Internal Audit Annual Assurance Report Cardiff University

Transcription

1 Internal Audit Annual Assurance Report / Cardiff University 1

2 Internal Audit Annual Assurance Report SECTION 1 BASIS FOR INTERNAL AUDIT ANNUAL OPINION Report Preparation This report of annual internal audit assurance has been compiled by the Head of the Joint Internal Audit Unit (JIAU) and the Senior Auditor based on the Chartered Institute of Internal Auditors (CIIA) standards, and the best practice guidelines presented at the Council of Higher Education Internal Auditors (CHEIA) and discussed with the Higher Education Funding Council for Wales (HEFCW). The report includes the annual overall opinion from the JIAU relating to the following key areas which are fundamental to the annual opinion:- Risk Management; Corporate Governance; Internal Control Environment; Value for money. To provide this opinion, the JIAU has used the assurance obtained from internal audit assignments, discussion with senior management and review of key documents such as Cardiff University s strategy, The Way Forward, supporting thematic strategic documents, reports prepared by the external auditors and special notifications provided to the Audit Committee. Internal Audit Assignments The internal audit programme for was agreed with the Audit Committee and based on an assessment of key areas of risk. The audit programme was designed to provide assurance over the four core areas of the annual opinion and to provide assurance to the University as part of the risk assurance process. The delivery of the programme has provided sufficient evidence to support the annual internal audit opinion and there are no significant weaknesses or issues identified from our audit findings, or limitations to the extent of audit work that inhibit the JIAU from making its annual opinion. Discussion with Senior Management The Head of the JIAU reports regularly to the Chief Operating Officer, Director of Finance, and the Director of Governance and Assurance at Cardiff University. Senior Management are invited to discuss issues which have arisen or anticipated changes which may affect the control environment, with the Head of the JIAU formally or on an ad hoc basis. Discussion with senior management is conducted with regularity and as such, the JIAU are considered to be promptly aware of the key issues affecting the institution s strategy. The JIAU have not identified issues which represent a significant risk exposure or unaddressed area of concern which could inhibit the assurance provided against the four core areas of the annual internal audit opinion. Review of Key Documents Cardiff University were in the process of further developing its systems of risk management. During the year initial strategic Risk Registers and resulting Risk Matrices had been produced both in terms of Objectives and as the Risk Owner for the risks associated with those Objectives for the areas of responsibility of: the Deputy Vice Chancellor; the Thematic Pro Vice Chancellors (Student Experience & Academic Standards; Research Innovation and Enterprise; and International & Engagement); the College Pro Vice Chancellors (Arts Humanities & Social Sciences, Biomedical & Life Sciences, and Physical Sciences & Engineering;); and the Professional Services Group (based on Risk Registers compiled at a departmental level). An internal audit of the corporate risk register was commenced in but had not been finalised at the time of writing. The JIAU has not identified significant issues or unaddressed risk exposure which limit the assurance provided against the four core areas of the annual opinion. Independence and Objectivity Independence and objectivity are integral to performing the role of auditing. The principles of the ICAEW Code of Ethics have been adopted by the JIAU as a method of ensuring the key values of integrity, objectivity, and professional competence, due care, professional behaviour and confidentiality are embedded and that the JIAU can demonstrate achievement of these values. The importance of independence is communicated to staff regularly and care is taken to ensure the team approach their audit work in an independent and objective manner. Team members do not have any additional roles at Cardiff University and are not involved in operational activities or decision-making which may inhibit the objectivity and independence that they 2

