Cambridge University Reporter

No 6729

Wednesday 14 February 2024

Vol cliv No 19

pp. 266–284

Notices

Calendar

21 February, Wednesday. Ballot of the Regent House, voting opens at 10 a.m.

24 February, Saturday. Congregation of the Regent House at 10 a.m.

25 February, Sunday. Preacher before the University at 11.30 a.m., The Revd Dr Harriet Harris, MBE, FRSE, Chaplain, University of Edinburgh (Hulsean Preacher).

4 March, Monday. End of third quarter of Lent Term.

Discussions (Tuesdays at 2 p.m.): 5 March, 19 March

Congregations (at 10 a.m. unless otherwise stated): 24 February, 23 March, 6 April

Election to the Council

9 February 2024

The Vice-Chancellor announces that the following candidates have been nominated in accordance with Statute A IV 2 for election to the Council in class (c) (other members of the Regent House), and that it has been certified to her that the candidates have consented to be nominated:

Dr Stephen Michael Joy, SE
nominated by: Dr L. C. McMahon, CAI, and Ms E. L. Simmonds, TH

Dr Ella Elizabeth McPherson, Q
nominated by: Professor M. G. Moreno Figueroa, DOW, and Dr S. Srinivasan, K

Dr Thomas James Matthams, CHR
nominated by: Professor J. H. Keeler, SE, and Professor E. A. Miska, JN

There will be an election to select one from among the three candidates. The person elected will serve with immediate effect until 31 December 2024. Voting will open at 10 a.m. on Wednesday, 21 February and close at 5 p.m. on Monday, 4 March 2024. Members of the Regent House will receive an email when voting opens on 21 February.

Review of the University’s Retirement Policy

The Council and the General Board wish to update the Regent House on the current status of the review of the University’s Retirement Policy.

The Retirement Policy and EJRA Review Group was established to consider:

The operation of the University’s current Employer Justified Retirement Age, in particular whether it has been successful in meeting its aims, and

The terms of the University’s Retirement Policy, to establish whether they remain fit for purpose.

The EJRA Review Group consulted widely during Michaelmas Term 2023 and an indicative timetable was published in December last year (Reporter, 6721, 2023–24, p. 167).

The Group now wishes to give members of the University community an opportunity to hear about its findings and recommendations ahead of the publication of its full Report. Two town hall meetings have been set up for this purpose. They will take place on Tuesday, 5 March from 9.15 a.m. to 10.15 a.m., and Monday, 11 March from 2.45 p.m. to 3.45 p.m. via Microsoft Teams. Members of staff and of the Regent House can register to attend one of the meetings via the relevant online registration page:

5 March 2024: https://www.staff.admin.cam.ac.uk/retirement-policy-event-5-march

11 March 2024: https://www.staff.admin.cam.ac.uk/retirement-policy-event-11-march

The meetings will address specific issues raised in the consultation. There will also be an opportunity to ask questions and to provide feedback on the Group’s initial findings and recommendations ahead of the final version being considered by the Council at its meeting in April, and a full Report being published after that meeting. A ballot of the Regent House on the Report’s recommendations is scheduled for June 2024.

Joint Report of the Council and the General Board on a revised procedure for the investigation of an allegation of research misconduct: Notice in response to Discussion remarks

The Council has received the remarks made at the Discussion on 23 January 2024 concerning the above Report (Reporter, 2023–24: 6721, p. 172; 6727, p. 257). The Council has consulted with the General Board in preparing this response.

Mr Allen comments on the length of the new Procedure when compared with the documentation it would replace. The more detailed Procedure is designed to provide greater support for those running the process and clarity for Respondents and Complainants. The Procedure should also ensure more consistency and fairness in the handling of cases. It provides levels of information comparable to those in the UK Research Integrity Office’s template ‘Procedure for the Investigation of Misconduct in Research’, which has been cited as an example of good practice by UKRI.

Dr Chow asks whether researchers, as defined by Paragraph 2.1 but not employed under Statute J 6, who undertake activities related to the Press, such as management and peer review, are subject to the proposed Procedure. The Council confirms that in its view the new Procedure applies to such researchers where there is an allegation of Research Misconduct (as defined in section 3 of the new Procedure) against them. Dr Chow’s enquiry has however made apparent that the new Procedure does not confirm that those employed under Statute J 6 are excluded from its scope when undertaking research in the service of the Press and Assessment Department. An amendment has been made to the Procedure to correct this omission.

Professor Evans notes that the Report proposes a new Special Ordinance on the investigation of allegations of research misconduct, but that it does not include a definition of research misconduct. Professor Evans also suggests that the Procedure itself is in Special Ordinance, which is not correct. If the Report’s proposals are approved, the Council and the General Board will keep the Procedure under review, publishing any amendments to it in the Reporter. That Procedure includes the definition of what constitutes research misconduct. The reason the definition of research misconduct is not in Special Ordinance is that the definition must remain aligned with those used by UKRI and by sponsors of research. If the Council and the General Board have any concerns about the acceptability of the definition of research misconduct to the Regent House, they will seek approval for such a change. Professor Evans also queries whether the use of ‘parties’ in the Procedure includes the University. If the Report’s recommendations are approved, the Responsible Person and other decision-makers identified in the Special Ordinance will be acting on behalf of the University and they will be parties for the purposes of the Procedure.

Professor Evans questions the level of training that will be provided for Responsible Persons, members of a Formal Investigation Committee and Appeal Managers. The Research Office will approach the UK Research Integrity Office for advice on best practice in training the various individuals with responsibility for decision-making under the Procedure and will develop training accordingly. This will include consideration of when training should be refreshed.

Mr Allen suggests that the description of the qualifications to serve as the Independent Investigator should continue to include reference to experience in the relevant field. Dr Chow also queries the clarity of the text concerning malicious or vexatious complaints and notes that there are procedures for communicating delays in the timescales in Stages 2 and 3 but not in Stage 1. Professor Evans’ review of the use of the word ‘parties’ has also indicated one instance that should be clarified. The Council and the General Board are grateful for the feedback and have agreed to make some changes to the text of the new Procedure, currently included as Annex A to the Joint Report, set out below.

By adding the following new sentence at the end of paragraph 2.1:

This procedure does not apply to staff engaged for employment under Statute J 6 when undertaking research in the service of the Press and Assessment Department.

In the definition of ‘Independent Investigator’ in section 3 by replacing the second sentence with the following:

The Independent Investigator will normally be a University officer and must have appropriate expertise, and experience in the relevant field, to investigate the case (see section A5).

By amending paragraph 4.8 to read as follows:

4.8 If a Complaint is found to be malicious or vexatious at any stage of the procedure, appropriate action may be taken against the Complainant, which may in some cases include referral to the relevant disciplinary procedure if the Complainant is an employee.

By adding the following new sentence at the end of paragraph 8.6:

Nonetheless, the Responsible Person will acknowledge receipt of the Complaint within 15 Working Days and will inform the Respondent and the Complainant if the initial screening will take longer than set out above and the reasons for this.

In paragraph 10.3(b) concerning the members of the Formal Investigation Committee by replacing the last sentence with the following:

All members must have appropriate expertise to investigate the case, experience in the relevant field, and must have no conflict of interest in, or previous involvement with, the case (see section A5).

In paragraph 10.4(c) by replacing the words ‘both parties’ with ‘the Respondent and the Complainant’.

In paragraph B2.3 of Appendix B concerning the Dispute resolution process by replacing the last sentence with the following:

The independent person should have appropriate expertise to handle the matter under consideration, experience in the relevant field, and no conflict of interest in, or previous involvement with, the case.

Finally, Mr Allen notes that the Report has only been signed by eight of the fourteen members of the General Board. This is the result of the timing of the circulation of the Report for signature, rather than a reflection on the Board’s support for the Report.

The Council is submitting a Grace (Grace 1, p. 283) to approve the recommendations of this Report, as revised by this Notice.

