Internal Audit at the University of Cambridge.

Transcription

1 Internal Audit at the University of Cambridge.

2 Contents Introduction to Deloitte 1 Our team 2 What is Internal Audit? 4 Our approach to Internal Audit 5 Authority and reporting lines 7 Planning 8 Ad Hoc Requests 9 Reporting and Follow up 10 Contact details 11

3 Introduction to Deloitte Deloitte has been appointed to provide outsourced Internal Audit services to the University of Cambridge from 1 January Deloitte is one of the Big Four accounting firms and has a long standing association with the University of Cambridge, including as its external auditor. Our relationship with the university is headed overall by Stuart Henderson, a senior partner in Deloitte s Cambridge office. The internal audit service, on which the remainder of this guide focuses, is led by Kirsty Searles, a Cambridge alumni and partner leading internal audit and risk services to major organisations across the UK. Your Head of Audit for the delivery of the contract is Richard Evans, who leads our Internal Audit services to Higher Education across the UK. This guide sets out the service that we provide to the University, and the respective roles and responsibilities of our team and of management. The information included in this guide is intended to assist with the smooth delivery of our service. Please contact us if you would like to discuss any of the information included. University of Cambridge 1

4 Our team University of Cambridge 2

5 Kirsty Searles Engagement Partner As Engagement Partner, Kirsty has overall responsibility for the delivery of our services to you. Kirsty s role is to ensure the overall quality of our service delivery and she meets with management regularly to discuss Deloitte activities and provide guidance, ideas and our experiences of working with other organisations Kirsty s role includes: Oversight of the audit planning process; Oversight of the scopes of all audit assignments; Attendance at all Audit Committees and quarterly contract review meetings; and Final review of all deliverables. Mike Barber Engagement Partner Maternity From Christmas 2009, Kirsty is on maternity leave, and we have identified Mike Barber to act as Engagement Partner during her absence. During this time, Mike has lead responsibility for our all aspects of our service delivery. Richard Evans Engagement Director As Engagement Director, Richard is your Head of Internal Audit. Richard is responsible for technical development and quality control of the internal audit services we provide. Supervision and monitoring of the contract is through: development of relationships with key University staff; review of all draft reports prior to issue; definition of performance standards and targets for the Contract Audit Manager against which performance can be measured. Such targets reflect the specific requirements of the University; review of performance statements; regular meetings with the Director of Finance and other delegated officers; and client feedback, either via discussions with the contract managers or through meetings with key staff at the University. Richard Neal Engagement Senior Manager Richard works closely with Richard Evans and Mike/Kirsty to ensure that the internal audit services provided are of the highest standard. Richard is also responsible for day-to-day contract management including liaising with the Director of Finance and other delegated officers, and allocating work to ensure the most effective use of resources. He reviews the quality of our audit work in detail and is your immediate point of contact during the course of the contract. This role includes: Establishing relationships with management across the University; Review of audit assignments to ensure compliance with professional standards as set out by the HEFCE Code of Practice and guidance issued by the Auditing Practices Committee, our internal procedures, and that all objectives have been satisfactorily met; Allocating appropriate resources to individual audits to ensure that the best possible results are achieved from each audit; and Close liaison with the Director of Finance and internal clients on any operational issues arising during the course of the audits undertaken. Dan Bonner Audit Manager Dan will support Richard in the management of our service, and in particular will lead on the co-ordination and delivery of school visits. Cliff Breadnam Technology Manager Our IT internal audit team is led by Cliff Breadnam. Cliff is supported by a team of IT internal audit specialists drawn from our dedicated PSIA IT internal audit practice. University of Cambridge 3

6 What is Internal Audit? The Higher Education Funding Council for England requires Higher Education Institutions to have an internal audit function. The Institute of Internal Auditing, in their Standards for Professional Practice of Internal Audit, describes the role of Internal Audit as: An independent, objective assurance and consulting activity designed to add value and improve an organisation s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. We work to provide the Audit Committee with an opinion on risk, control, governance and value for money on an annual basis. To do this we undertake a number of projects based on an agreed plan derived from the some of the key risks to the University. In our work we seek to provide assurance as to the operation of systems whilst also highlighting potential areas for improvement based on best practice and discussions with management, and we are often used to assist in changes to processes. In terms of audit projects, there are a number of different types we may undertake: o Systems audits assessing the control systems in place within a specific area, to support the achievement of the areas objectives; o Compliance audits assessing compliance against an agreed set of standards, e.g. compliance with the Financial Regulations; o Project Management Assurance undertaking work to confirm that projects have appropriate controls in place to help ensure delivery; o Contract audit auditing large scale procurement projects and capital programmes, assessing compliance with best practice; o IT Audit assessing the IT control systems in place, including using specific software to assess the entire IT system, such as looking at system security for the Finance system; o Advisory projects at the request of management we may undertake work to provide advice as to new developments and what impacts the new processes and systems may have upon existing operations; o Thematic Work to be undertaken across a number of departments, identifying areas of good practice and producing an overall report for all areas of the University to learn from. University of Cambridge 4

