Durham University
Business Assurance Service
The Business Assurance Process –
Auditee Guidance Note
(2007-08)
Date: November 2007
Preamble
This document is intended to provide University officers and staff with an overview of the role,
purpose, and work of the Business Assurance Service. This document is further supported by the
Annual Assurance plan 2007-08. Additional information regarding the Business Assurance Service
can also be found on the University’s intranet pages http://www.dur.ac.uk/internal.audit/
This Report is CONFIDENTIAL and its circulation and use are RESTRICTED.
© 2007 University of Durham. All rights reserved. Printed in the United Kingdom.
Contents
1. Introduction ............ 4
2. Role of the Business Assurance Service ............ 6
3. The Purpose of Business Assurance ............ 9
4. Risk Based Auditing ............ 10
5. Assurance Plans ............ 11
6. The Audit Process ............ 12
7. Other Services ............ 22
1. Introduction
1.1 What is the Business Assurance Service?
The Business Assurance Service provides an independent, objective assurance and consulting
activity designed to add value and improve the University’s overall control, governance, risk
management and value for money arrangements.
1.2 What does the Business Assurance Service do?
The mission of the Business Assurance Service is to provide: 'Delivery of the higher education
sector's leading internal audit service providing strategic, risk based, assurance to the University's
management team, allied with ongoing consultancy support and advice aligned to the University's
strategy to deliver an opinion of unquestionable quality.'
1.3 How does the Business Assurance Service do it?
The HEFCE regards the independence of assurance services to be an important characteristic of
efficacy. As a consequence the Service is able to select any area or activity for evaluation, without
restriction, has full access to records, assets, personnel and premises, and is authorised to
obtain whatever information and explanations are considered necessary by the Head of the
Business Assurance Service to complete its work.
The Business Assurance Service is independent of University management to protect the
objectivity and independence of its work. The Head of the Business Assurance Service formally
reports to the Vice Chancellor and to the University's Audit Committee; although de facto the Head
of the Service reports to the Registrar for ongoing liaison and resource planning. All members of the
Business Assurance Service staff are accredited members of the Institute of Internal Auditors, UK
and Ireland and hold professional qualifications from the IIA. The Business Assurance Service
adheres to the professional International Standards for the Professional Practice of Internal Auditing
and Code of Ethics set out by the Institute.
1.4 How is the effectiveness of the Business Assurance Service monitored?
The Business Assurance Service has a balanced scorecard of measures and metrics against which
progress and achievements are monitored. The balanced scorecard is contained within the
Business Assurance Service’s Annual Assurance Plan 2007-08.
1.5 Who audits the auditors?
The work of the Business Assurance Service is subject to independent quality assurance
arrangements via the HEFCE's Audit Service and through a regional arrangement with two other
HEIs to provide independent quality assurance review over the Service’s delivery standards and
quality of processes and documentation.
1.6 Why have a Business Assurance Service?
The University is accountable for its public funds under its financial memorandum with HEFCE, and
HEFCE's Audit Code of Practice requires that each HEI should have an Internal Audit Service
(paragraph 89).
The role of the Service is set out in the Higher Education Funding Council's (HEFCE's) Circular
2004/27 Audit Code of Practice (2004, amended 2005) where it states:
95. 'Accordingly, within the HE sector the prime responsibility of the Internal Audit service is to
provide the governing body, the designated officer and the other managers of the HEI, with
assurance over the adequacy and effectiveness of risk management, control and governance
arrangements. Responsibility for these arrangements remains fully with management, who should
recognise that Internal Audit can provide 'reasonable assurance' and cannot provide any guarantee
against material errors, loss or fraud. Internal audit also plays a valuable role in helping
management to improve risk management, control and governance, so reducing the effects of any
significant risks faced by the HEI.
96. Internal Audit can also provide independent and objective consultancy advice specifically to
help management improve risk management, control and governance, so contributing to the
achievement of corporate objectives. Such advisory work contributes to the opinion which Internal
Audit provides on risk management, control and governance.'
The circular also sets out the role of the Business Assurance Service in the monitoring of the
achievement of economy and effectiveness (value for money) and the University's arrangements in
the case of fraud. This is formally reported, on an annual basis, to the University's Council, via its
Audit Committee. This report should cover:
108. 'The Internal Audit annual report should include the Internal Auditor's opinion on the adequacy
and effectiveness of the HEI's arrangements for: risk management, control and governance, and
economy, efficiency and effectiveness.'
Appendix 1 sets out the University’s accountability framework and where the Business Assurance
Service sits within the framework.
