Often the first contact you will have with Internal Audit is when you find out that an audit will take place in an area for which you have responsibility. It is normal for managers in this situation to have questions and we will be pleased to answer these early in the audit process. You may also like to take a look at the information on these pages in preparation for your audit visit.
Internal Audit produces an annual audit plan which outlines the likely areas of our activity for the coming year. This is largely based upon our assessment of the risks facing the University. We work flexibly allowing us to respond to emerging risks identified by Internal Audit or managers during the year. The Annual Internal Audit Plan is approved by the University’s Audit Committee.
We consider departmental work patterns when scheduling audits and try to avoid times of peak workloads and minimise disruption.
We normally contact you a few weeks prior to the scheduled start date of the audit. We will arrange an initial meeting to establish some background knowledge about the area being reviewed and discuss the scope and timing of the planned audit work. This is an opportunity for you to provide input to the scope of the audit, particularly if there are any issues or areas of special concern you have identified. There is normally no need to prepare documentation specifically for the audit. We will confirm the audit arrangements with you in the form of an Audit Memorandum.
The audit will normally involve discussions with key staff and a review of documentation to gain a clear understanding of systems and processes. We usually carry out some tests to check how the systems work in practice. This information will influence our assessment of the systems under review and the effectiveness of controls in place. Fieldwork will normally be scheduled to fit in as conveniently as possible for you and your team, whilst allowing for us to complete the audit.
We will be open with you about issues identified through our work as the audit progresses. We believe this aspect of the audit is important as managers are well placed to offer insights and work with us to determine the best ways of resolving any issues that arise. We find that the most effective reviews occur when staff are willing to share their knowledge and experience.
We will evaluate the findings from our audit work and assess whether actions adopted by management address risks to the extent intended.
Our aim is to communicate our findings and recommendations to you in a clear, concise and constructive report.
A draft report and summary of recommendations will be prepared and circulated to you as soon as possible after the completion of the audit. We will then meet with you again to discuss the findings and related recommendations. This meeting provides an opportunity to explain the issues arising from the review and to consider any outstanding queries. The meeting also helps to ensure that any possible misunderstandings are resolved. We aim to agree all recommendations as far as possible with relevant managers at this stage.
If any changes to the draft report are agreed during the meeting these will be incorporated into the final report. You will also be asked to provide a written response to any recommendations. These responses will be formally recorded on the Summary of Recommendations. The final report will be circulated to appropriate managers and will be considered by the University’s Audit Committee.
Management are responsible for implementing the recommendations which have been agreed within the identified timescale. Internal Audit will monitor implementation by requesting periodic updates from managers. Progress is reported to the University’s Audit Committee. If problems are encountered in the implementation phase please let us know as soon as possible – wherever possible we will do our best to assist.
We do not routinely carry out follow-up audits although occasionally this may be required – either to assess progress made or to direct additional attention towards areas which could not be fully addressed within the original audit.