Staff are obliged to assist Internal Audit in its work, as outlined in section 4.5 of the University’s Financial Regulations. This guide is aimed at staff who are hosting or contributing to an audit undertaken by the University’s internal audit function. The following information has been brought together to explain some background about the audit process, what you can expect during the course of an audit and to advise on how you can make the audit run smoothly and as useful as possible for improving and enhancing the work of your area.
Why do we have Internal Audit?
The overall goal of Internal Audit is to improve the University's operations across its various systems, policies and procedures and ensure that these provide value for money. As part of the regulatory requirements of its registration with the Office for Students, the University is required to have in place a comprehensive system of risk management, control and corporate governance. Internal Audit provides a mechanism to give internal assurance to the University. In this context, ‘internal’ means that the reports from these audits are for the University’s Audit Committee, Council and the University’s senior management, to provide them with assurance that:
- management and operational information and data are accurate;
- risks are appropriately identified, mitigated and managed; and
- the University’s operations are compliant with its own policies and procedures as well as the applicable laws and regulations.
Internal Audit reports are not generally shared outside the University.
Who are the Internal Auditors and who manages them?
The University’s internal audit function is currently provided by an external firm, PricewaterhouseCoopers LLP (‘PWC’). PWC were appointed following an open competitive tender process. The contracts for internal and external audit are awarded by the Council rather than the University’s management, but the Director of Strategic Planning and Governance acts as the day-to-day management contact with the appointed firm, supported by the Head of Governance Services.
The contract with PWC contains confidentiality clauses and the firm has undertaken a GDPR risk assessment with the University’s DPO. In handling personal data, the audit partner will anonymise and delete data appropriately, meaning that information can be shared with them in confidence. The sharing of data with the audit partner is addressed in the University’s privacy notice.
The work of the internal audit function is planned and overseen by the University’s Audit Committee on behalf of Council. The typical output of Internal Audit’s work is a report recognising good practice and making recommendations where areas for improvement have been identified. All of the University’s activities (including subsidiary companies and related bodies in receipt of significant funds - i.e. the Students’ Union) could potentially be subject to an internal audit. The use of a large professional service firm to deliver the internal audit function provides access to a broad range of professional expertise across the firm, including specialists in areas such as legal and cyber security.
The types of audit work typically undertaken
Internal Audit conducts standard reviews with an established reporting format and may be asked to undertake follow-up reviews to establish whether recommendations have been adopted. Typically, audits will cover the following aspects:
- Finance: Financial audits will typically focus on the implementation and operation of internal controls, and on the propriety of financial transactions and the related approvals, checks and balances that ensure this. Examples include audits focused on procurement activities, staff expenses, fees invoicing and research grant costing.
- Data: Data audits will normally be focused on the accuracy, use, completeness, security and retention of data. Examples of such audits would include those directed toward the University’s statutory returns of student, staff and financial data to the OfS, data holdings within departments or data relating to specified areas of compliance.
- Compliance: Compliance audits assess the extent to which the University’s processes adhere to relevant laws, regulations, policies, and procedures of the University and relevant regulatory bodies.
- Operations: The focus of operations audits is the deployment of resources and procedures/practices in the department, division or process subject to audit. The intention is to assess whether the University’s aims and objectives are being delivered in an effective and efficient manner and to identify any potential areas for improvement. Typically, such audits will include some analysis of the relevant internal controls and the extent to which these are effective in managing and mitigating relevant risks.
- IT: IT audits will evaluate system process controls, scrutinise data security, the physical security of equipment, practices and processes around in-house software development and external procurement, the resilience/contingency planning/emergency response around IT and the extent to which existing systems meet existing business requirements and may meet future needs.
The majority of audits will combine two or more elements from the list above. As well as specific recommendations, we would also seek to gain a view on how the University benchmarks against others in the sector or elsewhere, depending on the topic.
How are areas or processes identified for inclusion in the auditor’s work?
Specific areas of activity are selected for audit based on a risk assessment process, a regular schedule of audits of critical areas (e.g. data returns to the OfS) and suggestions from University Executive Board (UEB) and Audit Committee. These various inputs contribute to the production of an annual Audit Plan, approved by the Audit Committee, with a number of days allocated to each audit. At this stage a UEB or Professional Services Executive Group (PSEG) lead officer and an operational lead are also identified.
In drawing together this annual audit plan, a range of additional factors are considered, including the University’s Risk Register, specific activity that has the potential to impact on the University’s strategic objectives (e.g. a major building programme or new partnership), the scale, size and complexity of an activity in the context of the University’s turnover, regulatory compliance risks, proportion of turnover, and changes in management or other key personnel. The effect is that areas or activities representing higher risk will be audited more frequently than those identified to be lower risk. UEB and PSEG are normally briefed on the draft plan put before Audit Committee, as well as the final outcome, in order to aid areas in planning for the coming twelve months. On occasion, UEB or the management within a division or department may request an audit of a particular activity under its responsibility.
