The University of Exeter
Annual Internal Audit Plan 2015-16
Proposed final for Audit Committee meeting
October 2015
CONTENTS
1. Background (page 3)
2. Approach to Audit Planning (page 5)
3. Internal Audit Approach (page 6)
4. Annual Plan 2015-16 (page 7)
5. Three year coverage summary 2014-17 (page 12)
Appendix 1 - Internal Audit Charter (page 16)
Restrictions of use
The matters raised in this report are only those which came to our attention during the course of our audit and are not necessarily a comprehensive statement of all the
weaknesses that exist or all improvements that might be made. The report has been prepared solely for the management of the organisation and should not be quoted in
whole or in part without our prior written consent. BDO LLP neither owes nor accepts any duty to any third party whether in contract or in tort and shall not be liable, in
respect of any loss, damage or expense which is caused by their reliance on this report.
University of Exeter – 2015/16 Internal Audit Plan – October 2015
Page 2
1. BACKGROUND
Introduction
BDO LLP (BDO) were appointed as internal auditors to the University of Exeter
from 1 August 2014. In order to deliver a soundly based programme of audit
coverage and to comply with the requirements of Accountability and Audit:
HEFCE Code of Practice, an Internal Audit Strategy will be prepared for
consideration and approval by the University’s Audit Committee.
The purpose of this paper is to set out our updated Internal Audit Annual Plan for
the second year of the Strategy period, 2015-16, following consideration by the Audit
Committee of an earlier draft at its meeting of 12th June 2015. To this end, this
paper sets out the following:
• Our scope and responsibilities
• The approach to internal audit planning
• The draft annual internal audit plan
• A summary of audit work delivered and planned across the period 2014-17
At the Audit Committee meeting on 12th June 2015 a draft of an updated Internal
Audit Annual Plan for the second year of the Strategy period, 2015-16, was presented
for consideration.
Following that meeting we have incorporated comments raised by committee
members and PSMG and VCEG and we are presenting the 2015-16 plan for
approval at the 2nd October meeting of Audit Committee.
The proposed plan for 2015/16 has been prepared through rolling forward the
planned areas for audit for our second year, as described within the approved
Strategic Audit Plan; modified to consider the impact from work undertaken in
2014/15, discussion with management as outlined above, and the nature and
scale of the University’s transformation and change agenda.
The internal audit year runs from August to July each year, in line with the
University’s financial year.
Scope and responsibilities
Internal audit is an independent, objective assurance and consulting activity
designed to add value and improve an organisation’s operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined
approach to evaluate and improve the effectiveness of risk management, control
and governance processes.
The HEFCE Code of Practice describes the prime responsibility of the internal
audit service as providing the governing body, the designated officer and the
other managers of the HEI with assurance on the adequacy and effectiveness of
risk management, control and governance arrangements.
Responsibility for these arrangements remains fully with management, who
should recognise that internal audit can only provide ‘reasonable assurance’ and
cannot provide any guarantee against material errors, loss or fraud. Internal
audit also plays a valuable role in helping management to improve risk
management, control and governance, so reducing the effects of any significant
risks faced by the HEI.
In accordance with the Code of Practice, internal audit can also provide
independent and objective consultancy advice specifically to help management
improve risk management, control and governance, so contributing to the
achievement of corporate objectives. Such advisory work contributes to the
opinion which internal audit provides on risk management, control and
governance.
The scope of the internal audit service includes the whole of the University’s risk
management, control and governance arrangements, including all its operations,
resources, staff, services and responsibilities for other bodies.
It should cover all activities associated with the University, including those not
funded by HEFCE. For example, it should consider controls that protect the
University in its dealings with any subsidiary or associated company or student
union, or any other activity in which the HEI has an interest.
It is not internal audit’s role to question policy objectives, but to consider the
effects of and risks arising from policy, how policy objectives have been
determined and the means for delivering those objectives.
The establishment and maintenance of effective risk management, control and
governance arrangements is the responsibility of management.
Internal audit may also assess the adequacy of the arrangements to prevent and
detect irregularities, fraud and corruption. However, the primary responsibility
for preventing and detecting corruption, fraud and irregularities rests with
management who should institute adequate systems of internal control,
including clear objectives, segregation of duties and proper authorisation
procedures.
2. APPROACH TO AUDIT PLANNING
General approach to planning
We develop internal audit strategies that provide you with an objective evaluation of, and opinions on, the effectiveness of your risk management,
control and governance arrangements. We tailor our internal audit plan to meet your specific audit needs by understanding your strategic objectives
and using our knowledge of risk, along with your risk analysis to develop a balanced plan.
The audit plan is reviewed with you throughout the year to ensure that it remains comprehensive and relevant.
We outline below the main points we cover in the planning phase.
What are the University’s objectives?
• Review of strategic business plans and related documentation.
• Discussion with senior managers.

