Appendix 1

INTERNAL AUDIT

ANNUAL REPORT & OPINION

2025/2026


1.         Internal Control and the Role of Internal Audit

 

1.1       All local authorities must make proper provision for internal audit in line with the 1972 Local Government Act (S151) and the Accounts and Audit Regulations 2015. The full role and scope of the Council’s Internal Audit Service is set out within our Internal Audit Charter.

 

1.2       It is a management responsibility to establish and maintain internal control systems and to ensure that resources are properly applied, risks appropriately managed and outcomes achieved.

 

1.3       Annually the Chief Internal Auditor is required to provide an overall opinion on the Council’s internal control environment, risk management arrangements and governance framework to support the Annual Governance Statement.

 

2.         Delivery of the Internal Audit Plan

 

2.1         The Council’s Internal Audit Strategy and Plan is updated each year based on a combination of management’s assessment of risk (including that set out within the departmental and strategic risk registers) and our own risk assessment of the Council’s major systems and other auditable areas. The process of producing the plan involves extensive consultation with a range of stakeholders to ensure that their views on risks and current issues, within individual departments and corporately, are identified and considered.

 

2.2       In accordance with the audit plan for 2025/26, a programme of audits was carried out in accordance with best practice. This programme was reviewed during the year and revised to reflect changes in risk and priority. All adjustments to the audit plan were agreed with the relevant departments and reported throughout the year to the Corporate Leadership Team and the Audit, Standards and General Purposes Committee as part of our periodic internal audit progress reports. Full details of the adjustments to the plan can be found in Appendix D.

 

2.3       It should be noted that whilst there were some audit reports in progress or at draft report stage at year-end, outcomes from this work have been considered in forming our annual opinion. Full details of these audits will be reported to the Corporate Leadership Team and the Audit, Standards and General Purposes Committee once each of the reports has been finalised with management.

 

3.         Audit Opinion

 

3.1       No assurance can ever be absolute; however, based on the internal audit work completed, the Chief Internal Auditor can provide partial ([1]) assurance that the Council has in place an adequate and effective framework of governance, risk management and internal control for the period 1 April 2025 to 31 March 2026.

 

3.2       Further information on the basis of this opinion is provided below. Although the majority of audit opinions issued in the year were generally positive, there is still a high number of partial assurance reports overall and internal audit activities have identified a number of key areas where the operation of internal controls has not been fully effective. A number of these relate to key financial or key services and link to risks identified in the Council’s strategic risk register.

 

3.3      Internal Audit work closely with management and discuss areas of risk and focus for our audit work. This means that we do receive requests from management for audit work and we will consider these, alongside the risk profile for the Council. Sometimes this is a request in order to obtain assurance over areas where there are known issues and a potential need for improvement. This demonstrates a positive organisational culture which utilises Internal Audit to help support service improvement.

 

3.4      It is essential that management continue to recognise the need to take prompt and robust action in response to the findings arising from internal audit activities, in order to ensure an adequate control environment remains in place and that there is no future deterioration in the level of assurance. Where improvements in controls are identified during our audit work, we have asked management to consider and decide on appropriate remedial action that mitigates the risk. This approach results in agreed actions that are tailored for their service and that management should feel more committed to.

 

3.5       We are pleased to note that following discussion with the Corporate Leadership Team on the annual audit opinion, action is being taken to review identified themes, identify root causes and incorporate appropriate actions within the Transformation and Innovation Portfolio of Strategic Programmes and the Annual Governance Statement. Key actions will also be added to the Corporate Leadership Plan.

 

4.         Basis of Opinion

 

4.1       The opinion and the level of assurance take into account:

 

·         All audit work completed during 2025/26, planned and unplanned;

·         Follow up of actions from previous audits;

·         Management’s response to the findings;

·         Ongoing advice and liaison with management, including regular attendance by the Chief Internal Auditor and Audit Managers at organisational meetings relating to risk, governance, and internal control matters;

·         Effects of significant changes to the Council’s systems;

·         The extent of resources available to deliver the audit plan; and

·         Quality of the Internal Audit service’s performance.

