No 6765
Wednesday 8 January 2025
Vol clv No 14
pp. 207–221
21 January, Tuesday. Full Term begins. Ballot of the Regent House, voting opens at 10 a.m. Discussion by videoconference at 2 p.m. (see below).
24 January, Friday. End of first quarter of Lent Term.
31 January, Friday. Congregation of the Regent House at 2 p.m. Ballot of the Regent House, voting closes at 5 p.m.
The Vice‑Chancellor invites members of the Regent House, University and College employees, registered students and others qualified under the regulations for Discussions (Statutes and Ordinances, p. 111) to attend a Discussion by videoconference on Tuesday, 21 January 2025 at 2 p.m. The following items will be discussed:
1.Annual Report of the Council for the academic year 2023–24 (Reporter, 6762, 2024–25, p. 152).
2.Annual Report of the General Board to the Council for the academic year 2023–24 (Reporter, 6762, 2024–25, p. 160).
3.Report of the General Board, dated 17 December 2024, on the establishment of a Department of Public Policy (Bennett School of Public Policy) (Reporter, 6764, 2024–25, p. 196).
Those wishing to join the Discussion by videoconference should email UniversityDraftsman@admin.cam.ac.uk from their University email account, providing their CRSid (if a member of the collegiate University), by 10 a.m. on the date of the Discussion to receive joining instructions. Alternatively contributors may email their remarks to contact@proctors.cam.ac.uk, copying ReporterEditor@admin.cam.ac.uk, by no later than 10 a.m. on the day of the Discussion for reading out by the Proctors,1 or may ask someone else who is attending to read the remarks on their behalf.
In accordance with the regulations for Discussions, the Chair of the Board of Scrutiny or any ten members of the Regent House2 may request that the Council arrange for one or more of the items listed for discussion to be discussed in person (usually in the Senate-House). Requests should be made to the Registrary, on paper or by email to UniversityDraftsman@admin.cam.ac.uk from addresses within the cam.ac.uk domain, by no later than 9 a.m. on the day of the Discussion. Any changes to the Discussion schedule will be confirmed in the Reporter at the earliest opportunity.
General information on Discussions is provided on the University Governance site at https://www.governance.cam.ac.uk/governance/decision-making/discussions/.
1Any comments sent by email should please begin with the name and title of the contributor as they wish it to be read out and include at the start a note of any College and/or Departmental affiliations held.
2https://www.scrutiny.cam.ac.uk/ and https://www.admin.cam.ac.uk/reporter/regent_house_roll/section1.shtml.
The Director of Governance and Compliance has received the following nomination for the Council’s Finance Committee, for election in class (b) by the Representatives of the Colleges,1 and it has been certified to her that the candidate has consented to be nominated:
Mr Martin Pierce, SID, nominated by Dr R. Anthony, JE, and Mr R. G. Gardiner, CAI.
No other candidates having been nominated, Mr Pierce is duly elected to serve as a member of the Finance Committee in class (b) from 1 January 2025 for three years.
1The list of the Representatives of the Colleges for election of members of the Finance Committee is published each year in the Members of University Bodies, Special issue of the Reporter, see https://www.admin.cam.ac.uk/reporter/university_bodies/.
Members of the Regent House and other members of the collegiate University are reminded that the deadline for fly‑sheets1 for the ballot on Grace 1 of 6 November 2024 and an amendment (post-Marking and Assessment Boycott exam review) (Reporter, 2024–25, 6761, p. 140) is 1 p.m. on Thursday, 9 January 2025. In accordance with the previously published timetable, voting in the ballot will open at 10 a.m. on Tuesday, 21 January and close at 5 p.m. on Friday, 31 January 2025 (voters will receive an email when voting opens).
1See the Council’s Notice on Discussions and Fly-sheets, reproduced in Statutes and Ordinances at p. 116.
The University Combination Room will be closed on Monday, 3 February 2025 from 1 p.m. to 5 p.m. for an event.
The Council has received the annual report of the Audit Committee for the financial year 1 August 2023–31 July 2024. The report is published below for the information of the University. Appendix A to the report is provided below; Appendices B and C are not reproduced.
The Audit Committee is required to submit an annual report to the Council.1 The purpose of the report is to set out the current membership and constitution of the Audit Committee, to report on its work and activity over the last financial year and to provide the Committee’s and the auditors’ opinions on the adequacy and effectiveness of the University’s systems of risk management, control, governance and value for money.
