Internal Audit Annual Report 2025/26
Internal Audit Annual Report 2025/26
Report by: BDO
Published: June 2026
Contents
- Executive Summary
- Thematic reporting
- Summary of results
- Quality assurance
- Quality assurance improvement programme
- Annual attestation of independence
- Appendix 1: Definitions
- Appendix 2: Link to Strategic Objectives
1. Executive Summary
Introduction
Role of Internal Audit
Internal auditing strengthens the organisation’s ability to create, protect, and sustain value by providing the Council’s board* and management with independent, risk based, and objective assurance, advice, insight, and foresight.
The primary responsibility of the internal audit service is to provide the Board with assurance on the adequacy and effectiveness of risk management, control and governance arrangements.
Responsibility for these arrangements remains fully with management, who should recognise that internal audit can only provide a reasonable level of assurance and cannot provide any guarantee against material errors, loss or fraud. Internal audit also plays a valuable role in helping management improve risk management control and governance, so reducing the effects of any significant risks faced by the organisation.
The Council’s Board is ultimately responsible for the system of internal control and the management of risk, including reviewing the effectiveness of internal control. Management is responsible for implementing board policies on risk and control, achieved by designing,
operating and monitoring a suitable system of internal control and risk management. All employees have some responsibility for internal control, in that they are all accountable for achieving objectives and should also understand the risk implications of the activities they
perform.
The Global Internal Audit Standards (GIAS) refer to the ‘board’ as ‘the highest-level body charged with governance.’ For Rushcliffe Borough Council, ‘the board’ is the Governance Scrutiny Group (AC) acting on behalf of Full Council.
Planned Coverage
Our internal audit work for Rushcliffe Borough Council (the Council) covered the period 1 April 2025 to 31 March 2026 and was carried out in accordance with the Internal Audit Plan approved by the AC and in line with the recognised Global Internal Audit Standards (GIAS) from the Institute of Internal Auditors and the Internal Audit Standards Advisory Board's Application Note GIAS in the UK Public Sector, which together comprise the 'GIAS in the UK Public Sector'.
The internal audit programme is risk-based and our work is designed to align to key risks over the life cycle of the internal audit plan. The approved internal audit annual plan for 2025/26 comprised the following assignments:
- Main Financial Systems
- Streetwise Management
- Rushcliffe Oaks Crematorium - Operational Management
- Health and safety
- Council Tax and NNDR
- Business Continuity and Emergency Planning
- Procurement
- Asset Investment and Management
Changes to the plan
There were no changes to the internal audit plan during 2025/26.
Audit outcomes
The conclusions from our reports are summarised below.....add link?????????????? Key themes are summarised xxxxx add link
Background to the Annual Opinion
Internal Audit is required to provide an opinion to the Board, through the Audit Committee, on the adequacy and effectiveness of the internal control system to ensure the achievement of the organisation’s objectives in the areas reviewed. The annual report from internal audit provides an overall opinion on the adequacy and effectiveness of the organisation’s risk management, control and governance processes, within the scope of work undertaken by us as outsourced providers of the internal audit service. It also summarises the activities of internal audit for the period.
Opinion
We are satisfied that sufficient internal audit work has been undertaken to allow us to draw a reasonable conclusion as to the adequacy and effectiveness of the Council’s risk management, control and governance processes.
Our opinion is as follow: Good
Overall, The controls in the areas which we examined were found to be suitably designed and operating effectively to achieve the specific risk management, control and governance arrangements. This is consistent with our annual opinion provided in the prior year as there have been no material changes to the Council’s risk management, controls and governance arrangements. This is demonstrated by the Council’s continued efforts to be a high performing local authority.
Significant structural changes to local authorities have been announced by the Ministry for Housing, Communities and Local Government through local government organisation. This is a risk to all local authorities, particularly Rushcliffe Borough Council who will not find out which new authority it will be a part of until July 2026. However, despite this landscape, the Council have continued to design and operate controls effectively across the areas reviewed during the year.
We have not raised any limited assurance opinions during 2025/26 , with five Substantial and three Moderate assurance opinions for the design of controls. There was also six Substantial and two Moderate assurance opinions on the effectiveness of controls.
