Appendix A
Lancashire Combined Fire Authority
Internal Audit Service monitoring report: period ended 28 November 2025
1 Purpose of this report
1.1 The Internal Audit Plan for 2025/26 was approved by the Audit Committee in March 2025. This report details the progress to date in undertaking the agreed coverage.
2 Internal audit work undertaken
2.1 To date, 32 days have been spent this financial year on completion of the 2025/26 plan, which equates to 46%. The table in section 3 below provides a summary of the assignments that comprise the 2025/26 audit plan.
Use of this report
2.2 This report has been prepared solely for the use of Lancashire Combined Fire Authority, and it would therefore not be appropriate for it or extracts from it to be made available to third parties other than the external auditors. We accept no responsibility to any third party who may receive this report, in whole or in part, for any reliance that they may place on it and, in particular, we expect the external auditors to determine for themselves the extent to which they choose to utilise our work.
3 Progress
| Audit review | Audit days |  |  | Status | Assurance Opinion |
|---|---|---|---|---|---|
|  | Planned | Actual | Variation |  |  |
| Governance and business effectiveness |  |  |  |  |  |
| Overall governance, risk management and control arrangements | 3 | 0 | 3 | Not started |  |
| Service delivery and support |  |  |  |  |  |
| Risk Management | 12 | 14 | (2) | Final Report | Reasonable October 2025 |
| Business Continuity | 10 | 12 | (2) | Final Report | Substantial November 2025 |
| Business processes |  |  |  |  |  |
| VAT | 8 | 1 | 7 | Planning | N/A |
| Treasury Management | 10 | 0 | 10 | Not started | N/A |
| Procurement | 12 | 1 | 11 | Planning | N/A |
| Follow up audit activity |  |  |  |  |  |
| Cyber Security - Governance | 2 | 0 | 2 | Not started | N/A |
| Learning from National Incidents | 2 | 0 | 2 | Not started | N/A |
| Other components of the audit plan |  |  |  |  |  |
| Management activity | 10 | 4 | 6 | Ongoing |  |
| National Fraud Initiative | 1 | 0 | 1 |  |  |
| Total | 70 | 32 | 38 |  |  |
4 Extracts from Audit Reports
4.1 Extracts of assurance summaries are on the page below for:
· Risk Management
· Business Continuity
Risk Management – final report issued 22 November 2025
| Overall assurance rating | Audit findings requiring action |  |  |  |
|---|---|---|---|---|
|  | Extreme | High | Medium | Low |
| Reasonable assurance | 0 | 0 | 2 | 1 |

See Appendix A for Rating Definitions
Lancashire Fire and Rescue Service is on a strong and positive trajectory in enhancing its risk management framework. The Service has laid solid foundations, and with continued focus on training, consistency, and reporting, it is well positioned to fully embed the process across the organisation.

A formal risk management policy and procedure have been developed and are broadly aligned with ISO 31000:2018 principles. These documents clearly outline responsibilities, escalation processes, and the organisation’s risk appetite. They are reviewed annually and approved by the Audit Committee, reflecting a commitment to continuous improvement. Making these documents more widely accessible will help strengthen staff engagement and understanding.

Senior management benefits from comprehensive risk management training delivered through quarterly meetings. Formalising this approach and extending structured, role-specific training to risk owners, managers, and Audit Committee members will further embed a consistent understanding of risk responsibilities. While business continuity training is mandatory for new staff, incorporating risk management into this training would enhance integration of the framework across the Service.

Risk identification and assessment are carried out at the departmental level, with most departments updating their registers quarterly in collaboration with the Senior Business Continuity and Emergency Planning Officer. Many risks have been assessed and assigned owners, although some departments are still developing their processes. Mitigating actions are in place for most risks, and there are examples of good practice, such as in the Property department, where actions are clearly defined and time bound. Continued focus on making actions more measurable and time-specific will further strengthen the framework.