 

4.2       No limitations have been placed on the scope of Internal Audit during 2025/26.

           

5.         Key Internal Audit Issues for 2025/26

 

5.1       The overall audit opinion should be read in conjunction with the key issues set out in the following paragraphs. These issues, and the overall opinion, have been taken into account when preparing and approving the Council’s Annual Governance Statement.

 

5.2       The internal audit plan is delivered each year through a combination of formal reviews with standard audit opinions, direct support for projects and new system initiatives, investigations, grant audits and ad hoc advice. The following graph provides a summary of the outcomes from all audits finalised over the past four years:

 

 

Comparisons of Opinions 2022/23 through 2025/26

 

 

*Non-Opinion: Includes grant certifications and audit reports where we did not give a specific audit opinion. Typically, this tends to be proactive advice and support activity where, due to the advisory nature of the audit work, provision of formal assurance-based opinions is not appropriate.

 

5.3       A full listing of all 2025/26 completed audits and opinions for the year is included at Appendix B, along with an explanation of each of the assurance levels. The status of all planned audits in progress but not completed to final report by year-end is shown in Appendix C.

             

5.4       Four follow-up audits were completed on areas that previously received partial assurance opinions. There was evidence of sufficient improvement to receive opinions of reasonable or substantial assurance. However, three other follow-up audits resulted in repeated partial assurance, meaning no significant improvement was found. An additional three follow-up audits were still in progress at year end.

 

5.5       One minimal assurance audit opinion was issued during the year, and twelve audits received partial assurance (including three schools) during 2025/26 (all of which have been reported on in our quarterly progress reports) as follows:

 

·         Home Purchase Scheme

·         Attendance Management

·         Brighton Centre, Cultural Compliance

·         Temporary Accommodation, Block Booked & Spot Purchase Payments

·         Accounts Receivable (Debtors) follow up

·         Off Payroll Payments (IR35) follow up

·         Council Tax

·         Direct Payments (Children’s)

·         Contract Management Compliance – Facilities and Building Services follow up

·         St Andrews Primary School

·         Tarnerland Nursery School

·         Elm Grove Primary School

·         Reactive and Planned Maintenance (Minimal Assurance)

 

5.6       In addition to the above, as at March 2026 year-end, there were a further six draft reports, not yet finalised. Of note was the likely partial assurance opinion for Housing Repairs.

 

5.7      We would also like to highlight that in discussing the root cause for weaknesses in control with management, we have identified capacity challenges and service resilience in several areas. This is an area that has also been raised in previous years. We understand that these issues have been further compounded by increased demand on services and the ongoing financial pressures resulting in recruitment and expenditure controls. We note that spending controls are being eased in 2026-27, with changes to the process to ensure service critical expenditure is not delayed.

 

5.8      All audit reviews that received a partial or minimal assurance opinion will be subject to a follow up audit. We aim to carry these out within 12 months, but there may be occasions when the audit is delayed, due to available resources within Internal Audit and the service area.

 

5.9       Internal Audit track implementation of all high priority agreed actions and request confirmation from responsible officers that they have been implemented by the due date. It is noticeable that during 2025/26 some services have struggled to respond and implement actions that mitigate the risk by their due date. These are reported within the quarterly progress reports to the Audit, Standards and General Purposes Committee and key performance indicators. Whilst most actions are implemented within a reasonable time period, any delay in implementation results in an increased period of risk exposure for the organisation.

 

            Key Financial Systems

 

5.10    Given the substantial values involved, each year a considerable proportion of our time is spent reviewing the Council’s key financial systems. Of those completed during 2025/26, two, Council Tax and Accounts Receivable (Debtors), have resulted in only partial assurance being provided over the control environment. This is an area of concern and therefore something that management should be taking prompt action to resolve.

 

5.11    We also note that progress of the programme to improve corporate financial systems has been delayed, though there is now a dedicated project management resource and a new Board is being set up for 2026-27. Internal Audit have set aside time to provide support to this programme.

 

5.12    We are pleased to note that we saw improvements in payroll controls, which received partial assurance in 2024-25 and reasonable assurance in 2025-26.