There has generally been positive engagement by Council staff and members throughout the year, including from senior officers. Management responses have been provided promptly and, on the whole, our recommendations have been accepted, demonstrating a positive culture for improvement.
Basis of opinion
As the provider of internal audit services to the Council, we are required to provide the AC and the Board with an opinion on the adequacy and effectiveness of the risk management, control and governance processes.
In giving our opinion, it should be noted that the assurance can never be absolute. The most that Internal Audit can provide to the Board is reasonable assurance that there are no major weaknesses in the Council’s risk management, control and governance processes.
In assessing the level of assurance to be given, we have taken into account:
- Our assessment of the design and operation of the underpinning risk management framework and supporting processes, including whether risk appetite has been established and embedded within the activities, limits and reporting of the organisation.
- The range of individual opinions arising from risk-based audit assignments that have been reported throughout the year; including the relative materiality of these areas.
- The positive culture from senior officers to accept our recommendations demonstrating a focus on continued improvement where control gaps or weaknesses have been identified.
- Management’s progress in respect of addressing control weaknesses and implementing recommendations.
- Reliance placed upon other assurance providers, such as external auditors and benchmarking data provided by the Local Government Association and the Office For Local Government which show that the Council perform above the average across a range of metrics.
- The continued strength of the design and effectiveness of controls amidst significant structural changes to local authorities from local government reorganisation.
This opinion is based on information provided between 1 April 2025 and 31 March 2026, and the projection of any information or conclusions contained in our opinion to any future periods is subject to the risk that changes may alter its validity.
2. Thematic reporting
Throughout the 2025/26 internal audit plan, we have considered key findings against six core themes. Broadly, these themes were considering the following key questions:
Statutory Compliance
- Do the Council demonstrate compliance with statutory legislation in the areas covered in our audit plan?
- Are adequate actions taken to ensure compliance with new or changes to legislation?
Controls and Assurance
- What first/second line controls are in place, and are these offering adequate comfort? Does the business obtain assurance from other sources?
- Is the overall control framework fit for purpose?
Documentation
- What is the quality of the documentation? Is it user friendly, accessible, and easily understood?
- Where are documents stored? Are policies up to date?
Governance and Culture
- Is there a good culture and governance from the top, contributing to a focus on improving internal controls and maintaining high standards?
Resources
- Where does responsibility sit? Do they have sufficient capacity?
- Are people appropriately skilled and trained? Are there any cultural issues to note?
- Are controls in place to reduce the risk of fraud, or to highlight instances where there may be higher risk of fraud within processes?
There was consistent trends around compliance with core processes and procedures, specifically where there is strict legislative requirements that must be adhered to. These themes presented well across the independent assurance programme for the year. Looking across the work we have completed, the themes where more recommendations have focused include on Documentation and Resources, occasionally where systems have not been fully used to their maximum capability to retain documentation. Resources are a significant challenge across most local authorities, with expectations that these will be perpetuated by the demands of local government reorganisation up to 2028.
Statutory Compliance
- In areas audited where there had been legislative changes, the Council demonstrated a proactive approach for preparing to comply with the changes. In the Rushcliffe Oaks Crematorium – Operational Management review we raised no findings and confirm that for a sample of cremations, the correct forms had been completed and retained on PlotBox as prescribed by the Cremation, Coroners and Notification of Deaths (England and Wales) (Amendment) Regulations 2024 (the Cremation Regulations). Similarly, the Procurement Act 2023 came into force on 24 February 2025 and our review confirmed that adequate action had been taken to prepare for the new requirements. Templates were available and training had been provided to staff to ensure there was sufficient awareness of legislative changes.
- Similarly, in other reviews areas we confirmed compliance and consideration of existing legislation, notably in the Health and Safety audit. Compliance with statutory requirements is considered a core expectation of a local authority.
Controls and Assurance
- First line controls were identified across the organisation in all reviews undertaken, including preventative and detective controls although these could be developed further in places. However, on the whole these were proportionate to the level of risk.
- Management routines are in place to confirm compliance with approved procedures and the accuracy of data; although in some instances the evidencing of controls taking place could be strengthened, such as ensuring documentation of second line reviews.