The four stages of an audit
A typical audit will consist of four stages:
Preparation
- The UEB and operational sponsors will be contacted by Internal Audit
- A scoping meeting is timetabled and held to identify the areas of focus for the work
- Following this, the Auditors will produce a draft audit scope and objectives for the University’s leads to comment on
- The Auditors will consider management feedback and finalise an audit Terms of Reference and indicative timetable for the work. This document will normally include an information request list, which is normally provided in advance of the fieldwork to ensure smooth running of the process.
Fieldwork
- Review of policy/process documentation
- Interviews with identified relevant staff
- Undertake audit test work of processes and controls
- Ongoing communication on audit progress and potential findings with University leads
Audit Report
- A closing meeting is held with the UEB and operational leads at which the Auditors’ observations and recommendations are discussed
- A risk-rated draft report is then issued to the UEB and operational leads for feedback, with a requirement to identify the University’s actions in response to the identified recommendations, including those responsible and the timescale for completion
- Following receipt of the University’s planned response, the auditors will issue a final report to the function/department and senior management with the management responses included
- This report is then provided to UEB and PSEG for information before being put before the Audit Committee for consideration
- The UEB and operational leads are asked to provide any feedback on the internal audit process
Follow-up
- The agreed management actions and timescales are input to the TrAction online tool
- Individuals responsible for actions will receive periodic reminders and will be required to provide evidence of completion
- Internal Audit will periodically be in touch with relevant individuals to obtain an update on progress against report recommendations. This is also monitored by the Director of Strategic Planning and Governance, and Audit Committee scrutinises management progress with these actions in dialogue with the VC, Deputy Chief Executive (Operations) and Director of Finance.
- On occasion additional testing or a follow-up audit to assess progress may be required.
In general, the most effective audits are those where the relevant University staff engage most fully. Key aspects of this include establishing a constructive working relationship with the auditors, ensuring the auditors have the relevant information and access they require, and following up on actions promptly with the provision of appropriate evidence of completion. Ideally the relevant staff will have a continued involvement at each stage, so that those involved understand the audit’s purpose and why it has been carried out, and so that the audit is well informed and able to reach authoritative conclusions. The operational lead is particularly important in this regard as they will be providing the context for the audit to other University staff the auditors will interact with. The following advice is intended to assist the UEB and operational leads in making the most of each stage of the process.
Preparation and scoping
UEB and PSEG members should review the published Audit Plan each year, noting topics relevant to their responsibilities and the Audit Committee meeting at which relevant reports are due, and communicating this to those likely to be involved. Audits will typically be conducted in the 3 months prior to the scheduled committee date.
When you become aware of an upcoming audit in an area/activity for which you are responsible, do consider any issues you would like to be reviewed, or if there are areas where you think the activity or process would particularly benefit from information on best practice elsewhere in the HE or other sectors. This prior consideration can be helpful in making the audit process useful, but do bear in mind the auditors have limited days to deliver the audit and may need to focus on key elements to provide the Audit Committee with the assurance it requires. Where there is insufficient time to accommodate all requirements, the Audit Sponsor will take a final view on scope, in consultation with the Director of Strategic Planning and Governance who will consider the Audit Committee's requirements and the advice of the Audit Partner.
The purpose of the scoping meeting is to review and refine the broad scope agreed with the Audit Committee, discuss timescales and objectives of the audit in order to develop a Terms of Reference for the audit. This is the point at which you should query anything you feel is being overlooked, consider what policies, standard operating procedures or other written information will assist the auditors in their work (do not assume they will identify this themselves), identify key staff who can provide authoritative information in interview and discuss any concerns or potential additional items for inclusion in the scope. You will also want to discuss areas of risk in the relevant process – the purpose of internal audit is to assist in mitigating risk by testing and strengthening the University’s processes and systems.
Fieldwork
The nature of fieldwork will depend on the type of audit itself, but this is essentially an evidence gathering exercise. This may involve some generic information for context on the operations and internal controls, but may also include transaction testing and examination of system log files, as well as interviews with staff involved in the process. The auditors use this collective information to determine whether the controls identified are operating effectively and in keeping with policy, procedures or the relevant external regulations. It is important to note that while the auditors are experienced in the sector and in working with Lancaster University, they are not investigators: if there is evidence or policy/procedure documentation that will assist them in making their assessment, the operational lead and the staff identified for interview should take the lead in making sure the auditors are made aware of it and have access to it.
As the fieldwork progresses, the auditors will discuss findings, in particular any significant findings, with the function/department. This should be a conversation and provide the operational lead with the opportunity to alert the auditors to any aspects that they may have overlooked, and to work with the auditors to determine the most appropriate way to respond to findings and improve systems and processes. When the fieldwork is complete the auditors will look to schedule time to summarise the audit’s findings, conclusions, and recommendations. This provides the operational lead and their team with the opportunity to review these alongside other key staff who may have participated in the audit process.
