The Internal Audit Process

Role of the Internal Auditors

The aim of the internal audit function is to provide the University’s Council and the President and Vice Chancellor and other senior managers with assurance on the adequacy and effectiveness of the University’s arrangements for:

  • Risk management
  • Control
  • Governance

The internal audit function provides a judgement on reasonable assurance; the responsibilities for control, risk management and governance in the University lie with the University’s management.

Whilst the role of Internal Audit is simply to review the arrangements that the University has put in place to provide the necessary assurance, the internal auditors do have a role in assisting management to improve risk management.
In addition, the internal audit function also has a role in providing HEFCE with the required assurance in the specific areas of:

  • data returns to HESA; and
  • the University’s ‘value for money’ arrangements.

The internal auditors report to Audit Committee and they are the principal tool of Audit Committee.

Summary of the process

The annual internal audit plan is determined by the University following consultation with senior lay and executive officers. Audit reviews take approximately 10 to 12 days, including a 4 to 5 day on-site audit, and provide a written report with recommended actions to be followed up. Before the reports are finalised, the University management are invited to comment on each individual recommendation, either accepting it or rejecting it. Where a recommendation is accepted the Department/Division must identify a responsible officer and indicate a date by which the recommendation will be implemented. This date represents a ‘contract’ to provide Audit Committee with assurance that identified issues will be addressed in a timely fashion and care should therefore be taken in the initial management response to ensure that implementation dates are in fact achievable. In the rare cases where an audit recommendation is rejected, a process of negotiation with the internal auditors is required to justify the rejection to the auditors’ satisfaction. In any dispute the Registrar and Secretary will determine the position to be taken by the University.

Audit Timeline

Internal Audit planning is based on an annual cycle that runs in line with each academic year. Each Internal Audit cycle will cover all key activities of the institution at least once and some areas that are considered to be high risk or high priority are often covered more than once. Each summer the Internal Auditors agree with management the annual audit plan for the coming academic year identifying the areas for review, taking cognizance of the risk register.

The Annual Audit Plan identifies around 12 specific areas of the University to be audited over the coming year. It also includes provision for a follow up audit of the previous year’s audits. The plan is ultimately approved by Audit Committee. Colleges and Corporate Services are provided with a copy of the plan at the start of the academic year.
Most audits follow a fairly well-established pattern that consists of:

  • Planning
  • Fieldwork
  • Reporting
  • Follow-up

The step-by-step guide below identifies the stages of an audit and highlights the areas in which staff should become involved in the process.

Staff involvement is crucial at each of the four stages identified above. Audits should not be viewed as something that “happens to” a section or service but a process in which staff have a significant input and influence, and which can help them to improve their operations.

Stage one: Planning

Step 1 – Preliminary audit meeting between internal auditors and Head of Department/Division

Purpose – Agree terms of reference for the audit (Can be agreed by exchange of emails)

Follow Up - Agreed terms of reference written up by the internal auditors and supplied to the University at least 2 weeks prior to the commencement of the audit.

Near the start of the audit the Internal Auditors will arrange a meeting with appropriate staff to discuss the scope and objectives of the audit. The input of those staff at this stage is important as it helps establish areas of risk that should be included in the scope of the work. This is also an opportunity for staff to raise any issues or areas of special concern that could be covered as part of the audit. In this meeting, the Internal Auditors establish information about the area being reviewed - this typically includes personnel, finance and other relevant information, including the unit’s strategic objectives and a discussion of the risks on the local risk register. This information is used to help determine the possible risks that exist which may affect the achievement of objectives and how best these can be managed through the use of internal controls.

At this point it will be necessary to identify staff who can assist the Internal Auditors in their work and any information to which they are likely to need access. A nominated audit contact is a useful way of managing the audit jointly so that issues can be raised and cleared on an on-going basis as the audit progresses.

The information gained from the initial planning meeting is used in conjunction with other relevant information about the unit in order to obtain a general overview of operations. This may include information on budgets and strategic plans as well as past audit reports. There are certain risks that will always be reviewed to ensure that they are being adequately controlled and managed - these include financial transactions, local risk management, business continuity planning and data assurance processes.

