Prescription Pricing Authority


Durham University
Business Assurance Service
Annual Assurance Plan 2009-10
Date: 25 June 2009
This report is CONFIDENTIAL and its circulation and use are RESTRICTED
Distribution
UEC sponsor
Prof C Higgins, Vice Chancellor
Process owner
UEC
Copy to
Audit Committee*
External Audit*
Mrs C Fowler, Registrar
Mrs P Lubacz, Treasurer
* Final only
Version 1.1
4-6-09
Contents
Executive Summary
Introduction and Background
Annual Assurance Plan
Accountability Framework
Annual Audit Needs Assessment Methodology
Components of the Assurance Plan
Delivery of the Assurance Plan
Appendices
1 – HE Sector Accountability Framework
2 – Annual Assurance Plan 2009-10
3 – Strategic Assurance Plan 2006-2010
4 – Reporting and Delivery Protocol and PIs
5 – Business Assurance Balanced Scorecard
This Report is CONFIDENTIAL and its circulation and use are RESTRICTED.
© 2009 University of Durham. All rights reserved. Printed in the United Kingdom.
Introduction and Background
Annual Assurance Plan 2009-10
This Annual Assurance Plan 2009-10 is designed to achieve the following objectives:
• To meet the University’s requirements for audit provision as set out in the Financial Memorandum
between the HEFCE and Institutions (June 2008) in its Accountability and Audit Code of Practice.
• To provide the University with an independent opinion of unquestionable quality over its
arrangements for risk management, control, governance and the achievement of value for money.
• To document the Business Assurance Service’s planned internal audit provision for the academic
year 2009-10 complying with professional standards as set out and promulgated by the Institute of
Internal Auditors (as prescribed by the HEFCE).
• To set performance standards and protocols to be applied by the University’s Business
Assurance Service in the delivery of the annual assurance plan.
• To provide the users of the University’s Business Assurance Service, the University’s Audit
Committee and University management, with a reference guide to the work of the Business
Assurance Service during 2009-10. This document is also intended to make the work of the
Service transparent and open to wider review and scrutiny.
This plan should be read in conjunction with the University’s Strategic Assurance Plan 2006-07 to
2009-10. The strategy puts the annual plan in context and explains in more detail the basis for the
selection of reviews. It also sets out in detail the risk based methodology used to
establish the plan.
University’s strategy
The University’s purpose, mission and values are expressed in the University’s Strategic Plan
2005-10. This strategy is currently being revised with a new strategy to be approved at the July
2009 meeting of Council. The University’s purpose is:
Creating the future through internationally recognised research, scholarship and learning within a
distinctive collegiate environment.
This supports the mission:
We will be internationally recognised as a world class research university. We will build the
research strength necessary to become world leaders in selected subject areas. We will work to
enhance the distinctive student experience we offer to all our students, while diversifying our
student body. We will enhance our international profile, while remaining mindful of our important
contribution to the North East region. We will achieve this in a sustainable manner which secures
our future development.
It is the intention of the Business Assurance Service, through linking its work to the University’s risk
register, itself linked to the University’s strategic aims and objectives, to assist the University to
achieve its objectives.
Annual Assurance Plan
Structure of this assurance plan
This assurance plan is designed to set out the planned assurance work to be undertaken by the
University’s Business Assurance Service during 2009-10. Specifically it is designed to:
• Explain the underlying basis for the annual assurance plan.
• Explain the process and factors used to undertake an annual audit needs assessment.
• Set out the key components of the annual assurance plan.
• Identify the allocation of resource to the plan over the 2009-10 audit period.
• Identify specific reviews planned over the period.
• Set out agreed performance indicators for the Business Assurance Service.
• Explain the framework of reporting and risk assessment to be used by the Service.
Key outputs of the annual assurance plan
The annual assurance plan is designed, ultimately, to provide sufficient evidence for the Head of
Business Assurance to ‘submit to the University’s Accounting Officer (the Vice Chancellor) annually
his professional opinion on the adequacy and effectiveness of the University’s risk management,
control and governance processes and arrangements for the promotion of economy, efficiency and
effectiveness’ (HEFCE Circular 19-2008, Model Financial Memorandum between HEFCE and the
institutions). This assurance plan is designed to meet both the University’s and the Accounting
Officer’s duties in respect of the accountability requirements placed on the University. It is also
designed to assist and monitor the University’s progress against its mission and its strategic goals
and objectives.
Wider activities of the Business Assurance Service
The University, through opting to have an in-house assurance service, has more scope and ability
to use its Business Assurance Service to undertake wider organisational development activity. This
activity, whilst notified to the University’s Audit Committee, may not result in formal reports or outputs
and may take the form of ‘consultancy’ within the terms recognised by the IIA:
Advisory and related client service activities, the nature and scope of which are agreed with the
client, are intended to add value and improve an organisation’s governance, risk management and
control processes without the internal auditor assuming management responsibility. Examples
include counsel, advice, facilitation and training.
(Definition of Internal Auditing, Code of Ethics, International Standards for the Professional Practice of Internal
Auditing, January 2009)
This activity under the definition applied by the IIA does, however, contribute to the Head of
Service’s annual opinion, outlined above.
[Figure: Compliance; Process improvement / VFM; Risk management; Before, During, After]
Accountability Framework
University’s accountability arrangements
The HE sector, in line with wider public sector developments, is being asked to follow a
‘governance’ model of accountability. Key features of this model are:
• Self governance of activities as independent bodies.
• A framework of accountability focusing on broad macro policies and objectives with an emphasis
on outputs rather than process and inputs.
• Increased flexibility over operational and management decisions.
• Increased emphasis on self regulation and risk management.
Under this model public bodies operate as independent organisations which are not controlled or
managed by government but are allowed to self regulate and manage within an accountability
framework. A map of the accountability framework is provided in appendix 1. The University’s
accountability arrangements are outlined in:
Royal Charter 1837 and the Universities of Durham and Newcastle upon Tyne Act of 1963 –
This sets out the purpose and legal powers of the University as incorporated.
HEFCE Circular Model Financial Memorandum between HEFCE and the institutions 19-2008
– The audit requirements for the University are set out in annex A, the code of practice.
The IIA’s Definition of Internal Auditing Code of Ethics International Standards for the
