West Lothian College. Internal Audit Annual Report 2014/15

Transcription

1 West Lothian College Internal Audit Annual Report 2014/15 October 2015

2

3 West Lothian College Internal Audit Annual Report 2014/15 Introduction 1 Internal Audit work performed 2 Overall internal audit opinion 6 Appendix 1 Summary of Quality Assurance assessment 7 Appendix 2 Planned v actual days 9 Appendix 3 Summary of audit conclusions 10 Appendix 4 Strategic Internal Audit Plan

4

5 Introduction Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. This Annual Internal Audit Report has been prepared to meet two objectives: To provide the Audit Committee with a summary of the activities of the Internal Audit Service for the financial year ended 31 July To provide the College Board and the Principal, through the Audit Committee, with a formal opinion on the adequacy and effectiveness of West Lothian College s arrangements for governance, risk management, internal control and value for money. This opinion forms part of the annual assurance framework that supports the Governance Statement included in the College s annual accounts. In Appendix 4, we have also included the internal audit plan previously discussed and approved by the Audit Committee. This sets out the proposed programme of work for 2015/16. We invite any comments from the Audit Committee to ensure the scope of activity remains fit for purpose and aligned to the College s requirements. Acknowledgement We would like to take this opportunity to thank all members of management and staff for the help, courtesy and co-operation extended to us during the year. scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 1

6 Internal Audit work performed Scope and Responsibilities The purpose of the Internal Audit Service is to provide an objective, independent appraisal of the adequacy and effectiveness of the organisation s arrangements for governance, risk management, internal control and value for money. Management It is management s responsibility to establish a sound internal control system. The internal control system comprises the whole network of systems established to provide reasonable assurance that organisational objectives will be achieved, with particular reference to: risk management; the effectiveness of operations; the economical and efficient use of resources; compliance with applicable policies, procedures, laws and regulations; safeguards against losses, including those arising from fraud, irregularity or corruption; and the integrity and reliability of information and data. Internal audit Internal audit assists management by examining, evaluating and reporting on the controls in order to provide an independent assessment of the adequacy of the internal control system. To achieve this, internal audit should: analyse the internal control system and establish a risk-based Internal Audit programme which incorporates both new and follow-up reviews; identify and evaluate the controls which are established to achieve objectives in the most economic and efficient manner; report findings and conclusions and, where appropriate, make recommendations for improvement; provide an opinion on the reliability of the controls in the system under review; and provide an annual audit opinion to the Principal, through the Audit Committee, on the adequacy and effectiveness of the internal control system and the extent to which it can be relied upon. Conformance with Internal Auditing Standards We can confirm that our Internal Audit Service conforms with the International Standards for the Professional Practice of Internal Auditing. This is confirmed through our quality assurance and improvement programme, which includes cyclical internal and external assessments of our methodology and practice against the standards. A summary of the results of our most recent internal assessment is provided at Appendix 1. 2 West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

7 Independence Public Sector Internal Audit Standards require us to communicate on a timely basis all facts and matters that may have a bearing on our independence. We can confirm that staff members involved in each 2014/15 internal audit review were independent and their objectivity was not compromised. Approach We have agreed that our internal audit reviews will: Give clear ownership to directorates and faculties in the planning phase and encourage a holistic approach to assessing West Lothian College s risks and challenges. Approach internal audit by taking an intelligence-led, proportionate and risk based approach to quality assurance/review. Recognise the tightening financial environment which West Lothian College faces in the long term and encourage a cross-functional approach to delivering improvements. Deploy resources to ensure that the right staff are involved in the right way. This approach should realise real improvements to the organisation by enhancing understanding of the role of internal audit across the business and encouraging closer relationships with management. Planning process In order that we can provide an annual assurance statement that supports the organisation-wide Governance Statement, we include all of West Lothian College s activities and systems within the scope of our audits. Our strategic and annual internal audit plans are designed to provide the Audit Committee with assurance that internal control systems are effective in managing the organisation s key risks and best value is being achieved. The plans are therefore linked to the College s risk register. The strategic internal audit plan was developed in consultation with senior management and was formally approved by the Audit Committee. The annual internal audit plan is subject to revision throughout the year to reflect changes in the College s risk profile. A report is presented to each Audit Committee meeting summarising progress against the plan and any changes to the plan since the last meeting. We have planned our work so that we have a reasonable expectation of detecting significant control weaknesses. However, internal audit can never guarantee to detect all fraud or other irregularities and cannot be held responsible for internal control failures. Cover achieved The annual internal audit plan comprises 35 days (plus additional time for annual SUMS, EMA and student funding certification). As shown in Appendix 2, we have delivered these days in full. We confirm that there were no resource limitations that impinged on our ability to meet the audit needs of West Lothian College and no restrictions were placed on our work by management. scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 3

