No 6575
Wednesday 29 January 2020
Vol cl No 17
pp. 305–323
4 February, Tuesday. Discussion at 2 p.m. in the Senate-House (see below).
13 February, Thursday. Lent Term divides.
18 February, Tuesday. Discussion at 2 p.m. in the Senate-House.
22 February, Saturday. Congregation of the Regent House at 2 p.m.
23 February, Sunday. Preacher before the University at 11.15 a.m., Professor Rae Langton, N, Knightbridge Professor of Philosophy (Hulsean Preacher).
|
Discussions (Tuesdays at 2 p.m.) |
Congregations (Saturdays unless otherwise stated) |
|
4 February |
22 February, at 2 p.m. |
|
18 February |
21 March, at 11 a.m. |
|
3 March |
28 March, at 11 a.m. |
|
17 March |
The Vice-Chancellor invites those qualified under the regulations for Discussions (Statutes and Ordinances, p. 105) to attend a Discussion in the Senate-House on Tuesday, 4 February 2020 at 2 p.m., for the discussion of:
1.Second-stage Report of the Council on the refurbishment of 1 Regent Street for the Cambridge Institute for Sustainability Leadership (Reporter, 6572, 2019–20, p. 186).
2.Annual Report of the Council for the academic year 2018–19, dated 13 November 2019 (Reporter, 6573, 2019–20, p. 194).
3.Annual Report of the General Board to the Council for the academic year 2018–19, dated 5 November 2019 (Reporter, 6573, 2019–20, p. 202).
4.Reports and Financial Statements for the year ended 31 July 2019 (Reporter, 6573, 2019–20, p. 210).
5.Joint Report of the Council and the General Board, dated 20 January 2020 and 27 November 2019, on the introduction of a final degree classification (Reporter, 6574, 2019–20, p. 300).
Further information on Discussions, including details on format and attendance, is provided at https://www.governance.cam.ac.uk/governance/decision-making/discussions/.
The Registrary gives notice that she has received the following request for the discussion of a topic of concern to the University:
In light of the recent installation of dangerous and inaccessible barriers1 on the busway path leading to the Biomedical Campus, we, the undersigned, hereby request that a Discussion be held as soon as convenient in the Lent Term on the subject ‘That the Regent House, as the governing body of the University, consider how to ensure that the University enables and encourages sustainable transport modes such as cycling in all of its works and policies on and off the Estate, and how to ensure that when the University is involved in the design of transport facilities that those designs are fully accessible,2 safe, convenient and respectful of all users.’
We further request that this Discussion be open to all students and to all employees of the University Group and the Colleges, in addition to those already entitled to attend.
This request is supported by the following 25 members of the Regent House:
|
R. J. Anderson |
A. J. Hutchings |
R. M. Mortier |
|
J. J. Baumberg |
E. Kalyvianaki |
S. J. Murdoch |
|
M. Bithell |
M. A. Kleppmann |
A. S. M. Prorok |
|
J. A. Crowcroft |
M. G. Kuhn |
C. A. Stewart |
|
M. R. Danish |
I. J. Lewis |
J. Warbrick |
|
C. Ducati |
M. V. Lucas-Smith |
M. Warner |
|
S. L. Fagg |
C. Mascolo |
J. A. Zeitler |
|
L. M. Gough |
A. W. Moore |
|
|
P. M. Gray |
S. W. Moore |
The Council has agreed that this topic will be included among the matters for consideration at the Discussion to be held in the Senate-House at 2 p.m. on Tuesday, 3 March 2020. The Discussion will be open to all students and all employees of the University Group and the Colleges, in addition to those already entitled to attend.
The Council has received the Annual Report of the Audit Committee for the financial year 1 August 2018–31 July 2019. The report is published below for the information of the University. Appendices A, C, D (in part), E and F to the report are provided as a separate pdf file at https://www.admin.cam.ac.uk/reporter/2019-20/weekly/6575/AuditReport-Appendices.pdf. Appendix B and part of Appendix D are not reproduced.
I was appointed Chair of the University of Cambridge Audit Committee in January 2019, following the appointment of my predecessor, Mr Mark Lewisohn, to Deputy Chair of the University Council. 2018–19 has been a challenging year for UK Higher Education Institutions (HEIs) as they have had to adjust to new regulatory requirements and operate in a highly uncertain political environment. In this context, the University faces its own challenges in terms of the complexity of its activity, its financial sustainability and responsiveness to change. The Audit Committee plays an increasingly significant role in the University’s governance.
To help meet these challenges, the University has fundamentally reviewed its risk management framework and reformed its risk register. The Audit Committee is responsible for scrutinising and assessing the management of the risks. The Committee receives the latest version of the risk register biannually for this purpose. The risks have also driven the development of next year’s Audit Plan, 2019–20. Further detail of the risk management work is provided in Section 3.5 of the report and information about the Audit Plan is given in Section 5.1(ii).