3 Internal Audit Annual Assurance Report should demonstrate. A formal return reminding staff of the values of independence and objectivity is completed on an annual basis. SECTION 2 - THE ANNUAL ASSURANCE OPINION The JIAU are able to provide Substantial Assurance on the adequacy and effectiveness of Cardiff University s overall framework relating to the management of risk, governance processes, internal control systems and value for money, viz: Risk Management Cardiff University s strategic plan, The Way Forward , articulates the key objectives for the institution for Research and Innovation, Education, International, and Engagement. The strategy identifies the values that operational activities should demonstrate to facilitate the achievement of the key objectives. The risk management framework summarises risk registers at a strategic level and groups the risks according to the strategic objective. Cardiff University were in the process of further developing its systems of risk management, and had made significant progress in preparing initial strategic Risk Registers and resulting Risk Matrices for the thematic areas included in the strategic plan, the three Colleges, and the Professional Services Group. Further enhancements to risk management systems and processes and embedding across the institution were planned during 2014/15. The corporate risk register was subject to an internal audit review in and the draft report was in the process of being finalised with management. The external auditors discussed the key strategic risks identified in a survey of higher education institutions with the Audit Committee as part of the external audit plan in June 2014, and these were consistent with strategic risks faced by the institution. Each internal audit assignment undertaken by the JIAU is risk based and provides an overall level of assurance. Governance The University s corporate governance arrangements are subject to periodic review by internal audit. Audits in this area continue to provide assurance that Cardiff University has suitable governance processes in place to ensure that it is managed effectively, directed in line with appropriate strategic objectives, and that its business is conducted properly and in compliance with relevant statutes and regulations. In 2013 a review of the Effectiveness of Council was undertaken by Fiona Peel and the findings and recommendations designed to improve or refine practice have been reported to the Council and the University Executive Board for implementation. A high level of assurance was obtained in from the review of the quality of data used by Cardiff University to inform regulatory bodies. This data is used by the Welsh Government, and the HEFCW to assess the achievement of the institution s objectives and to make decisions in relation to funding. Internal Control The institution s control environment which includes its policies, procedures and operational systems and processes have been designed to: Establish and monitor the achievement of the University s objectives; Facilitate policy and decision making; Ensure the economical, effective and efficient use of resources; Ensure compliance with established policies, procedures, laws and regulations; Safeguard the University s assets and interests from losses of all kinds, including those arising from fraud, irregularity or corruption. The internal audit programme provides assurance over the internal control environment. The programme is approved by the Audit Committee on an annual basis and the findings are presented to the Audit Committee and management through an internal audit report which includes an overall assurance rating. Follow-up internal audit work is completed to provide assurance over the mitigation of risks and resolution of issues, and the findings reported to the Audit Committee. 3

4 Internal Audit Annual Assurance Report Whilst the JIAU has identified significant and fundamental issues from individual audit assignments performed in, these issues, both in isolation and together, are not of such significance that no assurance could be obtained from internal controls or an individual area under our review during the year. Value for Money (VfM) VfM is considered in a wider context across the institution and is embedded into the strategic plan, The Way Forward Within the strategy, Cardiff University has identified strategic objectives and sub-objectives which support the achievement of the key objectives for Research and Innovation, Education, International and Engagement. An internal audit of Accommodation Fees and Residencies Income was performed in and a high level of assurance was obtained in relation to the budget management and income generation. An internal audit of VfM in Purchasing was also completed during the year and a strong level of assurance was obtained from review of the processes in place to achieve economy, efficiency and effectiveness in procurement, and the institution s ability to demonstrate this to stakeholders including the HEFCW. VfM is considered throughout internal audit assignments and areas for improvement are reported to management. The JIAU has not identified any significant omissions or issues which may impact Cardiff University s achievement of value-formoney. Rhian Owens Head of the JIAU November 2014 Guy Smith Senior Auditor SECTION 3 - SUMMARY OF WORK PERFORMED AND DETAILED FINDINGS Part 1: The Internal Audit Approach Internal Audit Approach Internal audit encompasses the whole internal control system and is not limited to financial control systems. The scope of internal audit work reflects the core objectives of Cardiff University and the key risks that it faces, and as such, each audit cycle starts with a comprehensive analysis of the whole system of internal control. Activities that contribute significantly to Cardiff University s internal control system, and associated risks, may not necessarily have an intrinsic financial value. Therefore, our approach seeks not to try and measure the level of risk in activities but to assign a relative risk value. The purpose of this approach is to enable the delivery of assurance to Cardiff University over the reliability of its system of control in an effective and efficient manner. The JIAU undertook the audit needs assessment using the following process: Identifying the core objectives of Cardiff University and, where available, the specific key risks associated with the achievement of those objectives; and Determining auditable areas that impact significantly on the achievement of the control objectives. The Internal Audit Strategy is drawn out of the assessment of audit need. Auditable areas have been identified by the JIAU. Each auditable area has been assigned a simplistic priority (High, Medium or Low) to reflect: The previous audit coverage by internal audit and associated level of assurance provided; and The impact that non-compliance of internal control may have upon Cardiff University. 4

