Glasgow Caledonian University Internal Audit Annual Report for the year ended 31 July 2008

Similar documents
Glasgow Caledonian University. Internal Audit Annual Report 2013/2014

Internal Audit Report

NOT PROTECTIVELY MARKED. Item Number 5.10 Gary Devlin, Partner, Scott- Moncrieff Recommendation to Members Members are requested to note the report.

Cairngorms National Park Authority

SARBANES-OXLEY INTERNAL CONTROL PROVISIONS: FILE NUMBER 4-511

Loch Lomond & The Trossachs National Park Authority. Annual internal audit report Year ended 31 March 2015

Internal Audit Report

City College Plymouth

Bluewaters Power 1 Pty Ltd

Sample Independent Auditor s Reports

Assistance Options to New Applicants and Sponsors in connection with Internal Controls over Financial Reporting

Customer Support Group (CSG) Invoicing and Monitoring Arrangements. April 2016

Agreeing the Terms of Audit Engagements

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued a

Grant Thornton s annual report on the HCPC s governance, risk management and internal control systems is attached.

Auditing Standards and Practices Council

Audit (Monitoring of Investigations) Sub-Committee 21 July 2014

Contract Management Final Report March 2016

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

Auditing Standards and Practices Council

The definition of a deficiency is also set forth in the attached Appendix I.

The definition of a deficiency is also set forth in the attached Appendix I.

Loch Lomond and The Trossachs. National Park Authority. Review of Internal Controls 2015/16. Prepared for Loch Lomond and The Trossachs.

An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements

Comments to be received by 31 January 2008

FOUNDATIONS IN ACCOUNTANCY Paper FAU (UK) Foundations in Audit (United Kingdom)

Minneapolis Public Schools Special School District No. 1 Minneapolis, Minnesota. Communications Letter of the Student Activity Accounts.

Review of agreed-upon procedures engagements questionnaire

Annual Audit Letter. Sheffield Teaching Hospitals NHS Foundation Trust. Year ending 31 March 2018

CAAS 104 Cost Audit and Assurance Standard on Knowledge of Business, its Processes and the Business Environment

INTERNAL AUDIT PLAN AND CHARTER 2018/19

MACQUARIE TELECOM GROUP LIMITED CORPORATE GOVERNANCE

INTERNATIONAL STANDARD ON AUDITING (IRELAND) 210 AGREEING THE TERMS OF AUDIT ENGAGEMENTS

IAASB Main Agenda (December 2008) Page Agenda Item

The NAO letter is provided to the Committee for its consideration.

Agreeing the Terms of Audit Engagements

Health Department Directorate of Performance Management and Finance

AUDITING. Auditing PAGE 1

Audit & Risk Committee Charter

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Cost Auditing Standard Cost Auditing Standard on Knowledge of Business, its Processes and the Business Environment

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

International Standard on Auditing (UK) 701

Wokingham Borough Council

Comparison of the PCAOB s Auditing Standards No. 5 and No. 2 (Certain key differences are highlighted by underlining)

Independent auditor's report

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Internal Audit Report

Internal Control Questionnaire and Assessment

Internal Controls. June-20-17

AGS 10. Joint Audits AUDIT GUIDANCE STATEMENT

Guidance Note on the College Internal Audit Service

Internal controls over Financial Reporting Key concepts. Presentation by Jayesh Gandhi at WIRC

AGS 10. Joint Audits AUDIT GUIDANCE STATEMENT

Internal Audit Charter

King III Chapter 7 & 9 Guidance on the Assessment of the System of Internal Control. June 2010

Annual Audit Letter. South Central Ambulance Service NHS Trust Audit 2007/08 September 2008

International Standard on Auditing (Ireland) 402 Audit Considerations Relating to an Entity using a Service Organisation

APES 305 TERMS OF ENGAGEMENT

Internal financial controls

The Annual Audit Letter for Devon Partnership NHS Trust

Annual Audit Letter North East Ambulance Service NHS Foundation Trust Year ended 31 March 2016 July 2016

An Overview of the 2013 COSO Framework. August 2013

COSO What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions

Internal Control Questionnaire and Assessment

Audit Documentation. ISA 230 (Redrafted) Issued June International Standard on Auditing

