Internal Audit Annual Report 2024/25
Internal Audit Annual Report 2024/25
Report by: BDO
Published: June 2025
Contents
- Executive Summary
- Review of 2024/25 Work
- Summary of Findings
- Added Value
- Key Themes
- Background to Annual Opinion
- Key Performance Indicators (KPIs)
- Appendix 1: Opinion and Recommendation Significance
Executive Summary
Internal Audit 2024/25
This report details the work undertaken by internal audit for Rushcliffe Borough Council (the Council) and provides an overview of the effectiveness of the controls in place for the full year. The following reports have been issued for this financial year:
- Workforce and Succession Planning
- Cyber Security
- Main Financial Systems
- Fraud Report
- Budgetary Control
- Equality / Equity Diversity and Inclusion (EDI)
- Carbon Management Action
- Disabled Facilities Grant (DFG)
- Housing Benefits.
We have detailed the opinions of each report and key findings on pages three to nine. Our internal audit work for the period 1 April 2024 to 31 March 2025 was carried out in accordance with the internal audit plan approved by management and the Governance Scrutiny Group. The plan was based upon discussions held with management and was constructed in such a way as to gain a level of assurance on the main financial and management systems reviewed. There were no restrictions placed upon the scope of our audit and our work complied with Public Sector Internal Audit Standards.
Head of Internal Audit Opinion
The role of internal audit is to provide an opinion to the Council, through the Governance Scrutiny Group, on the adequacy and effectiveness of the internal control system to ensure the achievement of the organisation’s objectives in the areas reviewed. The annual report from internal audit provides an overall opinion on the adequacy and effectiveness of the organisation’s risk management, control
and governance processes, within the scope of work undertaken by our firm as outsourced providers of the internal audit service. It also summarises the activities of internal audit for the period. The basis for forming my opinion is as follows:
- An assessment of the design and operation of the underpinning risk management processes.
- An assessment of the range of individual opinions arising from risk-based audit assignments contained within internal audit risk-based plans that have been reported throughout the year; this assessment has taken account of the relative materiality of these areas and management’s progress in respect of addressing control weaknesses.
- Any reliance that is being place upon third party assurance.
Overall, we provide Substantial assurance that there is a sound system of internal controls, designed to meet the Council’s objectives, that controls are being applied consistently across various services, with limited levels of non-compliance.
In forming our view, we have taken into account that:
- We completed a total of nine reviews (eight assurance audits and two advisory reviews). Across the internal audit reviews, we consistently provided Substantial assurance over the design of controls and/or the control effectiveness. There were only four reviews where we provided a Moderate opinion for the control design of effectiveness.
- There has been prompt implementation of audit recommendations, with most recommendations implemented by the initial due date. We have collaborated with Management to improve our follow up process by obtaining access to the Council’s Microsoft Team channel to allow continued follow up throughout the year.
- There has been a continued engagement with internal audit by the Executive Management Team Rushcliffe Borough Council
(EMT), demonstrating a commitment to enhancing internal controls, governance and risk management processes. This is despite a backdrop of increasing challenges on resources for local authorities, compounded by other demands that have impacted capacity of staff (such as managing the electoral pressures of a General Election). Staff have consistently provided our Internal Audit Team with availability to support the delivery of our reviews. - While the Council has a new Chief Executive, there has been a consistency in the ELT which supports the organisational stability. There has been a similar stability on the Governance Scrutiny Group who have embraced further improvement and developmental opportunities during the year. This includes Audit Committee training provided by us to support new and existing members understand their roles and functions of an effective Audit Committee.
- The Council’s external auditors have issued an unqualified opinion on its Statement of Accounts for the Year-Ended 31 March 2024. Across local authorities, there have been 300 accounts that have a disclaimed opinion from the external auditors across 2022/23 and 2023/24 by the backstop set by the Government. Against this wider view of challenges in the sector, the fact that the Council’s accounts have been audited demonstrates good governance and effective management.
