What Do We Do?
IAS Terms of Reference
To provide an objective assessment to the Principal and Court of the adequacy and effectiveness of the University's internal systems of control via review of management practices, operations, systems and procedures throughout the University, with the aim of improving control and achieving better value for money.
1.1 In order to provide that assessment, the Internal Audit Service will undertake a cyclic programme of work which has been agreed by Audit Committee and which includes these objectives:
- To appraise the adequacy and effectiveness of the University's internal system of control;
- To ensure compliance with established policies and procedures;
- To ascertain the integrity and reliability of financial and other information held;
- To ensure that the University's assets are properly controlled and exposure to losses from irregularity is minimised;
- To ensure that the University's systems of control encourage the economic, efficient and effective use of resources.
2. Customers of Internal Audit
2.1 The main customers of the Internal Audit Service are:
- Audit Committee
- University Management
- All University Departments
- SFC Governance and Management: Appraisal and Policy (GMAP)
- External Auditors
- Other Institutions
- Professional Groups (CHEIA, Cipfa, etc)
3. Scope and Approach
3.1 All the University's activities, funded from whatever source, fall within the scope of the Internal Audit Service. The scope of internal audit work shall cover all operational and management controls, including those at departmental level, and shall not be restricted to the audit of those systems and controls necessary to form an opinion on the financial statements.
3.2 The Internal Audit Service's work will be performed with due professional care, in accordance with appropriate professional auditing practice, including the Auditing Practices Committee's "Guidance for Internal Auditors" (June 1990). It will have regard to the relevant sections of the Government Internal Audit Manual, guidance issued by SFC and will comply with the Council's Code of Audit Practice.
4. Operational Areas and Activities
The main areas of service provision are:-
- To undertake a planned series of audit visits to both academic and non-academic departments throughout the University.
- To review critical systems in operation across the University (e.g. Finance Office systems).
- To identify possible savings and identify improvements in service provision via specific value for money reviews.
- To encourage and promote best practice in departments in relation to internal control.
- To respond to requests for assistance and advice from departments in internal control matters.
- To respond to specific requests from senior committees and management of the University.
- To liaise with the external auditors, SFC's Governance and Management: Appraisal and Policy Service (GMAP) and other auditors to enhance the audit service provided to the University.
5.1 The Internal Audit Service has no executive role within the University. The Head of Internal Audit, subject to any guidance from the Audit Committee, is solely responsible for the management and development of the Internal Audit Service. The Service has no responsibility for the development, implementation or operation of systems although it may provide advice on implementation, control and related matters, subject to resource constraints and the need to maintain objectivity. For day-to-day administrative purposes, the Head of the Internal Audit Service will report directly to the Secretary to the University.
6.1 The Internal Audit Service has unrestricted rights of access to all of the University's records, information, staff and assets, which it considers necessary to fulfil its responsibilities.
6.2 The Head of the Internal Audit Service has a right of direct access to the Convener of Court, the Convener of the Audit Committee, the Treasurer and the Principal, as Designated Officer.
6.3 The Internal Audit Service shall comply with any requests from the external auditors and SFC's GMAP for access to any information, files or working papers obtained or prepared during audit work that they need to discharge their responsibilities.
7.1 The Head of Internal Audit will prepare, before the beginning of each year, a rolling three-year Audit Plan supported by an audit needs assessment, and an annual audit plan. An appropriate extract of the Plan shall be submitted to Court for approval following consultation with relevant University managers and after consideration and endorsement by the Audit Committee.
8.1 The Head of Internal Audit shall submit an annual report to Court and to the Principal (via the Audit Committee) on work undertaken, which will include an opinion on the operation, adequacy and effectiveness of internal control at the University.
8.2 Draft audit reports will be issued timeously to audited departments following the completion of audit fieldwork and will include an opinion on control and recommendations, where appropriate. Draft reports will also be issued to the Secretary to the University and the Director of Finance. Final audit reports, including the auditee's response, will normally be issued to:
- The Convener of Audit Committee
- The Principal
- The Dean (or CAS budget-holder)
- The Secretary to Audit Committee representative(s)
- The External Auditors
- The Treasurer
- The Secretary to the University
- The Director of Finance
- The Auditee
A management summary of final audit reports issued will be presented to Audit Committee.
