1 Introduction

Purpose of this report

1.1 This report summarises the work undertaken by the Internal Audit Service during 2024/25 and highlights the key themes related to risk management, governance, and internal control.

The role of internal audit

1.2 The Internal Audit Service is an assurance function designed to evaluate and improve the effectiveness of risk management, control and governance processes. Public Sector Internal Audit Standards (PSIAS) require the head of internal audit to provide an opinion on the frameworks of governance, risk management and control of Lancashire Combined Fire Authority and a written report to those charged with governance, timed to support the annual governance statement.

1.3 This report is based upon the work the Internal Audit Service performed during 2024/25 in relation to the 2024/25 audit plan, approved by the Audit Committee in March 2024.

1.4 The scope of our work, management and audit’s responsibilities, the basis of my assessment, and access to this report are set out in Annex 1. The levels of assurance the Internal Audit Service provides are set out in Annex 2.

1.5 The Internal Audit Service plan is delivered and developed in accordance with its Internal Audit Charter. A revised charter for 2025/26, reflecting the Global Internal Audit Standards, accompanies this report.

Acknowledgements

1.6 I am grateful for the assistance that has been provided to the Internal Audit Service by the staff of Lancashire Fire and Rescue Service in the course of our work during the year.

Andrew Dalecki

Head of Internal Audit, Lancashire County Council

June 2025

2 Overall opinion on governance, risk management and internal control

Overall opinion

2.1 Overall, I can provide substantial assurance regarding the adequacy of design and effectiveness in operation of the organisation's framework of governance, risk management and control.

2.2 Systems and processes are generally working effectively and ensure staff are aware of correct processes. We have discussed the issues we raised during the year with senior managers and agreed action plans. The table in 3.1 details the audit assignments completed with the relevant assurance levels

2.3 In forming my opinion, I have considered the work undertaken by the Internal Audit Service throughout the year as well as information available from less formal sources than planned audit engagements.

Wider sources of assurance available to the Combined Fire Authority

2.4 Assurance is provided by Grant Thornton as the Authority's external auditor. Grant Thornton issued an unqualified opinion on the 2023/24 financial statements on 29 November 2024. They also confirmed that there were no significant weaknesses in the arrangements for financial sustainability, governance and economy, efficiency and effectiveness in the use of resources.

2.5 His Majesty's Inspector of Fire and Rescue Services and Constabulary inspection of the service’s effectiveness, efficiency and how well it looks after its people has recently been undertaken. At the time of writing the report the service was awaiting the outcome.

2.6 Assurance over the operation of the Pension Fund has been obtained from work conducted directly by Lancashire County Council's Internal Audit Service. Additionally, assurance has been obtained from internal audit work undertaken at the Local Pension Partnership (Administration) Ltd and Local Pension Partnership (Investments) Ltd. Both entities have also received an independent auditor's view of their controls through Audit and Assurance Faculty assurance reviews conducted by KPMG.

3 Internal audit work undertaken

3.1 The table below shows the status of each audit completed during the year along with the corresponding assurance opinion. It shows that all 70 budgeted days have been used to deliver the internal audit plan. All 2024/25 work has been completed.

3.2 During the year, no matters have arisen that impacted on the independence of the Internal Audit service and there have been no inappropriate scope or resource limitations on internal audit work.

Audit review	Audit days			Status	Assurance opinion
Audit review	Planned	Actual	Variation	Status	Assurance opinion
Governance and business effectiveness
Overall governance, risk management and control arrangements	3	3	0	Completed
Service delivery and support
Cyber security	15	14.5	0.5	Final	˜ Moderate March 2025
Implementation of learning from national incidents	15	15	0	Final	˜ Substantial November 2024
Business processes
Accounts payable	9	9	0	Final	˜ Substantial April 2025
Accounts receivable	9	9	0	Final	˜ Substantial April 2025
General ledger	6	7	-1	Final	˜ Substantial April 2025
Follow up audit activity
District planning activity	2	1.5	0.5	Final	Actions implemented
Other components of the audit plan
Management activity	10	10	0	Ongoing
National Fraud Initiative	1	1	0	Ongoing
Total	70	70	0

Follow up work

3.3 Under the Public Sector Internal Audit Standards, management is responsible for ensuring that agreed actions in audit reports are implemented. Internal Audit should obtain assurance that actions have been implemented as agreed or that senior management has accepted the risk of not taking action. All actions from the District Planning Activity audit had been implemented.