In recent years, a specific challenge for the Audit Committee has been the timeliness of the implementation of actions agreed in response to internal audit recommendations. To address this, the Audit Committee approved a piece of work in 2018–19 in which Heads of Divisions reviewed outstanding audit actions in their area of operation with a view to ensuring that these actions were realistic, effective and achievable. This work is described in Section 3.6.
Over the last two years the Audit Committee has seen a higher number of internal audit reports with limited assurance ratings. Although this could be considered a point of concern, the Committee views this instead as a positive indication that it is looking into the right areas of operation. Moreover, the Committee’s discussion of the audit findings has helped to identify a number of emerging themes, including the tension between institutional1 autonomy under the University’s devolved structure and the need for compliance by those institutions with central policies and procedures. This also raises questions about how the central divisions of the University receive appropriate oversight and assurance over the implementation of policies and procedures at a local level. These themes are explored further in Section 2.7 under future challenges for the Committee.
As well as my own appointment, this year the Audit Committee has welcomed three other new members. Members have benefitted from induction presentations from senior officers. In addition, in July 2019, some of our external members visited one of the University’s larger departments to learn directly from senior departmental staff about Departmental operations and challenges. Further visits to a range of Departments and Schools are planned for 2019–20. The Audit Committee continues to benefit from holding its meetings in a range of venues around the University, from the University Primary School to the Sainsbury Laboratory and the Cambridge Assessment Triangle building. This has facilitated presentations and tours which help members, especially external ones, gain a deeper understanding of the work and risks encountered across different areas of the University. This is invaluable for informing members’ work and contributions to the Committee.
While keeping within the Committee of University Chairs (CUC) guidelines, the main Section of this year’s annual report has been re-structured around the Audit Committee’s key responsibilities of obtaining assurance on (1) risk management, control and governance, (2) value for money and (3) data quality. The Committee’s opinions are provided along with the assurance obtained to inform the opinions. Finally, the report incorporates the opinion of the internal auditor. The Audit Committee notes the opinion of the internal auditor and accepts that the effectiveness of controls in some areas could be enhanced. These areas are considered further under Section 2.7, ‘Challenges for 2019–20’.
Professor Sir David Greenaway,
Chair of the Audit
Committee, University of
Cambridge
The Audit Committee is required to submit an annual report to the Council2 and subsequently to the Office for Students (OfS).3 The purpose of the report is to set out the current membership and constitution of the Audit Committee, to report on its work and activity over the last financial year and to provide the Committee’s and the auditors’ opinions on the adequacy and effectiveness of the University’s systems of risk management, control, governance and value for money. The report is informed by the internal audit annual report (Appendix B [not reproduced]). It follows the guidance set out in Appendix 6 of the CUC’s Handbook for Members of Audit Committees in Higher Education Institutions4 (endorsed by the OfS).
The Audit Committee Annual Report is for the 2018–19 financial year (1 August 2018–31 July 2019), and is delivered in four sections:
•An introduction and executive summary from the Chair of the Audit Committee;
•an overview focusing on key themes arising from the work of the Audit Committee during 2018–19;
•the opinion of the Audit Committee on the reliance to be placed on the internal control and reporting systems of the University; and
•a description of the University’s arrangements for internal and external audit, including the overall opinion of the internal auditor and the findings in the external auditor’s annual report.
A copy of this report will be published in the University’s official journal, the Reporter, for the information of the University.
The Constitution of the Audit Committee is set out in the Statutes and Ordinances of the University of Cambridge. Further information on the Committee’s membership, terms of reference and meetings are provided in Appendix A.
The University’s internal auditor is Deloitte LLP and its external auditor is PricewaterhouseCoopers LLP (PwC). Further information on the University’s arrangements for internal and external audit are provided in Section 4 of the report.
The Audit Committee is required to provide an opinion on the adequacy and effectiveness of the University’s arrangements for:
•risk management, control and governance;
•economy, efficiency and effectiveness (value for money); and
•the management and quality assurance of data submitted to the Higher Education Statistics Agency, the Student Loans Company, the OfS, Research England and other bodies.
The Audit Committee’s opinion is based on the Committee’s consideration of the University’s Risk Register, the internal auditor’s annual report, the external auditor’s Management Letter, other work commissioned by the Committee during the year and on discussions at its meetings and workshops. The Committee invites senior officers in particular areas of operation to present to the Committee and answer questions. Workshops are held outside formal meetings to enable more in-depth discussion on a particular topic. The Committee receives further reports from the audit sponsors (the senior officer responsible for the area of audit) of internal audit reports which carry limited assurance ratings.
In addition to oral reports, the Committee receives a range of written reports throughout the year. These include annual reports on value for money, research grants audits, the University’s anti-bribery and corruption policy, and an annual report from the Committee on Benefactions and External and Legal Affairs.
In 2018–19, the Audit Committee has looked at a number of key areas of operational risk including buildings safety compliance, cyber security strategy, research costing and allocation, emergency and continuity planning, and student operations.