Appendix 1 Detailed Internal Audit Strategic Planning Process

REPORT 2016/033 INTERNAL AUDIT DIVISION

STAFF QUESTIONS AND ANSWERS

The Annual Audit Letter for Derby City Council

Independent Auditor s Report

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks

Evaluating Internal Controls

IAASB Main Agenda (December 2004) Page Agenda Item

International Standard on Auditing (UK) 600 (Revised June 2016)

Strathclyde Partnership for Transport

Chapter 06. Audit Planning, Understanding the Client, Assessing Risks, and Responding. McGraw-Hill/Irwin

CLIENT ALERT: INTERNAL CONTROL OVER FINANCIAL REPORTING

REPORT 2014/010 INTERNAL AUDIT DIVISION. Audit of contract administration at the United Nations Office at Geneva

ISA 701, Communicating Key Audit Matters in the Independent Auditor s Report

Gloucestershire Hospitals NHS Foundation Trust

Audit Committee, 20 March Internal Audit Report Stakeholder Communications. Executive summary and recommendations.

Loch Lomond and The Trossachs National Park Authority. Key Controls Report

SUGGESTED SOLUTIONS/ ANSWERS EXTRA ATTEMPT EXAMINATIONS, MAY of 11 AUDIT & ASSURANCE [P2] PROFESSIONAL LEVEL

AUDIT FIELD WORK Laws and Regulations. Presenter: Errol Gardner

We wish to thank the staff and management of the Authority for their cooperation and assistance during the course of this engagement.

We will be pleased to discuss the attached comments with you and, if desired, to assist you in implementing any of the suggestions.

1. Membership of the Committee

Communicating Key Audit Matters in the Independent Auditor s Report (ISA (NZ) 701)

Introductions. An Overview of the COSO 2013 Framework. Christian Peo Sharon Todd. An Overview of the 2013 COSO Framework.

Devon and Cornwall Police May 2017

6 Assessment of risk Introduction General risk assessment Specific risk assessment Reliability factors 50 6.

For personal use only

Paper FAU (UK) Foundations in Audit (United Kingdom) FOUNDATIONS IN ACCOUNTANCY. Monday 18 June 2012

Memo. Date: October 2018 INTRODUCTION

ESSEX POLICE, FIRE AND CRIME COMMISSIONER, FIRE AND RESCUE AUTHORITY

13-A. Fraud Phase II Issues Paper

Transcription:

Government and Public Sector Internal Audit Services October 2008 Internal Audit Annual Report for the year ended 31 July 2008

Contents Section Page 1. Background and Scope...1 2. Our Annual Opinion...3 Appendix A: Internal Audit Plan 2007/08...5 Appendix B: Critical and High Risk Recommendations...6 Appendix D: Limitations and responsibilities...9 This report is intended solely for the information of. Its existence may not be disclosed nor its contents published in any way without the prior written approval of PricewaterhouseCoopers. PricewaterhouseCoopers does not accept any responsibility to any other party to whom this report may be shown or into whose hands it may come.

1. Background and Scope Purpose 1.01 It is accepted best practice that the Head of Internal Audit provides the Audit Committee with an Annual Statement on the effectiveness of internal controls based on the work carried out during the financial year. This report constitutes this statement and covers the period from 1 August 2007 to 31 July 2008. The Audit Committee should use this and other sources of assurance it has gained during the year to make an Annual Report to the Court. Additionally we would expect our report to help inform the Audit Committee and the Court s consideration of the Statement of Internal Control. The opinion of the internal auditors does not supersede the Court s responsibility for risk, control and governance. Scope and Responsibilities 1.02 Our agreed work plan is prepared on the basis of the University s strategic risk register, existing sector knowledge, appropriate discussion with management and the focus and findings of prior internal audit work. We prepared an internal audit plan based on the risk profile which was approved by the Audit Committee. 1.03 It is management s responsibility to maintain systems of risk management, internal control and governance. Respective responsibilities of management and internal audit are set out in our engagement letter. 1.04 Internal Audit is an element of the internal control framework established by management to examine, evaluate and report on accounting and other controls over operations. Internal audit assists management in the effective discharge of its responsibilities and functions by examining and evaluating controls. Internal auditors cannot be held responsible for internal control failures. 1.05 This allocation of responsibilities is consistent with the Turnbull guidance on responsibilities for maintaining a sound system of internal control and the Scottish Funding Council (SFC) Code of Audit Practice. In summary, this guidance suggests that: the Court should set appropriate policies on internal control and seek regular assurance that the system of control is functioning effectively; management should implement the Court s policies on internal control and design, implement and monitor suitable systems; and internal audit should provide an independent assessment of the adequacy of the system of internal control. 1