4 Extracts from Audit Reports

4.1 Extracts of assurance summaries are shown in Appendix A for the audits finalised since the March 2025 Audit Committee meeting.

5 Fraud/ special investigations

5.1 There have been no incidences of fraud or irregularity brought to our attention that resulted from weakness in the control environment.

6 Implications for the Annual Governance Statement

6.1 In making its Annual Governance Statement the Combined Fire Authority should consider this report in relation to internal control, risk management and corporate governance.

6.2 We do not consider there are any matters arising from the audit work conducted during 2024/25 that require specific identification in the annual governance statement.

7 Internal audit quality assurance and improvement

Client satisfaction

7.1 Internal Audit invites feedback on the quality of service provided by issuing a ‘satisfaction questionnaire’ at the end of each audit. This is an important process for understanding how the audit was received and identifying areas of the audit process that can be improved.

7.2 In every case, our auditees have told us that they were satisfied overall with how we conducted our work. We also seek more detailed feedback on our audit planning, the audit process and reporting, our conduct, and the management and delivery of our service. While we received a limited number of questionnaire responses this year, however, in the feedback we did receive auditees have provided positive feedback across all these areas. No common themes emerged from the responses that indicated specific areas requiring improvement.

Ongoing and periodic assessments

7.4 In accordance with the PSIAS the Council’s Internal Audit function is required to have an external quality assessment (EQA) undertaken at least once every 5 years as part of its Quality Assurance Framework.

7.5 The last external quality assessment was in February 2023 and the overall opinion was that the Internal Audit team “generally conforms” to the IIA Standards. This is the same overall rating that the service achieved at the last assessment completed in November 2017 and is the highest of the three global grading definitions used in an EQA.

7.6 The Internal Audit Service has designed procedures and an audit methodology that conform to PSIAS and are regularly reviewed. Every auditor in the team is required to comply with these or document the reasons why not, and to demonstrate this compliance on every audit assignment. The audit managers assess the quality of each audit concurrently as it progresses, and a post-audit file review process has been undertaken. These reviews indicate that there is good evidence of compliance with our audit methodology and input from the audit managers to support the work of the auditors. In 2025/26, we are working towards compliance with the Global Internal Audit Standards.

7.7 In addition, the service's methodology includes a step which requires the head of internal audit to read each report as it is finalised. This does not entail an additional detailed review and the auditors' reports remain theirs, using their own style and wording, but is intended to ensure that each assignment can be adequately understood and is effectively communicated.

7.8 The Internal Audit Service operates a hybrid working model; with staff primarily home-based but undertaking client site visits as required by the audit. Performance management and support arrangements are in place to facilitate this including agreeing delivery timescales with clients and identifying audits to be completed for each Committee meeting.

Appendix A

Accounts Payable

Overall assurance rating	Audit findings requiring action
˜	Extreme	High	Medium	Low
Substantial	0	0	0	0
See Appendix A for Rating Definitions
There is a robust governance framework supported by Financial Regulations, Contract Standing Orders, and a Scheme of Delegation, ensuring comprehensive financial management and decision-making processes. A report has recently been delivered enabling the Procurement Officer to resume monitoring and reporting on contract spend, ensuring compliance and value for money, this was an action in our prior year audit. User access within the Oracle Fusion system is generally appropriate, although we recognise there is still some work to be done on fusion roles by Lancashire County Council (LCC) Digital Services, to ensure that users have no more than is required. The approval process for purchase requisitions is well-structured, with hierarchical limits ensuring thorough oversight. The holds process effectively resolves issues, ensuring payments are accurate and justified. System controls in Oracle Fusion along with strict adherence to the issue of purchase orders effectively prevents duplicate payments. Our testing confirmed the effectiveness of these controls. Supplier management processes are transparent and accountable, with verification of supplier details and regular invoice and bank detail checks for high-value payments. Performance in processing requisitions, purchase orders, and invoices is timely, though the lack of payment date information in reports limits full analysis. Addressing this data gap is essential for compliance with the new Procurement Act, which mandates stringent payment data requirements. Delivery of this report is being progressed by Lancashire County Council's Head of Service for Procurement and Contract Management. The anti-fraud measures, including an anti-fraud and corruption policy, participation in the National Fraud Initiative, and an internal audit program, effectively mitigate fraud risks. The review did not identify significant weaknesses, confirming the effectiveness of the controls in place.