What are the key risks that will prevent you achieving your objectives?
• Review of risk registers.
• Auditor knowledge of comparable organisations.
• Discussions with management and staff.

What are your fundamental business processes?
• Identify the fundamental business processes in place that support the delivery of your strategic objectives.
• Establish the risks associated with failure of these key processes.

What is the most effective way of providing assurance?
• Agree immediate and future priorities for review.
• Establish the necessary resource requirements.
• Agree balance between risk-based and core audit work.

PRODUCTION AND AGREEMENT OF THE INTERNAL AUDIT PLAN
3. INTERNAL AUDIT APPROACH

Internal audit assignment approach
We will meet with nominated lead officer(s) responsible for the area being
reviewed prior to the commencement of each assignment. The detailed scope of
the review will be discussed and management will be given the opportunity to
provide comments and feedback to ensure a shared understanding of the focus of
the audit.
We shall then identify and evaluate the design and effectiveness of the controls
currently in place in the area under review. At the conclusion of each assignment
we will produce a report that will formally conclude on the effectiveness of the
control environment under review, making recommendations for improvement
where it is considered to be inadequate. We will also report where controls are
disproportionate, excessive or duplicated with a view to improving the efficiency
of the processes under review.
We shall agree an action plan with management to ensure that recommendations
are addressed by the appropriate member(s) of staff within an appropriate
timescale. We accept that on occasion the University may choose not to
implement a recommendation and accept the related risk.

Monitoring and reporting
A report, presented in an agreed standard format, will be issued for each audit
undertaken. Recommendations made as a result of each audit will be given a
significance rating of high, medium or low. We will also give separate opinions
on the level of assurance we are able to provide on the design of the overall
system of internal control and the effectiveness of the controls reviewed in the
area assessed.
Reports will be issued in draft format to management for comment and to enable
management to identify responsible officers and dates for completion of the
implementation of each recommendation.
Proposed management responses to our reports will be reviewed by the senior
management team before being finalised for inclusion in Audit Committee
papers.
The Audit Committee will also receive copies of audit reports of the Internal
Audit work undertaken, which will include a list of the recommendations made.
At each Audit Committee meeting (and at interim points if necessary) we shall
provide a summary of all audit work carried out in the year, recommendations
made and progress with their implementation.
We will provide regular reports of progress against the agreed plan to the Audit
Committee, as well as an annual report on internal audit coverage, accompanied
by an opinion statement on internal control, risk management, governance and
value for money.
On an annual basis we will give an overall opinion on the control environment in
place within the University.
4. ANNUAL PLAN 2015-16
For each audit area the plan gives the proposed days, an outline scope, the proposed delivery month, the Audit Committee meeting to which the report will go, and the senior management lead.

Financial and business systems

Key financial controls (7 days)
Outline scope: Focused review of aspects of the University's core financial processes including key transactional systems, main ledger system driving financial management and reporting. Areas for inclusion on a rolling basis to include tuition fee income, non-tuition fee income, accounts payable, treasury management and investments, ledger management.
Proposed delivery month: January 2016. To Audit Committee: February 2016.
Senior management lead: Chief Financial Officer

Budgetary Control (8 days)
Outline scope: We propose to assess the framework for budget setting, profiling, budget management and accountability, and financial reporting.
Proposed delivery month: March 2016. To Audit Committee: June 2016.
Senior management lead: Chief Financial Officer

Data Quality - SLC (5 days)
Outline scope: The Audit Committee is required to assure itself and report annually on the quality of data. A new requirement, with effect from the August 2014 ‘Memorandum of assurance and accountability between HEFCE and institutions’, relates to assurance on data submitted to the Student Loans Company, and we propose to review controls in this area in 2015/16.
Proposed delivery month: January 2016. To Audit Committee: February 2016.
Senior management lead: Chief Financial Officer
Governance, leadership and management

Risk Management (7 days)
Outline scope: Annual review of the integrity and reliability of the University’s risk management framework, including risk identification, mitigation and reporting processes for Corporate, College and Professional Services risks.
Proposed delivery month: April 2016. To Audit Committee: June 2016.
Senior management lead: Chief Operating Officer