Reporting
A written report is the primary output of each audit exercise. In this document the auditors will provide their opinions and present the audit findings, recommendations and agreed management actions to deliver improvement. When fieldwork is completed, Internal Audit will meet with the UEB and operational leads plus other key staff to discuss the draft report, identify areas for clarification or correction, and agree management actions, responsibilities and timescales. All audit information should be treated as confidential and is reported only to University staff who need to be aware. Each report receives an overall risk rating based on the audit partner’s opinion and follows a standard format based around the following sections:
- Background and Scope
- Executive Summary (including the overall RAG risk rating)
- Findings (individually RAG risk-rated and with the agreed actions and related responsible individuals and deadlines (tbc at this stage))
The draft audit report is sent to the UEB and operational leads for review and comment and copied to the Director of Strategic Planning & Governance for information. The leads have the opportunity to provide a written response to the draft report and should finalise the text of agreed actions, the individuals responsible and the deadline for completion. It is critically important that the leads and others named as responsible for the actions are:
- clear on what the action means, that the person responsible has the authority and resources to implement it, and how the action will be progressed in practical terms;
- confident that the action can and will be delivered in the timescale;
- clear on the means by which completion of the action will be evidenced to the auditors on behalf of Audit Committee.
With this feedback and confirmation on the actions, the final draft report goes to PSEG and UEB for information and comment. A final version is then submitted to the Audit Committee for review. Given this high-level scrutiny by senior management and governors, you will want to take time to ensure you are content with the content of the report and that it accurately reflects the situation. Do, however, note that one aspect of the value the auditors provide to the Audit Committee is their independence from management; at times they will exercise their professional judgement and may make recommendations that those involved in the audit may not always welcome.
Audit Follow-Up and action completion
This final stage is focused on the completion of the agreed management actions. Progress against agreed actions is scrutinised by Audit Committee on a regular basis, with overdue actions highlighted and a presumption against extensions to agreed deadlines in the interest of minimising risk and maintaining an effective control environment. The University uses the online PWC TrAction service to manage progress against actions.
Once the report has been through Audit Committee, the actions are uploaded onto the TrAction system with the relevant deadlines and action owners added. It is important that when the email notification about an action is received, the action owner creates an account on TrAction (if they do not already have one). If support is required in using TrAction, refer to the guidance or contact the Director of Strategic Planning and Governance or Head of Governance Services, who can arrange a session with PWC to explain the system.
This system enables those responsible for actions to provide status updates on progress as required and to upload evidence of action completion to the auditors. The auditors will then review and verify whether they regard an action to be complete, prior to either requesting additional evidence or closing the action and reporting it as complete to Audit Committee.
As indicated above, the type of evidence of action completion that will be provided should be considered and, if necessary, discussed with the auditors when the draft report is being finalised. Examples of evidence might include copies of revised policies, screenshots of changed system functionality, updated software code, or written confirmation of compliance received from relevant officers. More rarely, it may be determined that a follow-up audit should be conducted to verify that actions have been completed.
The Audit Committee’s clear expectation is that actions are normally completed to the schedule agreed in the relevant Audit Report. In exceptional circumstances, those responsible may need to seek an extension to the completion date. Extension requests should be submitted to the Director of Strategic Planning and Governance who will liaise with other Audit Committee attendees from management (the Vice-Chancellor, Deputy Chief Executive Operations and Director of Finance) about the extension and, if there is agreement from this group, an extension request will be submitted to the Audit Committee via the auditor’s update report at the next meeting of the Committee.
Additions or changes to the Audit Committee’s agreed schedule of audits
Any Dean, Director or Head of Department can approach the Director of Strategic Planning and Governance to discuss whether their area/process/policy might be considered for inclusion in the annual Internal Audit Plan and considered alongside other risk areas and fixed periodic audits. Very occasionally and where there is a pressing risk identified, management may seek Audit Committee’s agreement to revise the annual programme to accommodate such an audit, or agree to fund additional audit days to respond to such a need.
Timescale for audits
The length of time needed to complete an audit depends on the size and complexity of the area or process being audited. A number of PWC auditor days are allocated during annual planning and the overall time will be determined by staff availability, complexity and logistics, but two to four months between the scoping meeting and production of the final report is typical. The auditors will be working to deliver reports to a timetabled meeting of the Audit Committee (and preceding meetings of PSEG and UEB), so your work with them should be prioritised to ensure this doesn’t slip.
The audit partner’s typical working practice
Internal audits are generally conducted remotely, and this will be the audit team’s presumption. However, if there are any elements of the process which you think would benefit from being done face to face, raise this with the audit team who will be happy to accommodate this as needed.
Impact on normal business operations
The auditors will need to meet with relevant staff for planning and interviewing purposes, but will look to accommodate any peaks of workload in an area or time constraints staff may have. Through discussion of the draft Annual Plan at UEB and PSEG, senior staff should be aware of audits relevant to their area and should brief others who need to know. Fundamentally, the internal audit process is an operational requirement: it should be planned for, should not unduly disrupt work, and should be regarded as one element of continuous improvement to the University’s policies, systems and services.
Audit Committee
Details of the University’s Audit Committee, its terms of reference and membership can be found on the Council sub-committee page.