14 February 2024

Deborah Prentice, Vice‑Chancellor

Zoe Adams

Madeleine Atkins

Gaenor Bagley

Milly Bodfish

Sam Carling

John Dix

Sharon Flood

Alex Halliday

Heather Hancock

Louise Joy

Fergus Kirman

Scott Mandelbrote

Sally Morgan

Sharon Peacock

Vareesh Pratap

Pippa Rogerson

Jason Scott-Warren

Andrew Wathey

Michael Sewell

Pieter van Houten

14 February 2024

Deborah Prentice, Vice‑Chancellor

Caredig ap Tomos

Madeleine Atkins

Tim Harper

Ella McPherson

Patrick Maxwell

Nigel Peake

Richard Penty

Anna Philpott

Emily So

Pieter van Houten

Bhaskar Vira

Chris Young

Joint Report of the Council and the General Board on changes to Statute B I on non‑payment of University Composition Fees and resignation of membership of the University: Notice in response to Discussion remarks

The Council has received the remarks made at the Discussion on 23 January 2024 concerning the above Report (Reporter, 2023–24: 6724, p. 213; 6727, p. 259). The Council has consulted with the General Board in preparing this response.

This Report covers two matters, the first concerning non-payment of University Composition Fees, and the second on resignation of membership of the University, both of which entail changes to Statute B I. The Council notes that the majority of the remarks concern the Report’s second proposal, to end the automatic removal of degrees and other academic awards when membership of the University is removed.

Dr Rutter comments that membership of the University and holding a degree cannot be decoupled. The Council notes that they have not always been linked, and in former times, capitation fees were payable by those who wished to retain active membership of the University after graduation and exercise rights associated with their degrees, such as membership of the Senate. Current students are also members of the University, for whom removal of that membership may be considered the most appropriate disciplinary penalty or outcome in the event of non-payment of fees. Such students could include postgraduate students taking a second degree at the University. It is highly unlikely to be considered proportionate for the University to remove both the University membership and the first degree held by such a student. There are no equivalent reasons for seeking to allow individuals to retain membership of the University following renunciation or removal of their degrees and therefore this option is not being proposed.

This second proposal has not been prompted by any increase in the number of cases involving resignation and expulsion from University membership; they continue to be rare. As indicated in the Report, recent cases have highlighted the unfairness of the removal of University membership automatically resulting in the removal of degrees. Professor Evans queries whether it should not be the responsibility of the individual to decide whether to accept the consequences of their actions. The Council understands that view but notes that some cases involve mental health concerns that complicate the picture.

Dr Rutter proposes alternatives to the Report’s recommendations concerning the consequences following removal of University membership, such as the degrading of an Honours degree to an Ordinary degree, or the conversion of a full degree to a titular degree. The Council does not agree with Dr Rutter that the latter is essentially the same as the Report’s recommendations, as the individuals concerned would retain their full degrees under its proposals. Dr Skittrall suggests that it would be simpler for the University to decide to take no action against someone who continued to describe themselves as having been admitted to a degree if they had been granted their wish to resign membership of the University. This is not a viable solution, because the University would continue to have a duty to provide employers and others with factually correct information about degrees held, and it would not help in cases involving the removal of University membership as a disciplinary sanction. Dr Skittrall also suggests that the current proposal could have no effect on the membership of members of the University because the List of Members has not been published recently. The Council notes that the List of Members is available online to those with a University password at https://www.governanceandcompliance.admin.cam.ac.uk/university-record/useful-documents-record, with additions published in the Lent Term each year.

Dr Skittrall anticipates that the proposals could pave the way for the award of posthumous degrees. Under Statute A II 2, full degrees can be conferred on matriculated persons, a status ceasing upon death, while Statute A II 14 concerning titular degrees makes no provision for awards in such cases. The Council can confirm that there are no plans to introduce posthumous conferral, which would need to be the subject of a separate proposal and change of Statute.

Dr Rutter queries the absence of any mention of the impact of the proposals on University officers and College Fellows. As he notes, University officers who have matriculated are members of the University and they may also have been admitted to degrees under Statute B II 2, therefore the proposals would apply to them as members of the University. If an individual resigns membership of the University, they may reacquire it, subject to any restrictions in the relevant regulations, and there are no plans to prevent this. College Fellows are not members of the University by virtue of holding a Fellowship (though they may matriculate and therefore become members, for example, in order to enjoy M.A. status or be admitted to a degree under Statute B II 2).

Dr Rutter also makes some comments on the Report’s recommendations concerning the non-payment of fees. He notes the wording in paragraph 13(a) of the new Policy about the suspension of students in arrears from ‘all University activities, facilities and premises’. There is no intention that such students should be prohibited from accessing any areas of the University that are open to the general public, or visiting friends residing in University accommodation. To confirm this, the General Board has agreed to revise the wording of the Policy to clarify that the suspension would be limited to ‘University activities, facilities and premises related to the Student’s course of study’, adding a final new sentence: ‘The suspension will apply to all University activities, facilities and premises related to the Student’s course of study, unless the Fee-collecting Body representative agrees to make any exceptions in an individual case.’ Dr Rutter also questions why there is no reference in the Policy and Guidance to the sanctions available. Whilst those documents do not in themselves state the possible consequences of non-payment in full, the Guidance document does state that it is designed to provide operational support for the Ordinance, where the possible consequences of non-payment are stated in full. The General Board has also agreed to insert a cross-reference to the Ordinance in the Policy.

The Council is taking this opportunity to make an amendment to the original recommendations of the Report, so that members of the Regent House who are deprived of or renounce a degree entitling them to membership of the Senate or are deprived of or resign from membership of the University retain their membership of the Senate, as their membership of the Senate derives from their membership of the Regent House and therefore should remain in place.

The amendments revise Recommendation I (a) of the Report to read as follows:

(a) Statute A I (Statutes and Ordinances, 2023, p. 3): In Section 7, by amending paragraph (ii) and inserting new paragraph (iii) to read as follows:

(ii) any person other than a member of the Regent House who suffers suspension or deprivation of a degree or who renounces a degree entitling them to membership of the Senate shall not be a member of the Senate during the continuance of such suspension or deprivation or renunciation;

(iii) any person other than a member of the Regent House who suffers suspension or deprivation of membership of the University or who resigns from membership shall not be a member of the Senate during the continuance of any such suspension or deprivation or resignation.

The Council is submitting a Grace (Grace 2, p. 283) to approve the recommendations of this Report, as revised by this Notice.

14 February 2024

Deborah Prentice, Vice‑Chancellor

Zoe Adams

Madeleine Atkins

Gaenor Bagley

Milly Bodfish

Sam Carling

Anthony Davenport

John Dix

Sharon Flood

Alex Halliday

Heather Hancock

Louise Joy

Fergus Kirman

Scott Mandelbrote

Sally Morgan

Richard Mortier

Sharon Peacock

Vareesh Pratap

Pippa Rogerson

Jason Scott-Warren

Andrew Wathey

Michael Sewell

Pieter van Houten

14 February 2024

Deborah Prentice, Vice‑Chancellor

Caredig ap Tomos

Madeleine Atkins

Tim Harper

Ella McPherson

Patrick Maxwell

Nigel Peake

Richard Penty

Anna Philpott

Emily So

Pieter van Houten

Bhaskar Vira

Chris Young

Annual Report of the Audit Committee for the financial year 2022–23

The Council has received the annual report of the Audit Committee for the financial year 1 August 2022–31 July 2023. The report is published below for the information of the University. Appendices A, C, E and F to the report are provided as a separate PDF file at https://www.admin.cam.ac.uk/reporter/2023-24/weekly/6729/AuditReport-Appendices2023.pdf. Appendices B, D and G are not reproduced.

Introduction and executive summary from the Chair of the Audit Committee

The Audit Committee has a key role in providing Council with assurance over the efficiency and effectiveness of the University’s systems of risk management, internal control and governance. This Annual Report sets out how that has been achieved for the academic year 2022–23, the challenges for the year ahead and the conclusions the Committee has reached.