Review of 2024/25 Work
Report Issued - Workforce and Succession Planning
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 2
Overall Report Conclusions (See Appendix 1)
- Design - Substantial
- Operational Effectiveness - Substantial
Conclusion and Summary of Key Findings
This audit assessed the Council’s workforce and succession planning arrangements, focusing on critical and senior roles, and whether sufficient skills and development programmes were in place.
Conclusion
We concluded that there were substantial controls in place for workforce and succession planning and these controls were consistently complied with. There was regular dialogue between the HR Team and departments, although there could be enhanced controls for
analysing staff productivity and demand to improve short, medium and long term planning. There was also a workforce strategy in place.
The Council had succession plans for critical and senior roles, which is not always the case for local authorities. However, there were no formal plans for identifying and developing high performing staff through the appraisal process to support their learning and progression.
Findings
- While the Council has workforce and succession plans in place, there was not a detailed analysis of the current workforce and service demand, along with an analysis of forecast demand and future workforce requirements for services. We also observed some areas for improvement when benchmarking to professional guidance.
- A quantitative scoring metric is not used for appraisals to objectively identify high performing staff to then enrol them onto development programmes. Furthermore, the compliance rates for performance development reviews were lower than expected.
Report Issued - Cyber Security
This was a confidential internal audit report, therefore, we do not include the opinion or the conclusions in the Annual Report.
Report Issued - Main Financial Systems
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 4
Overall Report Conclusions (See Appendix 1)
- Design - Substantial
- Operational Effectiveness - Moderate
Conclusion and Summary of Key Findings
We review the Council’s main financial systems on a cyclical basis as part of our core payroll service is outsourced to Gedling Borough Council based on information provided by the Council.
Conclusion
We provided Substantial assurance for the design of controls because these were generally robust. There were appropriate procedures for debt recovery, underpinned by the Debt Recovery Policy, and this was followed appropriately to support effective collection. There was also adequate reporting to the Executive Management Team on debts and write-offs.
However, the control effectiveness was Moderate because there were some exceptions to how these controls were applied. We identified that there were seven Council staff members who had access to changing pay scales in the payroll system, which should be
limited to Gedling Borough Council only. Additionally, payroll reconciliations were not reviewed promptly, although they were performed on time. From the sample of new starters, leavers and salary changes, we confirmed that these were processed accurately and supported by sufficient documentation.
Findings
- Segregation of duties were not in place for journals on E-Fins below the value of £10,000.
- While suppliers of high value transactions and those procured through frameworks were subject to due diligence, low value or low risk new suppliers were set up without credit checks, and there was no way to record approvals of supplier set up within the system.
- Four members of the HR Team and three of the Finance Team could change pay scales in the payroll system which should be restricted to payroll staff at Gedling Borough Council only.
- A review of the payroll reconciliation was not completed promptly for one month, although the reconciliation was performed on time.
Report Issued - Fraud Report
Advisory report
This was an advisory report where findings and recommendations are not raised.
Report Issued - Budgetary Control
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 2
Overall Report Conclusions (See Appendix 1)
- Design - Substantial
- Operational Effectiveness - Substantial
Conclusion and Summary of Key Findings
We assessed whether there were adequate controls in place for budgetary reporting and management to support accountability for budget holders and effective budget management. We also benchmarked the Council’s practices to other local authorities.
Conclusion
The control design was Substantial as there were proportionate governance structures to oversee budgetary performance at departmental and a senior level. There was cooperation with internal and external stakeholders during the budget setting process.
Furthermore, there was regular one-to-one meetings between Finance Business Partners and budget holders to scrutinise and re-forecast budgets. These were also presented to Performance Clinic meetings.
Annual budget holder training sessions were held and attended by all budget holders. The Finance Team has also established tailored sessions with some departments on specific topics that had been requested.
Overall, amidst a backdrop of financial and budgetary challenges in local government organisations, the Council’s budget management was effective.
Findings
- Budget holders may benefit from further training such as short sessions on challenging areas of the role and a ‘how to’ guides for the functionality of the finance system for self-service use.
- While there was a consistent baseline, there was an inconsistency in the level of detail provided by budget holders in the completion of action logs and justifications for variances.
