Skip to main contentCambridge University Reporter

No 6533

Wednesday 16 January 2019

Vol cxlix No 15

pp. 306–320

Notices

Calendar

22 January, Tuesday. Discussion at 2 p.m. in the Senate-House (see below).

24 January, Thursday. End of first quarter of Lent Term.

26 January, Saturday. Congregation of the Regent House at 2 p.m.

27 January, Sunday. Preacher before the University at 11.15 a.m., Sister Jane Livesey, N, General Superior of the Congregation of Jesus.

Discussions (Tuesdays at 2 p.m.)

Congregations (Saturdays unless otherwise stated)

22 January

26 January, at 2 p.m.

  5 February

23 February, at 2 p.m.

19 February

23 March, at 11 a.m.

  5 March

30 March, at 11 a.m.

19 March

Discussion on Tuesday, 22 January 2019

The Vice-Chancellor invites those qualified under the regulations for Discussions (Statutes and Ordinances, p. 105), to attend a Discussion in the Senate-House on Tuesday, 22 January 2019 at 2 p.m., for the discussion of:

1.Annual Report of the Council for the academic year 2017–18, dated 19 November 2018 (Reporter, 6530, 2018–19, p. 181).

2.Annual Report of the General Board to the Council for the academic year 2017–18, dated 31 October 2018 (Reporter, 6530, 2018–19, p. 190).

3.Reports and Financial Statements for the year ended 31 July 2018 (Reporter, 6530, 2018–19, p. 201).

4.Report of the Council, dated 10 December 2018, on the age limit on membership of the Regent House and other related matters (Reporter, 6531, 2018–19, p. 278).

5.Report of the Council, dated 10 December 2018, on members co-opted to the Finance Committee (Reporter, 6531, 2018–19, p. 280).

6.Report of the Council, dated 10 December 2018, on the governance of the remuneration of the Vice-Chancellor and senior post-holders and other pay related matters (Reporter, 6532, 2018–19, p. 297).

Further information on Discussions, including details on format and attendance, is provided at https://www.governance.cam.ac.uk/governance/decision-making/discussions/.

‘Scarlet days’ and flying of the University Flag from the Old Schools in 2019

Scarlet days

The Vice-Chancellor wishes to remind members of the University of the days in 2019 appointed by regulation for the wearing of festal gowns by Doctors (which are also the days on which the academic dress of other universities may in general be worn). Under this regulation he is also designating 19 June (Congregation for Honorary Degrees) as an additional ‘Scarlet day’ in 2019.

21 April

Easter Day

30 May

Ascension Day

 9 June

Whitsunday

16 June

Trinity Sunday

19 June

Honorary Degrees

26, 27, 28, and 29 June

General Admission to Degrees

  1 November

All Saints’ Day

  3 November

Commemoration of Benefactors

25 December

Christmas Day

Flying of the University Flag from the Old Schools

Published for information are the days when the University Flag will usually be flown:

  6 February

Accession of HM The Queen

21 April

Birthday of HM The Queen

23 April

St George’s Day

  8 June

Official Birthday of HM The Queen

10 June

Birthday of HRH The Duke of Edinburgh

14 November

Birthday of HRH The Prince of Wales

The University Flag will also be flown on all Congregation days, including 1 October (Address by the Vice-Chancellor and Election and Admission of the Proctors), 19 June (Honorary Degrees) and General Admission to Degrees.

Dates of Discussions, 2019–20

14 January 2019

The Vice-Chancellor gives notice that Discussions will be held on the following days in the 2019–20 academic year:

Michaelmas Term 2019

Lent Term 2020

Easter Term 2020

Long Vacation 2020

  8 October

21 January

28 April

  7 July

22 October

  4 February

12 May

  5 November

18 February

26 May

19 November

  3 March

  9 June

  3 December

17 March

Annual Report of the Audit Committee for the financial year 2017–18

The Council has received the Annual Report of the Audit Committee for 2017–18. The report is published for the information of the University. Appendix A is not reproduced; appendices B–E are provided online at http://www.admin.cam.ac.uk/reporter/2018-19/weekly/6533/AuditReport_Appendices_2017-18.pdf.

1 Introduction

The Audit Committee is required to submit an annual report to the Council, the Vice-Chancellor and subsequently to the Office for Students (OfS). The report is informed by the internal audit annual report (see Appendix A [not reproduced]). It follows the guidance set out in Appendix 6 of HEFCE’s Handbook for Members of Audit Committees in Higher Education Institutions (endorsed by the OfS).

This Audit Committee Annual Report is for the financial year 1 August 2017 – 31 July 2018 and includes the opinion of the Audit Committee on the reliance to be placed on the internal control and reporting systems of the University. The opinion is based on the Committee’s consideration of the University’s Risk Register, the internal auditor’s annual report, the external auditor’s Management Letter, other work commissioned by the Committee during the year and on discussions at its meetings and workshops.