Internal Audit Work Conducted 1.06 Our internal audit work has been conducted in accordance with our letter of engagement, the SFC Code of Audit Practice and the agreed strategic and annual audit plans. Appendix A summarises the internal audit activity undertaken during the period 1 August 2007 to 31 July 2008 in accordance with our agreed plan. 2

2. Our Annual Opinion Basis of Assurance 2.01 We are able to provide assurance on the adequacy of internal controls within the University arising only from the results of reviews we have completed during the period (see Appendix A), in accordance with the programme approved by the Audit Committee. In this context it is important to note that: it is management s responsibility to maintain internal control on an ongoing basis; the internal audit function only forms part of the overall internal control structure of the University; and whilst we have planned our work so that we have a reasonable expectation of detecting significant control weakness, internal audit procedures do not guarantee that fraud, or any other irregularities, will be detected. Limitations 2.02 There are inherent limitations as to what can be achieved by internal control and consequently limitations to the conclusions that can be drawn from this engagement. These limitations include the possibility of incorrect judgements in decision making, control breakdowns because of human error, control activities being circumvented by the collusion of two or more people and of management overriding controls. Also there is no certainty that internal controls will continue to operate effectively in future periods or that the controls will be adequate to mitigate all significant risks that may arise in future. Overall Assessment 2.03 We have completed the programme of internal audit work for the year ended 31 July 2008 and can report that our work did not identify any critical control weaknesses that we consider to be pervasive in their effects on the system of internal control. 2.04 However, we did identify a number of areas of higher risk in the specific systems and processes, which are outlined in Appendix B for information. It is emphasised that corrective action to address these areas has been agreed with management and a number of actions have already been implemented by management to address our findings. The findings from our review of the Cultural Business Centre financial controls were followed up during 2007/08 and good progress has been made by management. In addition, all outstanding actions will be followed up during our audit programme in 2008/09. 2.05 Taking account of the matters noted in Appendix B, we can give moderate assurance on the adequacy and effectiveness of the System of Internal Control. The definitions of our assurance levels are provided at Appendix C. For ease of reference the definition of moderate assurance is reproduced below. 3

Moderate Assurance We will provide moderate assurance in our annual opinion where we have identified mostly low and medium rated risks during the course of our audit work on business critical systems, but there have been some isolated high risk recommendations and/or the number of medium rated risks is significant in aggregate. The level of our assurance will therefore be moderated by these risks and we cannot provide a high level of assurance. Acknowledgements 2.06 We would also wish to express our thanks to all those staff who assisted in supporting the internal audit activity. Kintyre House 209 West George Street Glasgow G2 2LW October 2008 4

Appendix A: Internal Audit Plan 2007/08 Planned audit cover Audit Days Status Total Recommendations Critical High Medium Low Total Full Income Budgeting 15 Complete N/A N/A N/A N/A N/A Performance Measurement 10 Complete - 1 2 1 4 Student Records Review of Project Documentation 10 Complete - - - 2 2 National Framework Agreement 15 Complete - 2-2 4 Procurement 10 Complete - 2 6 1 9 Business Unit Reviews 50 Complete - - 9 4 13 Risk Management Arrangements 10 Complete N/A N/A N/A N/A N/A Follow Up Report 7 Complete N/A N/A N/A N/A N/A Contract Management N/A 15 N/A N/A N/A N/A N/A N/A Additional Reviews Cultural Business Centre 6 Complete 4 6 - - 10 Academic Governance 10 Complete - - 4 2 6 5