1.7 Who is in the Business Assurance Service?
The Business Assurance Service team’s contact details are set out below:
Anthony Garnett, Head of Business Assurance: 0191 334 4516 (Ext 44516), [email protected]
David Claybrook, Business Assurance Senior: 0191 334 4517 (Ext 44517), [email protected]
Rebekah Wilson, Auditor: 0191 334 4518 (Ext 44518), [email protected]
Website: http://www.dur.ac.uk/internal.audit/
2. Role of The Business Assurance Service
2.1 Internal audit
Government Internal Audit Standards (GIAS October 2001) define internal audit as a service which:
‘provides an independent and objective opinion to the Accounting Officer on risk management,
control and governance, by measuring and evaluating their effectiveness in achieving the
organisation’s agreed objectives. In addition, internal audit’s findings and recommendations are
beneficial to line management in the audited areas. Risk management, control and governance
comprise the policies, procedures and operations established to ensure achievement of objectives
and, the appropriate assessment of risk, the reliability of internal and external reporting and
accountability processes, compliance with applicable laws and regulations, and compliance with the
behavioural and ethical standards set for the organisation’.
The HEFCE Publication 2004/27 Accountability and Audit: HEFCE Code of Practice states that:
‘Each HEI is required by its financial memorandum with HEFCE to have an internal audit function.’
2.2 Consultancy
Tolley’s Internal Auditor’s Handbook (A.Chambers, 2005) defines consultancy services as:
‘advisory in nature, and are generally performed at the specific request of an engagement client.
The nature and scope of the consulting engagement are subject to agreement with the engagement
client. Consulting services generally involve: (1) the person or group offering advice – the internal
auditor, and (2) the person or group seeking and receiving the advice – the engagement client.
When performing consulting services the internal auditor should maintain objectivity and not
assume management responsibility.’
2.3 Role of The Business Assurance Service
The work of the Business Assurance Service is designed, ultimately, to provide sufficient evidence
for the Head of Business Assurance to ‘submit to the University’s Accounting Officer (the Vice
Chancellor) annually, his professional opinion on the adequacy and effectiveness of the University’s
risk management, control and governance processes and arrangements for the promotion of
economy, efficiency and effectiveness’. The University, through opting to have an in-house
assurance service, has more scope and ability to use its Business Assurance Service to undertake
wider organisational development activity. This activity, whilst notified to the University’s Audit
Committee, may not result in formal reports or outputs and may take the form of ‘consultancy’.
The scope of the Business Assurance Service is:
'The whole internal control system of the institution, including all its operations, resources, staff,
services and responsibilities for other bodies. It should cover all activities associated with the
institution, including those not funded by the HEFCE.' (HEFCE Audit Code of Practice 2004/27
Paragraph 65.)
2.4 Business assurance
Traditional internal audit has largely been defined in terms of control, the review of controls and a
focus on compliance. This traditional role has developed. As an example the Treasury has
recognised the consulting role of internal audit services in The GIAS Good Practice Guide: The
Consultancy Role of Internal Audit (March 2003) where the guide states:
‘[Internal Audit] provides an independent and objective opinion to the Accounting Officer on risk
management, control and governance, by measuring and evaluating their effectiveness in achieving
the organisation’s objectives. Internal Audit also provides an independent and objective consultancy
service specifically to help line management improve the organisation’s risk management, control
and governance’.
The focus on risk management has further broadened the role of internal audit to provide assurance
over the way in which organisations manage the risks they face. This has meant a focus on business
processes rather than systems and a clear link to the organisation’s strategy and goals. It is
becoming clear that risk management is only part of the answer to an increasingly complex world.
Risk management certainly provides a useful tool for the consideration, handling and management
of organisational risk.
An assurance service, therefore, needs to provide managers and stakeholders of the University with
assurances that processes for managing risks faced by the University are reasonable. It cannot be
the case that absolute assurance can be obtained from any assurance service. The use of the term
‘business assurance’ in this context therefore refers to this wider multi skilled assurance service.
The figure below presents a range of enterprise-wide risk management activities and indicates which
roles an effective professional business assurance function should, and equally importantly should
not, undertake. The key factors to take into account when determining the Business Assurance
Service’s role are whether the activity raises any threats to the Service’s independence and
objectivity and whether it is likely to improve the organisation’s risk management, control and
governance processes.
[Figure: enterprise risk management (ERM) activities, grouped into three bands: core Business Assurance roles in regard to ERM; legitimate Business Assurance roles with safeguards; and roles Business Assurance should not take management responsibility for. Axis label: Effectiveness. Example activity shown: consolidated reporting on risks.]
Source: Institute of Internal Auditors (2004), Position Statement: The Role of Internal Auditors in Enterprise Risk Management, London: IIA
2.5 Are we doing it right?
The role of the Business Assurance Service is to provide assurance that controls are adequately
operating to ensure compliance with policies, frameworks, standards and legislation.
2.6 Are we doing the right things?
The role of the Business Assurance Service is also to provide assurance over the design and
effectiveness of controls that are operating to mitigate risks.
Adequacy = Compliance
Effectiveness = Consultancy
3. The Purpose of Business Assurance
3.1 Governance
The University is accountable for its public funds under its financial memorandum with the HEFCE, and
the HEFCE's Audit Code of Practice requires that each HEI should have an Internal Audit Service
(paragraph 89).
