1. The Council has responsibility for maintaining a sound system of internal control that supports the achievement of policies, aims and objectives, while safeguarding the public and other funds and assets for which the Council is responsible, in accordance with the Statutes and Ordinances and the Financial Memorandum with the HEFCE.
2. The system of internal control is designed to manage rather than eliminate the risk of failure to achieve policies, aims and objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness.
3. The system of internal control is based on an ongoing process designed to identify the principal risks to the achievement of policies, aims and objectives, to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically. This process was in place for the year ended 31 July 2007 and up to the date of approval of the financial statements, and accords with HEFCE guidance.
4. The Council has responsibility for reviewing the effectiveness of the system of internal control. The following processes have been established:
| (a) | The Council meets ten times throughout the year to consider the plans and strategic direction of the University. |
| (b) | The Council receives periodic reports from the Chairman of the Audit Committee concerning internal control and receives the minutes of all meetings of the Audit Committee. |
| (c) | The Council's Risk Steering Committee oversees risk management. The Council receives periodic reports from the Chairman of the Risk Steering Committee and receives the minutes of all meetings of the Risk Steering Committee. Risk management is a standing item on the agenda for meetings of the Council. |
| (d) | The Audit Committee receives regular reports from the internal auditors, which include the internal auditors' independent opinion on the adequacy and effectiveness of the University's system of internal control and risk management, together with recommendations for improvement. |
| (e) | The University has a continuing programme of risk management and awareness courses. |
| (f) | A system of risk indicators has been developed for the University's key risks. |
| (g) | A robust risk prioritization methodology based on risk ranking and cost-benefit analysis has been established. |
| (h) | A University-wide risk register is maintained. |
| (i) | Key risks have been assigned to risk owners and risk reporting channels established. |
5. The Council's review of the effectiveness of the system of internal control is informed by the work of the internal auditors Grant Thornton. They operate to the standards defined in Accountability and Audit: HEFCE Code of Practice.
6. The Council's review of the effectiveness of the system of internal control is also informed by the work of the senior officers and the risk owners within the University, who have responsibility for the development and maintenance of the internal control framework, and by comments made by the external auditors in their management letter and other reports.