ecological implications arising from this report. However, per the climate action plan, for each individual audit in the 2023/24 internal audit plan, we will include risk considerations for the climate emergency in our audit work.


Financial Implications


25.         The internal audit plan can be delivered from within the approved 2023/24 budget, therefore there are no financial implications attached to this report.


Legal Implications


28.      None


Risk Implications


29.       Identification of risk is an integral part of all audits.