Finance Division
Internal Audit
The Higher Education Funding Council for England (HEFCE) requires all universities to have an internal audit function in order to provide independent and objective assurance on the operation of risk management, control and governance processes. The internal auditors report to the Audit Committee, which is a committee of the Council and which reports annually to HEFCE. It has close links to the Risk Steering Committee and to value for money activities and initiatives (see Value for Money).
Deloitte LLP have been appointed as the University's internal auditors for the period 1 January 2010 to July 2013.
The Purpose of Internal Audit
Each year the University's internal auditors in consultation with the Audit Committee draw up a programme of audits, which form part of an overall three-year internal audit plan. The plan is agreed with the Audit Committee and is based around a number of key risks identified by the University as well as assurances required by HEFCE. The Audit Committee meets six times a year to review the outputs of the internal auditor's work. Any issues of fundamental importance will be reported to the Council.
The Audit Process
Why is my department being audited?
Your department will be contacted either because it has been identified for audit as part of a cycle which aims to cover all departments, or because a sample of departments - for example, to look at purchasing behaviour - has been selected by the auditors. Often, School offices are consulted over the choice of Department to audit from their School. Occasionally the auditors will be asked to conduct an audit in response to a particular concern at an institution. In all cases, the audit brief will be discussed with the head of institution before any fieldwork takes place.
When will the audit take place?
The audit plan is designed to ensure that all University departments participate in some form of audit over the course of the three-year programme; most will have contact with the audit team on more than one occasion due to differing types of audit taking place. You will be given several weeks notice of the audit and efforts will be made to conduct the audit at a time which is convenient to you.
Who is involved?
Each audit has a designated sponsor. This can be the Head of Department or institution concerned, but may be a senior person with designated responsibility for a certain area (e.g. continuity planning). The audit team will work with the audit sponsor to define the scope and timing of the audit. They will also ask for recommendations of people who should be interviewed as part of the audit fieldwork. The audit sponsor will also attend key meetings during the audit and is responsible for providing written management responses to the draft audit report.
What will the audit cover?
Internal audit covers all areas of the University's operations. There are different types of audit, the most common being 'departmental' and 'thematic'. Departmental audits cover a range of processes and procedures, typically focusing on compliance with the University's and / or sponsor's regulations. Thematic audits involve a number of institutions to provide assurance on a particular area, such as purchasing or credit control. Other audits may look at systems and IT. The auditors are looking to assess compliance with regulations and to get an understanding of the mechanisms in place to manage key areas of risk. They may identify areas of best practice as well as areas for improvement.
What are the audit outputs?
When the auditors have completed their work they will make a number of recommendations ranked by priority (one being highest) and will also give an overall assurance rating for the department/area concerned. The audit sponsor will be asked to provide a response to all recommendations made before the report is finalised. As stated above, the auditors may also highlight areas of best practice which could be shared with other departments and institutions.
Who sees internal audit reports?
Draft internal audit reports are seen only by the audit sponsor, any other agreed stakeholders, the Director of Finance and his Deputy. The Audit Committee receives a copy of the final report. Copies of all audit reports are held on file by the Registrary's Office. The Council receives minutes of the Audit Committee (but not usually papers) and so will see which audits have been conducted along with a synopsis of their outcome.
What happens next?
Each of the auditor's recommendations will have a deadline for action and these will be followed up when the agreed deadline in the final report is due. The timing of the follow-up visit is dependent upon the nature and severity of the finding.
Further information
The Deloitte team has produced a guide to internal audit at the University, which is available to download as a pdf here. If you are unable to download this document, or would like a hard copy sending to you, please contact Tamsin.mann@admin.cam.ac.uk.