Professional Practice of Internal Auditing (January 2009) – This sets ‘attribute’ (the attributes of
organisations and individuals performing internal audit services) and ‘performance’ (the nature of
internal audit services and quality criteria against which the performance of these services can be
measured) standards for internal audit practice.
The role of Business Assurance (Internal Audit)
The Institute of Internal Auditors defines internal auditing as:
Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve an organisation’s operations. It helps an organisation accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control and governance processes.
(Definition of Internal Auditing, Code of Ethics, International Standards for the Professional Practice of Internal
Auditing, January 2009)
Business assurance is the application of a risk-based approach to internal audit. It fundamentally
looks towards the University’s business objectives and provides a business analysis of the risks to
the achievement of these objectives covering governance, risk management, controls and value for
money.
The value proposition of Business Assurance comes from two fundamental and unique factors held
by the BAS: independence and objectivity.
Annual Audit Needs Assessment Methodology
Link between the strategic and annual assurance plan
The IIA’s Standards require that the work of the Business Assurance Service is planned at each
level of operation. Our strategic assurance plan is based on a risk assessment (see the Strategic
Assurance Plan 2006-07 to 2009-10). This is re-reviewed annually and the revised risk
assessment is used to develop an annual assurance plan which details the assignments we
plan to perform in the current year.
The annual plan is for the period 1 August 2009 to 31 July 2010. Given the breadth and complexity
of the systems operated by the University coupled with the need to limit valuable resources on non-core activity, it is unlikely that any annual operational assurance plan will manage to cover all
systems for managing risk in sufficient depth – this is certainly the case here. Consequently, we
have developed our annual assurance plan in the ongoing and developing context of a four year
strategy which demonstrates how we propose to provide audit coverage of all of the areas
identified in the assurance strategy. This is year four of the Service’s four year strategy.
Components of the strategic assurance plan
The annual and strategic assurance plan is made up of the following elements:
Overall opinion
Risk management
Control
Governance
Economy, efficiency and effectiveness
Risk based reviews
Core financial systems and processes
Formal governance reviews
Value for money reviews
Review of University wide process
Operational systems and processes
Strategic process reviews and benchmarking
Review of University wide process
Strategic risk assessments – facilitation
IT systems and processes
Anti fraud cultural controls
Review of policies and processes
Operational risk assessments – facilitation
Review of strategic control systems including IT
Review of Council and Senate processes
Specific reviews requested
Project risk assessments
Review of policies and processes
Review of subcommittees
Risk management training
Compliance testing and the verification of application of controls
Review of whistle blowing and public interest disclosure
Benchmarking
Consideration of fraud controls and investigations
Third party and special purpose vehicles
Other
Follow up
Audit Committee Reporting
Quality Assurance Reviews
Liaison with other auditors / planning
Consultancy
Work for DSU
Work for JCRs
Work for Independent Colleges
Other work as commissioned by UEC
The annual plan is shown in appendices 3 and 4. The components of the plan are outlined in more
detail in the subsequent section of this plan.
Components of the Assurance Plan
Business Assurance and risk management in 2009-10
The Business Assurance Service has provided an independent review of the risk management
system in each year of the plan. Another review is planned for this year. In addition we will continue
to chart and document progress against benchmark standards, in this case The Institute of Internal
Auditors UK and Ireland - An approach to implementing Risk Based Internal Audit - Assessing the
Organisation’s risk maturity.
2009-10 is the second year in which the BAS has a formal remit to facilitate the University’s risk
management system. This was agreed at a January 2008 meeting of UEC and the February 2008
meeting of the Audit Committee.
Other ongoing activity provided for in the plan will include:
• Providing strategic and operational risk management facilitation.
• Working with project groups to develop a risk assessment and ongoing control and management.
• Working with the University’s Strategic Planning and Change Unit to continue to embed risk
management into planning processes.
We will also undertake a formal risk management system review that addresses strategic risks not
covered by a specific review during 2009-10. This is to meet our aim to review and provide
assurance, over the period of the strategic assurance plan, covering the key risks identified by the
University and our risk assessment. This approach is outlined in ‘Production of the annual plan’ in
the BAS Strategic Assurance Plan 2006-10.
Business Assurance and corporate governance in 2009-10
Having provided a formal review in 2005-06 over the strategic corporate governance system we
have followed up this work over the last three years with work covering elements of the University’s
governance system. For 2009-10 the governance work programme will focus on academic
governance and structures within academic departments. We will also review the changed
governance arrangements with DSU and the independent colleges. A general controls review of
governance processes, minutes, reporting and terms of reference will also be undertaken to refresh
our 2008-09 work.
Business Assurance and control systems in 2009-10
The Service will continue both strategic and compliance level work over the University’s control
systems. We will seek to comment on the application, design and appropriateness of controls
systems and processes that manage the strategic and operational risks to the University. We
provide specific risk based reviews for those risks identified in the strategic risk register.
Operational control processes may be audited on a system by system basis. However we will,
wherever possible, address operational systems by ‘business process’, that is, end to end
processing. Specific distinct control areas included here are: IT processes and systems, linking to
the University’s planned enhancements to this area; core financial processes and systems; and fraud
control systems and processes.
Business Assurance and value for money in 2009-10
We will continue our specific VFM reviews, focusing on museums and merchandising activity. Our
work will at all levels continue to have VFM awareness built into it and continue to provide a driver
for the University’s achievement of VFM. We will report VFM observations within each review
undertaken.
Annual Assurance Plan Delivery
Contents of the plan
The annual assurance plan is set out in appendix 2. Each review is mapped to the University’s
2009-10 risk register as approved by Council (May 2009).
Business Assurance key performance indicators (KPIs)
The Business Assurance Service is just that, a service, to the University. As such the Service
should demonstrate good corporate and management governance and be accountable for the
public resources expended on it.
To this end a balanced scorecard has been developed, which is intended to align the mission and