General Ledger

Overall assurance rating – General Ledger	Audit findings requiring action
˜	Extreme	High	Medium	Low
Substantial	0	0	0	0
See Appendix A for Rating Definitions
There is a service level agreement (SLA) for the provision of financial services by LCC to Lancashire Fire and Rescue (LFRS) for the period from 1 April 2024 to 31 March 2025. There were some delays in signing the SLA due to mid-year changes in service provision, the agreement was signed on 7 January 2025. There remain some reports unavailable in Oracle Fusion that were previously accessible in R12, this is being addressed through development work on priority reports and the provision of data directly from LCC Digital Services on request. Virements are managed in compliance with financial regulations, with appropriate approvals and documentation. Feeder file processes are well-controlled, with no significant issues detected. Journal entries are accurately recorded, with robust controls ensuring no unposted, unbalanced, or duplicated entries. A journal control sheet is maintained to log approvals, which are managed outside the Fusion system. Reconciliations of control and suspense accounts are conducted regularly, with discrepancies promptly addressed. These reconciliations are subject to periodic supervisory review, ensuring the accuracy and reliability of financial records. There is a robust system for monitoring budgets, with regular reports that include detailed variance analysis and explanations. Budget monitoring reports are presented to various committees and boards, ensuring thorough oversight and accountability. We have suggested an enhancement to further improve the clarity and usefulness of budget holder reports. Overall, the internal controls and procedures are effective in maintaining the integrity of the general ledger. However, improvements in system access management and the availability of reports in Oracle Fusion are necessary to enhance financial reporting and analysis and this work remains ongoing but lies with LCC.

Annex 1: Scope, responsibilities and assurance

Approach

1 The Internal Audit Service operates in accordance with the Public Sector Internal Audit Standards (PSIAS). The scope of internal audit encompasses all of the governance, risk management and control processes of the Combined Fire Authority including where they are provided by other organisations on their behalf.

Responsibilities of management and internal auditors

2 It is management’s responsibility to maintain systems of risk management, internal control and governance. Internal audit is an element of the internal control framework assisting management in the effective discharge of its responsibilities and functions by examining and evaluating controls.

3 Lancashire Combined Fire Authority has taken the decision to outsource their internal audit provision, and Lancashire County Council's Internal Audit Service was the appointed service provider for 2024/25.

4 It is the role of the Internal Audit Service to provide independent assurance that these risk management, control and governance processes are adequately designed and effectively operated. The PSIAS makes clear that the provision of this assurance is internal audit's primary role and that this requires the head of internal audit to provide an annual opinion based on an objective assessment of the framework of governance, risk management and control.

5 This assessment will be supported by the identification, analysis, evaluation and documentation of sufficient information on each individual audit assignment, and the completion of sufficient assignments to support an overall opinion for the organisation as a whole.

6 Internal auditors cannot be held responsible for internal control failures. However, we have planned our work so that we have a reasonable expectation of detecting significant control weaknesses. We have reported all such weaknesses to you as they have become known to us, without undue delay, and have worked with you to develop proposals for remedial action.

7 The requirement to be independent and objective means that the Internal Audit Service cannot assume management responsibility for risk management, control or governance processes. However, the Internal Audit Service may support management by providing consultancy services. These are advisory in nature and are generally performed at the specific request of the organisation, with the aim of improving governance, risk management and control and will also contribute to the overall assurance opinion.