What Does an Internal Audit Involve?
Each department within the University is unique and as a result Internal Audit has to adapt audit work to each different environment.
However, in general, within an academic department there are certain key areas which will always be reviewed as part of the internal audit process. These include:
- Budgetary Control
- Purchasing Procedures
- Stores/Stock Control
- Research Contracts/Centres
- Asset Register
- Computer Arrangements
- Safety Arrangements
- Data Protection
- Freedom of Information
- Strategic Plan
The Auditor assesses the procedures in place within the department for monitoring all of the department's monthly budget statements (running costs, special funds, research contracts etc). The Head of Department is responsible for the management (including financial management) of the department. The objective of this part of the audit is to assess how the Head of Department monitors the overall financial 'health' of the department on a month by month basis.
The Auditor primarily assesses the procedures in place within the department for:
- recording annual leave for all categories of staff,
- completing the monthly Absence Return,
- recording overtime,
- recording additional payments to staff,
- processing expenses claim forms.
The Auditor assesses the procedures in place within the department for the completion and recording of orders, receipt of goods and the processing of the resultant invoices. The Auditor also selects a sample of orders (c. 40) raised within the department to ensure compliance with the University's Purchasing Procedures.
The Auditor assesses the procedures in place to ensure that all sales invoices (e.g. billing for courses, conferences, services rendered) are raised via the University's Finance Office.
The Auditor assesses the procedures in place within the department for cash handling (e.g. sale of course notes) to ensure adherence with the University's Cash Handling procedures.
The Auditor assesses the procedures in place (where appropriate) for the maintenance and update of accurate stock control records. The Auditor will assess areas such as the procedures for recording stock in and out of store, the procedures for undertaking stock checks and the procedures for reporting any stock discrepancies.
The Auditor selects on average three research-active members of staff and assesses the procedures in place for the monitoring of these research accounts, e.g. reconciliation of the monthly budget statements to source records. Where departments have research centres the Auditor will review the financial monitoring procedures in place (if these are run separately from the main department).
The Auditor assesses the procedures in place within the department to maintain and regularly update the University's Asset Register. From the University's Asset Register the Auditor selects a sample of assets and verifies the entry back to the physical asset held in the department. The Auditor also ensures that all additions, deletions and movements of the department's assets have been correctly recorded and authorised as per the University Asset Register procedures.
The Auditor assesses the department's IT strategy including back up and computer security arrangements. The arrangements to ensure that only legitimately purchased software is in place are also reviewed. A meeting is arranged with the Departmental Computer Officer.
The Auditor assesses the procedures in place within the department to ensure compliance with the University's Health and Safety Policy. Whilst the IAS team are not Health and Safety experts we review key aspects of the Policy (e.g. departmental safety procedures, safety inspection documentation, maintenance of S17 training forms, risk assessments including COSHH assessments, review of high risk areas). A meeting is arranged with the Departmental Safety Convener.
The Auditor assesses the procedures in place for informing the department's annual DP Return, e.g. discussion at departmental meetings, completion of the DP Audit Checklist. A meeting is arranged with the Departmental Data Protection Officer.
Freedom of Information
The Auditor assesses the procedures in place for dealing with Freedom of Information Requests. A meeting is arranged with the Departmental Freedom of Information Officer.
To ensure departmental awareness and assess the departmental contribution via the Departmental Disability contact towards the University goal set by the Disability Discrimination Act 1995 of full and equal participation of disabled people in all aspects of University life.
To confirm the department's awareness of and compliance with the University's Code of Practice on Investigations on Human Beings in relation to the requirements of the Departmental Ethics Committee (DEC).
To review the department's strategic plan and to assess the progress in implementation.
Each department we visit is unique. As such there may be areas which are unique to that department which are worthy of IAS review. Provision is made within the audit plan for these areas to be reviewed as part of the routine audit programme.
