Planning an Internal Audit
Internal Audit Approach
Internal audit provides assurance which, combined with other activities, forms part of the University’s risk assurance activities. The individual assignment objectives, audit findings and report are shared with local management, Senior Management and the Audit Committee. The action plan to address the findings is agreed with management and presented to the Audit Committee. In some circumstances these may be presented to the University Council at the Council's request.
The audit plan has been developed from a review of the 2012-17 Strategic Plan and from consultation with key staff. The three-year strategy is agreed with the Senior Management Team and the Audit Committee, and the annual plan is subject to approval as part of the Internal Audit Annual Programme procedures. This is presented to the Senior Management Team and the Audit Committee in June for the forthcoming academic year, to which the annual audit plan is aligned.
The key areas for consideration and inclusion in the strategic plan are summarised below. These are based on our understanding of the key risks and strategic aims, the methodology of which is discussed below, in “Risk Assurance Mapping”. Each audit area of interest identified in the strategic internal audit plan will be reviewed as an audit assignment. Thus the strategic plan will be developed into annual plans whereby the internal audit assignments are woven into the risk assurance process.
Risk Assurance Mapping
The design of the internal audit plan will be integrated into the risk assurance process. The plan will be closely aligned to review risks derived from the strategy and other significant, underlying risks which underpin the activities of the entire institution.
The risks identified against the four thematic aims will form the basis of the planning considerations for the internal audit plan. The four thematic aims are research, student experience, knowledge-led economy & society targets and internationalisation. The strategic risks by theme are included in appendix B.
The other risks which the internal audit plan will consider include underlying risks which relate indirectly to achieving these objectives. The risks which an institution should consider at a strategic level include human resources, finance, estates, information & communication technology, regulatory & compliance, and corporate governance & risk management.
Internal audit will consider the effectiveness of the mitigating controls identified in the risk register, the value these activities offer the University, and the unmitigated or unidentified risk exposure. This will be completed through internal audit activities which are predominantly internal audit reviews but may also include other assurance activities such as follow-up reviews, participation in governing committee or group meetings and consultancy-type reviews.
Senior Management and the Audit Committee will indicate the level of prioritisation for audit assignments and the recommended audit length. Senior Management and the Audit Committee will also advise on the timing of the audit assignment, delivery of the fieldwork and reporting arrangements, all of which will be overseen by the Head of Internal Audit. The audit objectives for each individual review will be discussed and agreed with Senior Management. For unusual or higher risk audit assignments, the objectives of the review will be shared with the Audit Committee prior to commencing the audit.
The approach to gaining assurance in internal audit typically involves evaluating control design, testing controls on a sample basis or by using Computer Assisted Audit Techniques (CAATs), and assessing value for money in terms of the economy, efficiency & effectiveness of activities.
The Internal Audit Service have appointed IT-related audit specialists to complete audit assignments which relate to IT controls and require specialist skills within internal audit.