The Audit Committee focuses its work on particular risk areas that have been identified from previous internal audit reports and the University’s Risk Register. This includes IT systems and controls, cyber security, research funder requirements, estates and change management. The Annual Report summarises the key areas of work in these areas.

An important part of the work of the Audit Committee is to agree to the work plan of the internal audit function, to receive reports on internal audits performed during the year and to review the follow-up of internal audit recommendations. It is pleasing to note the assurance provided by a number of the reports received from Internal Audit during the year, and the overall conclusion in the Annual Internal Audit Report that they were able to provide reasonable assurance over the efficiency and effectiveness of the University’s system of risk management and governance. For internal controls, Internal Audit were also able to conclude that the efficiency and effectiveness of the University’s system of internal control was reasonable, except for estates, IT controls, compliance with research funder requirements and bursaries, all of which received a limited assurance conclusion based on the work done. The Audit Committee will continue to monitor the implementation of the recommendations arising from these reports.

As in previous years the Audit Committee report has identified the challenges presented by the devolved nature of the University in obtaining visibility over controls and ensuring their consistent application. For 2022–23, the Governance and Compliance Division piloted a new approach to working with institutions including a new simplified Head of Institution Assurance Statement. This statement is designed to be clearer and easier to complete to increase compliance from departments and thus provide visibility over controls operated at a devolved level. This worked well in the pilot institutions and as this process is rolled out further it will provide increased assurance as to the effectiveness and consistency of the internal control environment across the University.

The hybrid internal audit function has continued to work effectively during the year, with the Head of Assurance following up on overdue actions. The number of overdue actions has reduced from 23 to 18. It is particularly pleasing to note some reduction in the number of overdue actions relating to controls over cyber security, but continued oversight of this area is required. The remaining overdue priority actions mainly relate to the 2021–22 Global Mobility and Travel Safety audit and the Health and Safety Risk Management and Assurance audit. The University’s decision-making and resource allocation processes still make it challenging to implement some internal audit actions promptly. In many cases, the resolution of audit actions relies on long-term restructuring and/or systems implementation, whose implementation is in turn delayed. These delays can leave the University exposed to risk. The Audit Committee has encouraged both Internal Auditors and the relevant departments to identify intermediate actions that can provide risk mitigation in the meantime.

The Audit Committee welcomes the growing maturity of the University’s approach to risk management but has highlighted the importance of joined-up conversations about risk and strategic planning and the need for further development of risk management activities. In particular, given the amount of change the University is undertaking, and the compliance and control issues noted above, an overarching review of the risk register is needed to ensure that the key strategic risks have been appropriately identified, and the relationship between target scores and mitigating actions is more clearly defined.

In summary, the steps taken by the Governance and Compliance Division and the steps taken to resolve actions have increased the level of assurance the Committee has been able to provide. There remains work to do particularly in the key areas noted above. The Committee notes in particular the improvements needed in the organisation and capacity of the wider IT function both centrally and at the department level. This is required, both to improve the overall control environment and to facilitate the execution of the data and systems changes required to address internal audit recommendations to close internal control gaps.

Having evaluated the body of evidence, the Audit Committee concludes that, on balance, the current internal control environment adequately addresses the main risks that the University faces. The Committee is satisfied that it can provide assurance on the adequacy and effectiveness of the University’s arrangements for risk management, governance; economy, efficiency and effectiveness; and the management and quality assurance of data submitted.

Gaenor Bagley
Chair of the Audit Committee, University of Cambridge

1. Background

The Audit Committee is required to submit an annual report to the Council. The purpose of the report is to set out the current membership and constitution of the Audit Committee, to report on its work and activity over the last financial year and to provide the Committee’s and the auditors’ opinions on the adequacy and effectiveness of the University’s systems of risk management, control, governance and value for money. The report is informed by the internal audit annual report (see Appendix B [not reproduced]).

This Audit Committee Annual Report is for the 2022–23 financial year (1 August 2022 – 31 July 2023), and is delivered in four sections:

an introduction and executive summary from the Chair of the Audit Committee;

an overview focusing on key themes arising from the work of the Audit Committee during 2022–23;

the opinion of the Audit Committee on the reliance to be placed on the internal control and reporting systems of the University; and

a description of the University’s arrangements for internal and external audit, including the overall opinion of the internal auditor and the findings in the external auditor’s annual report.

A copy of this report will be published in the University’s official journal, the Reporter, for the information of the University.

2. Overview of the Audit Committee and its work

2.1 Role and membership of the Audit Committee

The Constitution of the Audit Committee is set out in the Statutes and Ordinances of the University of Cambridge. Further information on the Committee’s membership, terms of reference and meetings is provided in Appendix A.

2.2 Audit providers

The University’s internal auditor is Deloitte LLP, and its external auditor is PricewaterhouseCoopers LLP (PwC). Further information on the University’s arrangements for internal and external audit is provided in Section 4 of the report.

2.3 How the Audit Committee gains assurance

The Audit Committee is required to provide an opinion on the adequacy and effectiveness of the University’s arrangements for:

risk management, control and governance;

economy, efficiency and effectiveness (value for money); and

the management and quality assurance of data submitted to the Higher Education Statistics Agency, the Student Loans Company, the Office for Students (OfS), Research England and other bodies.

The Audit Committee’s opinion is based on the Committee’s consideration of the University’s Risk Register and its role in assessing and managing risk, the internal auditor’s annual report, the external auditor’s Management Letter, other work commissioned by the Committee during the year and on discussions at its meetings and workshops. The Committee routinely invites senior officers in particular areas of operation to present to the Committee and answer questions. Workshops are held outside formal meetings to enable more in-depth discussion on a particular topic. The Committee receives further reports from the audit sponsor (the senior officer responsible for the area of audit) of internal audit reports which carry limited assurance ratings.

In addition to oral reports, the Committee receives a range of written reports throughout the year. These include annual reports on value for money, research grants audits, the University’s anti-bribery and corruption policy and an annual report from the Committee on Benefactions and External and Legal Affairs. The Committee also receives regular updates from the Chair of the Press & Assessment Board Audit and Risk Committee, as set out in section 3.1(iv).

During 2022–23, the Committee has focused on how the University is progressing with actions to mitigate risks and understanding where risks remain. These discussions have been in the context of increasing expectations around compliance in the Higher Education sector which the University will need to respond to. As highlighted in the Committee’s previous annual reports, the University’s devolved structure and lack of common approach can make it difficult to understand and evidence the level of residual risk the University carries.

2.4 Key topics

The Committee has identified some common themes in its discussions, primarily around the need for clarification of roles and responsibilities within the University’s operating model (including checking that responsibilities sit in the right place), a lack of visibility or assurance over whether certain activities are operating as intended or if there is compliance across the organisation. These themes are picked up again in section 2.6 which focuses on challenges for the year ahead.

(i) IT and cyber security risks and controls

In the Committee’s last two annual reports, the challenges created by the fragmented nature of IT infrastructure in the University have been repeatedly highlighted, particularly in relation to implementing appropriate controls to mitigate risks and providing assurance over the effectiveness of these controls. The Committee has expressed concern about the pace of progress in addressing IT and cyber security risks.

(a) Cyber security

The Audit Committee held a workshop to discuss the rapid development of an action plan for recommendation to the Council detailing practical steps the University could take to mitigate cyber security risks within a short timeframe. A cyber security action plan was subsequently agreed by the Information Services Committee and the Council, which is in the process of being implemented. Cyber security training has now been mandated by the Council and rolled out to all staff. The Governance and Compliance Division is also working closely with UIS on the development of new IT policies (Acceptable Use Policy, Minimum Standards Policy and Email Account and Address Allocation Policy). These policies are on schedule to be considered by the General Board and the Council by, or shortly after, the end of the 2023 calendar year. The Audit Committee will continue to actively monitor progress in addressing cyber security risks during 2023–24.