The role of the Service is set out in the Higher Education Funding Council's (HEFCE's) Circular
2004/27 Audit Code of Practice (2004, amended 2005) where it states:
95. 'Accordingly, within the HE sector the prime responsibility of the Internal Audit service is to
provide the governing body, the designated officer and the other managers of the HEI, with
assurance over the adequacy and effectiveness of risk management, control and governance
arrangements. Responsibility for these arrangements remains fully with management, who should
recognise that Internal Audit can provide 'reasonable assurance' and cannot provide any guarantee
against material errors, loss or fraud. Internal audit also plays a valuable role in helping
management to improve risk management, control and governance, so reducing the effects of any
significant risks faced by the HEI.
96. Internal Audit can also provide independent and objective consultancy advice specifically to
help management improve risk management, control and governance, so contributing to the
achievement of corporate objectives. Such advisory work contributes to the opinion which Internal
Audit provides on risk management, control and governance.'
The circular also sets out the role of the Business Assurance Service in the monitoring of the
achievement of economy and effectiveness (value for money) and the University's arrangements in
the case of fraud. This is formally reported, on an annual basis, to the University's Council, via its
Audit Committee. This report should cover:
108. 'The Internal Audit annual report should include the Internal Auditor's opinion on the adequacy
and effectiveness of the HEI's arrangements for: risk management, control and governance, and
economy, efficiency and effectiveness.'
Appendix 1 sets out the University’s accountability framework and where the Business Assurance
Service sits within the framework.
4. Risk Based Internal Auditing
4.1 Risk based internal auditing
The Business Assurance Service uses a Risk Based Internal Auditing (RBIA) methodology. The objective of RBIA is to provide
independent assurance to the University’s Council that:
• The risk management processes which management has put in place within the University (covering all risk management processes at corporate,
divisional, business unit, business process level, etc.) are operating as intended.
• These risk management processes are of a sound design.
• The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level
acceptable to the Council.
• That a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.
Risk based internal auditing starts with the business objectives and then focuses on those risks that have been identified by management that may
hinder their achievement. The role of the Business Assurance Service is to assess the extent to which a robust risk management approach is adopted and
applied, as planned, by management across the University to reduce risks to a level that is acceptable to the Council (the risk appetite). While the
Business Assurance Service’s main contribution is to provide assurance on management’s treatment of risk (through governance and control processes) it
may also advise management on other aspects of their response to risks such as decisions to terminate, transfer or tolerate risk.
Key points:
• The scope of risk-based internal auditing includes strategic and business risks.
• The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the
organisation has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives.
• In a mature risk management environment the focus of internal audit work may be auditing the risk management infrastructure.
• Carrying out individual audit assignments that are predominantly about specific risks.
• In less mature risk management environments, where individual audit assignments predominantly focus on complete systems, processes or business
units, internal audit needs to review business objectives and risk management processes within each of these auditable entities.
• Where risk management processes are adequate and embedded, internal audit aims to rely, where possible, on the organisation’s own view of the
risks in order to determine the audit work that it needs to carry out.
• Where the risk management processes cannot be relied on, internal audit needs to undertake its own risk assessment (in conjunction with
management) to determine the precise level of the work required and then focus on how management assures itself that the risk management activities
are operating as intended.
• The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk
appetite) or to facilitate and/or agree improvements as necessary.
(The Institute of Internal Auditors UK& Ireland – Position Statement on Risk Based Internal Auditing 2003)
5. Assurance Plans
5.1 How are business assurance plans decided?
Government Internal Audit Standards (GIAS) require that the work of the Business Assurance
Service is planned at each level of operation. Our strategic assurance plan is based on a risk
assessment (see the Strategic Assurance Plan 2006-07 to 2009-10) and we use this to develop an
annual assurance plan which details the assignments we plan to perform in any given year.
Given the breadth and complexity of the systems operated by the University coupled with the need
to limit valuable resources on non-core activity, it is unlikely that any annual operational assurance
plan will manage to cover all systems for managing risk in sufficient depth – this is certainly the
case here. Consequently, we have developed our annual assurance plan in the ongoing and
developing context of a four year strategy which demonstrates how we propose to provide audit
coverage of all of the areas identified in the assurance strategy.
5.2 Where can the plans be found?
Strategic Assurance Plan 2006-2010
The University has agreed a Strategic Assurance Plan which is designed to set out the planned
assurance work to be undertaken by the University’s Business Assurance Service over the period
2006-07 to 2009-10. Specifically it is designed to:
• Explain the underlying basis for the strategic assurance plan.
• Explain the process and factors used to undertake an audit needs assessment.
• Set out the key components of the assurance plan.
• Identify the allocation of resource to the plan over the strategic audit period.
• Identify specific reviews planned over the period.
• Set out performance indicators for the Business Assurance Service.
• Explain the framework of reporting and risk assessment to be used by the Service.
Annual Assurance Plan
The Service draws up an Annual Assurance Plan based on the Strategic Assurance Plan outlined above.
This plan should be read in conjunction with the University’s Strategic Assurance Plan 2006-07 to
2009-10. The strategy puts the annual plan in context and explains in more detail the basis for the
selection of reviews. It also sets out in detail the risk based methodology used to
establish the plan.
