RAPC 592-26 – Internal Audit Annual Conclusion 2025/26 – Annex 1
Summary
Document Viewer
Agenda Item No.
Appendix
NFNPN
NFNPA RAPC 592/26
Annex 1
Prepared by: Antony Harvey, Deputy Head of Partnership
May 2026
NEW FOREST NATIONAL PARK AUTHORITY
Annual Internal Audit Conclusion 2025-2026
Annual Internal Audit Conclusion 2025-26
1. Internal Audit Standards
The Global Internal Audit Standards, issued by the Institute of Internal Auditors and effective in the UK Public Sector from April 2025, guide the worldwide professional practice of internal auditing and serve as a basis for evaluating and elevating the quality of the internal audit function. While the Global Internal Audit Standards apply to all internal audit functions, it is acknowledged that internal auditors in the public sector work in a political environment under governance, organisational and funding structures that differ from those of the private sector.
Consequently, internal audit practitioners working in, or for, the UK public sector are required to apply the Global Internal Audit Standards subject to the interpretations and requirements of the Application Note: Global Internal Audit Standards in the UK public sector, issued by Relevant Internal Audit Standard Setters.
In addition, relevant public sector bodies are also required to apply the Chartered Institute of Public Finance & Accountancy (CIPFA) Code of Practice for the Governance of Internal Audit in UK Local Government which provides a conduit for meeting the essential conditions for governance set out in the Global Internal Audit Standards, tailored for UK local government. The collective requirements shall be referred to as the Global Internal Audit Standards in the UK Public Sector.
2. Internal Audit Mandate
The mandate for internal audit in local government is specified within the Accounts and Audit [England] Regulations 2015, which states:
‘5. (1) A relevant authority must undertake an effective internal audit to evaluate the effectiveness of its risk management, control and governance processes, taking into account public sector internal auditing standards or guidance.
(2) Any officer or member of a relevant authority must, if required to do so for the purposes of the internal audit—
(a) make available such documents and records; and
(b) supply such information and explanations
as are considered necessary by those conducting the internal audit.’
The role of internal audit is best summarised through its definition within the Standards as:
‘An independent, objective assurance and advisory service designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.’
The Authority is responsible for establishing and maintaining appropriate risk management processes, control systems, accounting records and governance arrangements. Internal audit plays a vital role in advising the Authority that these arrangements are in place and operating effectively.
The Authority’s response to internal audit activity should lead to the strengthening of the control environment and, therefore, contribute to the achievement of the organisations’ objectives.
3. Internal Audit Approach
To enable effective outcomes, internal audit provides a combination of assurance and advisory activities. Assurance work involves objective assessment of how well systems and processes are designed and working, with advisory activities available to help to improve those systems and processes where necessary whilst not assuming any management responsibilities.
As the Chief Internal Auditor, I review the approach to each audit, considering the following key points:
- Level of assurance required.
- Significance of the objectives under review to the organisations’ success.
- Risks inherent in the achievement of objectives.
- Level of confidence required that controls are well designed and operating as intended.
All formal internal audit assignments will result in a published report. The primary purpose of the audit report is to provide an independent and objective opinion to the Authority on the framework of internal control, risk management and governance in operation and to stimulate improvement.
A full range of internal audit services is available in forming the annual audit conclusion:
The Southern Internal Audit Partnership maintain an agile approach to audit, seeking to maximise efficiencies and effectiveness in balancing the time and resource commitments of our partners, with the necessity to provide comprehensive, compliant and value adding assurance.
We have sought to optimise the use of virtual technologies to communicate with key contacts and in completion of our fieldwork, however, the need for site visits to complete elements of testing continues to be assessed and agreed on a case-by-case basis.
4. Internal Audit Coverage
The annual internal audit plan is prepared taking account of the characteristics and relative risks and objectives of the Authority and to support the preparation of the Annual Governance Statement. Work has been planned and performed to establish if sufficient evidence is available to provide reasonable assurance that the framework of governance, risk management and internal control is operating effectively.
The 2025-26 internal audit plan was considered by the Resources, Audit and Performance Committee in March 2025. It was informed by internal audit’s own assessment of risk and materiality in addition to consultation with management to ensure it aligned to organisational objectives / priorities and the key risks facing the organisation.