This Audit Committee Annual Report is for the 2023–24 financial year (1 August 2023–31 July 2024). The report includes any significant issues arising during the financial year and the period up to the date of the report.
A copy of this report will be published in the University’s official journal, the Reporter, for the information of the University.
The Constitution of the Audit Committee is set out in the Statutes and Ordinances of the University of Cambridge. Further information on the Committee’s membership, terms of reference and meetings are provided in Appendix A.
The University’s internal audit work was undertaken by Deloitte LLP for a fee of £467,620.50 plus VAT for delivery of the internal audit plan and a further £77,485 plus VAT for additional assurance pieces commissioned in year. The University appointed Deloitte LLP as the internal auditor from 1 August 2021 for four years (with provision for a one‑year extension) following a tender exercise. The performance of the internal auditor and their lead partner is considered annually by the Committee.
Since August 2021, the University has operated under a hybrid internal audit model. The outsourced internal audit function is facilitated by the Head of Assurance, based in the Governance and Compliance Division. This approach allows the University to combine external and independent audit expertise with an in‑depth knowledge of the academic and administrative processes at the University.
The 2023–24 audit plan was approved in July 2023. The plan provided a balance between audits focusing on key strategic risks and cyclical audits of functional areas of University operations. Different teams of auditors were assigned to undertake the work depending on the level of specialism required, and audits typically involved visits to a range of departments and institutions to follow up on particular functions.
Deloitte LLP provide an assurance rating for each internal audit report, based on their assessment of the adequacy and effectiveness of the system of internal control. The assurance ratings given are as follows:
|
Rating |
Description |
|
Full |
There is a sound system of internal control designed to achieve the University’s objectives. The control processes tested are being consistently applied. |
|
Substantial |
While there is a basically sound system of internal control, there are weaknesses, which put some of the University’s objectives at risk. There is evidence that the level of non‑compliance with some of the control processes may put some of the University’s objectives at risk. |
|
Limited |
Weaknesses in the system of internal controls are such as to put the University’s objectives at risk. The level of non-compliance puts the University’s objectives at risk. |
|
Nil |
Control processes are generally weak leaving the processes / systems open to significant error or abuse. Significant non-compliance with basic control processes leaves the processes / systems open to error or abuse. |
During 2023–24 and up until the date of this report, the Committee received and considered thirteen internal audit reports. Of these reports, eleven received an assurance rating and two were advisory. Where a rating was ascribed, 36% of reports were given Substantial assurance. A full list of internal audit reports considered by the Audit Committee during 2023–24 is provided in Appendix A.
The internal auditor’s annual report was considered by the Committee at its meeting on 10 October 2024 and is provided in Appendix B [not reproduced].
‘In the context of the work described in section 2.2 [of the Internal Audit Annual Report], taking into account the implementation status of the agreed actions to rectify the control weaknesses identified, we provide reasonable assurance that the University has an efficient and effective system of risk management and governance.
We provide limited assurance that the University has an efficient and effective system of internal control for the year ending 31 July 2024. The scope of this opinion does not include the planned Buildings Statutory Compliance, Strategic Partnerships and Cyber Security audits; these areas were not ready to audit and therefore were deferred into FY 2024/25.
The opinion is provided on the following basis:
•This year, of the eleven internal audits with an opinion, four were assigned a substantial assurance opinion and seven a limited assurance opinion. In FY 2022/23, of the eight internal audits with an opinion five were assigned a substantial assurance opinion and three a limited assurance assessment.
•Limited assurance opinions were assigned to the following areas: onboarding and induction; IT Portfolio governance; student record system; departmental processes for managing conflicts of interest; key financial controls (Month End, General Ledger, Accounts Payable and Credit Cards); procurement dispensations and savings; and export controls. Due to the timing of audit plan delivery, six of the seven limited assurance reports were finalized in the second half of the financial year; actions have been agreed and we have been informed that these are on track for completion. In total, 67 actions from these audits were agreed, 11 of which have been implemented.
•There has been continued focus during the year to implement agreed internal audit actions. On 3 October 2024, 15 of 123 open actions were overdue; compared to 18 of 150 on 30 September 2023. There will need to be continued focus on timely implementation of the agreed actions from this year’s limited assurance reports as they approach the due dates.’
The Committee discussed the audit opinion and noted that many of the limited assurance audits had been delivered towards the end of the financial year, which meant actions had been agreed but had not yet been implemented. The Committee agreed that the overall trajectory for implementation of audit actions was improving and should help to improve the University’s internal controls in the longer term. The Committee also noted that the internal audit plan showed an openness on the University’s part to identifying and tackling areas of known challenge, which influenced the number of limited assurance audit reports and overall audit opinion.
