The overall goal of Internal Audit is to add value and improve the University's operations. The University is required to have in place a comprehensive system of risk management, control and corporate governance. As part of this, Internal Audit provides reasonable assurance to the Audit & Scrutiny Committee and management that: risks are identified and managed; financial, managerial and operational information is accurate, reliable and timely; and activity is compliant with policies and procedures and applicable laws and regulations.
The University’s responsibilities and its arrangements for internal audit
Information on these pages will be of particular interest to University of Oxford staff who are or will be involved in an internal audit, whether that be the sponsor of an audit or someone who has been asked to help prepare for or participate in an audit, or is responsible for a follow up recommendation. It is also useful for management who are looking to request an internal audit.
The University’s internal audit function is currently provided by an external firm, PricewaterhouseCoopers LLP (‘PwC’). The planning, delivery and reporting of internal audit work is supervised by the Audit and Scrutiny Committee, with delegated responsibility to the Assurance Management Group. The Assurance Management Group also considers questions relating to the independence of the auditors. All of the University’s activities (including outsourced activities) and legal entities are within scope of Internal Audit (except for the Press).
Functions/departments are selected for audit based on a risk assessment process as well as feedback from senior leaders within the University, the Audit & Scrutiny Committee and the Assurance Management Group. Consideration is given to factors such as impact on the University’s strategic objectives, size and complexity of the function/department, research activity, compliance risks, amount of cash receipts, changes in key personnel, etc. Departments or functions with higher risk will be audited more frequently than those with lower risk. Management may also request an audit.
Internal Audit conducts standard reviews as well as follow-up reviews over the following areas:
These address questions regarding internal controls, accounting and the propriety of financial transactions. Most audits are integrated encompassing financial, operational, compliance and information technology audits.
These determine the degree of adherence to laws, regulations, policies, and procedures of the University and relevant regulatory bodies.
These review the use of resources and procedures/practices in the department being audited to determine if goals and objectives are being met in the most effective and efficient manner. A key component of operational audits is to assess the internal control environment of the function/department to manage and mitigate inherent risks.
These evaluate system processing controls, data security, physical security, systems development procedures, contingency planning, and systems requirements.
These are performed in response to requests by the Assurance Management Group.
The audit process consists of four phases:
Follow the link above for additional details (including information on the follow up tool TrAction)
During this phase the objectives and scope are determined.
This phase involves conducting interviews and testing compliance with policies and procedures. Internal controls are also assessed and tested.
In this phase, a summary of audit findings and recommendations is prepared and presented to management for discussion. Once the findings/recommendations are finalised, the final report is issued.
It is very important you are comfortable with any recommended actions assigned to you, and the agreed timeframes for implementation, as these will be followed-up on this basis after the audit.
If you are unsure whether funding will be available for the action(s) for which you are accountable you should propose an alternative action which you would take should the funding for the preferred action not become available and agree this with the audit sponsor, as well as working on a plan to reduce risk in the meantime. For ‘high’ or ‘critical’ rated actions these plans will need to be agreed with Audit and Scrutiny Committee.
If you are not the person who will be delivering the action you should check with the audit team whether you are the correct action owner. If, for reasons of seniority, you are still the most appropriate action owner you should check with those who will be supporting you to deliver the action that it is appropriate and achievable within the agreed timeframe. If the action will require input across multiple units (e.g. different departments / divisions) you will need to obtain sign off from the relevant Heads of Division / Department before committing to the action.
This phase ensures that all audit recommendations have been satisfactorily implemented. Some verification procedures may be performed to ensure that recommendations have been adequately addressed. Follow-up tracking results are shared with Audit & Scrutiny Committee.
The audit duration depends on the size and complexity of the function/department being audited. Based on these factors, budget hours are established during the planning phase of each audit. Generally, audits can last from two to four months from scoping to final report submission – though much of that time will be taken up with planning. Fieldwork typically lasts between 4 – 8 weeks (depending on the complexity of the audit).
The draft audit report will be shared with management of the function/department being audited for their review and comment and copied to the Head of Risk, Compliance and Assurance / Director of Assurance for information. The draft will then be updated to take into account this feedback, before being shared with the senior management sponsor of the audit for review including the Director (or equivalent, e.g. Divisional Registrar) responsible for the function. A final version will then be submitted to the Audit & Scrutiny Committee, with copies sent to the senior management sponsor of the audit for review including the Director (or equivalent, e.g. Divisional Registrar) responsible for the function, Head of Risk, Compliance and Assurance and Director of Assurance. Following the acceptance of reports by the Audit and Scrutiny Committee, executive summaries are uploaded to the website (SSO required) and any lessons learned of broader applications will be shared with relevant parties.