The plan has remained fluid throughout the year to maintain an effective focus and ensure that it continues to provide assurance, as required, over new or emerging challenges and risks that management need to consider, manage, and mitigate.
Internal audit reviews culminate in an opinion on the assurance that can be placed on the effectiveness of the framework of governance, risk management, and control designed to support the risks to the achievement of management objectives of the service area under review. The assurance opinions are categorised as follows:
5. Resources
The Southern Internal Audit Partnership has a strategy in place to optimise internal audit resource. Ongoing sufficiency of resources (financial, human and technological) are transparently communicated by the chief internal auditor to senior management and the Resources, Audit and Performance Committee through regular reporting as part of the approval of the internal audit plan and further throughout the year as part of the progress reports and ultimately within the annual conclusion.
Any resource implications that put the fulfilment of the internal audit plan and internal audit mandate at risk are reported accordingly through the afore mentioned reports.
There have been no resource implications that have adversely affected the fulfilment of the internal audit mandate or delivery of the Authority’s internal audit plan impacting my ability to provide a conclusion on the organisation’s framework of governance, risk, and internal control.
6. Independence
As your chief internal auditor, I retain no roles or responsibilities that have the potential to impair my independence, either in fact or appearance. Internal auditors engaged in the delivery of the 2025-26 internal audit plan have had no direct operational responsibility or authority over any of the activities reviewed.
I can confirm there has been no interference encountered by the Southern Internal Audit Partnership related to the scope, performance, or communication of internal audit work during the year in the delivery of the internal audit plan or the fulfilment of the internal audit mandate.
7. Impairments
There have been no impairments to internal audit activity during the year. As chief internal auditor I have ensured that the internal audit function has remained free from all conditions that threaten the ability of internal auditors to carry out their responsibilities in an unbiased manner, including matters of engagement selection, scope, procedures, frequency, timing, and communication.
The internal audit team have maintained an unbiased mental attitude allowing them to perform engagements objectively and enabling them to believe in their work product, with no compromise to quality, and no subordination to their judgment on audit matters, either in fact or appearance.
8. Limitations of Scope
There have been no limitations to the scope of internal audit work during the course of the year.
9. Internal Audit Conclusion
As chief internal auditor, I am responsible for the delivery of an audit conclusion that can be used by the Authority to inform their Annual Governance Statement. The annual audit conclusion culminates in an overall opinion on the adequacy and effectiveness of the organisations’ framework of governance, risk management and control.
In giving this opinion, assurance can never be absolute and therefore, only reasonable assurance can be provided that there are no major weaknesses in the processes reviewed. In assessing the level of assurance to be given, I have based my opinion on:
- written reports on all internal audit work completed during the course of the year (assurance & advisory).
- results of any follow up exercises undertaken in respect of previous years’ internal audit work.
- the results of work of other review bodies where appropriate.
- the extent of resources available to deliver the internal audit work.
- the quality and performance of the internal audit service and the extent of compliance with the Standards
- the proportion of the Authority’s audit need that has been covered within the period.
We enjoy an open and honest working relationship with the Authority. Our planning discussions and risk-based approach to internal audit ensure that the internal audit plan includes areas of significance raised by the Resources, Audit and Performance Committee and senior management to ensure that ongoing organisational improvements can be achieved. I feel that the maturity of this relationship and the Authority’s effective use of internal audit has assisted in identifying and putting in place action to mitigate weaknesses impacting on organisational governance, risk, and control over the 2025-26 financial year.
Annual Internal Audit Conclusion 2025-26
I am satisfied that sufficient assurance and advisory work has been carried out to allow me to form a conclusion on the adequacy and effectiveness of the internal control environment. In my opinion the framework of governance, risk management and control are ‘reasonable’, and audit testing has demonstrated controls to be working in practice.
Where weaknesses have been identified through internal audit review, we have worked with management to agree appropriate corrective actions and a timescale for improvement.
10. Governance, Risk Management & Control – Overview, Key Observations & Themes
Assurance opinions for 2025-26
We are pleased to report that no audits concluded with either a ‘Limited’ or ‘No’ Assurance opinion therefore there are no significant issues to report. Findings from our reviews have been reported to senior management and the Resources, Audit and Performance Committee throughout the year and a summary of the assurance opinions is outlined below.
