Standards and Approach
1. The Internal Audit Service is responsible for conducting an objective and independent appraisal of all the University's activities, financial and otherwise. It should provide a service to the whole organisation, including Council and all levels of management. It is not an extension of, nor a substitute for, good management, although it can have a role in advising management. The Internal Audit Service is responsible for evaluating and reporting to Council and the Vice-Chancellor, and thereby providing them with assurance on the arrangements for risk management, control and governance, VFM and the production of data for public bodies. It remains the duty of management, not the Internal Auditor, to operate these arrangements, to determine whether or not to accept audit recommendations and to recognise and accept the risks of not taking action.
2. All the University's activities, funded from whatever source, fall within the remit of the Internal Audit Service. The Internal Audit Service will consider the adequacy of controls necessary to secure propriety, economy, efficiency and effectiveness in all areas. It will seek to confirm that management have taken the necessary steps to achieve these objectives and manage the associated risks.
3. The scope of internal audit work should cover all operational and management controls and should not be restricted to the audit of systems and controls necessary to form an opinion on financial statements. This does not imply that all systems will be subject to review, but that all will be included in the audit risk assessments and hence considered for review following the assessment of risk. It follows that if internal audit is to give an opinion on the whole system then that will include academic operations. The role of internal audit in this area is to confirm that there are adequate systems for management of teaching and learning and research. For example, internal audit could confirm that the examination system is operating effectively and meeting its objectives, but this does not mean that internal audit should form academic judgements. Similarly, internal audit might review a research grant to ensure that the requirements of the grant have been met, but it should not form a view on the merit of the research undertaken.
4. It is not within the remit of the Internal Audit Service to question the appropriateness of policy decisions. However, internal audit is required to examine the arrangements by which such decisions are made, monitored and reviewed.
5. The Internal Audit Service may also conduct any special reviews requested by Council, Audit Committee or Vice-Chancellor, provided such reviews do not compromise its objectivity or independence, or achievements of the approved audit plan.
6. The Head of Internal Audit is required to give an opinion to Council and Vice-Chancellor, through the Audit Committee, on the adequacy and effectiveness of the arrangements for risk management, control and governance; and for economy, efficiency and effectiveness (value for money) within the institution; and the extent to which Council can rely on these. He or she should also comment on other activities for which the governing body is responsible, and to which the Internal Audit Service has access. Internal Audit are not required to provide an opinion on the adequacy of management controls over the production of data, but will audit these controls regularly to provide Audit Committee with the information required to form an opinion on these matters.
7. To provide the required assurance, the Internal Audit Service will undertake a programme of work based on a strategy, authorised by Council on the advice of the Audit Committee. The programme will evaluate the arrangements in place:
- To establish and monitor the achievement of organisational objectives.
- To identify, assess and manage risks to those objectives.
- To advise on, formulate and evaluate policy within the responsibilities of the Vice-Chancellor.
- To ensure compliance with policies, laws and regulations.
- To ascertain the integrity and reliability of financial and other information provided to management and stakeholders, including that used in decision making.
- To ascertain that systems of control are laid down and operate to promote the most economic, efficient and effective use of resources and to safeguard assets.
- To ascertain the effectiveness of management controls over the production of data.
Standards and Approach
8. The Internal Audit Service's work will be performed with due professional care, in accordance with appropriate professional auditing practice. It will have regard to Treasury and CIIA standards and will comply with the HEFCE Audit Code of Practice as set out in Annex A of the Financial Memorandum.
9. In achieving its objectives the Internal Audit Service will develop and implement an audit strategy that assesses the University's arrangement for risk management, control and governance and for achieving value for money.
10. The Head of Internal Audit will implement measures to monitor the effectiveness of the service and compliance with standards. The Audit Committee will consider and approve the performance measures and may also ask the external auditor to provide an independent assessment of the effectiveness of the Internal Audit.
11. The Internal Audit Service has no executive role, nor does it have any responsibility for the development, implementation or operation of systems. However, it may provide independent and objective advice on risk management, control and governance, value for money and related matters, subject to resource constraints. For day to day administration purposes only, the Head of Internal Audit reports to the Director of Finance. The Head of Internal Audit has right of access to the Vice-Chancellor.
12. Within the University, responsibility for risk management, control and governance arrangements and the achievement of value for money rests with Council, who should ensure that appropriate and adequate arrangements exist without reliance on the University's Internal Audit Service. To preserve this objectivity and impartiality of the Internal Auditors' professional judgment, it is for management to determine whether or not to accept audit recommendations, to recognise and accept the risks of not taking action, and to implement recommendations.
13. The Internal Audit Service has rights of access to all the University's records, information and assets which it considers necessary to fulfil its responsibilities. Rights of access to other bodies funded by the University should be set out in the conditions of funding. The Head of Internal Audit has a direct access to the Chairman of Council, the Chairman of the Audit Committee and the Vice-Chancellor. In turn, the Internal Audit Service agrees to comply with any requests from the external auditors and the HEFCE Assurance Service for access to any further information, files or working papers obtained or prepared during audit work that they need to discharge their responsibilities.
14. The Head of Internal Audit must submit an annual report to Council and the Vice-Chancellor through the Audit Committee. The report must relate to the institution's financial year, and include any significant issues up to date for preparing the report which affect the opinion. The report should give an opinion on the adequacy and effectiveness of the institution's arrangements for: risk management, control and governance, economy, efficiency and effectiveness and the extent to which the governing body can rely on them. The Auditor should also prepare, before the beginning of the year, a long-term strategy document supported by an assessment of resource needs. These should be submitted to Council for approval following consultation with relevant managers and the Vice -Chancellor, and after consideration by the Audit Committee.
15. The Head of Internal Audit is accountable to the Vice-Chancellor and Council through the Audit Committee for the performance of the service. He or she should also report audit findings to relevant managers (including the Vice-Chancellor) and draw the attention of the Audit Committee to key issues and recommendations.
16. The Head of Internal Audit should usually produce its reports, in writing, within one month of completion of each audit, giving an opinion on the area reviewed and making recommendations where appropriate. These reports are copied to the Registrar & Secretary and summarised for Audit Committee. Managers will be required to respond to each audit report, usually within one month of issue, stating their proposed action with a timetable for implementing agreed recommendations. Material recommendations will usually be followed up some six to twelve months later. In addition the Audit Committee will monitor implementation of audit recommendations.
17. The Head of Internal Audit will report to the Vice-Chancellor any serious weaknesses, significant fraud or major accounting breakdown discovered during the normal course of audit work. If the Vice-Chancellor refuses to report the matter to the HEFCE Accounting Officer, the Chairman of the Audit Committee and the Chairman of Council, then the Auditor must report to them directly.
18. The Internal Audit Service will liaise with the External Auditors and the HEFCE Assurance Service to optimise the audit services provided to the University.