 

5.13    For Accounts Receivable, this was the second consecutive audit resulting in partial assurance. We noted the rising levels of debt in Adult Social Care which required a strategic review. In addition, some agreed actions to strengthen the control environment had not yet been implemented at the time of the audit, including the use of an external agency specialising in debt resolution with vulnerable adult clients.

 

5.14    We found that the implementation of a new electronic document management system for Council Tax had negatively impacted service performance and resulted in an increased backlog of work that needs to be managed. There is a financial pressure on the Council in this area and at the time of the audit there was a reduction in the in-year collection rate forecast.

 

5.15    Actions were agreed to improve the control environment for these key financial systems. We plan to complete an enhanced follow up review on both these areas in 2026/27, covering all key risks and controls.

 

5.16     The Council’s financial systems remain a key focus in the 2026-27 audit plan.

 

            Corporate Systems

 

5.17    We are pleased to note that reasonable assurance reports were issued for Corporate Governance focusing on the Code of Conduct and the Risk Management audit which reviews the corporate process.

 

5.18    At the end of the year, reports on Budget Management and on the Implementation of the new Procurement Regulations resulted in reasonable assurance opinions. These both looked at the corporate process, and additional audit work is completed on compliance within directorate audits.

           

            Building Maintenance and Repairs

 

5.19    The Council is facing a significant challenge to ensure that all buildings owned either corporately or through the Housing Revenue Account (HRA) are maintained and improved so that they meet regulatory standards.

 

5.20    This risk was identified in departmental and strategic risk registers and remains a key area of focus for the Council. In 2024-25 audits of Planned and Major Works in Housing and Contract Management in Facilities and Building Services resulted in partial assurance opinions.

 

5.21    The following audits were completed in 2025-26 to provide assurance in this area:

·         Reactive and Planned Maintenance

·         Contract Management – Facilities and Building Services (follow up)

·         Housing Repairs

 

5.22    These audits resulted in opinions of partial assurance and in the case of Reactive and Planned Maintenance a minimal assurance opinion. The Housing Repairs audit report was in draft at year end with a partial opinion.

 

5.23    The Reactive and Planned Maintenance audit of non-housing property assets sought to provide assurance over project management controls to deliver the planned preventative works and reactive repairs. The minimal assurance opinion reflected the need to make improvements and that the current corporate landlord model may no longer be effective. Lack of resources has resulted in the service only being able to undertake essential or critical works, which may result in future higher costs. A summary of this audit is provided in the quarter 4 progress report, included as a separate agenda item to the Committee.

 

5.24    It is notable that the follow up audit for Contract Management for Facilities and Building Services resulted in another partial opinion as the service had struggled to implement the agreed actions from the previous review. Procurement and contract management activities are key to the success of the Council maintaining these properties.

 

5.25    A follow up audit of Planned and Major Works to HRA properties was in progress at year end.

 

Information Technology and Design

 

5.26    A significant part of the audit plan is used to provide assurance in this key area of risk. A list of all audits completed is included in Appendix B.

 

5.27    Assurance audits completed in this area in 2025-26 resulted in positive opinions of reasonable or substantial assurance. In addition, Internal Audit resources were used to provide advice and support.

 

5.28    During the year the Council invested in pilot programmes to develop technology at a fast pace across the Council. Considerable work has taken place on these pilots but due to the speed of this work it has not yet been possible to schedule in Internal Audit work to provide assurance during 2025-26. However, audit work is planned for 2026-27 as successful pilots progress into programmes of work.

 

5.29    There is an increased risk nationally from cyber-attack, which can have a significant impact on organisations affected. In recognition that schools are particularly vulnerable, an audit on cyber security in schools was added to the plan and was in progress at year end. Internal Audit also provided support to the Cyber Security programme and continue to work with other officers across the Council to further improve security of networks and raise awareness.

 

Other Internal Audit Activity

 

5.30    During 2025/26, Internal Audit has continued to provide advice, support, and independent challenge to the organisation on risk, governance, and internal control matters across a range of areas. These include:

 

·      Transition Local Enterprise Programme

·      Fleet Procurement Compliance and Payment Controls

·      Large Panel System Programme

·      Cyber Security Programme Support

·      Online Safety Act

·      Microsoft Power Platform Data Governance

·      IT Service Management System Replacement Project (Cherwell).