The Stages of an Audit
An Internal Audit review, regardless of what area is being audited or the nature of the type of audit (e.g. departmental, CAS, value for money), follows a set pattern. Internal Audit plans are submitted to Audit Committee in May/June each year. The plans are then forwarded by Audit Committee to the June meeting of Court for final approval. Prior to the start of the new academic year the Head of Internal Audit notifies each of the Deans/Senior Officers of the areas under their management which will be subject to an internal audit review. The Head of Internal Audit will write to the Head of Department usually three to four weeks prior to the intended start of the internal audit review.
Each audit undertaken proceeds through certain distinct stages, the details of which are illustrated below:
An introductory meeting is arranged with the Head of Department and the Head of Internal Audit or the Senior Internal Auditor (depending on who has been assigned as the key Auditor) to explain and discuss the nature of the audit work about to be undertaken and to identify useful pre-audit material (departmental organization chart, copies of minutes of key departmental committees over the last 12 months etc).
The key areas to be reviewed are discussed with the Head of Department in order to ascertain the main 'contact' staff within the Department who will liaise with Internal Audit throughout the course of the audit fieldwork.
The audit fieldwork commences i.e. meetings take place with 'contact' staff, audit sampling, testing and review of procedures and transactions within the Department is undertaken. On average, the Auditor is physically based in the Department for 7/10 days.
Post audit fieldwork may require to be undertaken with 'contact' staff to discuss preliminary findings and clarify any outstanding matters. This can be done by a variety of methods (e-mail, phone, face to face meeting).
A post audit fieldwork meeting ('wash up' meeting) is undertaken with the Head of Department in order to discuss preliminary findings.
The draft audit report (hardcopy and electronic 'pdf' version) is issued to the Head of Department in order for him to respond to the report's recommendations. The Head of Department is required to identify who in the department will have responsibility for implementing each of the agreed recommendations and the timescale for implementation. An electronic response document is also issued via e-mail. The response document sets out in a table format the report's recommendations and the Head of Department is required to complete the Management Response, Actioned By and Timescale sections of the response document. Copies of the draft reports are also lodged with the Secretary to the University and the Director of Finance.
The Department's responses to the recommendations are incorporated into the final copy of the report which is then issued to the Head of Department and also to the Principal, Secretary to the University, Treasurer, Director of Finance, Convener of Audit Committee, Secretary to the Audit Committee and External Audit.
The Internal Audit Service is keen to monitor and improve its own effectiveness. A number of performance indicators have been adopted and one of particular importance concerns the 'clients' view of the quality of the audit process. A short Client Satisfaction Survey is issued to the Department on completion of the final audit report.
The final Audit Report is submitted to the next meeting of the University's Audit Committee for review and discussion.
It is the responsibility of Internal Audit to follow up on the recommendations which have been agreed and accepted by the department in the audit report, and seek evidence of their implementation. Around three months from the issue of the final audit report a Progress Statement is also issued electronically to the Head of the Department. This statement basically requires the Head of Department to identify the state of implementation of each of the agreed recommendations. This Progress Statement is required to be completed and returned to the Head of Internal Audit Service normally 4 weeks from issue.
The full follow up review where the Auditor seeks audit evidence of the implementation of the agreed recommendation usually takes place three to ten months after the final audit report has been issued. Regular follow up reports are required to be submitted to Audit Committee in order to apprise Committee members of the current status, within the department, of the audit recommendations. A 'complete' status will not be placed on the audit file until audit evidence is obtained which confirms that all recommendations have been fully implemented.
Different Types of Audit
Central and Academic Service Reviews
Reviews undertaken within a Central and Academic Service (CAS) normally focus on systems in operation that are specific to the relevant CAS area. These 'system-based' audits enable us to:
- Assess how internal controls are operating in a system, thereby forming a view on whether reliance can be placed upon the system;
- Provide management with assurances that systems are adequately meeting the purpose for which they were designed; and
- Provide constructive and practical recommendations to strengthen systems and address identified risks.