The Committee also considered the outcome of the internal Head of Institution Assurance Statement exercise, which provided second line assurance of the effectiveness and consistency of internal controls operated at a devolved level. The Committee welcomed the coverage provided by this self-assessment exercise and noted the opportunities this exercise presented in terms of identifying and driving improvements to the University’s internal control environment.
On balance, the Committee was of the opinion that the University’s internal control environment was not getting worse, but that the University needed to speed up the pace in implementing audit actions and driving change in response to audits. The Committee noted that slow implementation of actions in part reflected structural and cultural challenges across the University in implementing and enforcing consistency in controls and reducing optionality at a local level. The Committee also noted that successful implementation of actions largely depended on clarity in leadership, management or governance arrangements. The Committee was of the view that the Council should discuss how the pace of change could be increased and provide greater clarity and leadership over what activities should be prioritised for action.
The Head of Assurance oversees a continuous programme of follow‑up of actions agreed in response to internal audits and to the Audit Committee on the implementation of internal audit actions at every meeting. On 30 September 2024, the number of overdue audit actions stands at fifteen, down from eighteen reported in last year’s annual report.
Two particular areas were highlighted in last year’s annual report as being high priority: Global Mobility and Travel Safety, and Health and Safety Risk Management and Assurance. The Committee has received regular progress updates on the implementation of these actions and welcomed an update from the Safety Office in July confirming that the rollout and implementation of a new travel risk assessment system and health and safety risk and hazard tool was being undertaken in a coordinated way and on a School‑by‑School basis. The Committee will continue to monitor the implementation of these actions until they have been completed.
PricewaterhouseCoopers LLP (PwC) was reappointed as the external auditor for the University for the financial year 2023–24. The fees paid for work completed in the financial year 2023–24 were £2,035,077 plus VAT for the external audit2 and £65,528 plus VAT for non-audit work. These fees are subject to final confirmation and audit.
In accordance with OfS’s terms and conditions of funding for Higher Education Institutions, the external auditor is appointed or reappointed annually. The Statutes and Ordinances of the University of Cambridge also require that the accounts of the University are audited annually by qualified accountants appointed by Grace on the nomination of the Council.
Following a market testing exercise in 2018, PwC was reappointed to provide the external audit provision (subject to annual reappointment). However, the University agreed that PwC would discontinue the audits of low materiality subsidiaries as this work was more suitable for a smaller firm. It was agreed that for the 2023–24 audit, the audit of these subsidiaries would be undertaken by a local firm, Peters Elworthy and Moore.
At its March 2024 meeting, the Committee received feedback from the University and its subsidiary organisations in regard to the performance of the external auditor. The Committee agreed to recommend to the Council that a Grace be promoted for the annual reappointment of PwC as the external auditor for the Financial Year 2023–24.
The Committee reviewed the Financial Statements with particular reference to the Corporate Governance Statement (including the Internal Control Statement), the Statement of Council’s Responsibilities and the Report of the External Auditors included within the Statements.
During 2023–24, the external auditor and PwC affiliate firms carried out non-audit work in the following area for the University: assurance of environmental sustainability data. In each significant case, the engagement was subject to the Audit Committee’s policy on non-audit services to ensure that the external auditor’s independence was not put at risk.
The Audit Committee received PwC’s external audit annual report 2023–24 at its meeting on 14 November 2024.
The Committee considered the report and was satisfied with the remarks on auditing and accounting matters, detailed control observations and other observations from around the University group.
The University’s approach to risk management is set out in its risk management policy and framework. Under this framework, the Audit Committee has risk management as a standing item on its agenda to ensure routine monitoring. The Audit Committee alerts the Council to any emerging issues arising with the management of risks as necessary.
In addition, the Committee also undertakes regular ‘deep dives’ into individual risks on a rotating basis, which provides an opportunity for risk owners and the Audit Committee to discuss the management of risks in greater depth than is otherwise provided through a review of the University Risk Register. This helps to provide the Audit Committee with assurance that risks are being actively managed.
The Audit Committee welcomes the continuing development of the University’s risk management activities and has highlighted the importance of the University Risk Register as a tool to aid strategic decision-making and prioritisation. With this in mind, the Committee recommended that a calibration of the University Risk Register should take place with the aim of ensuring that the risk scoring reflected accurately the top risks currently faced by the University. This recommendation will be taken forward by the extended senior leadership team.