8 Reports We have reported our audit findings over the year. In addition, we also facilitated risk management workshops during the year. Where relevant, all reports contained action plans detailing responsible officers and implementation dates. The reports were discussed and agreed with management prior to submission to the Audit Committee. Each report assessed a set of control objectives in accordance with the following definitions. Assessment BLACK RED YELLOW GREEN Definition Fundamental absence or failure of key control procedures immediate action required. The control procedures in place are not effective inadequate management of key risks. No major weaknesses in control but scope for improvement. Adequate and effective controls which are operating satisfactorily. In addition, all of the actions within the reports are given a grade to assist management and the Audit Committee in assessing the significance of the issues raised and prioritising the actions required to address them. The grading structure is set out below: Grade Definition 5 Very high risk exposure major concerns requiring immediate Board attention. 4 High risk exposure Absence/failure of significant key controls. 3 Moderate risk exposure Not all key control procedures are working effectively. 2 Limited risk exposure Minor control procedures are not in place/effective. 1 Efficiency/housekeeping point. A summary of the results of each internal audit review including control objective assessments and number of issues raised is set out in the table below. No control objectives were assessed as black (fundamental failures). there were no grade 5 recommendations made during the year, and only one control objective was rated as red. We can confirm that we made no significant recommendations that were not accepted by management. 4 West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

9 Review Control objective assessment No. of issues per grading Income & Debtors 1 4 Risk Management 4 1 Performance Management & Delivery of Outcomes 3 2 Workforce Management ICT shared services 3 A summary of the conclusions from all of our 2014/15 reports is provided at Appendix 3. Management actions to address the issues raised have been agreed and progress will be monitored through the ongoing follow-up process. We work with management to review progress in implementing actions, with reports regularly submitted to the Audit Committee. The number of outstanding actions is relatively low. scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 5

10 Overall internal audit opinion Basis of opinion As Internal Auditors of West Lothian College, we are required to provide the Audit Committee with assurance on the adequacy and effectiveness of the arrangements for governance, risk management and internal control. In giving our opinion, it should be noted that this assurance can never be absolute. The most that the Internal Audit Service can provide is reasonable assurance that no major weaknesses have been identified in the governance, risk management or internal control arrangements, or where weaknesses have been identified, these are being addressed by management. In assessing the level of assurance to be given, the following is taken into account: The results of all audit reviews undertaken as part of the 2014/15 internal audit annual plan; Matters arising from previous audit reviews and the extent of follow-up action taken; Representations from management, both written and oral, as to corrective action taken or to be taken in response to agreed audit actions which have yet to be confirmed by internal audit review; The effect of any significant changes in the College s objectives or systems; The proportion of the College s review needs covered to date. A variety of sources of evidence are considered when assessing the level of assurance that can be given and opinions are based on evidence gathered through the whole activity and work of the Internal Audit Service. The Chief Audit Executive is satisfied that our work to date allows us to draw a reasonable conclusion as to the adequacy and effectiveness of West Lothian College s governance, risk management and internal control arrangements, and on value for money processes. Internal Audit Opinion We can provide reasonable assurance that the governance, risk management and internal control arrangements in place at West Lothian College are adequate and effective, and that adequate arrangements are in place to promote and secure value for money, deliver best value and secure regularity and propriety, subject to implementing a specific but key action in relation to completeness of recruitment audit trails. Where issues have been identified, the College has agreed actions to address these areas. Scott-Moncrieff October West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

11 Appendix 1 Summary of Quality Assurance assessment The International Standards for the Professional Practice of Internal Auditing expect us to disclose the outcome of our regular internal and external quality assessments. External assessment The diagram below summarises the outcome of our most recent quality assessment, in an externally-validated review of our compliance with education-specific internal auditing best practice. due professional care 100% 80% quality assurance 60% 40% 20% 0% strategy due professional care 89% strategy 96% methodology 93% people 88% independence 98% independence methodology quality assurance 87% people This assessment scored well against a range of other benchmark institutions. Our externally-validated group of education institutions for this assessment included a range of bodies from across the UK. We continue to work in collaboration with these partners and to develop our processes to ensure our service to the College is as efficient and effective as possible. For example, ensuring that an internal audit charter is established for all clients, and further improving the linkage of our internal audit plans to the key risks facing our clients. Internal assessment In addition, the table below summarises the outcome of our most recent internal quality assessment, in which we have assessed the extent to which our internal audit methodology conforms with the standards. Standard Does not conform Conforms Improvements we have identified Purpose & positioning Remit Reporting lines Independence Other assurance providers scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 7