5 Internal Audit Annual Assurance Report Auditable areas that have not been reviewed by the JIAU at any time in recent years are automatically given greater prominence when being assigned prioritisation. This ensures far wider audit coverage, and that a more definitive overall level of audit assurance can be provided. The individual assignment objectives, audit findings and report are shared with local management, Senior Management and the Audit Committee. The action plan to address the findings are agreed with management and presented to the Audit Committee. In some circumstances these may be presented to the University Council. Risk Assurance Mapping The design of the internal audit plan is integrated into the risk assurance process. The plan is closely aligned to review risks derived from the strategy and other significant, underlying risks which underpin the activities of the entire institution. The risks identified against the four thematic aims - Research and Innovation, Education, International, and Engagement - forms the basis of the planning considerations for the annual programme of work. The other risks which the internal audit plan considers include underlying risks which relate indirectly to achieving these objectives. The risks which an institution should consider at a strategic level according to the Risk management in higher education: A guide to good practice, prepared for HEFCE by PricewaterhouseCoopers (February 2005) include Human Resources, Finance, Estates, Information and Communication Technology (ICT), Regulatory and Compliance, and Corporate Governance and Risk Management. The risks identified which may impact upon Cardiff University s capability to implement the enablers have been categorised by the institution as part of the risk management process. The enablers underpin Cardiff University s capability to achieve its strategic thematic aims. Internal audit considers the effectiveness of the mitigating controls identified in the risk register, the value these activities offer Cardiff University and the unmitigated or unidentified risk exposure. This is completed through internal audit activities which are predominantly internal audit reviews but may also include other assurance activities such as follow-up reviews, participation in a governing committee, group meetings or consultancy-type reviews. Audit Plan Senior Management and the Audit Committee indicate the level of prioritisation for audit assignments and the recommended audit length, and also advise on the timing of the audit assignment. Delivery of the fieldwork and reporting arrangements is overseen by the Head of the JIAU. The audit objectives by individual review are discussed and agreed with Senior Management. For unusual or higher risk audit assignments, the objectives of the review may be shared with the Audit Committee prior to commencement. The approach to gaining assurance in internal audit typically involves evaluating control design, testing controls on a sample basis or by using Computer Assisted Audit Techniques (CAATs), and assessing value for money insofar as the economy, efficiency and effectiveness of activities. On fewer occasions, internal audit assurance can vary in form, and include attendance at governance meetings such as the Clinical Trials Operational Governance meeting and Medic Assessments Task Group. The JIAU have appointed IT-related audit specialists to complete audit assignments which relate to IT controls and require expertise within internal audit. Part 2: Performance Measures Completed Audit Programme A summary of work performed by the JIAU in is included at Appendix A. Due to a high level of staff absences, there remains a proportion of the audit programme that has not been completed. Regular communication was made with the Chief Operating Officer and Audit Committee to agree a plan to address the issue. Audits of significant risk and those to be used by the external auditors or HEFCW were prioritised. Mazars LLP were engaged to complete a portfolio of audits from August 2014 to April 2015, and these have been included in the updated Internal Audit Plan 2014/15 (see Appendix B). These audits will be completed alongside the reviews which have been postponed and are not considered to be an area of significant risk exposure to the University because there are alternative risk assurance processes in place. These areas are under close management and scrutiny of the Pro Vice Chancellors and Executive Board. Regular consultation is being made with relevant management in relation to these areas and no significant risk exposures have been identified which are of a significance to impact the annual opinion. 5

