1 Purpose of this report

1.1 The Internal Audit Plan for 2024/25 was approved by the Audit Committee in March 2024. This report details the progress to date in undertaking the agreed coverage.

2 Internal audit work undertaken

2.1 Work carried out during the period 1 April 2024 to 7 November 2024 was in accordance with the agreed audit plan. To date, 26 days have been spent this financial year on completing the 2024/25 plan, equating to 37% of the total planned audit activity of 70 days. The table below shows the current status of all audit work.

Use of this report

2.2 This report has been prepared solely for the use of the Lancashire Combined Fire Authority, and it would therefore not be appropriate for it or extracts from it to be made available to third parties other than the external auditors. We accept no responsibility to any third party who may receive this report, in whole or in part, for any reliance that they may place on it. In particular, we expect the external auditors to determine for themselves the extent to which they choose to utilise our work.

Audit review	Audit days			Status	Assurance opinion
Audit review	Planned	Actual	Variation	Status	Assurance opinion
Governance and business effectiveness
Overall governance, risk management and control arrangements	3	2	1	Ongoing
Service delivery and support
Cyber security	15	1	14	Scoping started	N/A
Implementation of learning from national incidents	15	14	1	Final	□ Substantial November 2024
Business processes
Accounts payable	9	1	8	Scoping started	N/A
Accounts receivable	9	1	8	Scoping started	N/A
General ledger	6	0.5	5.5	Scoping started	N/A
Follow up audit activity
District planning activity	2	1.5	0.5	Final	N/A
Other components of the audit plan
Management activity	10	4	6	Ongoing
National Fraud Initiative	1	1	0	Ongoing
Total	70	26	44

3 Extracts from AuditReports

3.1 Extracts of assurance summaries are shown below

Implementations of Learning from National Incidents

Overall assurance rating	Audit findings requiring action
˜	Extreme	High	Medium	Low
Substantial	0	0	1	1
See Appendix A for Rating Definitions
Lancashire Fire and Rescue Service (LFRS) has strong controls in place to ensure that learnings from national and regional services are implemented consistently and in a timely manner. The Organisational Assurance Group (OAG) meets quarterly to monitor and report on performance against the service's preparedness, response, and learning. Its membership is agreed in its terms of reference and covers each operational area of the organisation. The group reviews action and information notes submitted by the National Operational Learning (NOL) and Joint Organisational Learning (JOL) and assesses the impact of these learnings against its own policies and procedures. Whilst these briefings are archived on the Assurance Monitoring System (AMS), meeting minutes sometimes lack sufficient detail regarding their impact on LFRS, which could inform members not present due to operational demand. Actions identified from action and information notes submitted by other fire services are raised and assigned to appropriate officers on the AMS system, and updates tracked until completion. Notes uploaded were found to be sufficiently detailed and accompanied by supporting documentation. OAG meetings are supported by an action plan for issues raised during discussions, with updates given at the start of each meeting through a standing agenda item. Whilst updates provided are detailed in meeting minutes, our review identified two instances where issues from other fire services were not added to the action plan and subsequently not followed up at the next meeting.

Audit assurance levels and residual risks Appendix 1

Note that our assurance may address the adequacy of the control framework's design, the effectiveness of the controls in operation, or both. The wording below addresses all of these options, and we will refer in our reports to the assurance applicable to the scope of the work we have undertaken.

· Substantial assurance: the framework of control is adequately designed and/ or effectively operated overall.

· Moderate assurance: the framework of control is adequately designed and/ or effectively operated overall, but some action is required to enhance aspects of it and/ or ensure that it is effectively operated throughout.

· Limited assurance: there are some significant weaknesses in the design and/ or operation of the framework of control that put the achievement of its objectives at risk.

· No assurance: there are some fundamental weaknesses in the design and/ or operation of the framework of control that could result in failure to achieve its objectives.

Classification of residual risks requiring management action

All actions agreed with management are stated in terms of the residual risk they are designed to mitigate.

Extreme residual risk: critical and urgent in that failure to address the risk could lead to one or more of the following: catastrophic loss of the LRFS services, loss of life, significant environmental damage or significant financial loss, with related national press coverage and substantial damage to the LRFS reputation. Remedial action must be taken immediately.

High residual risk: critical in that failure to address the issue or progress the work would lead to one or more of the following: failure to achieve organisational objectives, significant disruption to the LRFS business or to users of its services, significant financial loss, inefficient use of resources, failure to comply with law or regulations, or damage to the LRFS reputation. Remedial action must be taken urgently.

Medium residual risk: failure to address the issue or progress the work could impact on operational objectives and should be of concern to senior management. Prompt specific action should be taken.

Low residual risk: matters that individually have no major impact on achieving the service's objectives, but when combined with others could give cause for concern. Specific remedial action is desirable.