Parish Council Internal Audit Checklist: What Auditors Check in 2026
5 March 2026 · Last reviewed 12 March 2026
Internal audit is not optional. Every parish and town council must have an internal audit at least once a year, and the auditor's report goes directly into Section 3 of your Annual Governance and Accountability Return (AGAR). If the auditor answers "no" to any question, you need an explanation — and your external auditor will want to see it.
This guide covers what internal auditors actually check, what evidence to prepare, and what has changed for the 2025–26 audit cycle.
What the internal auditor reviews
The internal auditor works through a structured report covering the effectiveness of your council's internal controls. Their job is to test whether your systems work in practice — not just whether policies exist on paper.
The areas covered align with the governance assertions in AGAR Section 1 (the Annual Governance Statement). For the definitive list of assertions, download the current SAPPP Practitioners' Guide from NALC or SLCC. Here is what each area involves in practice.
Financial management and accounting
The auditor checks whether your council has effective financial management arrangements and whether the accounting statements are properly prepared.
Evidence to have ready:
- Bank statements for the full financial year (April to March)
- Bank reconciliation at year-end — the cashbook balance must match the bank statement
- Payment records showing authorisation (two signatories for cheques/BACS, council approval on minutes)
- Income records and receipts
- Budget vs. actual comparison with explanations for significant variances (10–15% or more)
- VAT reclaim records and Section 137 expenditure tracking
Common failures: Year-end bank reconciliation doesn't balance. Payment authorisation records are incomplete — especially for direct debits and standing orders, which still need council approval. VAT reclaim not submitted or poorly tracked.
Budgets and precept
The auditor checks whether your budget supports the precept requirement and whether spending is monitored against it.
Evidence to have ready:
- Approved budget for the current and previous year
- Precept demand submitted to the billing authority
- Quarterly or monthly budget monitoring reports (if produced)
- Minutes showing budget approval and precept setting
Common failures: Budget set without council resolution. No in-year monitoring — the budget was approved in January and never looked at again.
Standing orders and financial regulations
The auditor checks whether you have adopted standing orders and financial regulations, and whether the council follows them.
Evidence to have ready:
- Current standing orders (ideally based on the latest NALC model, reviewed within the last year)
- Current financial regulations (likewise ideally based on the latest NALC model and reviewed within the last year)
- Minutes showing adoption/review dates
- Evidence that procurement thresholds are being followed
Common failures: Standing orders adopted years ago and never reviewed. Financial regulations reference superseded legislation. The council has a £500 procurement threshold but no evidence of quotes for purchases above it.
Risk management
The auditor checks whether the council has assessed and managed its risks.
Evidence to have ready:
- Risk assessment reviewed and approved within the current financial year
- Insurance schedule covering public liability, employer's liability (if applicable), fidelity guarantee, and property
- Insurance renewal date and evidence of cover
- Any risk mitigation actions taken during the year
Common failures: Risk assessment not reviewed annually. Insurance schedule doesn't match actual assets (new equipment not covered, disposed assets still listed).
Internal controls
The auditor checks whether adequate internal controls exist and are followed.
Evidence to have ready:
- Segregation of duties — who authorises payments, who makes them, who reconciles
- Regular bank reconciliations (ideally monthly)
- Petty cash procedures and reconciliation
- Fixed asset register matching the AGAR asset statement
Common failures: Same person authorises and makes payments with no independent check. Bank reconciliations done only at year-end. Fixed asset register not updated when items are purchased or disposed of.
Compliance with laws, regulations, and proper practices
The auditor checks whether the council complied with its legal obligations during the year.
Evidence to have ready:
- Publication of transparency information by 1 July (see our transparency code guide)
- Publication scheme maintained and accessible
- GDPR compliance — privacy notice on website, data processing records, FOI/SAR response tracking
- Minutes showing that all statutory requirements were met (annual meeting held, accounts approved, precept set)
- Employment contracts and pension enrolment (if you have employees)
Common failures: Transparency information not published by the deadline. No privacy notice on the council website. Minutes don't record that the annual meeting was held within the required timeframe.
Exercise of public rights
The auditor checks whether the council properly advertised and facilitated the public's right to inspect the accounts.
Evidence to have ready:
- Notice of public rights period (30 working days including the first 10 working days of July)
- Evidence the notice was published on your website and noticeboard
- Records showing documents were made available for inspection if requested
Common failures: Public rights period not advertised. Period doesn't start on the correct date. Notice published on the noticeboard but not the website.
Assertion 10: digital and data compliance (new from 2025)
The 2025 edition of the SAPPP Practitioners' Guide introduced Assertion 10, which covers digital and data compliance. This is the first new assertion added to the AGAR governance statement in years, and many councils are unprepared. For a detailed breakdown of each requirement, see our Assertion 10 compliance guide.
Assertion 10 covers:
- Council-owned domain — the council website must be on a domain the council controls (not a personal domain or one tied to a specific clerk)
- Official email system — council business conducted via official council email addresses, not personal Gmail, Outlook, or Yahoo accounts
- IT policy — a documented policy covering acceptable use, data backup, password requirements, and incident response
- Website accessibility — the council website must meet WCAG 2.2 AA standards (a legal requirement for public sector bodies under the Public Sector Bodies Accessibility Regulations 2018)
- GDPR compliance — privacy notice, data processing records, FOI/SAR procedures
- Data handover procedures — documented procedures for transferring council data when the clerk role changes
Evidence to have ready:
- Domain registration showing the council (not an individual) as registrant
- Screenshots or documentation of the official email system
- Approved IT policy
- Website accessibility statement and WCAG compliance evidence
- Published privacy notice
- Data handover procedure document
Common failures: Website registered to the clerk personally. Council email uses a free provider (Gmail) rather than a council domain. No IT policy exists. Accessibility statement missing or template-only with no actual compliance evidence.
Timeline for audit preparation
| When | What |
|---|---|
| January–March | Review standing orders, financial regulations, risk assessment. Begin year-end preparation |
| 31 March | Financial year ends |
| April–May | Complete bank reconciliation, prepare AGAR, arrange internal audit |
| May–June | Internal auditor conducts audit and completes their report |
| Before 30 June | Council approves AGAR Section 1 (governance) then Section 2 (accounts) at a full council meeting. Section 1 must be approved before Section 2 |
| 1 July | Publish AGAR, transparency information, and commence the public rights period |
| Before 1 October (if applicable) | Limited assurance review completed and published |
Who can be the internal auditor?
The internal auditor must be independent of the council. They cannot be:
- A councillor or employee of the council
- Someone closely related to a councillor or employee
- The council's bookkeeper or accountant
Many councils appoint a local auditor through their county association of local councils. The auditor should have competence in accounting and internal controls — they do not need to be a qualified accountant, but they must understand parish council governance.
The internal auditor reviews prime documents at source (bank statements, invoices, minutes), unlike the external auditor, who works from the completed AGAR forms.
Sources
This article is for general guidance only. The definitive source for AGAR requirements is the SAPPP Practitioners' Guide, published annually by the Joint Panel on Accountability and Governance (JPAG) through NALC and SLCC.