Internal audit service protocol

Transcription

1 Internal audit service protocol Introduction This document sets out the process for reporting in accordance with the Operational Internal Audit Plan, which is approved by the Audit Committee annually. The University of Kent audit plan was approved by the Audit Committee on 28 September Audit assignments will be carried out in accordance with the subject areas set out in the Operational Internal Audit Plan. Any additional work will be carried out only with the approval of the University. This document considers the following: 1. The stages of an audit assignment 2. Planning 3. Fieldwork 4. Detailed reporting 5. Audit Committee reporting 6. Follow-up 7. Key performance indicators 8. Review of protocol The role of internal audit is defined in the HEFCE 2008 Accountability and Audit Code of Practice as to provide the governing body, the designated officer and other managers of the institution with assurance on the adequacy and effectiveness of risk management, control and governance arrangements. 1. The stages of an audit assignment The four key stages of a standard audit assignment can be summarised as follows: Planning discussions with management to understand the objectives of the process/system and identify the associated risks of failing to achieve those objectives; and agreement of Terms of Reference based upon the objectives and risks. Fieldwork detailed identification and documentation of process/system objectives and risks; identification, documentation and evaluation of the controls within the processes/systems to prevent identified risks from crystallising; preparation of the audit programme which details testing to be performed; and completion of audit tests, primarily compliance tests to determine whether prescribed controls are actually operating. Internal audit service protocol Page

2 Reporting reporting weaknesses, the effect of those weaknesses and recommending corrective action; agreeing with management an action plan to address weaknesses; and communicating and discussing results of audit work with the Audit Committee. Follow-up follow-up to ensure agreed management action has taken place. 2. Planning Prior to an audit assignment commencing in any area, the Head of Internal Audit, or his/her representative, will discuss the planned review with the University audit sponsor and other appropriate managers to identify relevant current issues and any matters that may impact upon the audit. The audit sponsor will be identified as the manager responsible for the area under review. Each audit will also have an audit champion who will be the member of the Executive Group responsible for the area being audited. The Head of Internal Audit will issue Terms of Reference which set out the background, audit objectives, audit scope, timing of the audit, reporting arrangements and key staff involved in the audit, to the audit sponsor. The audit sponsor will be responsible for approving the terms of reference, attending the closure meeting and collating the management responses to the draft report. Depending upon the scope of the review concerned, the audit sponsor may also contribute in the fieldwork. The Terms of Reference are copied to the following: Nominated Internal Audit contact: Frank Richardson, Deputy Director of Finance The manager responsible for the area being audited the audit sponsor; The audit champion; and Other key Member institution staff involved in the audit. 3. Fieldwork KCG will seek always to work in collaboration with system operators and managers with the aim of using their knowledge of the system processes and the skills of the internal audit team to produce a practical report which adds value. On completion of fieldwork, a member of the audit team will discuss the audit findings with the audit sponsor in a closure meeting. This meeting seeks to confirm the accuracy of our findings, identify practical solutions to issues arising and enable the audit sponsor, where appropriate, to begin necessary corrective action at an early stage. Internal audit service protocol Page

3 4. Detailed reporting Detailed audit assignment reporting will take place in two stages draft and final. A standard reporting template and three priority levels of recommendations will be used as described below. Draft A draft report will be issued to the audit sponsor for review and confirmation of factual accuracy within 10 working days of the closure meeting. The draft report will also be issued to the nominated internal audit contact Frank Richardson, and to the audit champion. On receipt of the draft report, the audit sponsor will be given 10 working days to discuss the findings with KCG and provide the Head of Internal Audit with a management response. The response to each recommendation should include: a clear acceptance or rejection of each observation and recommendation; if accepted, for each recommendation a responsible officer and proposed deadline for action should be given; where rejected, proposed alternative action, responsible officer and proposed deadline for action should be given or the reason for rejection should be provided. Final On receipt of the completed responses, the Head of Internal Audit will assess the management responses and will issue a final report within five working days. Responses will be assessed as follows: adequacy of the response in dealing with the audit observation being raised; and proposed action plan for implementation. The final report will be sent to the audit sponsor for implementation, and to other appropriate managers. The final report will also be issued to the nominated Internal Audit contact, the audit champion and the Vice-Chancellor. Priority ratings Each audit finding will generate an audit recommendation. These recommendations will be prioritised in accordance with the following criteria: Priority ratings: Priority 1 Observations refer to issues that are fundamental to the system of internal control. We believe that these issues have caused or will cause a system objective not to be met and therefore require management action as a matter of urgency. Priority 2 Observations refer mainly to issues that have an important effect on the system of internal control but do not require immediate management action. System objectives are unlikely to be breached as a consequence of these issues, although Internal audit service protocol Page