(i) Buildings safety compliance
In 2018, the Director of Health, Safety and Regulated Facilities and the Director of Estate Management instigated a review of safety compliance in buildings across the University estate. The review was conducted by the internal auditor and recommendations were made in three areas: governance, management and assurance. A Compliance Programme of work was established to address the audit findings. In July 2018, the Director of the Compliance Programme reported to the Committee that good progress had been made, particularly on ensuring that safety documentation was complete. The Committee received a further update in October 2018 from the Director of Estate Strategy and the Director of Estate Operations. Further progress had been made. They also noted a decision to adopt a revised strategy to review systems (e.g. water and power) rather than buildings, to ensure that the work was prioritised more efficiently according to the level of risk. The work was led by in‑house system experts, which had resulted in a more joined up process. The internal auditor had given assurance on the revised strategy.
The Committee was content with the work undertaken and the future proposed plans. It encouraged Estate Management to share information on buildings safety compliance with the Colleges (over which Estate Management had no oversight). The Director of Estate Management will provide a further update to the Committee in the 2019–20 academic year.
(ii) Cyber Security Strategy
In November 2018, the Committee received an internal audit report on the University’s Cyber Security Strategy. The internal auditor noted that while the strategy was a good starting framework, further work was needed, such as a cyber risk assessment. The Chief Information Security Officer (CISO) reported that work in progress included developing a better understanding of risk across the University and this this would drive prioritisation of activity. Other projects included working with institutions to achieve minimum technical standards, collaborating with Colleges to ensure greater resilience across the collegiate University, and engaging directly with the National Cyber Security Centre. The CISO noted that staff across the collegiate University were increasingly aware that cyber security was a shared risk that could only be mitigated by effective collaboration across the board. This cultural change was likely to be more helpful to improving cyber security than providing extra resources.
The Committee noted that the potential reputational damage from cyber-attacks remained significant. It agreed to continue to monitor cyber security work and in July 2019 the Committee held a workshop with the CISO and the Director of University Information Services to discuss the Cyber Security Strategy in more depth. The CISO described the five strategic goals of the Strategy with reference to the key cyber threats faced by the University. The programme of work was expected to take two to three years to implement. Cyber security will be reviewed again by the Committee as part of the 2019–20 Audit Programme of work.
(iii) Research costing and time allocation
In November 2018, the Audit Committee received an audit report on how the University costs research and monitors expenditure against costing. The work also investigated adherence to Transparent Approach to Costing (TRAC), an activity-based costing activity for HEIs. While the audit found full compliance with TRAC methodology, it also identified potential under recovery of research costs and this aspect of the report carried limited assurance.
The Committee recognised that recording time in the context of research grants in order to charge costs appropriately was problematic, as research time could not easily be ascribed to regular working hours. The Committee further noted that the University’s need to maximise cost recovery on research grants competed with the aim of funding bodies to get the best value for money. This review would fit well with separate work on a revised planning process and allocation methodology led by the Pro-Vice-Chancellor (Strategy and Planning). In addition, it was noted that the University had committed to significant investment in pre-award administration which would help deliver improvements in grants pricing. An audit focusing on research recovery rates is scheduled for 2019–20, with an audit of the pre-award research administration service to follow in 2020–21.
(iv) Emergency and continuity planning
In November 2018, the Committee received an internal audit report on Emergency and Continuity Planning which carried limited assurance. The report highlighted the need for a more robust process for overseeing Institutional Emergency Action Plans (EAPs) among other findings. The Committee endorsed a plan summarising the actions that would be taken by the Registrary’s Office in response to the report. The actions included a new process for the oversight of EAPs by the Council and General Board.
In July 2019, the Committee received an update of progress against actions. Most actions had been implemented, including the new reporting process. This had resulted in significantly improved emergency management preparation across the University. Since November 2018, 65% of all Faculties, Departments and Non-School Institutions have updated their Emergency Action Plans. 96% of Faculties, Departments and Non-School Institutions (NSIs) have Emergency Action Plans in place. It was noted that, while some actions had been delayed owing to no-deal Brexit planning, this work itself had contributed to improved preparation. The Committee noted a time plan to fully implement remaining actions.
(v) Students studying and working away, and student assessment and examinations
The Audit Committee received two internal audit reports on aspects of student operations: Students Studying and Working Away in March 2019 and Student Assessment and Examinations in May 2019. Both reports carried limited assurance.
Key findings from the students studying and working away audit related to incident management and risk assessment. The Acting Head of Student Operations reported to the Committee that substantial work had been undertaken since the audit took place. The University’s Guidance on Managing Risks from Travel, Fieldwork and Work Away from Cambridge5 had been updated and significant work had been undertaken to address the recommendations of the report. She further noted that both the University and the Colleges had important roles with respect to supporting students working away and that their respective responsibilities for health and safety and pastoral care had been considered carefully in the development of the Guidance. The Guidance would be updated in response to feedback from Colleges, Faculties and Departments. The Committee agreed that a further internal audit should take place in 12–18 months’ time to assess whether the new Guidance had been embedded effectively.