(b) IT disaster recovery

The Committee has monitored the implementation of improvement actions agreed in response to an internal audit of IT disaster recovery (ITDR) processes for four key enterprise systems (CamSIS, CUFS, CHRIS and Moodle). Whilst progress has been made in respect of these critical systems, the Committee noted that significant risks remain in respect of systems outside the visibility and scope of University Information Services, which would only start to be addressed as part of the defragmentation of IT infrastructure.

(c) Defragmentation of the digital estate

Last year’s annual report noted that the Audit Committee had sought additional assurances that IT-related risks arising from the University’s highly fragmented IT provision were being managed. A longer-term project to defragment the digital estate had commenced, but the Committee was concerned about the speed of this project and the University’s exposure to an unknown level of risk in the meantime. The Committee was particularly concerned that the University could not adequately assess whether there were sufficient controls in place to mitigate risks across all parts of the University.

The Committee therefore commissioned an audit in 2022–23 looking at how defragmentation of the IT infrastructure in the Department of Geography had contributed to the reduction of risk. The audit identified that things were moving in the right direction with defragmentation, but there had been delays with the migration project and it was difficult to provide an accurate assessment of risk reduction.

The Committee felt strongly that more thought needs to be given to benefits capture and defining the target state for defragmentation to ensure success in future migration projects. Given its concerns over the University’s devolved IT infrastructure, the Committee will continue to seek assurances over the defragmentation of the digital estate and the mitigation of IT risks during 2023–24.

(ii) Health and safety risk management and assurance

An internal audit of the University’s Health and Safety risk management and assurance arrangements identified a lack of visibility of health and safety risks across the University and a lack of assurance over compliance by devolved institutions with central policies and procedures. The Committee considered the actions arising from the audit to be high priority and noted that additional funding was required to support the implementation of actions both at a central level and within devolved institutions.

Delays in implementing the agreed actions have been reported to the Committee, attributed in part to hold-ups in identifying a suitable IT system to support delivery of the actions. The Audit Committee urged the University to consider what action could be taken in the interim to address the issues raised, pending the development of an IT system. The Committee will continue to actively monitor progress until the risks have been addressed.

(iii) Research funder requirements

The Committee identified a wider ‘dialling-up’ of compliance expectations in relation to research funder requirements, with recent audits finding weaknesses in relation to incomplete documentation held by or provided by departments. Action plans have been agreed which should strengthen the University’s research control environment, but the successful implementation of these improvement actions is heavily dependent on compliance within departments. The Committee will monitor implementation of these improvement actions during 2023–24, noting the significant reputational risk to the University if compliance with research funder requirements cannot be sustained.

(iv) Change and Transformation Programmes

Last year’s annual report noted that a key challenge for the Audit Committee in the 2022–23 year would be to determine how and when it receives assurance over change and transformation programmes and the management of risks within key operational areas during a period of significant change. The report also noted the formation of the Change and Programme Management Board (CPMB). This year, an advisory internal audit report informed further improvements with the set up and governance arrangements for the CPMB. The Audit Committee also approved a proposed approach for providing assurance for change programmes, on the recommendation of the CPMB. Work is currently underway to develop an assurance plan for the 2023–24 year which will be considered by the CPMB and Audit Committee in Michaelmas Term 2023.

(v) Carbon reduction targets

The Committee discussed the findings of an internal audit report concerning the University’s assessment of its progress towards its carbon reduction targets and the approach to supporting the achievement of those targets. The audit found that whilst the University had committed to external carbon reduction targets and had short-term interventions in place, there was no detailed plan for the medium-term delivery of these targets and there were no key performance indicators to assess progress. The audit also identified a lack of allocated funding to enable the delivery of the targets and a lack of governance to support the implementation of decarbonisation interventions within a realistic timeframe.

A five-year action plan was proposed to address the audit findings, with many actions dependent on the approval of a five-year costed plan by the Council. However, the Committee acknowledged that there were challenges associated with producing a long-term costed plan (beyond 2030) that the University could commit to delivering, given the rapid development of carbon reduction technology. This was also acknowledged by the Council, and a small group has since been established to determine how to take forward the topics discussed by the Council. The Audit Committee will actively monitor progress on the implementation of the audit actions, many of which are due for completion during 2024.

(vi) Data quality – Transparent Approach to Costing (TRAC) return

TRAC is an activity-based costing methodology devised for the Higher Education Sector, which involves the attribution of income and expenditure to activity. Every Higher Education Institution (HEI) provider is required to submit an annual statutory TRAC return. The Audit Committee is responsible for ensuring that the process used to produce the TRAC return is compliant with TRAC guidance published by the OfS.

Challenges were identified with the collection of data across the devolved organisation, particularly with respect to the physical estate and with the response rate from departments in providing the space data required for the return. Initial plans to improve the process have been agreed with the Finance Division and Estates Division and the Committee will monitor delivery of those plans in the coming year.

(vii) Student and staff immigration

The Committee received positive assurance through the programme of internal audit on compliance with the requirements for the sponsorship of student and staff visas, which highlighted a very good level of compliance in respect of staff and students and was welcomed by the Committee.

(viii) North West Cambridge (NWC) cost control

Towards the end of the year, the Committee discussed the findings of an internal audit report concerning the design and operating effectiveness of processes to control expenditure for capex construction costs estimated to be remaining for Phase 1 of the North West Cambridge (NWC) development. Although the audit identified risks in relation to the operation of basic project controls and financial controls, the Committee was reassured that a new project team was now in place and delivering the agreed improvement actions at pace. All the actions were due to be delivered by the end of December 2023. The Committee will monitor the implementation of these actions during Michaelmas Term 2023 and has agreed that further assurance work should be undertaken in advance of any further phases of the NWC development.

(ix) Implementation of internal audit actions

There has been a continued focus in 2022–23 on the timely implementation of internal audit actions. The Head of Assurance now reports on the status of internal audit actions orally and in writing at every Audit Committee meeting. At 30 September 2023, the number of overdue audit actions stands at 18, down from 23 reported in last year’s annual report. One action has been overdue for more than 12 months, down from three in 2022.

A revised approach to agreeing audit actions, introduced in January 2022, helps ensure that most agreed actions are realistic and achievable and are closed within the deadlines provided. However, deadline extensions are often requested, and the Committee asked for greater visibility of deadline extensions so that the reasons for these extensions can be understood.

The University’s decision-making and resource allocation processes still make it challenging to implement some internal audit actions in a timely manner, particularly where audit actions rely on long-term restructuring and/or systems implementation. This has been particularly evident in actions agreed to address the risks identified in relation to the 2021–22 Global Mobility and Travel Safety audit and the Health and Safety Risk Management and Assurance audit, both of which the Committee considered to be high priority. These delays can leave the University exposed to risk in the meantime, and often it can be difficult to understand the level of residual risk carried.

2.5 Development of the University’s internal assurance activities

The assurance team (Governance and Compliance Division) has continued to develop the University’s internal assurance activities during 2022–23.

(i) Departmental assurance

In Easter Term 2022, a new approach to departmental assurance was piloted with a small number of institutions. This exercise replaced the previous Departmental Assurance Survey conducted by the internal auditors and was intended to provide assurance over key areas of activity undertaken at a departmental level through a self-assessment exercise.

The pilot identified areas where further work was required, both centrally and at a local level, to improve the University’s control environment. Institutions who had participated in the pilot had agreed actions to be taken at a local level to address specific areas of concern, whilst a number of additional actions had been agreed centrally to address areas of weakness identified across the pilot institutions.

The Committee welcomed the direction of travel with the assurance statements, noting that self-assessment exercises were commonly used across a range of sectors to provide assurance over internal controls operated at a devolved level. The Committee approved a proposal to roll out the assurance statements to all institutions during Easter Term 2023. The outcome of the 2022–23 exercise will be reported to the Audit Committee during Michaelmas Term 2023.

The ambition is to expand the list of statements to provide more comprehensive coverage of key areas of risk and to use the exercise to drive improvements in the University’s control environment. During 2023–24, the assurance team will work with other areas of University professional services to agree an expanded list of assurance statements for roll out in Easter Term 2024.