The Committee continues to be concerned about risks arising from the fragmented nature of IT infrastructure in the University, particularly in relation to cyber security, and has actively monitored progress in addressing these risks. The Committee acknowledges the alignment between defragmentation work and the mitigation of the University’s cyber security risks.
Last year, the Committee commissioned an internal audit of general IT controls in a selection of departments in order to better understand IT risks at a devolved level. The audit found that there was no defined control framework to support key IT processes across departments. The Committee recommended the report for discussion by the Information Services Committee (ISC) to determine whether University-wide action should be taken in response to the audit findings.
The ISC agreed that University-wide action should be taken to address the lack of an IT control framework across the University. The ISC reviewed the draft Systems Management Policy against the audit findings and confirmed that it was content that the relevant controls were laid out explicitly in the Policy. It was noted that management of departmental and UIS systems could be audited against the Policy requirements in the future. The Systems Management Policy set out minimum technical standards and had a two-year implementation period in recognition of the level of work required by some institutions to comply with the standards. The Committee strongly encouraged further acceleration of the implementation of the policy insofar as this was considered possible and would seek further assurances in the future.
The Committee also welcomed the introduction of a University-wide Acceptable Use Policy, developed as part of the cyber security action plan.
In January, the Committee received an update on progress with defragmentation and noted that this was being broadly welcomed by the IT community across the collegiate University. However, the Committee was disturbed by the findings of discovery work which had revealed that some locally managed infrastructure presented a higher level of operational and cyber security risk than had previously been assumed. The Committee expressed strong concern over the pace of execution of defragmentation in addressing this risk and felt that the programme lacked an overall plan to address the structural and people elements of defragmentation. The Committee’s decision to escalate its concerns to the Council was reinforced by the Clinical School Computing Service (CSCS) IT incident that occurred in February 2024.
The Committee received a further update on defragmentation in May 2024, which highlighted an overlap between this programme and CSCS recovery work and an opportunity to migrate infrastructure at scale. The Committee was informed that a full plan for defragmentation was expected in Michaelmas Term 2024. The Committee has reiterated its strong support for the defragmentation work and will continue to seek assurances on the mitigation of IT risks during 2024–25.
Last year’s annual report noted that the Audit Committee had approved a proposed approach for providing assurance over change programmes, on the recommendation of the Change and Programme Management Board (CPMB). In October, the Committee approved a proposed assurance plan for 2023–24, but it has not yet received any assurance reports arising from that plan.
In May, the Committee discussed two specific risks to delivery of the University’s change programmes: the impact of programmes outside the scope of the CPMB and the approach to and assurance on governance and management accountability for operational delivery. The Committee welcomed news that there would be a ‘step back and review’ of the change portfolio, noting the risks posed by a lack of institutional coherence. However, the Committee also emphasised the need for operational management and leadership at the portfolio level, in addition to the governance provided by the CPMB. The Committee will continue to seek assurance over the delivery of the change programmes during 2024–25.
In recent years, the Committee has identified challenges presented by the devolved nature of the University in obtaining visibility over controls and ensuring their consistent application. Last year’s annual report noted that a new Head of Institution Assurance Statement had been piloted with a small number of institutions and would be rolled out to all institutions in 2023–24. This self-assessment exercise was designed to provide assurance over controls operated at a devolved level and a better understanding of risks managed by institutions. The exercise complements and adds to the assurance received through the University’s programme of internal audit.
The Committee welcomed the results of the 2023 exercise, which provided assurance over sixteen areas of activity, including financial controls, people management and governance and compliance activities. The exercise had identified the control environments in eleven areas as strong, three as satisfactory and two as weak. Improvement actions had been agreed in respect of the weaknesses identified and progress will be monitored as part of the 2024 Assurance Statements exercise.
It was agreed that the Assurance Statements would operate on an annual basis, to provide greater visibility over responsibilities which sit at a departmental level. The Committee also agreed that the list of statements would be expanded for 2024 to provide more comprehensive coverage of the University’s internal control environment.
The 2023–24 exercise was launched in May 2024 and the outcome will be reported to the Audit Committee in Michaelmas Term 2024.
The Audit Committee monitors the effectiveness of the University’s management and quality assurance of data returns submitted to the Higher Education Statistics Agency, the Student Loans Company, the Office for Students, Research England and other bodies through its programme of internal audit and an Annual Data Return Assurance Report. This report provides the Committee with an overview of statutory data returns submitted during the year and provides with assurance that the data submitted by the University conformed to requirements and published guidance and had been subject to effective oversight and management review.