6 Internal Audit Annual Assurance Report Days Delivered Against Budget Against a budget of 311 days for, only 261 (or 84%) have been delivered (see Appendix A). This represents a shortfall of 50 days in total audit provision which can largely be explained by the prolonged absence of members of the JIAU Team due to illness. Audits that were not commenced in have been included in the Audit Programme 2014/15 with an additional 50 days being assigned to the basic allocation to enable the back-log to be cleared (see Appendix B). In addition to the audit assignments, the JIAU has delivered a further 50 days in respect of the review of EU grant submissions. Recommendations Agreed with Management Internal audit assignment objectives are aligned to the risk of the institution and as such, management are typically welcoming to addressing areas for improvement. Management is not obliged to accept recommendations made by the JIAU. In the event of disagreement to a recommendation, the JIAU will discuss the issue and risk arising with management in the first instance. If there is considered to be a continuing risk exposure but management do not agree to either the finding or recommendation, the JIAU will discuss the matter with the Director of Finance and the Director of Governance & Assurance for escalation. All recommendations relating to an unmitigated risk exposure or which may impinge on the University s ability to meet its objectives are reported to the Audit Committee regardless of whether the issue has been agreed with management. Significantly all of the recommendations are agreed with management shortly after the issue of the draft report. There have been some instances where recommendations were not agreed and these are presented to the Audit Committee. If the Audit Committee is not satisfied with the response of management and does not consider the risk exposure to be limited, the Head of the JIAU will follow up the recommendation and report to the Chief Operating Officer or other delegated officer. During the year, 97% of recommendations (109 of 113) contained within internal audit reports were agreed to be implemented by management. There were 4 recommendations which were not agreed as management felt that the issue identified was of a low significance of risk and the actions to be taken to mitigate the risk are impractical to implement. Part 3: High Risk Issues Risk of Fraud Fraud may arise externally, from third parties trying to defraud the institution, or internally, such as through manipulation of reporting of the institution s financial position or management override of controls to perpetrate fraud. Conditions under which fraud may occur are as follows: Management or other employees have an incentive or are under pressure; Circumstances exist that provide opportunity - ineffective or absent controls and / or management ability to override controls; and Culture or environment enables management to rationalise committing fraud; attitude or values of those involved, or pressure that enables them to rationalise committing a dishonest act. The University has internal controls and governance arrangements to deter fraudulent activity, identify fraud and respond to fraud. Serious Fraud or Governance Failing The JIAU Team are provided with guidance in identifying and managing fraud which is aligned to the institution s financial regulations. The JIAU did not identify issues of serious fraud or governance failing which were significant in nature and which could impact on Cardiff University achieving its strategic objectives. The JIAU was not made aware of such issues from discussion with management. Fundamental (High) Recommendations A total of 16 recommendations had been assigned the highest priority Fundamental - were raised in 5 internal audit assignments during, viz: 6

7 Internal Audit Annual Assurance Report Audit No. Audit Topic Number of Fundamental Recommendations Overall Level of Assurance 1314/C14A Cash Handling : Cash Office Procedures 8 Limited 1314/C16 HR and Payroll CORE System : Processing of Standing & Variable Data Changes 1 Limited 1314/C17 Voluntary Severance Scheme: Risk of Re-Engagement 1 Limited 1314/C23 VfM in Purchasing 2 Substantial 1314/C25 UKVI Student Monitoring 4 Full / Limited The JIAU do not consider there to be significant omissions or risk exposure in relation to the identified issues due to the response of management in addressing the required mitigating actions. The area of internal control weakness, recommendation and progress of implementation are summarised at Appendix C. Significant or Fundamental Recommendations Not Agreed with Management The JIAU did not identify high risk or fundamental findings which were not agreed with management. Part 4: The Internal Audit Team and Resources Team Composition The Head of the JIAU was appointed in February 2013 and prior to this the department was led by the Head of Assurance Services. Both individuals are ACA qualified and are experienced in internal audit in the higher education sector. The Head of the JIAU is responsible for ensuring that staff are qualified and equipped to complete their assigned tasks. Performance is measured within the team as part of the appraisal process, regular meetings and feedback is provided to team members on the submission of each internal audit assignment. The team consists of one Senior Auditor; two Internal Auditors, one Senior Audit Assistant and one Audit Assistant. Members of the team hold a variety of qualifications which include part-qualified ACCA, CIMA Finalist, Member of the Institute of Chartered Secretaries and Administrators, PIIA and AAT qualified. Continuing Professional Development Continuing professional development is fundamental and team members have participated in events to gain further experience in the following areas:- HESA training for auditors; UKVI staff RTW training; IDEA software training; CHEIA Regional Meetings; HEFCW Annual Risk Assurance Update; HEFCW Student Data and Systems Meeting; EU Grants: FP7 and INTERREG. Part 5: Internal Audit Costs The costs relating to the provision of services by the Joint Internal Audit Unit for the financial year totalled 304,351. The costs charged directly to Cardiff University for service provision was 186,689 during the year ( 170,891 in 2012/13). An invoice was raised to recharge a proportion of the costs to Swansea University in accordance with the joint agreement - 130,351 (including VAT of 12,690). The JIAU generated income of 10,639 and 11,765 from the recharge of costs relating to the audit of EU grants including FP6, FP7, INTERREG and Marie Curie at Cardiff University and Swansea University respectively. 7