Future Finance (10 days)
Outline scope: The Future Finance project has been tasked with delivering transformational change through a new finance operating model within a single finance ‘family’ regardless of which University organisational unit staff are physically sited in and an optimised suite of financial systems with automatic interfacing and a new finance system at its core. We will look to assess project implementation and governance arrangements as the project moves into a key delivery phase.
Proposed delivery month: March 2016. To Audit Committee: June 2016.
Senior management lead: Chief Financial Officer

Transformation Programme (13 days)
Outline scope: Through consultation with the COO and Transformation Project Director we will review key risks relating to the professional services transformation, as new structures and ways of working begin to be implemented.
Proposed delivery month: December 2015. To Audit Committee: February 2016.
Senior management lead: Chief Operating Officer

Voluntary Severance Scheme (5 days)
Outline scope: Deferred from 2014/15. A review to provide independent assurance over the management of risks within the VSS programme undertaken in 2014/15.
Proposed delivery month: October 2015. To Audit Committee: February 2016.
Senior management lead: Chief Operating Officer

Business Continuity (8 days)
Outline scope: A review of cross-University business continuity and contingency and incident planning arrangements in place.
Proposed delivery month: April 2016. To Audit Committee: June 2016.
Senior management lead: Chief Operating Officer
Core activities

Student Experience (7 days)
Outline scope: We propose to review the University processes for capturing feedback from students and for identifying enhancements and actions to improve the student experience whilst at the University.
Proposed delivery month: September 2015. To Audit Committee: November 2015.
Senior management lead: Director of Academic Services and Deputy Chief Operating Officer

Research Planning and Income Projections (10 days)
Outline scope: We will review the process in place for development of the research strategy and how this translates into targeted research applications and income budgets. We will review the processes in place for oversight and management of the research portfolio for the University as a whole and at College level.
Proposed delivery month: September 2015. To Audit Committee: February 2016.
Senior management lead: DVC (Research and Knowledge Transfer)

Academic Colleges (16 days)
Outline scope: We will continue the rolling programme of cross cutting reviews to consider risk management, internal control processes, procedures and systems within two Colleges each year. In 2015/16 we will audit CEMPS and CLES.
Proposed delivery month: April 2016. To Audit Committee: June 2016.
Senior management lead: DVC (Education)

Infrastructure – Space Management (8 days)
Outline scope: Review of the University’s space management and planning arrangements, including the categorisation of teaching and office space, bookable and non-bookable space and space ownership. We will also assess the effectiveness of the University's process for measuring space utilisation.
Proposed delivery month: October 2015. To Audit Committee: February 2016.
Senior management lead: Chief Operating Officer
Core activities (continued)

Business Engagement/Commercial relationships (8 days)
Outline scope: A review of the extent to which links with businesses are captured, assessed and exploited; with focus on ensuring the University understands the risks before entering into any relationship.
Proposed delivery month: October 2015. To Audit Committee: February 2016.
Senior management lead: Director of Communications and Corporate Affairs

Recommendation Follow up (12 days)
Outline scope: A key part of internal audit’s work is to independently confirm that recommendations accepted by management have been implemented. We will work with the University to follow up on previously agreed recommendations bi-annually to provide assurance that control improvements have been effected.
Proposed delivery months: November 2015 and July 2016. To Audit Committee: February 2016 and October 2016.
Senior management lead: All
Estates infrastructure and services

Estates Strategy & Capital programme (12 days)
Outline scope: A review of controls operating to ensure that the University’s capital programme is operating with effective arrangements for procurement, contract management and monitoring, and contractor performance assessment.
Proposed delivery month: September 2015. To Audit Committee: November 2015.
Senior management lead: Chief Operating Officer

ICT assurance

IT Strategy, IT service delivery (7 days)
Outline scope: Review of the framework for the planning and delivery of the One Exeter IT work stream within professional services transformation.
Proposed delivery month: December 2015. To Audit Committee: February 2016.
Senior management lead: CIO

IT system resilience and disaster recovery (7 days)
Outline scope: We propose to consider the resilience of the University’s ICT infrastructure including the adequacy of measures in relation to system and network security.
Proposed delivery month: February 2016. To Audit Committee: June 2016.
Senior management lead: CIO

Human Resources

Recruitment and retention, reward and recognition, training and development, performance management and staff engagement (14 days)
Outline scope: A review of the University’s workforce management and performance management framework, including people development and recognition processes and performance management and assessment.
Proposed delivery month: October 2015. To Audit Committee: February 2016.
Senior management lead: Chief Operating Officer

Management, planning, reporting and liaison: 16 days
Annual Total: 180 days
5. THREE YEAR COVERAGE SUMMARY 2014-17
Internal audit strategy 2014 - 2017
Outlined below is a summary of audit work delivered and planned across 2014-17, which is shown on the following pages in full, to show the mix of audit work
between the key areas of coverage.