5.3 Key outputs of the assurance plan
The assurance plan is designed, ultimately, to provide sufficient evidence for the Head of Business
Assurance to ‘submit to the University’s Accounting Officer (the Vice Chancellor) annually his
professional opinion on the adequacy and effectiveness of the University’s risk management,
control and governance processes and arrangements for the promotion of economy, efficiency and
effectiveness’ (HEFCE ACOP 04-27). This assurance plan is designed to meet both the University’s
and the Accounting Officer’s duties in respect of the accountability requirements placed on the
University. It is also designed to assist and monitor the University’s progress against its mission and
its strategic goals and objectives.
6. The Audit Process
[Figure: the audit process cycle, with stages 6.1 Initiating the audit process; 6.2 Scoping the audit review; 6.3 Undertaking audit fieldwork; 6.4 Risk assessment and grading of recommendations; 6.5 Business assurance reporting; 6.6 University response and action planning; 6.7 Reporting the status of recommendations.]
6.1 Initiating the audit process
Before the start of the audit a member of the Business Assurance Service staff will arrange a meeting with the UEC Sponsor and Process Owner to discuss
the scope and objectives of the audit. UEC Sponsors and Process Owners are documented in the Business Assurance Service Annual Plan.
Input at this stage from the UEC Sponsor (the member of UEC who is responsible for the area under review) and the Process Owner (the member
of staff who manages the area subject to review) is important, as it helps establish areas of risk that should be
included in the scope of the work. The UEC Sponsor and Process Owner will also have the opportunity to raise any issues or areas of special concern that
could be covered as part of the audit. The meeting will be used to establish information about the area being reviewed and other relevant information.
It is helpful to the Service, at this stage, to identify staff who can assist in the audit fieldwork and to identify any information that the auditor is likely to
need access to.
The information gained from the initial planning meeting (above) is used in conjunction with other relevant information about the business process in order
to obtain a general overview of operations. This may include information on budgets and strategic plans as well as past audit reports.
All of this information is then used to make a preliminary assessment of the risks and controls for the business process and area of risk under review.
6.2 Scoping the audit review
An audit scope sets out the following:
• Overall process objectives
• The role of the Business Assurance Service and approach to the audit
• Project scope (details of areas which the review will specifically cover)
• Level of assurance (full or part)
• An overview of the assurance process
• Contact details for the review
• A detailed description of the process being reviewed
• Agreed outputs
• Timing of the review in accordance with the agreed reporting protocol (see figure 6.2)
A scoping memorandum will be issued to both the UEC sponsor and process owner for consideration and agreement.
Figure 6.2 – Reporting Protocol Timings
[Figure: timeline, in weeks, of the nine steps of the reporting protocol and the party responsible for each:
Step 1 – Scope and terms of reference issued (BAS)
Step 2 – Scope finalised (BAS / University)
Step 3 – Commencement of fieldwork (BAS)
Step 4 – Delivery of fieldwork for period agreed in scope (BAS)
Step 5 – Finalisation of fieldwork (BAS)
Step 6 – Issue of draft report to process owner (BAS)
Step 7 – Receipt of process owner responses for factual accuracy (University) and distribution of draft report to UEC sponsor
Step 8 – Receipt of UEC sponsor responses (University)
Step 9 – Issue of final report (BAS)
The week-scale annotations between steps (2 weeks, 3 weeks, 5 weeks) cannot be attributed to individual steps from the transcript.]
6.3 Undertaking Audit Fieldwork
The Business Assurance Service will undertake fieldwork which focuses on determining how well business process risks are being managed and to review
controls to ensure that they are adequately designed and operating to mitigate risks. Fieldwork can take a variety of forms including interviews and detailed
testing and analysis of documents or transactions. Upon completion of the fieldwork the auditor will assess the identified net risk, in accordance with the
University’s risk management framework. Any significant risks which are not being adequately managed or identified control weaknesses will be raised in a
draft audit report.
Prior to the issue of a draft report a member of the Business Assurance Service will usually have arranged to discuss any key issues with the audit Process
Owner before completion of the fieldwork.
6.4 Risk Assessment and grading of recommendations
The formal grading system used by the University’s Business Assurance Service in its audit
engagements is intended to be compliant with Government Internal Audit Standards (GIAS) and is
designed to provide a system by which the University can easily understand and respond to the
findings of the Business Assurance Service. It is intended to meet the following objectives:
• To be intellectually consistent with the underlying audit approach.
• To be meaningful to University staff, stakeholders (including HEFCE) and specifically the
University’s Council and Audit Committee.
• To provide clarity over actions required from respondents to the Business Assurance report.
• To clearly express a level of assurance over the process reviewed.
• To provide clarity over the priority and significance of recommendations made.
Assurance statements
Reports provided by Business Assurance Service contain an assurance statement. This is
contained in the executive summary of each report. It follows a standard wording:
Conclusion
Based on the results of our review, we consider that adequate controls have (not) been
developed and are (not) operating over the risks identified with management over the XXXXXX
process.