12 Standard Does not conform Conforms Improvements we have identified Risk based plan Structure & resources Competencies Technical training & development Resourcing Performance management Knowledge management Audit execution Management of the IA function Engagement planning Engagement delivery Reporting Impact Standing and reputation of internal audit Impact on organisational delivery Impact on Governance, Risk and Control Comment Overall, our service conforms with the requirements of the PSIAS. A range of actions have been identified which will improve the overall effectiveness and consistency with which our methodology is applied. For example, ensuring that all relevant staff are involved in the audit planning and reporting process, and further improving the linkage of our internal audit plans to the key risks facing our clients. Our assessment is based on the overall service that is delivered to each client. Compliance with the methodology will be monitored through an enhanced system of internal quality assurance to supplement existing arrangements. We would be happy to provide Audit Committee members with further details of the information set out above and the assessment process followed, if required. 8 West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

13 Appendix 2 Planned v actual days Name of report Planned Days Actual Days Income & Debtors 5 5 Risk Management 5 5 Performance Management Delivery of Outcomes 6 6 Workforce Management 5 5 ICT Shared Services 6 6 Audit planning, Audit management, Audit Committees, follow up, management support and external audit liaison 6 6 Annual Reporting and related 2 2 Total IA days In addition to the above, we also delivered the annual SUMS, EMA and student funding certification, as planned. scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 9

14 Appendix 3 Summary of audit conclusions Income & Debtors February 2015 Systems and processes for income and debtors are well designed and we have identified no major weaknesses in the controls. However, we have identified some scope for improvement in the application of operational financial controls. An underlying theme of this review was the capacity and resources within the Finance Team. Due to staff turnover, the College has had to prioritise certain financial controls and processes over others. Main Findings Good practice The College recognises the importance of generating non-sfc income, demonstrated through establishing a Business Growth Committee. The Committee is charged with leading, managing and coordinating the College s income generation activities and growth of business across the College. The Committee meets monthly and includes representation from Curriculum, Workforce Development, Commercial & Enterprise, Finance, Management Information and Marketing. The College operates 30 days payment terms as standard, only varied and agreed for specific contracts by exception. Payment terms are clearly stated on all sales invoices. All income was raised for the correct customer and amount in the testing we performed. The College uses specific account codes on the ledger to categorise income. We tested a sample of invoices and confirmed that the income had been posted accurately to an appropriate account code, consistent with the services provided by the College. General security surrounding the accounting system is well designed. The College uses the Sun accounting system. All users require a unique username and password to access the system. Only a limited number of staff have access and their level of access is dependent on their role. All user access requests are processed by the Finance Manager, who therefore retains control over who can and cannot access the system. Opportunities for improvement To support its commercial income aspirations, the College has developed a Commercial & Growth Strategy. However, the Strategy is still in draft and is currently awaiting a piece of market research. By ensuring the Strategy is finalised and implemented, the College will be in a stronger position to evaluate and prioritise those areas where it can generate the greatest level of commercial income and ensure resources are allocated to those areas in a targeted and coordinated manner. We have also identified the following areas where financial and related controls could be further improved: The College s debtor control processes have not been formally and consistently followed throughout the year due to ing issues following the move to Office 365 (which have prevented statements being issued). This includes outstanding student debts, which have not been pursued since September West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