Corporate Governance Framework - Substantial Assurance
General Ledger, Bank Reconciliations & User Access - Substantial Assurance
Procurement/Contract Management - Reasonable Assurance.
Governance
Governance arrangements are considered during the planning and scoping of each review and in most cases, the scope of our work includes overview of:
- the governance structure in place, including respective roles, responsibilities, and reporting arrangements.
- relevant policies and procedures to ensure that they are in line with requirements, regularly reviewed, approved, and appropriately publicised and accessible to officers and staff.
In addition, during 2025-26 we undertook an assessment of the Authority’s Corporate Governance Framework against the CIPFA Delivering Good Governance in Local Government principles. The review focused on key governance documents and processes, including the Local Code of Governance, Annual Governance Statement, Scheme of Delegation, Standing Orders, and Member Declarations, to confirm they are current, approved, and accessible. The audit concluded in a substantial assurance opinion.
Based on the work completed during the year, in our opinion the governance frameworks in place across the Authority are robust, fit for purpose and subject to regular review. There is also appropriate reporting to the Resources, Audit and Performance Committee to provide the opportunity for independent consideration and challenge including review of the Annual Governance Statement.
Risk management
The risk register is a key document that is considered during the development of our risk based internal audit plan. Additionally, information from the risk register is taken into account when scoping each review in detail to ensure that our work is appropriately aligned.
Control
In general, internal audit work found there to be a sound control environment in place across the majority of review areas included in the 2025-26 plan that were working effectively to support the delivery of corporate objectives. We generally found officers and staff to be aware of the importance of effective control frameworks, and open to our suggestion for improvements or enhancements where needed.
Other Sources of Assurance
Internal audit remained cognisant of other sources of assurance from which the Authority benefit. Due to legal and regularity nature of some public sector assurance providers internal audit do not have engagement with or insight into the scope and timing of their work. Where appropriate internal audit does coordinate with and place reliance on the outcomes of other assurance providers to minimise duplication and highlight potential gaps in assurance needs.
Additionally, as chief internal auditor I liaise with the external auditors on matters of mutual interest and to seek opportunities for cooperation in the conduct of audit work.
During the year there have been no external sources of assurance that have been relied upon when forming my conclusion for 2025-26.
Management actions
Where our work identified risks that we considered fell outside the parameters acceptable to the Authority, we agreed appropriate corrective actions and a timescale for improvement with the responsible managers. Progress is periodically reported during the year to the Resources, Audit and Performance Committee through our quarterly internal audit progress reports.
Acceptance of Risk
From the work carried out by the Southern Internal Audit Partnership during the year, I am not aware of any instances where management have accepted a level of risk that we feel exceeds the organisations risk appetite or risk tolerance.
11. Themes
The findings and conclusions of multiple engagements, when viewed holistically, can reveal patterns or trends, such as root causes. Analysis of root cause through assurance work undertaken across the organisation’s framework of governance, risk management and control processes during the year has highlighted common themes where either standards & policies or operational processes & procedures* could benefit from further formalisation in order to strengthen consistency, provide greater resilience if key officers are absent, or provide clearer visibility over on-going activity to ensure requirements are met.
*Definitions to support root cause categorisations are detailed in Annexe 2.
12. Anti-Fraud and anti-corruption
In accordance with the internal audit charter and the audit plan, auditors will plan and evaluate their work so as to have a reasonable expectation of detecting fraud and identifying any significant weaknesses in internal controls.
Whilst not responsible for the detection of fraud within the Authority, Southern Internal Audit Partnerships work during 2025/26 has not identified, and we have not been made aware of, any significant control deficiencies that may pose a significant fraud risk.
13. Quality Assurance and Improvement
From 1 April 2025, the ‘standards or guidance’ in relation to internal audit are those laid down in the Global Internal Audit Standards, Application Note: Global Internal Audit Standards in the UK Public Sector and the Code of Practice for the Governance of Internal Audit in UK Local Government. The collective requirements shall be referred to as the Global Internal Audit Standards in the UK Public Sector.
Standard 8.4 [External Quality Assessment] requires internal audit providers to undergo an external quality assessment every five years. In September 2025 JC Training Ltd were commissioned to complete an external quality assessment of the Southern Internal Audit Partnership against the Global Internal Audit Standards in the UK Public Sector.
