Frequently Asked Questions and Answers
1. What is the difference between Internal and External audit at the University?
Internal audit coverage at the University is provided by the University's Business Assurance Service. The Business Assurance Service is the University's independent assurance function that reports to Council and the Vice-Chancellor through the Audit Committee on the systems of control and governance, risk management, and value for money. The work of the Business Assurance Service covers both financial and non-financial aspects of the University's operations.
The role of external audit is to provide an independent opinion on the accuracy of the University's financial statements. The External Auditor reports to the University's Audit Committee.
2. What is the difference between Internal Audit and Business Assurance Service?
Traditional internal audit has largely been defined in terms of control, the review of controls and a focus on compliance. This traditional role has developed.
The focus on risk management has further broadened the role of internal audit to provide assurance over the way in which organisations manage the risks they face. This has meant a focus on business processes rather than systems and a clear link to the organisation's strategy and goals. Risk based auditing now asks not just ‘is the University doing things right? [compliance / operation of controls], but is it doing the right things? [effectiveness / design of controls]'.
An assurance service, therefore, needs to provide managers and stakeholders of the University with assurances that processes for managing risks faced by the University are reasonable. It cannot be the case that absolute assurance can be obtained from any assurance service. It is also the case that assurance must be provided by teams that have high quality staff and resources to provide assurance across all processes in the University including, but not limited to, traditional compliance checking of core financial and transactional systems.
The use of the term Business Assurance in this context therefore refers to this wider multi skilled assurance service.
3. How is the performance of the Business Assurance Service measured?
The Business Assurance Service has adopted a balanced scorecard to measure its performance. Our balanced scorecard measures and metrics are contained within our Annual Strategic Plan. These can be found on this website under 'Business Assurance Plans'. We are also subject to independent quality assurance arrangements via HEFCE's Audit Service and we have a regional arrangement with another HEI to provide detailed, quality assurance review over our independent service delivery.
4. How does the Business Assurance Service decide which areas to review?
The starting point in drawing up a strategic assurance plan is therefore the University's high level risk register. The risk register details risks which may prevent the University from achieving its strategic objectives. Over the lifetime of the four year plan all significant priority risks identified by the University will be reviewed. The contents of the Strategic Plan are also informed by the Business Assurance Service's knowledge of the University and their own risk assessment of systems.
The Business Assurance Service uses its four year strategic plan to draw up an annual plan ensuring that all areas in the strategic plan are covered over a four year period.
Workplans for the Business Assurance Service are approved by the University's Audit Committee and reported to Council. The Business Assurance Service also has a statutory right of access to information held by the University. In planning the timing of its work the Business Assurance Service makes every effort to take operational requirements of departments into consideration, it should however be noted that in some circumstances it may not be possible to meet the wishes of departments.
5. Which areas of the University's operations do Business Assurance Service reviews cover?
The Business Assurance Service's annual and strategic plans are made up of the following elements:
- Risk management
- Economy, efficiency and effectiveness
The nature of the plan in covering these areas requires the Business Assurance Service to review both financial and non-financial aspects of the University's operations.
6. What is the Business Assurance Service report I have received telling me?
Reports receive a report risk rating, this reflects the overall assurance grade being given to the report. In particular it is designed to give, at a glance, Council , Audit Committee and senior management of the University a guide as to the level of significance of the issues raised in the report. The grade is on a four point scale and is coloured via a ‘traffic light' system. Green for lower risk, red for higher risk. The risk rating identifies the residual risk associated with the control environment currently in place at the University before consideration of planned controls and actions.
The report contains a conclusion, here the report identifies whether the system is adequate in design and / or operation to control the University's risks flowing from its objectives for the process. These conclusions are mapped to the University's risk appetite and link to the risk map in appendix 1 to the report.
7. Do I have to agree with the findings of a Business Assurance Service review?
Managers responsible for areas under review have the opportunity to discuss the report with the Director of Business Assurance and the auditor. The Business Assurance Service prides itself on issuing factually accurate final reports, however there may be instances where managers do not agree with the assessments or recommendations the Business Assurance Service has made or the tone and wording of elements of the report. A draft stage with the process owner and then with the UEC sponsor to ensure its accuracy and that the recommendations, language and tone are right to achieve University objectives. This does not mean that all recommendations must be agreed and it is important that the Business Assurance Service does deliver an independent view on the process or area being reviewed.
