The University's responsibilities and its arrangements for internal audit: Internal audit protocol 2012/13


Summary

This paper sets out the University's current obligations and arrangements for internal audit, and defines the responsibilities, processes and requirements (the "internal audit protocol") that govern the internal audit process in 2012/13.

Internal audit

Internal audit is defined as an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. [1]

HEFCE's requirements for internal audit and assurance

Under the terms of the Financial Memorandum [2] between HEFCE and the University, Council must ensure that it is fulfilling its responsibilities for ensuring adequate and effective risk management, control and governance, and for the economy, efficiency and effectiveness (or "value for money", "VfM") of the University's activities. Council must also ensure that it has effective arrangements for the management and quality assurance of data submitted to HESA, HEFCE and other funding bodies. Although responsibility for these arrangements remains fully with Council, Council seeks assurance on these matters from the Audit and Scrutiny Committee.

The role of the Audit and Scrutiny Committee

The Audit and Scrutiny Committee reports annually to Council on its opinion as to the adequacy and effectiveness of the University's arrangements for the following five areas:

i. risk management;
ii. control;
iii. governance;
iv. economy, efficiency and effectiveness (value for money);
v. management and quality assurance of data submitted to HESA and to HEFCE and other funding bodies.

The Audit and Scrutiny Committee's opinions on these arrangements are based on the information presented to the Committee. This includes (but is not confined to) evidence presented by the University's internal auditors, whose reports also include an annual audit opinion on the five elements above. Internal audit is designed to provide reasonable assurance in relation to these areas, and cannot provide any guarantee against material errors, loss or fraud.

The University's internal audit function

The University's internal audit function is currently provided by an external firm, PricewaterhouseCoopers LLP ("PwC"), under an outsourcing arrangement. While the internal auditors are external to the University, the planning, delivery and reporting of their work is supervised by the Audit and Scrutiny Committee. The internal audit plan is developed in collaboration with, and is approved by, the Committee, and adopts a risk-based approach to focus audit work on the Committee's priorities and the key risks facing the University.

2012/13 marks a change in the operation and delivery of the University's internal audit, reflecting the developing maturity of the University's internal control processes. There is a greater integration of the internal auditors' work with risk management and assurance more broadly.

In order to be effective, the internal auditors have access to the Chair of the Audit and Scrutiny Committee, the Vice-Chancellor, the Registrar and other senior officers as necessary. In addition, departments and other units that receive visits from the internal auditors are required to assist them in the scoping, planning and delivery of their audit work so that the resulting report is of maximum possible value both to the audited unit [3] and to the Committee in the development of its annual opinion.

The internal audit protocol 2012/13

This internal audit protocol has been developed to set out clearly the responsibilities of the internal auditors and the audited units, and to define the responsibilities, timetables and processes that govern the internal audit process (see Parts A-E of this document).

Attention is drawn in particular to the setting of the date by which an audit recommendation will be completed. Departments must take care when agreeing this date because once the date is set, the Audit and Scrutiny Committee will expect that date to be met. Only in exceptional circumstances will an extension to this date be agreed. Given the importance of meeting the agreed timescales, the dates to which a department agrees must be realistic (noting that sufficient time should be allowed to enable evidence to be gathered to demonstrate completion); and work to complete the recommendations must commence as soon as possible upon the report having been accepted by the Committee.

Contact details

The relationship with the internal auditors is managed by the Senior Assistant Registrar within Council Secretariat, and by the Audit Management Group (see Part E). Colleagues are invited to contact the Senior Assistant Registrar to discuss any concerns they may have with internal audit, or to raise areas requiring investigation (sally.vine@admin.ox.ac.uk, (2)80179).

Footnotes

[1] Global Institute of Internal Auditors.
[3] In this regard, "audited units" refers to the units of the University being audited, to include academic divisions, departments, faculties and research centres, administrative and service departments, and other auditable units.

Part A: process, timetable and reporting

Table columns: Process; Responsible; Timescale (these timescales are indicative only and are subject to change); Document circulation.

These processes and timescales are indicative and may be altered with the agreement of the auditable unit, the internal auditors and the Senior Assistant Registrar. Some audit work will not fit easily into this outline timetable and a flexible approach will need to be adopted. In circumstances where agreement cannot be reached, the Audit Management Group will set out the timescale that will be required.