The audit report on student assessment and examination had identified differing practice across Faculties and Departments with respect to administrative processes. The Acting Head of Student Operations noted the lack of technology for delivering the examination process. A new Examinations and Assessment Committee was undertaking an end-to-end process review to identify improvements and was looking at alternative forms of assessment. The Committee encouraged the Acting Head of Student Operations to resume discussions with Cambridge Assessment on potential collaborations with regard to the delivery of examinations and assessments. The Committee will receive an update on progress during 2019–20.
During 2018–19, the University introduced a new risk management policy and framework,6 following a review, in consultation with the University’s senior leadership team and with support from the University’s internal auditor, Deloitte. The new processes are designed to enable the senior leadership team to consider the University’s key risks in a more meaningful way and within the context of the University’s evolving priorities, prior to scrutiny and approval of the University’s risk register through the Audit Committee and the Council. The Audit Committee now plays a greater role in scrutinising risks on the University’s risk register and challenging senior officers on the management of those risks.
The new risk management policy has been cascaded through the University to Schools and Non-School Institutions. The policy sets out a broad expectation of how Schools and NSIs should identify and review risks. However, the policy acknowledges that risks will vary widely across the University, and so allows room for Schools, Faculties, Departments and other institutions to determine how best risk should be managed locally in a manner appropriate to each institution. School and NSI risk registers will be reviewed centrally by the senior leadership team at least annually. A relevant management committee (i.e. the Council of the School or equivalent) is expected to scrutinise School/NSI risks on a more regular basis throughout the year to ensure risks are being appropriately managed.
In parallel to the review described above, the University’s senior leadership team identified a revised set of University risks, comprising risks that are considered to be fundamental to the University’s ability to deliver its mission. In May 2019, the Audit Committee received the new University risk register, and subsequently recommended the risk register to the Council for approval. The revised University risk register was approved by the Council in May 2019, and shared with Schools, Non-School Institutions, the Colleges and relevant Committees for information during Easter Term. A copy of the University’s risk register is available on the Registrary’s Office webpages for all members of the University.7 The new risk register was used to inform the development of the internal audit programme for 2019–20.
During 2018–19, the Committee has focused on reviewing and rationalising outstanding internal audit actions, partly in recognition of the fact that action owners do not always have sufficient leverage to effect change to processes that take place at School, Faculty or Department level. The Committee approved a new approach in which senior officers and Heads of UAS Divisions reassessed open actions on the basis of the level of risk presented by the underlying problems, the effectiveness of the proposed actions and the available resources and other priorities and commitments.
As a result of this review, 39% of the outstanding actions were confirmed as having been completed and 51% were retained or amended with new deadlines agreed for completion. University management agreed with Deloitte that it was prepared to accept the risk for 10% of the outstanding actions, on the basis that the proposed actions were no longer considered to be high risk, or were not considered a priority in the context of available resources.8
In order to improve the timely implementation of internal audit actions in the future, the Registrary’s Office will work more closely with audit sponsors and the internal auditor at an earlier stage in the audit process. This earlier involvement is intended to ensure that the agreed scope of audits is appropriate and that recommendations are sensible and deliverable within the context of the University’s devolved structure and the culture of the University.
Over the course of 2018–19, a number of themes have emerged from audit findings and information provided through presentations to the Audit Committee. Two themes in particular stand out. The first is the tension between institutional autonomy under the University’s devolved structure and the need for compliance by those institutions with central policies and procedures. The second theme is the consideration of how far the University’s culture of academic freedom extends into non-academic areas, particularly in relation to areas of growing reputational risk to the University such as cyber security.
The tension between institutional autonomy and compliance with central policies and procedures raises questions about how the central divisions of the University receive appropriate oversight and assurance over the implementation of policies and procedures at a local level. These issues are highlighted in the findings of a number of internal audit reports. The internal auditor has recommended use of technology to facilitate oversight, for example in the audit on Student Assessment and Examination using technology throughout the examination cycle for the secure sharing and storage of exam questions and marks between Faculties and Departments. Better IT systems would also help HR monitor compliance with HR policies and procedures such as works paid through the University Payment System.
The need for clearer guidance and setting out of responsibilities between the central divisions and devolved institutions is also important. This was illustrated in the audits on Students Studying and Working Away, Student Wellbeing, Procurement and the review of Safety Compliance. In each case guidance needed to be updated and made clearer so that Institutions could understand the requirements in order to comply with them.
The second theme, on how far the University’s culture of academic freedom (which applies only to academic activity) extends into non-academic areas, emerges particularly in areas of growing reputational risk such as cyber security, bribery and the corporate criminal offence. Training in all these areas helps to increase awareness and encourage a sense of shared risk. However, targeting training more effectively and making it easier to complete may help further, particularly in the case of the anti-bribery and corruption policy.
The Audit Committee will consider how best to address and monitor these areas in 2019–20 and will update its work plan accordingly.
