← All episodes
Episode 13 3 July 2026 · 34:05

From Submission to Sign-Off: Preparing for External Auditor Queries

Meet the guest

Listen Podcast episode

Download MP3

Or listen in your favourite app:
Watch Get the Video and Slides Full webinar recording, speaker slides & bonus resources

Show notes

Eleanor Greene is back — this time to walk you through the bit that comes after the AGAR submission: the external audit stage. In this episode, Eleanor covers what external auditors actually look for, why one in three councils received a qualified audit last year, and how to give yourself the best possible chance of a clean sign-off before the summer ends.

Eleanor has been auditing parish and town council accounts since 1997 — nearly 400 audits across her career — and this season alone has audited 97 councils. She knows every query the four major firms (PKF, BDO, Mazars, Moors) send out, and she's seen every way a council can trip over its own paperwork. Her advice is frank, practical, and occasionally quite funny.

Topics covered include: the four external audit firms, how they're appointed, and why they ask for different things; turnover thresholds, fee bands, and why a SIL receipt can create two years of high audit bills; what AGN02 actually says auditors can and can't ask for; the most common AGAR consistency errors; exercise of public rights — who actually turns up and what they're entitled to; writing variance explanations that get the auditor off your back the first time; what Assertion 10 compliance looks like at external audit stage; how to handle a query you don't understand without guessing; and John's quick bonus segment on setting up an email auto-reply that does actual work for you over August.

John also asks Eleanor the Pay-it-Forward question left by Dr Gale Pettifer (Episode 12): if you could choose anyone, alive or dead, to be your mentor, who would you choose?

From Submission to Sign-Off: Preparing for External Auditor Queries — episode artwork

Chapters

Questions answered in this episode

Drawn from our conversation with Eleanor Greene, Chief Accountant at Do the Numbers Ltd and Secretary to the Internal Audit Forum. The answers below are editorial summaries of the discussion — not verbatim transcripts.

What is a qualified external audit, and is it bad news?

A qualified audit — which one in three councils received last year — means 'yes, but.' It's not a clean pass. The council needs to read the qualification carefully, understand exactly what caused it, and make sure it doesn't repeat: if the auditor flagged a problem, that problem needs to be documented, actioned, and resolved before the following year's audit.

What do external auditors actually have to check, and what limits their questions?

The document governing external audit is AGN02, published by the National Audit Office and publicly available on the PKF and PSAA websites. It sets out what auditors must ask for and what they may ask for. Anything outside those categories cannot legitimately be demanded from the council — if an auditor asks for something unusual, AGN02 is the starting point when pushing back proportionately.

Why does my external auditor ask for different things than the auditor used by a nearby council?

External audit contracts are allocated in five-year blocks nationally: PKF covers 31 counties, BDO 4, Mazars 4, and Moors 5. Each firm applies its own interpretation of AGN02 and can require different supporting information. A query one council receives may not apply to a council with a different auditor, so always confirm which firm you're with before comparing notes with peers.

Why is consistency across the AGAR so important, and what happens if the responses contradict each other?

The AGAR has two sections filled in independently: the governance statements by the council, and the internal audit page by the auditor. If the internal auditor has ticked 'no' to something, the council must reflect that in its own section — inconsistency is one of the most common triggers for external audit queries. Councils should also check this year's responses against last year's AGAR and last year's internal audit report to ensure anything previously flagged is reported consistently.

What are the rules for the exercise of public rights, and can the council handle it remotely?

The exercise of public rights is a face-to-face process: members of the public must attend in person at a time and place the council agrees. They may photograph documents on their own phone but the council is not obliged to send copies electronically. If someone can't be bothered to attend, they don't receive the information. The council sets the appointment, should meet in a public venue with a councillor present, and can schedule it towards the end of the public rights period if needed.

How should variance explanations be written to satisfy the external auditor?

Variance explanations should start with the biggest discrepancy and work down, being specific rather than general — 'wages went up' isn't sufficient, but 'employer NI contributions increased by 9% plus an NJC pay award' is. The threshold is 15% or £500, whichever is larger, though PKF may apply a £200 floor — check the specific spreadsheet your auditor sends. If a first attempt comes back asking for more detail, tear it up and start again from the biggest item.

What does Assertion 10 compliance look like at external audit stage?

External auditors have made clear they will not go in heavy on Assertion 10 for this first year it appears on the AGAR. The testing is proportionate: does the council have a council-owned clerk@ email address (not a personal name), a data and IT policy minuted by full council, an accessibility statement on the website, and is the website under the council's own control? If the internal auditor ticked 'no,' the council must also say 'no' in its own AGAR response — consistency matters as much here as anywhere else.

What should a council do if it receives an external audit query it doesn't understand?

Don't guess and don't sit on it alone. Internal auditors and CALCs often see the same queries appearing across multiple councils in the same county and can help decode them. The SLCC also monitors external audit queries nationally and will be aware if a question is being challenged as disproportionate. If a query still doesn't make sense after asking around, go back to the external auditor for clarification — these queries aren't confidential and sharing them with peers is entirely reasonable.

How often should the council formally minute the appointment and independence of its internal auditor?

At minimum once a year. Best practice is to include a resolution in the minutes when accepting the internal audit report: confirming the auditor's reappointment for the following year and noting that both their competence and independence have been assessed. Independence can change at any time — a new councillor might turn out to be related to the auditor — so annual confirmation protects the council. The appointment should always be made by full council, not a sub-committee.

Can members of the public or external auditors see individual payroll data?

External auditors can see total payroll figures and total overtime as shown in the accounts, but individual pay records are confidential — they cannot see who received what. The same applies during the exercise of public rights: the NAO Guide to Public Rights explicitly addresses payroll confidentiality. If an auditor asks to see individual employment contracts or overtime breakdowns per employee, the AGN02 list of permitted categories is the basis for a polite but firm refusal.

Can the internal auditor also act as the council's Data Protection Officer?

No. A Data Protection Officer carries out a management function, which creates a conflict with the independence an internal auditor must maintain. For most small councils the solution is straightforward: parish and town councils are not legally required to appoint a DPO. If the auditor has informally been filling that role, stopping the arrangement resolves the conflict entirely.

Pod-on-the-Parish is brought to you by Scribe and Civic.ly.