Draft Internal Audit Plan for Institute of Technology Blanchardstown 2017

Contents

1. Introduction and Approach
2. Principal Risks
3. Proposed areas of focus for Internal Audit
4. Draft Internal Audit Plan for 2017
Appendix A Risks Identified
Appendix B Internal Audit Universe

ITB Draft Internal Audit Plan PwC

1. Introduction and Approach

Introduction

PricewaterhouseCoopers (PwC) were appointed Internal Audit service provider to the Institutes of Technology Ireland (IOTI) (now known as THEA - The Technological Higher Education Association) in November 2015. Our initial tasks centred on the completion of a risk identification exercise, which facilitated the creation of a three year internal audit plan for the Institute of Technology Blanchardstown (ITB or the Institute).

Following our appointment, a risk identification exercise was performed in order for us to gain an understanding of the areas of concern and challenge, the strategic objectives and the associated risks within the Institute. The results of this risk assessment formed the basis of a three-year internal audit plan covering the period 2016 to 2018 inclusive. A programme of internal audit work for 2016 was included in the plan, which was approved by the Audit Committee on 22 March 2016.

We set out in this paper a proposed programme of internal audit work for 2017 for consideration by the Audit Committee.

Approach

The 2017 proposed internal audit plan has been created in light of ITB's risk environment, our increased understanding of Institute operations and our audit coverage over the past year. The proposed 2017 plan as articulated in this document is:

- risk based, focusing Internal Audit resources on key risk areas so that the Institute will derive maximum benefit from its investment in Internal Audit;
- designed to provide the Institute with end-to-end assurance over key risk areas;
- flexible, focusing on current and emerging risks; and,
- comprehensive, covering key risks of the Institute.

Our approach to developing the 2017 internal audit plan involved:

- Obtaining an update on key changes to the Institute's risk profile based on discussions with ;
- Reviewing the status of findings arising from previous audits completed and audit coverage over the year;
- Understanding planned changes for the coming year; and,
- Considering what worked well in the delivery of audits to date.

The list of audits proposed will be subject to further detailed discussion and review with and the Audit Committee as part of the ongoing delivery of the internal audit plan over the course of 2017. Detailed written terms of reference for each audit will be developed and agreed before the audits commence to reflect the most current information available in relation to the areas under review.

2. Principal Risks

Following our appointment, we identified a number of key risks facing the Institute. At that time we reviewed and analysed the risks identified, cross-referenced them to the Institute's risk register and sense checked them based on our previous experience. A number of the principal risks identified remain relevant to the Institute today and are:

- Failure to deliver on ITB's strategic plan and to meet the targets as set out in the TU4Dublin strategy due to financial restrictions and absence of capital investment;
- Failure to achieve the criteria for TU designation arising from a lack of investment in staff training & development;
- Non-compliance with the Code of Governance for the Irish Institutes of Technology or with relevant legislation including Health & Safety, Data Protection, EU and public procurement guidelines;
- Failure to recruit staff resources with the required skills, competencies and relevant experience as a result of constraints posed by the Employment Control Framework;
- Inability to attract / retain students (and staff) as a result of failure to invest or implement new and emerging technologies in teaching methodologies and programme delivery;
- Unavailability of staff resources to deliver on ITB core activities as a result of deployment to the TU4Dublin project;
- Reduction in fee income as a result of not attracting / retaining domestic and international students;
- Reduction in grants and funding based on student numbers;
- Delays in decision making and reporting to external bodies due to absence of adequate MIS reporting;
- Failure of IT systems due to equipment age and absence of robust Disaster Recovery / Business Continuity Plan in the event of an incident;
- Absence of up to date IT policies and procedures for students and staff that may result in unauthorised or inappropriate IT activity; and,
- Inappropriate or unauthorised access to data and systems due to poor IT security access and controls.

For the purposes of developing the internal audit plan, we based our categorisation of risks on good practice and industry risk management standards as defined by the Federation of European Risk Management Associations (FERMA) and ISO31000. These categories are:

- Strategic
- Regulatory / Industry Compliance
- Operational
- Financial, and
- Information Technology.

3. Proposed areas of focus for Internal Audit

We set out in this section a list of proposed areas for internal audit focus for the period 2017 to 2018 inclusive. A status update on audits completed in 2016 is also provided. Internal Audit's plan of work remains flexible and will change as the requirements of the Institute and change. The areas below are indicative and are based on the information available to us at this time. We expect these areas to alter and new areas of focus to be added, either as a follow on from audit work completed or because of changes in the Institute.