Area | 2014/15 Actual | 2015/16 Proposed | 2016/17 Proposed
Financial and business systems | 38 | 20 | 28
Governance, leadership and management | 23 | 43 | 33
Core Activities | 49 | 61 | 38
Estates infrastructure and services | 16 | 12 | 29
ICT assurance | 6 | 14 | 8
Human resources | 0 | 14 | 8
Total audit days – assignment delivery | 132 | 164 | 144
Planning, liaison, committee attendance and reporting | 18 | 16 | 16
Total days | 150 | 180 | 160
5. THREE YEAR COVERAGE SUMMARY 2014-17
Audit areas covered within each category, with total days shown as 2014/15 actual / 2015/16 proposed / 2016/17 proposed.

Financial and business systems (total days 38 / 20 / 28)
• Key financial controls
• Budgetary control
• Payroll and expenses
• Cash Handling
• Taxable Benefits – P11Ds
• Data quality

Governance, leadership and management (total days 28 / 43 / 33)
• Corporate Governance
• Corporate Planning
• Risk management
• Fraud resilience, Anti-Bribery, Anti-Money Laundering
• Future Finance
• Conflicts of interest and additional payments
• Transformation Programme
• Voluntary Severance Scheme
• KPI Reporting
• Business continuity
• Committee Review

Core Activities (total days 48 / 61 / 38)
• Student experience
• Research Applications, Awards and Administration
• Research Planning and Income Projections
• Research Governance
• Academic Colleges
• Student Number Planning & Recruitment Monitoring
• Research Institutes
• Infrastructure – Space Management
• Business Engagement/Commercial relationships
• Workload Planning - SWARM
• Teaching Quality
• Recommendation Follow Up

Estates infrastructure and services (total days 16 / 12 / 29)
• Estates Strategy & Capital programme
• Student accommodation / UUK Code of Practice compliance
• Waste Management
• Facilities including: Conferences and lettings, Catering services
• Sport and recreation
• Contract Management
• Leases with third parties
• Fundraising
• Communication, marketing and brand awareness
• Procurement, Project Management and Tendering

ICT assurance (total days 6 / 14 / 8)
• IT Strategy, IT service delivery
• Project management, system developments and implementation
• IT system and asset security, information security
• IT system resilience and disaster recovery

HR (total days 0 / 14 / 8)
• Recruitment and retention, reward and recognition, Training and development, performance management and staff engagement
• Legislation and codes of practice / personnel policies and procedures
• Absence management
• Health and Safety

Planning, liaison, management, committee attendance and reporting: 17 / 16 / 16
TOTAL AUDIT DAYS: 153 / 175 / 160
APPENDIX I
Internal audit charter

Purpose of this Charter
This Charter formally defines internal audit’s purpose, authority and
responsibility. It establishes internal audit’s position within the University
of Exeter and defines the scope of internal audit activities.

Internal audit’s authority
The Head of Internal Audit and internal audit staff are authorised to:
• Have unrestricted access to all of the University’s records, property, and personnel relevant to the performance of engagements
• Obtain the necessary assistance of the University’s personnel in relevant engagements, as well as other specialised services from within or outside the University.

Internal audit’s purpose
Internal audit provides an independent, objective assurance and consulting
activity designed to add value and improve the University’s operations. It
helps the organisation accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes.
Internal audit acts primarily to provide the Audit Committee with
information necessary for it to fulfil its own responsibilities and duties.
Implicit in internal audit’s role is that it supports the University’s
management to fulfil its own risk, control and compliance responsibilities.
Internal audit has no authority or management responsibility for any of its
engagement subjects.
Internal audit will not make any management decisions or engage in any
activity which could reasonably be construed to compromise its
independence.

