Why am I being audited?
Normally this is because the Internal Audit plan indicates that your department/function is due to be audited.
Where the audit is a special review commissioned by management, you will be informed of this and the reasons for it at the start of the audit process.
How does the audit process start?
Your Head of Department will be contacted by a member of Internal Audit to explain that your department is due for audit. The Auditor will arrange to meet the Head of Department to explain the audit process and to discuss the possible scope. The Head of Department will then be informed in writing of the scope of the audit.
How is it decided what aspects of my department/function are audited?
This depends on the result of the initial meeting as well as the review of key documents relating to your department/function. These will include your current risk register, budgets, five-year plans and other documents as appropriate. Following discussions with your Head of Department or function, the Auditor will draw up an outline plan and incorporate this into an audit scope for your information.
The University guarantees Internal Audit access to all records and to all personnel.
What happens during the audit?
We begin the fieldwork with interviews of those staff who manage the risks and controls we will be reviewing. We will then spend time documenting key parts of these interviews and reflecting upon what they tell us about risk management and control.
Where appropriate we will then test particular systems by reviewing a sample of transactions or decisions to establish whether the controls and risk management processes described to us in interview are operating in practice. We may ask for further clarification from staff at this point. We will then document the results of our work and prepare our draft report.
How long will the audit last?
The time budgets for individual internal audits vary from five to 25 days. That is the total time for the audit. We do not spend all of that time in your department. Quite a lot of the information we require can be obtained centrally. Where we do need access to records in your department, much of the work can be done without a need for supervision by departmental staff.
The elapsed time for the audit is also likely to be longer than the time budget. This is because we do not complete the entire process from start to finish in one go. Our audits overlap and we will sometimes need to spend time completing the final stages of an earlier audit. All this means that we do not stay in a department for weeks or even days at a time and staff will have plenty of time to get on with other tasks during the audit process.
Who will we talk to?
We talk to all those involved in managing the risks and controls that we are reviewing. Who they are will differ according to the type of audit. They will normally include the Head of Department or function and (where there is one) the relevant financial manager. We also talk to a variety of other people depending on the audit, including commercial managers, sales staff, purchasing staff, storekeepers and many more.
What happens at the end of the audit?
A draft report is drawn up and is usually the basis for a discussion with management. Where key issues are found during the audit, these will be discussed at the time they are discovered. The draft report will thus normally contain relatively straightforward issues that require action by management.
What goes in the report?
The report provides some background to the audit, an executive summary setting out the main findings and conclusions and then a summary of detailed findings which lead to a recommendation. Each recommendation is graded according to the level of risk to which it exposes the department and University if left un-actioned.
The report provides an overall conclusion on the risk management and control within the audited unit. Please refer to the Categorisation of Recommendations for an explanation of the gradings used in our reports. Draft reports are discussed with management and amendments made where appropriate.
Management formally respond to the recommendations and sign the report to signify their willingness to carry out the actions shown on the responses. They also provide a date by which they will implement the agreed recommendations.
Who sees the final report?
The final report goes to the members of the Audit and Risk Committee, the Vice Chancellor, Provost, Registrar, Secretary to Council, Group Finance Director and Finance Director. Copies are also made available to the Finance Manager, Banking and Compliance. Management of the unit concerned also receive a copy of the final report.
Does anything further happen after that?
Management are then free to complete the implementation process in accordance with the timetable shown in the report. They may occasionally get queries from senior university managers when they receive their copy of the report.
Between six and eighteen months after the report is agreed in draft, Internal Audit will follow up the agreed recommendations. A follow-up report is then produced, which goes to the same senior management group as the original report.
Can I have my say about the audit process?
The managers of each department audited are provided with an electronic feedback form which allows them to express their views of the internal audit process.
We value your feedback. All forms are reviewed and the Audit and Risk Committee is made aware of the results arising from this process.