Audit planning

Process: Auditable unit contacted, departmental audit contacts identified.
Meeting between departmental audit contacts and internal audit to agree scope of review. A divisional representative or alternative may also attend.
to identify the purpose of the review, its place in the current year's internal audit plan, the risks addressed by the work and the intended outcomes.
Auditable unit to contribute to the development of the audit scope in order to ensure that work is appropriately targeted and adds value.
University introduction section to be drafted by the auditable unit and/or the Senior Assistant Registrar to set context and ensure key deliverables are identified and prioritised.
Responsible: , PwC; in collaboration with the Senior Assistant Registrar and departmental audit contacts; also Senior Assistant Registrar if required.
Timescale: As early as possible, and no less than 4 weeks before the start of audit fieldwork.
Timescale: As early as possible, and no less than 2 weeks before the start of audit fieldwork.

Process: Draft Terms of Reference issued to auditable unit for agreement. The Terms of Reference will confirm key audit milestone dates for the fieldwork and reporting stages of the audit.
Timescale: No less than 1 week before the start of audit fieldwork.
Document circulation: Senior Assistant Registrar. Draft ToRs may also be circulated (if relevant) to: Divisional Financial Controller (DFC).

Process: Final Terms of Reference issued to auditable unit and Senior Assistant Registrar.
Timescale: Before the start of fieldwork.
Document circulation: Senior Assistant Registrar. If related to financial matters: Deputy Director of Finance, Director of Finance, Head of Financial Assurance Services. Final ToRs are also circulated (if relevant) to: Head of Division, DFC, or relevant alternative.

Audit fieldwork and closure

Process: Closing meeting to confirm matters arising from the audit.
Responsible: and departmental audit contacts
Timescale: Last day of field work, or no more than 2 weeks after completion of fieldwork.

Audit reporting: initial draft

Process: Initial draft audit report issued to departmental audit contacts and other agreed key stakeholders.
Timescale: As soon as possible after closing meeting; timescale will depend on the nature of the report.
Document circulation: Senior Assistant Registrar. If related to financial matters: Head of Financial Assurance Services and DFC.

Process: Departmental audit contacts' confirmation as to the material accuracy of the initial draft report and highlighting of issues to be discussed/amended.
Responsible: Departmental audit contacts
Timescale: No more than 1 week after receipt of report.

Management responses

Process: Departmental audit contacts provide: (i) management responses to individual audit recommendations, including responsible officers for implementation and deadlines; (ii) overall conclusion for inclusion within executive summary of the report.
Responsible: Departmental audit contacts
Timescale: No more than 3 weeks after confirmation of material accuracy of the initial draft report. Infrequently, it may be identified at the fieldwork closing stage that more time is required to provide management responses.

Process: confirm the management responses, proposed delivery dates and responsible officers as acceptable for audit purposes and issue Final Draft report.
Timescale: No more than 1 week after receipt of management responses.

Final draft report

Process: Departmental audit contacts confirm Final Draft Report.
Responsible: Departmental audit contacts
Timescale: No more than 1 week after final draft report has been issued.
Document circulation: Senior Assistant Registrar. If related to financial matters: Head of Financial Assurance Services and DFC.

Final report

Process: Report graded (see Part C: report grading) and final report circulated.
Timescale: Within 1 week of departmental confirmation on Final Draft.
Document circulation: Audited department; Vice-Chancellor; Deputy University Secretary; Members of the Audit and Scrutiny Committee; Director of Finance; Deputy Director of Finance; Senior Assistant Registrar; Head of Financial Assurance Services; University's external auditors; Other members of management and staff agreed as appropriate during audit scoping.

Post-audit recommendations

Process: Audit recommendations posted on the tracking portal (see Part B: post-audit recommendation tracking and extensions) and departments provide evidence as recommendations are completed.
Responsible: Financial Assurance Services team; Departmental representatives

Part B: post-audit recommendation tracking and extensions

The recommendation tracking portal

The recommendation tracking portal [4] is used to record and monitor internal audit recommendations. Once an internal audit report has been finalised, the recommendations in the report are uploaded on to the portal by a member of the Financial Assurance Services team [5].

The responsible officer for each audit recommendation must ensure that the recommendation is implemented by the agreed date. The Senior Assistant Registrar will remind the departmental audit contacts for each recommendation of the need to complete an action or, in exceptional circumstances, to apply for an extension to the completion date. The PwC internal audit team will work with the department to seek completion of the recommendation. If no action is taken towards completion of a recommendation, it will be escalated to the relevant Divisional Financial Controller and the Divisional Secretary or other management as appropriate.

Departmental audit contacts are asked to note that it is essential that recommendations are discussed and understood as they arise during the fieldwork stage, at the completion meeting, and during the report drafting process. Full engagement in the process of developing the audit recommendations should ensure that the failure to address a recommendation by the deadline only occurs in exceptional circumstances.

