Risk-based Assurance Approach
Our work will be predominantly risk-based, with the primary aim of providing an annual internal assurance opinion on the adequacy and effectiveness of risk management, control and governance and VfM. We will create a risk-based Strategic Assurance Plan, outlining our approach to providing assurance over the University’s highest risks over a period of three years. This will be supported by a more detailed Annual Assurance Plan of work.
A Terms of Reference will be prepared for each individual audit assignment and agreed with the audit sponsor and lead auditee. This will be risk-based and designed to evaluate the University’s risk exposure.
Our assurance work will review the system of control at a single point in time, and in areas with a high volume of activity our testing will be performed on a sample basis. This means that our work cannot guarantee the prevention or detection of fraud, but we will consider whether fraud risk has been properly considered in the design of controls, and our audit testing will be undertaken with the risk of fraud in mind.
Reporting the results of audit activity
An exit meeting will be held at the end of each audit assignment with the lead auditee (and audit sponsor, where applicable) to clarify any outstanding questions and to discuss our findings and conclusions. This meeting will also capture the lead auditee’s initial thoughts and ideas for addressing any remedial risks identified and explore the root cause of any unmitigated business critical risks.
A draft assurance report will be prepared, documenting our findings and conclusions. The lead auditee (or audit sponsor) will be asked to confirm their agreement with the issues identified, our assessment of the residual risk and to provide clear, time-bound management actions to address any weaknesses identified. Once agreed with the lead auditee and the audit sponsor, the report will be issued as a final assurance report.
If findings, conclusions or management actions cannot be agreed with line management, and the issues raised are considered sufficiently serious, the report will be escalated internally to the head of service, relevant director, a UEC member or potentially to the Vice-Chancellor for consideration. If agreement still cannot be reached, the management response will be captured and highlighted to Audit Committee at the next meeting. If the issue under consideration is regarded as business critical it will be reported to the Chair of Audit Committee immediately, to consider whether the issue should be escalated to Chair of Council.
Follow up of management actions
Implementing the management actions agreed as a result of our assurance work is fundamental to maintaining a sound control environment. We recognise that circumstances, organisational priorities and management awareness can change over time and that these actions will need to be kept under review. University Assurance Service will monitor management’s progress in completing these actions and prepare a regular report for UEC and Audit Committee.
- University Assurance Service Protocol (last modified: 20 February 2017)