work of the Service to that of the University, whilst remaining an independent function. This focuses
performance measures on those which add strategic value to the University and are aligned to the
various internal and external stakeholders of the Service.
The balanced scorecard and supporting metrics are shown in appendix 5.
Business Assurance Reporting
Our reporting structure is set out in detail in the Business Assurance Briefing Note: University
Assurance Arrangements (April 2008). In summary, reports receive an overall conclusion about
the process as designed and operated to mitigate controls. This is shown here:
Conclusion
Based on the results of our review, we consider that adequate controls have (not) been developed
and are (not) operating over the risks identified with management over the XXXXXX process.
Reports also receive a risk grading on a four point scale which reflects the net risk faced by the
University over the process:
Risk rating
Good – There is an adequate and effective system of risk management, control and governance to address the risk that objectives are not fully achieved.
Satisfactory – There is some risk that objectives may not be fully achieved. Slight improvements are required to enhance the adequacy and / or effectiveness of risk management, control and governance.
Weak – There is considerable risk that the system will fail to meet its objectives. Significant improvements are required to improve the adequacy and effectiveness of risk management, control and governance and to place reliance on the process for corporate governance assurance.
Unacceptable – The process has failed or there is a real and substantial risk that the process will fail to meet its objectives. Immediate action is required to improve the adequacy and effectiveness of risk management, control and governance.
Appendix 1 – HE Sector Accountability Framework
HEFCE
Required to demonstrate:
Effective risk management
Effective controls
Adequate Governance Arrangements
Efficiency and Effectiveness (VFM)
Internal Audit
Report on:
• Effective risk management
• Effective controls
• Adequate Governance Arrangements
• Efficiency and Effectiveness (VFM)
Scope
Whole of risk management control and governance arrangements of the HEI. Not to question policy but to review how policy is derived and the means used by the University to deliver its objectives.
Definition:
‘Independent objective assurance and consulting activity designed to add value and improve an organisation’s operations’.
Responsibility to:
Consider adequacy of arrangements for the prevention and detection of fraud.
Financial Memorandum
HEFCE Audit Service
University of Durham
Required to demonstrate that the Council has taken reasonable steps to
ensure there are sound arrangements for:
Effective risk management
Effective controls
Effective Governance Arrangements
Efficiency and Effectiveness (VFM)
Council
Annual Report
External Audit
Audit Committee
Require assurance to report to the Governing Body on:
Annual Report
The adequacy and effectiveness of the institution’s arrangements for the following:
Effective risk management (including statement of Internal Control in the Institution’s Financial Statements)
Effective controls
Adequate Governance Arrangements
Economy Efficiency and Effectiveness (VFM)
Other Auditors
HEFCE, QAA, IIP
Management Letter
Opinion on the Financial Statements
Report on Financial Statements including:
Consistency of Statement of Internal Control with their knowledge of the University’s arrangements.
Also to:
Review the work and extent of reliance to be placed on internal audit.
Appendix 2 – Annual Assurance Plan 2009-10
Business area of review | UEC Sponsor | Process Owner | 2009-10 Days | Risk no. | Financial Quantum £’000
Corporate governance
Irregularity policies, fraud, plagiarism, PID | Registrar | Various | 5 | 5b.8 | 230
Independent college controls assurance review | Deputy Warden | G Cox | 5 | 5b.2ii | 823
Council members training | Registrar | K Deeming | 5 | 5b.2 | TBC
Governance controls review | Registrar | K Deeming | 5 | 5b.2 | 446
Academic governance and support | Registrar | Academic Registrar | 15 | 5b.2 | 1,651
DSU Governance review | Deputy Warden | E Dodds | 5 | 5b.2 | TBC
Risk management
Risk management facilitation | Vice Chancellor | S Chadwick | 15 | 5b.2 | 199
Risk management training and development (strategic and operational) | Vice Chancellor | S Chadwick | 10 | 5b.2 | 199
Risk management reporting | Vice Chancellor | S Chadwick | 5 | 5b.2 | 199
Risk management system review (strategic risks not covered by review) | Vice Chancellor | S Chadwick | 5 | 5b.2 | 199
Risk management benchmarking (IIA Risk Maturity Framework) | Vice Chancellor | S Chadwick | 5 | 5b.2 | 199
Incident Response | Treasurer | A Grant | 5 | 5b.2 | 100
Controls – core financial systems
Procurement project | Treasurer | A Holmes | 5 | 5a.14 | 3,760
Fixed assets | Treasurer | B Steemson | 5 | 5a.11 | 3,760
Investments and treasury management | Treasurer | B Steemson | 10 | 5a.16 | 3,760
Resource allocation model | Treasurer | J Waterfield | 10 | 5a.3 | 232,508
Funding Body Data Returns | Registrar | S Chadwick | 20 | 5b.6 | 381
fEC – model | Treasurer | J Waterfield | 5 | 5b.6 | 232,508
Standing Financial Data Interrogation | Treasurer | B Steemson | 5 | 5a.2 | 232,508
Student records | Registrar | Academic Registrar | 15 | 5b.3 | 1,651
Cash and banking and cashflow management | Treasurer | B Steemson | 5 | 5a.4 | 232,508
Access and hardship funds | Registrar | E Lovett | 7 | 2.7 | 3,761
Payroll inputs | Treasurer | B Steemson | 5 | 5a.3 | TBC
Utilities management | Treasurer | P Robinson | 5 | 5a.4 | 4,561
Controls – IT systems / processes
CASSS Project Post Sungard Due Diligence of ITS | PVC L&T | L Beddie | 10 | 5b.1 | 4,601
CASSS Project Post Sungard Due Diligence of Mitre | PVC L&T | L Beddie | 7.5 | 5b.1 | 4,601
CASS Project Transformation Delivery | PVC L&T | L Beddie | 7.5 | 5b.1 | 4,601
IT Service Improvement Project governance and set up | PVC L&T | L Beddie | 7.5 | 5b.1 | 4,601
IT Service Improvement Project review of phase 1 deliverables | PVC L&T | L Beddie | 10 | 5b.1 | 4,601
IT Disaster Recovery for the University Main Machine Room | PVC L&T | L Beddie | 5 | 5b.1 | 4,601
IT Service Improvement Project review of phase 2 deliverables | PVC L&T | L Beddie | 7.5 | 5b.1 | 4,601
E learning strategy (VLE / DUO) | PVC L&T | L Beddie | 7.5 | 5b.1 | 4,601
Website and intranet and internet controls | PVC L&T | L Beddie | 10 | 5b.1 | 4,601
BAS attendance at IT programme board | PVC L&T | L Beddie | 5 | 5b.1 | 4,601
Controls – operational systems / processes
Audit certifications, trusts, grants, other | Treasurer | Various | 5 | 5a.2 | TBC
Cash handling | Treasurer | Various | 3 | 5a.1 | 19,966
Timetabling and examinations | Registrar | R Harrison | 10 | 2.6 | 1,651
Departmental administration | Registrar | Various | 20 | | TBC
Risk based reviews
HR Establishment Resourcing including pay review | PVC L&T | J Boyd | 10 | 5c.1 | 2,574
Regional engagement | PVC RS & QC | B Tanner | 10 | 4.1 | 676
Knowledge transfer (patents / IP / consultancy support/ KTPs) | PVC RS & QC | B Tanner | 10 | 4.2 | 676
Student discipline | Deputy Warden | Various | 10 | 2.4 | 1,651
Research ethics and misconduct | PVC Research | W Harle | 5 | 1.15 | 491
Media | Registrar | M Lavery | 5 | 5b.3 | 1,059
Public affairs | Registrar | M Lavery | 5 | 5b.3 | 1,059
International office and strategy | Registrar | S Proctor | 10 | 3.1 | 800
Sport Provision | Deputy Warden | P Warburton | 10 | 2.16 | 2,262
Queen’s campus administration | Deputy Warden | D Fionda | 13.5 | 5b.4 | 663
Nursery | Registrar | J Boyd | 5 | 5c.1 | 710