4 improved system design and/or more effective operation of controls would minimise the risk of system failure in this area. Priority 3 Observations refer to issues that would if corrected, improve internal control in general and engender good practice, but are not vital to the overall system of internal control. Table 1: Priority ratings Assurance levels The level of assurance to be applied will be based on the auditor's assessment of the extent to which system objectives are met. As a guide, the following triggers will be used. : Overall Level of assurance and definition assignment rating 1 Full Assurance There is a sound system of control designed to achieve system objectives, and the controls are being consistently applied. 2 Satisfactory Assurance There is a generally sound system of control designed to achieve system objectives, and the controls are generally being consistently applied. However, there are some weaknesses in control, and/or evidence of non-compliance, which are placing some system objectives at risk. 3 Limited Assurance There is a generally sound system of control designed to achieve system objectives, and the controls are generally being consistently applied. However, there are some significant weaknesses in control in a number of areas, and/or evidence of significant noncompliance, which are placing some system objectives at risk. 4 No Assurance The system of control is generally weak, and/ or there is evidence of significant non-compliance, which exposes the system to the risk of significant error or unauthorised activity. Trigger number of individual audit recommendations Priority 3s or no audit recommendations. Priority 2s and no Priority 1s. Between 1 and four Priority 1s and (usually) several Priority 2s. Five or more Priority 1s. Or Audit not delivered. Internal audit service protocol Page

5 5. Audit Committee reporting For each Audit Committee throughout the year, the Head of Internal Audit will present an Interim Internal Audit Report summarising the key points arising from final audit reports issued in the previous period. For each completed audit assignment, a summary of issues arising and prioritised recommendations will be included in the interim report. Draft audit reports will not be discussed at the Audit Committee unless previously agreed with the nominated Internal Audit contact. The Head of Internal Audit will prepare an Annual Internal Assurance Report for the academic year, which will include an overall opinion statement in line with current Government Internal Audit Standards Manual (GIASM) and HEFCE requirements. 6. Follow-up As a matter of course, action plans will be followed-up for progress six months after the date of the final report. Where a report has been delayed for any reason, follow-up will take place six months after the date of the draft report. Follow-up work may be brought forward at the request of the Audit Committee, the nominated Internal Audit contacts or the Head of Internal Audit. The results of follow-up work will be reported as part of the Head of Internal Audit s interim reports to the Audit Committee and on a summary basis within the Annual Internal Assurance Report. 7. Key performance indicators (KPIs) KCG will measure itself against KPIs in line with HEFCE Assurance Service recommendations. Measurement will be made based upon factual evidence, for example reporting deadlines. Information will also be collected via a Customer Questionnaire, which will be sent to the recipients of the finalised audit report for completion and return to the Head of Internal Audit. The table on page 6 details indicators and performance indicators. A summary of performance will be included in the Annual Internal Assurance Report in accordance with the following measures and summarising the results received via Customer Questionnaires. 8. Review of protocol The operation of this protocol will be reviewed after 12 months and any necessary amendments made in agreement between the University and KCG. Internal audit service protocol Page

6 Indicator Update Strategic Internal Audit Plan and Agree Operational Internal Audit Plan. Operational Internal Audit Plan achieved. Performance Prior to commencement of the financial year to which the Plan relates. Conforms to GIASM/HEFCE. Plan is fully achieved. Non achievement is fully transparent and approved by the Audit Committee. Actual days input compared to Plan. Audit reporting TOR produced within 5 days of set-up meeting. Draft report produced with 10 days of closure meeting. Management responses received within 10 days of draft report. Final report issued within 5 days of management responses. Audit recommendations Usefulness and effectiveness established by timely implementation. Timely follow-up after 6 months. Relationships Managers and auditees perceptions. Audit Committee perceptions Relations with other auditors. Results of other auditors reviews (e.g. HEFCEAS). Table 2: Internal Audit Indicators and Performance Indicators Internal audit service protocol Page