The Committee also ensures that the process used to produce the University’s Transparent Approach to Costing (TRAC) return is in compliance with guidance published by the Office for Students. Last year’s annual report commented on challenges with the collection of data concerning the physical estate. This year, the Committee welcomed the significant work undertaken by the team in Academic Planning and Financial Analysis (AFPA) in transforming these issues and in improving engagement with TRAC internally.
The Audit Committee receives an annual value for money (VfM) report, which outlines progress with a number of VfM‑related initiatives that enable, or will enable, the achievement and measurement of value for money. The Committee acknowledges that efficiency and value for money also continue to be promoted through local level and University-wide initiatives and the University also collaborates with the Colleges through the Bursars’ Committee to ensure value for money across the collegiate University.
In addition, the Committee receives assurance that the public funds received by the University from the Student Loans Company and transferred between the University and Colleges are used by the Colleges for educational purposes.
(a)Office for Students (OfS)
The Committee receives an annual assurance report about how the University complies with its Conditions of Registration with the OfS and any Reportable Events submitted to the OfS during the year. The Committee noted that further work was underway to strengthen the University’s ability to demonstrate compliance with one Condition of Registration.
(b)Research funder requirements
Last year, the Committee identified a wider ‘dialling-up’ of compliance expectations in relation to research funder requirements, with recent audits finding weaknesses in relation to incomplete documentation held by or provided by departments. The Committee has continued to monitor improvement actions to strengthen the University’s research control environment. This work was underway, and progress had been made in respect of UKRI requirements, but the Committee recognised that successful implementation remained heavily dependent on compliance within departments and that this would continue to be monitored.
(c)Estates statutory compliance
Following a deferral of a planned internal audit of buildings statutory compliance, the Committee received and discussed a report from the Director of Estates Operations on planned changes to improve compliance delivery and reporting around the University’s physical estate. The Committee expressed serious concern about the number of areas reported to be unsatisfactory or non-compliant in the report and noted that the planned improvement work was due to be completed within six months. The Committee will seek assurances that this improvement work has been completed during 2024–25, ahead of an internal audit.
The University Audit Committee has a duty to satisfy itself as to the appropriateness of risk management, assurance and audit processes of Cambridge University Press and Assessment (CUPA). CUPA is a department of the University governed by the Press and Assessment Syndicate and with its own Press and Assessment Board (PAB) Audit and Risk Committee.
The PAB Audit and Risk Committee has oversight of the internal audit arrangements for CUPA and reviews the findings of internal audit reports and the management responses. A full list of internal audits considered by the PAB Audit and Risk Committee during 2023–24 is provided in Appendix C [not reproduced]. At each Audit Committee meeting, the Chair of the PAB Audit and Risk Committee provides an oral update on the business of CUPA and the items of discussion at the latest PAB Audit and Risk Committee meeting. In addition, a written annual report of the PAB Audit and Risk Committee is received at the Audit Committee’s November meeting, and a half-year report at a meeting in Easter Term.
The Audit Committee continues to acknowledge the significant income stream that CUPA provides to the University.
Under the Financial Regulations, any member of staff must report immediately to the Registrary and the Director of Finance any suspicion of bribery, fraud or other irregularity. The Audit Committee receives an Annual Report on the implementation of the University’s Anti-Bribery and Corruption Policy and details of incidents of fraud.
In the 2023–24 academic year, across the University, the Colleges and the University’s subsidiaries, there were two reports of fraud, two external enquiries and an unsuccessful phishing attack. Both fraud cases have now been closed and plans have been agreed to tighten controls in the future.
Since 1 June 2023, there have been five new cases recorded under the Whistleblowing Policy. Investigations for four are ongoing and the fifth is unlikely to warrant a whistleblowing investigation.
In accordance with the Committee of University Chairs HE Audit Committees Code of Practice, the Committee has reached the following opinions on the adequacy and effectiveness of the University of Cambridge’s arrangements for:
(a)Risk management, control and governance
The Audit Committee is satisfied that the University’s risk management and governance arrangements support the University in fulfilling its policies, aims and objectives, enabling the University to identify, understand and manage its principal risks, and to be accountable and transparent in its governance. On balance, the Committee is satisfied that the University’s internal control environment is effective, but while the position is not deteriorating it notes the absence of significant improvement and the need for University to increase the pace in further enhancing controls in areas where weaknesses in internal controls are identified and reported.
