Issue - meetings

At the Audit & Governance Committee meeting on 20 March 2025, the approval of the 2025/26 Internal Audit Plan was deferred to the next meeting on 29 May 2025. The Committee requested clarification on nine points derived from the Institute of Internal Auditor’s (IIA) Supplementary Guidance (non-mandatory) document “Developing a Risk Based Internal Audit Plan”.

This report responds to each point and clarifies the process followed by the BCP Internal Audit Function in determining its Internal Audit Plan and demonstrating conformance to the IIA’s mandatory requirements of the International Professional Practices Framework 2024 (IPPF).

The Chief Internal Auditor is satisfied that the Internal Audit team comply with all the mandatory elements of the IPPF (including the Global Internal Audit Standards and relevant application notes) and previously verified by external assessment.

Internal Audit planning takes into account the non-mandatory guidance elements of the IPPF.

Ensuring the Committee is equipped with all relevant, sufficiently detailed, information, to enable them to meaningfully consider and agree the Plan has continually evolved over time and requires judgement on what level of detail is helpful to the Committee. As a trial, further information has been included in the Internal Audit – Audit Plan 20256/26 report which is being brought separately to this Committee.

The Audit Manager presented a report, a copy of which had been circulated to each Member and a copy of which appears as Appendix 'C' to these Minutes in the Minute Book.

At the meeting on 20 March 2025, the approval of the 2025/26 Internal Audit Plan was deferred to provide clarification on nine points raised at the meeting by one of the independent Persons and which derived from the Institute of Internal Auditor’s (IIA) Supplementary Guidance (non-mandatory) document “Developing a Risk Based Internal Audit Plan”. The report responded to each point and clarified the process followed in determining the Internal Audit Plan and demonstrating conformance to the IIA’s mandatory requirements of the International Professional Practices Framework 2024 (IPPF).

The Committee was assured that the Chief Internal Auditor was satisfied that the Internal Audit team complied with relevant mandatory audit standards in producing the Internal Audit Plan. Information provided to the Committee continued to evolve over time with the aim of providing a level of content which was helpful without being unnecessarily detailed. As a trial, additional information had been incorporated into the Internal Audit – Audit Plan 2025/26 report, including more detail on work planned in quarter one, and further details for the whole year subsequently circulated.

The Chair thanked the Head of Audit and Management Assurance (HAMA) for arranging a briefing session in preparation for this meeting to go through the responses with members in more detail. Members agreed this had been a very useful and accessible session. The Chair commented on Internal Audit’s risk based approach and members supported the suggestion of including a briefing at a non-core meeting on how Internal Audit achieved ‘comfort’ with its coverage. It was also intended to use the Committee’s Teams channel to provide more detailed information for those who wanted it.

One of the Independent Persons noted that one of the Council’s corporate risks, (CR27 – We may fail to adequately address concerns around environmental impacts) did not seem to feature in the 25/26 Audit Plan. The HAMA stated that it was difficult to cross reference and immediately respond to that comment in the meeting. He would take it away and provide a written response to be circulated to the whole committee and included in the minutes, as set out below:

“Corporate Risk 27 “We may fail to adequately address concerns around environmental impacts” is further described as “This risk has been created to capture emerging risks in relation to environmental impacts. The first risk to be included under this group is that of cliff instability and the risk will primarily reflect this initially. The risk will continue to develop to include further areas over the next several months.” This risk was added to the risk register in March 2025. A 2024/25/26 (cross-over year) audit of Flood and Coastal Erosion Risk Management (FCERM) is currently underway, of which the scope comprises FCERM Commercial Operations (including business cases, grant funding bids), Procurement Activity and Team Resilience (capacity/expertise). A draft report is  ...  view the full minutes text for item 11