Louise Clapton (Devon Assurance Partnership), supported by Gareth Sampson (Operations Development Manager for Social Care) introduced the report and highlighted:

a)    The report outlined progress against the approved internal audit plan and provides a mid?year assurance opinion on the adequacy and effectiveness of the Council’s internal controls;

b)    A reasonable assurance opinion had been issued, confirming that governance and control arrangements were generally sound, though some areas needed further improvement to support strategic objectives;

c)    At the half?year point, 59% of the audit plan was complete or in progress, and 76% of completed audits had received reasonable or substantial assurance;

d)    Some audits had been deferred to the next financial year due to ongoing strategic programmes, external reviews, or capacity constraints. These would be reassessed during audit planning for the next cycle;

e)    Audit coverage continued to be aligned with organisational risks and priorities, with assurance delivered in a timely and responsive way;

f)     The update tracked progress on implementing management actions from limited assurance audits;

                      i.        There were 13 limited assurance audits with outstanding actions at the mid?year point;

                     ii.        Of 108 agreed actions, 59 had been completed and 49 remained outstanding;

                    iii.        11 actions were overdue by more than 90 days;

                    iv.        Four actions were currently on hold due to system changes or resource constraints;

                     v.        A breakdown of outstanding actions by audit area and officer commentary on overdue items had been provided;

g)    The tracking process ensured risks identified through audit were being mitigated, and internal audit would continue to work with management to progress outstanding actions and report back.

Supported by Ian Trisk-Grove (Service Director for Finance), the following was discussed in response to questions;

h)    There had been a strong push from the corporate management team to support officers in progressing management actions;

i)     Many of the outstanding items were complex;

j)     Two major actions remained overdue because the Eclipse upgrade was still awaiting a final software development;

                      i.        Earlier phases were completed in 2022 and 2023, and the Eclipse Board had agreed to begin negotiations with the manufacturer, with the intention of placing an order before the new year and starting implementation in the new financial year;

                     ii.        Improvements had already been made in CareFirst to provide better reporting and clarity, and reporting to the NHS had increased. Once the Eclipse finance module was implemented, the Council would be able to fully complete this audit work and use improved functionality to show joint?funded costs clearly;

                    iii.        Eclipse had stronger cybersecurity protection than the CareFirst system.

k)    A full cybersecurity update would come to the committee in January 2026, and the topic had already been considered by Scrutiny Management Board, with substantial work underway.

The Committee agreed:

1. To note the report including:
   
   
   • The assurance position presented within this report, including progress toward the annual internal audit opinion;
     
     
   • The delivery of audit work against the approved plan, including any in-year adjustments;
     
     
   • The scope, capacity, and resourcing of the internal audit function to complete its planned work;
     
     
   • The key audit findings and any significant issues or themes arising from completed engagements;
     
     
   • The performance of the internal audit service;
     
     
   • The proposed in-year changes to the audit plan, and that these remain aligned to organisational risk and priorities.