What is Internal Audit?
The Institute of Internal Auditors (IIA) describes internal auditing as ".....an independent, objective assurance and consulting activity designed to add value and improve and organisation's operations. It helps an organisation accomplish its objectives by bringing an systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
Why is Internal Audit so important?
Internal audit helps the University achieve its strategic objectives by evaluating the management of risk. It also provides reassurance to senior management and other key stakeholders that important risks have been evaluated and highlights where any improvements may be necessary. The internal audit function is a critical part of the top level governance of any organisation and helps senior management to demonstrate that they are managing the organisation effectively.
How is the Internal Audit Plan agreed?
The current internal audit plan is a three year plan, agreed by the Audit & Risk Committee in October 2018. The internal audit plan is written by the University's internal audit providers and takes account of the following key areas:
- The University's strategic and operational plans and objectives;
- The University's top corporate risks;
- Results of internal audit work completed in prior years;
- External audit reports and plans;
- Input from the Audit & Risk Committee;
- Discussions with senior management
Who are our Internal Auditors?
The University's appointed internal auditors are Ernst & Young (EY).
My area is subject to an internal review- what happens next?
A detailed programme of work is agreed annually by the Audit & Risk Committee on a rolling three year basis. An outline timetable is then agreed which is designed to deliver a steady flow of reports to the Audit & Risk Committee. The timetable is shared with all of the senior staff likely to be involved in the relevant audits.
Each audit will involve "Sponsor" who will be a member of ULT (or equivalent) with overall responsibility for the area being audited, and a "Co-ordinator" who will be a senior manager appointed by the Sponsor to lead the work internally.
The Sponsor will be asked to agree a detailed scope of work with the Auditors. Formally, this is then signed off by the University Secretary as the internal contract manager.
The Co-ordinator will meet with the auditors and provide access to such information and staff as the auditors might reasonably require. The members of staff to be interviews are normally agreed as part of the project scope, and will generally include both providers and consumers or users of the services and processes being audited.
The fieldwork will normally take approximately 10-15 days depending on the complexity of the area under review and will consist of a combination of face to face interviews with staff and review and analysis of key documentation.
It is important to understand that the internal audit protocol establishes turnaround times for both parties. The auditors are required to issue a draft report within 15 days of the fieldwork concluding. The University is similarly required to approve management responses within 15 days of receiving the draft report.
When will I get to see a copy of the report and will I have an opportunity to comment on it?
A written report will be prepared and issued to the Governance Officer (in the first instance) following the conclusion of each internal audit engagement (normally within 15 working days of the fieldwork concluding). The Governance Officer will then distribute the report to the review sponsor and other key contacts identified in the assignment plan for management comments.
The covering email which accompanies the report will normally specify the deadline for management responses, which will normally be within a further 15 days.
The management comments and response to any report will be overseen by the Governance Officer (Risk & Governance), approved by the relevant ULT sponsor and then sent to the University Secretary and Principal.
The internal auditors will issue the final report to the Governance Officer within 10 working days of the management responses being received.
Internal audit reports will then be communicated and considered at the Audit & Risk Committee.
What happens after the report has been considered by the Audit & Risk Committee?
The Governance Officer (Risk & Governance) will get in touch with the review contacts to ensure that all agreed recommendations have been completed by the deadline identified by University management.
A tracking report which monitors the progress of recommendations agreed is presented at every Audit & Risk Committee by the University Secretary. Further information on how managers should respond to internal audit reviews can be found in the Internal Audit Guidelines for Managers.pdf
How often does the Audit & Risk Committee meet?
The Audit & Risk Committee meets four times a year- normally in October, December, March and May.
If you would like to discuss any aspect of the internal audit process further or have any questions in relation to any of the above please contact Governance Services.