Eleanor Greene
Chief Accountant; Secretary to the Internal Audit Forum
Do the Numbers Ltd
Chief Accountant; Secretary to the Internal Audit Forum
Do the Numbers Ltd
Eleanor Greene is back — this time to walk you through the bit that comes after the AGAR submission: the external audit stage. In this episode, Eleanor covers what external auditors actually look for, why one in three councils received a qualified audit last year, and how to give yourself the best possible chance of a clean sign-off before the summer ends.
Eleanor has been auditing parish and town council accounts since 1997 — nearly 400 audits across her career — and this season alone has audited 97 councils. She knows every query the four major firms (PKF, BDO, Mazars, Moors) send out, and she's seen every way a council can trip over its own paperwork. Her advice is frank, practical, and occasionally quite funny.
Topics covered include: the four external audit firms, how they're appointed, and why they ask for different things; turnover thresholds, fee bands, and why a SIL receipt can create two years of high audit bills; what AGN02 actually says auditors can and can't ask for; the most common AGAR consistency errors; exercise of public rights — who actually turns up and what they're entitled to; writing variance explanations that get the auditor off your back the first time; what Assertion 10 compliance looks like at external audit stage; how to handle a query you don't understand without guessing; and John's quick bonus segment on setting up an email auto-reply that does actual work for you over August.
John also asks Eleanor the Pay-it-Forward question left by Dr Gale Pettifer (Episode 12): if you could choose anyone, alive or dead, to be your mentor, who would you choose?
Drawn from our conversation with Eleanor Greene, Chief Accountant at Do the Numbers Ltd and Secretary to the Internal Audit Forum. The answers below are editorial summaries of the discussion — not verbatim transcripts.
A qualified audit — which one in three councils received last year — means 'yes, but.' It's not a clean pass. The council needs to read the qualification carefully, understand exactly what caused it, and make sure it doesn't repeat: if the auditor flagged a problem, that problem needs to be documented, actioned, and resolved before the following year's audit.
The document governing external audit is AGN02, published by the National Audit Office and publicly available on the PKF and PSAA websites. It sets out what auditors must ask for and what they may ask for. Anything outside those categories cannot legitimately be demanded from the council — if an auditor asks for something unusual, AGN02 is the starting point when pushing back proportionately.
External audit contracts are allocated in five-year blocks nationally: PKF covers 31 counties, BDO 4, Mazars 4, and Moors 5. Each firm applies its own interpretation of AGN02 and can require different supporting information. A query one council receives may not apply to a council with a different auditor, so always confirm which firm you're with before comparing notes with peers.
The AGAR has two sections filled in independently: the governance statements by the council, and the internal audit page by the auditor. If the internal auditor has ticked 'no' to something, the council must reflect that in its own section — inconsistency is one of the most common triggers for external audit queries. Councils should also check this year's responses against last year's AGAR and last year's internal audit report to ensure anything previously flagged is reported consistently.
The exercise of public rights is a face-to-face process: members of the public must attend in person at a time and place the council agrees. They may photograph documents on their own phone but the council is not obliged to send copies electronically. If someone can't be bothered to attend, they don't receive the information. The council sets the appointment, should meet in a public venue with a councillor present, and can schedule it towards the end of the public rights period if needed.
Variance explanations should start with the biggest discrepancy and work down, being specific rather than general — 'wages went up' isn't sufficient, but 'employer NI contributions increased by 9% plus an NJC pay award' is. The threshold is 15% or £500, whichever is larger, though PKF may apply a £200 floor — check the specific spreadsheet your auditor sends. If a first attempt comes back asking for more detail, tear it up and start again from the biggest item.
External auditors have made clear they will not go in heavy on Assertion 10 for this first year it appears on the AGAR. The testing is proportionate: does the council have a council-owned clerk@ email address (not a personal name), a data and IT policy minuted by full council, an accessibility statement on the website, and is the website under the council's own control? If the internal auditor ticked 'no,' the council must also say 'no' in its own AGAR response — consistency matters as much here as anywhere else.
Don't guess and don't sit on it alone. Internal auditors and CALCs often see the same queries appearing across multiple councils in the same county and can help decode them. The SLCC also monitors external audit queries nationally and will be aware if a question is being challenged as disproportionate. If a query still doesn't make sense after asking around, go back to the external auditor for clarification — these queries aren't confidential and sharing them with peers is entirely reasonable.
At minimum once a year. Best practice is to include a resolution in the minutes when accepting the internal audit report: confirming the auditor's reappointment for the following year and noting that both their competence and independence have been assessed. Independence can change at any time — a new councillor might turn out to be related to the auditor — so annual confirmation protects the council. The appointment should always be made by full council, not a sub-committee.
External auditors can see total payroll figures and total overtime as shown in the accounts, but individual pay records are confidential — they cannot see who received what. The same applies during the exercise of public rights: the NAO Guide to Public Rights explicitly addresses payroll confidentiality. If an auditor asks to see individual employment contracts or overtime breakdowns per employee, the AGN02 list of permitted categories is the basis for a polite but firm refusal.
No. A Data Protection Officer carries out a management function, which creates a conflict with the independence an internal auditor must maintain. For most small councils the solution is straightforward: parish and town councils are not legally required to appoint a DPO. If the auditor has informally been filling that role, stopping the arrangement resolves the conflict entirely.