8 Internal Audit Programme APPENDIX A Type of Audit Audit No. (1314) Audit Topic Audit Days Audit Recommendations Made Status Assurance Planned Actual Category Total High Medium Low VfM Corporate Governance & Risk Management Corporate Governance Risk Management C1 C2 C3 Fraud Risk: Mitigation through Operational Controls Project Management: Registry: Admissions & Assessments Corporate Risk Management 5 0 Delayed until next year Audit 1415/C2 : Fraud Risk Management Delayed until next year Audit 1415/C7 : Admissions Process (Confirmation & Clearing) Completed - Draft report prepared presently being discussed by management. Student Experience Education C4 C5 Assessment Process & Recording: MEDIC MBBCh Biosciences Assessments Graduate Employability 12 2 No additional new audit work undertaken. Previous review was subject to a follow-up Delayed until next year Audit 1415/C9 : Graduate Employability (DLHE Data Collection) Research & Innovation Research C6 C7 C8 Information Security Framework: Management of Key Research Partner Interests Clinical Trials Units : Quality Assurance & Corporate Governance Research Integrity : Concordat Delayed until next year Audit 1415/C4 : Information Security Framework (Research Partner Interests) Delayed until next year Audit 1415 / C32 : Research Integrity Concordat & Application (Clinical Trials Units) Completed Substantial

9 Internal Audit Programme APPENDIX A Type of Audit Audit No. (1314) Audit Topic Audit Days Audit Recommendations Made Status Assurance Planned Actual Category Total High Medium Low VfM Engagement Engagement C9 C10 Project Management: Engagement Projects : Centre for Community Journalism (C4CJ) Widening Participation: Strategic Objectives Completed Full Delayed until 2015/16. International International C11 International Student Experience: Outward Mobility 12 0 Delayed until next year Audit 1415/C10 : International Student Experience : Outward Mobility. (1213) C12 Tuition Fees Completed Full Financial Core Financial Systems C12 Income: Accommodation Fees Completed Full C13 Financial Reporting : Monthly Closedown Procedures 15 0 Delayed until next year Audit 1415/C26 : Financial Reporting : Monthly Closedown Procedures. 9

10 Internal Audit Programme APPENDIX A Type of Audit Audit No. (1314) Audit Topic Audit Days Audit Recommendations Made Status Assurance Planned Actual Category Total High Medium Low VfM C14A Cash Handling : Cash Office Procedures Completed Limited Financial (Cont) New College Structure C14B C15 Cash Handling : Spot Checks Management Information & Reporting Completed Substantial Delayed until next year Audit 1415/C32 : Colleges : Budget Management & Management Information. PEOPLE MANAGEMENT Human Resources C16 C17 C18 HR and Payroll CORE system: Processing of Standing and Variable Data Changes VSS: Management of the Risk of Engagement UKVI : Staff Right to Work Completed Limited Completed Limited Completed Substantial Estates Utilities Project Development (1213) C9 C19 Energy Management (Electricity & Gas Supply) TBA with the new Director of Estates 0 0 Completed Substantial Delayed until next year Audit 1415/C20 & C21 : Topics to be agreed with the Chief Operating Officer and Director of Estates. ICT System Security C20 Change Management Both draft reports have been agreed with the Chief Operating Officer and Director of IT. Management responses are being requested from each college and these will be C21 Server Management presented to the next meeting of the Audit Committee. C22 Cyber Security 6 0 Audit postponed. To be re-scheduled in consultation with the Chief Operating Officer and the Director of IT. 10

11 Internal Audit Programme APPENDIX A Value for Money Purchasing C23 VfM in Purchasing 10 9 Completed Substantial Returns to Funding Bodies C24 HEFCW (Student Numbers) Completed Substantial Regulatory & Compliance Law & Regulations C25 C26 UKVI: Student Monitoring Staff Compliance: Disclosure of Interest Full Completed / Limited 10 0 Delayed until next year Audit 1415/C20 & C29 : Disclosure of Interests. C27 Staff Compliance: Mandatory Training 10 0 Delayed until next year Audit 1415/C16 : Staff Compliance : Mandatory Training. Other - Attendance at Clinical Trials Operational Governance Committee, Environmental Officer 7 7 Not Applicable Follow- Up Reviews Follow Up - Previous Recommendations Not Applicable EU Grants First Level Control - FP6 / FP7 / INTEREGG III Not Applicable TOTAL DAYS

12 APPENDIX B TO BE INSERTED WHEN AUDIT PROGRAMME 2014/15 IS APPROVED BY THE AUDIT COMMITTEE SEE DRAFT AUDIT PROGRAMME AT APPENDIX E OF THE AUDIT STRATEGY 12