Examples of areas subject to review
The University's Finance Office is one example of an area which would be subject to a systems-based audit, in particular the following processes:
- Cash and Bank; and
Other examples of areas include: the Personnel Office, Registry, and Estates Management.
Strategic and Corporate Reviews
In general, these reviews focus upon issues affecting the University at a corporate, operational, or faculty level. These reviews can be influenced by external bodies, for example, the Scottish Funding Council, the Government, Research Councils, etc. However, these reviews can also be initiated by the University in response to locally developed strategies, corporate aims, etc.
These reviews require the University to implement systems, policies and procedures, or revise current arrangements in order to accommodate new initiatives or changes promoted by external bodies or internal strategies, etc.
The role of internal audit is to review the arrangements implemented by the University for introducing or revising systems, policies or procedures. The audit would also assess whether the system or policy/procedures comply with the relevant requirements of the initiatives or changes introduced by the external body, or internal strategy.
Examples of areas subject to review:
- Full Economic Costing;
- Framework Agreement;
- Payroll & Personnel system; and
- Risk management arrangements.
Academic Departmental Reviews
These audits are undertaken on a rolling cyclical programme, with the frequency of review determined by an assessment of risk, and are designed to ensure the proper administration of the University's affairs. The objective of the audit is to provide an assurance on the proper and effective administration of academic departments.
Examples of areas subject to review within academic departments, are as follows:
The audit also provides the opportunity for 'other' areas specific to the department to be reviewed.
Value for Money Reviews
The term value for money (VFM) is used to describe the combination of economy, efficiency and effectiveness within the University. The 3Es, as they are commonly known, can be described as:
- Economy is the study of purchasing goods or services of the quality desired at the best possible price.
- Efficiency is the relationship between inputs and outputs and this measures the use of goods and services towards a desired output.
- Effectiveness measures the relationship between outputs and objectives. It is a measure of the extent to which the University's outputs, policies and procedures achieve the desired objectives.
The role of internal audit in relation to VFM is twofold:
- As a fundamental part of the audit review, the systems and controls established by management to secure VFM will be examined and evaluated.
- Auditors may initiate, conduct or participate in special VFM reviews.
The following are typical areas which would be subject to a VFM review within the University:
Capital Project Reviews
As expenditure on contracts forms a large part of the University's expenditure, it follows that it is necessary to maintain an adequate and effective internal audit of that expenditure.
The role of the auditor is to review, appraise and report upon the systems involved in controlling projects. The auditor is required to verify that systems developed by management are sound and adhered to. The objective is to:
- Assess and report on the adequacy of the University's financial regulations relating to contracts.
- Review and report on the extent to which procedures comply with the policies and procedural rules of the University.
- Review the adequacy of systems for controlling the operation of contract works through all the stages from feasibility, planning and design through to post-completion assessment.
- Review and report on the extent to which management information is prompt, accurate and designed for the needs of all the users.
- Appraise the system for controlling and recording the use of resources, including staff.
- Review the use of consultants and agency services provided by other organisations.
- Monitor the arrangements for the security of the University's assets and for the recovery of cost of rechargeable works.
- Prevent and detect fraud, error and impropriety.
- Identify losses due to waste, inefficiency, etc and to effect recovery where appropriate.
To attain these objectives, the auditor needs to be concerned with all stages of the project, as follows:
- Pre-contract stage includes reviewing the system for admitting contractors to the approved list and for reviewing their performance and current viability, and reviewing the system for regulating the tendering procedures and the awarding of contracts.
- Construction stage includes reviewing the system for on-site control regulating valuations of work for interim payments.
- Post-contract stage includes reviewing the system for ensuring that when the final account is produced, it is complete and accurate, and the system for ensuring that liquidated damages have been recovered where appropriate.
Although internal audit are normally involved in the University's tendering procedures, these types of review would be reserved for major capital projects being undertaken. Future examples include: WestChem, Biomedical Institute, Sports and Health Centre.
