The Audit and Governance Committee approved the Internal Audit plan for 2026/27 and the associated Charter and Mandate, along with delegating authority for in-year amendments to the plan. The Committee also approved the Risk Management Policy and Strategy for 2026/27, noting that no material changes were proposed following its annual review. Finally, the Committee received updates on the Internal Audit progress report and the Strategic Risk Register.

Internal Audit Plan and Charter Approved

The committee formally approved the Internal Audit plan for 2026/27, which outlines the proposed audit work for the upcoming financial year. This plan is designed to provide assurance over the council's governance, risk management, and control processes, aligning with the Global Internal Audit Standards. Alongside the plan, the Internal Audit Charter and Mandate, which defines the service's role, organisational position, and reporting relationships, was also approved. This charter was last reviewed in 2025 to align with the Global Internal Audit Standards. A delegation was approved, granting the Executive Director of Finance, the Section 151 Officer, the authority to agree necessary amendments to the 2026/27 Internal Audit plan throughout the year, in consultation with the Chair of the Audit and Governance Committee. This ensures the plan remains responsive to the council's evolving risks and priorities.

Risk Management Policy and Strategy Approved

The Audit and Governance Committee approved the council's Risk Management Policy and Strategy for 2026/27. This document sets out how the council will manage risks across its operations and transformational activities, detailing the approach to risk management at all organisational levels and outlining the hierarchy of risk registers. The policy and strategy were reviewed annually, as agreed in April 2025, and no material changes were proposed for the upcoming year. The strategy is informed by best practices, including ISO 31000:2018, and aims to embed effective risk management into the council's culture and decision-making processes.

Internal Audit Progress Report

Rachel Ashley-Caunt, Chief Internal Auditor, presented an update on the Internal Audit team's progress, highlighting key findings from eight recently finalised audit reports.

• Complaints Management: An audit found positive progress in strengthening complaints handling arrangements since a previous review. The new case management system has been successfully rolled out with comprehensive training. However, some gaps in controls were identified, leading to a moderate assurance opinion for compliance. Recommendations included formalising senior management sign-off for ombudsman cases and periodic reviews of remedy payments.
• Emergency Planning: The audit assessed the council's arrangements as a category one responder under the Civil Contingencies Act 2004. While a robust framework is in place, weaknesses were identified in training records, the lack of council exercises in the financial year, and the tracking of learning from exercises. Of the 20 open actions reviewed, 17 were overdue. This resulted in a moderate assurance opinion for the control environment and compliance.
• Schools – Financial Governance and Budget Management: Audits across seven maintained schools focused on budget setting and financial governance. While generally positive, recommendations were made for the council to strengthen school governance by developing a formal framework and ensuring comprehensive financial governance training for governors. This area received a good assurance opinion for the control environment.
• Government Procurement Cards (GPC): The audit noted significant improvements in compliance with cardholder and approver reviews compared to the previous year, with 93% of transactions reviewed by cardholders and 75% by approvers. A recommendation was made to make VAT training mandatory for all GPC cardholders to ensure better recovery of eligible VAT. This area received a good assurance opinion for the control environment.
• Housing Benefit and Council Tax Support: The audit focused on the recovery of overpayments. While good practice was noted in recovering monies through deductions and a reduction in overall debt, weaknesses were identified in the independent review of payment runs and reconciliations. The activation of reminder letters on the new system was also noted as an area for review. A complete review of the housing benefit overpayment function will be undertaken, resulting in a moderate assurance opinion for control environment and compliance.
• Bank Reconciliations: All legacy bank accounts have now been closed, and final reconciliations have been produced. While a significant improvement was noted in reducing unreconciled items compared to the previous year, work is ongoing to clear remaining balances. For corporate bank accounts, a small number of uncashed cheques over a year old were identified. This area received a good assurance opinion for the control environment.
• Income Processing and Debt Recovery: Audits performed by West Northamptonshire Council and Cambridgeshire County Council respectively provided substantial and good assurance on income processing and debt recovery controls. While debt levels have increased, this is largely attributed to increased billing activity. However, areas for improvement were noted in the timeliness of letters before action and the proactive engagement for high-value debts.

The report also detailed the implementation of audit recommendations, noting that 30 actions had been implemented since the last meeting, with 61 overdue. Three high-priority overdue actions were less than one month late, with progress evident. Customer satisfaction feedback was generally positive.

Strategic Risk Register Update

The committee received an update on the council's Strategic Risk Register. The register details the strategic risks faced by the council in achieving its corporate priorities, along with current mitigation actions and residual risk scores. The content had been reviewed by the Corporate Leadership Team (CLT) and informed by directorate-level risk registers. No material changes were made to the risk entries in this update, but several risks are under active review, including those related to SEND reforms and the closure of the 2025/26 accounts. A new risk management system is being rolled out, which will involve a comprehensive review of all risk entries. The report included a risk heat map and the risk scoring methodology for the committee's reference. Risk 3, concerning data loss due to cyber attack, was redacted due to its sensitive nature.

Key risks discussed included:

• Children's Trust Failure (Risk 1): A very high residual risk score of 20 was noted, with ongoing efforts to address issues through Ofsted inspections, peer reviews, and internal audits.
• Unsustainable Finances (Risk 7): A high residual risk score of 16 was assigned, reflecting ongoing challenges in balancing the budget beyond 2026/27 and the need for a robust transformation plan.
• General Fund Overspend and DSG Deficit (Risk 8): Also carrying a high residual risk score of 16, this risk highlights significant pressures from demand-led services and inflation, with ongoing work to mitigate in-year pressures and address the DSG deficit.
• Health and Safety Breaches (Risk 16): This risk has a very high residual risk score of 25, with ongoing work to improve property compliance, recruit a wellbeing specialist, and develop corporate HSW plans.
• SEND Demand and Resources (Risk 21): A high residual risk score of 16 was noted, with actions underway to build capacity, address budget pressures, and establish an Inclusive Education Strategic Board.