The statement provides an assurance over the adequacy of the control systems over a process,
as designed and as operated. This statement concludes whether the process is either adequate or
not. In exceptional cases, and as agreed with the University, we may provide a partial reliance
statement, where specific objectives of the review have not been met. Typically, however, the
reliance statement is designed to be firm, specific and clearly understood.
Report Risk Ratings
Report risk ratings are allocated to either a good, satisfactory, weak, or unacceptable category. The
net risk is assessed as the risk profile extant at the time the review was undertaken. It does not take
into account mitigating actions taken since the audit fieldwork, or as promised in University
responses to the report.
The allocation of a risk rating is judgemental and is grounded in the risk assessment underpinning
the report.
Risk ratings:
Good: There is an adequate and effective system of risk management, control and
governance to address the risk that objectives are not fully achieved.
Satisfactory: There is some risk that objectives may not be fully achieved. Slight improvements
are required to enhance the adequacy and / or effectiveness of risk management,
control and governance.
Weak: There is considerable risk that the system will fail to meet its objectives. Significant
improvements are required to improve the adequacy and effectiveness of risk
management, control and governance and to place reliance on the process for
corporate governance assurance.
Unacceptable: The process has failed or there is a real and substantial risk that the process will fail
to meet its objectives. Immediate action is required to improve the adequacy and
effectiveness of risk management, control and governance.
Grading of recommendations
One of the Business Assurance Service’s key objectives in working across the University is for
Business Assurance to be seen as a critical friend, that is, a useful objective tool of management to
assist in the achievement of the University’s objectives. In this we are a tool of performance
management. The grading of recommendations is, therefore, vital to provide the University’s
management teams with direction to allocate resources and priority to Business Assurance
recommendations for improvement. In order to engage the wider staff of the University in the
process, the terminology is intuitive and simple, grading recommendations either ‘high’, ‘medium’ or
‘low’. It may be considered, in general terms, that ‘high’ recommendations are those against which
action should be prioritised in both resources and speed of implementation.
Collaborative grading
The Business Assurance Service’s approach emphasises joint working with the University’s
management teams whose processes and systems the Service audits. This provides not only an
audit grounded in co-operation and mature consideration of the true risk map, but also engages the
manager being audited in consideration of process improvements, performance management and
risk management processes. As a result the grading structure is specifically designed around the
agreed risk grading system provided by the University’s own risk management policy. This provides
comparability across the University and clarity to external stakeholders.
The format of a standard audit report is detailed in Appendix 2.
6. The Audit Process
[Process diagram: 6.1 Initiating the audit process; 6.2 Scoping the audit review; 6.3 Undertaking audit
fieldwork; 6.4 Risk assessment and grading of recommendations; 6.5 Business assurance reporting;
6.6 University response and action planning; 6.7 Reporting the status of recommendations]
6.5 Business Assurance Reporting
Business Assurance reviews typically result in a formal audit report. The purpose of each report is to identify the current systems and processes in
place for the area under review and to make recommendations on how governance, control, risk management and value for money arrangements can
be improved. Reports are also designed to provide clear assurance statements to University Council and management.
There are three stages to the reporting process:
• Feedback meeting – The feedback meeting is held after fieldwork is completed and is a chance to discuss the Service’s findings and conclusions
with the process owner and to consider the likely recommendations arising from the review.
• Draft Report – A draft report is issued to the process owner. The Business Assurance Service works collaboratively with the process owner
to ensure that the report is factually accurate. The report is then issued to the UEC sponsor to provide a University response to the
recommendations set out in it.
• Final Report – Once the response to the draft report has been agreed and a completed action plan received, the Business Assurance Service publishes the
final report. The final report is distributed to the Vice-Chancellor, UEC sponsor, process owners, external audit and the University’s Audit
Committee.
6.6 University response and action planning
The Business Assurance Service has agreed a reporting protocol, which includes a reasonable
time scale for University management to respond to the issues raised and recommendations set
out in an audit report. Issues identified in reports provoke one of four types of response:
Type | University response to risk identified | University response to suggested recommendation
1 | Agree with risk | Agree with recommendation as stated
2 | Agree with risk | Note the recommendation but propose an alternative on cost or other grounds
3 | Agree with risk | Consider the risk acceptable and propose no action
4 | Disagree with risk | Disagree with the action identified and propose no action
The agreed reporting protocol allows time for items under type 4 to be removed from reports
(where factually inaccurate) or escalated (where a genuine difference of risk assessment is
present). There must also be time to ensure that the risk and the recommended action are grounded
in the context of current University management agendas and of both current and planned actions.
The protocol reflects a realistic delivery timetable. It is also intended to balance the need to report
on a timely basis against the need to provide adequate opportunity to ensure the accuracy and quality of
the reporting and of the assurance given.
University responses to issues and recommendations should clearly document any agreed actions,
proposed alternative actions or justification for no action to be taken. Actions should be supported
by realistic timescales and should identify the person(s) responsible for carrying out the actions.
6.7 Reporting the status of audit recommendations
The objective of the follow up review is to analyse the current position of the University in relation to
the implementation of actions to mitigate risks identified in previously reported audit
recommendations. This is to ensure that the University is continuing to improve and build upon
highlighted areas of control weakness.