(ii) Compliance with OfS Conditions of Registration

The assurance team also conducted an assurance mapping exercise to document roles, responsibilities and assurance mechanisms to ensure compliance with the Office for Students’ Conditions of Registration. The outcome of this exercise was reported to the Audit Committee to provide assurance about how the University complies with its conditions of registration. This report will be received on an annual basis to ensure ongoing monitoring of the University’s compliance with the Conditions of Registration.

2.6. Challenges for 2023–24

The Committee has previously commented on the tension between institutional autonomy under the University’s devolved structure, and the need for the University to demonstrate that it has appropriate mechanisms in place to comply with regulatory requirements and to manage its risks effectively. The University has highlighted the need to better define what the minimum standards are for compliance and who is responsible for ensuring they are met (e.g. through policies, procedures and training) and to develop internal mechanisms to monitor compliance with policies and procedures and to provide assurance that compliance requirements have been met. These themes continue to stand out in the findings and information provided to the Audit Committee, with common issues identified around a lack of clarity over roles, responsibilities or minimum standards (e.g. TRAC data, research funder requirements) and/or a lack of visibility or assurance over activities taking place at a local level (e.g. IT controls, health and safety). The roll out of the new Head of Institution Assurance Statement exercise to all departments will start to provide visibility over controls operated at a devolved level and will be used to identify improvement actions across the University and inform the programme of internal audit. This exercise will also help to identify areas where roles and responsibilities are unclear or where a minimum standard has not been effectively communicated leading to significant variation across the University in areas of high risk. The Committee will consider the outcome of the 2022–23 exercise in Michaelmas Term and will agree next steps in the future development of this important internal assurance mechanism.

Last year’s annual report highlighted the number of change and transformation programmes underway at the University. The Committee acknowledges the positive work that has taken place in establishing the Change and Programme Management Board and the Audit Committee has agreed how it will receive assurance over these change programmes. However, the Committee is particularly concerned with the number of audit findings where the mitigation proposed is a long-term restructuring and/or systems implementation with a resolution date a year or more away. The scale of transformation currently underway at Cambridge and the challenges of implementing multiple change programmes in a large, devolved organisation will therefore remain high on the Audit Committee’s work plan for 2023–24. The Committee also acknowledges that the transformation programmes present opportunities for the University to rethink how it gains assurance over key operational activities, to clarify roles and responsibilities and to improve visibility over controls operated at the devolved level.

As outlined in section 2.4(i) above, the Committee continues to be concerned about the level of potential risk carried by the University as a result of its fragmented IT infrastructure. The Committee is keen to see demonstrable progress in addressing issues identified through earlier internal audit work and to receive further assurance over progress with the defragmentation programme, clarification of roles and responsibilities and minimum standards for IT controls. In order to better understand IT risks within departments, the Committee commissioned an internal audit of general IT controls in a selection of departments, the outcome of which will be reported to the Committee early in 2023–24.

3. Audit Committee’s opinions, 2022–23

3.1. Opinion: Risk Management, Control and Governance Arrangements

The Audit Committee keeps under review the University’s risk management strategy and implementation, and effectiveness of the University’s systems of financial and other internal controls and governance as follows.

(i) Risk management

The University is committed to ensuring it has a robust and comprehensive system of risk management in line with the requirements of the Office for Students and follows good practice in risk management. A summary of how risks are identified and evaluated, and how risk management is embedded in ongoing operations is provided below.

(a) The University’s senior leadership team is responsible for identifying and managing risks across the University’s activities, within the context of the University’s priorities and objectives. The review of risks encompasses business, operational, compliance, financial and reputational risks.

(b) All identified risks are evaluated using a common framework for scoring that considers both the likelihood and impact of risks becoming a reality. The scoring guidance for evaluating risks prompts risk owners to consider the following categories of impact: finance, compliance, safety, service delivery (operational), reputation and people.

(c) The risk management framework applies across the University’s institutions, with further guidance and information provided to those who own or manage University, School, Non-School Institution (NSI), Faculty or Departmental risks (primarily through web-based resources and training). Risk assessment underpins the University’s programme of internal audit and is embedded as part of the University’s annual planning processes.

(d) The University’s Risk Register identifies those risks that are considered to have a fundamental impact on the University’s ability to deliver its mission or to operate effectively. The risk register is considered and formally approved by the Council at least annually, enabling it to receive direct updates on the evaluation and management of risks.

(e) A discussion on the status of each risk on the University Risk Register and progress with mitigating actions takes place with risk owners as part of a schedule of monthly meetings.

(f) The Audit Committee formally reviews the University Risk Register at least twice a year and makes a recommendation to the Council as to whether the risk register and the management of risks is appropriate.

Under the risk management framework, the Audit Committee has risk management as a standing item on its agenda to ensure routine monitoring. The Audit Committee alerts the Council to any emerging issues arising with the management of risks as necessary.

In addition, the Committee also undertakes regular ‘deep-dives’ into individual risks on a rotating basis, which provides an opportunity for risk owners and the Audit Committee to discuss the management of risks in greater depth than is otherwise provided through a review of the University Risk Register. This helps to provide the Audit Committee with assurance that risks are being actively managed.

The Audit Committee welcomes the growing maturity of the University’s approach to risk management but has highlighted the importance of joined‑up conversations about risk and strategic planning and the need for further development of risk management activities. Specifically, the Committee requested a review of the overarching risks in the preamble to the University Risk Register, better tracking of risk mitigations, defining the relationship between target scores and mitigating actions more clearly and ensuring the risk register informs the work of the internal and external auditors. These suggestions would be taken forward for consideration in the next cycle of risk updates during 2023–24.

(ii) Corporate governance and internal control

The Council is responsible for ensuring that a sound system of internal control is maintained. The Statement of Internal Control, included in the Financial Statements and provided in Appendix C, sets out the University’s arrangements for the prevention and detection of corruption, fraud, bribery and other irregularities. It also includes an account of how the principles of internal control have been applied.

The Council is also responsible for reviewing the effectiveness of the system of internal control. The Audit Committee supports the Council in this role as described below.

(a) The Chair of the Audit Committee provides periodic reports to the Council concerning internal control and risk management.

(b) Risk management is a standing item on the Audit Committee agenda and is the driving element in the design of the annual internal audit programme of work. The Audit Committee considers the effectiveness of the risk management framework and reports on this annually.

(c) The Council receives minutes of all meetings of the Audit Committee.

(d) The Audit Committee receives regular reports from the University’s internal auditor, which include the internal auditor’s independent opinion on the adequacy and effectiveness of the University’s system of internal control and risk management, together with recommendations for improvement.

(e) The Audit Committee reviews and reports on the implementation of actions in response to recommendations for improvement made as part of the regular audit cycle and other investigations as required.

(f) The Audit Committee reviews the University’s policy against bribery and corruption on an annual basis and considers the effectiveness of the University’s arrangements for the prevention and detection of corruption, fraud, bribery and other irregularities.

The University’s internal auditors have provided reasonable assurance that the University has an efficient and effective system of risk management and governance, and reasonable assurance in relation to internal controls, except for the following areas: departmental IT controls, specific aspects of estates, compliance with research funder requirements and bursaries. The Audit Committee welcomes the improved opinion in respect of internal controls since the 2021–22 annual report but continues to emphasise that further steps need to be taken in the short and medium term to reinforce and improve internal controls, particularly in respect of the areas highlighted above. The Committee notes that the University has agreed action plans to address the areas of weakness highlighted above and will actively monitor the implementation of these actions in the coming year. The Committee further notes that there will be opportunities to enhance and standardise associated controls across the devolved University through the ongoing functional transformation programmes.

(iii) Fraud, bribery and corruption

The Audit Committee oversees the University’s Policy against Bribery and Corruption. Under the Financial Regulations, any member of staff must report immediately to the Registrary and the Director of Finance any suspicion of bribery, fraud or other irregularity. Certain instances of bribery, fraud or other irregularities that are considered to be material must be reported to OfS in line with the regulator’s guidance on reportable events.