The Audit Committee keeps under review the University’s risk management strategy and implementation, and the effectiveness of the University’s systems of financial and other internal controls and governance as follows:
(i) Risk management
The University is committed to ensuring that it has a robust and comprehensive system of risk management in line with the requirements of the Office for Students, and follows good practice in risk management. A summary of how risks are identified and evaluated, and how risk management is embedded in ongoing operations is provided below.
(a)The University’s senior leadership team is responsible for identifying and managing risks across the University’s activities, within the context of the University’s priorities and objectives. The review of risks encompasses business, operational, compliance, financial and reputational risks.
(b)All identified risks are evaluated using a common framework for scoring that considers both the likelihood and impact of risks becoming a reality. The scoring guidance for evaluating risks prompts risk owners to consider the following categories of impact: finance, compliance, safety, service delivery (operational), reputation and people.
(c)The risk management framework applies across the University’s institutions, with further guidance and information provided to those who own or manage University, School, Faculty or Departmental risks (primarily through web-based resources and training). Risk assessment underpins the University’s programme of internal audit and is embedded as part of the University’s annual planning processes.
(d)The University’s risk register identifies those risks that are considered to have a fundamental impact on the University’s ability to deliver its mission or to operate effectively. The risk register is considered and formally approved by the Council at least annually, enabling it to receive direct updates on the evaluation and management of risks.
(e)From June 2019 onwards, a discussion on the status of each risk on the University risk register and progress with mitigating actions has taken place with risk owners as part of a schedule of monthly meetings.
Under the new risk management framework introduced during 2018–19, the Audit Committee will continue to consider risk management as a standing item in its meetings to ensure routine monitoring. The Audit Committee will report to the Council on internal controls and alert the Council to any emerging issues as necessary. In addition, the Audit Committee will formally review the University risk register at least twice a year, and make a recommendation to the Council as to whether the risk register and the management of risks is appropriate.
It is acknowledged that the University is at a early stage of maturity in relation to its approach to risk management. The recent changes made to the risk management framework are the first step of a process that is expected to develop and evolve over time, with a long term aim to map out and understand how the University gets assurance over the processes and controls that it has put in place to mitigate risk.
Risk management training seminars are delivered twice a year through the Personal and Professional Development training programme, and offered to staff across the University. A new online risk management training course was launched in October 2019 and is available for all University staff.
(ii) Corporate governance and internal control
The Council is responsible for ensuring that a sound system of internal control is maintained. The Statement of Internal Control, included in the Financial Statements and provided in Appendix C, sets out the University’s arrangements for the prevention and detection of corruption, fraud, bribery and other irregularities. It also includes an account of how the principles of internal control have been applied.
The Council is also responsible for reviewing the effectiveness of the system of internal control. The Audit Committee supports the Council in this role as described below.
(a)The Chair of the Audit Committee provides periodic reports to the Council concerning internal control and risk management.
(b)Risk management is a standing item on the Audit Committee agenda and is the driving element in the design of the annual internal audit programme of work. The Audit Committee considers the effectiveness of the risk management framework and reports on this annually.
(c)The Council receives minutes of all meetings of the Audit Committee.
(d)The Audit Committee receives regular reports from the University’s internal auditor, which includes the internal auditor’s independent opinion on the adequacy and effectiveness of the University’s system of internal control and risk management, together with recommendations for improvement.
(e)The Audit Committee reviews and reports on the implementation of actions in response to recommendations for improvement made as part of the regular audit cycle and other investigations as required.
(f)The Audit Committee reviews the University’s policy against bribery and corruption on an annual basis and considers the effectiveness of the University’s arrangements for the prevention and detection of corruption, fraud, bribery and other irregularities.
Through the consideration of reports from the internal auditor and other investigations, the Audit Committee is assured that the University’s system of internal control is currently effective and is able to report its reassurance to the Council for the year 2018–19.
(iii) Fraud, bribery and corruption
The Audit Committee oversees the University’s Policy against Bribery and Corruption. Under the Financial Regulations, any member of staff must report immediately to the Registrary and the Director of Finance any suspicion of bribery, fraud or other irregularity. Instances of bribery and fraud that involve sums of over £25,000 must be reported to the OfS under its terms and conditions of funding for higher education institutions.
In the 2018–19 academic year, across the University, the Colleges and the University’s subsidiaries, there has been one known alleged case of bribery and three known cases of fraud. One of the cases of fraud was reported to the OfS as it was over the reporting threshold. A further new case of fraud was reported to the Chair of the Audit Committee and the internal auditor in September 2019 and is currently under investigation.
In July 2019, the Committee received an annual review of the University’s Policy against Bribery and Corruption. Bribery Act training is conducted through the University’s online Bribery and Corruption training module. The course was re-designed in 2017 to focus on more relevant examples and to incorporate material on the legislation on two new Corporate Criminal Offences introduced in the UK in September 2017. The Committee agreed actions, including to simplify the course, to help improve future participation. In June 2019 the Registrary sent her annual reminder to all staff, via Secretaries of Schools and Heads of Institutions, to undertake training.