A key element of this work is to ensure that not just the letter but the spirit of the recommendations
are implemented. This report is designed to provide University management and the Audit
Committee with the assurance that approved actions have been undertaken in response to audit
recommendations and that where alternative courses of action have been taken that these meet the
spirit and objective of the agreed action.
For audit to be effective, an agreed understanding of the quantum and nature of evidence required to
demonstrate implementation of recommendations, and of the categorisation of recommendations, is
key. The framework and categorisation of progress against recommendations is outlined below:
Implemented – The design of the additional control or mitigating action is sufficient to
address the risk the audit recommendation identified, and the operation of the additional
control or mitigating action is demonstrable and grounded in evidence.
No Longer Applicable – The original recommendation and risk no longer exist as identified
by the audit, and it is agreed through the follow up process that further action is not required.
In Progress – Some of the actions meet the criteria to be classed as implemented. Actions
have either begun or are in progress and are on target to meet the original agreed
implementation date.
Ongoing – Actions do not yet meet the criteria to be classed as implemented or partially
implemented. Actions have begun but there is a significant risk that the original
implementation date may not be achieved. Commentary on progress may be added under
this categorisation.
Outstanding – There has been no significant action taken against the risk identified and/or
the recommendation is past its original agreed implementation date.
7. Other Services
7.1 Operational risk assessment workshops
Operational Risk Management (ORM) can be defined as, ‘the risk of loss resulting from inadequate or failed processes, people, and systems or from
external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical
standards and contractual obligations. It also includes exposure to litigation from all aspects of an institution’s activities.’ (Basel II: International
Convergence of Capital Measurement and Capital Standards).
Operational risk management is a tool for making smart decisions, used by people at all levels. Each person has a role to play in managing risk for the
unit and each role is vital to success.
As part of the University’s risk management strategy, operational risk management is beginning to be further embedded. Operational risk reporting is
currently managed at a faculty and divisional level through the planning process; it feeds into strategic risk reporting mechanisms where appropriate.
The Business Assurance Service is available to facilitate operational risk workshops to support colleges, departments and other units in developing and
documenting operational risk registers.
7.2 Project risk assessment workshops
‘The principles of project risk management can be stated very simply. Any project organisation is
subject to risks. One which finds itself in a state of perpetual crisis is failing to manage risks
properly. Failure to manage risks is characterised by inability to decide what to do, when to do it,
and whether enough has been done. Risk Management is a facet of quality, using basic techniques
of analysis and measurement to ensure that risks are properly identified, classified, and managed.’
(American Risk and Insurance Association).
The Business Assurance Service is available to facilitate project group sessions and to support
project teams in developing and documenting a project risk log.
7.3 The role of the Business Assurance Service in addressing fraud risk
The Business Assurance Service plans its work to consider the risk of fraud at the University. The
Business Assurance Service is required by HEFCE to:
'assess the adequacy of the arrangements to prevent and detect irregularities, fraud and corruption.
However, the primary responsibility for preventing and detecting corruption, fraud and irregularities
rests with management, who should institute adequate systems of internal control, including clear
objectives, segregation of duties and proper authorisation procedures.' HEFCE Audit Code of
Practice Circular 2004/27
HEFCE require that all accountable staff in the University should report suspected or actual
weaknesses. These reports can be made in confidence to the Head of Business Assurance under
the terms of the University's Public Interest Disclosure and Whistle Blowing policies.
Following receipt of a reported fraud the Head of Business Assurance will perform any investigatory
work he deems necessary and will report the outcomes of this work to the University’s fraud
response group.
7.4 Risk management awareness
The University faces an external environment which is increasingly fast moving and where financial and wider challenges require University action to
manage their impact. Risk management is the process by which challenges to the University are assessed and managed. It is a key requirement of the
HEFCE for universities to have robust and embedded risk management processes.
This workshop covers the basic principles of risk management. It takes workshop participants through the concepts and definitions of risk management
in a theoretical context. Participants are then invited to score the top risks faced by the University using the concepts learned.
The second half of the session covers risk practice and looks at the governance framework and practical systems put in place at the University to
manage its risks. Participants are then invited to score risks faced in their work at the University and are invited to consider controls which manage
those risks.
This workshop is useful for all managers, project leaders, and all those who are responsible for assessing and managing risks to the University’s
operations or projects.
7.5 Fraud awareness
This workshop presents practical examples of fraud that have actually occurred to help participants consider fraud in their areas of work and to
identify steps that can be taken to reduce the likelihood of fraud occurring and where fraud does occur increase the chances of detection.
The workshop explains the legislative background to the University’s approach to fraud including the legislation that is used to prosecute cases of fraud
and the requirements placed on the University in respect of fraud by funding bodies. The workshop also provides an introduction to money laundering
explaining what money laundering is, how it is undertaken and the implications of money laundering legislation for the University and its employees.
The workshop is aimed at all staff across the University and will be of particular use to those staff who manage procurement processes or who are
responsible for the implementation of financial and management controls.