Risk based reviews (cont’d)
Counselling services | Registrar | Academic Registrar | 5 | 2.8 | 338
Points Based Immigration and Student Identity Fraud | Registrar | S Proctor | 5 | 5b.6 | 800
Payment card industry requirements | Treasurer | B Steemson | 5 | 5b.6 | TBC
Foundation Centre | PVC RS & QC | Various | 8 | 2.4 | 718
School Academies | PVC RS & QC | M Pennington | 8 | 2.4 | 91
Education (student employability) | PVC L&T | Deputy Warden | 10 | 2.7 | 4,400
Value for money
Library services and special collections | Registrar | J Purcell | 10 | 2.8 | 6504
Durham project | Vice Chancellor | P Robinson | 10 | 5a.12 | 60,000
Subsidiary companies | Treasurer | B Steemson | 10 | 5a.2 | TBC
Museums | Registrar | J Purcell | 5 | 2.13 | TBC
Merchandising | Deputy Warden | H Strangward | 5 | 2.13 | TBC
Journals subscriptions | Registrar | J Purcell | 5 | - | TBC
Consultancy
DSU assurance programme | Deputy Warden | Registrar | 5 | 2.14 | TBC
St Chad’s assurance programme | Deputy Warden | Registrar | 5 | 2.10 | TBC
St John’s assurance programme | Deputy Warden | Registrar | 5 | 2.11 | TBC
JCR and other student bodies financial audits | Deputy Warden | Registrar | 30 | 2.14 | TBC
Other
Fraud training | - | - | 5 | 5b.7 | -
Fraud investigations and anti fraud controls work | Registrar | Fraud Response Group | 20 | 5b.8 | 199
Reporting | - | - | 10 | - | -
Liaison with management and Council | - | - | 15 | - | -
Liaison with external audit | - | - | 5 | - | -
Quality assurance of Assurance Service | - | - | 5 | - | -
Training and development | - | - | 40 | - | -
Conferences | - | - | 10 | - | -
Contingency | - | - | 15 | - | -
Total | | | 647 | |
Appendix 3 – Strategic Assurance Plan 2006-2010
Business area of review | 2006-07 Days | 2007-08 Days | 2008-09 Days | 2009-10 Days | Risk no.
Corporate governance
Senate review | - | 12 | - | - | 5b.2
Third party and special purpose vehicles (HEFCE Circular 2005/48) | 0 | 15 | - | - | 5b.2
Durham Students’ Union controls | 10 | - | - | - | 5a.2
Durham Students’ Union governance | - | 10 | - | - | 5b.2
Irregularity policies, fraud, plagiarism, PID | - | - | - | 5 | 5b.8
Independent college controls assurance review | 5 | - | - | 5 | 5b.2ii
Council members training | 5 | 5 | - | 5 | 5b.2
Governance committees review | - | - | 5 | - | 5b.2
Management / governance interface | - | - | 5 | - | 5b.2
Governance controls review | - | - | 5 | 5 | 5b.2
Academic governance and support | - | - | - | 15 | 5b.2
DSU Governance review | - | - | - | 5 | 5b.2
Maintained colleges governance | - | 10 | - | - | 5b.2
Risk management
Risk management facilitation | 10 | 5 | 10 | 15 | 5b.2
Risk management training and development (strategic and operational) | 10 | 5 | 5 | 10 | 5b.2
Risk management reporting | 5 | 5 | 5 | 5 | 5b.2
Operational risk management facilitation – colleges risk management | 20 | 20 | 10 | 0 | 5b.2
Risk management system review (strategic risks not covered by review) | 5 | 5 | 5 | 5 | 5b.2
Risk management benchmarking (IIA Risk Maturity Framework) | 5 | 5 | 5 | 5 | 5b.2
Incident Response | 5 | 5 | - | 5 | 5b.2
= Changes to the original 2006-2010 strategic plan
Appendix 3 – Strategic Assurance Plan 2006-2010
2006-07
Days
2007-08
Days
2008-09
Days
2009-10
Days
Risk no.
15
10
10
5
5a.14
Management information
-
-
-
0
5b.3
Debtors, credit control and student invoicing
-
15
-
-
5a.4
Student invoicing and fees
-
-
-
0
5a.4
Fixed assets
-
-
-
5
5a.11
Inventories
0
15
-
-
5a.11
Insurance
10
-
-
-
5a.17
Investments and treasury management
-
-
-
10
5a.16
Capital programme management
-
10
-
-
5a.11
Business area of review
Controls – core financial systems
Procurement project
Capital programme management (major equipment)
5
5a.11
Capital programme management (IT equipment)
0
0
0
5a.11
Resource allocation model
0
-
-
10
5a.3
Budget accountability and monitoring
-
-
15
-
5b.3
Funding Body Data Returns
-
10
10
20
5b.6
TRAC T
-
5
-
-
5b.6
RCUK QAV Return
-
5
-
-
5b.6
fEC – model
-
5
5
5
5b.6
High level financial controls (ledger)
-
-
10
-
5a.4
Standing Financial Data Interrogation
-
15
-
5
5a.2
Maintenance
-
-
10
-
5a.11
Financial procedures review
-
5
-
-
5a.2
Grant income strategy and controls
-
-
15
-
5a.4
Student records
-
-
-
15
5b.3
Cash and banking and cashflow management
-
-
-
5
5a.4
Access and hardship funds
-
-
-
7
2.7
Full cost research and course controls
-
-
-
-
5a.6
Payroll inputs
-
-
-
5
5a.3
Expenses
-
-
5
-
5a.3
Utilities management
-
-
-
5
5a.4
= Changes to the original 2006-2010 strategic plan
Appendix 3 – Strategic Assurance Plan 2006-2010
Business area of review | 2006-07 Days | 2007-08 Days | 2008-09 Days | 2009-10 Days | Risk no.
Controls – IT systems / processes
IT Governance | 15 | - | - | - | 5b.1
IT position audit (with ITS) | 25 | - | - | - | 5b.1
IT policies (ARMEd project) | 20 | - | - | - | 5b.1
CASSS Project | - | 15 | 0 | 0 | 5b.1
CASSS Project Post Sungard Due Diligence of ITS | - | - | - | 10 | 5b.1
CASSS Project Post Sungard Due Diligence of Mitre | - | - | - | 7.5 | 5b.1
CASSS Project Transformation Delivery | - | - | - | 7.5 | 5b.1
IT network management | - | - | 0 | - | 5b.1
CASSS Project Phase 2 governance and set up | - | - | 10 | - | 5b.1
IT Service Improvement Project governance and set up | - | - | 10 | - | 5b.1
IT Service Improvement Project review of phase 1 deliverables | - | - | - | 10 | 5b.1
Central Infrastructure Upgrade | - | - | 7 | - | 5b.1
IT Disaster Recovery for the University Main Machine Room | - | - | - | 7.5 | 5b.1
IT Service Improvement Project review of phase 2 deliverables | - | - | - | 10 | 5b.1
IT security (hardware / software) | - | - | - | 0 | 5b.1
E learning strategy (VLE / DUO) | - | - | - | 7.5 | 5b.1
Website and intranet and internet controls | - | - | - | 10 | 5b.1
Software licensing | - | - | 5 | - | 5b.1
IT helpdesk(s) | - | - | 0 | - | 5b.1
IT budgeting and procurement | - | - | - | 0 | 5b.1
IT governance | - | 15 | - | - | 5b.1
BAS attendance at IT programme board | - | 10 | 10 | 7.5 | 5b.1
IT strategic planning | - | - | - | 0 | 5b.1
IT software development | - | - | - | 0 | 5b.1
= Changes to the original 2006-2010 strategic plan
Appendix 3 – Strategic Assurance Plan 2006-2010
Business area of review | 2006-07 Days | 2007-08 Days | 2008-09 Days | 2009-10 Days | Risk no.
Controls – operational systems / processes
Health and safety department review (including new fire regs) | 10 | - | - | - | 5c.5
JCR and other student bodies financial audits | 20 | 35 | - | - | 2.14
Gardens and grounds | - | - | 10 | - | 5a.12
College bars | - | 20 | - | - | 2.14
Cleaning and portering | - | 10 | - | - | 2.14
Audit certifications, trusts, grants, other | 10 | 5 | 5 | 5 | 5a.2
Cash handling | 10 | 5 | 5 | 3 | 5a.1
Timetabling and examinations | - | - | - | 10 | 2.6
Records management | - | 10 | - | - | 5b.3
Departmental systems – School of Health | - | 0 | - | - | 1.7
Business School Management Information | 0 | 15 | - | - | 2.6
Departmental systems – Department of Law | - | - | 0 | - | 1.11
Departmental systems – Modern Languages | - | - | - | 0 | 1.4
Departmental systems – Geography | - | - | 5 | 0 | 1.4
Departmental systems – Education | - | - | 0 | 0 | 1.4
Departmental systems – Physics | - | - | - | - | 1.4
Departmental systems – Biological and Biomedical sciences | - | - | 5 | - | 1.4
Departmental systems – Chemistry | - | - | - | - | 1.4
Departmental administration | - | - | - | 20 | 1.4
PG Admissions process | - | - | 10 | - | 2.6
College systems – University College | - | - | - | - | 2.10
College systems | - | 0 | - | - | 2.10
SCRs | - | - | 10 | - | 2.15
= Changes to the original 2006-2010 strategic plan
Appendix 3 – Strategic Assurance Plan 2006-2010
Risk based reviews