Table columns: Ref; Audit Area; Link to Risks; 2016; 2017; 2018

Strategic

S01 Review of Risk Framework
Audit area: Review of the Risk framework including a review of governance structure, policies and procedures, and processes for identifying, assessing, managing, monitoring and reporting on risks.
Link to risks:
- Failure to deliver on ITB's strategic plan and to meet the targets as set out in the TU4Dublin strategy due to financial restrictions and absence of capital investment
- Non-compliance with the Code of Governance for the Irish Institutes of Technology or with relevant legislation.
2016 / 2017 / 2018: Completed

Regulatory / Industry Compliance

RC01 Compliance with Code of Governance of Irish Institutes of Technology Review
Audit area: Detailed review of compliance with the Code of Governance of Irish Institutes of Technology with the aim of providing assurance to the Audit Committee that ITB is compliant with the Code of Governance.
Link to risks:
- Non-compliance with the Code of Governance for the Irish Institutes of Technology or with relevant legislation including Health & Safety, Data Protection, EU and public procurement guidelines
2016 / 2017 / 2018: X

Operational

Op01 Student Identification & Retention Review
Audit area: Review the practices, policies, systems and facilities in place to identify and attract students and to retain them for the duration of their programme. The review will assess the mechanisms that are in place to identify and attract students to ITB, understand the methods employed to engage with and retain students, in particular in their first year and to explore and make recommendations on how the student journey can be improved. As part of the review, we will identify and assess ITB in its delivery of the moments that matter in the student journey which include Arrival; Community and Enrichment; Advice & Guidance; Academic Delivery; Assessment and Feedback; Employability, and Graduation to Alumni. We will gain an understanding of the progression rates for each school and the strategies employed for student retention. We will review the following against good practice guidelines:
- ITB policies on student retention
- Systems and processes in place for identifying and monitoring progression issues, and
- The facilities in place to improve non-progression rates of students within the Institute
Link to risks:
- Inability to attract / retain students (and staff) as a result of failure to invest or implement new and emerging technologies in teaching methodologies and programme delivery
- Reduction in fee income as a result of not attracting / retaining domestic and international students
- Reduction in grants and funding based on student numbers
2016 / 2017 / 2018: X

Financial

FN01 Review of the Internal Control Framework
Audit area: Review of the Internal Control framework in place including governance, structures, key processes and controls and monitoring. In 2016, the review focussed on testing procedures and controls identified by management in the internal control framework over key financial areas including compliance with procurement regulations, payroll, accounts payable, state grant income and tuition fee income.
Link to risks:
- Failure of the Institute to meet its legal requirement and comply with the Code of Governance for the Irish Institutes of Technology
- Non-compliance with the Code of Governance for the Irish Institutes of Technology or with relevant legislation
2016 / 2017 / 2018: Completed X X

Information Technology

IT01 IT Systems Security and Controls Review
Audit area: Review of the IT General Controls environment in operation over the key systems - Banner, Core, and Agresso. Areas of focus will include IT security, system resilience, Disaster Recovery and Business Continuity. We reviewed IT policies and procedures that are in place against good practice and the application of these policies and controls in the areas of change management, password security, user access administration, systems monitoring, systems reconciliation and data transfer mechanisms.
Link to risks:
- Risk of insufficient IT Systems and support for ITB to fulfil their role
- Inappropriate or unauthorised access to key systems
- Inadequate business continuity planning in case of system breakdown leading to excessive recovery time delays and outages
- Non-compliance with Data Protection Acts or data breach due to poor IT / system controls
2016 / 2017 / 2018: Completed

Other

OT01 Findings Follow-up
Audit area: Follow-up review on the implementation of previously raised internal audit findings to provide assurance to the Audit Committee that has adequately addressed previous internal audit findings.
Link to risks:
- Weaknesses identified in past internal audit reports are not implemented resulting in a weakened control environment
2016 / 2017 / 2018: *Postponed to early 2017 X X

*Given the late commencement of the work plan for 2016 it was agreed with to postpone the findings follow up audit until early 2017.

Additional areas of potential focus

In addition to the Internal Audit areas of focus set out earlier, we have included below brief overviews of extra audits that we can complete if required by and the Audit Committee over the 2017-2018 period. An indication of the number of additional mandays for each is provided.

