The Audit and Governance Committee of Rushmoor Borough Council met on Wednesday, 10 June 2026, to review reports from the Council's external and internal auditors. The meeting was scheduled to discuss the proposed audit planning report for the 2025/26 financial year from external auditors Ernst & Young (EY), and the annual audit opinion for the same period from internal auditors Southern Internal Audit Partnership (SIAP).

External Audit Proposed Audit Planning Report 2025/26

The committee was scheduled to receive Ernst & Young's (EY) Audit Planning Report for the 2025/26 financial year. This report outlines EY's proposed audit approach and scope for the Council's external audit. It details the key issues driving the development of an effective audit, aligning the audit approach and scope accordingly. The report also addresses the broader impact of government proposals aimed at establishing a sustainable local audit system.

EY's report highlighted several significant risks and areas of focus for the upcoming audit. These included the presumptive risk of management override of controls and the risk of fraud in revenue and expenditure recognition, particularly through the inappropriate capitalisation of revenue expenditure. A significant risk was identified concerning the valuation of land and buildings, and investment property, due to the complex assumptions and judgements involved. The report noted that in previous years, EY had been unable to substantiate key inputs and assumptions used in these valuations. The implementation of CIPFA's Bulletin 22, which reassesses the valuation regime for non-investment assets, was also highlighted as a key consideration for the 2025/26 financial statements.

The report also detailed the audit strategy for rebuilding assurance following previous disclaimed audit opinions. This strategy focuses on strengthening the underlying control environment, providing high-quality working papers, and actively engaging with auditors. EY indicated that it was unlikely they would commence rebuilding assurance over the historic position during the 2025/26 audit cycle, due to the inability to complete all planned audit procedures in prior years.

Materiality for the audit was set at £1.65 million, representing 2% of the forecast gross expenditure for 2025/26. Performance materiality was set at £0.83 million. The report also outlined the auditor's responsibilities regarding value for money arrangements, focusing on financial sustainability, governance, and improving economy, efficiency, and effectiveness. A risk of significant weakness was identified concerning the Council's long-term financial sustainability due to current debt levels and borrowing costs, and the utilisation of reserves to balance the budget.

Internal Audit Annual Audit Opinion 2025/26

The committee was also scheduled to receive the Annual Internal Audit Conclusion for 2025/26 from Southern Internal Audit Partnership (SIAP). This report provides the Chief Internal Auditor's opinion on the effectiveness of the Council's framework of governance, risk management, and control for the year.

SIAP's report indicated that the Southern Internal Audit Partnership had been assessed as 'Generally Conforms' against the Global Internal Audit Standards in the UK Public Sector during 2025-26. The revised internal audit plan for 2025-26 had been delivered in full. The overall conclusion was that the Council's framework of governance, risk management, and management control is considered Reasonable, and audit testing demonstrated that controls were working in practice.

However, the report highlighted several areas where assurance was limited or no assurance could be provided. These included:

• Agency Staff (No Assurance): The audit found no formal policies or procedures governing the engagement or use of agency staff, and a lack of evidence that the Council's Procurement Strategy or Contract Standing Orders had been followed. Issues were also identified regarding mandatory training registration, IR35 status checks, the use of Approval to Recruit forms, and corporate oversight of spend and performance monitoring.
• Disabled Facility Grants (Limited Assurance): While the processes were generally sound, concerns were raised regarding the procurement of contractors and surveyors, with contract standing orders not being followed. There was no contractor framework, formalised annual checks, or onboarding process for new contractors, and Disclosure and Barring Service (DBS) checks were not part of due diligence. Documentation was also not maintained in accordance with the retention policy.
• Pay360 (Limited Assurance): While access to the payment collection software was secured, password expiry and minimum length deviated from National Cyber Security Centre (NCSC) best practices. Access reviews were ad-hoc, and new user access was provisioned by copying existing permissions without full visibility. Inconsistencies were noted in user roles versus group assignments, and reliance on a single administrator account created a key person dependency. Remote access controls were also found to be less effective than intended.
• Union Yard (Limited Assurance): Reports submitted prior to 2021, relating to project appraisal and land acquisition for the regeneration scheme in Aldershot, were not presented with sufficient information for fully informed decision-making. The project's risk register also had instances where materialised risks were not specified with the severity of their impact, and not all risk entries included defined mitigating actions or updates.
• Effectiveness of Financial Rules (Limited Assurance): Responsibilities and execution of financial controls were not clearly documented. Virements over £50,000 had not been reported to or approved by Cabinet, and approval trails for virements below this threshold were not retained. Not all authorised signatories for payments had been properly authorised, and the requirement for dual signatories for cheques over £25,000 was not being enforced.

The report also noted themes identified across multiple engagements, including issues related to Resources, Competencies & Training, Systems, Standards & Policies, Governance, Process & Procedures, Accountability, and Assurance & Monitoring.

The meeting was also scheduled to receive the Minutes of the previous meeting held on 25th March 2026.