(b)Sustainability, economy, efficiency and effectiveness (value for money)
The Audit Committee is satisfied that the arrangements for economy, efficiency and effectiveness are appropriate and effective. The Committee notes the continuing adoption of and improvement in financial procedures and management practices designed to support the achievement of value for money and institutional effectiveness.
(c)The quality of data returned to regulatory bodies
The Audit Committee is satisfied that the management control and quality assurance of data returns submitted to the Higher Education Statistics Agency, the Student Loans Company, the Office for Students, Research England and other bodies are adequate and effective.
The Committee has highlighted areas it wishes to actively monitor during 2024–25, including reduction of the University’s cyber security risk and progress with defragmentation work, assurance over the delivery of the change and transformation programmes, research, and sustainability, as well as buildings statutory compliance activities. The Committee will seek updates on these during the year and will escalate any concerns about progress to the Council for further discussion.
The Committee will seek further information about the University’s approach to environmental sustainability and the detailed delivery plans in place to realise its commitments to reduce energy-related emissions. The Committee also notes that recent developments in reporting standards provide an opportunity for the University to highlight the positive impact of its activities on society and the environment.
The Committee also wishes to encourage the University to develop its thinking and articulation around a dedicated strategy (incorporating long-term objectives), as this may provide opportunities to clarify what activities should be prioritised for action. In an increasingly difficult financial landscape for the Higher Education sector and in light of the significant volume of change the University is seeking to implement through the transformation programmes, the Committee feels the University would benefit from having an agreed direction of travel that a strategy would provide.
1Specified in Chapter XIII of the University’s Statutes and Ordinances (2023, p. 1072).
2For the Academic University, Cambridge University Press & Assessment, subsidiaries, standalone CUEF financial statements and University of Cambridge Investment Management Ltd Client Asset work.
The Constitution of the Audit Committee is set out in Special Ordinance A (v) of the University’s Statutes and Ordinances, as follows:
1. There shall be a standing committee of the Council, called the Audit Committee, which shall consist of:
(a)a member of the Council in class (e) (as referred to in Statute A IV 2(e)) appointed by the Council to serve as Chair of the Committee,
(b)two members of the Council appointed by the Council from among its members who are members of the Regent House, provided that neither the Vice-Chancellor, a Pro-Vice-Chancellor, nor the Head of a School shall be eligible to serve,
(c)four persons, not being members of the Regent House or employees of the University, appointed by the Council with regard to their professional expertise and experience in comparable roles in corporate life, including at least two members with experience of finance, accounting or auditing,
(d)not more than three persons co-opted by the Committee, provided that it shall not be obligatory for the Committee to co-opt any person or persons. If there are co-opted members, at least one shall be a member of the Regent House who is not a member of the Council, and, if there is more than one, there shall be either one further member of the Regent House who is not a member of the Council and/or one external member, or two external members, provided that only one of the external members may be a member of the Council in class (e) (as referred to in Statute A IV 2(e)).
2. Members in classes (a), (b) and (c) shall be appointed in the Michaelmas Term to serve for four years from 1 January next following their appointment or for the same period plus the remainder of the term of the departing member if that remainder is less than one year. In the event that Council membership ceases, Audit Committee membership will expire simultaneously. No member may serve for more than two consecutive periods of appointment or eight consecutive years whichever is the longer. Co-opted members shall serve for such period as the Committee shall determine at the time of their co-optation.
3. No person may be a member of the Audit Committee who is a member of the Finance Committee. If a member of the Audit Committee becomes a member of the Finance Committee, her or his place shall thereupon become vacant.
4. No decision of the Audit Committee shall have any binding effect unless there are at least five members, three at least of these being external members, present at a meeting of the Audit Committee. If a decision is the subject of a vote and there is an equality of votes cast, the Chair, or Acting Chair, as the case may be, shall be entitled to give a second or casting vote.
5. In the absence of the Chair of the Committee, the Audit Committee shall elect an acting Chair from the external members present.