In July 2023, the Committee received an annual report on the implementation of the University’s Anti-Bribery and Corruption Policy and details of incidents of fraud. In the 2022–23 academic year, across the University, the Colleges and the University’s subsidiaries, there has been one report of fraud, three reports of cyber fraud and one loss of £800. One of the fraud cases remains under investigation.

Bribery Act training is conducted through the University’s online Anti-Bribery and Corruption training module, which was simplified in 2021–22 with the aim of increasing participation. Participation in the online Anti-Bribery and Corruption training module between 1 June 2022 and 31 May 2023 remained stable compared with the same period in 2021–22. Responsibility for determining which members of staff should undertake training is delegated to Heads of Institutions. The new Head of Institution Assurance Statement exercise, rolled out to all institutions in Easter Term 2023, asks institutions to confirm whether relevant staff are undertaking the training and will provide broad coverage of how well this is working across the University. The outcome of this exercise will be reported to the Audit Committee during Michaelmas Term 2023 and reflected in next year’s annual report.

Since 1 June 2022, there have been four new cases recorded under the Whistleblowing Policy. Three are now closed and the outcome is awaited on the final one.

(iv) Cambridge University Press and Assessment

Cambridge University Press & Assessment (CUP&A) is governed by the Press & Assessment Syndicate, which has a Press and Assessment Board (PAB) and various sub-committees including the PAB Regulatory Compliance Committee and the PAB Audit and Risk Committee.

The PAB Audit and Risk Committee has oversight of the internal audit arrangements for CUP&A and reviews the findings of internal audit reports and the management responses. A full list of internal audits considered by the PAB Audit and Risk Committee during 2022–23 is provided in Appendix G [not reproduced]. The Chair of the PAB Audit and Risk Committee attends the University Audit Committee to provide assurance on the respective governance, control and risk management practices of both the Press and Assessment.

At each Audit Committee meeting, the Chair of the PAB Audit and Risk Committee provides an oral update on the business of CUP&A and the items of discussion at the latest PAB Audit and Risk Committee meeting. In addition, a written annual report of the PAB Audit and Risk Committee is received at the Audit Committee’s November meeting, and a half-year report at a meeting in Easter Term. Under the PAB Audit and Risk Committee’s Terms of Reference, the Chair of the PAB Audit and Risk Committee has direct access to the Chief Financial Officer as Chair of the PAB and to the Vice-Chancellor as Chair of the Press & Assessment Syndicate.

A report on the organisation’s activities and controls in relation to its Anti-Bribery and Corruption policies is incorporated within the University’s annual Bribery Policy report.

The Audit Committee continues to acknowledge the significant income stream that CUP&A provides to the University.


Audit Committee opinion: Risk management, control and governance: The Audit Committee has monitored and considered the effectiveness of the University’s risk management, control and governance arrangements throughout 2022–23. On the whole, these arrangements support the University in fulfilling its policies, aims and objectives, enabling the University to identify, understand and manage its principal risks, and to be accountable and transparent in its governance. The Committee notes that the University is taking steps to further enhance controls in areas where weaknesses in internal controls were identified and reported during internal audit work. Improvement actions have been agreed and the Committee will continue to actively monitor the implementation of these actions in the coming year.

The Audit Committee has agreed that the Statement of Corporate Governance and the Statement of Internal Control provided in Appendix C and included in the Financial Statements for 2022–23 are an accurate reflection of the risk management, control and governance arrangements in place. Notwithstanding the above, the Committee is satisfied that these arrangements adequately address the main risks the University faces.


3.2. Opinion: Economy, efficiency and effectiveness (value for money)

The Audit Committee considers whether arrangements adopted throughout the University for promoting economy, efficiency and effectiveness in the use of public funds and other resources are satisfactory, by monitoring the following financial controls, systems and management structures. The Committee is required to relay its view on the University’s arrangements for achieving value for money to the Council in its annual report.

(i) Value for money

The Resource Management Committee (RMC) is responsible, on behalf of the Council, for overseeing the University’s arrangements to obtain best value for money in its expenditure and use of resources. The RMC reviews the University’s Value for Money (VfM) Strategy and Policy annually.

The Audit Committee receives an annual VfM report, which outlines progress with a number of VfM‑related initiatives that enable, or will enable, the achievement and measurement of value for money. This includes updates on Enhanced Financial Transparency (EFT), Expenses Management, Strategic Procurement and Purchasing (SPP), Financial Systems Replacement, the HR Transformation Programme, Transforming Research Support, Reimagining Professional Services and Reshaping our Estate.

Efficiency and value for money also continue to be promoted through local level and University-wide initiatives and the University also collaborates with the Colleges through the Bursars’ Committee to ensure value for money across the Collegiate University.

(ii) Assurance on Colleges’ use of student fees for educational purposes

The Committee receives assurance that the public funds received by the University from the Student Loans Company and transferred between the University and Colleges are used by the Colleges for educational purposes. An annual meeting takes place between College and University representatives and the Chair of the Audit Committee to review expenditure on education by the Colleges against their total educational income. The Committee agreed that the analysis provided reasonable assurance that the money was spent for the purposes intended.


Audit Committee opinion: Economy, efficiency and effectiveness (value for money): The Committee has monitored the effectiveness of the University’s financial controls, systems and management structures in place for promoting efficiency, effectiveness and economy in the use of public funds and other resources.

The Committee has noted the continuing adoption of and improvement in financial procedures and management practices designed to support the achievement of value for money and institutional effectiveness. The Committee is satisfied that these arrangements are appropriate and effective.


3.3. Opinion: Management and quality assurance of data returns

The Audit Committee monitors the effectiveness of the University’s management and quality assurance of data returns submitted to the Higher Education Statistics Agency, the Student Loans Company, the OfS, Research England and other bodies through its programme of internal audit and other assurance reports received by the Committee.

In 2022–23, the Audit Committee received an Annual Data Returns Assurance Report for the first time. This report provided the Committee with an overview of statutory data returns submitted during 2022–23 and was intended to provide assurance that the data submitted by the University during the 2022–23 reporting cycle conformed to requirements and published guidance and had been subject to effective oversight and management review. The Committee welcomed the report and approved a proposal that the report be received annually.

In addition to the assurance reports noted above, internal audit reviews of various aspects of data management also form part of the programme of internal audit. The table below summarises the results of data quality audits undertaken over the past five years. No specific data quality internal audit was conducted during 2022–23.

| Academic year | Audit area | Assurance rating |
| --- | --- | --- |
| 2021–22 | HE-BCI follow up | Substantial |
| 2020–21 | HESES return | Substantial |
| | TRAC process | Substantial |
| 2019–20 | HE-BCI | Limited |
| 2018–19 | HESA staff return | Substantial |

(i) Transparent Approach to Costing (TRAC) return

TRAC is an activity-based costing methodology devised for the Higher Education Sector, which involves the attribution of income and expenditure to activity. Every Higher Education Institution (HEI) is required to submit an annual statutory TRAC return. In March 2022, the Audit Committee agreed to assume responsibility for ensuring that the process used to produce the TRAC return was compliant with TRAC guidance published by the OfS. This was in response to the OfS amending its requirements for the TRAC return.

In October 2022, the Audit Committee received its first annual report on the TRAC return. The Committee noted challenges associated with the collection of data across the devolved organisation, particularly with respect to the physical estate. A further update was received in January 2023 which outlined continued challenges with the response rate from departments. The Committee noted its concern in relation to the lack of response from departments and agreed that it would expect to see significant improvements to the process used to produce the 2022–23 TRAC return to ensure it was fully compliant with TRAC requirements.

In July 2023, the Committee received a further report outlining significant engagement with School Secretaries on TRAC requirements and a planned approach to engaging further with departments to explain what was required in respect of the space. The Committee will receive a further update on progress as part of the annual report on the TRAC process in October 2023.


