Episode 3 · 12 March 2026 · 24:57

Preparing for a Successful 25/26 Internal Audit

Show notes

In this episode, John sits down with Eleanor Greene — Chief Accountant at Do the Numbers Ltd and Secretary to the Internal Audit Forum — for a straight conversation about internal audit best practice ahead of Year End.

Eleanor covers a wide range of ground: remote vs face-to-face audits and when each makes sense, what the updated Practitioner's Guide means in practice, Assertion 10 and what councils actually need to do about emails, FOI, and council phones, common governance pitfalls she sees, how to read audit reports properly, auditor independence, website accessibility, and the ever-useful Daily Mail Test.

This was recorded as a dedicated podcast conversation rather than a webinar conversion, so it's a more intimate, back-and-forth discussion. You'll also learn about Eleanor's unexpected passion for minerals and fossils — and yes, she really does own a dinosaur egg.

Questions answered in this episode

Drawn from our conversation with Eleanor Greene, Chief Accountant at Do the Numbers Ltd and Secretary to the Internal Audit Forum. The answers below are editorial summaries of the discussion — not verbatim transcripts.

Should internal audits be done face-to-face or remotely?

Face-to-face is the strong preference. A remote audit doesn't really meet the underlying requirements: the auditor can't inspect the physical minute book, can't look through the actual records, and can't read the clerk's body language when a question is asked. Remote works only as a follow-up arrangement — for councils the auditor has already worked with face-to-face in the past and built a relationship with. For a first audit, expect (and arrange for) someone in the room.

Which Practitioner's Guide applies to this year's internal audit?

The version compulsory for the year-ends now being audited is the one published in March 2025. A new 2026 edition is on the way, but it only becomes compulsory for the following financial year. It's worth being aware of where the new guide is heading — to see the direction of travel and where the sector is going — but the council still has to do what's in the guide it's actually got, not what's coming next.

What will the internal auditor actually test for Assertion 10?

Very little more than: has the council done the four things Assertion 10 requires? It's a high-level check, not a deep audit. The reason is that internal auditors aren't the regulators of the underlying legislation — FOI, GDPR, accessibility regulations — so they're not in a position to go beyond confirming that the council has the right pieces in place. Internal-auditor guidance for Assertion 10 is being written and will be published, but the testing itself will stay at that high level.

Why does it matter whether councillors use personal or council email addresses?

A council's actions, messages and emails are subject to Freedom of Information requests and subject access requests by any member of the public. If a councillor is using their personal account for council business, that personal account — alongside everything else in it, from tennis bookings to family photos — falls within the scope of those requests, and the ICO has strong powers to pursue them. Where councillors use a council email account, the clerk can answer an FOI directly from the web-stored emails through the back-end of the website, without needing to see anyone's phone. When a councillor leaves, the account can simply be switched off — closing the door on former councillors continuing to send mail as if they were still in post. The point is protecting both the council and the individual.

Does the council need to issue councillors and staff their own mobile devices?

The right framing isn't device-vs-device — it's about centralised control of the email account. If the council can grant and revoke access to the mail at any time, what hardware someone happens to read it on becomes a much smaller question. The work to do is in the management of the email, not in the handset.

Why should the clerk have a council-owned phone?

The risk being managed is loss of access. There's a real case of a clerk who resigned suddenly in difficult circumstances, with bank authentication codes still going to her personal phone, and who didn't pass them back — leaving the council temporarily unable to pay wages. A refurbished phone and a £10 pay-as-you-go SIM (often topped up only once or twice a year) close that gap for very modest money, and a council-owned number can also receive things like flood alerts from residents. The audit test is whether the council is taking good care of public money — on that test, the phone is a no-brainer.

What's the most common governance mistake councils make around the internal audit report?

Publishing only part of it. The internal audit page of the AGAR is often missed, with councils publishing the governance and accounting statements but quietly omitting the auditor's section. The requirement is to publish the whole AGAR — including the internal audit page — and current guidance reinforces that. Anything less leaves a visible gap that residents and external auditors will both spot.

What should the council do with the internal auditor's report?

Treat it as the start of a process, not the end. The auditor should be flagging things to improve; if they aren't, they probably haven't done a thorough job — no council is fully compliant, because the rules and rulings keep moving. The council needs to minute at full council that the report has been seen, agree an action plan to address each point, and track it through. That action plan is what closes the loop and is increasingly what the following year's auditor will look for.

Can a council use a friendly accountant or family friend to do the internal audit for free?

It's possible, but the bar is real. Even an unpaid auditor needs an engagement letter, an audit plan, and an action plan from the council in response. Standard accountancy qualifications cover company law; CIPFA-style qualifications cover county council law; very few cover charities and effectively none cover parish law — so an accountant has to be able to demonstrate they understand the legislation the AGAR sits under. And if there's no contract and no fee, there's also no comeback if the work isn't done — and no reassurance for a resident who learns the audit was done for free by someone close to the council. Parish councils aren't required to have professional indemnity insurance, but an engagement letter is required no matter how small the council.

Who actually enforces website accessibility, and how do they respond to complaints?

The statutory regulator is the Equality and Human Rights Commission (EHRC) — the same body that handles the Equality Act. Like the ICO with Freedom of Information, the EHRC only reacts to complaints; it has neither the right nor the resources to audit websites proactively. When a complaint does come in, the typical response is a request to fix the specific thing that prompted it — not a demand that the council remake the entire site.

What is the Daily Mail Test, and how should councils use it?

It's a sense-check for non-standard decisions: imagine a Daily Mail journalist sitting in on the meeting. If the way the council is acting could become a tabloid headline, that's a sign to stop and rethink. If it couldn't, the council is probably doing something right. The test isn't asking councils to be timid — there are moments when the right call is one that wouldn't pass a strict legal reading because it serves the community, and the local press would back it — but it's a useful pause before signing off on the unusual.

Pod-on-the-Parish is brought to you by Scribe and Civic.ly.