Other reviews cover a wide range of areas within the University. As a minimum, the standard objectives of these reviews are as follows:
- Achievement of the University's objectives.
- Ensuring economical and efficient use of resources.
- Ensuring compliance with established policies, laws and regulations.
- Safeguarding the University's assets and interests from losses of all kinds including those arising from fraud, irregularity and corruption.
- Ensuring the integrity and reliability of information and data.
These reviews may also consider certain areas focused upon during the Academic Departmental reviews, e.g. budgetary control, staffing, purchasing, etc.
The following are typical areas within the University which may be subject to this type of review:
- Students Association.
- Sports Union.
- Glasgow Graduate Law School.
- Professional Development Unit.
- Glasgow School of Social Work.
European Union Grant Claims
Grant claims are usually the province of the University's external auditors. However, there are an increasing number of occasions where internal audit has legitimately become involved in the audit of claims.
These claims allow departments which have been sponsored by an external body, to provide a statement showing the financial transactions relevant to that project, and the level of funding being claimed.
The sponsor body and the University department enter into a contractual agreement whereby certain conditions are agreed in advance which dictate, for example, allowable expenditure.
It is the responsibility of internal audit to undertake an audit which validates and verifies the information contained in these claims. Following this stage, a certificate is provided to the sponsor body which is signed off by the Head of Internal Audit.
Within the University, the main examples take the form of European Union grant claims.
Internal audit may be involved in investigations of fraud or irregularities. Internal auditors also assess the adequacy of the arrangements to prevent and detect irregularities, fraud and corruption. However, the primary responsibility for preventing and detecting corruption rests with management, who should institute adequate systems of internal control, including clear objectives, segregation of duties, and authorisation procedures.
The following are examples where investigations by internal audit may be required:
- Assets of the University which have gone missing, e.g. cash, equipment, etc.
- Circumvention of University policies and procedures.
- Financial or non-financial maladministration and malpractice.
- Improper conduct or unethical behaviour of a serious nature.
The Audit Planning Process
The overall objective of IAS is to provide the University's Principal and Court with an audit opinion on the adequacy and effectiveness of the University's systems of internal control. There must therefore be sufficient evidence underpinning our opinion to make it reliable.
When determining the coverage necessary to provide our assurance, IAS applies the following considerations:
- University's risk management arrangements continue to be reviewed each year to confirm the validity of the analysis to inform audit planning;
- Some high risk areas require more frequent review;
- The need for audit coverage to encompass the whole range of risks which the University has identified as 'key' to the achievement of its objectives;
- The need for an adequate range of non-key risks to be included to ensure our opinion is based on comprehensive coverage across the whole of the University;
- The need to audit projects and developments is identified as they impact on the University's risk management control and governance processes.
Audit coverage is achieved by a combination of strategic and operational audits. Strategic audits focus on the extent to which risk management, control and governance arrangements are well directed, whilst operational audits cover the extent to which these arrangements are working in practice.
Sharing of information between internal and external audit can avoid duplication of effort and enhance knowledge of the whole system of risk management, control and governance for both parties. IAS will continue to work with the External Auditors to ensure effective cooperation.
Strathclyde University, like many HEIs, limits its risk register to the top 20 significant risks. The list of auditable entities has been compiled by IAS. Where appropriate, an auditable entity on the audit universe is 'starred' to highlight the links with the key institutional risks identified by the risk management process.
Audit Committee in June 2004 indicated that it would be useful to review the University's Audit Universe on 'a regular basis'. A paper detailing the University's Audit Universe and also the CHEIA Audit Universe were presented to Audit Committee at its meeting on 10 February 2005 (AC paper 5.2) and also on 9 February 2006 (AC paper 4.5).