| Business area of review | 2006-07 Days | 2007-08 Days | 2008-09 Days | 2009-10 Days | Risk no. |
| --- | --- | --- | --- | --- | --- |
|  | - | - | - | - | 5c.1 |
| Postgraduate recruitment process | 20 | - | - | - | 2.6 |
| Strategic marketing | 20 | - | - | - | 5b.4 |
|  | - | - | - | - | 5b.4 |
| HEFCEAS preparation | 20 | - | - | - | 5b.6 |
| UUK Code of Practice on student accommodation | 10 | 10 | - | - | 2.5 |
|  | - | - | 10 | - | 5b.6 |
|  | 10 | - | - | - | 5c.3 |
| Staff appraisal and performance management | - | 15 | - | - | 5c.1 |
| Departmental strategy – Business School | - | 0 | 15 | - | 2.6 |
| Flexible working | - | - | 10 | - | 5c.3 |
|  | 10 | - | - | - | 5b.6 |
| Equal pay and grading systems (ARMEd project) | - | 15 | - | - | 5c.3 |
| Strategic HR planning | - | - | 10 | - | 5c.1 |
| HR Establishment Resourcing including pay review | - | - | - | 10 | 5c.1 |
| Staff training and development | - | - | 10 | - | 5c.1 |
| Staff recruitment and retention | - | 10 | - | - | 5c.2 |
| Research strategy and fEC | - | - | - | - | 1.2 |
| Research Quality Assurance | - | 0 | 0 | - | 1.15 |
| Research planning and finance | - | 0 | 7.5 | - | 1.2 |
| Research marketing | - | 0 | 7.5 | - | 1.12 |
| Research support | - | - | 0 | 0 | 1.5 |
| Regional engagement | - | - | - | 10 | 4.1 |
| Estates strategy | - | - | 10 | - | 5a.12 |
| Accommodation planning and utilisation | - | - | 15 | - | 5a.12 |
| Security arrangements | - | - | 10 | - | 5c.5 |
| Knowledge transfer (patents / IP / consultancy support/ KTPs) | - | - | - | 10 | 4.2 |
| Student complaints and feedback | - | - | 10 | - | 2.4 |
| Student discipline | - | 0 | 0 | 10 | 2.4 |
| Research ethics and misconduct | - | - | - | 5 | 1.15 |