8 Accountability for responses to the Internal Audit Service’s advice and recommendations for action lies with the Senior Management Team, which either accepts and implements the advice or accepts the risks associated with not taking action. Audit advice, including where the Internal Audit Service has been consulted about significant changes to internal control systems, is given without prejudice to the right of the Internal Audit Service to review and recommend further action on the relevant policies, procedures, controls and operations at a later date.

9 The head of internal audit will provide an annual report incorporating an overall opinion, a summary of the work that supports that opinion, and a statement of conformity with the (PSIAS) and the results of the quality assurance and improvement programme.

10 The Internal Audit Service is not responsible for the prevention or detection of fraud and corruption. Managing the risk of fraud and corruption is the responsibility of management. Internal auditors will, however, be alert in all their work to risks and exposures that could allow fraud or corruption and to any indications that fraud and corruption may have occurred. Internal audit procedures alone, even when performed with due professional care, cannot guarantee that fraud or corruption will be detected.

Basis of our assessment

11 Our opinion on the adequacy of control arrangements is based upon the result of internal audit reviews undertaken and completed during the period in accordance with the plan approved by the Audit Committee. We have obtained sufficient, reliable and relevant evidence to support the improvements that we proposed and that have been accepted by management.

Limitations to the scope of our work

12 There have been no limitations to the scope of our audit work.

Limitations on the assurance that internal audit can provide

13 There are inherent limitations as to what can be achieved by internal control and consequently limitations to the conclusions that can be drawn from our work as internal auditors. These limitations include the possibility of faulty judgement in decision making, of breakdowns because of human error, of control activities being circumvented by the collusion of two or more people and of management overriding controls. Also, there is no certainty that internal controls will continue to operate effectively in future periods or that the controls will be adequate to mitigate all significant risks which may arise in future.

14 Decisions made in designing internal controls inevitably involve the acceptance of some degree of risk. As the outcome of the operation of internal controls cannot be predicted with absolute assurance any assessment of internal control is judgmental.

Access to this report and responsibility to third parties

15 This report has been prepared solely for the Combined Fire Authority. This report forms part of a continuing dialogue between the Internal Audit Service, senior officers within Lancashire Fire and Rescue Service and the Audit Committee. It is not therefore intended to include every matter that came to our attention during each internal audit review.

16 We acknowledge that this report may be made available to other parties, such as the external auditors. We accept no responsibility to any third party who may receive this report for any reliance that they may place on it and, in particular, we expect the external auditors to determine for themselves the extent to which they choose to utilise our work.

Annex 2: Audit assurance levels and classification of agreed actions

Note that our assurance may address the adequacy of the control framework's design, the effectiveness of the controls in operation, or both. The wording below addresses all of these options, and we will refer in our reports to the assurance applicable to the scope of the work we have undertaken.

˜ Substantial assurance: the framework of control is adequately designed and/ or effectively operated overall.

˜ Moderate assurance: the framework of control is adequately designed and/ or effectively operated overall, but some action is required to enhance aspects of it and/ or ensure that it is effectively operated throughout.

˜ Limited assurance: there are some significant weaknesses in the design and/ or operation of the framework of control that put the achievement of its objectives at risk.

˜ No assurance: there are some fundamental weaknesses in the design and/ or operation of the framework of control that could result in failure to achieve its objectives.

Classification of residual risks requiring management action

All actions agreed with management are stated in terms of the residual risk they are designed to mitigate.

Extreme residual risk: critical and urgent in that failure to address the risk could lead to one or more of the following: catastrophic loss of the LRFS services, loss of life, significant environmental damage or significant financial loss, with related national press coverage and substantial damage to the LRFS reputation. Remedial action must be taken immediately.

High residual risk: critical in that failure to address the issue or progress the work would lead to one or more of the following: failure to achieve organisational objectives, significant disruption to the LRFS business or to users of its services, significant financial loss, inefficient use of resources, failure to comply with law or regulations, or damage to the LRFS reputation. Remedial action must be taken urgently.

Medium residual risk: failure to address the issue or progress the work could impact on operational objectives and should be of concern to senior management. Prompt specific action should be taken.

Low residual risk matters that individually have no major impact on achieving the service's objectives, but when combined with others could give cause for concern. Specific remedial action is desirable