(iv) Cambridge University Press and Cambridge Assessment
Cambridge University Press is governed by the Press Syndicate, and Cambridge Assessment by the Local Examinations Syndicate. Both Syndicates have delegated their powers to the joint Press and Assessment Board (PAB) which has various sub-committees including the PAB Regulatory Compliance Committee and the PAB Audit Committee. The Chair of the PAB Audit Committee attends the University Audit Committee to provide assurance on the respective governance, control and risk management practices of both the University Press and Cambridge Assessment.
At each Audit Committee meeting, the Chair of the PAB Audit Committee provides an oral update on the business of Cambridge Assessment and Cambridge University Press and the items of discussion at the latest PAB Audit Committee meeting. In addition, a written annual report of the PAB Audit Committee is received at the Audit Committee’s November meeting, and a half-year report at its May meeting. Under the PAB Audit Committee’s Terms of Reference, the Chair of the PAB Audit Committee has direct access to the Chief Financial Officer as Chair of the PAB and to the Vice-Chancellor as Chair of both the Press Syndicate and Local Examinations Syndicate.
Under the new risk framework, the Audit Committee will review the two organisations’ risk registers as part of its biannual review of the University’s risk register. A report on each of the organisations’ activities and controls in relation to their Anti-Bribery and Corruption policies is incorporated within the University’s annual Bribery Policy report.
Further assurance on the activities of the two organisations was gained in January 2019. The Committee received a presentation from the Chief Executives of each company in which they described their respective operations, issues and key risks and their collaborative development of strategy and sharing of expertise.
Audit Committee opinion – Risk management, control and governance arrangements: The Audit Committee has monitored and considered the effectiveness of the University’s risk management, control and governance arrangements throughout 2018–19. These arrangements support the University in fulfilling its policies, aims and objectives, enabling the University to identify, understand and manage its principal risks, and to be accountable and transparent in its governance. The Committee considers that the University and subsidiary companies have continued to make clear and sustained efforts to understand, communicate and incorporate best practice in risk management, governance and internal controls.
The Audit Committee has agreed that the Statement of Corporate Governance and the Statement of Internal Control provided in Appendix C and included in the Financial Statements for 2018–19 is an accurate reflection of the risk management, control and governance arrangements in place. The Committee is satisfied that these arrangements are adequate and effective.
The Audit Committee considers whether the arrangements adopted throughout the University for promoting economy, efficiency and effectiveness in the use of public funds and other resources are satisfactory, by monitoring the following financial controls, systems and management structures. The Committee is required to relay its view on the University’s arrangements for achieving value for money to the Council in its annual report.
(i) Value for Money
The Council has the responsibility to put in place arrangements that will ensure value for money (VFM) is being sought. To help discharge this responsibility, the University’s Resource Management Committee (RMC) is responsible for providing advice to the Council on VFM matters, and for keeping the Council and the Audit Committee advised of VFM issues.
The University’s Value for Money Strategy9 sets out how the University will achieve value for money in line with the requirements of the OfS. This is supported by the Value for Money Policy,10 which explains the University’s underlying approach to value for money. The Strategy and Policy were re-endorsed by the RMC in November 2019.
At its meeting in November 2019, the Audit Committee received the VFM annual report, which described a number of specific VFM related initiatives that had taken place during 2018–19. The report also included a set of value for money reporting indicators showing the University’s performance in a number of areas, including financial sustainability, research, education and the administration and workforce.
In addition to the internal VFM report, economy, efficiency and effectiveness in the use of resources are considered as part of each system audit undertaken by the University’s internal auditor, with recommendations made as part of the individual audit reports as appropriate.
Efficiency and value for money continue to be promoted through both local level and University-wide initiatives, such as in the areas of procurement, estate management, energy and sustainability and IT services. The University also collaborates with the Colleges through the Bursars’ Committee to ensure value for money across the Collegiate University.
(ii) Assurance on Colleges’ use of student fees for educational purposes
The Committee has agreed a protocol enabling the Director of Finance, on an annual basis, to provide assurance to the Audit Committee that the public funds received by the University from the Student Loans Company and transferred between the University and Colleges are used by the Colleges for the intended educational purposes. An annual meeting takes place between the Chair of the Audit Committee, the Chair of the Colleges’ Committee, the Registrary, and the Chair of the Bursars’ Committee to review the total expenditure on education by Colleges against their total educational income including the College fee. A note of this year’s meeting, held on 13 September 2019, was provided to the Audit Committee at its October meeting. The Committee agreed that the analysis provided reasonable assurance that the money was spent for the purposes intended.
The Committee also received the annual report by the General Purchasing sub-Committee to the Bursars Committee on Value for Money (see Appendix D [report not reproduced]). The Report described (1) how the Colleges worked together to maximise value for money through information sharing and collective purchasing arrangements and (2) collaborative projects between the University and Colleges. The Colleges and University worked collaboratively in areas such as waste management, IT and student counselling.
Audit Committee opinion – Economy, efficiency and effectiveness (value for money):The Committee has monitored the effectiveness of the University’s financial controls, systems and management structures in place for promoting efficiency, effectiveness and economy in the use of public funds and other resources.