Extensions to audit recommendation completion dates

If exceptional circumstances prevent the agreed deadline on an audit recommendation being met, the departmental audit contact should contact the Senior Assistant Registrar for assistance in completing a request for an audit extension. The audit extension request must be completed in advance of the recommendation deadline.

The audit extension request will be considered by the Audit Management Group (see Part E), which may require the departmental audit contact to attend to discuss the reasons for the extension request. The extension will only be approved if there is a valid reason why the deadline could not be met. If the extension is approved, the recommendation tracking portal will be updated with the revised completion date.

In the event that the Audit Management Group cannot reach a satisfactory resolution, the matter will be referred to the Chair of the Audit and Scrutiny Committee, and/or to a meeting of the Committee.

Part C: internal audit report grading

Internal audit reports are graded and circulated according to the criteria below.

Risk rating: "A": Critical risk
Assessment criteria: Issues found which are very serious and which are systemic or are immediate problems for the University as a whole concerning its reputation, financial security, integrity of its processes or other threat, including fraud. E.g. significant: financial impact for the University (greater than 5 million); or potential constraint on the University's ability to achieve strategic or operational objectives.
Report circulation: Council will be included in final report distribution (including appendices) following approval from Audit and Scrutiny Committee.

Risk rating: "B": High risk
Assessment criteria: Issues found which are serious in the context of the report or could develop into wider problems if not attended to. E.g. major operational control deficiencies which require urgent and immediate attention.
Report circulation: Report Executive Summary posted on the University intranet, following approval from the Audit and Scrutiny Committee.

Risk rating: "C": Medium risk
Assessment criteria: Issues found which need to be corrected but do not impact on the University as a whole. E.g. improvements required to further strengthen the framework of internal control and/or address examples of non-compliance in the area concerned.
Report circulation: Report Executive Summary posted on the University intranet, following approval from the Audit and Scrutiny Committee.

Risk rating: "D": Low risk
Assessment criteria: No significant issues found. No significant enhancements required in the risk area under review.
Report circulation: Report Executive Summary posted on the University intranet, following approval from the Audit and Scrutiny Committee.

Part D: non-audit work and consultancy provided by the internal auditors

An important element of good governance is the independence and objectivity of the internal auditors. The provision of any non-audit services or consultancy work by the internal auditors must not compromise this independence and objectivity.

The practice of internal auditors offering advice in the form of audit recommendations in response to control weaknesses identified in the course of assurance work is well established. However, the provision of advisory or consultancy work that does not directly contribute to the provision of assurance is a departure from the traditional role of the internal auditor. That said, there is not an absolute distinction between internal audit or assurance work and consultancy work. Consultancy work can itself contribute to the overall assurance that can be delivered, as it adds to the internal auditors' knowledge of risk, control and governance in the University.

Departments or other units wishing to engage the internal auditors to supply consultancy services must first contact the Senior Assistant Registrar, Sally Vine (on (2)80179 or sally.vine@admin.ox.ac.uk), for assistance in making an application to the Audit Management Group. The membership of the Group is given in Part E of this protocol.

The Group will require the following information:

i. whether resources and expertise exist within the University to deliver the work;
ii. whether the skills, knowledge and experience of the internal auditors make it appropriate to consider appointing them to undertake the consultancy work;
iii. whether the proposed work can be undertaken without risk to the internal auditors' independence; and
iv. whether the proposed work should be classified as assurance or consultancy.

In reaching a decision, the Group will take the following factors into account:

v. whether other service providers have been considered;
vi. whether the proposed scope of work (including details of the proposed fees) is sufficiently detailed; and
vii. whether the commissioning department intends to bear the cost of the work.

In general, the cost of assurance work that can be delivered within the audit contract for the year, either as part of delivery of the agreed audit plan or through the approved use of contingency hours, will not be borne by the department. The cost of assurance work that is delivered in addition to the delivery of the audit plan, or the cost of consultancy work, may be borne by the commissioning department.

Part E: the Audit Management Group

The Audit Management Group is responsible for the planning and monitoring of the internal audit contract. Its membership is as follows:

Deputy University Secretary, Emma Rampton
Director of Finance, Giles Kerr
Deputy Director of Finance, Rob Williams
Head of Financial Assurance Services, Barry Pemberton
Engagement partner, PwC, Richard Bacon
Senior manager, PwC, Leon Mayfield
Secretary: Senior Assistant Registrar, Sally Vine

Departments with questions or concerns regarding internal audit, or wishing to seek approval for consultancy services to be provided by the internal auditors, are requested to contact the Secretary to the Group, Sally Vine, on (2)80179 or