In considering all sources of evidence the external assessor concluded:
‘SIAP has achieved an excellent result of ‘generally achieves’ in this EQA in relation to the GIAS and Application Note. The IIA use the term ‘general achievement’ or ‘general conformance’ to indicate that “internal audit activities were performed in general conformance with the Global Standards.”
I include a summary of SIAP’s conformance to the GIAS, below. Overall, I believe that the team has achieved an excellent performance given its size, together with the breadth and depth of the benchmark established by the new GIAS.
I am delighted to confirm that SIAP fully achieves 46 of the 52 Standards and generally achieves the remaining six Standards. There are no partial conformances, or areas where the team do not conform with any Standards.
I have undertaken ten reviews of diverse internal audit functions using the (new) GIAS to date and this result puts SIAP firmly within the top quartile and represents the highest level of achievement and conformance with the new GIAS that I have seen to date.’
14. Disclosure of Non-Conformance
There are no disclosures of Non-Conformance to report. In accordance with Global Internal Audit Standards in the UK Public Sector, I can confirm through endorsement from the independent external quality assessment that:
‘The Southern Internal Audit Partnership ‘generally conforms’ to the Global Internal Audit Standards in the UK Public Sector and its work is performed in accordance with the International Professional Practices Framework (endorsed by the IIA).’
15. Quality Control
Our aim is to provide a service that remains responsive to the needs of the Authority and maintains consistently high standards. In complementing the QAIP this was achieved in 2025-26 through the following internal processes:
- On-going liaison with management to ascertain risk management, control and governance arrangements, key to corporate success
- On-going constructive working relationships with other assurance providers to maintain a cooperative assurance approach.
- A tailored audit approach using a defined methodology and assignment control documentation.
- Review and quality control of all internal audit work by professional qualified senior staff members.
- An external quality assessment against the industry Standards.
- Maintenance of Key Performance Indicators and ongoing overview of Internal Audit Strategy and Partnership objectives / actions (Annexe 1)
16. Acknowledgement
I would like to take this opportunity to thank all those staff throughout the Authority with whom we have made contact in the year. Our relationship has been positive, and management were responsive to the comments we made both informally and through our formal reporting.
Antony Harvey
Deputy Head of Southern Internal Audit Partnership
Annexe 1
Performance Measurement
Key Performance Indicators
| Performance Measure | Regularity | Target | Actual 25/26 | Status | Direction of Travel |
|---|---|---|---|---|---|
| 1. Percentage of the agreed audit plan completed (issue of draft / final report) | Ongoing | 90% | 100% | ✓ | n/a |
2. Audits delivered within agreed timescales (% year to date)
|
Ongoing Ongoing |
80% 80% |
67% 33% |
X X |
n/a n/a |
| 3. Conformance with the Global Internal Audit Standards in the UK Public Sector | Annual | Generally conforms | Generally conforms | ✓ | n/a |
| 4. Audits conducted optimising the effective use of data analytics (% year to date) | Ongoing | 60% | 67% | ✓ | n/a |
5. Stakeholder satisfaction (annual survey)
|
Annual Annual Annual |
90% 90% 90% |
100% 100% n/a |
✓ ✓ n/a |
n/a n/a n/a |
6. Internal audit effectively communicates with key stakeholders
|
Annual Annual Annual |
90% 90% 90% |
100% 100% n/a |
✓ ✓ n/a |
n/a n/a n/a |
7. Sufficiency of input to and discussion of the internal audit plan
|
Annual Annual |
90% 90% |
100% 100% |
✓ ✓ |
n/a n/a |
8. Appropriate focus on key risks
|
Annual Annual Annual |
90% 90% 90% |
100% 100% n/a |
✓ ✓ n/a |
n/a n/a n/a |
Internal Audit Strategy 2025/28
| Action | Target Date | Update | Status |
|---|---|---|---|
| Innovate to explore a more agile approach to the audit process, building efficiencies and producing more timely feedback to the organisation. | |||
| Confirm expectations of Partners regarding desired reporting timelines and methodology. | Dec 2025 | The Terms of Reference for each audit review provides a timeline of audit activity from initial scoping through the final report. This is signed and agreed by both SIAP and the client prior to commencement. Our KPIs provide outcomes of delivery against agreed targets. | Complete |
| Complete a detailed analysis of bottle necks in SIAP and external to the internal audit function. | April 2026 | Data has been compiled throughout the year. Analysis will commence following completion of the 2025/26 internal audit plans | Ongoing |
| Benchmark with peer audit services and explore opportunities to make the process ‘leaner’ through auditor working group. | Dec 2026 | Agenda item to be taken to ‘Audit Together’ and Local Authority Chief Auditor Network’ which are two national forums representing over 150 local authorities to explore good practice. | Ongoing |
