5 March 2009
File ref: T/3/7/107
Ms Diane Scott
request-8277-
[email address]
Dear Ms Scott
Thank you for your email dated 19 February 2009. I am pleased to provide
you with the following information in response to your request.
1. The annual report of our audit committee for each of the years
ended 2003 to 2008
The Audit Committee Reports can be found at the following URL:
http://www.planning.ed.ac.uk/Governance/Court/Pub/meetings.htm
To access the reports click on the link for ‘Agenda and Papers’ for the
December of the year you would like to access. Online reports are available for
the years 2004/2005, 2005/2006, 2006/2007 and 2007/2008. The reports for
2002/2003 and 2003/2004 are attached.
2. The annual report of our internal auditor for each of the years
ended 2003 to 2008.
All the reports above include the internal audit report for that year.
3. The identity of our internal audit provider
The University has an in-house internal audit service.
4. The cost of our internal audit service for each of the years from
2003 to 2008.
The costs are included in the reports above – however I also attach a
summary of the costs for the years specified.
Copyright in the information you have been given belongs to the University of
Edinburgh or to another party. Copyright material must not be copied,
distributed, modified, reproduced, transmitted, published (including published
on the Internet or an intranet), or otherwise made available in whole or in part
without the prior written consent of the copyright holder.
C2
The University of Edinburgh
The University Court
15 December 2003
Annual Report of the Audit Committee to Court, FY 2002/2003
Brief description of the paper
The paper sets out the annual report from the Audit Committee to the University Court, on Financial Year
2002/2003, with the Internal Audit Report for 2002/03 (Annex 1, with five accompanying appendices) and
the draft minutes from the Audit Committee meeting held on 20 November 2003 (Annex 2).
Action requested
The University Court is invited to note the paper for information.
Resource implications
Does the paper have resource implications? The activities described in the paper can be met with existing
resource allocations.
Risk Assessment
Does the paper include a risk analysis? The paper describes the activities of the Audit Committee, which has
received reports on the University’s risk management controls during 2002/03 and which has also received
internal audit reports that have been prepared using a risk-based approach.
Equality and Diversity
Does the paper have equality and diversity implications? No.
Any other relevant information
The paper will be presented by Dr. John Markland, Convener of the Audit Committee.
Originator of the paper
Ms. S.M. Welham, Executive Secretary, Audit Committee
8 December 2003
Annual Report of the Audit Committee to Court for FY 2002/2003
1 Administrative Matters
Membership and Frequency of Meetings FY 2002/2003
Membership of the Committee for the FY 2002/2003 was as follows, with Court members marked*:
Dr J Markland * (Convener)
Professor A D Milne *
Dr I P Sword * (resigned May 2003)
Mr F H Hitchman
Mr G M Murray
Mr D A Ross Stewart (resigned w.e.f. 31 July 2003)
Mr J Stretton
Dr Markland assumed his role as Convener of the Committee in 2002/03. Mr D Ross Stewart and Dr I
Sword both resigned during 2002/03 for separate reasons, which were unrelated to the work of the
Committee. The Committee expressed its grateful thanks for their participation in the work of the
Committee.
The University Secretary is Secretary to the Committee and its Executive Secretary is Ms S. Welham.
Routinely in attendance during the year were: the Director of Corporate Services, the Director of Finance,
the Chief Internal Auditor, the Assistant Director of Finance responsible for Financial Accounting, the
executive secretary of the Committee, and the external auditors, KPMG. During 2002/03 the Committee had
a presentation from Vice-Principal Dr G.R. Field on IT security issues.
The Committee met on four occasions in the course of FY 2002/2003.
2.1 Internal Audit
Annual Report of the Internal Auditors 2002/2003
The Annual Report of the in-house internal auditors is attached as Annex 1. The Court’s attention is drawn
to Appendix E which is a new section on the assessment of the adequacy and effectiveness of risk
management within the University, and which was used to help derive the conclusion in the internal auditor’s
annual statement on the system of internal control in the University, which is endorsed by the Audit
Committee:
“On the basis of the work carried out during the year I conclude that where weaknesses were identified
these were addressed and that there is sufficient evidence of controls and procedures that are
functioning to provide reasonable assurance that the overall control environment is adequate in the
University. Risk management has been actively developed throughout the year and steps are
continuing to extend the process such that it becomes embedded further as an ongoing process.”
Chief Internal Auditor’s Annual Statement (see Annex 1)
2003/2004 Internal Audit Plan
At its meeting on 7 July 2003 the Court, on the recommendation of the Audit Committee, approved the
Strategic Audit Plan for 2003-06 and the Annual Audit Plan for 2003-04. The Chief Internal Auditor
prepared the plans in consultation with senior management, including the Principal as Chief Accounting
Officer.
2.2 External Audit
Appointment and Remuneration of External Auditor
At its meeting on 9 July 2001, on the recommendation of the Audit Committee, the University Court
appointed KPMG to conduct the external audit of the University for the three financial years from 2001/02.
The Audit Committee reviewed the External Auditors’ audit plan for the year ending on 31 July 2003 at its
27 February 2003 meeting. The Audit Committee reported to the Court at its 7 July 2003 meeting that the
proposed external fee for the University and Subsidiary companies for 2002/03 was £54,275 exclusive of
VAT, subject to minor adjustments for subsidiary companies.
Reports and Financial Statements for the year ended 31 July 2003
The Committee received the reports and financial statements for the year ending 31 July 2003, with the
exception of the Principal’s statement, at its meeting on 20 November 2003, together with a presentation by
KPMG on the external audit findings. The Committee noted the basis of the opinion of KPMG on the
accounts and the satisfactory nature of that opinion. The Committee concluded that the audit had been
satisfactorily performed and that there were no major issues to give significant cause for concern. The
Committee agreed for its part to commend the reports and financial statements that it had received to the
Court for adoption.
Management Letter 2002/2003
KPMG referred to the Management Letter in the report on the audit results. KPMG confirmed that, while it
highlighted various matters requiring the attention of management, which the Audit Committee is satisfied
are being addressed effectively, it contained nothing to impact on their ability to give a clean audit report on
the accounts for the year. On completion, the Management Letter will be forwarded to the Funding Council
as required by the SHEFC Code of Audit Practice.
2.3 Internal Control Systems
Based on the results of the work of the Internal Auditor as reported in the Internal Auditor’s Annual Report;
the External Auditors’ opinion on the financial statements as well as on the Management Letter; and direct
comments from relevant members of staff of the University, the Audit Committee considered that the
University’s internal control systems were functioning to provide reasonable assurance that the overall
control environment was adequate in the University and could be relied on by the University Court.
3 Other Committee Business
Other issues considered by the Audit Committee during 2002/2003 included: risk management, where it
received regular reports on the development of the Risk Management Strategy and Policy and the University
Overview Level Risk Register; the University’s corporate governance statement; the University’s
relationships with subsidiary and spin-out companies: Memoranda of Understanding with subsidiary
companies and the role of the University’s Nominated Officer; the Smith Report (January 2003): Audit
Committees – Combined Code Guidance; voluntary severance payments; IT security; value for money audit
reports; the Audit Committee’s terms of reference, in particular in relation to the Risk Management
Committee’s remit; and the Audit Committee’s composition and its interaction with senior University
managers. The Committee held its Annual Seminar in conjunction with the Risk Management Committee in
March 2003.
4 Fraud and Irregularity
The Audit Committee has not been made aware of any serious weaknesses in internal control systems,
significant fraud or major accounting or other control breakdowns.
Ms Welham, Executive Secretary, Audit Committee, 21 November 2003
University of Edinburgh
Internal Audit Annual Report 2002-03
Annex 1
Internal Audit Annual Report 2002-2003
1. Introduction
The Code of Audit Practice requires that the Audit Committee should be provided with an Annual
Report on Internal Audit's activities at the first meeting following the financial year-end. It also sets
out the minimum contents of such a report (paragraph 4.53-4.54).
2. Achievement of Annual Plan
Appendix A lists the assignments carried out during the year in the order that they were reported to
the Audit Committee. Appendix B summarises the main findings. The audit plan approved by the
Audit Committee is substantially completed (98%). Work is continuing on Postgraduate Admissions,
the School of Biomedical and Clinical Laboratory Sciences and Research Fees.
The original audit plan was designed to accommodate additional assignments arising during the year
and any unforeseen staff absences, by setting aside time to cover such eventualities (without
disrupting the scheduled assignments). This has once again worked well. Seven additional
assignments to the original plan were accommodated during the year (two did not result in a formal
report). Four assignments: IT Penetration Testing; Postgraduate Admissions; Estates & Buildings
Stores; and Corporate Governance - Compliance with Good Practice, required significantly more time
to carry out than had been planned.
3. Summary of Findings
The Code requires a summary of each audit report and these are set out in Appendix B. The more
significant control weaknesses and control assurances identified are set out in the table in Appendix
C. Based on audit findings during the year, Table 1 below highlights examples of where the control
environment requires enhancement.