1.1 Internal auditor

Deloitte LLP is the University’s internal auditor and was reappointed from August 2014 until July 2017, with an extension to July 2019.

1.2 Internal audit reports

This report refers only to those final internal audit reports that have been received and considered by the Audit Committee during the financial year under consideration. This includes any reports that were issued in draft during 2016–17, but which were not finalised for the Committee’s consideration until 2017–18. This does not include any 2017–18 reports that have been finalised recently by internal audit but which have not yet been considered by the Audit Committee at one of its meetings.

During 2017–18 and up to the point of writing, the Committee has received and considered 28 internal audit reports, including two extra commissioned reports. Where a rating was ascribed, 72%1 of reports were given Substantial or Full assurance.

1.3 External auditor

PricewaterhouseCoopers LLP (PwC) was reappointed as the University’s external auditor.

2 Audit Committee opinion

This section provides the Audit Committee’s opinion on the adequacy and effectiveness of institutional arrangements during 2017–18 and up to the date of this report.

2.1 Opinion – risk management, control and governance

The Audit Committee has monitored and considered the effectiveness of the University’s risk management, control and governance throughout 2017–18. These arrangements support the University in fulfilling its policies, aims and objectives, enabling the University to identify, understand and manage its principal risks, and to be accountable and transparent in its governance. The Committee considers that the University and subsidiary companies have continued to make clear and sustained efforts to understand, communicate and incorporate best practice in risk management, governance and internal controls.

The Committee has agreed that the Statement of Internal Control in the Financial Statements for the year ended 31 July 2018 is an accurate reflection of the risk management, control and governance arrangements in place. The Committee is satisfied that these arrangements are adequate and effective.

2.2 Opinion – economy, efficiency and effectiveness (value for money)

The Committee has monitored the effectiveness of the University’s financial controls, systems and management structures in place for promoting efficiency, effectiveness and economy in the use of public funds and other resources.

The Committee has noted the continuing adoption of and improvement in financial procedures and management practices designed to support the achievement of value for money and institutional effectiveness. The Committee is satisfied that these arrangements are appropriate and effective.

2.3 Opinion – management and quality assurance of data

The Audit Committee monitors the effectiveness of the University’s management and quality assurance of data submitted to the Higher Education Statistics Agency, to the Student Loans Company, to the OfS, and to other bodies. Internal audit reviews of various aspects of data management form part of the three-year cycle of audits. An internal audit report on data quality in three Museums’ data returns was received in 2017–18 for which substantial assurance was given. The Committee is satisfied that the management control and quality assurance of data submitted are adequate and effective.

3 Audit Committee membership

3.1 Constitution of the Audit Committee

The constitution of the Audit Committee is set out in the Statutes and Ordinances of the University of Cambridge (see Appendix B). The membership and terms of reference of the Committee were revised in 2018 (see Section 5 below).

3.2 Membership, 2017–18

Chair:

Mr Mark Lewisohn

Secretary:

Ms Emma Rampton, Registrary

Assistant Secretary:

Dr Clara East, Audit and Regulatory Compliance Officer

There were no changes in membership over the course of the year

Table 1: Membership of the Committee, 2017–18

Class of membership

Name of member

Limit of tenure

(a) Chair, and external member of Council

Mr Mark Lewisohn

31 December 2020

(b) Members of Council

Dr Ruth Charles

31 December 2019

Dr Nick Holmes

31 December 2018

(c) External members

Mr Peter Doyle

31 December 2018

Ms Janet Legrand

31 December 2018

Ms Catherine Spitzer

31 December 2019

Mr John Aston

31 December 2019

(d) Co-opted members

Dr Keith Carne

31 December 2018

Professor John Dennis

31 December 2019

3.3 Process of appointment

Members are appointed to the Audit Committee by the Council of the University. Membership nominations are made to the University’s Council’s Advisory Committee of Committee Memberships and External Nominations except in the case of class (d) members who are co-opted by the Committee on the basis of recommendations received.

3.4 University officers and auditors

The Audit Committee invites certain senior University officers and the University’s external and internal auditors to attend unreserved meetings. It also invites other colleagues and external speakers to attend for specific agenda items or to present on a particular area of operation or risk.

The Audit Committee also invites the Chair of the Press and Assessment Board (PAB) Audit Committee2 to attend all meetings and to make biannual reports. The Chair of the PAB Audit Committee is Mr Nick Temple, who represents the PAB Audit Committee on the University Audit Committee.

The Vice-Chancellor is invited to address the Audit Committee annually.