7.6 Value for money awareness
The Value for Money Awareness workshops are designed to raise awareness of the University's Value for Money systems and show how they impact
upon departments and colleges. Attendees will have an opportunity to raise any specific issues relating to their own departmental and college issues and
gain insight into identifying, assessing and embedding effective value for money processes.
These workshops are useful for all managers, project leaders, and all those who are responsible for resource allocation and management.
Appendix 1
Accountability Framework
[Diagram, reconstructed as text]
HEFCE (Financial Memorandum; HEFCE Audit Service)
Required to demonstrate: effective risk management; effective controls; adequate governance
arrangements; efficiency and effectiveness (VFM).
University of Durham (Council; Annual Report)
Required to demonstrate that the Council has taken reasonable steps to ensure there are sound
arrangements for: effective risk management; effective controls; effective governance arrangements;
efficiency and effectiveness (VFM).
Audit Committee (Annual Report)
Requires assurance to report to the Governing Body on the adequacy and effectiveness of the
institution’s arrangements for: effective risk management (including the Statement of Internal Control
in the institution’s financial statements); effective controls; adequate governance arrangements;
economy, efficiency and effectiveness (VFM).
Internal Audit
Definition: ‘Independent objective assurance and consulting activity designed to add value and
improve an organisation’s operations’.
Scope: the whole of the risk management, control and governance arrangements of the HEI. Not to
question policy but to review how policy is derived and the means used by the University to deliver
its objectives.
Report on: effective risk management; effective controls; adequate governance arrangements;
efficiency and effectiveness (VFM).
Responsibility to: consider the adequacy of arrangements for the prevention and detection of fraud.
External Audit (Management Letter; Opinion on the Financial Statements)
Report on the financial statements, including the consistency of the Statement of Internal Control with
their knowledge of the University’s arrangements. Also to review the work of internal audit and the
extent of reliance to be placed on it.
Other Auditors: HEFCE, QAA, IIP.
Appendix 2
Audit Report Format
Report cover (template)
Overall Report Risk Rating: Good
Durham University, Business Assurance Service
Audit Review - XXXX
DRAFT Report XX-08 (2007-08)
Date: XX XXXXXX 200X
This report is CONFIDENTIAL and its circulation and use are RESTRICTED
Report tracking (planned date / actual date): scope issued; scope agreed; fieldwork completed; draft
report issued; management responses; revised draft report issued; final management responses; final
report issued.
Distribution: UEC sponsor; process owner; copy to Mrs P Lubacz, Treasurer; Audit Committee*;
External Audit*; Prof C Higgins, Vice Chancellor; Mr L Sanders, Registrar. (* Final only)
Current version: 1.0. Date issued: XX-XX-XX.
Financial quantum of area under review (budgeted figures 2007-08): £XXm
Report risk rating
This reflects the overall assurance grade being given to the report. In particular it is designed to give,
at a glance, Council, Audit Committee and senior management of the University a guide as to the level
of significance of the issues raised in the report. The grade is on a four point scale and is coloured via
a ‘traffic light’ system: green for lower risk, red for higher risk.
Report number and year
This shows the number and year of the report to assist in recommendation tracking and monitoring.
Report workflow
The workflow makes clear the timescales for scoping, delivery and reporting of the audit work. This
will show delivery against planned timescales, which will be related to the key performance indicators
set out in our annual assurance plan.
Distribution list
This shows the list of people to whom the report is copied within the University and whether they
receive the draft and final report. It also lists the process owner and UEC sponsor. The process owner
is responsible for providing formal management responses and an action plan for the points raised in
the report.
Financial quantum
This gives an indication of the financial size of the process being reviewed.
Version
The report shows version control data for monitoring of report distribution.
Appendix 2 – Audit Report Format
Introduction and background (template)
Area subject to audit
This review of XXXX…. general description of the background to the area/ process reviewed
Rationale for the audit
Our assurance plan is designed to meet the requirements of HEFCE’s Audit Code of Practice. The
assurance plan is designed to provide assurance, on a cyclical basis, over risks faced by the
University. A number of process level business risks have been considered and addressed as part
of the internal audit and these are detailed in appendix 1.
The strategic risks for the University that can be associated with the area subject to review….
Strategic Risk 4: To not enhance contribution to the economic, social, cultural, and educational life
of the North East through our position as an international research institute.
And also sub risks:
4Aii: Failure to manage corporate based and academically based consultancy units involving:
a) Corporate based consultancy
b) Academic based consultancy units (i.e. IADET, Language Centre)
Objectives of the review
This review had the following process objectives:
• To ensure that XXXX.
The sub objectives of the review were to ensure that:
• XXXX.
• XXXX.
Approach to the review
The review involved a review of XXXX policies and records. Discussions on processes and
procedures were also held with members of the XXXX Department. Testing covered the following
areas:
• XXXX
• XXXX.
Key contacts
The key contacts for this review were:
• XXXXX.
Area subject to audit
This section identifies the processes and systems under review for the purposes of the reader and to
provide a context in which to read the report.