This information is then used to make a preliminary assessment of the risks and controls for the unit. The internal auditors use this preparatory work to produce an Audit Programme – this is an internal document that specifies detailed work that needs to be undertaken as part of the fieldwork.

Stage two: Fieldwork
Step 2. Audit takes place – typically takes approximately 10 to 12 days, including a 4 to 5 day on-site audit.

The auditors’ fieldwork concentrates on determining how well a unit is managing the risks identified at the planning stage and what controls are operating to help them do this. This can take a variety of forms that includes interviews and detailed testing / analysis of documents or transactions. Where the auditors request information during the fieldwork stage of an audit, Departments / Divisions are required to provide this within the time envelope specified for that field work and not send it to the auditors at a later date.

Step 3. Audit exit meeting – Following the conclusion of the audit, the audit findings will be discussed with the nominated audit contact and a clear indication will be given of the main points to be included in the draft report.

Once the fieldwork stage has been completed, the auditors will usually have a list of significant findings that will be used to prepare a draft audit report. However, prior to this the auditors will usually hold an Audit exit meeting to discuss any key issues with the nominated audit contact before completion of the fieldwork. The University encourages this aspect of the audit as the nominated contact can offer insights and work with the auditors to determine the best method of resolving any issues that arise. Usually these communications are oral. However, sometimes, they are written in order to ensure full understanding (i.e. the draft audit report should hold no surprises).

Stage three: Reporting
Step 4. Publication of the Draft Audit Report – Within 4 weeks of the audit exit meeting, the internal auditors will issue the draft audit report to the relevant Head of Department / Division and the Head of Financial Accounting and Treasury.

Once the fieldwork is completed, the auditors draft a report. A feedback meeting may be held with the unit being audited to discuss the audit findings, conclusions, and recommendations – the unit will be asked to provide comments on the findings and reach an agreement on any recommendations identified – before the formal draft report is produced.

The report will include an overall assurance rating and individual recommendations will include a rationale for the recommendation that is being made, together with a statement of the risk that has been identified. Recommendations will also be allocated a priority rating defined as follows:

 Recommendation Priorities

Step 5. Recommendation Action Plan – to be drafted by the Head of Department / Division for each audit recommendation within TWO weeks.

A Recommendation Action Plan for each recommendation in the report is required within two weeks of receiving the draft report and action plan. This timescale prevents the audit process from becoming unnecessarily protracted. The Action Plan will be included in the final audit report.

The Action Plan must include:

a. The management response to the audit recommendation

This should set out the specific action to be taken in addressing the audit recommendation

b. The Responsible Officer (and where appropriate the Actioning Officer)

Whilst the action to be taken in response to an audit recommendation may be delegated to an operational manager within a Department / Division, the Head of Department / Division remains the Responsible Officer, who must take responsibility for ensuring that recommendations are implemented within the agreed timeframe.

c. The date by which the action to be taken in response to the recommendation will be completed.

The action should be taken in a timely manner but the completion date must be realistically achievable. Any subsequent request for an extension to the timeframe will require a written justification, and will be subject to approval by the Registrar & Secretary / Audit Committee.

The completed Action Plan should be sent to the Head of Financial Accounting and Treasury within 2 weeks of receipt of the Draft Audit Report.

Any areas where the Department/Division disputes the findings of the auditors must be identified and queried with the auditors at this stage. (Both the HoD and Head of Financial Accounting and Treasury to be involved in this process).

In the rare cases where the Department/Division considers that the appropriate management response is to reject an audit recommendation, a process of negotiation with the internal auditors is required to justify the rejection to the auditors’ satisfaction. Such negotiations should involve the Head of Financial Accounting and Treasury at the outset. If the rejection cannot be justified to the auditors’ satisfaction the Registrar and Secretary will determine the position to be taken by the University.

Step 6. Local audit management meeting between Head of Department/Division and Head of Financial Accounting and Treasury

Recommendation Action Plans will be reviewed to ensure overall consistency of compliance and ensure that implementation dates are realistic and centrally acceptable (can be by exchange of emails).

Agreed Action Plans are then sent to the Internal Auditors for inclusion in the final report.