Table 1: Examples of how and where the control environment could be enhanced
| Control Environment | Assignments identifying the need for control enhancement |
|---|---|
| Better Segregation of Duties | Accommodation Services: Commercial Income Collection, Overhead Recovery in Research and Consultancy Contracts. |
| Improved Organisational controls | IT Network Security (x2), IT Penetration Testing, Disposal of Waste. |
| Control over Authorisation and Approval | Acquisition and Disposal of Land and Buildings, Senior Staff Expenditure Claims, ICMB/Wellcome Trust Centre. |
| Improved Physical Controls | Vehicle Policy Compliance, Estates and Buildings Stores, Payment of Creditors: Accounts Payable. |
| More effective Supervision | Estates and Buildings Stores, Payment of Creditors: Accounts Payable. |
| Improved Personnel Controls | Vehicle Policy Compliance, Disposal of Waste. |
| Improved Arithmetic and Accounting Controls | Animal Houses, Accommodation Services: Commercial Income Collection, Restructuring Fund (Bond) Monies, Learning Technology Section, ICMB/Wellcome Trust Centre. |
| Improved Management | Vehicle Policy Compliance, Estates and Buildings Stores, Learning Technology Section, Payment of Creditors: Accounts Payable, ICMB/Wellcome Trust Centre. |
87% of recommendations from a programme of follow up reviews were found to have been
implemented in full as agreed. This is up from 77% in last year’s annual report.
Positive Assurances
• IT Network Security
• IS/IT Disaster Recovery - Corporate Systems
• IT Penetration Testing
• Capital Project Planning
• School of Engineering and Electronics
• Pathology
• Management of Intellectual Property
• Legal Services VFM
4. Value for Money (VFM)
VFM is considered as a routine aspect of each assignment. Appendix C identifies those assignments
that could result in VFM opportunities for the University.
5. Staffing
There was no turnover of staff during the year. IT audit specialists were engaged to provide support
on IT related assignments.
6. Internal Audit Performance Indicators
The SHEFC Code of Audit Practice states, “The Head of Internal Audit should, in conjunction with
management and the Audit Committee, establish and implement performance measures and
indicators, whereby the efficiency and effectiveness of the service can be monitored on an ongoing
basis”.
Appendix D includes a selection of Key Performance Indicators and a summary of the responses to
Performance Questionnaires received during the year from management, following an audit in their
area.
7. Turnbull Committee Report on Internal Control
The Turnbull Committee report emphasised that it was an essential part of the Main Board’s /
Governing Body’s (Court’s) responsibility to review the effectiveness of internal control. In coming
to a view, members are expected to seek input from the Audit Committee, other constitutional
committees, senior management, external and internal audit. SHEFC requires the Court to include a
statement in the annual financial statements on corporate governance, indicating how the University
has complied with good practice in this regard. There is a separate paper from the University
Secretary on the Draft Corporate Governance Statement giving advice to members on the Statement
of Internal Control.
8. Risk Management
The University Risk Management Committee is now fully operational. The University Risk
Management Policy and Overview Risk Register have now been endorsed by Court and will be
reviewed and confirmed by CMG, FGPC, Audit Committee and Court each year. Each College and
Support Group has prepared a Risk Register which will be formally reviewed annually by the Risk
Management Committee. Copies of the College/Support Group Risk Registers have been submitted
to the Risk Management Committee for appraisal.
An assessment of the adequacy of the University of Edinburgh’s risk management process is given in
Appendix E.
9. Annual Statement on the System of Internal Control
The Code of Audit Practice requires the Head of Internal Audit to provide an opinion on the adequacy
and effectiveness of the University's internal control system (paragraph 4.54). Internal Control is
defined in the internationally recognised report from the Committee of Sponsoring Organisations
(COSO) as:
"A process, effected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories: effectiveness and efficiency of operations; reliability of financial
reporting; and compliance with applicable laws and regulations."
It is important to note that:
• The Annual Statement is based upon the work done during the year as summarised in Appendix
B;
• Internal Control can provide only reasonable and not absolute assurance to management and
Court regarding achievement of the University's objectives. Internal Audit assignments have a
reasonable chance of detecting significant control weaknesses and cannot guarantee that fraud,
error or non-compliance will be detected;
• It is management's responsibility to maintain effective systems of internal control, risk
management and the detection of fraud, error or non-compliance;
• Internal audit forms part of the overall system of internal control.
Internal Audit has, during the year, reviewed, evaluated and tested the University's internal controls
based upon an Audit Needs Assessment approved by the Audit Committee in June 2002. Reference
has been made where appropriate to the quality standards in the Government Internal Audit Manual
(GIAM), and other recognised good practice guidance, as required by paragraph 1.7 of the Code of
Audit Practice.
On the basis of the work carried out during the year I conclude that where weaknesses were
identified these were addressed and that there is sufficient evidence of controls and procedures
that are functioning to provide reasonable assurance that the overall control environment is
adequate in the University. Risk management has been actively developed throughout the year
and steps are continuing to extend the process such that it becomes embedded further as an
ongoing process.
Hamish McKay
Chief Internal Auditor
Appendix A
Internal Audit Annual Report - List of Assignments
Completed
| No. | Audit assignment | Date Final Report Issued | Date to Audit Committee | Comment |
|---|---|---|---|---|
| 1 | Grounds Maintenance | 14-Oct-02 | Nov-02 | 2001-02 Annual Plan |
| 2 | Accommodation Services: Commercial Income Collection | 18-Oct-02 | Nov-02 | |
| 3 | Restructuring Fund (Bond) Monies | 15-Nov-02 | Nov-02 | 2001-02 Annual Plan |
| 4 | Corporate Governance: compliance with good practice guidelines | 28-Nov-02 | Feb-03 | |
| 5 | Science and Engineering Workshops | 10-Jan-03 | Feb-03 | |
| 6 | Management of Intellectual Property | 31-Jan-03 | Feb-03 | |
| 7 | Vehicle Policy Compliance | 11-Feb-03 | Feb-03 | |
| 8 | School of Engineering and Electronics | 26-Feb-03 | Jun-03 | |
| 9 | Estates and Buildings Stores | 27-Feb-03 | Feb-03 | |
| 10 | Disposal of Waste | 28-Mar-03 | Jun-03 | |
| 11 | Senior Staff Expenditure Claims | 16-May-03 | Jun-03 | Added to original plan |
| 12 | Acquisition and Disposal of Land and Buildings | 27-May-03 | Jun-03 | |
| 13 | Capital Project Planning | 30-May-03 | Jun-03 | |
| 14 | IS/IT Disaster Recovery - Corporate Systems | 2-Jun-03 | Jun-03 | |
| 15 | Overhead Recovery in Research and Consultancy Contracts | 3-Jul-03 | Oct-03 | |
| 16 | IT Network Security | 7-Jul-03 | Oct-03 | |
| 17 | Learning Technology Section | 7-Jul-03 | Oct-03 | |
| 18 | CHSS: Delegated Authorisation Protocols | 17-Jul-03 | Oct-03 | |
| 19 | Animal Houses | 14-Jul-03 | Oct-03 | |
| 20 | Pathology | 06-Aug-03 | Oct-03 | |
| 21 | Institute of Cell and Molecular Biology/Wellcome Trust Centre | 25-Aug-03 | Oct-03 | Added to original plan |
| 22 | Legal Services VFM | 16-Sep-03 | Oct-03 | |
| 23 | IT Network Security - Management Arrangements | 17-Sep-03 | Oct-03 | Added to original plan |
| 24 | Transparency Review | 24-Sep-03 | Oct-03 | |
| 25 | IT Penetration Testing | 26-Sep-03 | Oct-03 | Added to original plan |
| 26 | Identification, Assessment and Management of Business Risks | 29-Sep-03 | Oct-03 | Part of Annual Report |
| 27 | Payment of Creditors: Accounts Payable | 30-Sep-03 | Oct-03 | |
| 28 | Delegated Authority | == | Oct-03 | No report as such |
| 29 | Postgraduate Admissions: Compliance with QAA Code of Practice | == | (Oct-03) | Findings from one College to October meeting |
Continuing
| No. | Audit assignment | Date Final Report Issued | Date to Audit Committee | Comment |
|---|---|---|---|---|
| 30 | Postgraduate Admissions: Compliance with QAA Code of Practice | | | For remaining two Colleges |
| 31 | School of Biomedical and Clinical Laboratory Sciences | | | |
| 32 | Research Fees | | | Added to original plan |
| Follow up Reviews (15) | Date to Audit Committee | Recommendations agreed | Recommendations implemented |
|---|---|---|---|
| Continuing Education - Summer School | Oct-02 | 5 | 5 |
| Income Recognition - CPD/Training/Consultancy | Oct-02 | 5 | 3 |
| Accounts Receivable | Oct-02 | 5 | 2 |
| Records Management | Feb-03 | 1 | 1 |
| Students Association - Catering | Feb-03 | 1 | 1 |
| English Literature | Feb-03 | 3 | 3 |
| School of Law | Feb-03 | 3 | 3 |
| Tropical Animal Health | Feb-03 | 9 | 8 |
| General Practice | Feb-03 | 5 | 5 |
| Sci-Fun | Feb-03 | 11 | 11 |
| Students Association General Expenditure, Payroll and Management Accounting Arrangements | Jun-03 | 6 | 4 |
| Informatics | Jun-03 | 8 | 8 |
| Accident and Incident Reporting | Jun-03 | 3 | 2 |
| Communication of Responsibilities to Heads of Departments | Jun-03 | 1 | 1 |
| Staff Appointments in Subsidiary Companies | Jun-03 | 1 | 1 |
| Total | | 67 | 58 (87%) |
Appendix B
SUMMARY OF FINDINGS FROM AUDIT ASSIGNMENTS DURING 2002-2003
(Listed in the order that the final report was issued)
1. GROUNDS MAINTENANCE
While the VFM study performed by the Landscape Maintenance Officer provides assurance
that the service is being provided efficiently to the University by the Grounds Maintenance
Section, it does not demonstrate that an alternative arrangement could not provide savings to
the University through greater economy and/or effectiveness. Therefore the University
should consider making direct comparisons with the market. The service is presently supply-
led rather than demand driven and there should be a more transparent method of confirming
the levels of grounds maintenance required. Estates and Buildings senior management agreed
to conduct partial testing against the external market, although they consider Grounds
Maintenance to be a corporate service which cannot easily be devolved to Colleges.
