The HEFCE Audit Code of Practice requires that Internal Audit produce an annual plan based on an audit strategy linked to the perception of risk. It is no longer appropriate for internal auditors to work to a rigid five year plan addressing all areas of the business with no risk based priorities.
The operational plan which is approved by Audit Committee each year takes account of the HEFCE requirements by incorporating:
- audits linked to the revised University risk register,
- audits addressing current specific higher risk operational activities,
- audits reviewing other activities which may be inherently more risky due to the elapsed time since previous audits (audits of ‘business as usual’).
- audits required to meet external needs, for example the audit approach adopted by the external auditors and work required by UUK/CUBO in respect of the student residences.
- The computer audit plan prepared by Deloitte is approved along with the main Internal Audit annual plan.
The Internal Audit Service is responsible for conducting an independent appraisal of all the University's activities, financial and otherwise. It provides a service to the whole University, including Council and all levels of management. It is not an extension of, nor a substitute for, good management. The Internal Audit Service is responsible for giving assurance to Council and the Accountable Officer (the Vice-Chancellor) on all control arrangements. It also assists management by evaluating and reporting to them on the effectiveness of the controls for which they are responsible.
It remains the duty of management, not the Head of Internal Audit, to operate an adequate system of internal control. It is for management to determine whether or not to accept audit recommendations and to recognise and accept the risks of not taking action.
The purpose of the audit strategy is to put in place an approach that will enable internal audit to be managed in a way which will facilitate:
- the provision to the Accountable Officer of an overall opinion each year on the University’s systems of risk management, operational control and governance,
- to support the Statement of Internal Control in the Annual Accounts;
- the audit of the University’s risk management, operational control and governance systems through periodic audit plans in a way which affords suitable priority to the University’s objectives and risks;
- provision to line management of recommendations arising from audit work;
- the identification of audit resources required to deliver an audit service which meets required professional standards;
- effective co-operation with external auditors and other review bodies;
- provision of both assurance and consultancy services by internal audit;
- provision of information supporting an opinion on whether appropriate measures are in place to obtain value for money from resources;
- provision of information to support an opinion on the adequacy and effectiveness of management controls over the production of data submissions to HEFCE.
The Internal Audit Service will consider the whole of the institutional risk management, operational control and governance arrangements, including all its operations, resources, staff, services and responsibilities for other bodies. This will cover all activities associated with the institution, including controls that protect the University in its dealings with subsidiary companies, the Guild of Students and any other activity in which the University has an interest.
Considering the whole system of risk management, control and governance does not imply that the whole system should be audited. This is the essence of the risk-based approach. If internal auditors are confident about risk management, and if the risk management arrangements effectively mitigate a risk, then that risk should not merit additional audit attention.
Audits will be undertaken using professional standards set out by the CIIA and a risk based approach. Our assessment of the results of the audit, and any recommendations arising from the work will be formally reported, and summarised for Audit Committee.
In addition to the core audit program of work, a proportion of the budgeted time is allocated to ‘consultancy / special’ activities. This contingency time is managed by the Head of Internal Audit, and ensures that resource is available in the event of a fraud or other investigation, or if other appropriate calls on the team are made. Internal audit is primarily responsible for providing an independent assurance opinion, and it is therefore not appropriate for consultancy time to be used on higher risk advisory work which will require assurance opinions in future years. However, wherever possible internal audit will provide advice and add value through early involvement in projects and other developments.
The HEFCE Financial memorandum and Audit Code of Practice includes a requirement for the audit committees to give, as part of their annual opinion, an assurance about the management controls and quality assurance of data provided to HEFCE and other public bodies. To support this assurance, Audit Committee receives an annual report from management which details the control arrangements that have been put in place to ensure data quality.
Data quality forms part of the risk assessment undertaken by the Head of Internal Audit when developing the audit plan for the year. The internal audit operational plan includes periodic audits of the management and quality assurance arrangements in respect of specific data returns. The outcomes of these audits can be used by Audit Committee as one source of assurance when forming the annual opinion.
Value For Money
Internal Audit is required to provide an opinion on the adequacy of the controls in place to ensure that the institutional resources are used in an economic, efficient and effective manner. Internal Audit considers VFM as an integral part of all audits undertaken, the scoping process includes a requirement to identify opportunities for obtaining VFM, and an assessment of the management controls in place to manage this risk.
In addition to the general requirement to assess controls over obtaining VFM, the Internal Audit plan periodically includes specific audits of VFM related activities such as aspects of procurement and contract management.
In addition to the reports from the Head of Internal Audit, Audit Committee receive an annual report from the Registrar & Secretary which summarises the institutional approach to achieving and maintaining financial sustainability and meeting key VFM objectives.
Identification of Fraud
The primary responsibility for the prevention, detection and investigation of fraud rests with management, which also has the responsibility to manage the risk of fraud. It is not the primary role of Internal Audit to detect fraud, but Internal Audit is required to give independent assurance on the effectiveness of the processes put in place by management to manage the risk of fraud. Internal Audit specifically consider fraud risk in every audit undertaken, review fraud prevention controls and make recommendations where appropriate to improve those processes.
In addition to this general responsibility to consider fraud risk, Internal Audit will lead investigations at the request of the Registrar & Secretary or advise on the use of specialists in more complex investigations.