Internal Audit assesses each department/function’s control environment and compliance with regulations as well as providing recommendations and suggestions to improve the overall efficiency and effectiveness of procedures and processes, which can help you achieve your goals more effectively.
An audit sponsor is the person who is ultimately accountable from the University for:
· helping define the audit scope – in consultation with internal audit and the Audit and Scrutiny Committee Lead Member (where appointed)
· the timely completion of the internal audit from the University side
· agreeing the final version of the report including the management response and agreement of actions (including timeframes and owners)
· timely completion of the agreed actions post audit (including the oversight of actions assigned to other individuals/ departments etc).
Audit sponsors are ultimately accountable to the Audit and Scrutiny Committee for audits.
Sponsors are selected based on the following criteria:
- sufficient seniority to ensure the audit scope is both practical and strategic, that the audit is completed in line with the KPIs and that agreed actions are completed in a timely fashion (usually this will be individuals at the Director level and above)
- appropriate subject matter expertise relevant to the audit scope – i.e. if the audit is on tax the CFO would be the sponsor, taking advice from the Head of Tax
- A senior representative from a division or department might act as audit sponsor if the audit was focussed purely on a division or department as a whole. Up to two representatives may share the role where an audit covers only two divisions or departments. Where the audit covers more than two divisions or departments a sponsor with University-wide responsibility for the audit topic will be identified. Where an audit covers a University-wide topic but has a focus on activity across all divisions or departments, joint sponsorship with a divisional leader will be sought. In most cases one person will take on the role of audit sponsor.
Any member of management can contact the Head of Risk, Compliance and Assurance to discuss an internal audit request or to consult on an issue. Your request will be reviewed by the Assurance Directorate and Internal Audit colleagues to decide how to best meet your needs.
WHAT IS A FUNCTION'S/DEPARTMENT'S ROLE DURING AN AUDIT? ARE THERE KEY PERFORMANCE INDICATORS WE NEED TO MEET?
Internal Audit will need to meet with key personnel of the function/department for planning and interviewing purposes, but try to accommodate any time constraints that you may have. Inevitably, some information and documentation may need to be provided, but will not require too much time of function/department staff members. The function/department will also be responsible for implementing agreed actions. For full details visit the Audit Process webpage. The function/department is also responsible for meeting the University’s Key Performance Indicators regarding timeliness of engagement and reports, as well as for closing out agreed actions. If these KPIs are not met this will be raised to the Registrar.
The University is responsible for having adequate and effective governance structures in place. Responsibility for these arrangements remains fully with Council, and Council seeks assurance on these matters from the Audit and Scrutiny Committee. The Audit and Scrutiny Committee is responsible for assuring Council about the adequacy and effectiveness of the following areas:
- risk management;
- compliance with the legal and regulatory framework the University operates within (this includes the culture and behaviour that is prevalent within the institution and arrangements that can affect reputation);
- ethical and other behaviours, including whistleblowing;
- sustainability and Value for Money (‘VFM’); and
- the management and quality assurance of data.
The Committee reports annually to Council on its opinion as to the adequacy and effectiveness of the University’s arrangements for these five areas. The Committee’s opinions on these arrangements are based on the information presented to it, including evidence Internal Audit’s reports. Internal Audit is designed to provide “reasonable assurance” in relation to the areas noted above, and cannot provide any guarantee against material errors, loss or fraud.
Yes, Internal Audit are able to respond to events or management requests that cannot be accommodated by adjusting the internal audit plan. These additional pieces of assurance work are funded by the department or function requesting the work. Any work sourced by this method will be reported to the Audit and Scrutiny Committee and should comply with the requirements for auditor independence. Please contact the Head of Risk, Compliance and Assurance before commissioning any such work.
The internal audit team conduct their activities with a view to helping the University improve its policies and processes, implement appropriate controls and manage its risks effectively. They are an independent team and bring extensive expertise both from within the Higher Education sector and beyond. While it is important that University colleagues fully explain the context for any activities being audited and ensure recommended actions are feasible within that context, please remember that the internal audit team are required to provide an annual independent opinion as to the adequacy of the University’s controls and their independence must not be compromised.
The day-to-day relationship with the internal auditors is managed by the Head of Risk, Compliance and Assurance. Colleagues are invited to contact the Head of Risk, Compliance and Assurance to discuss any concerns they may have with internal audit, or to raise areas requiring investigation. (email@example.com).
Get in touch
For queries about Risk, Compliance and Assurance, including internal audit and the Audit and Scrutiny Committee, please contact:
Director of Assurance
Internal audit plan 2022/23