Report Issued - Carbon Management Action Plan
Recommendations and Significance
- High - 0
- Medium - 2
- Low - 0
Overall Report Conclusions (See Appendix 1)
- Design - Substantial
- Operational Effectiveness - Moderate
Conclusion and Summary of Key Findings
The purpose of this audit was to assess whether the Carbon Management Action Plan was effectively monitored and managed, including alignment between the actions and the Council’s budget.
Conclusion
The Carbon Management Action Plan covered the areas we would expect. However, there were actions which had been removed from the Action Plan, reducing the audit trail for actions taken. To help monitor trends and the reduction of carbon emissions, a Carbon
Clever Progress Dashboard has been developed. This shows that the Council is on target to reach its objective to be carbon neutral by 2030. The actions taken are reported to the Communities Scrutiny Group who maintain oversight of the delivery.
Costs for actions on the Carbon Management Action Plan had been estimated based on historic contracts or general understanding of the costs. When these are incorporated into the capital programme a formal appraisal is documented with more tangible costs. To demonstrate its commitment to carbon neutrality, the Council put £1,000,000 towards a climate change reserve which is topped up annually and monitored monthly.
Findings
- Actions in the Carbon Management Action Plan were not all SMART (specific, measurable, achievable, realistic and time-bound) and some actions have been removed from the action plan tracker without a formal change control process. Other actions were not worded as a clear action and referred to ‘investigating’ a solution, which is not tangible and measurable.
- Minutes of Carbon Reduction Group meetings were not retained; therefore, we were unable to provide assurance over the effectiveness of scrutiny and governance.
Report Issued - Housing Benefits
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 2
Overall Report Conclusions (See Appendix 1)
- Design - Substantial
- Operational Effectiveness - Substantial
Conclusion and Summary of Key Findings
Housing Benefits are a statutory service provided by local authorities. We assessed the new housing benefit claims and changes in circumstances and overpayments processes.
Conclusion
The control design and effectiveness were Substantial because there was a sound system of internal control designed to achieve system objectives and these were consistently followed.
Policies and procedures for processing housing benefit claims were clear, with roles and responsibilities defined. There was also robust reporting to the Executive Management Team and Corporate Overview Group to monitor timescales for processes changes in circumstances.
Our sample testing of new benefit claims and changes in circumstances identified consistent compliance with targeted timescales for processing applications. Weekly payment runs were made to ensure prompt payments to claimants, with a separation of duties embedded to mitigate the risk of fraud or error.
However, we identified that there was not a formal separation of duties when awarding discretionary housing payments (DHPs) to claimants in accordance with the Council’s policies.
Findings
- The Council conduct Searchlight checks of new claimants but do not perform ID checks or review bank statements or payslips to verify the income and investments of applicants. We identified one case where a Searchlight check was not completed as the claimant had been transferred from Universal Credit, so it was assumed that identity checks had been performed by the DWP.
- DHPs are not subject to a separate review or approval to ensure that these are being consistently accepted or rejected in accordance with the policy.
Report Issued - Equality / Equity Diversity and Inclusion
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 0
Overall Report Conclusions (See Appendix 1)
- Advisory report
Conclusion and Summary of Key Findings
We used our internally developed EDI Maturity Assessment Toolkit to assess the Council’s internal EDI controls and management for its workforce. This is a ‘gold standard’ criteria which overlaps with the Equality Framework for Local Government (EQLG) but has higher
standards than those recommended in the EQLG.
Conclusion
We concluded that the Council had a Defined level of maturity for EDI in its workforce, with some scope areas being Aware. Critically, the tone from the top and the governance was Defined, which relates to the culture in the Council and statutory reporting compliance. This is in line with other local authorities that we have conducted the EDI Maturity Assessment for. As there are limitations to resource available to EDI, the implementation of the Equalities Scheme is delivered through the EDI Steering Group and collaboration between service areas.