The first stage is the identification of all the main financial and other systems and activities of the University. Through discussion with a wide variety of staff in the University including Finance Office, Deans and Senior Officers and by reviewing relevant information (e.g. Annual Accounts, Calendar, various key committee papers and minutes etc), a detailed list is prepared, currently amounting to 149 auditable areas. The activities of the University, for the purpose of planning, have been split broadly into the following categories:
- Financial Systems
- Administration and Central Services
- Academic and Student Services
- Academic Departments
- Strategic issues
- Other Areas
- Contract Audit
- Value for Money
The audit planning process is helped by CHEIA's Audit Universe document. The Audit Universe essentially brings together a comprehensive listing of audit areas within universities. This listing contains over two hundred distinct areas. The guidance document published by HEFCE in 2004, 'Risk-based Internal Audit in Higher Education', also includes a suggested listing of auditable entities. Both the CHEIA listing and the HEFCE listing provide a useful checklist to ensure the completeness of the Strathclyde Audit Universe.
The next stage is the prioritisation of the systems/activities which have been identified. This assessment utilises the IAS' knowledge of the University, professional judgement and experience. However, these subjective criteria are supported by a more methodical approach. Each system/activity has been assessed over four set attributes. For each attribute, a score is given.
Each system/activity has been assessed over the following five attributes:
Materiality is a measure of the relative importance of a system or auditable area often based on the value of income and expenditure that flows through it. Factors to be considered include:
- value of individual transactions
- value of cumulative transactions
- perceived importance of the system/activity
Information on the Materiality of the system or department was readily obtained from the most recent set of accounts (2004/05) and the Finance Oracle system. Oracle reports were written to review income and expenditure flow through a number of Financial Account sort codes. Additional information was also available within the Finance Office (e.g. payroll system) and Personnel Office (e.g. Human Resource Information System) and elsewhere in the University.
Inherent risk is the risk associated with a particular activity or audit area by its very nature. Some transactions have a high inherent risk even though the amounts involved are small. Importantly, IAS also needs to consider risks that could harm the University's reputation. Factors to be considered include:
- is the system susceptible to error
- is the system susceptible to fraud
- is the system complex
- is the system long established
Information on the Inherent Risk was obtained from IAS' knowledge of the systems or department and the level of risk that is generally associated with such a system or department. This was informed by discussions with senior staff in the Finance Office and elsewhere in the University centre and, where appropriate, senior staff in the activity (e.g. department or unit) itself.
This is the risk that controls within a system will fail to identify any errors. The assessment of the adequacy of the internal controls is based on the results of previous internal and external audits and the internal control environment. Factors to be considered include:
- is internal control adequate
- is data processed accurately
- is data processed completely
- is data reliable
- is it subject to few manual adjustments
Information on the Control Risk was similarly obtained via audit overviews, audit work itself, discussion with Finance Office staff (and others throughout the University) and staff in the activity itself, where appropriate.
Factors to be considered include:
- any weaknesses identified by management
- any weaknesses identified by external audit
- any weaknesses identified by others
Information on Reported Weaknesses was obtained by detailed review of key university committee papers and minutes, audit reports, management letters, discussions with senior management, the external auditors and any other reports - e.g. risk management reports from departments and faculties.
Strategic Risk Register
In addition where a system or activity maps onto a strategic risk identified by the University in its Strategic Risk Register then this is separately 'starred' on the Audit Universe.
As can be seen from the above, the maximum score for any system or activity is 16 (with a 'star' flag). The Audit Universe is then analysed firstly by star category, overall scoring and then on the scoring within each of the eight key categories identified at para 4.3.
The following "risk gauge" is used by IAS in assessing the level of risk calculated.
High Risk Scoring [12 - 16]
Medium Risk Scoring [7 - 11]
Low Risk Scoring [6 or below]
It is acknowledged that this produces a priority listing based on a structured approach. No matter how carefully the four factors are assessed, together with the starred items, the Head of IAS requires to review the outcome and use knowledge and judgement to decide whether the audit frequency 'looks' right. Any such adjustments to the scoring are 'flagged' via the use of a comments box on the planning spreadsheet. The arithmetic of the exercise does not and should not predominate over IAS' knowledge and experience of the University. The full planning documentation is presented to the Secretary to the University and Director of Finance as well as the Convener of Audit Committee to ensure that other, possibly intangible, factors are not missed and are taken into account.