HEFCE people management self assessment tool Circular 2005/17
Strategic planning
Operational planning
Diversity and equality – academic activity
Durham bursary scheme development / OFFA compliance
= Changes to the original 2006-2010 strategic plan
Risk based reviews (cont’d)

| Business area of review | 2006-07 Days | 2007-08 Days | 2008-09 Days | 2009-10 Days | Risk no. |
| --- | --- | --- | --- | --- | --- |
| Internal communications | - | - | 10 | - | 5b.3 |
| Media and public affairs | - | - | 0 | 10 | 5b.3 |
| Research institutes | - | - | 15 | - | 1.10 |
| Research grants process | 10 | - | - | - | 1.6 |
| Student placements | - | - | - | 0 | 2.8 |
| Widening participation | - | - | 10 | - | 5b.6 |
| International office and strategy | - | - | 0 | 10 | 3.1 |
| Alumni marketing and 175 events | - | 0 | - | - | 5a.20 |
| 175 Events | - | 7.5 | - | - | 5a.5 |
| Alumni Development | - | 7.5 | - | - | 5a.20 |
| Resource attraction marketing (relationship / stakeholder marketing) | - | - | - | 0 | 5a.5 |
| International marketing | - | - | - | 0 | 3.2 |
| Net Park | - | 0 | 10 | - | 4.2 |
| Sport Provision | - | - | - | 10 | 2.16 |
| Nursery | - | - | - | 5 | 5c.1 |
| Queen’s campus administration | - | - | - | 13.5 | 5b.4 |
| Careers service | - | - | - | 0 | 2.8 |
| Counselling services | - | - | - | 5 | 2.8 |
| Student tutorial system | - | 0 | 10 | - | 2.8 |
| Points Based Immigration and Student Identity Fraud | - | - | - | 5 | 5b.6 |
| Payment card industry requirements | - | - | - | 5 | 5b.6 |
| Education (QA procedures) | - | 0 | - | 0 | 2.4 |
| Foundation Centre | - | - | - | 8 | 2.4 |
| School Academies | - | - | - | 8 | 2.4 |
| Education (student employability) | - | - | - | 10 | 2.7 |
| Environmental policies and governance | - | - | 10 | - | 5a.9 |
| Catering provision | - | - | 10 | - | 2.7 |
| Student accommodation marketing and demand management | - | - | 10 | - | 2.7 |
| CEM Centre | - | - | 0 | 0 | 1.7 |
| Butler College – post implementation review | - | - | 15 | - | 2.11 |

= Changes to the original 2006-2010 strategic plan
Value for money
Consultancy
Other