Step 7. Final Audit Report Issued
• The final audit report, including the agreed action plans to be produced within 10 days of receipt of the action plans by the internal auditors 
• The final audit report goes to the next available meeting of Audit Committee

Once the final report is prepared, copies are supplied to the nominated contact in the unit and to the Director of Finance. The University’s Audit Committee also receives summary reports of work for each audit undertaken, and a copy of the completed action plan.

If an audit report reveals matters of significant concern the Director of Finance will arrange for a copy to be sent to the University Leadership Team (ULT) to discuss the contents, together with the senior member (or members) of staff from the area that has been audited, if appropriate. At this meeting the implications of the audit findings will be reviewed and the adequacy of the management response considered. A written note will be produced summarising the agreed action for each audit recommendation, the person responsible for implementation and the deadline for such action.

Where the outcome of an audit report is “no assurance” or “partial assurance” then the full audit report, including the action plan and, where relevant, the notes of the outcome of the meeting with ULT will be sent to the next meeting of Audit Committee for consideration. The internal auditors will introduce their report to the Committee and outline their views on the audit findings, recommendations and management action plans. In cases where the audit findings are of particular concern (priority high ranking) or where a significant number of recommendations has been made, the Director of Finance may request the relevant Head of College, Director of Corporate Service etc. to attend the Audit Committee meeting to discuss the contents of the audit report, the recommendations made, and the commitment needed to address the action plan.

Where the audit outcome results in “significant assurance”, the executive summary from the auditors’ report is sent to the Audit Committee together with a summary list of the recommendations showing a description of the recommendations, the priority rating, the responsibility for action (i.e. post-holder) and approved timescale for action. In these cases there is no presentation by the internal auditors of the contents or related discussion; specific questions may however be addressed to the auditors or University management by Committee members.

Stage four: Follow-up

Clearly, the most critical aspect of “follow up” after an audit is the implementation and delivery of any remedial actions and improvement work identified within the audit report. Due consideration should be given to the priority level attached to the recommendations in the audit report and the timescales for action to which the University is committed. The Director of Finance will ensure that a register of actions and dates of implementation is maintained and seek regular confirmation of timely implementation. In the event of inaction the matter may be elevated to ULT.

Step 8. Progress Reports
The Finance Division undertakes an on-going exercise, monitoring the status of individual recommendations and will request regular progress updates from the nominated responsible officer. These progress reports are reported to each meeting of Audit Committee.


Progress reports will have one of 4 levels of status

PROVISIONALLY COMPLETED – the department/division believes that it has implemented the recommendation (signing off by the Head of Department / Division). Evidence of completion will be required to be sent to the Head of Financial Accounting and Treasury.

IN PROGRESS – within the agreed timeframe for implementation of the recommendation and on schedule to meet the agreed implementation date. No written update required. If during this period it becomes apparent that implementation is slipping, Audit Committee will require a written explanation of the current status of the recommendation to be supplied to the Head of Financial Accounting and Treasury for discussion with the Registrar and Secretary.

IN PROGRESS BUT OVERDUE – beyond the agreed implementation date and not yet implemented. Requires a written explanation of the current status to be supplied to the DDF for discussion with the Registrar and Secretary.

NOT AGREED / SUPERSEDED – In exceptional circumstances there may be cases where a recommendation is better implemented through a wider project which has arisen after the initial drafting of the management response. In these cases, agreement is required from the Registrar and Secretary and a written explanation for the delay must be provided so that Audit Committee can consider granting a variation to the established ‘contract’.

Step 9. Follow Up Review – The internal auditors will carry out a follow up review within 12 months of the initial audit. The aim of this is to be a signing off process whereby the status of recommendations can be changed from Provisionally Completed to Completed and therefore it is the expectation that all recommendations will be implemented before the follow up review is undertaken.

Each year the auditors select a sample of previous audits for a follow-up review. The purpose of the reviews is to check progress on the recommendations made from the last audit. During these reviews the completed action plan is used as a basis for the work to be undertaken and to examine the progress on the agreed recommendations.

The reporting process for follow-up work follows a similar pattern to that of the routine reporting processes and units have the opportunity to respond to the audit findings prior to issue of the final report.