Documentation
- Relevant systems were used wherever possible to maintain centralised and contemporaneous records such as through storage of documents, particularly in areas where these are required by statutory legislation.
- Relevant policies and procedures were in place for the areas reviewed and these were accessible to relevant personnel as needed. There were some instances where policies had not been through the approval routes but were fit-for-purpose.
Governance and Culture
- Effective governance from committee and performance clinics was consistently demonstrated through our audits, with clear reporting on performance into senior officers and members.
- Electronic software is used to monitor performance indicators monthly to facilitate the operational oversight activities.
Resources
- There were gaps identified in relation to the provision and completion of training on systems or processes. There were also challenges at times around resources leading to backlogs in processes (the renewal of expired leases). There were also gaps identified in resources which led to the absence of a separation of duties for council tax refunds, which could lead to fraud.
- Except for some processes, a separation of duties was consistently followed to mitigate risks of fraud or error. Particularly in finance areas, resource allocation was adequate to enable segregation of duties.
3. Summary of results
Findings by significance
Medium
- 2023/24 - 3
- 2024/25 - 2
- 2025/26 - 4
Low
- 2023/24 - 15
- 2024/25 - 12
- 2025/26 - 14
Assurance Options
Control Design
Substantial
- 2023/24 - 7
- 2024/25 - 6
- 2025/26 - 5
Moderate
- 2023/24 - 2
- 2024/25 - 0
- 2025/26 - 3
Assurance Audits and Findings by year
2023/24
- Assurance audits completed - 9
- Findings raised - 18
- Average per audit - 2
2024/25
- Assurance audits completed - 6
- Findings raised - 14
- Average per audit - 2.3
2025/26
- Assurance audits completed - 8
- Findings raised - 18
- Average per audit - 2.3
Control Effectiveness
Substantial
- 2023/24 - 8
- 2024/25 - 3
- 2025/26 - 6
Moderate
- 2023/24 - 1
- 2024/25 - 3
- 2025/26 - 2
Comparison to prior year
-
The total number of findings raised has increased, however, this is partly because there have been more assurance audits in 25/26 compared to the prior year.
-
There has been an increase in the number of Moderate opinions for the control design but a reduction in the number of Moderate opinions for the effectiveness of controls. There continued to be no Limited assurance opinions given.
-
There have been 18 findings raised during the year which means the number of findings per review remains stable. This is lower than most other authorities that we are the auditors for.
Within the year, we produced nine audit reports, one which was advisory. We set out below our summary of the audits completed, the significance of recommendations raised, our opinions on control design and operational effectiveness, a comparison against the original Internal Audit plan and the link to the relevant strategic risk / objective.
The definitions of recommendation significance and report conclusions are set out in the tables in Appendix 1. The Audit Plan is mapped to the strategic objectives in Appendix 2.
Audit - Fraud Report
Type of review
Advisory
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 0
Overall Report Opinion
This was an Advisory Review where an opin8ion is not provided.
Strategic Risk Register Reference
FCS03 Fraud identification - Inadequate or poorly executed internal controls failing to prevent or detect fraud may lead to financial and/or reputational losses.
Audit - Council Tax and NNDR
Type of review
Assurance
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 2
Overall Report Opinion
- Control design - Substantial
- Operational Effectiveness - Substantial
Strategic Risk Register Reference
FCS05 Reduction in the Business Rates base - loss of major business rates payer reducing the rates collected leading to a potential budget deficit.
Audit - Streetwise Management
Type of review
Assurance
Recommendations and Significance
- High - 0
- Medium - 1
- Low - 2
Overall Report Opinion
- Control design - Moderate
- Operational Effectiveness - Substantial
Strategic Risk Register Reference
FCS11 Increased service demand - increase in population resulting in higher demand for services leading to expected increased cost and increased service pressures.
Audit - Main Financial Systems
Type of review
Assurance
Recommendations and Significance
- High - 0
- Medium - 1
- Low - 2
Overall Report Opinion
- Control design - Moderate
- Operational Effectiveness - Substantial
Strategic Risk Register Reference
FCS11 Increased service demand - increase in population resulting in higher demand for services leading to expected increased cost and increased service pressures.