7 Our approach to Internal Audit We have undertaken an exercise to complete a three year audit plan, which has been agreed by the Audit Committee in July A brief explanation of our approach to delivery (steps four and five) is set out below: Having agreed the Audit Plan, we follow a defined set of procedures: identifying the Audit Sponsor - we agree with University management the name of the Audit Sponsor for each audit. The sponsor should be at Director level, and their role includes agreeing the terms of reference and the draft report and management responses. The identification of an Audit Sponsor has several key advantages. In particular, it raises the profile of our work and subsequent recommendations to senior level, and ensures that our work takes account of risks and concerns at all levels. planning the scope - we discuss with University management and the Audit Committee the scope of each assignment to ensure that our understanding of the objectives of the audit agrees with management's and that we are taking all relevant matters, including management and staff concerns, into account. All scopes are reviewed by Mike/Kirsty and Richard (Evans) before they are finalised to ensure appropriate coverage of the area being audited. University of Cambridge 5

8 The content of each audit is developed through discussion with the department/business unit managers and this is then formally documented in the terms of reference for each audit. Systems based auditing - our approach involves the following processes: determining the objectives of the system and documenting the system; identifying the risks by discussion with management, and from our knowledge of the systems in place within the University and elsewhere; identifying possible causes of error for each risk identified; describing and categorising the controls. For each cause of error we identify the controls that prevent the error, by means of a risk evaluation matrix; and audit programmes. Our audit programmes detail the specific procedures, which we use to test the key controls identified in the risk evaluation matrices. Richard (Neal) reviews the detailed plans for each individual audit before fieldwork commences. He agrees target dates for the key stages on each assignment with the audit clients in accordance with the proposed audit protocols. Richard (Neal) monitors the progress of the audit work, to identify areas of potential overrun, for example due to areas of weakness being identified that require more extensive audit testing. In each case, Richard Neal liaises with the Assistant Director of Finance to agree any additional work required and an appropriate time budget. We operate a no surprises approach to our audit. We provide continuous feedback on the results to the Audit Sponsor of our work and any significant recommendations are raised immediately. IT Systems - we confirm our understanding of the important elements of the computer environment in which the computer-based IT systems operate. The principal elements of the computer environment include: the type and location of important computers, networks and service organisations and how these communicate with each other; the general organisation of the processing function, and types of activity performed, e.g. computer operations, systems development and maintenance, control and security functions; and the overall manner in which the processing organisation is managed. University of Cambridge 6

9 Authority and reporting lines The scope of our work is set by the University Audit Committee. This body (made up of both internal and external members) meets six times a year to discuss, among other things, the Internal Audit programme and to review the outputs of our work. The Chair of the Audit Committee reports issues of fundamental importance to the Council. Internal Audit has the right of access to any information/documentation held by the University. A series of regular meetings are also held with senior University staff: Monthly progress meetings take place between the Director of Finance and the Assistant Director of Finance and the Internal Audit Manager and Director. Quarterly update meetings take place between the Registrary, the Director of Finance, the Assistant Registrary, the Internal Audit Manager, Director and Partner. An annual liaison meeting is held between the Engagement Partner and the Vice-Chancellor. The Engagement Partner also has direct access to the Chair of the Audit Committee, should it be required. Other assurance providers Internal audit operates as part of a suite of assurance providers to you. At Deloitte we aim to ensure that your assurance providers adopt a joined up approach to risk and assurance. We already know your external audit provider, PWC, through working with them for a number of years at other institutions. As part of our work for the 2010/11 programme, we have met with the external auditors to agree a process for ongoing liaison, and will continue to do so regularly to discuss the plan and share the results of our work. In doing so we aim to minimise areas of duplicate assurance and identify potential areas where external audit may rely on our work. In these areas we work with external audit to structure our work, including documentation, specific tests and sample sizes, to meet their needs where practical. University of Cambridge 7