The Audit Committee’s terms of reference are set out in Chapter XIII of the University’s Statutes and Ordinances (2023, p. 1072), as follows:
1. The Audit Committee shall meet at least once a term in each financial year. It shall be the duty of the Committee:
(a)to keep under review the University’s risk management strategy and implementation;
(b)to keep under review the effectiveness of the University’s systems of financial and other internal control;
(c)to satisfy itself that satisfactory arrangements are adopted throughout the University for promoting economy, efficiency, and effectiveness;
(d)to advise the Council on matters relating to the external auditors, including their appointment, their services, their remuneration, and any questions relating to the resignation or dismissal of auditors;
(e)to review annually with the external auditors the nature and scope of the external audit;
(f)to consider, in consultation with the external auditors, (i) any statements annexed to the annual accounts of the University, including the auditors’ report, and (ii) any statement provided by the Council on the governance of the University;
(g)to approve the approach to internal audit;
(h)to approve proposals for the programme of internal audit work put forward by the internal auditors and to ensure that sufficient resources are made available to implement the internal audit programme effectively;
(i)to consider any reports submitted by the auditors and to monitor the implementation of any recommendations made by the auditors, both external and internal;
(j)to monitor annually the performance and effectiveness of the external and internal auditors;
(k)to oversee the University’s policy on fraud and irregularity, and to ensure that the Committee is informed of any action taken under that policy;
(l)to ensure that all significant losses are properly investigated and that the internal and external auditors, and where appropriate, other authorities and regulators, are informed;
(m)to satisfy itself as to the appropriateness of risk management, assurance and audit processes of Cambridge University Press and Assessment;
(n)to make an annual report to the Council, and to other authorities and regulators as required;
(o)to receive reports from authorities and regulators, and to advise the Council thereon;
(p)to forward minutes of the Committee’s meetings to the Council
Chair: Professor Andrew Wathey
Secretary: Dr Elle Bateman, Head of Assurance
Assistant Secretary: Ms Rowena van Asselt, Risk and Assurance Manager
There were changes in membership over the course of the year which are noted in the table below.
|
Class of membership |
Name of member |
Limit of tenure |
|
(a) Chair and External member of Council |
Professor Andrew Wathey |
31 December 2027 |
|
(b) Members of the Council |
Dr Pieter van Houten |
31 December 2026 |
|
Baroness Sally Morgan |
31 December 2026 |
|
|
(c) External members |
Ms Suzi Brennan (from 1 February 2024) |
31 December 2027 |
|
Mr Gary Ernest |
31 December 2027 |
|
|
Mr David Germain |
31 December 2024 |
|
|
Ms Elly Hardwick |
31 December 2024 |
|
|
(d) Co-opted members |
Ms Nicola Robert (from 1 October 2023) |
31 December 2025 |
|
Professor Tony Green (until 30 September 2024) |
31 December 2024 |
(a) Process of appointment
Members are appointed to the Audit Committee by the Council of the University. Membership nominations are made to the University’s Council’s Advisory Committee of Committee Memberships and External Nominations, except in the case of class (d) members who are co-opted by the Committee on the basis of recommendations received.
(b) University officers and auditors
The Audit Committee invites certain senior University officers and the University’s external and internal auditors to attend unreserved meetings. It also invites other colleagues and external speakers to attend for specific agenda items or to present on a particular area of operation or risk.
The Audit Committee also invites the Chair of the Press and Assessment Board (PAB) Audit and Risk Committee to attend all meetings and to make biannual reports. The Chair of the PAB Audit and Risk Committee is Mr Jonathan Scott, who represents the PAB Audit and Risk Committee on the University Audit Committee.
The Vice-Chancellor is invited to address the Audit Committee annually.
