Cambridge University Reporter


STATEMENT OF INTERNAL CONTROL

1. The Council is responsible for maintaining a sound system of internal control that supports the achievement of policies, aims, and objectives, while safeguarding the public and other funds and assets for which the Council is responsible, in accordance with the Statutes and Ordinances and the Financial Memorandum with the HEFCE.

2. The system of internal control is designed to manage rather than eliminate the risk of failure to achieve policies, aims, and objectives; it therefore provides reasonable but not absolute assurance of effectiveness.

3. The system of internal control is designed to identify the principal risks to the achievement of policies, aims, and objectives, to evaluate the nature and extent of those risks and to manage them efficiently, effectively, and economically. This process was in place for the year ended 31 July 2008 and up to the date of approval of the financial statements, and accords with HEFCE guidance.

4. The Council is responsible for reviewing the effectiveness of the system of internal control. The following processes have been established:

(a) The Council meets ten times throughout the year to consider the plans and strategic direction of the University.
(b) The Council receives periodic reports from the Chairman of the Audit Committee concerning internal control and the minutes of all meetings of the Audit Committee.
(c) The Council's Risk Steering Committee oversees risk management. The Council receives periodic reports from the Chairman of the Risk Steering Committee and the minutes of all meetings of the Risk Steering Committee. Risk management is a standing item on the agenda for meetings of the Council.
(d) The Audit Committee receives periodic reports from the internal auditors, which include the internal auditors' independent opinion on the adequacy and effectiveness of the University's system of internal control and risk management, together with recommendations for improvement.
(e) The University offers a formal programme of risk management and awareness training, and individual training to risk managers as required.
(f) A system of indicators has been developed for the University's key risks.
(g) A robust risk prioritization methodology based on risk ranking and cost-benefit analysis has been established.
(h) A University-wide risk register is maintained.
(i) Key risks have been assigned to risk owners and reporting channels established.

5. The Council's review of the effectiveness of the system of internal control is informed by the work of the internal auditors, Grant Thornton. They operate to the standards defined in Accountability and Audit: HEFCE Code of Practice.

6. The Council's review of the effectiveness of the system of internal control is also informed by the work of the senior officers and the risk owners within the University, who have responsibility for the development and maintenance of the internal control framework, and by comments made by the external auditors in their management letter and other reports.