Appendix B: Critical and High Risk Recommendations Procurement Arrangements 1. The procurement manual should be reviewed and updated to reflect revised procurement arrangements (High Risk). 2. Training should be provided to all relevant budget holders and staff of the procurement policy and the need to comply with procedures (High Risk). National Framework Agreement 1. Management should implement an automatic feed from the Oracle HR system to the Payroll system. Until this is established, HR data should be reconciled monthly with payroll information (High Risk). 2. A review of information held on Oracle HR should be performed to ensure that the details for each employee are accurate, up to date and complete (High Risk). Performance Measurement 1. It is recommended that the current Business Unit indicators be reviewed and made SMART where possible in order for the indicators to be reviewed and assessed for whether achieved (High Risk). Cultural Business Centre During the course of our review we identified 6 critical and 4 high risk recommendations. Recommendations included the need to define the objectives of the Centre, the need to set a realistic and achievable budget, review the process for allocating donations and agree appropriate charge out rates. Due to the nature of the findings from our review we undertook a separate follow up exercise in September 2008. Overall, good progress has been made in implementing our recommendations and further follow up will be undertaken during 2008/09. 6

Appendix C: Annual Assurance Levels and Risk Ratings Annual assurance statements Level of Assurance High Moderate Limited No Assessment rationale We will provide high assurance in our annual opinion where we have only identified low and medium rated risks during the course of our audit work on business critical systems. We will provide moderate assurance in our annual opinion where we have identified mostly low and medium rated risks during the course of our audit work on business critical systems, but there have been some isolated high risks recommendations and/or the number of medium rated risks is significant in aggregate. The level of our assurance will therefore be moderated by these risks and we cannot provide a high level of assurance. We will provide limited assurance in our annual opinion where we have identified high or critical rated risks during our audit work on business critical systems, but these risks are not pervasive to the system of internal control and there are identifiable and discrete elements of the system of internal control which are adequately designed and operating effectively. Our assurance will therefore be limited to these elements of the system of internal control. We will provide no assurance in our annual opinion where we have identified critical rated risks during the course of our audit work on business critical systems that are pervasive to the system of internal control or where we have identified a number of high rated risks that are significant to the system of internal control in aggregate. 7

Definition of risk ratings within our individual audit assignments Risk rating Critical High Medium Low Assessment rationale Control weakness that could have a significant impact upon not only the system, function or process objectives, but also the achievement of the organisation s objectives in relation to: the efficient and effective use of resources the safeguarding of assets the preparation of reliable financial and operational information compliance with laws and regulations Control weakness that has or is likely to have a significant impact upon the achievement of key system, function or process objectives. This weakness, whilst high impact for the system, function or process does not have a significant impact on the achievement of the overall organisational objectives. Control weakness that has a low impact on the achievement of the key system, function or process objectives; or This weakness has exposed the system, function or process to a key risk, however the likelihood of this risk occurring is low. Control weakness that does not impact upon the achievement of key system, function or process objectives; however implementation of the recommendation would improve overall control. 8

Appendix D: Limitations and responsibilities Limitations inherent to the internal auditor s work Internal control Internal control, no matter how well designed and operated, can provide only reasonable and not absolute assurance regarding achievement of an organisation s objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances. Future periods Historic evaluation of effectiveness is not relevant to future periods due to the risk that: The design of controls may become inadequate because of changes in operating environment, law, regulation or other; or The degree of compliance with policies and procedures may deteriorate. Responsibilities of management and of internal auditors It is management s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management s responsibilities for the design and operation of these systems. We have planned our work so that we had a reasonable expectation of detecting significant control weaknesses and, if detected, we carried out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. We have carried out sufficient procedure to confirm that we are independent from the organisation and management. Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist, unless we are requested to carry out a special investigation for such activities in a particular area. 9

Basis of our assessment In accordance with the Scottish Funding Council Code of Audit Practice, our assessment on risk management, control and governance is based upon the result of internal audits completed during the period in accordance with the Plan approved by the Audit Committee and the accountable officer. We have obtained sufficient, reliable and relevant evidence to support the assertions that we make within our assessment of risk management, control and governance. Access to this report and responsibility to third parties This report has been prepared solely for in accordance with the terms and conditions set out in our engagement contract. We do not accept or assume any liability or duty of care for any other purpose or to any other party. However, we acknowledge that this report may be made available to third parties, such as the external auditors. We accept no responsibility to any third party who may receive this report for any reliance that they may place on it and, in particular, we expect the external auditors to determine for themselves the extent to which they choose to utilise our work. 10

2008. All rights reserved. PricewaterhouseCoopers refers to the (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback