240 likes | 788 Views
The Internal Audit Process Sarah Marsh Senior Internal Auditor Grant Thornton LLP. Agenda. Introduction – why we have internal audit Types of internal audit reviews available The audit process How you can prepare for an audit Summary. How do you perceive internal audit?.
E N D
The Internal Audit ProcessSarah MarshSenior Internal AuditorGrant Thornton LLP
Agenda • Introduction – why we have internal audit • Types of internal audit reviews available • The audit process • How you can prepare for an audit • Summary
How do you perceive internal audit? 1___________________________________________________10 Policeman Consultant
Why do universities have internal audit? • Public money • Government funding and other funding bodies • HEFCE Code of Audit Practice, which all universities have to comply with.
HEFCE Audit Code of Practice • This requires Audit Committees annually to have an opinion on four key areas: • Risk management, • Controls, • Governance and • Value for money. • Going forward from 2008/09 it is likely this will be extended to data integrity regarding the HESA/HESIS return. Audit Committees may request third parties to scrutinise this.
What is internal audit? Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Different types of internal audit provision • In-house • Co-sourced • Out-sourced • Consortium
The role of the university, management and internal audit The Board Audit Committee Management Internal audit • Other assurances • H&S • Academic quality • Consultants • etc External audit
Internal audit are concerned with • Helping management and the Board. • Promoting efficiency and effectiveness. • Risk management, internal control and governance.
Internal audit are not • Policemen, • Bean counters, • Only concerned about money, • Or there to do management's job.
Internal audit's key obligation is to provide Audit Committee with assurance. To achieve this, internal audit: • Needs to understand what the department seeks to achieve and what it seeks to prevent occurring; • Seek to challenge whether arrangements support objectives and are effective in managing risks. • Does this by talking, researching, testing and reporting.
Library areas that could be audited • Service provision – e.g. strategy, governance, risk management, performance indicators. • Specific subject areas – e.g. income, security, compliance with legislation, IT systems, grants/donations, stock rotation and environmental controls. • VFM – e.g. customer satisfaction, procurement, partnerships. • Consultancy – e.g system implementation, business re engineering • Investigation – e.g. fraud including theft of money or other assets and expense claims.
Audit length • The number of days allocated to an audit can vary from 2 days to 50 days depending on the organisation and depth of the review requested. • This will include research, on site work and reporting.
Example of library related reviews undertaken by Grant Thornton LLP At Middlesex University we undertook a service review of LRS and covered in 8 days: • The management structure,reporting lines and management information; • Risk management arrangements; • Value for money arrangements including staffing arrangements* and use of casual staff*; • Budgetary control framework; • Expenditure and income, including cash handling; and • Succession planning.*
At another university we also……… • Undertook a review to assess the adequacy of strategic and operational arrangements as several different library services were merging together. • Areas that were examined included: • Adequacy of strategies in place, • Framework/relationship documentation, • Reporting structure, • Project plans and arrangements, • Security and disaster recovery arrangements, and • Financial Management.
At another institution we looked at Operational risks • Journal purchases across the university, • Disaster recovery and business continuity plans, • Security issues, both technological and physical, • Processes surrounding historical artefacts, Financial risks • Financial management and control processes, • Control of donations, trust funds and research funds, • Income generating and trading activities including cash handling and banking arrangements, • Ordering, procurement and payment processes, • Accounting for, recording and disposal of assets.
In our experience we have found • Libraries do not usually get audited on their own but instead as part of a departmental review. • Generally libraries are well organised and we have in the past recommended efficiency savings or streamlining advice as they tend to be over controlled!
The audit process A typical internal audit review could include all or some of these stages • Scoping meeting • Issuing of an audit brief or planning document • Opening meeting • Testing (interviews, walk through tests, substantive testing) • Wash up meeting/informal feedback • Formal report (draft and final) • Follow-up
RememberMake sure the auditors include your own areas of concern.
How to prepare for an audit (1) • In theory the more information you can provide before the start of an audit the less time the auditor should be on site. • Inform key staff so they can make themselves available while the auditor is on site, if required. • Make sure the auditor understands how much time you have available. • Be prepared to be challenged.
How to prepare for an audit (2) • Challenge the auditor's understanding of the university, departmental issues and best practice in the sector. • Ensure your auditor provides value, for example review a specific area of your concern or benchmark against best practice. • Be kind to your auditor and get them on your side by providing appropriate accommodation and facilities (e.g. power point, photocopier, drinks).
Internal audit – a win win situation For the university: • Assurance that controls and risk managed are working as expected or where further enhancements are required. For management: • A fresh pair of eyes giving an independent and objective overview of their area. • Confirmation where things are working well or areas for improvement. For internal audit: • A chance to share or increase their knowledge of best practice (internal and external). • A better understanding on how the university operates.
Summary • There should be no such thing as standard internal audit review. Each review should be tailor made. • The primary customer for internal audit is the university Audit Committee and Board. The secondary customer is management. • Good relationships between the auditee and auditor is key in ensuring everyone's objectives are satisfactorily met. • Internal audit should not be viewed as 'policemen' but are there to help the university and audit area achieve its objectives.
Finally………. Questions and/or observations