Table 2: Senior officers, auditors and other colleagues invited to attend meetings during 2017–18

Position

Name

Vice-Chancellor

Professor Stephen Toope

Chief Financial Officer

Mr Anthony Odgers

Director of Finance

Mr Andrew Reid (until January 2018)

Mr David Hughes (from December 2017)

Senior Pro-Vice-Chancellor

Professor Duncan Maskell (until 30 June 2018)

Professor Graham Virgo (from 1 July 2018)

Internal Auditor – Deloitte LLP

Ms Kirsty Searles

Mr Richard Neal

Mr Andrew Patterson

Mr Callum Irvine

External Auditor – PricewaterhouseCoopers LLP

Mr Stuart Newman

Ms Ali Elsley

Mr David Wildey

Director of University Information Services

Professor Ian Leslie

Chief Information Security Officer

Mr Vijay Samtani

Executive Director of Development and Alumni Relations

Ms Alison Traub

Director of Estates Strategy

Dr Jason Matthews

Interim Director of Estate Operations

Ms Jan Hand (to August 2018)

Interim Director of the Compliance Programme

Mr Graham Shaw (to August 2018)

Head of Estate Projects

Ms Beverley Weston

Director of Human Resources

Ms Emma Stone

Assistant Director of Human Resources (Operations)

Ms Andrea Hudson

Pro-Vice-Chancellor (Education)

Professor Graham Virgo

Regius Professor of Physic

Professor Patrick Maxwell

Chair of the Press and Assessment Board Audit Committee

Mr Nick Temple

4 Meetings

The table below provides information on meeting dates and attendance.

Table 3: Attendance at meetings, financial year 2017–18

Date

Members and associated class

Senior officers and guests

Auditors

Apologies3

Quorate

(a)

(b)

(c)

(d)

Total

05/10/17

0

2

4

1

7

6

Internal: 2

2

Yes

16/11/17

1

2

3

1

7

3

Internal: 2

External: 3

4

Yes

18/01/18

1

2

2

2

7

7

Internal: 3

3

Yes

08/03/18

1

2

2–3

(see apologies)

2

7–8

8

Internal: 2

External: 3

2 (unreserved business)

4 (reserved business)

Quorate for first part of unreserved business only

10/05/18

1

2

3

2

8

7

Internal: 3

3

Yes

05/07/18

1

1

2

2

6

10

Internal: 3

3 (unreserved business)

5 (reserved business)

Quorate for unreserved business only

5 Terms of reference

The Audit Committee’s terms of reference are set out in the Statutes and Ordinances.4 In 2017–18 the Audit Committee reviewed and refreshed its membership terms and terms of reference as one of the actions agreed in the Committee’s 2016 review of effectiveness.

The membership terms were amended (i) to align Council members’ terms with their Council appointments; (ii) to extend the appointments of other members (within CUC guidelines) to benefit from their experience for longer; and (iii) to introduce some clarifications.

The terms of reference were (i) amended to update the Committee’s meeting frequency, which was higher in practice than originally stated; (ii) re-ordered to reflect better the Committee’s priorities in reviewing risk management and value for money alongside internal controls; and (iii) in-part redrafted to improve the clarity of wording.

The following revised terms of reference were subsequently approved by the Regent House in March 2018 (see also Appendix B, which includes the Committee’s membership terms):

Audit Committee terms of reference

1. The Audit Committee shall meet at least once per term in each financial year. It shall be the duty of the Committee:

(a)to keep under review the University’s risk management strategy and implementation;

(b)to keep under review the effectiveness of the University’s systems of financial and other internal control;

(c)to satisfy itself that satisfactory arrangements are adopted throughout the University for promoting economy, efficiency and effectiveness;

(d)to advise the Council on matters relating to the external auditors, including their appointment, their services, their remuneration and any questions relating to the resignation or dismissal of auditors;

(e)to review annually with the external auditors the nature and scope of the external audit;

(f)to consider, in consultation with the external auditors, (i) any statements annexed to the annual accounts of the University, including the auditors’ report, and (ii) any statement provided by the Council on the governance of the University;

(g)to approve the approach to internal audit;

(h)to approve proposals for the programme of internal audit work put forward by the internal auditors and to ensure that sufficient resources are made available to implement the internal audit programme effectively;

(i)to consider any reports submitted by the auditors and to monitor the implementation of any recommendations made by the auditors, both external and internal;

(j)to monitor annually the performance and effectiveness of the external and internal auditors;

(k)to oversee the University’s policy on fraud and irregularity, and to ensure that the Committee is informed of any action taken under that policy;

(l)to ensure that all significant losses are properly investigated and that the internal and external auditors, and where appropriate, other authorities and regulators, are informed;

(m)to make an annual report to the Council, other authorities and regulators as required;

(n)to receive reports from authorities and regulators, and to advise the Council thereon;

(o)to forward minutes of their meetings to the Council.

6 Internal Audit

6.1 Provider

Deloitte LLP was reappointed as the internal auditor for the University with effect from 1 August 2014 for a three-year term until 31 July 2017. It was reappointed for a further two years until 31 July 2019.

6.2 Review of appointment

The performance of the internal auditor and its lead partner is considered annually by the Committee.