Audit Committee opinion: Management and quality assurance of data returns: The Audit Committee is satisfied that the management control and quality assurance of data returns submitted to the Higher Education Statistics Agency, the Student Loans Company, the Office for Students, Research England and other bodies are adequate and effective.


4. Audit arrangements and auditor opinions

4.1 Internal audit

(i) Provider

Since August 2021, the University has operated under a hybrid internal audit model, comprising a single external internal audit firm and a dedicated senior University member with a broad understanding of the University and of internal audit acting as facilitator. The outsourced internal audit function is facilitated by the Head of Assurance, based in the Governance and Compliance Division. This approach allows the University to combine external and independent audit expertise with an in-depth knowledge of the academic and administrative processes at the University.

The University went out to tender for its internal audit provider during 2020–21, and reappointed Deloitte LLP as the internal auditor with effect from 1 August 2021 for a four-year term until 31 July 2025, with provision for a one‑year extension.

The performance of the internal auditor and their lead partner is considered annually by the Committee.

The fees paid for internal audit work completed in the financial year 2022–23 are shown in Appendix E.

(ii) Internal audit programme

The internal audit programme provides independent and objective assurance on the University’s operations in order to evaluate and improve the effectiveness of the University’s internal control systems. A draft internal audit plan is developed around the University’s objectives and assessment of its fundamental risks, as identified by the University’s senior leadership team.

The 2022–23 audit plan was approved in two six-month plans, as had been the case since the Covid‑19 pandemic. The plan for 2022–23 sought to return to a more balanced audit plan focusing on key strategic risks and cyclical audits of functional areas of University operations. Different teams of auditors were assigned to undertake the work depending on the level of specialism required, and audits typically involved visits to a range of departments and institutions to follow up on particular functions.

(iii) Internal audit reports and assurance ratings

Deloitte LLP provide an assurance rating for each internal audit report, based on their assessment of the adequacy and effectiveness of the system of internal control. The assurance ratings given are as follows:

Full

There is a sound system of internal control designed to achieve the University’s objectives. The control processes tested are being consistently applied.

Substantial

While there is a basically sound system of internal control, there are weaknesses, which put some of the University’s objectives at risk. There is evidence that the level of non‑compliance with some of the control processes may put some of the University’s objectives at risk.

Limited

Weaknesses in the system of internal controls are such as to put the University’s objectives at risk. The level of non-compliance puts the University’s objectives at risk.

Nil

Control processes are generally weak leaving the processes / systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes / systems open to error or abuse.

Where recommendations are made as part of the internal audit process, Deloitte LLP classifies their recommendations as follows:

Priority 1

Issues that are fundamental to the University, for the attention of senior management and the audit committee.

Priority 2

Issues that are fundamental to the area subject to internal audit, for the attention of senior management and the audit committee.

Priority 3

Important issues to be addressed by management in their areas of responsibility.

Priority 4

Housekeeping issues or good practice suggestions.

During 2022–23, Deloitte also conducted three ‘agreed upon procedures’ assignments, whereby the auditors test compliance with a set of standards agreed with the University. The results of these tests are reported in a factual way, including any exceptions to the standards, without presenting a conclusion or opinion on the findings.

(iv) Audit Committee review of internal audit reports

The Audit Committee is provided with access to all internal audit reports through its online portal and the internal auditor summarises the findings of those reports in a progress report provided to each meeting of the Audit Committee. However, the Committee only discusses in detail those reports that carry limited or nil assurance ratings. In such cases, the audit sponsor is invited to attend the meeting in which the report is discussed, to enable them to respond to the report and answer questions that members of the Committee may have.

During 2022–23, the Committee has received and considered 14 internal audit reports. Of these reports, eight received an assurance rating, three were advisory pieces and three were conducted as an ‘agreed upon procedures’ assignment. Where a rating was ascribed, 37.5% of reports were given Substantial assurance. This is down from 50% in 2021–22. This report refers only to those final internal audit reports that have been received and considered by the Audit Committee between 1 August 2022 and 31 July 2023.² A full list of internal audit reports considered by the Audit Committee during 2022–23 is provided in Appendix A. The internal auditor’s annual report provided in Appendix B [not reproduced] focuses on all audits reported to the Audit Committee between December 2022 and October 2023.

(v) Internal auditor opinion

The annual report for the period 1 August 2022 to 31 July 2023 was received by the Audit Committee at its meeting on 12 October 2023 (see Appendix B [not reproduced]). The internal auditor’s annual report refers to internal audits where the fieldwork took place during 2022–23. However, the final reports for all audits were not all considered by the Committee during the 2022–23 academic year and so the number of completed assignments may differ to the figure provided in section 4.1(iv). A full list is provided in Appendix A.

Subject to the limitations of the work described in Deloitte LLP’s report, the internal audit opinion given was as follows:

‘In the context of the scope of the work described in section 2.2, taking into account the implementation status of the agreed actions to rectify the control weaknesses identified, we provide reasonable assurance that the University has an efficient and effective system of risk management and governance.

In addition, we provide reasonable assurance that the University has an efficient and effective system of internal control for the year ending 31 July 2023, except for the following areas: departmental IT controls; cost control and sustainability of the estate; compliance with research funder requirements and bursaries. Management have agreed and are taking forward actions to address the findings raised in these areas. The scope of this opinion does not include the planned Buildings Statutory Compliance and Export Controls audits; these areas were not ready to audit and therefore were deferred into FY2023/24.

The opinion is provided on the following basis:

Of the eight internal audits with an opinion, five were assigned a substantial assurance opinion and three a limited assurance assessment. In FY 2021/22, of the seven audits with an opinion, one was assessed as substantial assurance, five as limited assurance and one as nil assurance.

In relation to IT, a Departmental General IT Controls audit reported limited assurance and identified a lack of a defined control framework to support Departmental IT processes and thematic control issues in the sampled departments. Further, an assignment that considered the Department of Geography migration project identified a lack of visibility of the contribution to the mitigation of IT defragmentation risks. In addition, there are 22 Priority 1 and 2 ongoing open actions in respect of IT Disaster Recovery, Software Asset Management and Cyber Security, including six overdue.

In relation to estates, the NWC Cost Control audit reported limited assurance and identified weaknesses in the change and risk management approaches and the quality of project information to enable effective decision‑making and oversight. A planned audit of Building Statutory Compliance was deferred due to known challenges with a new provider of maintenance and statutory compliance activities. In addition, there are 10 Priority 1 and 2 ongoing open actions in respect of Carbon Reduction, including two overdue.

In relation to research funder requirements, the UKRI’s funding assurance report provided limited assurance over compliance with the terms and conditions of its research funding. UKRI’s follow-up visit in 2023 confirmed improvements had been made; however, improvements were still required. In addition, in 2022 the European Anti-Fraud Office identified a failure to meet the residency and secondment requirements of a Marie Skłodowska-Curie Actions (MSCA) fellowship. Following this, an internal audit identified that evidence of compliance with the mobility and secondment requirements for other MSCA fellowships was not consistently available.

A limited assurance assessment was issued for the Cambridge Bursary Scheme with weaknesses in processes to manage user access to the system, to oversee manual bursary payments and to identify anomalous bursaries.

There has been continued focus during the year to implement agreed internal audit actions. At 28 September 2023, 18 actions were overdue; the figure at 1 November was 23. Therefore, there needs to be a continued focus on implementing the agreed actions in a timely manner to further reduce the number of overdue actions.’

(vi) Review of assurances received

The Committee welcomes the improved opinion in respect of internal controls since the 2021–22 annual report. However, it recognises that further work needs to be done to arrive at an acceptable level of risk particularly in relation to IT controls, research funder requirements and health and safety risks. The Committee will continue to actively monitor whether and how actions are implemented to address the areas of weakness in the University’s operations identified through internal audit work.