Internal Audit’s Responsibility
The Head of Internal Audit is responsible for all aspects of internal audit
activity, including strategy, planning, performance, and reporting.
The Head of Internal Audit will:

Strategy
• Develop and maintain an Internal Audit Strategy
• Review the Internal Audit Strategy at least annually with management and the Audit Committee.
Planning
• Develop and maintain an Internal Audit Plan to fulfil the requirements of this Charter and the Internal Audit Strategy
• Engage with management and consider the University’s strategic and operational objectives and related risks in the development of the Internal Audit Plan
• Review the Internal Audit Plan periodically with management
• Present the Internal Audit Plan, including updates, to the Audit Committee for periodic review and approval
• Prepare an internal audit budget sufficient to fulfil the requirements of this Charter, the Internal Audit Strategy, and the Internal Audit Plan
• Submit the internal audit budget to the Audit Committee for review and approval annually
• Coordinate with and provide oversight of other control and monitoring functions, including risk management, compliance and ethics, and external audit
• Consider the scope of work of the external auditors for the purpose of providing optimal audit coverage to the University.

Reporting
• Issue a report to management at the conclusion of each engagement to confirm the results of the engagement and the timetable for the completion of management actions to be taken
• Provide periodic reports to management and the Audit Committee summarising internal audit activities and the results of internal audit engagements
• Provide periodic reports to management and the Audit Committee on the status of management actions taken in response to internal audit engagements
• Report annually to the Audit Committee and management on internal audit performance against goals and objectives
• Report as needed to the Audit Committee on management, resource, or budgetary impediments to the fulfilment of this Charter, the Internal Audit Strategy, or the Internal Audit Plan
• Inform the Audit Committee of emerging trends and practices in internal auditing.

Performance
• Implement the Internal Audit Plan
• Maintain professional resources with sufficient knowledge, skills and experience to meet the requirements of this Charter, the Internal Audit Strategy and the Internal Audit Plan
• Allocate and manage resources to accomplish internal audit engagement objectives
• Establish and maintain appropriate internal auditing procedures incorporating best practice approaches and techniques
• Monitor delivery of the Internal Audit Plan against the budget
• Ensure the ongoing effectiveness of internal audit activities.
Independence and internal audit’s position within the University
To provide for internal audit’s independence, its personnel and external
partners report to the Head of Internal Audit, who reports functionally to
the Audit Committee. The Head of Internal Audit has free and full access to
the Chair of the Audit Committee.
The Head of Internal Audit reports administratively to the Chief Financial
Officer, who provides day-to-day oversight.
The appointment or removal of the Head of Internal Audit will be
performed in accordance with established procedures and subject to the
approval of the Chair of the Audit Committee.
The internal audit service will have an impartial, unbiased attitude and will
avoid conflicts of interest.
If the independence or objectivity of the internal audit service is impaired,
details of the impairment should be disclosed to either the Vice-Chancellor
or the Chair of the Audit Committee, dependent upon the nature of the
impairment.
The internal audit service is not authorised to perform any operational
duties for the University; initiate or approve accounting transactions
external to the internal audit service; or direct the activities of any
University employee not employed by the internal audit service, except
to the extent such employees have been appropriately assigned to service
or to otherwise assist the internal auditor.

Internal audit’s scope
The scope of internal audit activities includes all activities conducted by
the University. The Internal Audit Plan identifies those activities that have
been identified as the subject of specific internal audit engagements.
Assurance engagements involve the objective assessment of evidence to
provide an independent opinion or conclusions regarding an entity,
operation, function, process, system or other subject matter. The nature
and scope of the assurance engagement are determined by internal audit.
Consulting engagements are advisory in nature and are generally performed
at the specific request of management. The nature and scope of a consulting
engagement are subject to agreement with management. When performing
consulting services, internal audit should maintain objectivity and not
assume management responsibility.

Standards of internal audit practice
Internal audit will perform its work in accordance with the International
Professional Practices Framework of the Chartered Institute of Internal
Auditors. This Charter is a fundamental requirement of the Framework.

Approval and validity of this Charter
This charter shall be reviewed and approved annually by management and
by the Audit Committee on behalf of the Board of Governors of the
University.
BDO LLP, a UK limited liability partnership registered in England and Wales under number OC305127, is a member of BDO
International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent
member firms. A list of members' names is open to inspection at our registered office, 55 Baker Street, London W1U 7EU. BDO
LLP is authorised and regulated by the Financial Conduct Authority to conduct investment business.
BDO is the brand name of the BDO network and for each of the BDO Member Firms.
BDO Northern Ireland, a partnership formed in and under the laws of Northern Ireland, is licensed to operate within the
international BDO network of independent member firms.
Copyright ©2015 BDO LLP. All rights reserved.
www.bdo.co.uk