To improve its maturity for EDI, sponsorship of EDI at a senior level could be allocated to a member of the Executive Management Team and higher completion rates for EDI training modules could be enforced. Furthermore, the Council could use its workforce data more
effectively to drive its EDI outcomes.
Critically, the Council complied with the gender pay gap reporting requirements of the Public Sector Equality Duty. Furthermore, the Chief Executive and Executive Directors demonstrated a commitment to EDI and attended key meetings to monitor and oversee EDI objectives.
Findings
- There did not appear to be a golden thread between corporate strategies and values, and the Equality Scheme. Roles and responsibilities to promote EDI across the Council were not documentation and there was no senior sponsor for EDI to promote networks and forums.
- The EDI Action Plans did not have SMART objectives or outcomes, making it difficult to assess the impact of EDI initiatives.
- EDI training completion rates are low, with only 26.4% of staff having completed Equality Act 2010 training between January 2023 and October 2024.
- There were inadequate arrangements for evaluating the implementation of the EDI Strategy, using data collected on the workforce, residents and services users to share lessons learnt and drive future initiatives.
Report Issued - Disabled Facilities Grants
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 2
Overall Report Conclusions (See Appendix 1)
- Design - Substantial
- Operational Effectiveness - Moderate
Conclusion and Summary of Key Findings
The purpose of this audit was to review the operational management and administration
of the Disabled Facilities Grant (DFG), including an end-to-end review of the application
process.
Conclusion
There was a Substantial design of controls for the administration of the DFG and a Moderate effectiveness of controls, as some non-compliance was identified.
The DFG Policy establishes aa robust procedure and timescales for reviewing and assessing applications, including how the Council will cooperate with the County Council. This included clarity over the eligibility criteria and requirements for obtaining multiple quotes for the works to obtain value for money. There was one instances where three quotes, as required by the policy, were not obtained. However, this was an exception and, broadly, the application process was followed correctly, with appropriate levels of sign off. There were two applications where we were unable to verify that the application was approved before an Approval Notice Letter was sent to the applicant. Documentation was retained on iDocs for each stage of the application process.
Findings
The audit trail for applications, including the approvals of applications, were overwritten on Uniform when changes to the grant are made. This results in the Council being unable to demonstrate that applications were approved before an Approval Notice Letter was initially sent to the applicant, if there were subsequent changes to the grant award.
Only one quote was obtained from a contractor for one of the works selected in our sample of DFG projects. This is non-compliant with the DFG Policy, however, this relates to works that an existing contractor had supported on before and so they were considered the best value for money.
Summary of Findings
Recommendations and Assurance
Recommendations
2022/23
- High - 0
- Medium - 10
- Low - 20
2023/24
- High - 0
- Medium - 3
- Low - 15
2024/25
- High - 0
- Medium - 2
- Low - 12
As with prior years, we did not raise any high findings in the year. The proportion of Medium and Low findings remained consistent with
2023/24.
Control Design
2022/23
- High - 0
- Medium - 3
- Low - 6
2023/24
- High - 0
- Medium - 2
- Low - 7
2024/25
- High - 0
- Medium - 0
- Low - 6
We provided Substantial opinions for the control design for all reviews in 2024/25. Other advisory work was conducted in the year which
supported our Head of Internal Audit Opinion.
Operational Effectiveness
2022/23
- High - 0
- Medium - 3
- Low - 6
2023/24
- High - 0
- Medium - 1
- Low - 8
2023/24
- High - 0
- Medium - 3
- Low - 3
There was an increase in the number of Moderate assurance opinions provided on the control effectiveness across our reviews. Broadly, the overall view control effectiveness remained positive.
Added Value
Use of Specialists
Our reviews were performed by our dedicated Public Sector Internal Audit Team. For specialist reviews, these were completed by subject matter experts to ensure the Council received assurance from qualified individuals. This includes the Fraud Report where the work was performed and reviewed by Accredited Counter Fraud Specialists. The Cyber Security audit was undertaken by our Cyber
Security and Infrastructure Security Agency (CISA) qualified staff.
Additional Training Outside of the Assurance Plan
We recognise the importance of assurance providers supporting local authorities, at no extra cost, outside of the Internal Audit Plan.