The Committee has noted the continuing adoption of and improvement in financial procedures and management practices designed to support the achievement of value for money and institutional effectiveness. The Committee is satisfied that these arrangements are appropriate and effective.
The Audit Committee monitors the effectiveness of the University’s management and quality assurance of data returns submitted to the Higher Education Statistics Agency (HESA), the Student Loans Company, the OfS, Research England and other bodies through its programme of internal audit.
Internal audit reviews of various aspects of data management form part of the three-year cycle of audits. In 2018–19, an internal audit report on data quality with respect to the University’s HESA Return received substantial assurance. The table below summarises the results of data quality audits undertaken over the past five years.
|
Academic year |
Audit area |
Assurance rating |
|
2018–19 |
HESA Staff Return |
Substantial |
|
2017–18 |
Research Costing and Time Allocation (TAS and TRAC processes) |
Full |
|
2016–17 |
Museum Data Quality |
Substantial |
|
2015–16 |
HESA Return |
Substantial |
|
2014–15 |
HESES Return |
Substantial |
Audit Committee opinion – Management and quality assurance of data returns: The Audit Committee is satisfied that the management control and quality assurance of data returns submitted to the Higher Education Statistics Agency, the Student Loans Company, the OfS, Research England and other bodies are adequate and effective.
(i) Provider
Deloitte LLP is the University’s internal auditor. Deloitte was reappointed as the internal auditor for the University with effect from 1 August 2014 for a three-year term until 31 July 2017. It was reappointed for a further two years until 31 July 2019, which was subsequently extended until 31 July 2021, pending the outcome of a review of the University’s internal audit provision.
The performance of the internal auditor and their lead partner is considered annually by the Committee.
The fees paid for internal audit work completed in the financial year 2018–19 are shown in Appendix E.
(ii) Internal audit programme
The internal audit programme provides independent and objective assurance on the University’s operations in order to evaluate and improve the effectiveness of the University’s internal control systems. A draft internal audit plan is developed around the University’s objectives and assessment of its fundamental risks, as identified by the University’s senior leadership team.
The internal audit plan comprises a programme of cyclical audits, thematic audits and the departmental assurance survey. Different teams of auditors are assigned to undertake the work depending on the level of specialism required, and audits typically involve visits to a range of departments and institutions to follow up on particular functions.
Assurance over departmental controls is primarily provided via the annual departmental self-assurance survey, which addresses a range of key topic areas from compliance with financial processes and HR policies to departmental management planning activity and IT controls. To help validate the findings of the survey, the results are followed up by selected on-site testing and face-to-face meetings. The results of the survey are shared with management, together with a number of recommendations for improvement. The findings of the 2018–19 survey and management responses were reported to the Audit Committee in July and October 2019 respectively.
The approach to departmental assurance for the 2019–20 academic year will be re-evaluated, with a view to thoroughly reviewing the survey questions with topic owners in order to ensure the 2019–20 survey has a greater focus on key controls and areas of risk.
(iii) Internal audit reports and assurance ratings
Deloitte LLP provide an assurance rating for each internal audit report, based on their assessment of the adequacy and effectiveness of the system of internal control. The assurance ratings given are as follows:
|
Full |
There is a sound system of internal control designed to achieve the University’s objectives. The control processes tested are being consistently applied. |
|
Substantial |
While there is a basically sound system of internal control, there are weaknesses, which put some of the University’s objectives at risk. There is evidence that the level of non-compliance with some of the control processes may put some of the University’s objectives at risk. |
|
Limited |
Weaknesses in the system of internal controls are such as to put the University’s objectives at risk. The level of non-compliance puts the University’s objectives at risk. |
|
Nil |
Control processes are generally weak leaving the processes / systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes / systems open to error or abuse. |
Where recommendations are made as part of the internal audit process, Deloitte LLP classifies their recommendations as follows:
|
Priority 1 |
Issues that are fundamental to the University, for the attention of senior management and the Audit Committee. |
|
Priority 2 |
Issues that are fundamental to the area subject to internal audit, for the attention of senior management and the Audit Committee. |
|
Priority 3 |
Important issues to be addressed by management in their areas of responsibility. |
|
Priority 4 |
Housekeeping issues or good practice suggestions. |
(iv) Audit Committee review of internal audit reports
The Audit Committee is provided with access to all internal audit reports through its online portal and the internal auditor summarises the findings of those reports in a progress report provided to each meeting of the Audit Committee. However, the Committee only discusses in detail those reports that carry Limited or Nil assurance ratings. In such cases, the audit sponsor is invited to attend the meeting in which the report is discussed, to enable them to respond to the report and answer questions that members of the Committee may have.