Rationale for the audit
The Business Assurance audit plan is primarily risk based, that is, it is focused on risks identified by
the University and will review the processes and controls that manage these risks. There are reasons
why this may not be the case, for example, specific project work, proactive support, review of core
financial systems and specific circumstances, for example, identification of a fraud. This will be
identified here.
Objective and approach of the review
In this section the objective of the audit is reviewed and a description of the methodology used to
produce the report is given. This is the scope agreed for the audit review.
Key contacts
Here the report identifies the main University staff contacted during the review.
Appendix 2 – Audit Report Format
Executive Summary (template)
Lead BAS reviewer: XXXX
Conclusion
This review examined the XXXX.
Through a detailed consideration of XXXX processes, controls operating over the key process risks
have been considered for effectiveness and efficiency in reducing the gross risks inherent in the
process.
Based on the results of our review, we consider that adequate controls have not been developed
and are not operating over the risks identified with management over the XXXX processes.
Our detailed assessment of gross and residual risks arising from the University’s current systems
over the XXXX process is provided in appendix 1 to this report.
Risk rating
Good – There is an adequate and effective system of risk management, control and governance to
address the risk that objectives are not fully achieved.
Satisfactory – There is some risk that objectives may not be fully achieved. Slight improvements are
required to enhance the adequacy and / or effectiveness of risk management, control and governance.
Weak – There is considerable risk that the system will fail to meet its objectives. Significant
improvements are required to improve the adequacy and effectiveness of risk management, control and
governance and to place reliance on the process for corporate governance assurance.
Unacceptable – The process has failed or there is a real and substantial risk that the process will fail to
meet its objectives. Immediate action is required to improve the adequacy and effectiveness of risk
management, control and governance.
Rationale for the risk assessment
XXXX.
Conclusion
Here the report identifies whether the system is adequate in design and / or operation to control the
University’s risks flowing from its objectives for the process. These conclusions are mapped to the
University’s risk appetite and link to the risk map in appendix 1 to the report.
Risk rating
The report identifies the residual risk associated with the control environment currently in place at
the University, before consideration of planned controls and actions. It is graded on a four point scale.
Rationale for the risk assessment
Here the report sets out how the risk assessment has been arrived at.
Appendix 2 – Audit Report Format
Executive Summary (template, continued)
Key issues
The following key issues are raised from this review:
No. | Issue | Page No.
1 | XXXX | X
2 | XXXX | X
3 | XXXX | X
Good practices identified
We identified the following good practices:
• XX
• XXX
• XX
Key issues
Here the report summarises the key recommendations contained in the body of the report.
Good practices identified
The report identifies good practice identified and provides context for the recommendations for
improvement.
Appendix 2 – Audit Report Format
Issues and Recommended Actions (template)
Issue no. 1
Priority: High / Medium / Low (order points by priority)
XXXX (summary of the point being raised)
Issue / risk
XXXXX (what is the area / activity being commented on, i.e. what do they do)
XXXXX (what is the problem with what they do):
• XXXXX (use bullets to make distinct points)
• XXXXX
• XXXXX
There is a risk that XXXXX (what is the problem with what they do)
Recommendation
XXXXX (make clear recommendations that cannot be misinterpreted but which are not too
prescriptive):
1. XXXXX (use numbers to make distinct points)
2. XXXXX
3. XXXXX
University action to address recommendations:
Person(s) responsible:
Due date(s):
Issues and recommended actions
This forms the body of the report. This section contains specific report points which identify current
practice, our observation regarding that practice and the risk flowing from it. Each point is linked to a
recommendation for action to address the risk identified. Each point is graded as high, medium or low.
These grades are judgemental and reflect both the risk being addressed and the urgency or priority of
the action required.
Appendix 2 – Audit Report Format
Appendix 1 – risk analysis
The risk assessment of controls over the process against impact and likelihood is presented here. It is
grounded in the audit work performed and is intended to be a summary only of key risks considered
during the audit. It is designed to support the rationale for the report conclusion and the risk
assessment grading allocated to the report. This is agreed with management and is aligned to the
definitions used by the University in its risk management system (see appendix 1 to this briefing
note).
Appendix 1 – Risk Map (template)
Risk map – XXXX process (selected risks)
[Figure: risk map plotting likelihood of occurrence (Rare, Unlikely, Possible, Likely, Almost certain)
against quantum of impact (Insignificant, Minor, Moderate, Major, Catastrophic), with risks R1 to R6
shown at their gross and net positions.]
The process risk map shows a summary of risks agreed with the University’s management during this review. The map
shows in black the gross risk (the risk faced by the University before the application of controls) and in white the net or
residual risk (the risk faced by the University following the application of current controls). The arrow between the two
demonstrates the effect of current controls and mitigating actions against the risk.
No. | Risk
1 |
2 |
3 |
Further appendices
The BAS’s work is bespoke
and will cover a number of
areas of the University’s
operations and employ a
number of different
approaches. Further bespoke
appendices will be used to
expand and illustrate the
BAS’s findings.