15 Where course start dates that are flexible (ie out with the annual academic cycle, 1 August to 31 July), Unit-E is not updated with the actual start date of the course. Instead, the system default dates of 1 August and 31 July are accepted. MIS should investigate whether actual course start and end dates could be input to Unit-E instead of these default dates. Where possible, information systems should contain as accurate data as possible. The College has not written-off bad debts since April A monthly report is made available by the debt recovery agency TNC, which recommends debts to be written-off because collection efforts have been exhausted. We obtained a copy of this report and noted that it contained 105 proposed debts to be written-off totalling 25,000. (Management have confirmed that all such debt has been provided for within the bad debt provision). Testing identified three instances where credit notes had been either retrospectively approved or had not been approved at all (amounts were low, ranging between 100 and 400). Risk exposure versus resources for control We understand through our discussions with the Finance Team that staffing pressures have affected the ability of the College to comply with certain controls. In such cases, and with focus on lower risk/value areas, management could make a proactive decision to revise the balance between the risk exposure and resource implications of controls. For example, the policy could be revised to require bad debt reports to be generated and reviewed quarterly rather than monthly. We have discussed this with management as part of the fieldwork and finalisation of this review. Risk management February 2015 West Lothian College is actively developing its risk management arrangements. The College s strategic risk register has gone through a number of iterations to make the articulation, assessment and presentation of risk information more useful and intuitive to the users of the document. This supports scrutiny and challenge. There is evidence of effective risk management at a strategic level, aligned to and supported by a strong corporate planning process. Risks have been explicitly linked to strategic or operational objectives. This approach should help support successful achievement of the College s objectives, whilst ensuring that effort/ resource is not needlessly expended on managing inconsequential risks or over-managing key risks. Main Findings West Lothian College has made good progress in developing its risk management arrangements. There is clear leadership by senior management, including the Principal. The organisation can demonstrate commitment and effort in producing a strategic risk register which has been consulted on widely, has been periodically refined, and which has been used to support executive and non-executive scrutiny and challenge. We have observed that the document is seen as a live and supportive management tool, rather than just a periodic administrative tick-box exercise. We have made several moderate-to-low risk observations in this report, to support further development of the College s risk management arrangements. These broadly relate to (i) refreshing and reminding college staff of the risk management policy and developing formal procedures and (ii) further developing risk management arrangements at operational/departmental levels. Our observations are summarised as follows: scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 11

16 The College s risk management policy has not been updated since November 2011 and does not appear to be readily and widely known to or used by staff across the organisation. Such a policy should provide a point of reference for all staff to consult, ensuring consistency of overall approach and understanding. Therefore, it is important that this document is revised (as appropriate), approved, and that all relevant staff are made aware of the guidance and how it should be used to support effective risk management. Defined risk management procedures have not yet been fully documented and developed. These are the operational procedures, methodologies, tools and techniques to implement the overarching risk management policy. This helps reduce opportunity for activities that are inconsistent, inaccurate or misaligned with the College s risk policy. As risk management becomes more embedded throughout the College, well defined risk management procedures will become increasingly valuable. Although alluded to in the Risk Policy, risk escalation/cascade routes have not been formally documented. As each tier of the College may have a slightly different perspective, each may identify different risks or perceive risks differently. Whilst there appears to be good communication within the College, formal risk escalation/risk cascade procedures will further strengthen the College s risk management framework. A risk classification system has not yet been established, nor has risk appetite been formally defined. By establishing a statement of risk appetite, aligned to a risk classification system, the College will be able to better understand and manage the impact of risks, as well as ensuring comparability between risks with differing impacts. The Scottish Public Sector Finance Manual (SPFM), which the College is now expected to comply with, stresses the importance of formally considering risk appetite. There has been a focus on risk management at a strategic level. A key principle of effective risk management is that it is successfully incorporated into all activities, processes and decision making carried out by an organisation. Accordingly, we recommend that risk management is integrated into the College s existing business processes, and is not viewed as stand-alone or parallel to the core processes. If effective risk management is not embedded at all levels of the College s activities, risks may not always be proactively identified or consistently managed. Performance Management April 2015 We have gained assurance that the College has a sound performance management framework in place. However, we have identified some areas where the College can further improve its existing processes, particularly in relation to SMART target setting, and monitoring and reporting on non-financial performance. Main Findings Good practice The College has a Regional Plan in place. The Regional Plan sets out how the College plans to achieve the SFC s priorities for the sector, as well as how it will deliver its local outcomes. The Regional Plan was approved by the Principal, the Regional Lead for West Lothian and the SFC. The Regional Plan sets out a number of Priority Outcomes the College wants to achieve and a number of Priority Outputs that underpin each Priority Outcome. The College undertook a formal internal review during 2013/14 - Fit For 2014/15, where the College looked to identify areas for improvement. The results of the review were used to develop a Fit For Plan for the College 12 West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

