- Why do we have internal audit?
- What does Internal Audit do?
- What is the difference between internal audit and other audit activities?
- How does Internal Audit decide which areas to review?
- Can I refuse an audit?
- What happens during an audit?
- Do I have to accept recommendations from Internal Audit?
- Can I ask Internal Audit for advice?
- What should I do if I have concerns of theft, fraud or wrongdoing?
- How is the performance of Internal Audit measured?
Internal Audit is an important part of the University’s governance arrangements. We provide assurance to Council and the Vice-Chancellor that key risks are being managed effectively and highlight areas for improvement. Findings help line managers develop effective policies, procedures and processes. All English universities are required by HEFCE to have an internal audit function.
Throughout the year we carry out objective appraisals of selected areas of the University’s activities. Most people are aware that we evaluate and test financial systems but a significant proportion of our time is spent looking at other areas. Each audit demands a tailored approach and we draw upon financial, risk-based, systems-based, value for money, compliance-based and computer audit methodologies as appropriate. Occasionally we are involved in investigations of fraud or irregularity.
The number of different audit functions can be confusing. The University’s external audit service is provided by KPMG a professional accountancy firm. They provide an independent opinion on the accuracy of the University’s annual financial accounts. Internal Audit, however, is an in-house team of University employees and has a much broader remit covering both financial and non-financial aspects of the university’s operations. Our staff combines accountancy and specialist audit skills with experience of the higher education sector. Another audit function you may have come across is Institutional Audit. This is not financial at all - Institutional auditors carry out periodic reviews of the University’s quality and standards as part of the Quality Assurance Framework.
Audit Plans are prepared by Internal Audit and approved by the Audit Committee. Plans take into account identified risks together with information about the University’s structures, systems and processes including any areas of change. We try to achieve a balance of work between specific risks, functions and processes and across different areas of the University. Areas of high risk and impact are likely to be audited more frequently than other areas. Our plans also include provision to build in ad hoc reviews and investigations to allow us to respond to emergent risks.
No – but we are sensitive to concerns about any potential disruption that may occur during an audit. We will work with line managers to try and limit this and work around the other demands placed on departments wherever possible. We do have the right of access to all of the University's records, information and assets which we consider necessary to fulfil our responsibilities.
Each audit is slightly different so it is not possible to be exact here. Most audits include:
- An initial meeting with managers in the area to be reviewed to discuss the scope and timing of the audit
- Discussions with staff & review of documentation to gain an understanding of systems and processes
- Tests to check how systems are working in practice
- Identification and consideration of areas for improvement
- Preparation of draft report and discussion with managers
- Issue of final report including recommendations
- Follow up monitoring of management responses to recommendations.
More information at the Audit Process section.
We find that the vast majority of recommendations are agreed without any problems. During the audit we will discuss findings and possible recommendations as they emerge and will work with you to identify appropriate practical and cost-effective solutions. However it is a management responsibility to determine whether or not audit recommendations should be implemented. If recommendations are rejected it is important that managers recognise and accept the associated risks of not taking action. We will monitor agreed recommendations to ensure that they are effectively addressed in the post-audit period.
Yes. We encourage departments to approach us for independent advice and guidance on systems implementation, control and related matters. We find it is usually better to address such matters as systems are developed and before problems arise. We are happy to act as a critical friend subject, of course, to our need to maintain objectivity.
If you know of, or have a reasonable suspicion of fraud or irregularity you should notify the University Secretary so that problems can be resolved quickly. The Public Interest Disclosure Procedure sets out the procedures you should follow. The Public Interest Disclosure Act provides protection for workers who “blow the whistle” about wrongdoing.
We regularly monitor and evaluate our working practices to ensure that work is carried out in accordance with the HEFCE Code of Practice on Accountability and Audit and other professional standards. The Audit Committee formally reviews the quality of the service delivered by Internal Audit.