Issued 14/10/02; 2 recommendations, both agreed.
2. ACCOMMODATION SERVICES: COMMERCIAL INCOME COLLECTION
The existing systems in use in Accommodation Services for commercial income did not
provide an effective control environment and require considerable dependence on
supplementary checks and reconciliations such as spreadsheet records. There is therefore a
greater risk of accounting error, although we found no evidence of this in our review. There
are plans to enhance existing systems to address the control weaknesses identified. These
enhancements need to be supported by additional reconciliations and controls.
Issued 18/10/02; 11 recommendations, 10 agreed, 1 partly agreed
3. RESTRUCTURING FUND (BOND) MONIES
Procedures for the authorisation, approval, recording of, accounting for and monitoring of the
achievement of Restructuring Fund (Bond)
funded projects are being consolidated. There
was an incomplete record of the formal authorisations and it was agreed that these would be
obtained where necessary. There was an acknowledged need to reassess the percentage of the
corporate share of the income retained through NPRAS arising from additional overseas
student fees following a Restructuring Fund project.
Issued 15/11/02; 2 recommendations, both agreed.
4. CORPORATE GOVERNANCE - COMPLIANCE WITH GOOD PRACTICE GUIDELINES
We reviewed compliance against a list of good corporate governance indicators and found
evidence of satisfactory compliance for the majority of the indicators. The majority of the
remainder concerned implementation of an embedded culture of risk management and some
others on roles and responsibilities within the University. Significant developments are
underway that should achieve full compliance in all the areas assessed. We were able to
provide an assurance that the University can demonstrate a substantial degree of compliance
with perceived good practice on corporate governance.
Issued 28/11/02; Our suggestions were all agreed.
5. SCIENCE AND ENGINEERING WORKSHOPS
There is scope to introduce a centrally administered workshops service, which would
facilitate co-ordinated service delivery (in terms of better co-ordination of job requests,
absence cover, and career progression). Any move toward centralised administration of
workshop services will require to be supported by the ongoing collection and provision of
appropriate financial information relating to income and cost streams. There is potential to
achieve cost savings in workshop services by the introduction of e-procurement initiatives,
and to introduce efficiency gains in the stores by reducing stockholding in local
workshop/laboratory stores and larger School stores.
Issued 10/01/03; 7 recommendations, College management accepted the overarching
recommendation and the principle of the detailed recommendations in the report.
6. MANAGEMENT OF INTELLECTUAL PROPERTY
ERI is managing the University’s Intellectual Property effectively, with appropriate regard to
maximising the University’s commercial income and to the risk of litigation arising from poor
intellectual property management. There is a need to formulate a University Policy on
Intellectual Property, and ERI would be well placed to advise on this policy.
Issued 31/01/03; 3 recommendations, all agreed.
7. VEHICLE POLICY COMPLIANCE
While the University
Vehicle Policy should facilitate good vehicle management if adhered to,
there was evidence of non-compliance identified. A single comprehensive vehicle record
would assist compliance with the Motor Insurance Database EU 4th Directive and reduce both
risk to the University and resources involved in maintaining vehicle records. Value for
money is being compromised by the unilateral acquisition of vehicles in schools and
departments. There is considerable scope to improve available management information on
vehicle utilisation and fuel use.
Issued 11/02/03; 8 recommendations, all agreed
8. SCHOOL OF ENGINEERING AND ELECTRONICS
We found that there are effective financial and budgetary control procedures within the
School. We also found that there were effective procedures to ensure appropriate
authorisation of expenditure commitments. We were able to obtain sufficient evidence that
there was a satisfactory control environment within the School.
Issued 26/02/03; 1 recommendation, agreed.
9. ESTATES AND BUILDINGS STORES
There is considerable scope to achieve more economy and efficiency within the stores
functions in Estates and Buildings. Serious consideration should be given to investing in
upgrading the capability of the
EBIS stock recording system to provide better management
information. There are indications that there could be early returns from such an investment.
To maintain a network of satellite stores with the inevitable poor physical access controls,
greater management challenge of the need for items requisitions is required, combined with
more frequent stock checks of satellite stores. This should reduce local stockpiling, inhibit
over ordering, release working capital tied up in stock and lead to greater accountability and
efficiency.
Issued 27/02/03; 7 recommendations, all agreed
10. DISPOSAL OF WASTE
Controls are in place to provide an assurance that waste sent for disposal by the University is
being carried out under controlled conditions. Procedures for handling waste on behalf of
associated external bodies should be tightened. There is a need to document more fully the
roles and responsibilities of the key individuals involved in hazardous waste
accidents/incidents, combined with a more robust register of who should be receiving
refresher training courses.
Issued 28/03/03; 7 recommendations and three suggestions, all recommendations agreed
11. SENIOR STAFF EXPENDITURE CLAIMS
Following the University restructuring, we identified inconsistencies in the arrangement for
authorising expense claims for senior staff and conducted a review of the existing
arrangements. There was no suggestion that any improper payments had been made, but the
University recognised the need to regularise practice to ensure that corporate governance was
not jeopardised. The Principal approved a schedule of authorisation for approval of senior
staff expenditure claims.
Issued 16/05/03; 2 recommendations, both agreed
12. ACQUISITION AND DISPOSAL OF LAND & BUILDINGS
We are able to provide an overall limited assurance that the process, procedures and controls
in place are working and that disposals are being documented and recorded accurately,
subject to improvement of current documentation and compliance issues. We were unable to
evidence structured progress towards Court’s objective of a 10% reduction in the size of the
estate over ten years to help address the projected gap between income and expenditure.
*Audit Committee minutes (12th June 2003) noted,
• “The University had an estates strategy and that the new Heads of Colleges and
Support Groups had been actively reviewing the estate plans in the light of the
organisational changes that had taken place.”; and
• “The Committee agreed that it would be helpful to discuss this issue at its
October or November 2003 meeting, drawing on current work within the
University.”
Issued 27/05/03; 8 recommendations, 6 agreed.
13. CAPITAL PROJECT PLANNING
Our enquiries and testing were able to confirm that there were adequate controls in the
University to mitigate the risks arising from the IDCOM project, and where applicable, SRIF
projects generally.
Issued 30/05/03: No recommendations, although we notified some issues to Estates and
Buildings senior management.
14. IS/IT DISASTER RECOVERY - CORPORATE SYSTEMS
Based on the consistent assurances we have received from management regarding the
outcome of the January 2003 test of the Corporate Systems Disaster Recovery Plan, combined
with review of the updated Disaster Recovery Plan and the testing we performed in line with
the CIPFA Computer Audit Guidelines, our overall conclusion is that the University has
effective plans and procedures in place to facilitate recovery of key business systems in the
event of a disaster affecting its IS/IT infrastructure.
Issued 02/06/03; No recommendations.
15. OVERHEAD RECOVERY IN RESEARCH AND CONSULTANCY CONTRACTS
Within the constraints imposed by the nature of the University’s research portfolio (which
includes work undertaken for charities and government agencies) ERI attempt to secure the
maximum overhead recovery possible when costing research and consultancy contracts. Our
testing indicated that where overheads are included in these contracts, monies were recovered
in full and timeously. The sensitivity analysis we performed on consultancy charge-out rates
indicated a risk of under-recovery of overheads in two combinations of staff grade and rate
charged. We also noted one instance where segregation of duties was being compromised by
an academic who was charging his own time as consultancy to his own research project
without the need for authorisation of the time or the charge by a line manager.
Issued 03/07/03; 4 recommendations, all agreed
16. IT NETWORK SECURITY
The fieldwork on this assignment was carried out in conjunction with an IT Consultant whom
we commissioned to assist us for this review. The audit work was carried out in accordance
with the CIPFA Computer Audit Guidelines. Our findings in relation to the audit work were
that at operational level there appear to be adequate and effective measures in place to protect
the security and integrity of the University’s ‘EdLAN’ network. However, we noted a
number of residual risks, relating to areas outwith the control of Computing Services and the
local Computing Officers, and which relate to the overarching University-wide management
of IT Security matters. These issues were addressed by way of a separate report to the Vice-
Principal for Knowledge Management (see item 23 below).
Issued 07/07/03; 7 recommendations, all agreed.
17. LEARNING TECHNOLOGY SECTION
There is scope to review Medical Illustration’s charging methodologies to help ensure that
costs and overheads are fully covered and a surplus generated. Control over authorisation of
payments could be improved to ensure that payments made are authorised by the correct
signatory. More informed budgetary control would be achieved if budgets were notified and
profiled at the beginning of the financial year by the College.
Issued 07/07/03; 8 recommendations, all agreed.
18. CHSS: DELEGATED AUTHORISATION PROTOCOLS
Internal Audit agreed to help the College of Humanities and Social Sciences (CHSS) develop
delegated authorisation protocols. We prepared a schedule detailing various areas where
delegated authority is required to support authorisation and approval of a range of expenditure
and resource commitments, and provided comment and suggestions where appropriate. There
is potential to standardise further the procedures in the 10 Schools, and within the College
Office.
Issued 17/07/03; 16 suggestions were made. College senior management indicated their
appreciation of the suggestions, and will discuss them further at College Executive, and
potentially College Planning and Resources Committee.