Audit - Business Continuity and Emergency Planning
Type of review
Assurance
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 2
Overall Report Opinion
- Control design - Substantial
- Operational Effectiveness - Substantial
Strategic Risk Register Reference
FCS32 Business Continuity - Being unable to deliver critical services during a disruption, such as unprecedented demand, failure to negotiate contract continuation, or weather related incident, and / or return to business as usual after a disruption as a result of
inadequate preparation.
Audit - Rushcliffe Oaks - Operational Management
Type of review
Assurance
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 0
Overall Report Opinion
- Control design - Substantial
- Operational Effectiveness - Substantial
Strategic Risk Register Reference
DEG03 Rushcliffe Oaks Crematorium - not meeting the business model targets as a result of lower than forecast numbers of cremations being carried out, impacting on the internal rate of return and therefore longer return on investment.
Audit - Asset Management and Investment
Type of review
Assurance
Recommendations and Significance
- High - 0
- Medium - 0
- Low - 1
Overall Report Opinion
- Control design - Substantial
- Operational Effectiveness - Substantial
Strategic Risk Register Reference
DEG02 Council Assets - failure to manage our land and building assets (including trees) and meet with Landlord Compliance as a result of a lack of resources and / or inadequately trained staff potentially leading to damage to our assets or harm to the public.
Audit - Health and Safety
Type of review
Assurance
Recommendations and Significance
- High - 0
- Medium - 1
- Low - 5
Overall Report Opinion
- Control design - Substantial
- Operational Effectiveness - Moderate
Strategic Risk Register Reference
CED06 Health and Safety - Health and safety risks are not managed adequately across the organisation as a result of insufficient resources and / or priority leading to an increase in accidents and potentially a breach of health and safety legislation.
Audit - Procurement
Type of review
Assurance
Recommendations and Significance
- High - 0
- Medium - 1
- Low - 1
Overall Report Opinion
- Control design - Moderate
- Operational Effectiveness - Moderate
Strategic Risk Register Reference
FCS07 Centralised policy changes - Changes to Government policy that result in an increase in demand on resources leading to a reduction in capacity of the Council to undertake other activities and inability to deliver identified priorities.
4. Quality Assurance
As a firm we are committed to continual improvement. To achieve this, we apply the latest internal quality standards, which are designed to ensure that the work we perform meets the requirements of the regulatory environment within which each of our clients operates. The provision of Internal Audit services rests with a team of dedicated internal audit professionals who form part of a national Risk and Advisory Services (RAS) team.
Qualifications, Training And Development
It is our policy that staff engaged in the provision of a specialist service be qualified in the relevant professional discipline. In Internal Audit, staff are qualified or are studying for the exams by the Chartered Institute of Internal Auditors, or for a professional
accountancy body.
Qualified staff are required to retain commitment to their professional body after their qualification and the firm is committed to continuing professional education and provide staff access to quality training programmes.
Quality assurance processes
We adopt the following processes in order to ensure that the internal audit work we
perform meets our required quality standards:
- Documented standards - the fundamentals of our auditing standards are set out within our audit manual and related documentation. Our audit methodology complies with current best practice, Global Internal Audit Standards and GIAS in the UK public sector.
- Annual plan – A risk-based approach is taken to determine the annual plan.
- Planning - each assignment is planned based upon a thorough understanding of the business area being audited and the risks that are associated with that area. All assignments are supported by briefing documents agreed in advance with the client.
- Quality assurance - the work conducted to meet the requirements of each assignment brief is subject to a full client debrief and to manager review within the audit team before a final draft report is issued. All finalised reports are approved and signed off by a licence holder (Partner or Director).
- Cold reviews - we also adopt a cold review process where samples of the work performed by the internal audit team are reviewed to ensure that they meet our own internal standards. These reviews are conducted by professionals outside of the team which conducted the work. The work of cold review is subject to our National Quality Review processes, aimed at ensuring consistency of standards adopted within the firm.
Continuous Improvement
The results of the various review processes that are outlined opposite are used to inform the development needs of staff through our appraisal process and by the development of relevant training courses for the staff involved in internal audit work. The appraisal process adds to the structured training that each member of our RAS team receives on a firm wide basis. At the moment each of our team members is required to attend at least two RAS training days annually with additional training being provided in response to changes in the environment in which we operate.