The Committee also notes that the number of overdue internal audit actions continues to fall and has welcomed greater transparency over the implementation status of internal audit actions through the reports that it receives at each meeting. The Committee is of the view that the University needs to continue to focus on implementing audit actions in a timely manner so that risks can be mitigated appropriately, and the number of overdue actions continues to fall.

4.2. External audit

(i) External audit provider

PricewaterhouseCoopers LLP (PwC) was reappointed as the external auditor for the University for the financial year 2022–23. External audit informs the Audit Committee on the operation of the internal financial controls reviewed as part of the annual audit. The fees paid for work completed in the financial year 2022–23 are shown in Appendix F.

(ii) Review of appointment

In accordance with OfS’s terms and conditions of funding for Higher Education Institutions, the external auditor is appointed or reappointed annually. The Statutes and Ordinances of the University of Cambridge also require that the accounts of the University are audited annually by qualified accountants appointed by Grace on the nomination of the Council.³

Following a market testing exercise in 2018, PwC was reappointed to provide the external audit provision (subject to annual reappointment). However, the University agreed that PwC would discontinue the audits of low materiality subsidiaries as this work was more suitable for a smaller firm. It was agreed that for the 2022–23 audit, the audit of these subsidiaries would be undertaken by a local firm, Peters Elworthy & Moore.

At its May 2023 meeting, the Committee received feedback from the University and its subsidiary organisations in regard to the performance of the external auditor. The Committee agreed to recommend to the Council that a Grace be promoted for the annual reappointment of PwC as the external auditor for the Financial Year 2022–23.

(iii) Details of non-audit services

During 2022–23, the external auditor and PwC affiliate firms carried out non-audit work in the following areas for the University: Financial Conduct Authority client asset work on behalf of Cambridge Investment Management Limited and provision of assurance of environmental sustainability data. In each significant case, the engagement was subject to the Audit Committee’s policy on non-audit services to ensure that the external auditor’s independence was not put at risk.

(iv) External Auditor’s annual report to the Audit Committee

The Audit Committee received PwC’s external audit annual report 2022–23 at its meeting on 16 November 2023.

The Audit Committee considered the report and was satisfied with the remarks on auditing and accounting matters, detailed control observations and other observations from around the University group.

Footnotes

  • ¹ Specified in Chapter XIII of the University’s Statutes and Ordinances (2023, p. 1072).

  • ² This includes any reports that were issued in draft during 2021–22, but which were not finalised for the Committee’s consideration until 2022–23. It does not include any 2022–23 reports that have been finalised recently by internal audit but were not considered by the Audit Committee during 2022–23.

  • ³ See Statute F I 5 (Statutes and Ordinances, 2023, p. 47).


Information security policies under development

12 February 2024

The University is developing a set of information security policies as part of a series of actions to reduce cyber security risk. Cyber crime is a persistent and ever-changing threat to the University and its people. Defining how the University should use IT services is a significant step in protecting the user community and resources from harm.

The University has concentrated work first on developing an Information Services Acceptable Use Policy and a Systems Management Policy. That is because they will make the biggest short-term difference to the cyber security risks that the University faces. The Email Address Allocation and Retention Policy, on which the University has been working and consulting, will ensure that access to our information systems is for authorised users only.

University Information Services (UIS) will communicate and oversee implementation of these policies.

Information Services Acceptable Use Policy: Update

Further to the Notice published on 25 October 2023 (Reporter, 6715, 2023–24, p. 68), the General Board and the Council approved an Information Services Acceptable Use Policy (AUP) at their respective meetings of 20 and 27 November 2023. The AUP will be effective from 1 April 2024, starting with a transition period of a year in which the AUP will set expectations but not requirements. This phased implementation will allow for the development and rollout of supportive communications and guidance, and give staff and students the time to understand and adapt to the Policy.

The AUP will replace other, now outdated, guidance: the ‘Rules made by the Information Services Committee’, last updated in 2000–01, which will no longer be reproduced in Statutes and Ordinances; guidelines on the acceptable use of computers published in the Reporter in 2002; and elaboration on these two existing sources elsewhere on the University’s webpages.¹ This will also help consolidate and clarify advice to staff and students on secure, fair, and legal use of information services.

Information about the AUP, the text of the approved version, and a summary of feedback from focus groups during the consultation process, is available on the UIS’s webpages at https://help.uis.cam.ac.uk/acceptable-use-policy (Raven required).

Systems Management Policy

The University’s Information Services Committee (ISC) recommended a Systems Management Policy (SMP) to the General Board and the Council for approval. These committees approved the SMP at their respective meetings on 17 January and 12 February 2024. The SMP covers minimum security standards for the University’s multi‑user computer systems. Examples of multi‑user systems are library systems, finance systems, research group computer clusters, and systems to run scientific equipment used by multiple researchers. Personal computers are not in scope. The SMP sets out how all those who manage the day‑to‑day running of multi‑user systems – including IT staff and where applicable academic research staff – can help prevent cyber security‑related incidents.

The ISC oversaw focused consultation with expert and stakeholder groups across the University to ensure that it heard from those best placed to comment on this more technical policy. This included:

helpful discussion on policy contents and implementation with School IT Leads throughout development, and with School Secretaries at key points;

valuable insight and comment from School-level committees – where applicable, School-level IT committees, and, where not possible, from head of department meetings;

comment and endorsement from the Research Policy Committee, given that many multi-user computer systems directly support research work.

The University and Colleges’ Joint Committee received regular updates on the development of the SMP.

The main concern raised during consultation was the resource burden of implementing the SMP. In response, the ISC approved implementation plans that take a supportive approach to compliance and phase change in over time, set out in an appendix to the SMP. These include:

a two-year transition period after implementation, with the intention of staggering workload across that period to make compliance more manageable;

release of technical standards underpinning the SMP in phases over the two years, with standards accompanied by: step‑by‑step guidance on how to comply; a summary of UIS‑provided services that would enable the system to comply; and related communications and training;

UIS to work with volunteer ‘early adopter’ institutions during the first six months to test guidance, support and other measures, in close collaboration with the School IT Leads;

checkpoints every six months during the transition (1 October 2024, 1 April 2025, 1 October 2025) for UIS to review progress on the implementation plans and timeline; use the review to enhance communications, guidance, and services; and adapt plans as necessary.

The effective implementation date is 1 April 2024 and the two‑year transition runs to 1 April 2026. Information about the SMP, including the text of the approved version, is available on the UIS’s webpages at https://help.uis.cam.ac.uk/policies/systems-management-policy (Raven required).

Email Address Allocation and Retention Policy: Update

Further to the Notice published on 26 July 2023 (Reporter, 6710, 2022–23, p. 885), the pilot of the approved policy is now underway. The Information Services Committee (ISC) is grateful to the participating institutions: Downing College, Selwyn College, and users of the Clinical School Computing Service. The ISC is receiving regular updates and will review the policy in the light of the experiences of the participating institutions before any wider implementation. Wider implementation may now be later than 2024–25 in order to ensure that there is sufficient data for a robust trial.

Updates on the policy and the timeline will continue to be available on the UIS’s webpages at https://help.uis.cam.ac.uk/service/email/address-allocation-policy (Raven required).

Footnote

Update on eduroam

The Director of University Information Services (UIS) would like to thank all members of the University who use eduroam wifi for refreshing their connection profiles for the service during January. He would also like to thank computer officers and other IT staff across the collegiate University for their help in supporting students and staff in this effort.

The Director of UIS would like to apologise for the inconvenience caused by the need to carry out this exercise, which was the result of a UIS error in the administration of the digital certificate that authenticates the service’s identity. UIS conferred with Jisc, the University’s internet service provider, and the National Cyber Security Centre (NCSC) at the time the error was identified. Both confirmed that the approach UIS was taking would resolve the issue. There is no indication that there has been a security compromise.

Independently of the exercise just completed, UIS is planning to move to a new system later this year that will also require University members to update their eduroam connection profiles, but will then obviate the need for further updates in the future. UIS will consult with representatives of the Colleges, Schools and non-School institutions on the timing of this transition.