19. ANIMAL HOUSES
The University is currently bearing the residual costs of animal houses, as costs are not fully
recovered from charges to users. The introduction of a uniform charging methodology for
animal houses should mitigate the risk of research sponsors withholding monies from the
University. The current arrangements increase the risk of non-compliance with EU tendering
regulations as a result of the disparate purchasing sources, and may also result in poor Value
for Money.
Issued 14/07/03; 2 recommendations, both agreed.
20. PATHOLOGY
There is a need to nominate formally a Data Protection Officer, who should be charged with
ensuring all relevant filing systems containing personal and sensitive personal data are
identified. There is a satisfactory level of financial control operating within the Division.
Issued 06/08/03; 6 recommendations; all agreed.
21. INSTITUTE OF CELL & MOLECULAR BIOLOGY /WELLCOME TRUST CENTRE
There is scope to improve the control over issues of stock and goods from stores to ensure all
charges are authorised and applied to the appropriate source of funding at the outset. The use
of Research Training Support Grants should be reviewed to ensure that funds issued to ICMB
are used in line with the conditions placed upon them. Further development is required of
E-Financials stock management information to provide an effective means of supporting the
monitoring of a store.
Issued 25/08/03; 10 recommendations, 9 agreed, 1 not agreed in favour of an alternative
suggestion.
22. LEGAL SERVICES VFM
There are several suppliers of legal services to the University. More money is being spent on
personnel legal services in absolute terms since the award of a new contract in 2002, but
indications are that this is being applied more efficiently and effectively. There is an effective
process to ensure Value For Money is received for day-to-day legal advice. With regard to
estates legal services, there is some comfort of VFM being achieved in Estates and Buildings
and the Director of Corporate Services has undertaken to address the position in
Accommodation Services in the coming year.
Issued 16/09/03; No recommendations.
23. IT NETWORK SECURITY – MANAGEMENT ARRANGEMENTS
An IT Consultant assisted us with this review. Our scheduled internal audit work on IT
network security (see item 16) identified a number of issues relating to overarching
University-wide management of IT Security matters. In particular, there appears to be a
degree of incongruence between the current functioning of the main IS/IT advisory
Committees, resulting in operational-level confusion regarding responsibility for formulating
and driving University-wide IT Security strategy and policy. The new Vice Principal
(appointed with a pan-University remit in this area) has undertaken to revisit the existing IT
Security policy, and address concerns regarding the current role and functioning of IS/IT
advisory Committees. She has also undertaken to introduce a more formal and co-ordinated
grouping of Computing Officers throughout the University in order to help minimise the risks
arising from inconsistent management of network security issues.
Issued 17/09/03; 4 recommendations, all agreed.
24. TRANSPARENCY REVIEW
We were able to confirm that the University submitted a Transparency Review costing return
for 2001-02 signed by the Principal before the agreed deadline, that the costing systems
established by management followed the recommendations in the Transparency Review
report, and that the systems were adequate, effective and applied consistently.
Issued 24/09/03; No recommendations.
25. IT PENETRATION TESTING
It was decided to test the effectiveness of the controls over electronic penetration attempts
(hacking). The testing was intended to provide Court, the Risk Management Committee and
the Audit Committee with a degree of assurance in this regard. An outside contractor was
commissioned and provided with a list of selected ‘devices’ to test. These represented a cross
section of areas and functions across the University. The contractor concluded that the
overall level of server security at Edinburgh University was better than average.
Issued 26/09/03; Of the 33 (net) findings - 17 have been actioned; 12 more are in the process
of being actioned; and it was decided that the residual risk identified was acceptable in 4 low
rated findings.
26. IDENTIFICATION, ASSESSMENT AND MANAGEMENT OF BUSINESS RISKS
A specific assessment of the adequacy and effectiveness of the Risk Management process has
been included as part of the Internal Audit Annual Report.
Completed 29/09/03; No recommendations.
27. PAYMENT OF CREDITORS: ACCOUNTS PAYABLE
There is significant scope for the improvement of internal controls over the payment of
creditors through Accounts Payable. Processing performance has been reduced over a period
of time due to increased workload pressures. A number of internal controls have lapsed in
favour of local expediency to cope with workload pressures and meet payment demands.
Close supervisory monitoring has not been increased to compensate for expedient measures
taken.
Issued 30/09/03; 14 recommendations, 13 agreed and 1 alternative course of action taken.
28. DELEGATED AUTHORITY
Internal Audit continued to provide assistance to the University Secretary on the preparation
of a Delegated Authorisation Schedule.
29. POSTGRADUATE ADMISSIONS: COMPLIANCE WITH QAA CODE OF PRACTICE
College of Science and Engineering: Based on analysis of responses to our online
questionnaire, our conclusion is that most areas surveyed are prepared to demonstrate
compliance with the detailed good practice points contained in the QAA code. We have
identified opportunities for sharing good practice in Schools and areas requiring action at
College level.
College of Science & Engineering report issued 18/08/03, No recommendations.
Analysis of responses to the questionnaires in the College of Medicine and Veterinary
Medicine are ongoing, and the questionnaire is currently being rolled out in the College of
Humanities and Social Sciences.
University of Edinburgh
Internal Audit Annual Report 2002-03
Appendix C
Internal Controls 2002-03: Analysis of the strengths and weaknesses identified in
the Control Environment
Internal Controls (columns, in order): Segregation of Duties; Organisation; Authorisation & Approval; Physical; Supervision; Personnel; Arithmetic & Accounting; Management. Final column: VFM Opportunities?
Ref | Audit assignment | Control marks (column positions not preserved) | VFM Opportunities?
1 | Grounds Maintenance | | Yes
2 | Accommodation Services: Commercial Income Collection | XX X X | Yes
3 | Restructuring Fund (Bond) Monies | X X |
4 | Corporate Governance: compliance with good practice guidelines | |
5 | Science and Engineering Workshops | | Yes
6 | Management of Intellectual Property | |
7 | Vehicle Policy Compliance | X X XX | Yes
8 | School of Engineering and Electronics | | Yes
9 | Estates and Buildings Stores | X XX X XX | Yes
10 | Disposal of Waste | X X X X |
11 | Senior Staff Expenditure Claims | X X X |
12 | Acquisition and Disposal of Land and Buildings | X X | Yes
13 | Capital Project Planning | |
14 | IS/IT Disaster Recovery - Corporate Systems | |
15 | Overhead Recovery in Research and Consultancy Contracts | X X |
16 | IT Network Security | X |
17 | Learning Technology Section | X X X | Yes
18 | CHSS: Delegated Authorisation Protocols | |
19 | Animal Houses | XX | Yes
20 | Pathology | X |
21 | ICMB/Wellcome Trust Centre | X X X X | Yes
22 | Legal Services VFM | |
23 | IT Network Security – Management arrangements | X |
24 | Transparency Review | |
25 | IT Penetration Testing | X |
26 | Risk Assessment | |
27 | Payment of Creditors: Accounts Payable | X X X XX X X |
28 | Delegated Authority | |
29 | Postgraduate Admissions: Compliance with QAA Code of Practice | | Yes
Key: (A blank entry indicates either not assessed, or no particular strengths or weaknesses identified.)
= Control Assurance identified, X = Control weakness identified,
= Strong Assurance identified, XX = Inadequate control identified.
Note: These assessments were made on the basis of the findings at the time of the audit.
University of Edinburgh
Internal Audit Annual Report 2002-03
Appendix D 1
Key Performance Indicators for Internal audit
The SHEFC Code of audit Practice states, “The Head of Internal audit should, in conjunction
with management and the Audit Committee, establish and implement performance measures
and indicators, whereby the efficiency and effectiveness of the service can be monitored on an
ongoing basis”. “It is for each institution to adopt or develop a set of measures and indicators
which are appropriate to its needs and circumstances”.
Performance measures | Year 2000-01 | Year 2001-02 | Year 2002-03
General Performance Indicators
Annual cost of service | £145k (1) | £165k | £174k (2)
Direct audit days available (3) | 602 | 665 | 692
Cost per direct audit day | £240 | £248 | £252
Number of audits | 25+2 to finalise | 28+2 to finalise | 29+3 to finalise
Number of recommendations made | 84 | 136 | 142
Number of follow up reviews | 16 | 12 | 15
Performance measures indicating efficiency
University of Edinburgh income received / Internal Auditors | £70M | £71.25M | £78.5M
University employees / Internal Auditor | 1457 | 1474 | 1505
% Available time applied to audit work | 84% | 85% | 86%
% Allocated audit time actually spent conducting audit work | 94% | 104% (4) | 99%
% Completion of the annual audit plan by annual report stage | 98% | 99.5% | 98%
Performance measures indicating effectiveness
% Audit work undertaken by fully qualified staff | 64% | 63% | 92% (5)
% Recommendations agreed by management | 94% | 95% | 94%
% Agreed recommendations found to be implemented when followed up | 94% | 77% | 87%
% Audits perceived to add value (6) | ------- | 90% | 83%
1 Vacancies in 2000-01.
2 Plus £7,000 added from central Contingency Fund to meet cost of IT Penetration Test.
3 After leave, office admin & training. Includes specialist contract staff support.
4 Less staff training in 2001-02 than anticipated.
5 All staff are at least part qualified.
6 Derived from Internal audit performance questionnaire.
University of Edinburgh
Internal Audit Annual Report 2002-03
Appendix D 2
Audit Committee
16 October 2003
Internal Audit Performance Questionnaire
In response to a request from the Committee, a process was initiated in 2001-02 of
seeking feedback from managers of activities which had been the subject of internal
audit. Responses are sent direct to the University Secretary who compiled the attached
consolidated report for the Audit Committee.