Compliance with the Global Internal Audit Standards (GIAS)
Based on the results of our internal assessments, we can confirm that our Internal Audit services are aligned and have been delivered in accordance with the Global Internal Audit Standards and GIAS in the UK public sector during the year. It should be noted that as the
GIAS became effective on 9 January 2025 and GIAS in the UK public sector on 1 April 2025), there has been a transition period during the year.
We confirm there have been no deviations from the GIAS during the year.
External Quality Assessment
The Global Internal Audit Standards of the Institute of Internal Auditors (IIA) requires every internal audit function that aims to comply with its standards to be reviewed, externally, every five years. At BDO we recognise the importance of independent quality assurance and so submit our RAS team to an External Quality Assurance (EQA) review every five years, most recently in April 2021. We engaged the Chartered Institute of Internal Auditors (CIIA) to carry out the EQA and, in summary, their conclusion was that BDO generally conforms to the International Professional Practices Framework (IPPF). This is the highest of the three gradings awarded by the CIIA.
RAS is committed to continuous improvement and has agreed a Quality Assurance Improvement Programme with the CIIA to respond to the recommendations and suggestions raised through the EQA exercise. A copy of the EQA report is available to our clients in order they may obtain comfort regarding our working practices.
Our next EQA is due in late 2026
5. Quality assurance improvement programme
An update on our specific improvement actions as part of our Quality Assurance Improvement Programme is below.
| Initiative | Benefit | Due date | Status |
|---|---|---|---|
| Ensure our annual plan was wide coverage of the four strategic priorities, providing assurances over the delivery of strategies and objectives across the whole Council, including front-line services impacting residents |
Align our audit plan to the Council’s strategic risks, ensuring that areas we cover link back to strategic objectives | Ongoing throughout delivery of our 2025/26 Internal Audit plan which has been mapped to your four corporate priorities and risks |
Complete |
| Apply a blend of audit and advisory techniques using our various toolkits to assess the Council’s ‘soft controls’ such as EDI, Environment, Governance/Culture, Sustainability, etc. This will provide roadmaps to applying best practice controls to achieve objectives |
Allows management to gain insights into emerging risks with advisory support rather than traditional third line assurance |
Ongoing throughout delivery of our 2026/27 Internal Audit plan and over our three-year plan to FY29. We have scheduled ‘soft control’ reviews in our three-year audit plan, including for local government reorganisation in each year, to provide the Council with advisory support as it transitions into a new authority. We will share best practice approaches from across our local government clients who are also impacted by local government reorganisation | Ongoing |
|
Use SMEs and specialist skills and knowledge for highly technical areas of testing Ensure 60% of qualified resources are used in the delivery of the audit plan Ensure team members hold or are working towards professional and relevant qualifications Team members will comply with the firm’s and professional bodies policies on CPD requirements |
Allow the Council continue to benefit from expertise across our firm on specific, technical audit engagements. Furthermore, use of qualified staff and ensuring our staff maintain relevant CPD ensures that emerging issues and risks are addressed in our audit work to maximise the value to the Council | Through the delivery of individual audit engagements during 2026/27 and throughout the full plan for the year | On track |
| Commission independent EQA every five years | Allows for independent assurance that our work conforms with the GIAS. | Late-2026 | Not yet due |
6. Annual attestation of independence
Independence
The Internal Audit function is independent and objective and we undertake our work with an impartial, unbiased attitude, avoid conflicts of interest and perform engagements in such a manner that there are no quality compromises.
During the year we have not acted in any management capacity, taken on any responsibility for the operations of your organisation or provided any services that would compromise our independence.
In the year BDO has not been engaged by management to carry out additional services outside of Internal Audit contract.
If the independence or objectivity of the Internal Audit service is ever impaired, details of the impairment will be disclosed to either the CEO / their delegate, or the Chair of the Governance Scrutiny Group, dependent upon the nature of the impairment.
Relationship with external audit
All of our final reports are available to the external auditors through the Governance Scrutiny Group papers and are available on request.