| Business area of review | 2006-07 Days | 2007-08 Days | 2008-09 Days | 2009-10 Days | Risk no. |
| --- | --- | --- | --- | --- | --- |
| Value for money policy framework follow up | 5 | - | - | - | 5a.2 |
| Review of Repairs, Maintenance and Minor Works to the Estate | 20 | - | - | - | 5a.12 |
| Student enrolment project | 30 | 15 | - | - | 2.8 |
| Marketing spend | - | - | 10 | - | 5a.6 |
| Consultancy | - | - | 10 | - | 5a.15 |
| Library services and special collections | - | - | - | 10 | 2.8 |
| Durham project | - | 10 | - | 10 | 5a.12 |
| Subsidiary companies | - | - | - | 10 | 5a.2 |
| Visitor attractions (Botanic gardens / Museums) | - | - | - | 0 | 2.13 |
| Museums | - | - | - | 5 | 2.13 |
| Merchandising | - | - | - | 5 | - |
| Journals subscriptions | - | - | - | 5 | 1.5 |
| Conferencing and event management | - | - | 10 | - | 5a.14 |
| University staff accommodation | - | 5 | - | - | 5a.13 |
| DSU assurance programme | - | - | 15 | 5 | 2.14 |
| St Chad’s assurance programme | - | - | - | 5 | 2.10 |
| St John’s assurance programme | - | - | - | 5 | 2.11 |
| JCR and other student bodies financial audits | - | - | 45 | 30 | 2.14 |
| Fraud policy and framework | 5 | - | - | - | 5b.8 |
| Fraud training | 5 | 5 | 5 | 5 | 5b.7 |
| Fraud investigations and anti fraud controls work | - | 5 | 20 | 20 | 5b.8 |
| Reporting | 10 | 10 | 10 | 10 | - |
| Liaison with management and Council | 15 | 15 | 15 | 15 | - |
| Liaison with external audit | 5 | 5 | 5 | 5 | - |
| Quality assurance of Assurance Service | 5 | 5 | 5 | 5 | - |
| Training and development | 35 | 40 | 40 | 40 | - |
| Conferences | 10 | 10 | 10 | 10 | - |
| Contingency | 5 | 30 | 5 | 15 | - |
| Total | 465 | 562 | 647 | 647 |  |

= Changes to the original 2006-2010 strategic plan
Appendix 4 – 2009-10 Reporting and Delivery Protocol
Delivery protocol

| Goals | Measures | Metrics |
| --- | --- | --- |
| To be open and transparent over process | Audit scopes to be shared, notified and agreed with UEC sponsor and Process Owner | Scope to be issued for each review and agreed by the process owner and UEC sponsor* |
|  |  | Formal sign off although it should be noted that the review is risk based and, in addressing risks, the review should be free to report and evaluate all relevant data |
|  |  | Scope should contain: Process objective; Process sub objectives; Overview of assurance process; Overview of timing of the review; UEC sponsor, process owner and other key contacts recorded; Detail of the process being reviewed; Outputs to be provided; Indicative review milestones; Other significant issues; Level of assurance to be provided |
|  | Timing of reviews and areas reviewed to be transparent | Annual assurance plan to be reviewed by UEC |
|  |  | Annual assurance plan to be made available on the University intranet |
|  |  | Annual assurance plan to be approved by the Audit Committee |
| Outputs to be agreed with the University | Risk assessments to be shared | Risk assessments to be shared with process owner and sponsor through the reporting process |
|  | An adequate closeout process | BAS to meet with process owners** for each review to feedback initial findings at the end of the fieldwork |
|  |  | Draft report to be shared with the process owner** ONLY before wider distribution. Initial feedback and comments on draft reports to be noted and action taken where appropriate (for factual issues) |
|  | Draft reports provided for feedback and comment | All draft reports subject to process owner** review prior to submission to the UEC sponsor (for factual accuracy) |
|  |  | Following agreement with the process owner** the draft report should be submitted to the UEC sponsor |
|  |  | Further distribution at the discretion of the UEC sponsor* / Head of BAS |
|  |  | Where appropriate, University comments to be incorporated into reports |

* UEC sponsor = This is the UEC member with overall accountability for the process under review. Where processes
cover a number of UEC members, a ‘lead sponsor’ will be identified. It is the role of the UEC sponsor to collate and
approve the University Response to be included in the final report.
** Process owner = This is the operational manager (typically a head of department) with operational accountability for
the process under review. Where processes cover a number of heads of departments each process owner will respond to
recommendations within their operational accountability. Each process owner will liaise with the relevant UEC sponsor to
collate the University Response to be included in the final report.
Delivery protocol

| Goals | Measures | Metrics |
| --- | --- | --- |
| Outputs to be agreed with the University | Finalised outputs to be agreed | Where applicable all reports to receive University responses. These responses to address the risk(s) identified and provide: Clear actions; Timing for completion of actions; A responsible University officer for each action |
| Timescales to meet University requirements | Timely issue of audit scopes | Scopes to be drafted and issued by BAS at least 4 weeks prior to commencement of audit |
|  |  | Sign off of scope at least 2 weeks prior to planned commencement of the audit |
|  | Timely reporting of work | Issue of draft report 3 weeks after finalisation of fieldwork |
|  |  | Process owner to consider draft report for factual accuracy and to liaise with BAS within 2 weeks of issue of draft report |
|  |  | Receipt of UEC sponsor* agreed University responses within 4 weeks of the issue of the report to the UEC sponsor* following process owner review |
|  |  | Issue of final report within 1 week of receipt of final University responses |

The revised protocol timings
[Figure: timeline, in weeks, of the following steps]
Step 1 – Scope and terms of reference issued (BAS)
Step 2 – Scope finalised (BAS / University)
Step 3 – Commencement of fieldwork (BAS)
Step 4 – Delivery of fieldwork for period agreed in scope (BAS)
Step 5 – Finalisation of fieldwork (BAS)
Step 6 – Issue of draft report to process owner (BAS)
Step 7 – Receipt of process owner responses for factual accuracy (University) and distribution of draft report to UEC sponsor
Step 8 – Receipt of UEC sponsor responses (University)
Step 9 – Issue of final report (BAS)
Appendix 5 – Business Assurance Balanced Scorecard
Financial perspective

| Goals | Measures |
| --- | --- |
| To be high quality at lowest possible cost | Performance against budget |
|  | Comparison of cost per day with alternative providers |
|  | Staff quality mix (qualified: unqualified) |
| To deliver quantum of audit needed | Coverage of plan |
|  | Reasons for and quantity of variance from the plan |
|  | Productive fieldwork as a percentage of the plan |

Customer perspective
Goals: Audit committee satisfaction; Management satisfaction; Stakeholder satisfaction
Measures: Feedback from committee members; Annual Audit Committee report; Meeting of specific ad hoc requests and requirements; Positive returns from audit satisfaction surveys; Feedback from VC, Registrar and UEC; Positive working relationships established; Positive management responses to audit recommendations; HEFCE satisfaction noted in HEFCE correspondence; External audit reliance statement

