Internal audit in local government: Time to lead, not linger

After 40 years in internal audit—working with more than fifty councils across the UK—I have seen the profession at its best and at its most constrained. I have led teams, built partnerships, and watched audit evolve from paper checklists to data-driven insights. But I have also seen it sidelined, misunderstood, and underused.

Since the abolition of the Audit Commission, internal audit in local government has operated with little external oversight. That may sound controversial, but it is the truth. And in the absence of consistent scrutiny, the quality, independence, and influence of audit functions have become increasingly variable.

We are now at a turning point. With the right mindset, this can be a moment of transformation.

Why internal audit matters more than ever

When audit operates effectively, it is transformative. We bring transparency to decisions, hold leaders accountable, and help services run more efficiently. We are not just about assurance—we are about improvement.

This occurs only when we are empowered, trusted, resourced, and allowed to challenge constructively. Sadly, that is not always the case. Audits can be deferred, reports buried, and Chief Audit Executives pushed down the reporting line. That is not just poor practice—it is a failure of governance.

The maturity gap

The maturity of a local authority directly affects its audit team. In mature councils, internal audit is regarded as a strategic partner. In others, it is a nuisance. I have seen audit findings ignored, politically sensitive areas declared “off-limits,” and risk management treated as insurance rather than a strategic discipline.

We need to be brave enough to say: this is not good enough. And we need leaders—elected and executive—who understand that audit is not about catching people out. It is about helping them succeed.

New standards, new possibilities

The Global Internal Audit Standards (GIAS) and the CIPFA Code of Practice offer a real opportunity. They provide a framework to define what “good” looks like—and a mandate to improve. But adopting them is not enough. We need to stretch them, using them to drive innovation, not just compliance.

That means tearing up static annual plans and moving to rolling, risk-based programmes. It means building dashboards that give real-time insights. And it means coordinating with other assurance providers to close gaps and avoid duplication.

Solutions and opportunities: A positive path forward

There is no single best approach to internal audit in local government. But there are promising options:

One of the most significant gaps since the abolition of the Audit Commission has been the absence of a national body to set expectations, define ambition, and hold internal audit functions to account.

That is why I believe we should seriously consider creating a national oversight body for internal audit in local government.

Such a body could:

• Set minimum standards: Define what “good” looks like in terms of independence, resourcing, reporting lines, and audit committee effectiveness.
• Promote ambition: Encourage innovation, professional development, and strategic alignment through benchmarking, awards, and shared learning.
• Monitor performance: Collect data on audit coverage, impact, and maturity and publish it transparently.
• Intervene where necessary: Where internal audit functions persistently underperform or are structurally compromised, escalate concerns to senior leadership, elected members, or regulators.
• Support improvement: Offer peer reviews, mentoring, and access to shared resources for councils that want to improve but lack capacity.

This would not be about central control—it would be about collective responsibility. A way to ensure every council, regardless of size or budget, has access to a high-quality internal audit function that protects the public interest.

It would also give Chief Audit Executives the backing of a national organisation that recognises their responsibilities and independence.

Centralisation or hybrid models

Many internal audit partnerships already exist in the UK. But it is worth considering whether a centralised or hybrid internal audit function would be appropriate. As an example, The Government Internal Audit Agency is a leader in this space and this model could unlock shared strength across councils.

This model could enable:

• Innovation: AI-powered risk assessments, predictive auditing, and real-time dashboards.
• Career progression: Clear pathways from junior auditor to CAE, with specialist tracks in cyber, data, fraud, and transformation.
• Collaboration: Cross-council learning, thematic deep-dives, and partnerships with academia and the private sector.
• Visibility and influence: A recognised centre of excellence that shapes national policy and raises the profile of public sector audit.

With greater scale or stronger governance, audit teams can act with more independence. A more arm’s-length structure—whether through centralisation or stronger internal protections—can give CAEs the confidence to challenge constructively and act in the public interest.

Investment in people

We must invest in our teams. That means:

• Access to professional certifications.
• Training in AI, data science, and digital assurance.
• Leadership development, mentoring, and secondments.
• Opportunities to speak at national and international conferences.
• A central knowledge hub for best practice, research, and case studies.

Smarter, more agile audit

We can modernise how we work by:

• Moving to rolling, risk-based audit plans.
• Adopting agile methodologies for faster, more responsive audits.
• Building dashboards that make risk visible and actionable.
• Coordinating with other assurance providers to avoid duplication and close gaps.

Creativity, foresight, and innovation

Internal audit is not about hindsight—it is about foresight. We should be scanning the horizon, identifying emerging risks, and helping councils prepare. That means embracing technology, AI, data analytics, and process mining, and developing strategies that promote innovation.

It also means being creative in how we engage stakeholders. Telling stories. Using case studies. Showing how audit adds value—not just in compliance, but in transformation.

Relationships matter

Audit is a people business. We need to build trust with senior officers, elected members, and service leads. That means clear communication, regular engagement, and a willingness to listen. It also means offering advisory services—not just assurance. Helping teams improve, not just pointing out where they have gone wrong.

Practical tips that work

Here is what I have found effective:

• Ditch the annual plan—go rolling and risk-based.
• Coordinate constantly—with finance, risk, legal, and IT.
• Go agile—short, sharp audits that deliver fast insights.
• Build dashboards—make risk visible and actionable.
• Stretch the standards—do not settle for minimum compliance.

Internal audit is one of the few functions that sees across the entire organisation. We connect the dots. We ask the questions no one else is asking. And when things go wrong, we are often the last line of defence.

But we can be more than that. We can be a catalyst for better governance, smarter decisions, and stronger public services. If we get this right, we won’t just improve audit. We will improve local government.

And that is a legacy worth leaving.

About the authors

David Hill is the former CEO of SWAP Internal Audit Services based in the UK. David has nearly 40 years of audit experience, and is a former member of the Global Guidance Committee. Connect with David on LinkedIn.