| Optimise the use of technology (including audit management software) to deliver efficiencies. | Dec 2027 | Currently exploring opportunities to utilise Power BI and AI technologies | Ongoing |
| Embrace and prioritise conformance and embedding of the Global Internal Audit Standards in UK Local Government and maximising their potential to benefit the organisation and the internal audit function. | |||
| Stakeholder, staff training & awareness and alignment of policies, procedures, practice and software to the GIAS in UK PS. | July 2025 | A programme of training and staff awaydays have provided a robust overview of the GIAS in the UK PS to the SIAP team. This has been complemented through an updated suite of practice and procedure notes to fully reflect the expectations of the new Standards | Complete |
| Undertake a self-assessment of compliance with the GIAS in the UK PS | July 2025 | A self-assessment against the GIAS in the UK Public Sector was completed in July 2025 and presented to the external assessor to help inform the External Quality Assessment. | Complete |
| Commission an early External Quality Assessment to assess compliance with the GIAS in UK PS. | Dec 2025 | The External Quality Assessment was commission in July 2025 and delivered during September – December 2025. An outcome report was presented in December 2025 confirming ‘general conformance’ with the GIAS in the UK PS | Complete |
| Explore supplemental elements of the GIAS in UK PS Standards to fully assess value add. | Apr 2026 | An action plan has been developed to explore suggested opportunities for improvement highlighted within the External Quality Assessment [December 2025] | Complete |
| Action | Target Date | Update | Status |
|---|---|---|---|
| Further engage with the organisation to enhance and optimise the full potential of data analytics in the internal audit process | |||
| Implement a programme of training and awareness. Additional support through Data Analytic Champions | July 2025 | Training and guidance have been delivered and remains in place for all SIAP staff. Data Analytic Champions are in place as a centre of expertise to support SIAP staff in the potential and use of data analytics. | Complete |
| Acquire software to support the effective use of data analytics. | Sep 2025 | Knime has been acquired, implemented and utilise as our primary data analytic software. A further business case is being prepared to assess the addition of Idea to SIAPs suite of software solutions. | Complete |
| Refresh the existing data analytics strategy and promote a culture of data by default. | Apr 2026 | Regular and ongoing training and awareness is provided to SIAP staff to embed the culture and concept of data by default. Additionally, a KPI has been developed to measure demonstrable application within the internal audit process. A review of the strategy will be undertaken during 2026. | Ongoing |
| Be assessed as ‘data analytics enabled’. | Apr 2028 | Our Data Analytics Strategy provides the framework to position the Partnership as data analytics enabled. | Ongoing |
EQA / QAIP Action Plan
| Standard | Detail | Target Date | Update | Status |
|---|---|---|---|---|
| Compliance with the Global Internal Audit Standards in the UK Public Sector; Application Note; and Code Governance | ||||
| N/A | N/A | N/A | N/A | N/A |
| Suggested areas of improvement | ||||
| 1.1 & 1.2 | SIAP fully achieves Standard 1.1 Honesty and Professional Courage and Standard 1.2 Organisations Ethical Expectations. Going forward within the planned training on these areas and Domain II in general, detailed in the Learning and Development Plan 2024-2026, the Head of Partnership could usefully consider including practical ethical dilemmas, ethics scenarios or case studies, common challenges and how to deal with them, in future learning coverage | March 2026 | The next scheduled ethics training session for the Partnership is in May 2026. The training pack is currently being updated to include practical ethical dilemmas, ethics scenarios and case studies, common challenges and how to deal with them. | Ongoing |
| 3.1 | SIAP fully achieves Standard 3.1, Competency. SIAP leadership and their stakeholders recognise that additional emphasis on advisory, rather than assurance engagements, will be needed over the medium term as Local Government Reorganisation and Devolution proceeds. Additional advisory skills and learning may be necessary to add value, insight and foresight across SIAP. Staying up to date with IT and cyber security changes and associated developments are a real challenge for any internal audit function. This is normal for any internal audit function. | July 2026 | To arrange training and support to develop advisory skills to compliment future client needs (particularly in light of LGR & Devolution). All IT staff are appropriately required and must maintain comprehensive CPDs to maintain their professional accreditation. Additional training / qualification has been provided in respect of AI in recognition of its emerging prominence. | Ongoing / Complete |