Attached, for the information of members, is an analysis of responses received during
the financial year 2002/03. It includes responses to work carried out at the end of the
previous financial year and excludes assignments completed within the last two months.
October 2003
Internal Audit Performance Evaluation Questionnaires
Based upon feedback from the 19 Audit Assignments listed at the foot of the page.
Question | YY | Y | N | NN | Other
1. Were you given adequate notification of the audit? | 13 | 5 | 1 | - |
2. Were you informed adequately of the audit objectives and scope? | 6 | 11 | 2 | - |
3. Were the appropriate staff consulted for the audit area covered? | 9 | 8 | 1 | 1 (a) |
4. Did staff conduct themselves in a professional manner during the audit? | 10 | 9 | - | - |
5. Were you given the opportunity to discuss the report with the auditor prior to finalisation? | 10 | 9 | - | - |
6. Were the recommendations in the report practical and realistic? | 4 | 13 | 2 | - |
7. Was the report produced to a professional standard? | 8 | 11 | - | - |
8. Do you feel that the audit was worthwhile and has added value to your work? | 3 | 12 | 3 | - | 1 (b)
Percentage % | 41 | 51 | 6 | 1 | 1
Key
YY fully satisfied
Y Satisfied
N not satisfied
NN fully dissatisfied
Completed Audit Assignments subject to performance evaluation
Returns received (19)
Returns not received (7)
• General Practice
• School of Law
• Business Rates Management
• Leavers from the payroll
• Festivals Office
• Student tuition fee income collections
• Grounds Maintenance
• Restructuring Fund (Bond) monies
• Geography - Income collection & recognition
• Management of Intellectual Property
• Disposal of Waste
• Overhead recovery in research & consultancy contracts
• Accommodation Services: Commercial Income Collection
• Workshop Services - Science & Engineering
• IS/IT Disaster Recovery - Corporate Systems
• Corporate Governance: Compliance with Good Practice Guidelines
• CHSS: Delegated Authorisation Protocols
• Vehicle Policy Compliance
• Capital Project Planning (IDCOM)
• Acquisition/Disposal of Land & Buildings
• IT Network Security
• Estates & Buildings Stores
• Pathology
• Learning Technology Section
• Engineering & Electronics - School audit
• Animal Houses
a Outside contractors not consulted to establish cost and quality comparisons.
b Respondee no longer head of department and felt unable to comment on perceived added value.
University of Edinburgh
Internal Audit Annual Report 2002-03
Appendix E
Risk Management - Assessment of its adequacy and effectiveness
Requirement
The Scottish Higher Education Funding Council’s Accounts Direction in Circular HE/32/03 requires that
Institutions should disclose as a minimum that:
• There is an ongoing process for identifying, evaluating and managing the significant risks faced by
the institution.
• The process has been in place for the year under review and up to the date of approval of the Annual
Accounts.
• The governing body regularly reviews the process.
• The process accords with the Turnbull guidance.
The Turnbull guidance requires that risk assessment and internal control should be embedded in ongoing
processes. Management’s role is to implement the governing body’s policies on risk and control. The
governing body is required to review the effectiveness of internal control.
Internal audit is required to report upon the adequacy and effectiveness of the risk management process as
part of its assessment of the overall control environment. Recent guidance from the Institute of Internal
Auditors suggests assessment using the following parameters:
• The extent to which objectives of the risk management process have been set and communicated at all
levels within an organisation, and are supported by consistent business strategies, plans and budgets.
• The adequacy of the mechanisms for identifying, analysing and mitigating key business risks arising
from both external and internal sources.
• The existence of mechanisms for identifying and reacting to both routine and more dramatic changes
that could affect the organisation’s ability to achieve its objectives.
Findings
1. A Risk Management Committee has met throughout 2002-03.
2. Court formally approved a Risk Management Policy and Strategy on 16 December 2002.
3. Court adopted a University level overview Risk Register on 17 March 2003.
4. The overview Risk Register is profiled against the University’s main strategic objectives.
5. Risk Registers have been developed for each College, Support Group and major subsidiary
company.
6. The Registers allocate responsibilities for mitigating the risks identified to specific individuals.
7. Each Head of College, and Support Group, has signed a positive declaration stating the key risks that
have materialised in their areas of responsibility during the year. The Risk Management Committee
has reviewed these declarations.
8. The overview Risk Register and a Risk Management Guidance Manual are available on the intranet.
9. There has been a programme of seminars delivered to senior and middle managers across the
University on risk management led by the convenor of the Risk Management Committee.
10. Planning documents submitted by Colleges and Support Groups have taken cognisance of risk
assessments associated with achieving budgetary goals.
11. There are disaster recovery and business continuity plans in place to respond to any dramatic
changes affecting the University’s ability to meet its objectives.
12. Risk assessment is a standard requirement on papers for formal University committees.
13. A review of the University’s corporate governance arrangements by Internal Audit earlier in the year
provided an assurance that the University could demonstrate a substantial degree of compliance with
“perceived” good practice. In those areas where there was incomplete evidence of compliance,
mainly concerned with the embedding of risk management processes, action has now been taken, or
is in hand, to improve practices.
Conclusion
There is an ongoing process for identifying, evaluating and managing the significant risks. It is part of a
structured review process and is ultimately reviewed by Court. Guidance has been made available on how to
identify and analyse risk and what the options are to mitigate risks. The risk management process has been
actively developed throughout the year and steps are continuing to extend the process such that it becomes
embedded further as an ongoing process.
Hamish McKay
Chief Internal Auditor
26th September 2003
Audit Committee
Draft Minutes: 20 November 2003
Annex 2
Strictly Confidential
Minutes of the 51st Meeting of the Audit Committee held at
5.30 p.m. on Thursday 20 November 2003 in the Lord
Provost Elder Room, Old College
Present:
Dr J Markland (Convener)
Mr F H Hitchman
Mr G Scott
Mr J Stretton
In Attendance:
The University Secretary, Mr M D Cornish
Director of Corporate Services, Mr N Paul
Director of Finance, Mr G Sutherland
Chief Internal Auditor, Mr H McKay
Assistant Director of Finance, Mr J Taylor
Internal Auditor, Mr J Thurlbeck
Mr G Macrae, KPMG
Mr M Rowley, KPMG
Mr G Russell, KPMG
Senior Vice-Principal Professor Michael Anderson (for item 2.1)
Executive Secretary to the Committee, Ms S Welham
Apologies:
Professor A D Milne
The Committee welcomed Professor Michael Anderson, Senior Vice-Principal, to the meeting for item 2.1.
1. Minutes of the Meeting held on 16 October 2003 (Paper A)
The Minutes of the previous meeting were approved as a correct record.
2. Matters Arising
From 12 June 2003 meeting:
2.1 From Item 5.4: Report 02/15: Acquisition & Disposal of Land & Buildings -
Space Management Report (Paper B)
The Committee received with interest the report and Senior Vice-Principal Professor Michael
Anderson’s presentation on Space Management issues. The 10% target for reduction in the use of
space had been intended as a device to focus the managerial mind. This exercise had been very
helpful to focus and clarify the target and the target itself had been a very effective way of fostering
the improvement of systems for recording, monitoring and maintaining the University’s estate.
The Audit Committee welcomed the approach taken by the University of incentives and
disincentives for changes in the use of space. The Audit Committee professed itself satisfied that
the University had appropriate systems and management arrangements to successfully manage the
University’s estate in the context of the University’s strategic objectives. The Committee thanked
Senior Vice-Principal Professor Anderson for his presentation and explanation of the work going
on in this area.
From 16 October 2003 meeting:
2.2 From Item 2.3: From Item 9: Audit Committee Membership
The University Secretary noted that he had received one suggestion from a member of the
Committee of a possible additional member. He would welcome further suggestions from
members by the end of that week and then would discuss the proposals with the Convener and put
in place the nominations process.
[MDC]
ANNUAL ACCOUNTS
3.1 Draft Reports and Financial Statements for FY to end 31 July 2003 (Paper C.1 and tabled paper)
The Director of Finance introduced the Annual Accounts for 2002-03. He drew the Committee’s
attention to the External Auditor’s unqualified report on pages 11 and 12 of paper C.1. In his
presentation he also drew attention to the following points:
(i) on page 16 in the Income and Expenditure Account there was little flexibility in presentation and
the University required to show the £14m bottom line surplus after exceptional items. However,
the operating surplus was £1.7m. The Director of Finance anticipated that this could present PR
difficulties and he would seek to explain this in the Principal’s Report. The Communications &
Public Affairs Department had been briefed about this point;
(ii) on page 30 a £1m transfer from the Income and Expenditure Account was shown. The fall in stock
markets had reduced the value of the assets held in the University’s Staff Benefits Scheme and the
Actuarial Valuation undertaken at March 2003 highlighted a pension fund deficit. It was hoped
that recoveries in the stock markets would reduce this deficit, but the University could not rely on
this and wished to remedy a potential shortfall by injecting £1m per annum for the next ten years.
This policy would be reviewed in 3 years’ time; and
(iii) provision of a further £250k had been made for back pension claims in respect of part-time staff
who were previously excluded from the pension scheme and £1.5m had been provided against
insurance claims in respect of the South Bridge fire.
