Why have Internal Audit?
Internal Audit provides assurance to management and the Audit and Risk Committee. Internal Audit makes recommendations for improvement in key management processes. It particularly aims to ensure that key risks are being appropriately managed.
What is risk management?
Risk is commonly defined as "the threat or possibility that an action or event will adversely or beneficially affect an organisation's ability to meet its objectives."
How do we decide what to look at?
Most audits are undertaken as part of a plan that has been agreed with senior management and the Audit and Risk Committee. Not all systems and risks can be audited regularly. However, all auditable areas are reviewed at least once every four years.
How is the plan drawn up?
The assessment of risk agreed between Internal Audit, senior management and the Audit and Risk Committee determines the frequency with which particular audits take place.
Time is also allocated for other activities such as training and technical development, as well as the follow up of previous audits. The plan includes a block of time for contingency work - requests from management to look at things which concern them, even though they are not in the agreed plan.
When does Internal Audit do work in addition to that specifically planned?
Where senior management has specific concerns about an area, it will request an audit review to address those concerns and formulate relevant recommendations. Internal Audit also assists with a variety of management initiatives designed to improve control and risk management.
What is the Audit and Risk Committee?
The Audit and Risk Committee is a Committee of the University Council and its membership is comprised entirely of lay members of Council and an external member. It is thus entirely independent of the executive management of the University.
Audit and Risk Committee meetings are attended by members of the senior management team - the Vice Chancellor or the Provost, the Registrar and Chief Operating Officer, Secretary to Council and Group Finance Director. They are, however, not members of the Committee. Committee meetings are also attended by the University's external auditors.
The Audit and Risk Committee's Terms of Reference are quite wide and require it to report to Council on all audit-related matters. Annually the Committee produces a report to Council on the state of governance, risk management, internal control and value for money within the University. Internal Audit's reports to the Committee form a key part of the evidence upon which the conclusions within the Committee's annual report are based.
What is Internal Audit's relationship to the Audit and Risk Committee?
Internal Audit also attend the Audit and Risk Committee meetings and are required to provide a report of their activities to each meeting. They must also submit their plans to the Audit and Risk Committee.
What responsibility does Internal Audit have in respect of Value for Money?
Internal Audit's annual assurance statement to the Audit and Risk Committee requires it to state whether the University's arrangements for value for money are adequate and effective. It therefore needs to obtain evidence to support this statement. This can come from value for money reviews and from value for money elements in other internal audit reviews.