6.3 Review of internal audit annual report

The annual report for the period 1 August 2017 to 31 July 2018 was received by the Audit Committee at its meeting of 4 October 2018 (see Appendix A [not reproduced]). Subject to the limitations of the work described in Deloitte LLP’s report, the internal audit opinion given was as follows:

‘We provide reasonable assurance that the University has an adequate and effective system of risk management, control, governance, and value for money in its systems and processes for the year ended 31 July 2018. The control issues identified during our work do not materially impact upon the assurance statement provided.

Within the context of the Annual Opinion, it is noted that the effectiveness of controls in some areas could be enhanced. We have provided supporting statements on the following pages where our recommendations for improvement have informed the overall annual assurance rating.’

6.4 Review of audit risk assessment and strategy

Internal audit plans are prepared annually on the basis of ranked risks and ownership, as set out in the University’s key risk register, and key issues identified in interviews with a selection of Committee members and senior officers. Different teams of auditors are assigned to undertake the work depending on the level of specialism required.

Audits are themed by function and involve visits to a range of departments and institutions. Fact-finding reports are commissioned where particular situations warrant further investigation. Departmental audit is primarily covered by the annual departmental self-assurance survey. The survey addresses all areas of traditional on-site departmental audits. To help validate the findings of the survey the results are followed up by face to face meetings and selected on-site testing. The results are shared with management to highlight best practices and areas for improvement. (See section 8.3(b)(ii) for further detail on the assurance survey.)

6.5 Review of audit reports

Following a recommendation arising from the Committee’s 2016 effectiveness review, the Committee discusses in detail only those reports that carry limited or nil assurance ratings. The Committee has access to all other reports through its online portal and the auditors summarize the findings of those reports in their progress report at each meeting. For reports with limited or nil assurance, the audit sponsor is invited to attend the meeting in which the report is discussed. This enables them to respond to the report and take questions.

Deloitte LLP provides an assessment of the adequacy and effectiveness of systems using the following definitions:

Full

There is a sound system of internal control designed to achieve the University’s objectives. The control processes tested are being consistently applied.

Substantial

While there is a basically sound system of internal control, there are weaknesses, which put some of the University’s objectives at risk. There is evidence that the level of non-compliance with some of the control processes may put some of the University’s objectives at risk.

Limited

Weaknesses in the system of internal controls are such as to put the University’s objectives at risk. The level of non-compliance puts the University’s objectives at risk.

Nil

Control processes are generally weak leaving the processes / systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes / systems open to error or abuse.

Deloitte LLP classifies its recommendations as follows:

Priority 1

Issues that are fundamental to the University, for the attention of senior management and the Audit Committee.

Priority 2

Issues that are fundamental to the area subject to internal audit, for the attention of senior management and the Audit Committee.

Priority 3

Important issues to be addressed by management in their areas of responsibility.

Priority 4

Housekeeping issues or good practice suggestions.

6.6 Fees

Fees paid for work completed in the financial year 2017–18 are shown in Appendix C.

7 External audit

7.1 Provider

PricewaterhouseCoopers LLP (PwC) was reappointed as external auditor for the University for the financial year 2017–18.

7.2 Review of appointment

In accordance with the OfS’s terms and conditions of funding for Higher Education Institutions, the external auditor is appointed or reappointed annually. The Statutes and Ordinances also require that the accounts of the University are audited annually by qualified accountants appointed by Grace on the nomination of the Council.5

Following a market testing exercise carried out by a sub-group of the Audit Committee with representation from Cambridge University Press and Cambridge Assessment, PricewaterhouseCoopers LLP was reappointed to provide the external audit provision (subject to annual reappointment) for a further contract period of three years from 1 August 2019.

At its January 2018 meeting the Committee received positive feedback from the Group in regard to the performance of the external auditors. The Committee therefore agreed to recommend to the Council that a Grace be promoted for the annual reappointment of PwC as the external auditors for the Financial Year 2017–18.

7.3 Details of non-audit services

During 2017–18 the external auditor and PwC international affiliate firms carried out work in the following areas for the University: professional assistance in respect of the issuance of the University’s listed Bond, professional assistance in the winding-up of subsidiary companies in the Cambridge Assessment group, independent audit of the ClimateWise principles for 2017 and other minor engagements. In each significant case, the engagement was subject to the Audit Committee’s policy on non-audit services to ensure that the external auditor’s independence was not placed at risk.

7.4 External Auditor’s annual report to the Audit Committee

The Audit Committee received PwC’s external audit annual report 2017–18 at its meeting on 15 November 2018.

The Audit Committee considered the report and was satisfied with the remarks on auditing and accounting matters, detailed control observations and other observations from around the University group. The Audit Committee was also satisfied with the University’s management response included as an Appendix to the report.

7.5 Fees

Fees paid for work completed in 2017–18 are shown in Appendix D.

