Internal Audit Service: What to expect from an audit
The Audit Plan
The IAS Internal Audit Plan is prepared annually using a risk-based approach and aims primarily to ensure assurance can be given in respect of the key risks faced by the University in achieving its objectives. This involves reviewing the University’s Strategy and Corporate Risk Register as well as the subsidiary risk registers held within individual Directorates, Faculties, Schools and Departments. In developing the plan, IAS also take into account their inherent knowledge and experience of the University’s governance and control systems including the results of previous audit activities.
In developing the plan, IAS consult with senior managers and other key stakeholders, including members of the Audit & Risk Committee, to ensure the reviews are targeted at areas where the most value can be added. Furthermore, IAS take cognisance of professional publications including the annual Risk in Focus publication from the Chartered Institute of Internal Auditors which details the hot topics that internal audit functions should consider when developing their plan.
In addition to the risk-based plan, IAS also perform annual recurring audit work. This work is designed to meet the requirements of the Scottish Funding Council’s Financial Memorandum and Outcome Agreement.
Before the Audit
At the beginning of the academic year, the Head of Internal Audit will consult with you (as the Audit Sponsor/key contact) on the proposed scope of the review. This meeting provides you with an opportunity to raise any particular areas that you would like IAS to consider during the review.
The terms will be agreed between you and the Head of Internal Audit and provided to you in writing in advance of the audit commencing. Wherever possible, we will try to avoid your busiest times of the year to conduct our audit work. A few weeks before we are scheduled to start the work, we will arrange an initial meeting to:
- establish some background information
- explain the audit process in more depth
- identify key contacts for the review
- and, where appropriate, request copies of key documents / management information to inform our work
During the Audit
Each audit is different, but follows a planned programme of work. It will involve speaking to key members of staff and reviewing documentation to understand the systems and processes we are auditing. It will typically involve sample checking how systems and processes work in practice and using data analytics to identify areas which require further investigation. Typically, each review will include an assessment of the adequacy of the key controls in place to manage risks and the overall governance arrangements for the area under review.
IAS also have a statutory duty to consider both value for money and the risk of fraud in each of the reviews we carry out.
IAS has been authorised to have full and unrestricted access to all the University’s records, information, personnel, premises and assets which it considers necessary to fulfil its responsibilities. In line with GDPR, these records will only be kept as long as necessary to complete the audit and will be treated as strictly confidential.
IAS adopt a “no surprises” approach - we will keep you updated on any significant issues identified during the fieldwork stage to ensure our understanding is correct. At the end of the fieldwork, we will arrange a closing meeting with you to discuss all of the findings identified during the course of the review. Draft reports will be issued by email within seven days of the closing meeting. The covering email will specify the deadline for management responses, which will normally be within a further two weeks. The Audit Sponsor is responsible for checking the factual accuracy of the report and providing appropriate management actions to address the internal audit recommendations. Once satisfied that the management actions adequately address the internal audit recommendations, IAS will issue the report as final to both the Audit Sponsor and the University Secretary & Compliance Officer for final review and approval.
After the Audit
Once approval is granted by the University Secretary & Compliance Officer, the report is issued to Audit and Risk Committee members and will be presented at the next Committee meeting by the Head of Internal Audit.
Twice a year (typically in February and October), we will contact you to request a written update on the progress being made on the agreed management actions in the Audit Report. This progress is also reported to Audit and Risk Committee.