Training was provided to the Governance Scrutiny Group on how to be an effective Audit Committee, changes to the Global Internal Audit Standards, the impact of the Redmond Review and good governance principles.
Blend of Assurance
Our Internal Audit Plan had a blended assurance approach, covering core assurance, soft controls and future-focused assurance. We used innovative methods, such as our internally-developed Equality and Diversity Maturity Assessment to review the Council's arrangements against best practice, to support an improved control environment. Our risk-based auditing methodology considered the higher risk areas, such as Cyber Security, to focus our audit days on the areas that will have the most impact to the Council.
Key Themes
People and Workforce
There was a continued welcoming of internal audit reviews from staff across the Council, demonstrating the commitment to improving internal controls, governance and risk management. Furthermore, our audit review of Workforce and Succession Planning and advisory review for the EDI Maturity Assessment identified an effective approach to managing changes in the workforce and promoting an inclusive culture, which has helped good retention.
Effective Financial Control
Our internal audit reviews of Budgetary Control and Main Financial Systems (focusing on payroll and accounts receivable) identified strong controls in place which were consistently followed. As the Council are integrating a new financial system in 2025/26, these sound foundations support an effective system of financial controls.
Compliance with Statutory Requirements
Our audit plan covered statutory processes to provide assurance to the Governance Scrutiny Group that the Council complied with legislative requirements, such as for Housing Benefits and DFG. Controls were designed effectively and generally complied with.
Emerging Risks
An effective audit plan has due consideration with emerging risks. We reviewed the Council's delivery of its Carbon Management Action Plan (amidst a climate emergency declaration) and Cyber Security. Due to a growth in cyber risks, caused by technological advancements and an increase in malicious actors, this is an emerging risk for local authorities.
Background to Annual Opinion
Introduction
Our role as internal auditors to Rushcliffe Borough Council (the Council) is to provide an opinion to the Council, through the Governance Scrutiny Group, on the adequacy and effectiveness of the internal control system to ensure the achievement of the organisation’s objectives in the areas reviewed. Our approach, as set out in the firm’s Internal Audit Manual, is to help the organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Our internal audit work for 2024/25 was carried out in accordance with the internal audit plan approved by the Executive Management Team (EMT) and the Governance Scrutiny Group, adjusted during the year for any emerging risk issues. The plan was based upon discussions held with management and was constructed in such a way as to gain a level of assurance on the main financial
and management systems reviewed. There were no restrictions placed upon the scope of our audit and our work complied with Public Sector Internal Audit Standards.
The annual report from internal audit provides an overall opinion on the adequacy and effectiveness of the organisation’s risk management, control and governance processes, within the scope of work undertaken by our firm as outsourced providers of the internal audit service. It also summarises the activities of internal audit for the period.
Audit Approach
We have reviewed the control policies and procedures employed by the Council to manage risks in business areas identified by management set out in the 2024/25 Internal Audit Annual Plan which was approved by the Governance Scrutiny Group. This report is made solely in relation to those business areas and risks reviewed in the year and does not relate to any of the other operations of the
organisation. Our approach complies with best professional practice, in particular, Public Sector Internal Audit Standards, the Chartered Institute of Internal Auditors’ Position Statement on Risk Based Internal Auditing.
We discharge our role, as detailed within the audit planning documents agreed with the Council’s management for each review, by:
- Considering the risks that have been identified by management as being associated with the processes under review.
- Reviewing the written policies and procedures and holding discussions with management to identify process controls.
- Evaluating the risk management activities and controls established by management to address the risks it is seeking to manage.
- Performing walk through tests to determine whether the expected risk management activities and controls are in place.
- Performing compliance tests (where appropriate) to determine that the risk management activities and controls have operated as expected during the period.
The opinion provided in this report is based on historical information and the projection of any information or conclusions contained in our opinion to any future periods is subject to the risk that changes may alter its validity.