In discussion it was noted that the University did not formally underwrite the Students’ Association
although it had issued a letter of comfort to the Students’ Association’s bankers. Therefore the
Students’ Association’s accounts were not consolidated in the University’s Accounts. The Group
figures shown included the University Accounts and Subsidiaries’ Accounts. The Audit Committee
noted that:
(i) the title on page 5 should make clear that the responsibilities listed were those of the Court with
respect to financial statements;
(ii) it would be helpful to provide an explanation of the £1m which had been returned to the
benefactors listed on page 32;
(iii) an explanatory note would be added on page 37 regarding the revaluation of the STSS pensions;
and
(iv) periodic reports were made to the Finance & General Purposes Committee showing the utilisation
and planned repayment schedules of the University Bond.
Subject to some other minor corrections and noting that it had not seen the Principal’s Statement, the
Committee confirmed that it was content with the Reports and Accounts. In future years the Director
of Finance offered to ensure that the Principal’s Statement was made available to the same meeting of
the Audit Committee that received the draft Report and Accounts.
[GOS]
The Committee confirmed that the Accounts should be focused on meeting the University’s specified
requirements. However the University was aware of the need to present and promote the University’s
activities to different audiences in the appropriate documents.
4. Final Corporate Governance Statement for 2002-03 (Paper D)
The University Secretary introduced the Corporate Governance Statement which had been amended to
take account of discussion at the previous Audit Committee meeting and the Finance & General
Purposes Committee meeting held on 27 October 2003 and which had been seen by the Court at a
recent meeting. The Audit Committee made a number of suggestions to incorporate in the final version
of the statement:
(i) In the first paragraph references to the relevant code and the possible need to refer to the British
Universities Financial Directors’ Group should be checked.
(ii) Mr Rowley suggested some additional wording about the basis on which the University Court had
reviewed its effectiveness.
(iii) A sub-heading could be included for the Risk Management section to improve the flow of the
statement.
Subject to these points and some minor corrections, the Audit Committee approved the statement for
submission to the University Court as part of the Annual Financial Report and Accounts.
EXTERNAL AUDIT
3.2 Management Letter (Paper C.2)
5. Presentation by KPMG on Audit Findings
[These two items were taken together at the meeting]
KPMG gave a presentation to the Committee on their Audit findings. They welcomed the fact that it
had been possible to have consideration of the Management Letter and the Accounts at the same Audit
Committee meeting. Mr Macrae took the Committee through the sections of the Report and noted that
whilst there were some issues which management was addressing, for example regarding Risk
Management and Research Grants, there were no major control weaknesses. In discussion the Audit
Committee noted the following points:
(i) The password issue highlighted on page 9 was not a serious problem. It had been identified during
the External Auditors’ visit and was now rectified.
(ii) It might be helpful to revise the wording of the statement in section 4.1 on page 11 to note that “the
University is unable to state that it is fully compliant for the whole year as not all the necessary
policies in place at the end of the year were in place at the start.” The External Auditors welcomed
the progress the University had made on risk management issues and further encouraged the
University to take a proactive approach towards year-end reporting.
(iii) The Director of Finance and the Director of Corporate Services would be pursuing the points in
sections 4.5 and 5.6 regarding staff shortages, some of which had also been highlighted in the
Finance Department risk register. The Committee noted Mr Sutherland would report to the Audit
Committee if there were issues which would make it difficult for Finance to achieve its objectives.
[GOS if necessary]
Concluding the item Mr Macrae recorded appreciation for the cooperation KPMG had received from
the Director and Assistant Directors of Finance, the Finance Department and other areas of the
University. Mr Sutherland also recorded his appreciation of the way in which KPMG had conducted
the external audit.
FOR DISCUSSION
6. Annual Report of the Audit Committee to the Court for FY 2002/2003 (Paper E)
The Audit Committee suggested that the quotation provided in section 2.1 should be more clearly
defined as the Chief Internal Auditor’s annual statement; and that the section on the Management
Letter should make clear that the Audit Committee was satisfied that those issues highlighted by
KPMG were being addressed effectively. Subject to these amendments the Committee approved the
Annual Report for submission to the University Court.
7. Combined Code on Corporate Governance (2003) (Paper F)
The Committee noted the changes to the Combined Code on Corporate Governance highlighted in
Paper F and agreed that it would return to this topic once it became clear what the Scottish Higher
Education Funding Council would require universities to do on this issue.
[HMcK]
8. Audit Committee Annual Seminar
The Audit Committee agreed that it would hold another seminar in the spring. This would be a joint
session with members of the Risk Management Committee, looking at the Committees’ respective
roles and responsibilities and at developments in public sector corporate governance. The Convener
and Secretary would prepare a programme which would include external participation.
[JM, MDC, SW]
INTERNAL AUDIT
9. Internal Audit Reports
9.1 Report 2002-4b Postgraduate Admissions in Medicine & Veterinary Medicine (Paper G)
Whilst noting the disappointing return rate for the questionnaire, the Committee noted that the overall
analysis remained reasonable. The report was noted.
9.2 Report 2002-4c Postgraduate Admissions in Humanities & Social Science (Paper H)
The Committee noted the report.
10. Follow Up Reviews
10.1 Report 2001/25F Research Grants & Contracts Administration (Paper I)
The Committee noted the report.
10.2 Report 2002/06F Management of Intellectual Property (Paper J)
The Committee noted the report and asked the Internal Auditor to clarify whether the plan mentioned in
the management response to item 3.3 had been taken forward.
[HMcK]
10.3 Report 2002/09F Accommodation Services – Commercial Income Collection (Paper K)
The Committee welcomed the progress that was being made with regard to Accommodation Services.
The report was noted.
11. Internal Audit - Progress Report (Paper L)
The Committee noted the report.
12. Internal Audit - Strategic Direction (Paper M)
The Committee noted that the main reason for Internal Audit to provide services to other organisations
was to provide a richer skill base in Internal Audit. The Committee welcomed that there were no plans
to take on other such activities in the short term and agreed that if another significant opportunity came
along the Audit Committee would have the opportunity to discuss the resource commitments and other
aspects of the proposal. The Committee noted that Internal Audit bore the costs of value added tax and
that its services provided under contract were covered as part of the University’s professional
indemnity insurance.
FOR INFORMATION
13. Voluntary Severance Details 2002-03 (Paper N)
The Committee noted the paper which was reported to the Committee for information as a control
measure.
14. Date of Next Meeting
The Committee noted that the date of the next meeting was 5.30 p.m. on Thursday 19 February 2004.
15. A.O.C.B.
There was no other competent business.
Ms S M Welham
Executive Secretary
8 December 2003
The University of Edinburgh
C2
The University Court
13 December 2004
Annual Report of the Audit Committee to Court, FY 2003/2004
Brief description of the paper
The paper sets out the annual report from the Audit Committee to the University Court, on Financial
Year 2003/2004, with the Internal Audit Report for 2003/04 (Annex 1, with five appendices) and the
draft minutes from the Audit Committee meeting held on 18 November 2004 (Annex 2).
Action requested
The University Court is invited to:
(i) Note item 11 of the minutes where the Audit Committee invited the Court to consider the
harmonising of severance reporting thresholds, which are currently different for SHEFC, the
Annual Accounts and the University’s Policy Statement on Severance Payments. The
Committee also invited the Court to consider what is the most appropriate control process.
(ii) Note item 13 of the minutes where the Committee recommended to the University Court that
the external auditors be reappointed for an extension period of two years: 2004/05 and
2005/06. The Committee needs to conduct a market testing exercise of the external audit
service every five years, at least, and will consider the process for this in the spring.
(iii) Note the rest of the paper for information.
Resource implications
Does the paper have resource implications? The activities described in the paper can be met with
existing resource allocations.
Risk Assessment
Does the paper include a risk analysis? The paper describes the activities of the Audit Committee,
which has received reports on the University’s risk management controls during 2003/04 and which
has also received internal audit reports, which have been prepared using a risk-based approach.
Equality and Diversity
Does the paper have equality and diversity implications? No.
Freedom of Information
Can this paper be included in open business? Yes.
Any other relevant information
The paper will be presented by Dr. John Markland, Convener of the Audit Committee.
Originator of the paper
Ms. S.M. Welham, Executive Secretary, Audit Committee, 3 December 2004
Annual Report of the Audit Committee to Court for FY 2003/2004
1 Administrative Matters
Membership and Frequency of Meetings FY 2003/2004
Membership of the Committee for the FY 2003/2004 was as follows, with Court members marked*:
Dr. J. Markland * (Convener)
Professor A. D. Milne *
Mr. G. Scott *
Mr. D. Bentley (from February 2004)
Mr. F. H. Hitchman
Mr. G. M. Murray (until October 2003)
Mr. J. Stretton
Mr. G. M. Murray stepped down from the Audit Committee since he had joined the Finance &
General Purposes Committee as a University Court member. The Committee expressed its grateful
thanks for his participation in the work of the Committee.
The University Secretary is Secretary to the Committee and its Executive Secretary is Ms S. Welham.
Routinely in attendance during the year were: the Director of Corporate Services, the Director of
Finance, the Chief Internal Auditor, the Assistant Director of Finance responsible for Financial
Accounting, the Executive Secretary of the Committee, and the external auditors, KPMG. During
2003/04 the Committee had presentations and discussion sessions on:
• Information Technology security penetration testing from Sapphire Technologies, the
Vice-Principal (Knowledge Management) and an Assistant Director of Computing Services;
• Freedom of Information implications for Audit Committee business by the University’s
Records Manager; and
• Space Management by the Senior Vice-Principal.