·      Grants

·      Schools

 

And attendance at, and support to:

 

·         Orbis Customer Board/Finance & Resources Lead Business Partners Meetings;

·         Corporate Leadership Team Governance and Assurance Meetings

·         Directorate Leadership Teams (quarterly attendance)

·         Information Governance Board;

·         Whistleblowing Co-ordination Meetings; and

·         Leadership Network.

 

5.31    As well as actively contributing to, and advising these groups, we utilise the intelligence gained from the discussions to inform our own current and future work programmes to help ensure our work continues to focus on the most important risk areas.

 

Anti-Fraud and Corruption

 

5.32    During the year, the Internal Audit Counter Fraud Team continued to deliver both reactive and proactive fraud services across the organisation. Details of all counter fraud and investigatory activity, both proactive and reactive, have been summarised within a separate Counter Fraud Annual Report due to be presented alongside this Internal Audit Annual Report. Where relevant, the outcomes from this work have also been used to inform our annual internal audit opinion and future audit plans.

 

Amendments to the Audit Plan

 

5.33    In accordance with professional practice, the Internal Audit plan for the year was kept under regular review to ensure that the service continued to focus its resources in the highest priority areas based on an assessment of risk. All audits added to and removed from the plan are provided in Appendix D.

 

6.         Internal Audit Performance

 

6.1       Public Sector Internal Audit Standards (PSIAS), replaced on 1 April 2025 by new Global Internal Audit Standards (GIAS), required the internal audit service to be reviewed annually against the Standards, supplemented with a full and independent external assessment at least every five years. The following paragraphs provide a summary of our performance during 2025/26, including the results of our most recent self-assessment (including an update on our Quality Assurance and Improvement Programme), the results of our previous external assessment and the year end results against our agreed targets.

 

6.2      Over the course of the year we have continued to receive positive feedback on a range of completed audit assignments from management within services. The following ‘word cloud’ identifies some of the key, positive phrases used to describe our service and that contributed to a 100% satisfaction rate being recorded in year:

 

 

 

            Professional Standards

 

 6.4      As reported to Audit Committee in January 2023, Orbis Internal Audit was assessed during 2022 by the Institute of Internal Auditors (IIA) as achieving the highest level of conformance available against The Public Sector Internal Audit Standards (PSIAS), with no areas of non-compliance identified.

 

6.5      During 2025-26 Orbis Internal Audit completed a self-assessment against the new Global Internal Audit Standards (GIAS) which was reported to committee in September 2025 and only identified minor areas of improvement for full compliance with the new standards.

 

            Key Service Targets

 

6.5       Performance against our previously agreed service targets is set out in Appendix A. Overall, client satisfaction levels remain high, demonstrated through the results of our post audit questionnaires, discussions with key stakeholders throughout the year and annual consultation meetings with senior management.

 

6.6       Internal Audit will, where possible, continue to liaise with the Council’s external auditors (Grant Thornton) to ensure that the Council obtains maximum value from the combined audit resources available.

 

6.7      In addition to this annual summary, the Corporate Leadership Team and the Audit, Standards and General Purposes Committee will continue to receive performance information on Internal Audit throughout the year as part of our quarterly progress reports and corporate performance monitoring arrangements.

Appendix A

Internal Audit Performance Indicators 2025/26

 

| Aspect of Service | Performance Indicator | Target | RAG Score | Actual Performance |
|---|---|---|---|---|
| Quality | Annual Audit Plan agreed by Audit Committee (2025/26) | By end April | G | 2025/26 Internal Audit Strategy and Annual Audit Plan formally approved by Audit, Standards & General Purposes Committee 22 April, 2025 |
| | Annual Audit Report and Opinion (2024/25) | By end July | G | 2024/25 Annual Report and Opinion presented to Audit, Standards & General Purposes Committee 24 June 2025 |
| | Customer Satisfaction Levels | 90% satisfied. | G | 100% |
| Productivity and Process Efficiency | Audit Plan – completion to draft report stage | 90% | G | 90.4% |
| | Percentage of audit plan days delivered | 90% | A | 89.1% |
| Compliance with Professional Standards | Public Sector Internal Audit Standards | Conforms | G | April 2025 - Self Assessment against the Global Internal Audit Standards (GIAS) completed. No major areas of non-conformance identified. Some areas to ensure full compliance have been identified including the update of the Audit Charter. Dec 2025 - Our latest quality review exercise identified no major areas of non-conformance with only minor need to make improvements relating to internal record keeping within the service. |
| | Relevant legislation such as the Police and Criminal Evidence Act, Criminal Procedures, and Investigations Act | Conforms | G | No evidence of non-compliance identified |
| Our staff | Professionally Qualified/Accredited | 80% | G | 88%[2] |