Reporting Mechanisms and Practices
Our initial draft reports are sent to the key contact responsible for the area under review to gather management responses. In every instance there is an opportunity to discuss the draft report in detail. Therefore, any issues or concerns can be discussed with management before finalisation of the reports.
Our method of operating with the Governance Scrutiny Group is to agree reports with management and then present and discuss the matters arising at the Governance Scrutiny Group meetings.
Management actions on our recommendations
Management was engaged with the internal audit process and provided considerable time to us during the fieldwork phases of our reviews, generally providing audit evidence promptly and allowing the reviews to proceed in a timely manner. This included opportunities to discuss findings and recommendations prior to the issue of draft internal audit reports. Management responses to draft
reports were consistently provided within our requested timescale.
We had direct channels of communication to members of the EMT throughout our audit engagements and in our audit planning process. We had a one-to-one meeting with the Council’s new Chief Executive to establish an open and transparent communication channel to ensure that any audit matters can be escalated where appropriate.
Recommendations Follow-up
Implementation of recommendations is a key determinant of our annual opinion. If recommendations are not implemented in a timely manner, weaknesses in control and governance frameworks will remain in place. Furthermore, an unwillingness or inability to implement recommendations reflects poorly on management’s commitment to the maintenance of a robust control environment.
Recommendations from our internal audit reports have generally been implemented promptly with appropriate actions taken to improve controls where weaknesses have been identified.
Relationship with External Audit
All our final reports are available to the external auditors through the Governance Scrutiny Group
papers and are available on request. Our files are also available to external audit should they wish
to review working papers to place reliance on the work of internal audit.
Report by BDO LLP to Rushcliffe Borough Council
As the internal auditors of Rushcliffe Borough Council we are required to provide the Governance Scrutiny Group, and the Executive Management Team with an opinion on the adequacy and effectiveness of risk management, governance and internal control processes, as well as arrangements to promote value for money.
In giving our opinion, it should be noted that assurance can never be absolute.
The internal audit service provides [name of organisation] with Substantial assurance that there are no major weaknesses in the internal control system for the areas reviewed in 2024/25. Therefore, the statement of assurance is not a guarantee that all aspects of the internal control system are adequate and effective. The statement of assurance should confirm that, based on the evidence of the audits
conducted, there are no signs of material weaknesses in the framework of control.
In assessing the level of assurance to be given, we have taken into account:
- All internal audits undertaken by BDO LLP during 2024-25.
- Any follow-up action taken in respect of audits from previous periods for these audit areas.
- Whether any significant recommendations have not been accepted by management and the consequent risks.
- The effects of any significant changes in the organisation’s objectives or systems.
- Matters arising from previous internal audit reports to the Council.
Key Performance Indicators
Quality Assurance
High quality documents produced by the auditor that are clear and concise and contain all the information requested.
KPI
Average client satisfaction received in 2024/25 was 4.3/5. While this is a positive score, we will continue to aim for high levels of satisfaction and act on any areas identified for further improvement.
RAG Rating - Green
Quality Assurance
Frequent communication to the customer of the latest mandatory audit standards and professional standards prescribed by the main accountancy bodies.
KPI
Sector updates are provided within our quarterly Progress Report to the Governance Scrutiny Group. We also provided a training session to the Governance Scrutiny Group in November 2024 which covered the changes to the Global Internal Audit Standards and the impact of this on public sector bodies.
RAG Rating - Green
Quality Assurance
The auditor attends the necessary meetings as agreed between the parties at the start of the contract.
KPI
All meetings (Governance Scrutiny Group, meetings, pre-meetings, individual audit meetings and contract reviews) are attended by a BDO Partner or Manager. Where there has been a change in contract manager during the year, we had an effective handover process to ensure continuity in the service provided to the Council.
RAG Rating - Green
Quality Assurance
Information is presented in the format requested by the customer.
KPI
In our audit satisfaction survey issued after each assignment identified that our reports added value and were presented appropriately. An average score of 4.7/5 was received when asked whether our final reports were clear and concise.
RAG Rating - Green
Quality Assurance
External audit can rely on the work undertaken by internal audit (where planned).
