Frequently asked questions on internal auditing
In brief, what happens when the auditors visit?
The department will be contacted in advance of the audit visit;
Heads of audited institutions and departmental administrators will attend an initial scoping meeting where the internal auditor will explain the purpose of the audit;
The internal auditor will explain what information will be required;
After the audit takes place, a draft report will be prepared for the department to comment upon;
There will be a closing meeting, which heads of institutions are encouraged to attend, and they will be asked to complete and sign feedback forms for consideration by the Audit Committee;
The final report is issued.
Why is my department being audited?
Your department will be contacted either because it has been identified for audit as part of a cycle which aims to cover all departments, or because a sample of departments has been selected by the auditors to carry out a thematic audit, for example to look at purchasing processes and procedures. Often, School Offices are consulted over the choice of Department to audit from their School. Occasionally the auditors will be asked to conduct an audit in response to a particular concern at an institution. In all cases, the audit brief will be discussed with the head of institution before any fieldwork takes place.
When will the audit review take place?
The audit plan is designed to ensure that all major University departments participate in some form of audit over the course of the three-year programme; most will have contact with the audit team on more than one occasion owing to differing types of audit taking place. You will be given several weeks' notice of the audit and efforts will be made to conduct the audit at a time which is convenient to you.
Who is involved?
Each audit has a designated sponsor. This can be the Head of the Department or institution concerned, but may be a senior person with designated responsibility for a certain area (e.g. continuity planning). The audit team will work with the audit sponsor to define the scope and timing of the audit. They will also ask for recommendations of people who should be interviewed as part of the audit fieldwork. The audit sponsor will also attend key meetings during the audit and is responsible for providing written management responses to the draft audit report.
What will the audit cover?
Internal audit covers all areas of the University’s operations. There are different types of audit, the most common being 'departmental' and 'thematic'. Departmental audits cover a range of processes and procedures, typically focusing on compliance with the University’s and/or sponsor’s regulations. Thematic audits involve a number of institutions to provide assurance on a particular area, such as purchasing or credit control. Other audits may look at systems and IT. The auditors are looking to assess compliance with regulations and to get an understanding of the mechanisms in place to manage key areas of risk. They may identify areas of best practice as well as areas for improvement.
What are the audit outputs?
When the auditors have completed their work they will make a number of recommendations ranked by priority and will also give an overall assurance rating for the department/area concerned. The audit sponsor will be asked to provide a response to all recommendations made before the report is finalised. As stated above, the auditors may also highlight areas of best practice which could be shared with other departments and institutions.
Who sees internal audit reports?
Draft internal audit reports are seen only by the audit sponsor, any other agreed stakeholders, the Director of Finance and his Deputy. The Audit Committee receives a copy of the final report. Copies of all audit reports are held on file by the Registrary’s Office. The Council receives minutes of the Audit Committee (but not usually papers) and so will see which audits have been conducted along with a synopsis of their outcome. The Audit and Regulatory Compliance Officer, who is the Assistant Secretary to the Audit Committee, forwards the relevant minutes of the Committee’s discussion to the audit sponsor.
What happens next?
Each of the auditor’s recommendations will have a deadline for action and these will be followed up when the agreed deadline in the final report is due. The timing of the follow-up visit is dependent upon the nature of the finding.
The Deloitte team has produced a guide to internal audit at the University, which is available to download as a PDF. If you are unable to download this document, or would like a hard copy sent to you, please contact the Audit and Regulatory Compliance Officer by email at firstname.lastname@example.org.