17 for 2014/15. The Fit For 2014/15 Plan was centred on eight themes, each underpinned by a range of College Aims. Each department/centre was then required to develop its own Fit For 2014/15 Plan. The Centre plans were based on the same eight themes and College Aims, so there was a direct link between the Centre plans and the overall College plan. We met with a range of Centre Heads during the review and confirmed that performance against their Fit For 2014/15 Plan was regularly discussed at Team Meetings and other similar forums. In addition, the College regularly discusses academic performance, including SUMs targets, as part of the fortnightly Skills & Progression Meetings, where senior academic staff are present. The College has a range of key performance indicators (KPIs) in place which it uses to monitor performance. The KPIs are both financial and non-financial. The financial KPIs were discussed and approved by the Finance & General Purposes Committee in June Performance against the financial KPIs is reported to each meeting of the Committee throughout the year. Areas for improvement We reviewed a sample of Fit For 2014/15 Plans for a number of academic centres. We noted that some of the targets within the plans do not fully follow the SMART (specific, measurable, achievable, relevant and timebound) methodology. A lack of SMART targets may make it difficult for academic centres to monitor achievement of their objectives. During 2014/15 the year-end target for three financial KPIs changed during the year, but this was not explicitly stated either in the performance report to the Finance & General Purposes Committee or within the relevant minute from the Committee meeting. The financial KPIs that changed were in relation to non-sfc income, surplus on commercial activities and staff costs. In addition, we found that the commentary provided against the financial KPIs in the performance reports to the Committee did not always set out what action would be taken to address areas of under-performance. Although performance against the College s financial KPIs is reported to each meeting of the Finance & General Purposes Committee, performance against the non-financial KPIs is not reported in the same manner via a formal performance report to the relevant committee. Through developing a formal performance report for non-financial KPIs, the College will help ensure there is a focus on performance throughout the year, which will support the College in achieving its objectives and delivering its outcomes. Workforce Management April 2015 West Lothian College can demonstrate a range of good HR practices and there is an Organisational Development Strategy in place to help ensure a solid and well performing workforce. However, we have identified a number of opportunities for improving the effectiveness and efficiency of the College s workforce planning arrangements. Main Findings An assessment of staffing requirements is performed as part of the annual budgeting process. For service areas, this is performed through the application of zero-based budgeting. For curriculum areas, a curriculum plan is developed through Unit-E Columbus which identifies lecturing hours required and allows for a comparison against current resources available. Staffing issues are discussed at the Finance and General scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 13

18 Purposes Committee, with a quarterly HR report being provided by the HR team. The report provides details of recruitment activity, starters and leavers, staff absences, employee relations, disciplinary actions and equal opportunities monitoring. The College has an Organisational Development Strategy in place, which sets out the College s strategy in relation to workforce development. This Strategy directly links to the College s Regional Plan and Outcome Agreement ( ) and identifies the aims that the strategy should help to achieve. Supporting the Organisational Development Strategy is a suite of Human Resource (HR) policies and procedures which provide details of operational processes and procedures. Management have recognised that many of these HR policies and procedures are not up-to-date and are to be reviewed and updated this year. We endorse this update. The College does not have a Workforce Plan in place to support its Organisational Development Strategy. Management have recognised that such a workforce plan is an important strategic and operational document, and work is underway to support its development. We encourage the production and approval of this plan as soon as possible. The College s current recruitment process has been in place for approximately 5 years and has not been subject to formal review in this time. Discussions with key members of staff highlighted areas for potential improvement, including review of the scoring matrix used in interviews and the make-up of interview panels. Our audit testing identified one issue in particular; a candidate, who was only 4 th placed at interview, was awarded a position. Discussions with HR advisors suggested that this was due to this candidate having relevant work experience, which suggests potential issues in the scoring matrix and weighting therein. Further, a Decision to Appoint form had not been completed and authorised. No evidence was provided showing that this individual s recruitment had been fully and appropriately authorised, and no supporting documentation was provided explaining or justifying this particular candidate s appointment in the circumstances. ICT Shared Services August 2015 The operation of the ICT shared services arrangement with the Council is very much in its infancy with the formal agreement between the two organisations being signed on the 20 May Despite this, the College has realised immediate benefits from the Council s hosting of its systems, primarily through transfer of College equipment to a more mature ICT control environment managed by dedicated specialist staff. Also, College equipment has undergone a security hardening process with server vulnerabilities being identified and fixed. The process has also resulted in the upgrading of server operating systems to ensure they could effectively be introduced into the new hosting environment. Through our meetings with representatives in the College and the Council, as well as review of the IT shared services written agreement, we have identified areas where further work is required in order to ensure the arrangement continues to operate in an efficient and effective manner for both organisations. Main Findings The main issues noted during the review were: Although, there is a meeting of minds between both the College and the Council with respect to the scope of service delivery, this needs to be more formally and explicitly defined within the written agreement to minimise the risk of misunderstandings arising with respect to service expectations; and 14 West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

