Hello everyone! I’m Eleanor Greene, Chief Accountant at Do the Numbers Ltd. I also serve as the Secretary for the Internal Auditors Forum and work closely with SLCC Hampshire. I’ve been auditing since 1997, and while I currently work with about 90 councils at any given time, my experience spans over 200 different authorities.
I recently had the pleasure of speaking at a Scribe Academy Webinar to discuss the shifting landscape of internal audits. As one attendee, Maggie, beautifully put it: "Audit should be welcomed, not feared. It's the best opportunity to learn, develop, and improve." I couldn't agree more. My goal is to help clerks, RFOs, and councillors navigate the 2025/26 season with confidence, ensuring your council is not just compliant, but resilient.
🔎 The Current Audit Landscape
We are currently in the fourth year of a five-year contract between the SAAA and external audit firms like PKF, BDO, Moores, and Mazars. While your external auditors won't change this year, negotiations for the next contract are already well underway.
It is vital to understand that the 25/2026 AGAR (Annual Governance and Accountability Return) and the 2026 Practitioners’ Guide are in their final review stages and are expected to be published in mid-March 2026. While the 2026 Practitioners’ Guide is technically compulsory for the 2026/27 year, the internal audit section represents our current "direction of travel". Your internal auditor should be looking at these changes immediately.
✅ The Critical Importance of Assertion 10
One of the most significant focal points for this season is Assertion 10, and I want to be very clear: do not panic. There are no new laws here; Assertion 10 is simply a consolidation of existing requirements that have been in place for years.
Key existing laws consolidated in Assertion 10:
- Model Publication Scheme: Requirement for an up-to-date FOIA scheme (Law since 2008).
- Website Ownership: The council must own and manage its own website (Law since 2008).
- Transparency Code: Compliance for smaller councils (Law since 2015).
- GDPR Data Audit: Checking and managing stored data (Law since 2018).
- Web Accessibility: Compliance with accessibility rules (Law since 2018).
🪪 Securing Your Digital Identity
A major "fail" point for external audits this year involves your email setup. Every council must have a generic email address linked to its domain (e.g., clerk@myparishcouncil.gov.uk).
If an external auditor sends AGAR guidance to a personal Gmail or Yahoo address, you have immediately breached Assertion 10. Generic addresses like clerk@ or rfo@ (rather than name@) make your council more resilient. If a staff member leaves, the email history and contacts stay with the council, ensuring data security and continuity.
⚖️ Understanding Proportionality in Web Accessibility
There is a common misconception that every tiny parish needs a website with "all the bells and whistles." Under WCAG 2.2, the rules are meant to be proportionate for the smallest public authorities.
For a small council with a tiny precept and few meetings, an accessibility statement on the home page may be sufficient. If you provide information in an alternative format upon request, you are making yourselves accessible. Internal auditors are not the regulators of web accessibility—that is the EHRC—nor are we the regulators of GDPR—that is the ICO. Our job is simply to check that you have the systems in place to tick "Yes" on the AGAR.
📝 Practical Strategies for Council Officers
To prepare for your internal audit, I recommend the following actionable steps:
- Audit Your Minutes: Ensure there is a clear minute showing that the full council has reviewed the independence and competence of your Internal Auditor within the year.
- Review Your Domain: If you haven't already, move toward a .gov.uk domain. While not strictly required yet, it is becoming the standard.
- Run an Accessibility Tool: Periodically use a tool to check your website's accessibility rating. It doesn't have to be 100%, but you should show the council is aware of its status.
- Control Your Assets: Ensure the council owns the laptop and phone used for business. This protects the council if a clerk leaves and ensures access to banking or HMRC codes.
Key Takeaways
- Generic Emails are Mandatory: Ensure your registered audit email is clerk@myparishcouncil.gov.uk.
- Assertion 10 is Not New: It is a collection of laws you should already be following.
- Transparency is Increasing: From next year, you will be required to publish the whole AGAR and the Internal Auditor’s management report on your website.
- Councillor Oversight: Councillors must know who their internal auditor is and actively review their reports.
The "lighter touch" of previous years is becoming "firmer". However, these changes shouldn't be seen as a burden. By tightening your digital security, improving website transparency, and ensuring robust councillor oversight, you are protecting your council from vexatious complaints and ensuring better service for your community.
Questions & Answers
Q: Is an IT policy specifically required under Assertion 10?