| Standard | Detail | Target Date | Update | Status |
|---|---|---|---|---|
| 6.3 & 8.1 | SIAP generally achieves Standard 6.3, Board and Senior Management Support, and 8.1, Board Interaction. The Head of Partnership and SIAP have undertaken everything I would expect of them under these Standards, the related Application Note and CIPFA Code. Where SIAP do not have a direct influence, I am satisfied that the team have engaged with each partner and client highlighting the importance of Domain III, the Application Note and Code and developing an action plan to encourage compliance, highlighting its importance and their ability as an organisation to confirm in the 2025/26 Annual Governance Statement that they are conforming with the GIAS in the UK Public Sector. Some partners and clients are fully compliant, while others still have some actions to progress, resulting in a general, rather than full, level of achievement for SIAP against these Standards. | February 2026 | Discuss and present action plans to individual Partners developed following assessment of compliance with the Code of Practice for the Governance of Internal Audit in UK Local Government. | Complete |
| 8.3 | SIAP fully achieves Standard 8.3, Quality. The team revised their Quality Assurance and Improvement Programme in June 2025. The result is excellent. SIAP will need to continue to focus on embedding and implementing the various actions and priorities contained within this document to progress the five identified areas for improvement. I support these next steps and the periodic reporting of progress to partner and client Audit Committees (or equivalent) and senior management, as well as to other key stakeholders. | December 2026 |
Ongoing implementation of actions within the QAIP.
*Actions in relation to Code of Governance & Topical Requirement covered elsewhere in this action plan |
Ongoing |
| 9.2 | SIAP generally achieves Standard 9.2, Internal Audit Strategy. SIAP has established an Internal Audit Strategy for 2025-2028. This is clear and well presented, with valid relevant objectives and priorities for the team to aim for and deliver. This has been developed with partner and client involvement, but given the number of partners and clients, it is not practical for this to be aligned to each separate organisation’s key objectives and priorities. The Head of Partnership and SIAP have consciously chosen not to seek to implement every aspect of this Standard, where it makes little practical sense to do so, given the size and nature of their function. In my opinion, this makes perfect sense, as there is little value in conformance for the sake of conformance, but it does result in this generally (rather than fully) achieves assessment here. | N/A | No action – accepting of the fact that due to SIAPs multi-client provider status we will never fully achieve this standard. | N/A |
| 9.4 | SIAP generally achieves Standard 9.4, Internal Audit Plan. Going forward, SIAP should add additional detail – ideally bespoke for each partner or client – on the rationale for not including an assurance engagement in a high-risk area or activity in its flexible internal audit plans. SIAP currently includes a short standard statement, but this would benefit from being more tailored to the individual partner or client if a ‘fully achieved’ rating is considered necessary. | March 2026 | Due to the timing of the EQA report and the development and presentation of the internal audit plans for 2026/27 we were unable to incorporate the suggested improvement. The internal audit plan template has now been updated to ensure future inclusion of all areas assessed as high priority that are not covered in the plan along with a reason for their omission. | Complete |
| 11.1 & 11.3 | SIAP fully achieves Standard 11.1, Building Relationships and Communicating with Stakeholders, and 11.3, Communicating Results. At interview, and in the April 2025 SIAP survey responses, some stakeholders commented whether there was more that could be done in terms of sharing cross-client themes, issues, results, root causes and insights. This is an obvious benefit of the partnership model and AI may enable the development of additional insights that could be efficiently created and add value. | April 2026 | A quarterly bulletin is to be introduced highlighting key cross-cutting themes and areas of good practice. It is intended for the first bulletin to be issued during Q1 2026/27 | Ongoing |