 

The following Key Performance Indicators are not wholly owned by Internal Audit, but measure improvement in the internal control framework, as influenced by Internal Audit:

 

| Aspect of Service | Performance Indicator | Target | RAG Score | Actual Performance |
|---|---|---|---|---|
| Outcome and degree of influence | Implementation of management actions agreed in response to audit findings | 95% for high priority agreed actions | A | 91.9% |

Appendix B

 

 

Summary of Opinions for Internal Audit Reports Issued During 2025/26

Substantial Assurance:

(Explanation of assurance levels provided at the bottom of this document)

Audit Title

·         Microsoft Teams Governance
·         IT&D Project Management
·         Home Purchase Scheme – follow up

Reasonable Assurance:

Audit Title

·         Mobile Phone Application Management
·         Inclusion Support Service
·         Public Health Locally Commissioned Services
·         Home Care Contract Management
·         Digital Literacy and Skills Training
·         Fleet Management – follow up
·         Business Rates
·         Madeira Terrace
·         Petty Cash
·         Payroll
·         Accounts Payable
·         Risk Management
·         Corporate Governance – Code of Conduct
·         Artificial Intelligence Tools
·         Brighton Marina to River Adur Flood and Coastal Erosion Programme
·         Property Disposals
·         Direct Payments (Adults) – follow up
·         Budget Management Corporate Process (Draft)
·         Implementation of Procurement Regulations (Draft)
·         Add Your Own Device (Draft)
·         Cultural Compliance Parking Services (Draft)

Partial Assurance:

Audit Title

·         Home Purchase Scheme
·         Attendance Management
·         Brighton Centre – Cultural Compliance
·         Temporary Accommodation – Block Booked and Spot Purchase Payments
·         Accounts Receivable (Debtors) – follow up
·         Off Payroll Payments (IR35) follow up
·         Council Tax
·         Direct Payments (Children’s)
·         Contract Management – Facilities and Building Services follow up
·         St Andrews Primary School
·         Tarnerland Nursery School
·         Elm Grove Primary School
·         Housing Repairs (Draft)

Minimal Assurance:

Audit Title

·         Reactive and Planned Maintenance

Non-Opinion:

Audit Title

·         Transition Local Enterprise Programme
·         Fleet Procurement Compliance and Payment Control
·         Middle Street Primary School
·         Online Safety Act – Position Statement
·         Microsoft Power Platform Data Governance (Draft)

Grant Certification:

Grant Title

·         Multiply Grant
·         Supporting Families Programme
·         Childcare Expansion Capital Grant
·         Local Transport Capital Block Funding Grant
·         Bus Subsidy Grant

Audit Opinions and Definitions

| Opinion | Definition |
|---|---|
| Substantial Assurance | Controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Reasonable Assurance | Most controls are in place and are operating as expected to manage key risks to the achievement of system or service objectives. |
| Partial Assurance | There are weaknesses in the system of control and/or the level of non-compliance is such as to put the achievement of the system or service objectives at risk. |
| Minimal Assurance | Controls are generally weak or non-existent, leaving the system open to the risk of significant error or fraud. There is a high risk to the ability of the system/service to meet its objectives. |

Appendix C

 