A: Paragraph 1.54 here https://www.saaa.co.uk/wp-content/uploads/2025/10/FINAL-Practitioners-Guide-2025-with-addendum.pdf “All smaller authorities (excluding parish meetings) must also have an IT policy. This explains how everyone - clerks, members and other staff - should conduct authority business in a secure and legal way when using IT equipment and software. This relates to the use of authority-owned and personal equipment” so it’s very much part of GDPR coverage.
Q: For a small council with a combined procedures/policies document (including GDPR and FOI), is it necessary to have separate, individual policies for these items?
A: No.
Q: Do policy reviews/approvals need to be done by the Full Council, or can they be handled by a delegated committee?
A: Full Council is most definitely the safest bet.
Q: What advice do you have for a new Clerk where policies haven't been reviewed annually? Should an Extraordinary General Meeting (EGM) be called to review all policies before the March 31st deadline?
A: Ideally yes, but if they were reviewed in the last two years and it’s agreed they will be done when the AGAR is approved, the sky will not fall in.
Q: Are councils obliged to make full contracts public, or does a list of contractors suffice?
A: Those covered by the Transparency Code – yes, it’s the full contract. For all councils the value, name and key details should always be public so that there is proof that tendering was transparent AND that the end result was what was planned.
Q: Is Councillor training a formal requirement as part of Assertion 10?
A: It’s not in the Practitioners Guide.
Q: How do we assess the competence of an Internal Auditor?
A: Please read section 4 of the Practitioners Guide.
Q: What is the best way to find a new IA, specifically for community councils in Wales?
A: Please read section 4 of the Practitioners Guide, but also the Internal Audit Forum directory.
Q: Should a Clerk for multiple small parishes meet with their IA more than once a year?
A: Each council is treated as a stand-alone engagement. So it depends on the size of each parish.
Q: What are your thoughts on auditors who offer their services for free as a "community give back"? Does this impact their independence?
A: You need to look at their letter of engagement – yes they still need one – the planning schedule, the reporting schedule and all the other requirements of audit. What is the evidence of their competence and ability, regardless of the fee.
Q: Could you provide a clear checklist of the standard documents required for audit (e.g., bank statements, payslips, pension returns) to help newer Clerks?
A: Please read the testing summary in section 4 of the Practitioners Guide. It details what IAs need to look at as a minimum. Each IA has their own pet peeves.
Q: What is a reasonable fee for an internal audit for a small Parish Council (e.g., a £7k budget)?
A: I would not charge less than £150 for that, because of the time taken to do all of the tests and write a report.
Q: Can you share a template of a narrative Internal Audit Report so we know what to expect/look for?
A: Each IA writes in their own style. Most Town Councils publish their Internal Audit report in the agenda pack when they approve the AGAR.
Q: If an IA does not typically produce a narrative report, is it a good idea for the Clerk to provide them with a form/template for completion?
A: No. The Auditor should be in control of their own report. If they do not understand the requirements, change IA.
Q: Why is there a fixation on having specific clerk@ or ceo@ addresses? Are generic addresses like accounts@ or enquiries@ sufficient?
A: Most councils only have one employee, the clerk. The key point is to have a never changing email for permanent contact.
Q: What exactly does a GDPR audit entail for a local council?
A: Have a read through the GDPR regulations (linked at 1.51 of the Practitioners Guide) and consider how your systems compare. Almost all CALCs and the SLCC offer regular training.
Q: Do we include VAT on the costs of new purchases when recording them on the Asset Register?
A: No, because the VAT is reclaimed from HMRC. It should not appear in your expenditure coding either. See Section 5 of the PG for more guidance.
Q: Can a Clerk use a single phone for both personal and council business? When did the "rule" against using personal phones come into being?
A: There is no rule, just common sense protection of both the Clerk and the Council’s data. If the clerk is on holiday or leaves, the locum needs the phone for HMRC and the bank and communications. Refurb phones start at around £50, PAYG SIMs at £10.
Q: What is your advice regarding the use of WhatsApp groups on personal phones for council business?
A: No decisions, no prejudging, no defamation, be very very careful. For staff such groups are incredibly useful, for members, higher risk.
Q: If a Clerk warns Councillors that personal devices can be confiscated under FOI and they acknowledge the risk, does the IA have any further comments or concerns?
A: This was the case where a Councillor’s device was taken by the ICO for a year. It was incredibly disruptive for the clerk, the councillors and ALL other services delivered. Best avoided. https://ico.org.uk/action-weve-taken/decision-notices/2017/09/fs50654957/






