The Internal Audit Department is responsible for providing an objective and independent appraisal of all the University of Bath's activities, financial and otherwise. It should provide a service to the whole organisation, including Council and all levels of management. It is not an extension of, nor a substitute for, good management, although it can have a role in advising management.
The Internal Audit department is responsible for evaluating and reporting to the Council and Vice-Chancellor, thereby providing them with assurance on the arrangements for risk management, control and governance, and value for money (VFM).
It remains the duty of management, not the internal auditor, to operate these arrangements.
All the University's activities, funded from whatever source, fall within the remit of the Internal Audit department. The Internal Audit department will consider the adequacy of controls necessary to secure propriety, economy, efficiency and effectiveness in all areas. It will seek to confirm that management have taken the necessary steps to achieve these objectives and manage the associated risks.
The scope of Internal Audit work should cover all operational and management controls and should not be restricted to the audit of systems and controls necessary to form an opinion on the financial statements. This does not imply that all systems will be subject to review, but that all will be included in the audit risk assessment and hence considered for review following the assessment of risk. It follows that if Internal Audit is to give an opinion on the whole system then that will include academic operations.
The role of Internal Audit in this area is to confirm that there are adequate systems for the management of teaching and learning and research. For example, Internal Audit could confirm that the examination system is operating effectively and meeting its objectives, but this does not mean that Internal Audit should form academic judgements. Similarly, Internal Audit might review a research grant to ensure that the requirements of the grant have been met, but it should not form a view on the merit of the research undertaken.
It is not within the remit of the Internal Audit department to question the appropriateness of policy decisions. However, Internal Audit is required to examine the arrangements by which such decisions are made, monitored and reviewed, and related risks identified and managed.
The Internal Audit department may also conduct any special reviews requested by the Council, Audit and Risk Assurance Committee or Vice-Chancellor, provided such reviews do not compromise its objectivity or independence, or achievement of the approved audit plan.
The Head of the Internal Audit Department is required to give an annual opinion to the Council and Vice-Chancellor, through the Audit and Risk Assurance Committee, on the adequacy and effectiveness of the arrangements for risk management, control and governance; and for economy, efficiency and effectiveness (value for money) within the University; and the extent to which the Council can rely on these.
The Head of Internal Audit should also comment on other activities for which the Council is responsible, and to which the Internal Audit Department has access.
To provide the required assurance, the Internal Audit department will undertake a programme of work, based on a strategy authorised by the Council on the advice of the Audit and Risk Assurance Committee. The programme will evaluate the arrangements in place:
- to establish and monitor the achievement of organisational objectives
- to identify, assess and manage risks to the achievement of those objectives
- to assess compliance with policies, laws and regulations
- to ascertain the integrity and reliability of financial and other information provided to management and stakeholders, including that used in decision making
- to ascertain that systems of control are laid down and operate to promote the economic, efficient and effective use of resources and to safeguard assets
The Head of the Internal Audit Department is responsible for providing assurance to external stakeholders as requested by the Vice-Chancellor, Council and Audit and Risk Assurance Committee in accordance with the written instructions (provided doing so is in the University's interest and does not conflict with the Code of Ethics and International Standards of the Institute of Internal Auditors (IIA)).
Standards and approach
The Internal Audit department's work will be performed with due professional care, in accordance with appropriate professional auditing practice. It will have due regard to the Office for Students regulatory framework and the IIA Code of Ethics and International Standards and their mandatory requirements.
In achieving its objectives the Internal Audit department will develop and implement an audit strategy that assesses the University’s arrangements for risk management, control and governance and for achieving value for money.
The Head of Internal Audit will implement measures to monitor the effectiveness of the service and compliance with standards.
The Audit and Risk Assurance Committee will consider and approve these performance measures and may also ask the external auditor to provide an independent assessment of Internal Audit's effectiveness.
The Internal Audit department has no executive role, nor does it have any responsibility for the development, implementation or operation of systems. However, it may provide independent and objective advice on risk management, control and governance, value for money and related matters, subject to resource constraints.
For day-to-day administrative purposes only such as the approval of travel expenses the Head of Internal Audit should liaise with the Director of Finance.
Holiday forms will be approved by the Vice-Chancellor. The Head of Internal Audit shall have right of access to the Vice-Chancellor.
Within the University, responsibility for risk management, control and governance arrangements and the achievement of value for money rests with the Council and management, who should ensure that appropriate and adequate arrangements exist without reliance on the University's Internal Audit Department.
Where there are differences of opinion between Internal Audit and management, the governing body (on the advice of the Audit and Risk Assurance Committee) should ultimately determine whether or not to accept audit recommendations, recognise and accept the risks of not taking action, and instruct management to implement recommendations.
The Internal Audit service has rights of access to all the University's records, information and assets which it considers necessary to fulfil its responsibilities. Rights of access to other bodies funded by the University should be set out in the conditions of funding provided by the University.
The Head of Internal Audit has a right of direct access to the Chair of the Council, the Chair of the Audit and Risk Assurance Committee and the Vice-Chancellor. In turn, the Internal Audit Department agrees to comply with any requests from the external auditors and the Office for Students for access to any information, files or working papers obtained or prepared during audit work that they need to discharge their responsibilities.
The Head of the Internal Audit Department must submit an annual report to the Council and Vice-Chancellor through the Audit and Risk Assurance Committee. The report must relate to the University’s financial year and include any significant issues up to the date of preparing the report which affect the opinion.
The report should give an opinion on the adequacy and effectiveness of the University’s arrangements for:
- risk management, control and governance
- economy, efficiency and effectiveness and the extent to which the Council can rely on them.
The auditor should also prepare, before the beginning of the year, an audit risk assessment and strategy supported by an assessment of resource needs. These should be submitted to the Council for approval following consultation with relevant managers and the Vice-Chancellor, and after consideration by the Audit and Risk Assurance Committee. Under the Council scheme of delegation, approval of the Head of Internal Audit's risk assessment, strategy and programme is delegated to the Audit and Risk Assurance Committee.
The Head of the Internal Audit Department is accountable to the Vice-Chancellor and the Council through the Audit and Risk Assurance Committee for the performance of the department.
The Head of Internal Audit should also report audit findings to relevant managers (including the Vice-Chancellor) and draw the attention of the Audit and Risk Assurance Committee to key issues and recommendations. This will be done by providing the committee with copies of all reports, unless otherwise directed by the committee.
The Internal Audit Department should usually produce its reports, in writing, within one month of completing each audit, giving an opinion on the system reviewed and highlighting issues that require addressing to improve systems where appropriate. Such reports should be copied to the Vice-Chancellor, the Audit and Risk Assurance Committee and the external auditor.
Managers will be required to respond to each audit report, usually within one month of issue, stating their proposed action with a timetable for implementing agreed recommendations. Material recommendations will usually be followed up some 6-12 months later. In addition, the Audit and Risk Assurance Committee will monitor the implementation of audit recommendations.
The Head of the Internal Audit Department should report to the Vice-Chancellor and the Chair of the Audit and Risk Assurance Committee any serious weaknesses, significant fraud or major accounting breakdown discovered during the normal course of audit work.
If the Vice Chancellor refuses to report the matter to the Office for Students and the chair of the Council, then the auditor must report to them directly.
The Internal Audit department will liaise with the external auditors and the Office for Students to optimise the audit services provided to the University.