The Committee met on four occasions in the course of FY 2003/2004. It also, via the Convener, met
the Internal and External Auditors on their own for independent discussions.
2.1 Internal Audit
Annual Report of the Internal Auditors 2003/2004
The Annual Report of the in-house internal auditors is attached as Annex 1. The Court’s attention is
drawn to Appendix E, which provides an assessment of the adequacy and effectiveness of the
University’s Risk Management process, which was used to help derive the conclusion in the internal
auditor’s annual statement on the overall internal control environment in the University, which is
endorsed by the Audit Committee:
“On the basis of the work carried out during the year, I conclude that where weaknesses were
identified these are being addressed and there is sufficient evidence of controls and procedures
that are functioning to provide reasonable assurance that the overall control environment is
adequate in the University. Risk management has been embedded as an ongoing process
throughout the year, and steps are continuing to embed the process further.”
2003/2004 Internal Audit Plan
At its meeting on 5 July 2004 the Court, on the recommendation of the Audit Committee, approved
the Strategic Audit Plan for 2004-07 and the Annual Audit Plan for 2004-05. The Chief Internal
Auditor prepared the plans in consultation with senior management, including the Principal as Chief
Accounting Officer.
2.2 External Audit
Appointment and Remuneration of External Auditor
At its meeting on 9 July 2001, on the recommendation of the Audit Committee, the University Court
appointed KPMG to conduct the external audit of the University for the three financial years from
2001/02. The Audit Committee reviewed the External Auditors’ audit plan for the year ending on 31
July 2004 at its 17 June 2004 meeting. The Audit Committee reported to the Court at its 5 July 2004
meeting that the proposed external fee for the University and Subsidiary companies for 2003/04 was
£55,110 exclusive of VAT, subject to minor adjustments for subsidiary companies.
Reports and Financial Statements for the year ended 31 July 2004
The Committee received the reports and financial statements for the year ending 31 July 2004,
including the Principal’s statement, at its meeting on 18 November 2004, together with a presentation
by KPMG on the external audit findings. The Committee noted the basis of the opinion of KPMG on
the accounts and the satisfactory nature of that opinion. The Committee concluded that the audit had
been satisfactorily performed and that there were no major issues to give significant cause for
concern. The Committee agreed for its part to commend the reports and financial statements to the
Court for adoption.
Management Letter 2003/2004
KPMG referred to the Management Letter in the report on the audit results. KPMG confirmed that,
while it highlighted various matters requiring the attention of management, it contained nothing to
impact on their ability to give a clean audit report on the accounts for the year. On completion, the
Management Letter will be forwarded to the Funding Council as required by the SHEFC Code of
Audit Practice.
2.3 Internal Control Systems
Based on the results of the work of the Internal Auditor as reported in the Internal Auditor’s Annual
Report; the External Auditors’ opinion on the financial statements as well as on the Management
Letter; the Risk Management Committee’s Year-End Report on 2003/04; and direct comments from
relevant members of staff of the University, the Audit Committee considered that the University’s
internal control systems were functioning to provide reasonable assurance that the overall control
environment was adequate in the University and could be relied on by the University Court.
3 Other Committee Business
Other issues considered by the Audit Committee during 2003/2004 included: risk management, where
it received regular reports from the Risk Management Committee, including information on the
RMC’s Year-End Report, the development of an assurance map, and on revisions to the University
Risk Register; the University’s corporate governance statement; the University’s relationships with
subsidiary and spin-out companies; the Combined Code on Corporate Governance (2003); and
voluntary severance payments. In March 2004 the Committee held its Annual Seminar in conjunction
with the Risk Management Committee, which focused on developments in public sector corporate
governance.
4 Fraud and Irregularity
The Audit Committee has not been made aware of any serious weaknesses in internal control systems,
significant fraud or major accounting or other control breakdowns.
Ms Welham, Executive Secretary, Audit Committee, 19 November 2004
University of Edinburgh
Internal Audit Annual Report 2003-04
Annex 1
INTERNAL AUDIT - ANNUAL REPORT 2003-2004
1. Introduction
The 1999 SHEFC Code of Audit Practice requires that the Audit Committee should be provided with an
Annual Report on Internal Audit's activities at the first meeting following the financial year-end. It also
sets out the minimum contents of such a report (paragraph 4.53-4.54).
2. Achievement of Annual Plan
Appendix A lists the assignments carried out during the year in the order that they were reported to the
Audit Committee. Appendix B summarises the main findings. The audit plan approved by the Audit
Committee is substantially completed (98%). Work is continuing on Acquisitions and Implementation of
Corporate IS/IT, Electronic Receipting of Application (ERA) and Space Utilisation.
The original audit plan was designed to accommodate additional assignments arising during the year
and any unforeseen staff absences without disrupting the scheduled assignments, by setting aside time
to cover such eventualities. This has once again worked well. Five additional assignments to the
original plan were accommodated during the year (Voluntary Severance, Communications and Public
Affairs, Institute of Geography, Large Animal Hospital and Practice, and Delegated Authority). Four
assignments: Postgraduate Admissions, NHS Agreements, Medical Facilities provided by Consort and
Research Grant Claims Processing required significantly more time to carry out than had been planned.
We also invested time in successfully marketing our services on a commercial basis.
3. Summary of Findings
The Code requires a summary of each audit report and these are set out in Appendix B. The more
significant control weaknesses and control assurances identified are set out in the table in Appendix
C. Based on our findings during the year, Table 1 highlights examples of assignments where the control
environment required enhancement.
Table 1: Examples of how and where the control environment could be enhanced
| Control Enhancement Required | Assignments identifying the need for control enhancement |
|---|---|
| Better Segregation of Duties | Institute of Geography, Communications and Public Affairs |
| Improved Organisational controls | NHS Agreements and Arrangements, Research Fees, Research Grant Claims Processing, Office of Lifelong Learning, Endowment Funds |
| Improved Authorisation and Approval Controls | Management School and Economics, School of Biomedical and Clinical Laboratory Services |
| Improved Physical Controls | School of Arts, Culture and Environment |
| More effective Supervision | Institute of Geography |
| Improved Personnel Controls | Management School and Economics |
| Improved Arithmetic and Accounting Controls | Veterinary Clinical Studies - Hospital for Small Animals |
| Improved Management | Research Grant Claims Processing, Medical School Facilities provided by Consort, Financial and Management Information at College Level |
92% of recommendations from a programme of follow up reviews were found to have been implemented in full as
agreed. This is up from 87% in the previous year.
Positive Assurances
• Examinations and Reporting of Results
• Delegated Authority
• Division of Clinical Neurosciences
• School of Arts, Culture and Environment
• Postgraduate Admissions in Medicine and Veterinary Medicine
• Postgraduate Admissions in Humanities and Social Science
4. Value for Money (VFM)
VFM is considered as a routine aspect of each assignment. Appendix C identifies those assignments
that could result in VFM opportunities for the University.
5. Staffing
There was no turnover of staff during the year. IT and other audit specialists were engaged to provide
support on specific assignments, to a larger extent than last year, funded by increased revenue arising
from services provided to commercial clients.
6. Internal Audit Performance Indicators
The 1999 SHEFC Code of Audit Practice states that “The Head of Internal Audit should, in conjunction
with management and the Audit Committee, establish and implement performance measures and
indicators, whereby the efficiency and effectiveness of the service can be monitored on an ongoing
basis”.
Appendix D includes a selection of Key Performance Indicators, and provides a summary of responses
to Performance Questionnaires received during the year from management following an audit in their
area.
7. Turnbull Committee Report on Internal Control
The Turnbull Committee report emphasised that it was an essential part of the Main Board’s /
Governing Body’s (Court’s) responsibility to review the effectiveness of internal control. In coming to a
view, members are expected to seek input from the Audit Committee, other constitutional committees,
senior management, and external and internal audit. The SHEFC Accounts Direction for 2003-04
requires the Court to include a statement in the annual financial statements on corporate governance,
indicating how the University has complied with good practice in this regard. A separate paper is being
presented by the University Secretary on the Draft Corporate Governance Statement and giving advice
to members on the Statement of Internal Control.
8. Risk Management
The University Risk Management Committee has been fully operational during 2003-04. The University
Risk Management Policy and Overview Risk Register were endorsed by Court in 2002-03 and are
reviewed and confirmed by CMG, FGPC, Audit Committee and Court each year. Each College and
Support Group has prepared a Risk Register; these have been formally by the Risk Management
Committee as part of an annual process. The Committee has a programme of rolling reviews of each
individual corporate risk. Internal Audit was noted as having addressed 13 out of 25 risks over the
previous two years.
An assessment of the adequacy of the University of Edinburgh’s Risk Management process is given in
Appendix E.
9. Annual Statement on the System of Internal Control
The 1999 SHEFC Code of Audit Practice requires the Head of Internal Audit to provide an opinion on the
adequacy and effectiveness of the University's internal control system (paragraph 4.54). Internal Control is
defined in the internationally recognised report from the Committee of Sponsoring Organisations (COSO) as:
"A process, effected by an entity's board of directors, management and other personnel,
designed to provide reasonable assurance regarding the achievement of objectives in the
following categories: effectiveness and efficiency of operations; reliability of financial reporting;
and compliance with applicable laws and regulations."
It is important to note that:
• The Annual Statement is based upon the work performed during the year as summarised in
Appendix B;
• Internal Control can provide only reasonable and not absolute assurance to management and
Court regarding achievement of the University's objectives. Internal Audit assignments have a
reasonable chance of detecting significant control weaknesses but cannot guarantee that fraud,
error or non-compliance will be detected;
• It is management's responsibility to maintain effective systems of internal control, risk management
and the detection of fraud, error or non-compliance;
• Internal audit forms part of the overall system of internal control.
