Merton Council's Governance Standards and Audit Committee has reviewed internal audit findings that reveal areas of concern within the council's operations. The
The Corporate Leadership Team (CLT) is ultimately accountable for delivering the council's Business Plan and is therefore responsible for monitoring and reviewing the Key Strategic Risk Register (KSRR). Risk owners are responsible for identifying and implementing appropriate actions to mitigate the risks they own.
Internal audits revealed that, since April 2025, twenty-five audit assurance reviews had been undertaken, with the following assurance opinions:
- 0 (0%) Substantial Assurance
- 16 (64%) Reasonable Assurance
- 9 (36%) Limited Assurance
- 0 (0%) No Assurance
The Internal Audit Progress Report Nov 2025 lists the audits conducted since the last committee meeting that received a limited assurance opinion:
- Transitions from Children to Adult
- Client Financial Affairs
- High Needs Block
- Declaration of Interests
- Planning Enforcement and Local Land Charges
Reasons for the 'Limited Assurance' ratings can be found in Appendix C, 'New Limited Assurance reviews', which details the Priority 1 actions resulting from these audits. For example, regarding 'Transitions from Children to Adult', the audit recommendation is: Transition plans should be reintroduced as soon as possible. It would seem reasonable to prioritise the re-introduction, so that the young people who currently stand to benefit most from a plan, receive one first.
The report also stated that 155 audit recommendations had been issued to management, of which:
- 20 (13%) were Priority 1
- 106 (68%) were Priority 2
- 29 (19%) were Priority 3
Updates on outstanding Priority 1 audit actions, including those carried over from previous years, are detailed in Appendix B of the Internal Audit Progress Report, 'Priority 1 progress'. For example, regarding 'Financial assessments', the recommendation is: The Deferred Charge Mosaic report should be reviewed as soon as possible with appropriate action taken. The team should ensure that going forward, a deferred charge is correctly recorded on Mosaic.
The updated management response, with a revised due date of 31/1/26, is: 26/6/24 - work in progress but will take a further 6 months. 06/01/25 This is still work in progress. 21/8/25 Deferred Charge Mosaic report & Deferred Charge Statements have not moved forward. Priority 1 recommendations are monitored on a regular basis by the Internal Audit team.
The Internal Audit Progress Report detailed changes to the Internal Audit Plan 2025/26, including the addition of audits for Risk Management, and Planning Enforcement Notice and Local Land charges. The report also provided updates on the progress of Priority 1 audit actions, with details of outstanding actions from previous years.

The Key Strategic Risks Register (KSRR) was also reviewed at the meeting. The report pack stated that there were currently 12 entries on the KSRR, comprising 9 Key Strategic Risks and 3 Key Strategic Issues. The report pack noted that there were 7 red Key Strategic Risks / Issues on the KSRR, relating to:
- Housing Supply - Affordable Housing
- Annual Savings Programme
- Implementation of the Climate Action Plan
- DSG Safety Valve
- Risk of Cyber attack on the Council's IT Infrastructure and Systems
- Corporate Business Plan & Balanced Budget
- School Budget Deficit
The Appendix B - Key Strategic Risk Register Q1 2025-26 outlines the control actions for each red risk, but does not specify explicit targets and timelines for addressing them. For example, regarding the 'Implementation of the Climate Action Plan', the control actions include publishing a climate delivery plan each year. Regarding 'Housing Supply - Affordable Housing', the document does not specify targets or timelines.
The report pack stated that the score of one Key Strategic Risk/Issue had increased since the last quarterly review: Risk of Cyber attack on the Council's IT Infrastructure and Systems. According to the GSAC Risk Report 2025-26 and the Key Strategic Risk Register Q1 2025-26, the following measures are in place to mitigate this risk:
- Use best of breed firewalls and DNS controllers.
- All devices have anti-virus and malware protection, which is regularly updated.
- Patch end user devices, servers and network infrastructure according to NCSC recommendations.
- Managed SOC (Security Operations Centre) via our SIEM (Systems Incident and Event management) provider.
- Email hygiene system.
- We have recently engaged a supplier to undertake a Continuous Threat Exposure Management (CTEM) gap analysis; we will review and undertake the recommendations. We are also looking to recruit a Cyber Manager and Cyber officer to undertake these recommendations and build a strategy.
- We have now moved all servers to Amazon and therefore reduced the potential attack vector.
- We have also replaced the current backup solution with cloud only.