Table columns: Ref; Potential Additional Audit Area; Link to Risks; Days

Operational

Op02 Staff Utilisation & Timetabling
Audit area: PwC to conduct a review of the timetabling process and related utilisation levels of academic staff in the delivery of courses.
Link to risks:
- Inability to attract / retain students (and staff) as a result of failure to invest or implement new and emerging technologies in teaching methodologies and programme delivery
- Failure to recruit staff resources with the required skills, competencies and relevant experience as a result of constraints posed by the Employment Control Framework
Days: 9

Op03 Estates Review
Audit area: Review of controls over estates and facilities management with a particular focus on the governance processes in place to ensure effective management of the Institute's buildings, facilities and estates and to ensure compliance with key legislation including Health and Safety regulations
Link to risks:
- Failure of the Institute to meet its legal requirement and comply with the Code of Governance for the Irish Institutes of Technology
- Non-compliance with the Code of Governance for the Irish Institutes of Technology or with relevant legislation
Days: 9

Op04 Academic Quality Systems review
Audit area: Review of the policies, processes and system in place for Academic Quality within the Institute. Areas of focus will include:
- Governance and oversight including roles and responsibilities;
- Academic quality systems framework review including its operation, monitoring, data capture & storage mechanisms, follow-up and improvement plan
Link to risks:
- Lack of clarity in Academic Quality Assurance procedures due to lack of regular review
Days: 9

RC02 Data Protection Compliance review
Audit area: Review of compliance with Data Protection Acts. This will include detailed testing of the design and operating effectiveness of key controls and associated processes in place to achieve compliance with Data Protection regulatory requirements. We will also obtain a high-level understanding of the Institute's approach to preparing for the implementation of the EU General Data Protection Regulation (GDPR).
Link to risks:
- Non-compliance with Data Protection Acts or data breach
- Non-compliance with relevant Data Protection legislation
Days: 9

4. Draft Internal Audit Plan for 2017

This section sets out the proposed Internal Audit focus areas for 2017. The estimated number of days required to complete each audit is included. As agreed with we will conduct the findings follow up audit from 2016 in early 2017.

Ref; Audit Area; Man-days estimate
FN01; Review of Internal Control Framework; 9
Op01; Student Identification & Retention Review; 9
OT01; Findings Follow-up; 2
Total: 20 days

Breakdown of PwC Internal Audit days

The estimated level of days proposed for 2017 for the delivery of PwC Internal Audit work is 25 days. A breakdown of days for all Internal Audit activity for 2017, including and Audit Committee meeting attendance is set out in the table below.

Internal Audit Activity; No Days
Mobilisation, Planning, Audit Preparation & Meetings; 3
Preparation and Attendance at Audit Committee meetings; 2
Delivery of 2017 Internal Audits and Follow-up; 20
Number of man-days for 2017 plan: 25
Overall Cost (ex VAT) - at agreed rate 700 per day: 17,500

Appendix A Risks Identified

In the table that follows, we have captured a summary of the risks identified at the start of our appointment under each of the risk categories.

Table columns: No; Key Risks

1 Strategic
- Failure to deliver on ITB's strategic plan and to meet the targets as set out in the TU4Dublin strategy due to financial restrictions and absence of capital investment;
- Unavailability of staff resources to deliver on ITB core activities as a result of deployment to the TU4Dublin project;
- Failure to achieve the criteria for TU designation arising from a lack of investment in staff training & development;
- Failure to recruit staff resources with the required skills, competencies and relevant experience as a result of constraints posed by the Employment Control Framework;
- Inability to attract / retain students (and staff) as a result of failure to invest or implement new and emerging technologies in teaching methodologies and programme delivery;
- Reduction in funding resulting in reputational damage which may impact student numbers

2 Regulatory / Industry Compliance
- Non-compliance with the Code of Governance for the Irish Institutes of Technology or with relevant legislation including Health & Safety, Data Protection, EU and public procurement guidelines;
- Lack of clarity in Academic Quality Assurance procedures due to lack of regular review
- Failure to identify and maintain compliance with all relevant legislation (i.e. Employment Law, Health & Safety, Prompt Payments, Freedom of Information)
- Impact of any requirements / restrictions CORU may place on existing and future student numbers for health and social care professionals attending ITB