2025/26 Audit Plan – Audits in Progress at Year-End

 

| Audit Title | Status |
|---|---|
| Employment Checks – Disclosure and Barring Service | Fieldwork in progress |
| Supported Accommodation Contract Management | Fieldwork in progress |
| Transition of Young People to Adult Social Care | Fieldwork in progress |
| Appointee and Deputyship Arrangements | Fieldwork in progress |
| Large Panel System Blocks (Advisory Non-opinion) | Fieldwork in progress |
| Hove Park School | Fieldwork in progress |
| St Andrews School follow up | Fieldwork in progress |
| Housing Planned and Major Works follow up | Fieldwork in progress |
| Housing Client Property Asset Collection Controls follow up | Fieldwork in progress |
| Budget Management – Corporate Process | Draft report |
| Implementation of Procurement Regulations | Draft report |
| Add Your Own Device | Draft report |
| Microsoft Power Platform Data Governance | Draft report |
| Housing Repairs | Draft report |
| Cultural Compliance – Parking Services | Draft report |

Appendix D

 

Audits added to and removed from the plan during 2025/26.

 

Audits Added:

 

| Audit Title | Rationale for Addition |
|---|---|
| Fleet Procurement Compliance and Payment Controls | To review procurement compliance within the management of the Council’s fleet of vehicles and equipment. Review requested by Corporate Director, City Operations. |
| Madeira Terrace | To provide assurance that the programme to refurbish and repair Madeira Terraces is operating as expected to deliver the project objectives. Review requested by Corporate Director, City Operations. |
| Brighton Marina to River Adur Flood and Coastal Erosion Programme | To provide assurance that the programme is operating as expected to deliver coastal defences alongside the Environment Agency and the Council’s role as accountable body is effective. Review requested by Corporate Director, City Operations. |
| Petty Cash | A number of concerns have been raised in recent years regarding the control of petty cash across the Council. Although use of cash across the Council has significantly reduced, there are some services that still rely heavily on petty cash systems to deliver support to clients. |
| Home Purchase Scheme follow up | Early follow up review requested by the service following previous partial assurance audit. |
| Cyber Security in Schools (Themed Review) | Audit added in response to incidents highlighting vulnerabilities, both locally and nationally. |
| Cyber Security Programme Support | This assignment has been added to provide ad-hoc advice, governance, and support regarding risk, control, and probity for a recently launched programme aimed at enhancing the Council’s cybersecurity arrangements. |
| Large Panel System Blocks Programme Governance | Advice work to include a review of documentation and processes in place in relation to governance, planning and preparation, focusing on the controls in place and opportunities to enhance these to mitigate the potential risks. |
| Cherwell Replacement Project – Governance Arrangements | Added to the plan in response to a request from the service for additional assurance over a large and complex project. |

 

Audits Removed/Deferred:

 

| Audit Title | Rationale for Removal |
|---|---|
| Environmental Services Project Management | Removed from the plan for 2025/26 to accommodate other requested audits in City Operations. Will be considered as part of a wider review of commissioning for future audit plans. |
| Mobile Phone Application follow up | Follow up review not required as final report opinion has changed from Partial to Reasonable Assurance. |
| Local Government Reorganisation and Devolution | Audit activity deferred to 2026/27 in accordance with timescales which will confirm plans for Sussex. |
| Prepayment Cards – (Huggg) follow up review | Since the audit, a control report has been issued following financial loss on unapproved vouchers issued via a school account. This follow up review is deferred to 2026/27 to allow further time to review usage and embed actions to improve controls. |
| Cybersecurity and Data Loss Risks in Third Party Supply Contracts and Cloud Services | The dedicated audit on cybersecurity risks related to third-party contracts and cloud services was cancelled to allow resources to support broader programme activities. Nevertheless, key findings from work already completed in this area have been conveyed to the cybersecurity programme for further action. |
| Shadow IT Governance Arrangements | The audit to cover computer systems and applications used by the Council outside the direct control of IT&D was cancelled for 2025-26 to support additional priority work within IT&D. |
| Information Governance – General Data Protection Regulation (GDPR) | This audit was deferred due to capacity issues within the team meaning the service was unable to support the audit during the quarter. |
| Public Health Grant Governance Arrangements | This audit was deferred due to changes in staffing arrangements and resources that meant the service was unable to support the audit during quarter four. |


[1] This opinion is based on the activities set out in the paragraphs below. It is therefore important to emphasise that it is not possible or practicable to audit all activities of the Council within a single year.

[2] Includes part-qualified staff and those undertaking professional training.