13 Appendix C(1) Fundamental Recommendations Contained within Internal Audit Reports Audit 1314/C14A - Cash Handling : Cash Office Procedures (January 2014) Scope of Review: To assess the effectiveness of the Income Section (Cash Office) against the University s Financial Regulations (FR) and Financial Policies and Procedures (FP&P) for cash handling. Audit Findings JIAU Recommendation Latest Update Segregation of Duties The cashing up and banking was completed by the same member of staff the majority of the time and therefore there was no segregation of duties. Recommendation 3 The cashing up and preparation of banking should be done by two members of staff. Implemented February 2014 Two staff members complete the cashing-up and banking process. Safe Security The safe was unlocked and open during time of the visit. General Security The security arrangements of the cash office had not been reviewed. Recommendation 10 The safe should remain locked at all times. Recommendation 11 The security arrangements should be reviewed and a report provided to the Director of Finance. Implemented February 2014 The safe is locked when not in use. Implemented March 2014 The security arrangements of the Cash Office have been reviewed by the University s insurers with an additional 2 recommendations being made (one-way glass and an additional panic alarm at the back desk) and these are presently being considered by the Finance Department. 13

14 Audit Findings JIAU Recommendation Latest Update Contents of Safe The safe contained cash equivalent items that possibly were not insured and it may be more appropriate to be retained elsewhere. Authorisation of Documentation The batch control forms and supporting documentation were not checked and signed off by an approved signatory or nominee. Independent Review The Income Section (Cash Office) petty cash float of 6,000 was only checked by one member of staff without any independent review. Recommendation 13 The safe contents should be reviewed; and Establish whether the gold medallions are insured and whether they will have an effect on the insurance threshold limit. Recommendation 15 The batch control forms and supporting documentation in relation to the daily taking reconciliation should be checked and signed by an approved signatory or nominee. Recommendation 18 The entire cash float should be checked daily by two members of staff. Implemented February 2014 The contents of the Cash Office safe have been reviewed and the gold medallions independently valued. The gold medallions are still held securely in the safe. Implemented February 2014 Daily takings batch control forms and supporting documentation are reconciled every day. Implemented February 2014 The cash float is checked daily by two members of staff. Cash Float Forms Non-standard, ad hoc cash float forms were completed but not signed by the person responsible and could destroyed periodically. Income Reconciliation A reconciliation was not performed between the Oracle report and the cash float reconciliation spreadsheet. Recommendation 19 Cash float forms should be completed daily, approved by Management and retained for a period agreed by the Director of Finance. Recommendation 24 A reconciliation should be performed between the Oracle report and the cash float reconciliation spreadsheet. This should be signed off as evidence. Implemented February 2014 Cash float forms are completed daily, and approved by the Senior Finance Officer Cash float forms are retained for 12 months. Implemented February 2014 The Oracle report and the cash float reconciliation spreadsheet is reconciled and duly signed-off. 14

15 Appendix C(2) Fundamental Recommendations Contained within Internal Audit Reports Audit 1314/C16 HR and Payroll CORE System : Processing of Standing & Variable Data Changes (November 2014) Scope of Review: To assess the adequacy of the design of controls and the effectiveness of the controls for HR and payroll data which is held on the integrated HR / payroll system. Audit Findings JIAU Recommendation Latest Update Non-remunerated Posts Persons who were not directly employed by Cardiff University, e.g. honorary appointments, could be shown as being non-remunerated upon the University s live main payroll, so that they could be granted access to the CORE system. Recommendation 17 Staff that are not remunerated should not be included on the Cardiff University Main payroll. If this cannot be facilitated, consideration should be given to appropriate controls to prevent and detect payment in error or potential fraud. Implemented Unfortunately when an employee has had a historical employment with the University within the same tax year the change of payroll cannot be facilitated. However the approval of the nonremunerated post can be completed at appointment stage this will ensure that the employee is not paid incorrectly. 15

16 Appendix C(3) Fundamental Recommendations Contained within Internal Audit Reports Audit 1314/C17 Voluntary Severance Scheme: Risk of Re-Engagement (November 2014) Scope of Review: To assess the adequacy of the design of controls and the effectiveness of the controls for the Voluntary Severance Scheme Audit Findings JIAU Recommendation Latest Update Severance Instruction Template The settlement instructions to Payroll were often manually written and this increased the risk of error. Recommendation 3 A standardised instruction template should be devised to ensure a consistent formatting approach and to minimise potential transposition errors for future VSS payments. Report being finalised with management. 16