Internal business perspective

| Goals | Measures |
| --- | --- |
| Zero audit failure | Opinions issued to be unquestioned and supported by clear evidence |
| Quality assurance to be high | Review of Service by University of Newcastle IAS against GIAS and wider requirements |
|  | Positive HEFCEAS review |
| IIA compliance | Review of Service by University of Newcastle IAS against IIA and wider requirements |
| Continuity | Staff to remain in post |
| Impact | Timely reporting of issues which are adopted and implemented by management |
| Clarity | Opinions clear unambiguous and well structured. |
| Objectivity | Reports to be challenging and supportive |
|  | Independent QA to assess objectivity |

Vision and strategy
University’s purpose: Creating the future through internationally recognised research, scholarship and learning within a distinctive collegiate environment.
Business Assurance Service’s purpose: Delivery of the higher education sector’s leading internal audit service providing strategic, risk based assurance to the University’s management team, allied with ongoing consultancy support and advice aligned to the University's strategy to deliver an opinion of unquestionable quality.

Innovation and learning perspective

| Goals | Measures |
| --- | --- |
| Staff to continue professional development | Phd, MBA, MIIA, PIIA and skills training to be undertaken |
|  | Attendance at regional and national CHEIA events |
| Product review | Development of reporting and auditing practice |
| Technical leadership | Review of business journals and changing accounting and auditing standards |

Appendix 5 – Business Assurance Balanced Scorecard Metrics
Financial perspective

| Goals | Measures | Metrics |
| --- | --- | --- |
| To be high quality at lowest possible cost | Performance against budget | To be within the pay and non pay budget set and agreed for the period. |
|  | Comparison of cost per day with alternative providers | To be 20% cheaper than alternative providers on a day rate basis. |
|  | Staff quality mix (qualified: unqualified) | Minimum 40% qualified: experienced input on a day basis. |
| To deliver quantum of audit needed | Coverage of plan | 85% of planned reviews to be completed within the academic year excepting for circumstances outside of the Service’s control. |
|  | Reasons for and quantity of variance from the plan | All changes to the plan to be notified to the Audit Committee. |
|  |  | All reasons for significant variances to plan to be documented and justified within the context of University audit requirements. |
|  | Productive fieldwork as a percentage of the plan | No more than 25% of available staff time to be spent on internal, non ‘client facing’ work. |

Customer perspective

| Goals | Measures | Metrics |
| --- | --- | --- |
| Audit committee satisfaction | Feedback from committee members | Achievement of an overall score of >2 (satisfactory) on a feedback survey for the Service by Members |
|  | Annual Audit Committee report | Enabling the Audit Committee to issue its annual report to Council inclusive of an endorsement of at least satisfactory provision by the Service. |
|  | Meeting of specific ad hoc requests and requirements | Meeting 90% of ad hoc requests within the timescale set by Audit Committee. |
|  | Positive returns from audit satisfaction surveys | Achievement of an overall score of >2 (satisfactory) on a feedback survey for the Service by University management. |
| Management satisfaction | Feedback from VC, Registrar and UEC | Achievement of an overall score of >2 (satisfactory) on a feedback survey for the Service by University Senior management. |
|  | Positive working relationships established | The absence of serious complaints regarding the Service to senior management. |
|  | Positive management responses to audit recommendations | No recommendations in final reports not accepted on the grounds of factual accuracy. |
|  |  | Adoption of 75% of final report recommendations by management for implementation. |
| Stakeholder satisfaction | HEFCE satisfaction noted through HEFCE correspondence | No significant issues to be noted by HEFCE in any comment or review. |
|  | External audit reliance statement | The Service to be considered appropriate for reliance by External Audit. |

Internal business perspective

| Goals | Measures | Metrics |
| --- | --- | --- |
| Zero audit failure | Opinions issued to be unquestioned and supported by clear evidence | Positive overall quality assurance assessment by Newcastle University’s Audit Service |
| Quality assurance to be high | Review of Service by University of Newcastle IAS against GIAS and wider requirements | Positive overall quality assurance assessment by Newcastle University’s Audit Service |
|  | Positive HEFCEAS comment | No significant issues to be noted by HEFCE in during 2009-10 |
| HEFCE ACOP / IIA Standards / GIAS compliance | Review of Service by University of Newcastle IAS against GIAS and wider requirements | Positive overall quality assurance assessment by Newcastle University’s Audit Service |
| Continuity | Staff to remain in post in 2007-08 | Professional staff to remain in post during 2009-10 |
| Impact | Timely reporting of issues which are adopted and implemented by management | 85% reports to be issued within KPI deadlines. (See reporting and delivery protocol for PIs) |
| Clarity | Opinions clear unambiguous and well structured. | A clear opinion and risk rating to be issued with all Audit Reports (bespoke reports may omit these) |
| Objectivity | Reports to be challenging and supportive | All reports to be agreed within management prior to publication |
|  |  | No significant issues identified from fieldwork go inappropriately unreported (ref positive QA from Newcastle University Audit Service) |
|  | Independent QA to assess objectivity | Positive overall quality assurance assessment by Newcastle University’s Audit Service |

Innovation and learning perspective

| Goals | Measures | Metrics |
| --- | --- | --- |
| Staff to continue professional development | Phd, ACCA, MIIA and skills training to be undertaken | All professional staff to complete assigned training programme during 2009-10. |
|  | Attendance at regional and national CHEIA events | All professional staff to attend CHEIA conference in 2009-10 |
|  |  | Successful hosting / attendance at Regional CHEIA meetings |
| Product review | Development of reporting and auditing practice | Full review of reporting documentation and standards for 2009-10 |
|  |  | Implementation of revised documentation standards for 2009-10 (confirmed by QA process). |
| Technical leadership | Review of business journals and changing accounting and auditing standards | Continued subscription to ACCA, ACA, IIA, Accountancy Age and Harvard Business Review Journals |