8. Other work undertaken

8.1 Statement of internal control

The Council is responsible for reviewing the effectiveness of the system of internal control. The Audit Committee supports the Council in this role through the following processes:

(a)The Council receives periodic reports from the Chair of the Audit Committee concerning internal control and receives the minutes of all meetings of the Audit Committee;

(b)the Audit Committee receives regular reports from the internal auditor, which include the internal auditor’s independent opinion on the adequacy and effectiveness of the University’s system of internal control and risk management, together with recommendations for improvement. Risk management is a standing item on the Audit Committee agenda and is the driving element in the design of the annual internal audit programme of work;

(c)the Council’s review of the effectiveness of the system of internal control is informed by the work of the internal auditor. They operate to the standards defined in the OfS Terms and condititions for higher education institutions, Annex C Audit Code of Practice;

(d)the Audit Committee reviews and reports on the implementation of recommendations made and agreed in the regular audit cycle and other investigations.

Through the consideration of reports from the internal auditor and other investigations, the Audit Committee is assured that the University’s system of internal control is currently effective and is able to report its reassurance to the Council for the year 2017–18.

8.2 Review of assurances received

Deloitte LLP has confirmed its reasonable assurance that the University has an adequate and effective system of risk management, control, governance and value for money in its systems and processes for the year ended 31 July 2018. They have further confirmed that the control issues identified during their work do not materially impact upon the assurance statement provided.

Deloitte further notes that the effectiveness of controls in some areas could be enhanced and they have provided recommendations for improvement.

The Audit Committee accepts the internal auditor’s opinion and agrees that the effectiveness of controls in some areas could be improved. Management have taken steps and work is continuing (1) to improve implementation of outstanding actions arising from Internal Audit recommendations, (2) to address the shortcomings of Limited Assurance Report, (3) to define a new process for risk management, (4) to re-evaluate the actions arising from the Departmental Assurance Survey, and (5) to re-shape the value for money report. In the academic year 2018–19, further work will need to take place (i) to identify potential mechanisms for improving accountability and delegations of authority across the University as a devolved organization, (ii) to achieve greater visibility of controls operated at Departmental level, and (iii) in the area of data quality.

8.3 Review of institution’s risk management strategy

(a) The University’s approach to risk management

The University of Cambridge pursues good practice in Risk Management as given in the FRC guidance issued in 2014 as well as guidance from HEFCE/OfS and other bodies, and endeavours to comply fully with OfS and other regulatory requirements. The University’s view of acceptable risk is derived from a balanced view of all the risks in its operating environment. Risks are prioritized and assessed according to qualitative and quantitative measures. The strategy is as follows:

(i)a Risk Steering Committee (RSC) currently oversees the risk management process as a whole, on behalf of Council. In 2017–18 the Chair of the Risk Steering Committee was the Senior Pro-Vice-Chancellor (Planning and Resources). The Chair of the Audit Committee is one of three Council representatives on the RSC. In 2016–17, a second external member of the Audit Committee was invited to attend the RSC to strengthen the link between audit and risk management;

(ii)a Risk Policy is reviewed annually;

(iii)fundamental risks affecting the University and its Departments, Faculties and central bodies are reviewed biannually to ensure that the full scope of the University’s activities is covered;

(iv)the appropriate risk appetite and level of exposure for the University as a whole is determined;

(v)fundamental risks are managed and the effectiveness of those arrangements are examined. Where risk management is judged weak, poorly understood or limited in effect, controls have been and will be enhanced;

(vi)responsibility for the management of risks is allocated to senior University officers;

(vii)a review of risks and their management takes place at least once a year.

In Easter Term 2018, in light of comments from the Council, a review of the University’s set of key risks and risk management framework was initiated with a view to the implementation of a new framework by the end of the 2018–19 academic year. The review is being conducted in liaison with the internal auditors. The revised approach will focus on improving the embedding of risk management in decision making, planning, and operational management.

(b) Risk management – the role of the Audit Committee and its auditors

(i) Audit Committee

The Audit Committee provides advice to the Council on the effectiveness of the Risk Steering Committee and on the internal control system, including the University’s system for the management of risk. The Audit Committee received the Risk Steering Committee’s annual report and annual review of the University’s key risk register at its November 2017 meeting. The interim revised key risk register was received at the May 2018 meeting.

Members of the Audit Committee are invited to bring their copies of the key risk register to all meetings to help inform discussions of audit reports and the impact on risk management, and also to plan the audit cycle.

A programme of presenters to speak to the Committee about key risks and to answer questions continued during the course of 2017–18. The Committee received the following presentations:

5 October 2017

– The then Acting Director of University Information Services, Professor Ian Leslie, gave an update on the cyber security programme.

18 January 2018

– The Executive Director of Development and Alumni Relations, Ms Alison Traub, gave a presentation on the work of CUDAR and its key risks.

– The Director of Estate Strategy, Dr Jason Matthews, attended in connection with a Deloitte review commissioned by the University of a construction project to discuss lessons learned.

8 March 2018

– The Vice-Chancellor gave his first annual report to the Committee.

