1 Purpose of this report

1.1 The Internal Audit Plan for 2024/25 was approved by the Audit Committee in March 2024. This report details the progress to date in undertaking the agreed coverage.

2 Internal audit work undertaken

2.1 To date, 1 day has been spent this financial year on completion of the 2024/25 plan. The table at section 3 below provides a summary of the assignments that comprise the 2023/24 audit plan.

2.2 Time spent between 1 April 2024 and 6 June 2024 in completing assignments from the 2023/24 audit programme, has been accounted for within the 2023/24 Annual Report of the Head of Internal Audit.

Use of this report

2.3 This report has been prepared solely for the use of Lancashire Combined Fire Authority and it would therefore not be appropriate for it or extracts from it to be made available to third parties other than the external auditors. We accept no responsibility to any third party who may receive this report, in whole or in part, for any reliance that they may place on it and, in particular, we expect the external auditors to determine for themselves the extent to which they choose to utilise our work.

3 Progress

Audit review	Audit days			Status	Assurance Opinion
Audit review	Planned	Actual	Variation	Status	Assurance Opinion
Governance and business effectiveness
Overall governance, risk management and control arrangements	3	0	3	Not started
Service delivery and support
Cyber Security	15	0	15	Not started	N/A
Implementation of learning from National Incidents	15	0	15	Not started	N/A
Business processes
Accounts payable	9	0	9	Not started	N/A
Accounts receivable	9	0	9	Not started	N/A
General ledger	6	0	6	Not started	N/A
Follow up audit activity
Follow up activity	2	0	2	Not started	N/A
Other components of the audit plan
Management activity	10	1	9	Ongoing
National Fraud Initiative	1	0	1	Ongoing
Total	70	1	69

Audit assurance levels and residual risks Appendix 1

Note that our assurance may address the adequacy of the control framework's design, the effectiveness of the controls in operation, or both. The wording below addresses all of these options and we will refer in our reports to the assurance applicable to the scope of the work we have undertaken.

˜ Substantial assurance: the framework of control is adequately designed and/ or effectively operated overall.

˜ Moderate assurance: the framework of control is adequately designed and/ or effectively operated overall, but some action is required to enhance aspects of it and/ or ensure that it is effectively operated throughout.

˜ Limited assurance: there are some significant weaknesses in the design and/ or operation of the framework of control that put the achievement of its objectives at risk.

˜ No assurance: there are some fundamental weaknesses in the design and/ or operation of the framework of control that could result in failure to achieve its objectives.

Classification of residual risks requiring management action

All actions agreed with management are stated in terms of the residual risk they are designed to mitigate.

Extreme residual risk: critical and urgent in that failure to address the risk could lead to one or more of the following: catastrophic loss of the LRFS services, loss of life, significant environmental damage or significant financial loss, with related national press coverage and substantial damage to the LRFS reputation. Remedial action must be taken immediately.

High residual risk: critical in that failure to address the issue or progress the work would lead to one or more of the following: failure to achieve organisational objectives, significant disruption to the LRFS business or to users of its services, significant financial loss, inefficient use of resources, failure to comply with law or regulations, or damage to the LRFS reputation. Remedial action must be taken urgently.

Medium residual risk: failure to address the issue or progress the work could impact on operational objectives and should be of concern to senior management. Prompt specific action should be taken.

Low residual risk: matters that individually have no major impact on achieving the service's objectives, but when combined with others could give cause for concern. Specific remedial action is desirable.