Agenda item

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk incorporating the Internal Audit Strategy and Plan for 2025/26 was presented for the committee’s consideration.

The Head of Audit and Risk reported that the Global Internal Audit Standards in the UK Public Sector (GIAS) require the Chief Audit Executive to establish a risk based strategy for determining the priorities of internal audit activity consistent with the Council’s objectives.

In line with the GIAS, Internal Audit has articulated its vision as outlined in paragraph 20 of the report which is directly aligned with the goals set out in the Council Plan. From this vision, the mission of Internal Audit is derived (paragraphs 21 to 24) supported by the three strategic objectives set out in section 25. She confirmed that strategic plan priorities for 2025/26 will continue to address the strategic risks, with a focus on inherent red and amber risks as referenced in Appendix B to the report. IT audit work will also continue, delivered through external commissioning with Salford Council’s IT auditors.

The Head of Audit and Risk highlighted Internal Audit’s performance measures for 2025/26, set out in the table on page 9 of the report. A total of 549 days are available to deliver the planned programme of work, including investigations and the provision of the annual audit assurance opinion.

The Head of Audit and Risk confirmed that in her opinion, there are no inappropriate scope or resources limitations that would affect delivery.

The following matters were discussed by the committee in considering the report –

·      The committee noted that one initiative under Strategic Objective 2 involves improving auditors’ digital literacy to ensure comfortable use of technology including Artificial Intelligence (AI), to improve risk assessment processes, enhance audit quality and improve reporting efficiencies. It was further noted that Internal Audit plans to monitor the implementation of AI as part of its 2025/26 IT audit work. The committee raised questions about a potential conflict of interest as Internal Audit could be examining AI practices before the Council has issued policy guidance on its use.

The Head of Audit and Risk clarified that the initiative applies to Internal Audit’s use of AI as a function to enhance its own operations, specifically using the opportunities that AI offers for research, scoping exercises and compiling working papers. AI is already being widely used in auditing to drive administrative efficiencies, and the Internal Audit team intends to explore its use further, in line with the Council’s policy once it is established.

In a follow-up question, the committee raised concerns about the accuracy and potential biases in AI generated information. Given the absence of formal guidance there were also questions around the ability of staff across the organisation to critically assess this information. The committee asked who is responsible for determining what constitutes acceptable use.

The Director of Function (Resources)/Section 151 Officer advised that when officers use AI to expand their knowledge and inform their judgement, the resulting conclusions remain their own. The key issue arises when unverified AI generated information is made public or is presented as the Council’s official position. Officers using AI have a responsibility to verify AI generated content, ensuring that it is consistent with their professional expertise and judgement. This is the issue which the draft policy guidance currently being reviewed by the Leadership Team is seeking to address, to define when AI can be used to support officers in broadening their knowledge and forming conclusions and when it is appropriate to use AI generated information such as meeting summaries which then become part of the public record.

·      The committee queried whether the external review of procurement was replacing any aspects of the Internal Audit’s work in this area.

The Head of Audit and Risk clarified that the Council’s procurement arrangements are currently undergoing a two year improvement programme led by STAR Procurement (a shared procurement service for local authorities in the north-west of England). The interim Procurement Manager is overseeing the implementation of the improvement action plan working with STAR to address the identified actions. Given this ongoing work, Internal Audit has decided to defer its own review until the improvement programme is completed. The Head of Audit and Risk also confirmed that the programme includes IT supplier management which after a recent follow up continues to hold a limited assurance rating.

The Head of Audit and Risk also responded to questions about the initiative to pilot continuous monitoring in at least one new risk area utilising data analytics, by clarifying that the risk areas pertain to payroll and creditors. She further explained that the review of the Council’s performance management arrangements referred to in paragraph 56 of the report relates to the Audit Wales November 2023 report  - The use of performance information: Service User Perspective and Outcomes which found limited performance information was provided to senior leaders to enable them to understand the service user perspective. She said she would forward a copy of the report to the member raising the questions.

The Governance and Audit Committee resolved –

·      To approve the risk based Internal Audit Strategy and Plan 2025/26 confirming that it is content that it provides the Council with the assurance it needs.

·      To confirm that the committee is content with Internal Audit’s resource requirements and the use of other sources of assurance.

·      To confirm that the committee is content that there are no inappropriate scope or resource limitations.