– The Director of Human Resources, Ms Emma Stone, and Assistant Director of Human Resources (Operations), Ms Andrea Hudson, gave a response to the audit report on the University Payment System, which had received limited assurance.

10 May 2018

– The Pro-Vice-Chancellor (Education), Professor Graham Virgo, provided feedback on the topic of space utilisation in advance of the workshop on the same subject held after the meeting.

– The Director of Estate Strategy, Dr Jason Matthews, and the Head of Estate Projects, Ms Beverley Weston, gave a presentation on the University’s estate management strategy.

29 June 2018

– The Director of Estate Strategy, Dr Jason Matthews, the Interim Director of Estate Operations, Ms Jan Hand, and the Interim Director of the Compliance Programme, Mr Graeme Shaw, discussed a draft Safety Compliance Report recently commissioned from Deloitte by Estate Management.

5 July 2018

– The Regius Professor of Physic, Professor Patrick Maxwell, gave a presentation on risks relating to the Clinical School.

– The Director of Estate Strategy, Dr Jason Matthews, and the Head of Estate Projects, Ms Beverly Weston, gave their response to the follow up of the report discussed in January and about capital projects risk management more generally following an audit on the topic.

– The Interim Director of the Compliance Programme, Mr Graeme Shaw, discussed progress in relation to the Safety Compliance review, the draft report of which was received at the previous meeting.

– The Chief Information Security Officer (CISO), Mr Vijay Samtani, discussed his work as the new CISO and gave an update on progress with the cyber security programme.

(ii) Internal audit programme

The internal audit programme is responsible for providing independent and objective assurance on the University’s operations in order to evaluate and improve the effectiveness of the University’s internal control systems. The internal audit strategy is developed around the University’s objectives and assessment of its fundamental risks including an evaluation of the effectiveness of the University’s risk management process.

The reappointment of Deloitte LLP in August 2014 was subject to a refreshed service which focused more greatly on priority risk areas such as financial health, staff recruitment and retention and research funding, and sought broader assurance through the deployment of an annual departmental survey on compliance in high risk areas. The areas covered in the survey range from compliance with financial processes and HR policies to departmental management planning activity and IT controls. Visits to a sample of the strongest and weakest performing departments are carried out in order to help verify the survey findings.

The fourth Departmental assurance survey was conducted in 2017–18 and the findings were reported to the Audit Committee in July 2018. This year, for the first time, the survey was extended to most Non-School Institutions (for example, the University Information Services) and the Unified Administrative Offices (for example, the HR and Finance Divisions) to give a fuller picture of risk across the institution. The survey report enables the Audit Committee, administrative offices and Schools to see at a glance where weaker areas exist, by Institution and area. Engagement with Schools on the survey continued to be strong this year and provides useful additional feedback on the topics surveyed. The survey remains a useful method for indicating the robustness of the University’s first line risk management and control activities across the organisation. Extra focus will be given next year to reinforcing the line ownership of such activities. For example, management actions will be reviewed to ensure they are implemented effectively with new approaches deployed where appropriate.

Throughout the year the auditors attended meetings with School Secretaries, Finance Managers and Departmental Administrators, in particular to discuss the findings of the assurance survey. The Head of Internal Audit attended meetings of the Risk Steering Committee as an observer.

The current internal audit contract expires on 31 July 2019 and consideration of the process for renewing the internal audit function from 1 August 2019 is underway.

(iii) External audit

External audit informs the Audit Committee on the operation of the internal financial controls reviewed as part of the annual audit.

8.4 Other work

The Audit Committee has a number of standing agenda items: Value for Money (VfM), Fraud, Risk Management, the OfS and the Press and Assessment Board. For the first four of these items the Audit Committee requests updates from senior University officers and also seeks assurance from the internal auditors. Assurance from the Press and Assessment Board on the operations of CUP and CA is described below.

(a) Value for money

The University’s Resource Management Committee (RMC) oversees VfM reporting for the University. The Chair of RMC, the Senior Pro-Vice-Chancellor, attends Audit Committee meetings and provides statements on behalf of the RMC. However, following the departure of the previous Senior Pro-Vice-Chancellor, the new Pro-Vice-Chancellor for Strategy and Planning will chair the RMC. Economy, efficiency and effectiveness in the use of resources are considered within each system audit undertaken and recommendations are made in the individual audit reports as appropriate.

A set of value for money reporting indicators are used to track progress on the efficiency and effectiveness of resource use. The indicators focus on ‘institutional effectiveness’ at the strategic level and, by focusing on overall performance in core areas of teaching, research and administration, aim to demonstrate how effectively the University uses its resources. Various indicators are used to show how well the University is using its resources and ultimately whether the University is institutionally effective. Performance can be tracked over time and compared with that of key competitors

Efficiency and value for money values continue to be promoted through both local level and University-wide initiatives such as in the areas of procurement, estate management, energy and sustainability and financial and IT services. The University also collaborates with the Colleges through the Bursars Committee to ensure VfM across the collegiate University.