Monitoring and reporting of risks take place through the Corporate Programme Board and the Audit Committee. Discussions at the Programme Board have become more structured, with plans to introduce formal reporting to support better scrutiny and escalation decisions. The Audit Committee now reviews risk management quarterly, rather than annually, and members actively engage with the process. Reporting is evolving to include more detail on mitigating actions, risk scores, and changes over time. Standardising report content will enhance the Committee’s ability to evaluate risks effectively and support informed decision-making.
Business Continuity – final report issued 25 November 2025
| Overall assurance rating | Audit findings requiring action |  |  |  |
|---|---|---|---|---|
|  | Extreme | High | Medium | Low |
| Substantial assurance | 0 | 0 | 0 | 1 |

See Appendix A for Rating Definitions
Lancashire Fire and Rescue Service (LFRS) has implemented a robust Business Continuity Management System (BCMS), underpinned by a comprehensive Policy and Standard Operating Procedure. These documents clearly articulate the aims, objectives, and operational framework of business continuity management and are aligned with key standards and legislation. Staff responsibilities are clearly defined across all levels, whilst accessibility of documentation is ensured through multiple platforms. Training is embedded into induction for all staff and supplemented by targeted, in-depth courses for those with specific business continuity responsibilities. Oversight is maintained through structured governance, with the Deputy Chief Fire Officer accountable for policy implementation, and regular scrutiny by the Corporate Programme Board and Planning Committee, where updates and improvements are actively discussed and documented.

The service employs a structured approach to business continuity planning, comprising strategic, tactical, operational, and station-level plans informed by business impact analyses. Communication plans support internal and external messaging during disruptions. All plans are reviewed annually and managed via SharePoint, and are current, accessible and supported by communication protocols and secure backups. However, a minor issue was noted relating to inconsistencies in grab bag contents such as missing registers and contact lists, though this documentation is also accessible electronically and offline through other means. Utilities continuity is supported by contracts and contingency measures, though formal service level agreements are not possible due to infrastructure and fire services being discounted from priority supply for electricity. Upcoming procurement will include business continuity clauses to enhance resilience.

A robust business continuity testing programme is maintained, including real-time and tabletop exercises. All plans are tested annually, with activations tracked and lessons learned documented. Strategic and tactical debriefs are coordinated by the Response and Emergency Planning Team with documented recommendations and assigned responsibilities. Recommendations raised during structured debriefs are entered into the Assurance Management System for ongoing tracking and monitoring by the Organisational Assurance Group, whilst more detailed oversight will be maintained by the Business Continuity Management Group going forward. Benchmarking is supported through active participation in regional and national forums, enabling shared learning and planning for emerging risks such as cyber threats and power outages. These measures reinforce the Authority's commitment to resilience and continuous improvement.
Appendix 1
Audit assurance levels and residual risks
Note that our assurance may address the adequacy of the control framework's design, the effectiveness of the controls in operation, or both. The wording below addresses all of these options, and we will refer in our reports to the assurance applicable to the scope of the work we have undertaken.
· Substantial assurance: the framework of control is adequately designed and/or effectively operated overall.
· Reasonable assurance: the framework of control is adequately designed and/or effectively operated overall, but some action is required to enhance aspects of it and/or ensure that it is effectively operated throughout.
· Limited assurance: there are some significant weaknesses in the design and/or operation of the framework of control that put the achievement of its objectives at risk.
· No assurance: there are some fundamental weaknesses in the design and/or operation of the framework of control that could result in failure to achieve its objectives.
Classification of residual risks requiring management action
All actions agreed with management are stated in terms of the residual risk they are designed to mitigate.
· Extreme residual risk: critical and urgent in that failure to address the risk could lead to one or more of the following: catastrophic loss of the LFRS services, loss of life, significant environmental damage or significant financial loss, with related national press coverage and substantial damage to the LFRS reputation. Remedial action must be taken immediately.
· High residual risk: critical in that failure to address the issue or progress the work would lead to one or more of the following: failure to achieve organisational objectives, significant disruption to the LFRS business or to users of its services, significant financial loss, inefficient use of resources, failure to comply with law or regulations, or damage to the LFRS reputation. Remedial action must be taken urgently.
· Medium residual risk: failure to address the issue or progress the work could impact on operational objectives and should be of concern to senior management. Prompt specific action should be taken.
· Low residual risk: matters that individually have no major impact on achieving the service's objectives, but when combined with others could give cause for concern. Specific remedial action is desirable.