3 Operational

Academic:
- Failure to recruit/retain staff with required skills, competencies, experience
- Failure to recruit / retain staff resources with the required skills, competencies and relevant experience
- Delays in decision making and reporting to external bodies due to absence of adequate MIS reporting
- Risks associated with the constraints posed by Employment Control Framework
- Risk of critical staff with specialist skills, knowledge and experience leaving the Institute and not being replaced due to ECF restrictions
- Inability to provide adequate staff development and training programmes for staff resulting in staff departures
- Lack of clarity on the examination procedures and appeal process resulting in examination process being compromised
- Insufficient monitoring of academic quality
- Failure to attract and maintain domestic and international students / failure to correctly map or align the qualifications of incoming international students to ITB programmes
- Risks associated with Intellectual Property theft / mismanagement

Facilities:
- Lack of investment in teaching facilities which may impact ITB's reputation and impact ability to attract / retain students
- Failure of physical and ICT infrastructure to meet the needs of staff and students
- Increased number of accidents/incidents resulting in claims
- Failure to develop and maintain the Institute's buildings and estates

Other:
- Failure to have and implement effective Health and Safety procedures throughout the ITB
- Lack of appropriate and up to date crisis management / incident management and response plan resulting in operational disruptions
- Loss of organisational / corporate knowledge due to staff absence or turnover
- Failure to regularly review, update and approve policies and procedures throughout the Institute
- Inadequate oversight and monitoring of outsourced contracts / facilities management services
- Failure to attract and retain the right participants / students to the Learning and Innovation Centre (LINC)

4 Financial
- Reduction in fee income as a result of not attracting / retaining domestic and international students;
- Reduction in grants and funding based on student numbers;
- Reduction in State Grant funding
- Failure of financial controls resulting in financial error / failure to maintain a robust system of internal control
- Poor financial management resulting in cash flow shortage and inability to fund investments and working capital
- Non-compliance with Revenue guidelines in relation to tax calculation and payment

5 Information Technology
- Failure of IT systems due to equipment age and absence of robust Disaster Recovery / Business Continuity Plan in the event of an incident;
- Absence of up to date IT policies and procedures for students and staff that may result in unauthorised or inappropriate IT activity; and,
- Inappropriate or unauthorised access / data breach to data and systems due to poor IT security access and controls;
- Non-compliance with Data Protection Acts or data breach due to poor IT / system controls
- Poor change management procedures result in data loss and inadequate records of system changes
- Inadequate monitoring of service level agreements for provision of IT services and systems
- Over reliance on EduCampus for the provision of systems support and upgrading systems with all the other Institutes
- Absence of a coherent IT strategy for higher education sector / bodies
- Inappropriate access or changes made to systems and data including the examinations systems as a result of poor IT controls
- Risk of obsolescence of Banner, Agresso and Core systems and systems not being fit for purpose

Appendix B Internal Audit Universe

Column headings: Governance; Finance; HR; Academia; Development; IT; Building & Estates

Governance IOT Acts 1992-2006 Code of Governance Best Practice Guidelines Subsidiary Companies Academic Institutional Review / Enhancement Plan Programmatic Review Course Approval Process Academic Quality Procedures Academic and Student Regulations Corporate Strategic Plan / KPIs Risk Quality Internal Audit Internal Control Framework (IFC) Policy Framework Major Returns Annual Return / Programmes & Budgets Public Sector Numbers / Quotas (ECF) Unit Costing & RGAM Space Utilisation / Energy Efficiency Income Budgeting Financial Controls Expenses Policy Procurement Treasury Resource Allocation IFC Section 4, 5.3, 5.4, 6.2 Employment Control Framework Payroll Pensions Records Staff Performance/ Development Recruitment Industrial Relations Non-Salaried Staff Curriculum Academic Quality Planning of course delivery Student Experience Admissions Records Library Marketing IFC Section 3.3 Innovation / Incubation External Engagements Alumni Intellectual Property / Tech Transfer Research & Consultancy 3rd Party Contract Compliance IFC Section 3.3.2 Contract Business Continuity IT Security ITS Change Windows AD IFC Section 3.4 & 6.3 Health & Safety Campus Maintenance Campus Development Space Timetabling Facilities & Contract IFC Section 5.4 IFC- Section 6.1 Committees Governing Body GB Committees Executive Board Academic Council HEA Student Record System (SRS) IFC Section 2 IFC Section 5 IFC Section 6.3 & 6.4 Student Employment Leave IFC Section 3.1, 3.2

Review in the coming 3 years to be performed by PwC

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers at its sole discretion in writing in advance. 2016 PricewaterhouseCoopers. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers (a limited liability partnership in Ireland) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.