(b) Fraud

Under the Financial Regulations, any member of staff must report immediately to the Registrary and the Director of Finance any suspicion of bribery, fraud or other irregularity. Instances of bribery and fraud that involve sums of over £25,000 must be reported to the OfS under its terms and conditions of funding for higher education institutions.

In the 2017–18 academic year, there have been no reports of bribery, one case of financial fraud, and one allegation of malpractice which was closed following satisfactory investigation; one of the cases was reported to the regulator (then HEFCE) in September 2017 as under investigation and the conclusions of the investigation were notified to HEFCE in April 2018. A potential departmental breach of Financial Regulations was reported to Internal Audit in August 2018 and is currently under investigation.

(c) Risk management

Risk management is a standing item on the Audit Committee agenda. As noted in Section 8.3(a) the University has embarked on a review of its key risks and risk management framework with the aim of linking risk management better to decision making, planning and operational management.

The Head of Internal Audit from Deloitte LLP attended the October and June Risk Steering Committee meetings in 2017–18. This gave the internal auditors better insight into the University’s approach to and discussions about risk.

The Audit Committee is also considering how to address the balance between academic freedom and collective organizational risk, particularly in relation to areas of growing reputational risk to the University, such as cyber security, bribery and the corporate criminal offence.

The risk management training seminars delivered through the Personal and Professional Development (PPD) training programme and offered to staff across the University were continued in Michaelmas Term 2017 and Easter Term 2018. A Departmental Administrator attended the Michaelmas Term seminar to champion the benefits of risk management at a local level and to help promote best practice and consistency of approach.

A desktop exercise for the University Silver Team was carried out in Michaelmas Term 2017. A number of key lessons were identified in the subsequent debrief session. The Silver Team was also convened on two further occasions in relation to student occupations of the Old Schools and Greenwich House and further lessons learned. UAS offices’ continuity arrangements have been strengthened in light of the recent experience. In addition, the current Emergency Action Plan template used by all institutions is being further developed to include a template for working through continuity management arrangements.

(d) HEFCE/OfS

(i)HEFCE’s Assessment of institutional risk

The Committee received a copy of HEFCE’s annual assessment of institutional risk at its March 2018 meeting. The University’s financial sustainability, good management and governance matters were assessed as ‘not at higher risk’. The assessment was subsequently submitted to Council.

(ii)Assurance on Colleges’ use of student fees for educational purposes

The Committee has agreed a protocol enabling the Director of Finance, on an annual basis, to provide assurance to the Audit Committee that the public funds received by the University from the Student Loans Company and transferred between the University and Colleges are used by the Colleges for the intended educational purposes. The calculation for 2017–18 was considered by the Audit Committee at its meeting in July 2018. The exercise involved looking at the total expenditure on education by Colleges against their total educational income including the College fee. Reasonable assurance could be given that the money was spent for the purposes intended.

In support of the mechanism described above, an annual meeting takes place between the Chair of the Audit Committee, the Chair of the Colleges’ Committee, the Registrary and the Chair of the Bursars’ Committee. An agreed note of the meeting is submitted to the Audit Committee. The annual report by the General Purchasing sub-Committee to the Bursars Committee on Value for Money is also submitted to the Audit Committee. The meeting took place in June 2018 (see Appendix E).

The Chair of the Bursars’ Committee Value for Money sub-Committee reported on a number of collectively managed purchasing arrangements between the Colleges, including catering, utilities and insurance contracts, with further initiatives looking at pensions, environmental planning, tax and development activities. Joint collaborative initiatives between the Colleges and the University included waste management and counselling services, and joint discussion groups involving the University’s Head of Procurement were valuable in respect of potential new joint engagements.

(e) Press and Assessment Board

Cambridge University Press is governed by the Press Syndicate, and Cambridge Assessment by the Local Examinations Syndicate. Both Syndicates report to the joint Press and Assessment Board (PAB), as do other joint committees including the PAB Regulatory Compliance Committee and the PAB Audit Committee. The Chair of the PAB Audit Committee attends the University Audit Committee to provide assurance on the respective governance, control and risk management practices of both the Press and Assessment. This assurance is given through a number of oral and written reports to the Audit Committee throughout the year.

At each Audit Committee meeting the Chair of the PAB Audit Committee provides an oral update on the business of Cambridge Assessment and Cambridge University Press and the items of discussion at the latest PAB Audit Committee meeting. In addition, a written annual report of the PAB Audit Committee is received at the Audit Committee’s November meeting, and a half-year report at its May meeting. Under the PAB Audit Committee’s Terms of Reference, the Chair of the PAB Audit Committee has direct access to the Chief Financial Officer as Chair of the PAB and to the Vice-Chancellor as Chair of both the Press Syndicate and Local Examinations Syndicate.