17 Appendix C(4) Fundamental Recommendations Contained within Internal Audit Reports Audit 1314/C23 VfM in Purchasing (September 2014) Scope of Review: To ensure that the University procurement function facilitates the achievement of value for money in procurement and supports the Principles of Welsh Public Procurement Policy. Audit Findings JIAU Recommendation Latest Update Strategic The level of strategic importance the University places on its commitment to deliver the objectives of the Welsh Public Procurement Policy is not clearly demonstrated across the University as a whole. General Procurement Principle Procurement best practice should be adopted by the University as a whole to ensure full compliance with University policies and legislative requirements. Recommendation 1 Procurement Services should be represented at Project/Programme Steering Group level in order to have greater involvement in planning and decision making activities and consequently raising the strategic profile of the Welsh Public Procurement Policy. Recommendation 9 In order for the University to be assured of full compliance with University procedures, policy and legislative requirements standard operating procedures relating to pre-market analysis, tendering activity and contract management must be agreed and consistently applied to procurement related activities. To be Implement within 3 Months The Programme Management Office, IT Services and Estates will be made aware of this recommendation. To be Implement within 12 Months Standard Operating Procedures (SOP s) for pre-market appraisal, tender exercises and contract management will be developed (with the Purchasing Section as a lead) with Estates, Campus Services and Programme Management Office. Joint ownership of SOP s between the University Department and Purchasing Section will be established. 17

18 Appendix C(5) Fundamental Recommendations Contained within Internal Audit Reports Audit 1314/C25 UKVI Student Monitoring (February 2014) Scope of Review: To assess the effectiveness of the design of controls and operational efficiency in monitoring students against the UKVI requirements. This review has focused on students studying at Cardiff University that hold a Confirmation of Acceptance for Studies (CAS) and which the University has a responsibility to monitor as a Trusted Sponsor. Audit Findings JIAU Recommendation Latest Update Framework for Student Engagement There was no overarching framework in place to provide guidance on key aspects of monitoring student engagement for students with a CAS. Reliance is placed on the student engagement principles as set out in the Student Regulations. Schools have escalated concerns to varying degrees about the adequacy of the activities they perform, the design of which has been interpreted from the student engagement principles in the Student Regulations. As a result, the monitoring processes at a school level may not be wholly compliant or consistent for UKVI monitoring. Recommendation 1 The University should agree and approve a framework which identifies the key procedures and responsibilities of staff in professional services, colleges and schools for managing student visitors and complying with UKVI. Implemented July 2014 Framework for monitoring and managing student engagement has been developed in partnership with College Deans/Registrars and to complement and be aligned with Senate Regulations for Student Attendance and Academic Progress Monitoring and Absence Procedures. Guidance & Training Limited formal guidance and training has been provided to staff deployed to engagement monitoring at a school level. Recommendation 2 Training needs within colleges and schools should be established, and training should be provided appropriate to the needs of schools. Implemented September 2014 Training needs of school staff established in partnership with College Registrars and a plan for delivery confirmed. 18

19 Audit Findings JIAU Recommendation Latest Update Engagement Monitoring The process for responding to students that have not engaged should be clearly articulated and aligned to the UKVI monitoring process to ensure the engagement monitoring activities lend themselves to UKVI monitoring requirements. Recommendation 12 Schools should ensure that the procedures for responding to students that have not engaged are articulated and appropriate evidence is retained of the process to demonstrate compliance with UKVI requirements. Implemented July 2014 Information relating to engagement to be included in the Student Handbook. Re-engaging Students UKVI expects the University to respond to lack of engagement identified from monitoring, and to facilitate the re-engagement of students. Schools have informal procedures for re-engaging students. Whilst this is a crucial initial step in re-engaging students, it is not clearly articulated or formulated in the monitoring process at all schools. Recommendation 13 The framework should include clear guidance on the procedures to take in responding to a student s failure to engage. School procedures should address the risk of student visitors who are failing to engage and allow for escalation of the issue. Implemented July 2014 Framework for monitoring and managing student engagement has been developed in partnership with College Deans/Registrars and to complement and be aligned with Senate Regulations for Student Attendance and Academic Progress Monitoring and Absence Procedures. 19X