Appendix 1: Definitions
Annual Opinion Definitions
Good (Green) - Fully meets expectations
The controls in the areas which we examined were found to be suitably designed and operating effectively to achieve the specific risk management, control and governance arrangements.
Moderate (Blue) - Generally satisfactory with improvements required in some areas
The controls in the areas which we examined were found to be suitably designed and operating effectively to achieve the specific risk management, control and governance arrangements. However, there are some areas where weaknesses and/or non-compliance were identified and therefore may put the achievement of objectives at risk. Where weaknesses have been identified, improvements are required to enhance the design and/or effectiveness of risk management, control and governance arrangements.
Improvements required (Amber) - Improvements required
Significant weaknesses were identified in both the design and/or operational effectiveness of the controls in all/the majority of the areas which we examined and weaken the risk management, governance and controls. Significant improvements are required to enhance the design and / or effectiveness of risk management, control and governance arrangements.
Unsatisfactory (Red) - Does not meet expectations
The framework of governance, risk management and control arrangements is poor. Immediate action is required to improve the design and / or operational effectiveness of the governance, risk management and controls.
Audit Report Definitions
An update on our specific improvement actions as part of our Quality Assurance Improvement Programme is below.
| Level of assurance | Design of internal control framework - Findings from review | Design of internal control framework - Design opinion | Operational effectiveness of controls - Findings from review | Operational effectiveness of controls - effectiveness opinion |
|---|---|---|---|---|
| Substantial | Appropriate procedures and controls in place to mitigate the key risks. | There is a sound system of internal control designed to achieve system objectives. | No, or only minor, exceptions found in testing of the procedures and controls. | The controls that are in place are being consistently applied. |
| Moderate | In the main there are appropriate procedures and controls in place to mitigate the key risks reviewed albeit with some that are not fully effective. | Generally a sound system of internal control designed to achieve system objectives with some exceptions. | A small number of exceptions found in testing of the procedures and controls. | Evidence of non compliance with some controls, that may put some of the system objectives at risk. |
| Limited | A number of significant gaps identified in the procedures and controls in key areas. Where practical, efforts should be made to address in-year. | System of internal controls is weakened with system objectives at risk of not being achieved. | A number of reoccurring exceptions found in testing of the procedures and controls. Where practical, efforts should be made to address in-year. | Non-compliance with key procedures and controls places the system objectives at risk. |
| No | For all risk areas there are significant gaps in the procedures and controls. Failure to address in-year affects the quality of the organisation’s overall internal control framework. | Poor system of internal control. | Due to absence of effective controls and procedures, no reliance can be placed on their operation. Failure to address in-year affects the quality of the organisation’s overall internal control framework. |
Non compliance and / or compliance with inadequate controls. |
Recommendation Significance
High (Red)
A weakness where there is substantial risk of loss, fraud, impropriety, poor value for money, or failure to achieve organisational objectives. Such risk could lead to an adverse impact on the business. Remedial action must be taken urgently.
Medium (Amber)
A weakness in control which, although not fundamental, relates to shortcomings which expose individual business systems to a less immediate level of threatening risk or poor value for money. Such a risk could impact on operational objectives and should be of concern to senior management and requires prompt specific action.
Low (Green)
Areas that individually have no significant impact, but where management would benefit from improved controls and/or have the opportunity to achieve greater effectiveness and / or efficiency.
Appendix 2
We have mapped the Internal Audit Plan to the organisation's strategic objectives to show coverage across the year.
| Audit | Type of review | Link to Environment | Link to Quality of Life | Link to Sustainable Growth | Link to Efficient Services |
|---|---|---|---|---|---|
| Fraud Report | Advisory | No | No | No | Yes |
| Council Tax and NNDR | Assurance | No | No | No | Yes |
| Streetwise Management | Assurance | Yes | Yes | No | No |
| Main Financial Systems | Assurance | No | No | No | Yes |
| Business Community and Emerging Planning | Assurance | No | No | No | Yes |
| Rushcliffe Oaks Crematorium - | Assurance | No | Yes | No | Yes |
| Assert Management and Investment | Assurance | No | Yes | Yes | No |
| Health and Safety | Assurance | No | No | No | Yes |
| Procurement | Assurance | Yes | No | No | Yes |