|
Position |
Name |
|
Vice-Chancellor |
Professor Deborah Prentice |
|
Registrary |
Emma Rampton |
|
Chief Financial Officer |
Anthony Odgers |
|
Director of Finance |
David Hughes |
|
Senior Pro-Vice-Chancellor |
Professor Andy Neely |
|
Director of the Governance and Compliance Division |
Dr Regina Sachers |
|
Internal Auditor – Deloitte LLP |
Morag Childs Nicholas Fosh |
|
External Auditor – PricewaterhouseCoopers LLP |
Claire Lake Andy Grimbly Danel Hugo Liesha Meyer |
|
Chair of the Press and Assessment Board Audit and Risk Committee |
Jonathan Scott |
|
Apprentice, Governance Apprenticeship Programme |
Sherene Jose |
|
Head of Data and Information Compliance, Governance and Compliance Division |
Dr James Knapton |
|
Director of Recruitment, Admissions and Participation |
Mike Nicholson |
|
Programme Manager, Change and Programme Management Office |
KC Wilson |
|
External Member of Council |
Gaenor Bagley |
|
Head of Group Financial Reporting, Finance Division |
Stephen Peacock |
|
Director of Research Services |
Dr Peter Hedges |
|
Head of Research Operations Office and Deputy Head of the Research Office |
Dr Jo Dekkers |
|
Group Financial Controller and Deputy Director of Finance, Finance Division |
Daniel Benham |
|
Head of Resourcing, Human Resources Division |
Sarah Botcherby |
|
Director of Health, Safety and Regulated Facilities |
Dr Martin Vinnell |
|
Director of Safety Governance and Assurance |
Anne-Marie Farmer |
|
Director of University Information Services |
Professor Ian Leslie |
|
Chief Information Security Officer (Policy and Assurance) |
Vijay Samtani |
|
Chief Information Security Officer for Technology and Operations |
Dr Gabriela Ahmadi-Assalemi |
|
Head of Group Procurement |
Ken Bruce |
|
Interim Director of University Information Services (from 1 June 2024) |
Chris Russell |
|
Head of Strategic Change and Delivery, Change and Programme Management Office |
Lucy Hargreaves |
|
Director of Research Services (from 1 May 2024) |
Dr Andrew Jackson |
|
Assistant Director, Assurance, Risk and Compliance, Research Office |
Sebastian Ashenden-Field |
|
Chief Operating Officer, University of Cambridge Investment Management |
Karen Whinney |
|
Chief Executive, Cambridge University Press and Assessment |
Peter Phillips |
|
Deputy Head of Education Services |
Catherine Fage |
|
Interim Head of the Safety Office |
John Dalton |
|
Head of Safety Assurance and Auditing, Safety Office |
Rory Feilen |
|
Head of Business Information and Strategic Insights, Academic and Financial Planning and Analysis |
Dr Katya Samoylova |
|
Director of Estates Operations, Estates Division |
Andrew Smart |
|
Head of Business Continuity, Governance and Compliance Division |
Dr Clara East |
The table below provides information on meeting dates and attendance.
|
Date |
Members and associated class |
Senior officers and guests |
Auditors |
Apologies1 |
Quorate |
||||
|
(a) |
(b) |
(c) |
(d) |
Total |
|||||
|
12/10/2023 |
1 |
2 |
3 |
1 |
7 |
11 |
Internal: 2 External: 3 |
3 |
Yes |
|
16/11/2023 |
1 |
2 |
3 |
2 |
8 |
13 |
Internal: 2 External: 3 |
1 |
Yes |
|
18/01/2024 |
1 |
2 |
3 |
2 |
8 |
14 |
Internal: 2 External: 1 |
4 |
Yes |
|
14/03/2024 |
1 |
2 |
4 |
1 |
8 |
13 |
Internal: 2 External: 1 |
1 |
Yes |
|
09/05/2024 |
1 |
2 |
4 |
1 |
8 |
17 |
Internal: 2 External: 3 |
1 |
Yes |
|
04/07/2024 |
1 |
2 |
4 |
1 |
8 |
16 |
Internal: 2 External: 1 |
4 |
Yes |
The table below lists those internal audit reports considered by the Audit Committee at its meetings during the 2023–24 academic year.
|
Audit Committee meeting |
Audit title |
Included in the Internal Auditor’s 2023–24 Annual Report? |
|
12 October 2023 |
Conflicts of Interest |
No |
|
General Departmental IT Controls |
No |
|
|
Student Bursaries |
No |
|
|
Estates Financial Contract Management |
No |
|
|
18 January 2024 |
Onboarding and Induction |
Yes |
|
9 May 2024 |
Data Protection |
Yes |
|
IT Portfolio Governance |
Yes |
|
|
Key Financial Controls |
Yes |
|
|
4 July 2024 |
Visitor Agreements |
Yes |
|
HESA Data Futures |
Yes |
|
|
Student Record System |
Yes |
The table below lists those internal audits where fieldwork was completed during the 2023–24 academic year, but which were reported to the Committee during the 2024–25 academic year.
|
Audit Committee meeting |
Audit title |
Included in the Internal Auditor’s 2023–24 Annual Report? |
|
10 October 2024 |
Conflicts of Interest |
Yes |
|
Estates Lifecycle Works |
Yes |
|
|
Procurement |
Yes |
|
|
Export Controls |
Yes |
|
|
UKRI Timesheets |
Yes |
|
|
MRC Assurance Framework |
Yes |
1Figures refer to Committee members, senior officers and the Chair of the Press and Assessment Board Audit and Risk Committee.