Assurance on risk management practices is obtained through the annual submission of Cambridge University Press’s and Cambridge Assessment’s individual risk registers to the University’s Risk Steering Committee, the minutes of which are sent to the Audit Committee. In addition, a statement on each of the organisations’ activities and controls in relation to their Anti-Bribery and Corruption policies is incorporated within the University’s annual Bribery Policy report which is received by the Audit Committee at its July meeting.

Further assurance and opportunity to discuss the activities of the two organisations more deeply is gained through periodic presentations from their respective Chief Executives and/or Chief Financial Officers, the next of which is planned for early 2019.

(f) Non-standard items

In addition to the standing agenda items, the Audit Committee has considered the following items as part of its business during the 2017–18 financial year:

(i)OfS Assurance Review

The Assurance Review took place on 25 June 2018 and involved interviews with the Chair and other attendees of the Audit Committee. The Review Report gave an overall conclusion that reliance could be placed on the University’s accountability information for the purpose of satisfying current regulatory requirements. Five key findings were made, all of which were accepted by management and are either implemented or are progressing towards implementation by the end of 2018.

(ii)Policy against bribery and corruption

The Committee received an annual review of the University’s policy against bribery and corruption at its July 2018 meeting. There had been no reports of bribery across the University Group. Cambridge University Press and Cambridge Assessment separately provided assurance to the Audit Committee that their own policies against bribery and corruption were compliant with the University’s policy.

Bribery Act training is conducted through the University’s online Bribery and Corruption training module. The course was re-designed in Michaelmas Term 2017 with a focus on more relevant examples and to incorporate material on the two new Corporate Criminal Offences which came into force in September 2018. A reminder to undertake training was issued by the Registrary in February 2018 to all Heads of Institutions and Departmental Administrators. The message highlighted the importance of individuals’ participation in the training and clarified who should undertake the training.

(iii)Estate safety and compliance review

The University’s Estate Management Division commissioned a review on safety and compliance in late 2017. The review was initiated in order to provide the University with confirmation that its building estate is systematically subjected to key safety relevant activities, including statutory inspection, assessment, and maintenance. The review was carried out by the internal auditors, Deloitte. A number of recommendations were made with actions relating to the strengthening of governance, management and assurance. An update on progress made against actions was received by written and oral report from the Director of Estate Strategy and his colleagues at the July 2018 meeting and a similar update will be provided at the Committee’s October 2018 meeting.

(iv)Review of effectiveness

The Committee commissioned an externally led review of its effectiveness in 2016. A number of recommendations were made which have continued to influence how the Committee has operated in 2017–18. In particular, full consideration of internal audit reports in meetings is restricted to the ‘limited’ or lower assurance reports only. This has enabled greater time for discussion of key topics such as cyber security.

In addition, meetings have been held at different venues across Cambridge. This has allowed members to visit key sites of operation, for example the Cambridge biomedical campus where the Committee’s July meeting was held. The different venues are also helpful for receiving presentations from senior officers based in those locations; for example at the July meeting the Regius Professor of Physic presented to the Committee on the key risks of the Clinical School. Continuing this theme, meetings at Cambridge Assessment, Cambridge University Press and Eddington (North West Cambridge) are planned for next year. Finally, presentations from senior officers on key areas of operation have continued, and as noted above, the Executive Director of Development and Alumni Relations presented to the Committee on risks in the area of fundraising.

8.5 Workshops

Audit Committee workshops are opportunities to discuss strategic issues in more depth, often based around an expert presentation. These workshops operate in part as professional development opportunities for the Committee’s members.

Following its May 2018 meeting the Committee held a workshop on the topic of Space Utilisation. Mr Paul Milliner, Head of Estate Strategy, and Mr Chris Edwards, Assistant Director of UIS presented, with Dr Jason Matthews, Director of Estate Strategy, Professor Ian Leslie, Director of UIS, and Ms Catherine Fage, Head of the Student Registry, contributing to discussions.

After its July 2018 meeting, a workshop was held on the USS pensions scheme. Mr Mark Packham, Director, PwC, and Mr Steve Blackmore, Pensions Partner, PwC, presented to discuss the latest developments. Mr Jonathan Seed, the University’s independent actuary, and Ms Sue Curryer, Head of Pensions Administration, contributed to the discussions.

In addition, the Vice-Chancellor met with the external members of the Committee separately after its November 2017 meeting.

Footnotes

  • 1This figure differs from the equivalent figure given in the Internal Auditor’s Annual Report which is 50%. The Internal Auditor’s figure refers only to finalized audit reports commissioned under the 2017–18 Audit Plan which represents a more limited range of reports.

  • 2This is the joint audit committee of Cambridge Assessment and Cambridge University Press which was established in summer 2017 under the newly formed Press and Assessment Board.

  • 3Figures refer to Committee members, senior officers and the Chair of the Press and Assessment Board Audit Committee.

  • 4See the Audit Committee regulations in Chapter XIII Finance and Property at Statutes and Ordinances, 2018, p. 1057.

  • 5Statutes and Ordinances, 2018, p. 46.