KPI
Our internal audit work is available to external audit.
RAG Rating - Green
Quality Assurance
Annual Audit Plan delivered in line with timetable.
KPI
We have completed our annual programme of work for 2024/25 in time to issue our HoIA opinion ahead of the Trust finalising its Annual
Governance Statement. Our audit work was delivered evenly over the year.
RAG Rating - Green
Quality Assurance
At least 60% input from qualified staff.
KPI
In delivering the Internal Audit Programme, 70.4% of input was from qualified staff. Remaining audit work was performed by staff working towards a professional qualification.
RAG Rating - Green
Quality Assurance
Positive result from any external review.
KPI
The External Audit Quality Assessment by the Institute of Internal Auditors in April 2021 found BDO to ‘generally conform’ (the highest rating) to the International Professional Practice Framework and Public Sector Internal Audit Standards.
RAG Rating - Green
Appendix 1
Annual Opinion Definition
Substantial (Green) - Fully meets expectations
Our audit work provides assurance that the arrangements should deliver the objectives and risk management aims of the organisation in the areas under review. There is only a small risk of failure or non-compliance.
Moderate (Amber) - Significantly meets expectations
Our audit work provides assurance that the arrangements should deliver the objectives and risk management aims of the organisation in the areas under review. There is some risk of failure or non-compliance.
Limited (Red) - Partly meets expectations
Our audit work provides assurance that the arrangements will deliver only some of the key objectives and risk management aims of the organisation in the areas under review. There is a significant risk of failure or non-compliance.
No (Blue) - Does not meet expectations
Our audit work provides little assurance. The arrangements will not deliver the key objectives and risk management aims of the organisation in the areas under review. There is an almost certain risk of failure or non-compliance.
Report Opinion Significance Definition
Level of Assurance = Substantial (Green)
Design Opinion: Appropriate procedures and controls in place to mitigate the key risks.
Findings: There is a sound system of internal control designed to achieve system objectives.
Effectiveness Opinion: No, or only minor, exceptions found in testing of the procedures and controls.
Findings: The controls that are in place are being consistently applied.
Level of Assurance = Moderate (Amber)
Design Opinion: In the main, there are appropriate procedures and controls in place to mitigate the key risks reviewed, albeit with some that are not fully effective.
Findings: Generally, a sound system of internal control designed to achieve system objectives with some exceptions.
Effectiveness Opinion: A small number of exceptions found in testing of the procedures and controls.
Findings: Evidence of non-compliance with some controls that may put some of the system objectives at risk.
Level of Assurance = Limited (Red)
Design Opinion: A number of significant gaps identified in the procedures and controls in key areas. Where practical, efforts should be made to address in-year.
Findings: System of internal controls is weakened with system objectives at risk of not being achieved.
Effectiveness Opinion: A number of reoccurring exceptions found in testing of the procedures and controls. Where practical, efforts should be made to address in-year.
Findings: Non-compliance with key procedures and controls places the system objectives at risk.
Level of Assurance = No (Blue)
Design Opinion: For all risk areas there are significant gaps in the procedures and controls. Failure to address in-year affects the quality of the organisation’s overall internal control framework.
Findings: Poor system of internal control.
Effectiveness Due to absence of effective controls and procedures, no reliance can be placed on their operation. Failure to address in-year affects the quality of the organisation’s overall internal control framework.
Findings: Non-compliance and / or compliance with inadequate controls.
Recommendation Significance Definition
High (Red)
A weakness where there is substantial risk of loss, fraud, impropriety, poor value for money, or failure to achieve organisational objectives. Such risk could lead to an adverse impact on the business. Remedial action must be taken urgently.
Medium (Amber)
A weakness in control which, although not fundamental, relates to shortcomings which expose individual business systems to a less immediate level of threatening risk or poor value for money. Such a risk could impact on operational objectives and should be of concern to senior management and requires prompt specific action.
Low (Green)
Areas that individually have no significant impact, but where management would benefit from improved controls and/or have the opportunity to achieve greater effectiveness and / or efficiency.