Agenda item

To present the report of the Head of Audit and Risk.

The report of the Head of Audit and Risk providing an update as at 21 November, 2025 on the audits completed since the previous update as at 30 September 2025 was presented for the committee’s consideration. The report also set out the current workload of Internal Audit and its priorities for the short to medium term going forward. Members of the committee were provided under separate cover with copies of the assurance reports finalised in the period in relation to Performance Management (Reasonable Assurance) and Secondary Schools ICT Security (Limited Assurance).

The Head of Audit and Risk presented the report and summarised the two assurance reviews completed in the period, highlighting the issues identified. In relation to the Limited Assurance review, she reported that the Council has launched several initiatives and established a project team to address the risks raised. An action plan has been agreed with management and schools. All actions are scheduled for completion by July 2026 with Internal Audit to conduct a follow-up review in April 2026 and report progress to the committee’s July 2026 meeting. Due to the nature of the concerns raised by the audit, the limited assurance report will need to be discussed in private session, subject to the appropriate public interest test. The committee agreed that the Secondary Schools ICT Security (Limited Assurance) report and action plan be considered in detail at the July 2026 meeting following Internal Audit’s progress review and requested that the Council’s Chief Digital Officer attend.

The Director of Education, Skills and Young People confirmed that work to implement the audit recommendations is ongoing in partnership between the Learning Service, the ICT service and secondary schools, with several actions already completed. A fuller update will be provided to the committee’s July 2026 meeting as agreed.

In the subsequent discussion the committee raised the following matters  –

·      Members questioned whether the Council’s performance management framework could be considered effective and proactive given the audit findings, particularly the limited assurance in relation to data quality at both service and corporate levels, posing risks to the accuracy of reported outcomes.

The Head of Audit and Risk reaffirmed that internal audit views the framework as effective overall and well embedded across the organisation with the main issue being the inconsistency of performance management across services.

The Strategic Performance and Projects Manager added that the audit supports this view stating that the Performance Management team works closely with services on business planning and monitoring. The Corporate Scorecard has been reviewed for 2025/26 to better align with the Council’s strategic objectives and is monitored regularly. Accepting that improvements can be made in data management and analysis, he considered the  core processes to be thorough and sound.

·      Members also asked whether the number of major and moderate issues identified in the Performance Management and Secondary Schools ICT Security audits should be a cause for concern, and whether any of the schools ICT security issues might be critical.

The Head of Audit and Risk explained that one critical issue had initially been identified in the secondary schools ICT review but was de-escalated to major following remedial work. She explained that each audit is assessed independently and that the number of issues raised does not determine the assurance level. She confirmed that given the small number of limited assurance reports issued overall, she had no broader concerns. Where limited assurance reports are issued, internal audit gives them high prominence and ensures they are formally followed up in accordance with internal audit’s protocol.

It was resolved to note the outcome of Internal Audit’s engagements, the assurance provided and its priorities going forward.