| 12.3 & 13.5 | SIAP generally achieves both Standard 12.3, Oversee and Improve Engagement Performance, and 13.5 Engagement Resources. SIAP has set a strategic objective to innovate to explore a more agile approach to the audit process, building efficiencies and producing more timely feedback to the organisation. Some stakeholders at interview, through the April 2025 SIAP survey, and my own sample of engagements, commented that occasionally there were delays in the completion of engagements. While there can be varied reasons for these delays, this may require closer monitoring and earlier supportive intervention from engagement managers if delivery is affected and the allocation of additional resources, where necessary, to help ensure any particularly critical milestones or deadlines are achieved. I support the planned actions detailed in the Internal Audit Strategy 2025-2028 for investigating and addressing these concerns. | As per Strategy December 2025 to March 2027 | To complete objectives within the internal audit strategy ‘Innovate to explore a more agile approach to the audit process, building efficiencies and producing more timely feedback to the organisation’ KPIs have been put in place to help identify process bottlenecks. | Ongoing |
| 13.3, 13.4, & 14.3 | SIAP fully achieves Standard 13.3, Engagement Objectives and Scope, 13.4, Evaluation Criteria, and 14.3 Evaluation of Findings. SIAP will need to consider how best to incorporate the IIA’s Topical Requirements into their methodology, particularly when it comes to engagement scope and objectives. At the time of this EQA, two Topical Requirements have been finalised to date, two have been released in draft, and others are in the production pipeline. The first on Cybersecurity comes into effect in February 2026. Additional thinking, guidance and review on what constitutes the ‘criteria’ against which performance is assessed could also prove beneficial, as this is a key change included within the GIAS. Finally, the use of root cause analysis has commenced within the team, and the initial results are promising from both a SIAP and stakeholder perspective. There will be further opportunity to deliver insights on common root cause categories and themes across the partner and client base. | March 2026 / July 2026 | A Practice Note has been developed and incorporated within SIAPs process to incorporate consideration of Topical Requirements. Ensure root cause is appropriately captured at year end to inform themes to be incorporated within the Annual Conclusion(s) | Complete / Ongoing |
Root Cause Categories Annexe 2
| Category | Definition | Example |
|---|---|---|
| Resources | The extent to which the service has sufficient, capable resources, enabling it to carry out all aspects of its operational duties efficiently and effectively. | Functions that had been carried out by a now non-existent post have fallen through the gaps; services have only enough resources to carry out key aspects of operational delivery, meaning some lower priority tasks are not executed. |
| Competencies & Training | The extent to which staff are appropriately qualified, trained or experienced to carry out their role | Lack of training; inappropriate training; ineffective training plans; poor recruitment; poor training material |
| Systems | The extent to which systems are fit-for-purpose and support the service to carry out its operations effectively. | System processes are not available or are not effective, resulting in discrepancies or workarounds to get the required outcome, system processes are circumvented or duplicated manually. Processes are carried out manually where systems processes would be more efficient. |
| Motivation & Incentives | The extent to which factors such as organisational or personnel change have impacted on staff desire to carry out their role efficiently and effectively. | Staff are feeling demotivated by a recent restructuring and removal of some posts, and do not feel that they should be taking on new responsibilities. |
| Standards & Policies | The extent to which expected standards have been made clear to staff and the necessary policies are in place to support these standards. | There is no policy/procedure in place; policies/procedures are out of date; policies/procedures have not been reviewed within appropriate timescales; policies etc. are difficult to locate/access; links in policies either do not work or are out of date. |
| Governance | The extent to which the service is governed by a clear structure that sets out the roles and responsibilities of officers, and the service is supported by appropriate risk management and control systems. | Lack of assigned responsibility and accountability; failure to act / ignorance; intentional misleading by management to protect themselves; underqualified / trained Board members. |
| Process & Procedures | The extent to which established processes are operating effectively and are supported by defined procedures. | Failure to follow set procedures (take care re materiality/proportionality); lack of separation of duties; controls being bypassed. |
| Accountability | The extent to which roles and responsibilities for decision-making have been defined and are accepted and acted on by all parties. | Unclear expectations; avoiding responsibility; lack of management oversight; poor communication. |
| Assurance & Monitoring | The extent to which internal and/or external checking controls exist to monitor the effectiveness of, and provide assurance to, the service. | Unclear responsibility; not identifying and/or taking action on recurring problems; checking the wrong things; under-sampling |