19 There is currently a single point of failure with respect to the network connection with the Council and this raises a business continuity risk for the College. Should the connection fail, then without additional planning and the introduction of resilience measures, there is a risk that users may lose access to systems and data for a prolonged period of time. scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 15

20

21 Appendix 4 Strategic Internal Audit Plan Audit area 2013/14 IA activity 2014/15 Plan days 2015/16 Plan days 2016/17 Plan days Risk Register Link Notes A. Key financial systems reviews Budget setting and monitoring 5 To review the budget setting and monitoring arrangements in place, to inform monitoring, scrutiny and challenge. Purchasing and creditors 4 To evaluate procedures in place for nonpay expenditure payments. Financial ledger 3 To review appropriateness of financial ledger for recording all financial transactions, ensuring completeness and integrity. Income (SFC and Non-SFC) 3 Assess the processes in place for identifying income, raising invoices and receiving/recording income. Debtors and debt management 2 To review the approach to debtor management, including ensuring funds due 2, 5, 6 are received and accounted for appropriately. Payroll and expenses 5 To evaluate and test the controls in place over payroll, including standing changes to payroll data. Will also include testing of expense claims. scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 17

22 Audit area 2013/14 IA activity 2014/15 Plan days 2015/16 Plan days 2016/17 Plan days Risk Register Link Notes Treasury and cash management 2 To review procedures surrounding cash and bank. Education Contracts Review by previous internal auditors. TOTAL Key Financial Systems B. Corporate Governance/Strategic Strategic and operational planning 5 1, 2, 3 Including corporate/strategic and department/operational objective setting and planning. Risk management 5 5, 6 Review of procedures for risks identification, assessment and mitigation across the College (strategic and operational). Corporate governance 5 5 1, 4, /14 review by previous internal auditors. 2016/17 as part of rolling programme. Student experience 6 6 1, 3, 4, 5 To review an aspect of the student experience. This will be agreed with the College as part of the annual planning process. (2013/14: Part-time Admissions) 18 West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

23 Audit area 2013/14 IA activity 2014/15 Plan days 2015/16 Plan days 2016/17 Plan days Risk Register Link Notes Partnership working Review by previous internal auditors. Performance management and delivery of outcomes 6 2, 3, 4 Evaluate strategic performance management, including the timeliness and robustness of management information. To include consideration of regional board/ regional agreements. C. Operational Systems Reviews Business development: evaluation and pitching process 5 2 Assess the arrangements for efficient and effective identification, evaluation and response to BD opportunities. Workforce management 5 2, 5 Assess workforce strategies including skill mix and staff continuity, within the tightening financial environment. Health & Safety 4 6 Review by previous internal auditors Timetabling and curriculum planning 5 3 Agreed to look at early in 2016/17, once new arrangements have a chance to bed in. D. IT / Business Continuity reviews scott-moncrieff.com West Lothian College Internal Audit Annual Report 2014/15 19

24 Audit area 2013/14 IA activity 2014/15 Plan days 2015/16 Plan days 2016/17 Plan days Risk Register Link Notes Business continuity and disaster recovery 5 6 To assess business continuity arrangements, including disaster recovery. ICT shared services review 6 2, 3 To review the arrangements and ongoing developments for the College s strategic partnership with West Lothian Council. E. Internal audit management Audit management, audit committees, external audit liaison, follow up activity, annual planning, annual audit report Includes initial planning meetings, documentation review and audit needs assessment in 2014/15. Management support / contingency days 2 TOTAL ANNUAL DAYS IN IA PLAN In addition to the above internal audit programme, we will perform the annual certification audits of SUMS (6 days), the various Bursary and Hardship Funds (5 days), and EMA (3 days). 20 West Lothian College Internal Audit Annual Report 2014/15 scott-moncrieff.com

25 Scott-Moncrieff Chartered Accountants All rights reserved. Scott-Moncrieff refers to Scott-Moncrieff Chartered Accountants, a member of Moore Stephens International Limited, a worldwide network of independent firms. Scott-Moncrieff Chartered Accountants is registered to carry on audit work and regulated for a range of investment business activities by the Institute of Chartered Accountants of Scotland.