HEFCE’s requirements for internal audit
HEFCE’s requirements for internal audit (continued during the OfS transition period) are set out in the Audit Code of Practice, Annex A to the Memorandum of assurance and accountability. The responsibility of an internal audit service is described as follows (paragraphs 11-12).
‘11. Internal audit is a vital element in good corporate governance since it provides governing bodies, audit committees and accountable officers with independent assurance about the adequacy and effectiveness of risk management, control and governance, and VFM.
12. Consequently each HEI must have a suitably resourced internal audit function which must comply with the professional standards of the Chartered Institute of Internal Auditors. Internal audit terms of reference must make clear that its scope encompasses all the HEI’s activities, the whole of its risk management, control and governance, and any aspect of VFM delivery.’
The University’s internal audit service is required to plan and deliver its audit work and to provide assurance to the Committee in compliance with all relevant standards, regulations and legislation.
The University’s internal audit function
The University’s internal audit function is currently provided by an external firm, PricewaterhouseCoopers LLP (“PwC”), under an outsourcing arrangement. While the internal auditors are external to the University, the planning, delivery and reporting of their work is supervised by the Audit and Scrutiny Committee. The internal audit plan is developed in collaboration with, and is approved by, the Committee, and adopts a risk-based approach to focus audit work on the Committee’s priorities and the key risks facing the University.
In order to be effective, the internal auditors have access to the Chair of the Audit and Scrutiny Committee, the Vice-Chancellor, the Registrar and other senior officers as necessary. In addition, departments and other units that receive visits from the internal auditors are required to assist them in the scoping, planning and delivery of their audit work so that the resulting report is of maximum possible value both to the audited unit and to the Audit and Scrutiny Committee.
The internal auditors undertake audit work and submit reports to the Audit and Scrutiny Committee during the year. In addition, an annual report is produced at the end of the financial year, advising the Committee on the internal auditors' opinion in the five key areas:
- risk management
- economy, efficiency and effectiveness (value for money)
- data quality
The internal audit contract
The Internal Audit protocol has been developed to set out clearly the responsibilities of the internal auditors and audited units, and to define the responsibilities, timetables and processes that govern the internal audit process.
The Head of Assurance and Risk Management provides liaison and support in the planning, delivery and reporting of audit work and manages the relationship between the internal auditors and the University on a day-to-day basis. The Audit Management Group, comprised of University officers and senior PwC staff, is responsible for the operation of the audit contract (membership of this Group and a brief description of its operation is given in Part A of the Internal Audit protocol. Overall responsibility for the internal audit contract lies jointly with the Director of Finance and the Registrar.
Audit independence and objectivity
The University has adopted a policy to protect the independence and objectivity of the two audit firms that provide audit services to the University: KPMG (the external auditors) and PwC (the internal auditors).
Ensuring the independence and objectivity of the external and internal audit firms is a regulatory requirement and an essential part of good governance. The 'Policy to Safeguard the Independence of the External and Internal Auditors' sets out conditions for
- engaging the external or the internal auditors to supply goods or services to the University;
- seeking or receiving gifts, donations, or sponsorship, in any form, from the external or the internal auditors;
- supplying any courses, consultancy and other academic services to the audit firms and to their staff; and
- undertaking any research or other work jointly with either of the audit firms.
Staff are asked to contact Lukasz Bohdan (Director of Assurance) for advice in the event of any contact with either of the audit firms. Further information on engagement of the internal auditors is given in Part D of the Internal Audit protocol.