During 2018–19 and up to the point of writing, the Committee has received and considered 24 internal audit reports, including three extra commissioned reports. Where a rating was ascribed, 53% of reports were given Substantial or Full assurance.11
(v) Internal auditor opinion
The annual report for the period August 2018 to 31 July 2019 was received by the Audit Committee at its meeting of 3 October 2019 (see Appendix B [not reproduced]). Subject to the limitations of the work described in Deloitte LLP’s report, the internal audit opinion given was as follows:
Based on the conclusions of our work, we can provide the University of Cambridge with a reasonable, but not absolute, level of assurance in relation to the organisation’s arrangements for risk management, governance, internal control and value for money for the year ended 31 July 2019. The control issues identified during our work do not materially impact upon the assurance statement provided.
Within the context of the Annual Opinion, it is noted that the effectiveness of controls in some areas could be enhanced. We have provided supporting statements on the following pages where our recommendations for improvement have informed the overall annual assurance rating.
(vi) Review of Assurances Received
The Audit Committee accepts the internal auditor’s opinion and agrees that the effectiveness of controls in some areas could be improved. The Committee particularly notes the challenges stemming from the devolved nature of the University and the need to develop and update the University’s internal processes and systems in some areas to support greater visibility and transparency in the monitoring of controls implemented across the devolved University.12 University management have identified two large transformational programmes; the Finance Business Transformation Programme, which is underway; and the HR Improvement Programme, for which preliminary discussions are taking place. These programmes will aid in simplifying and improving key processes, reducing the need for local variation and improving transparency in monitoring controls.
In addition, work is ongoing to (1) improve implementation of outstanding actions arising from internal audit recommendations, (2) to address the shortcomings raised in Limited Assurance reports, and (3) to review the Departmental Assurance Survey to provide a greater focus on departmental compliance with key controls in areas of high risk.
In the academic year 2019–20, further work will take place to identify potential mechanisms for improving accountability and delegations of authority across the University as a devolved organisation and to achieve greater visibility of controls operated at departmental level.
(i) External audit provider
PricewaterhouseCoopers LLP (PwC) was reappointed as the external auditor for the University for the financial year 2018–19. External audit informs the Audit Committee on the operation of the internal financial controls reviewed as part of the annual audit.
The fees paid for work completed in the financial year 2018–19 are shown in Appendix F.
(ii) Review of appointment
In accordance with the OfS’s terms and conditions of funding for Higher Education Institutions, the external auditor is appointed or reappointed annually. The Statutes and Ordinances of the University of Cambridge also require that the accounts of the University are audited annually by qualified accountants appointed by Grace on the nomination of the Council.13
Following a market testing exercise in 2018, PwC was reappointed to provide the external audit provision (subject to annual reappointment). However, the University agreed that PwC would discontinue the audits of low materiality subsidiaries as this work was more suitable for a smaller firm. It was agreed that for the 2018–19 audit, the audit of these subsidiaries would be undertaken by a local firm, Peters Elworthy & Moore.
At its January 2019 meeting, the Committee received positive feedback from the University and its subsidiary organisations in regard to the performance of the external auditor. The Committee therefore agreed to recommend to the Council that a Grace be promoted for the annual reappointment of PwC as the external auditor for the Financial Year 2018–19.
(iii) Details of non-audit services
During 2018–19, the external auditor and PwC international affiliates firms carried out non‑audit work in the following areas for the University: Financial Conduct Authority client asset work on behalf of Cambridge Investment Management Ltd; agreed upon procedures in relation to a statement of creditors for Cambridge India Research Foundation; agreed upon procedures in relation to Trademark and TV Licences at Cambridge University Press South Africa (Pty) Limited and the independent audit of the ClimateWise principles for 2019. In each significant case the engagement was subject to the Audit Committee’s policy on non-audit services to ensure that the external auditor’s independence was not placed at risk.
(iv) External auditor’s annual report to the Audit Committee
The Audit Committee received PwC’s external audit annual report 2018–19 at its meeting on 18 November 2019.
The Audit Committee considered the report and was satisfied with the remarks on auditing and accounting matters, detailed control observations and other observations from around the University group. The Audit Committee was also satisfied with the University’s management response included as an Appendix to the report.
Audit Committee Annual Report 2018–19: Appendices
1i.e. at a School, Faculty or Departmental level.
2Specified in Chapter XIII of the University’s Statutes and Ordinances, 2018, p. 1057.
3The Audit Committee Annual Report is submitted to the OfS in December as part of the University’s annual assurance return.
6https://www.registrarysoffice.admin.cam.ac.uk/files/risk_management_policy_approved_21.01.19.pdf
8Figures correct as at May 2019.
9https://www.prao.admin.cam.ac.uk/resource-allocation/value-money/value-money-strategy
10https://www.prao.admin.cam.ac.uk/resource-allocation/value-money/value-money-policy
11This report refers only to those final internal audit reports that have been received and considered by the Audit Committee during the financial year under consideration. This includes any reports that were issued in draft during 2017–18, but which were not finalised for the Committee’s consideration until 2018–19. This does not include any 2018–19 reports that have been finalised recently by internal audit, but which have not yet been considered by the Audit Committee at one of its meetings.
13Statute F I 5, Statutes and Ordinances, 2018, p. 46.