Q1: How does the Internal Audit Service decide when to perform an audit?

A: The Internal Audit Service works on a five year cyclical plan that covers all academic departments, administration, and other areas of the University. Some of these areas are audited annually; others are looked at between one and three times over the five year period. The frequency of the audit is determined by a risk based model that uses the University's Risk Register and the Council for Higher Education Internal Auditors (CHIEA) ' Audit Universe' to determine all the auditable activities and the level of risk that they represent.

Q2: What happens during the internal audit?

A: The Internal Audit Service meets with the Head of Department to discuss the scope of the audit and gain some background information on what systems are used and controls in operation. We are required to consider operational risks and controls so we will also discuss areas such as Health and Safety arrangements as well as controls over financial processes. We have further meetings with other members of staff to obtain more detailed information on the controls that are used.  

Tests are carried out to check that controls are adequate and are operating effectively. This may require sampling, observing work being performed, reviewing notes of meetings and holding discussions.  

We will meet again with the Head of Department to discuss our draft findings and any recommendations we wish to make in the report.  

After this meeting, a draft report is produced. The Head of Department will be asked to comment on the factual accuracy of the report before it is finalised.

Q3: How long does an internal audit take?

A: The time involved should not normally be significant, but this depends on the complexity of the assignment. We are sensitive to the potential disruption that may occur during an audit and will always try to limit this, working around existing commitments wherever possible. Co-operation in arranging meetings as soon as possible helps to minimise the length of the audit.

Q4: Can I refuse to have an internal audit?

A: No. The Internal Audit Service has a right of access to all documents and records needed to carry out the audit. We aim to agree a convenient time to carry out the work.

Q5: Do I have to agree with what the Internal Audit Service has recommended?

A: Not necessarily, however the reason behind why certain recommendations have been made will have been fully discussed with the Head of Department at the post audit fieldwork meeting. The degree of importance of recommendations varies. IAS recommendations are graded over the following three categories:  

  • Compliance - An absence of expected key controls or complete breakdown in an existing control has been identified. The recommendation is associated with addressing non-compliance with existing University policy and procedures and immediate remedial action is required.
  • Control Improvement - The improvement to or development of an existing control has been identified. Remedial action is required in accordance with an agreed timescale.
  • Good Practice - An area of good practice or where better value for money can be achieved has been identified. Action is required in accordance with an agreed timescale.  

In addition IAS also provides an overall evaluation of each report undertaken i.e.  

  • Highly Satisfactory
    A Highly Satisfactory evaluation in general terms would be given to a report where there was evidence of a strong internal control environment and evidence of good practice.
  • Satisfactory
    A Satisfactory evaluation in general terms would be given to a report where the internal control environment was seen to be satisfactory although some good practice (and the occasional control improvement) recommendations have been identified.
  • Requires Improvement
    Similarly a Requires Improvement evaluation would be allocated when weaknesses are identified in the internal control environment with control improvement (and the occasional compliance) recommendation identified.
  • Unsatisfactory
    An Unsatisfactory evaluation would be allocated where there was found to be a poor standard of internal control with compliance (and possibly control improvement) recommendations made.

Professional judgement is required to be applied in allocating an audit evaluation to an area of work undertaken by IAS. We assess the materiality and impact on the business of the control weaknesses identified and rank each one on the basis of the likelihood of a breakdown in the control across the University and the impact that the breakdown would have. The focus of management action on the recommendations included in the report are summarised in a risk matrix which helps form the basis of the overall audit evaluation.

Q6: Who receives audit reports?

A: Draft audit reports will be issued to audited departments following the completion of audit fieldwork. Draft reports will also be issued to the University Secretary and the Director of Finance. Final audit reports incorporating the departments' response to the audit report are issued to:  

  • Convenor of Audit Committee
  • Treasurer
  • Principal
  • University Secretary
  • Dean
  • Director of Finance
  • Secretary to the Audit Committee
  • Head of Department
  • External Auditors

Q7: Can I ask the Internal Audit Service for assistance?

A: Yes. The Internal Audit Service are happy to advise on the University's rules and procedures or on implementing new systems.

Wherever possible we aim to work in partnership to improve systems for the benefit of the University. If you need to contact someone in the Internal Audit Service click here to be taken to our ' Who Are We' page.

Q8: What is the difference between an IA and the annual external audit

A: External audit is a statutory requirement which checks that the University's accounts present a true and fair view of the financial position. The internal auditors report to the Audit Committee and the University Secretary on the control systems used within the University. They should have a more detailed knowledge of systems than is required for external audit.

Q9: What is the difference between the role of the IA and line management

A: It is the management's responsibility to establish internal control. Internal control includes the whole systems of control and methods, both financial and operational, which are established to minimise risks and their impact, safeguard assets, ensure efficiency and to encourage adherence to University policies and directives.

It is the Internal Audit Service's role to carry out an independent appraisal and evaluation of the effectiveness of these controls. The Internal Audit Service is not part of line management. The Internal Audit Service does not develop and install procedures, prepare records or engage in any activity which could compromise its independence. The emphasis on independence in no way diminishes the close working relationship and need for communication between the Internal Audit Service and other functions within the University. This communication is particularly important, as our role includes appraising and advising on the controls to be included in new or revised systems, both computer and manual, before they are introduced.

Q10: What do I do if I suspect a colleague is doing something illegal?

A: You should initially contact the University Secretary. Your concerns will be taken seriously and appropriate enquiries will be made. The procedure for reporting any suspected irregularity can be found by visiting the University's web pages on Whistle blowing.

Q11: Who audits the Internal Auditors?

A: IAS is subject to audit by both the External Auditors and the SFC Governance and Management Appraisal and Policy section. Even the Auditors get audited!