10 Planning When will I be audited? Our work plan for the year is defined in the annual internal audit plan which is approved by the Audit Committee. The plan is designed to ensure that all University departments participate in some form of audit over the course of our three year cycle. Most departments have contact with our team on more than one occasion over a three year period. At the beginning of the academic year, officers in the Secretariat notify senior management in the areas scheduled for audit that they have been included in the annual audit plan. At this point the Secretariat is able to advise the term in which the audit is scheduled to take place. Where possible, we ensure that the timing of our audit assignment is convenient to you. Who is involved? The Head/Chair of the Department/Faculty/Institution/Division takes overall responsibility for the audit (known as the audit sponsor). Daily liaison with our team may be delegated to another staff member but as a minimum, the Head/Chair is required to formally agree the scope of the work, attend key meetings and provide written management responses to the draft audit report. We agree a draft timetable with you, setting out: - The specific risk areas for review - The people we may need to meet with - How we will address any particular concerns you may have - Expected key dates for the audit, including completion and issue of our draft report. Prior to the start of each term, we contact senior management to finalise the exact timing and undertake a planning and scoping meeting. Scoping meetings are held at least three weeks prior to the start of an audit. University of Cambridge 8

11 Ad Hoc Requests Reasons for Additional Work As referred to above, there are a number of different types of Internal Audit work which are completed as part of the Annual Plan. Although we determine the coverage based on a number of requirements, we also include an element of our work programme for ad hoc requests for Internal Audit involvement. Making Requests Should you wish to request a specific Internal Audit into an area or Internal Audit involvement, please contact the Assistant Director of Finance or Engagement Director to discuss. There are a number of reasons for request for additional audit work, for example: Advice on risk and control in respect of project work, either in providing assurance around project management arrangements or attending project boards; Advice on risk and control in relation to new developments in systems and processes, where it is useful to obtain an independent perspective on the implications on system changes; Internal audit work into areas which are highlighted as a potential concern by officers and/or management; and Consideration of benchmarking exercises with other relevant organisations. University of Cambridge 9

12 Reporting and Follow Up Draft report Our draft report is sent to the audit sponsor (Head/Chair of Department/Faculty/Institution/Division). The report is issued within 15 working days of the closing meeting held at the end of the audit. We require formal written responses and clarification of the accuracy of our findings as well as an action plan, including responsibilities for action, and timescales. Responses are required within 15 working days of receipt of the draft report. Ratings of individual recommendations Each recommendation is graded as Priority 1, 2, 3 or 4. This defines the importance of the recommendation. Priority 1 recommendations are those which are fundamental to the University, for the attention of senior management and the audit committee; The opinion The opinion we give in our report summarises our overall view of the design of the controls for the audit area and how well those controls are functioning. Our opinion, i.e. the level of assurance that we are able to provide on the adequacy and effectiveness of controls, is also graded as full, substantial, limited or nil. Final Report This is a formal record of the findings and recommendations from the audit, including management responses. The final report is issued within 10 working days of receipt of management responses. It is agreed with the Audit Sponsor and is presented to the Audit Committee. Follow Up The recommendations are revisited after the audit, to ensure that agreed actions have been undertaken. Priority 2 recommendations are those which are fundamental to the area subject to audit, for the attention of senior management and the audit committee; Priority 3 recommendations are those which are important to the area subject to audit, to be addressed by management within that area. Priority 4 recommendations are administrative issues, either from a best practice perspective or to address minor non compliance with existing control systems. University of Cambridge 10

13 Contact Details Kirsty Searles 2 New Street Square London EC4A 3BZ Tel: Mike Barber New Street Square London EC4A 3BZ Tel: Richard Evans 2 New Street Square London EC4A 3BZ Tel: Richard Neal 3 Victoria Square Victoria Street St Albans Herts, AL1 3TF Tel: Dan Bonner 3 Victoria Square Victoria Street St Albans Herts, AL1 3TF Tel: Cliff Breadnam 3 Victoria Square Victoria Street St Albans Herts, AL1 3TF Tel: University of Cambridge 11

14 This document is confidential and prepared solely for your information. Therefore you should not, without our prior written consent, refer to or use our name or this document for any other purpose, disclose them or refer to them in any prospectus or other document, or make them available or communicate them to any other party. No other party is entitled to rely on our document for any purpose whatsoever and thus we accept no liability to any other party who is shown or gains access to this document. Deloitte & Touche Public Sector Internal Audit Limited. Registered in England & Wales with registered number Registered office: Hill House, 1 Little New Street, London EC4A 3TR, United Kingdom. Deloitte Public Sector Internal Audit Limited is a subsidiary of Deloitte LLP, which is the United Kingdom member firm of Deloitte Touche Tohmatsu ( DTT ), a Swiss Verein, whose member firms are legally separate and independent legal entities. Please see for a detailed description of the legal structure of DTT and its member firms Deloitte Public Sector Internal Audit Limited. Private and confidential University of Cambridge 12