There are four types of responses to recommendations:
- Agree with risk (Agree with recommendation as stated).
- Agree with risk (Note the recommendation but propose an alternative on cost or other grounds).
- Agree with risk (Consider risk is acceptable and propose no action).
- Disagree with risk (Disagree with action identified and propose no action).
The University response will form part of the final report that is submitted to the Audit Committee
8. Does the Business Assurance Service perform any other work?
Yes. The Business Assurance Service also performs an internal consultancy role for the University providing advice on a range of aspects of the University's operations.
The Business Assurance Service also has a role in investigating reports of fraud at the University, it is a requirement of HEFCE that the following types of fraud are reported to the Chief Executive of HEFCE:
- Frauds over £20,000 in value
- The particulars of the fraud are novel, unusual or complex
- There is likely to be public interest because of the nature of the fraud or the people involved
The Business Assurance Service also has a role in providing training to University staff on risk management and fraud and value for money awareness, details of this training can be found on the training courses section of the University's website. The Business Assurance Service also facilitates the University's risk management system, attends project boards, undertakes JCR financial statement audits, grant certification and provides ad hoc advice upon request.
Wherever resources permit, the Service is happy to advise on the University's rules and procedures or on implementing new systems. Wherever possible we aim to work in partnership to improve systems for the benefit of the University.
9. How would I report any concerns about theft, fraud or corruption?
All actual or suspected incidents of fraud or irregularity should be reported without delay to the Director of Business Assurance through email, telephone or direct meetings. The University's Code of Practice on Public Interest Disclosure (Whistleblowing) sets out the procedures you should follow if you have a suspicion that you wish to report in confidence. This guidance can be found on the Business Assurance Service's section of the University's website.
10. What is the end result of a Business Assurance Service review?
For most audits or investigations, a report will be produced. This will be copied to the Vice-Chancellor and Council and presented to the Audit Committee. We also, when acting in consultancy mode, provide training, facilitation, presentations and other forms of output as requested and as appropriate.
11. Will the recommendations I agree to be followed up?
The Business Assurance Service will follow up progress made against agreed recommendations prior to the meeting of Audit Committee. The objective of the follow up review is to analyse the current position of the University in relation to the implementation of actions to mitigate risks identified in previously reported audit recommendations. This is to ensure that the University is continuing to improve and build upon highlighted areas of control weakness.
12. What are the benefits of being audited?
The risk based approach used in the Business Assurance Service will:
- Help to identify potential areas of weaknesses or inefficiency within a system, process or department.
- Help to maximise the overall effectiveness of the system, process or department's services.
- Provide an independent view of risks and issues facing University managers.
- Provide practical, imaginative and challenging observations and recommendations for consideration.
The Report produced at the end of a review:
- Provides a balanced description of good practice, key strengths and any weaknesses to be addressed.
- Provides a detailed Action Plan, so that any programme of improvements can be effectively managed.
- Helps managers to demonstrate confident and open leadership and their commitment to process improvement in their areas.
13. We were reviewed last year. Does my area really need to be reviewed again?
Our Annual Assurance Plan, Strategic Assurance Plan and level of risk help to determine what resources are needed and the frequency of each review, if an area or service is assessed as being of high impact and high risk it is possible that a review may take place annually.
14. How long does a review take?
This depends on the complexity of the report. However, we try to limit disruption that may occur during an audit and work around existing commitments wherever possible. Co-operation in arranging meetings as soon as possible also helps to minimise the time taken to complete a review.
15. What is the difference between the role of the Business Assurance Service and line management?
It is management's responsibility to establish internal control. Internal control includes the whole systems of control and methods, both financial and operational, which are established to minimise risks and their impact, safeguard assets, ensure efficiency and to encourage adherence to University policies and directives.
It is the Business Assurance Service's role to carry out an independent appraisal and evaluation of the effectiveness of these controls. The Business Assurance Service is not part of line management; it does not develop and install procedures, prepare records or engage in any activity which could compromise its independence. However, this independence does not diminish the close working relationship and need for communication between the Business Assurance Service and other functions within the University.