During the year, the Internal Audit Service has reviewed, evaluated and tested the University's internal
controls based upon an Annual Audit Plan approved by the Audit Committee in June 2003. Reference
has been made where appropriate to the quality standards in recognised good practice guidance, as
required by paragraph 1.7 of the Code of Audit Practice.
On the basis of the work carried out during the year, I conclude that where weaknesses were identified these
are being addressed and that there is sufficient evidence of controls and procedures that are functioning to
provide reasonable assurance that the overall control environment is adequate in the University. Risk
management has been embedded as an ongoing process throughout the year, and steps are continuing to
embed the process further.
Hamish McKay
Chief Internal Auditor
Appendix A
Internal Audit Annual Report - List of Assignments
| No. | Audit assignment | Date Final Report Issued | Date to Audit Committee | Comment |
|---|---|---|---|---|
| | Completed | | | |
| 1 | Postgraduate Admissions in Medicine and Veterinary | 11-Nov-03 | Nov-03 | 2002-03 Annual Plan |
| 2 | Postgraduate Admissions in Medicine Humanities and Social Science | 11-Nov-03 | Nov-03 | 2002-03 Annual Plan |
| 3 | Voluntary Severance 2002-03 | 11-Nov-03 | Nov-03 | Added to original plan |
| 4 | Edinburgh University Press - Corporate Governance | 3-Dec-03 | Feb-04 | |
| 5 | School of Biomedical and Clinical Laboratory Sciences | 12-Jan-04 | Feb-04 | 2002-03 Annual Plan |
| 6 | Transparency Review return 2002-03 | 22-Jan-04 | Feb-04 | |
| 7 | Handling Enquiries from Overseas Postgraduate Students | 26-Jan-04 | Feb-04 | |
| 8 | Office of Lifelong Learning | 6-Feb-04 | Feb-04 | |
| 9 | Research Fees | 6-Feb-04 | Feb-04 | 2002-03 Annual Plan |
| 10 | Research Grant Claims Processing | 9-Feb-04 | Feb-04 | |
| 11 | Veterinary Clinical Studies - Hospital for Small Animals | 10-Feb-04 | Feb-04 | |
| 12 | Library Ordering Systems | 11-Feb-04 | Jun-04 | |
| 13 | Communications and Public Affairs | 2-Apr-04 | Jun-04 | Added to original plan |
| 14 | Examinations and Reporting of Results | 2-Apr-04 | Jun-04 | |
| 15 | Edinburgh Student Portal | 31-May-04 | Jun-04 | |
| 16 | Division of Clinical Neurosciences | 4-Jun-04 | Jun-04 | |
| 17 | Management School and Economics | 8-Jun-04 | Jun-04 | |
| 18 | Medical School Facilities provided by Consort | 8-Jun-04 | Jun-04 | |
| 19 | NHS Agreements and Arrangements | 8-Jun-04 | Jun-04 | |
| 20 | Biomedical Research Resources | 9-Jun-04 | Jun-04 | |
| 21 | Endowment Funds | 9-Jun-04 | Jun-04 | |
| 22 | Institute of Geography | 28-Jun-04 | Oct-04 | Added to original plan |
| 23 | Large Animal Hospital and Practice | 30-Jul-04 | Oct-04 | Added to original plan |
| 24 | Control of Staff Appointments in College and Support Groups | 16-Sep-04 | Oct-04 | |
| 25 | Ordering and Payments processes | 16-Sep-04 | Oct-04 | |
| 26 | School of Arts, Culture and Environment | 23-Sep-04 | Oct-04 | |
| 27 | Financial and Management Information at College Level | 5-Oct-04 | Oct-04 | |
| 28 | Delegated Authority | N/A | N/A | Added to original plan and no report as such |
| | Continuing | | | |
| 29 | Acquisition and Implementation of Corporate IS/IT | | | |
| 30 | Electronic Receipting Application | | | |
| 31 | Space Utilisation | | | |
| Follow up Reviews (14) | Date to Audit Committee | Recommendations agreed | Recommendations implemented |
|---|---|---|---|
| Festival Lets | Oct-03 | 25 | 25 |
| Estates and Buildings: Financial Control Section | Oct-03 | 8 | 8 |
| Business Rates Management | Oct-03 | 5 | 5 |
| Research Grants and Contracts Administration | Nov-03 | 7 | 7 |
| Management of Intellectual Property | Nov-03 | 3 | 3 |
| Accommodation Services - Commercial Income Collection | Nov-03 | 8 | 5 |
| Integrity of Access to Key University Systems | Jun-04 | 12 | 12 |
| Disposal of Waste | Jun-04 | 7 | 3 |
| Corporate Governance | Jun-04 | 6 | 6 |
| Vehicle Policy Compliance | Jun-04 | 6 | 5 |
| Overhead Recovery in Research and Consultancy Contracts | Jun-04 | 4 | 4 |
| Pathology | Jun-04 | 6 | 6 |
| School of Engineering and Electronics | Jun-04 | 1 | 1 |
| ICMB Wellcome Trust Centre | Jun-04 | 9 | 8 |
| Total | | 107 | 98 (92%) |
Appendix B
SUMMARY OF FINDINGS FROM AUDIT ASSIGNMENTS DURING 2003-2004
(Listed in the order that the final report was issued)
1. POSTGRADUATE ADMISSIONS IN MEDICINE AND VETERINARY MEDICINE
Based on analysis of responses to our online questionnaire, for the most part, staff involved in
postgraduate admissions in the College of Medicine and Veterinary Medicine felt able to demonstrate
compliance with the Code of Practice, should they be required to do so by the QAA. Some areas
relating to Admissions policies and procedures would benefit from clarification.
Issued 11/11/03; No recommendations.
2. POSTGRADUATE ADMISSIONS IN HUMANITIES AND SOCIAL SCIENCE
Based on analysis of responses to our online questionnaire, for the most part, staff involved in
postgraduate admissions in the College of Humanities and Social Science felt able to demonstrate
compliance with the Code of Practice, should they be required to do so by the QAA. Some areas
relating to Admissions policies and procedures would benefit from clarification.
Issued 11/11/03; No recommendations.
3. VOLUNTARY SEVERANCE 2002-03
As required by the University's Policy Statement on Severance Payments we provided the full details to
the Audit Committee of all severance arrangements for staff earning more than £50k per annum, based
on details provided by the Director of Human Resources and the relevant Human Resources Managers.
Issued 11/11/03; No recommendations.
4. EDINBURGH UNIVERSITY PRESS - CORPORATE GOVERNANCE
We made a number of specific recommendations for consideration by the Board, and one overarching
recommendation to the Managing Director that our report should be presented to the next Board
meeting. Subject to implementing our recommendations, we were satisfied that the Board had
appropriate and effective processes and procedures in place to support the production of their Annual
Corporate Governance Statement to the University Court. In making our recommendations we sought
to take into account the proportionality of the recommended action to the size of the Company, and the
residual risk which would remain if the issue was not addressed. The Managing Director confirmed in
May 2004 that appropriate action has indeed been taken.
Issued 3/12/03; 9 recommendations, all agreed.
5. SCHOOL OF BIOMEDICAL AND CLINICAL LABORATORY SCIENCES
There was scope to improve management scrutiny of payments made for the reimbursement of staff
expenses. A review of E-Financials electronic access and authorisation levels would help to ensure that
staff are only able to conduct transactions up to the level designated by the Head of School.
Procedures should be developed to help provide a framework for ensuring compliance with the Data
Protection Act (2000).
Issued 12/01/04; 5 recommendations, all agreed.
6. TRANSPARENCY REVIEW RETURN 2002-03
Funding Councils and the Research Councils have indicated that they propose to seek validation that
Institutions have implemented the methodology appropriately. Therefore this year we reviewed and
assessed the robustness of the costing methodology applied in greater detail. This year’s exercise used
updated time allocation data, substituted the 2002-03 financial data and applied similar cost drivers to
allocate the expenditure. We were able to confirm that the University submitted a Transparency Review
costing return for 2002-03 to the Funding Council signed by the Principal before the deadline of 31st
January 2004, that the costing systems established by management followed the recommendations in
the TRAC report, and that the systems were adequate, effective and applied consistently.
Issued 22/01/04; No recommendations.
7. HANDLING ENQUIRIES FROM OVERSEAS POSTGRADUATE STUDENTS
Specific value-for-money issues identified include avoidable costs which are inherent in the current
system (e.g. need to streamline administration of multiple or blanket enquiries by the same student, the
scope for ‘filtering’ of enquiries centrally, and independent maintenance of local records), and potential
income being foregone if enquirants ‘fall through the net’. We identified two specific risks to the
University in terms of compliance with the Data Protection Act and Freedom of Information
requirements. Our report was issued to the Director of Registry for consideration in relation to the work
of the Student Systems Project Board, and to the Convener of the Senatus Postgraduate Studies
Committee for discussion. Both agreed to take the findings on board in support of their ongoing work in
this area.
Issued 26/01/04; 1 recommendation, agreed.
8. OFFICE OF LIFELONG LEARNING
There would be benefits from restructuring the Office of Lifelong Learning to unify the administrative
systems through improved financial control, economies of scale and clarity of procedures. The
imminent appointment of a new Chief Administrative Officer was expected to help in this regard. There
was a need to adjust current procedures for Continuing Professional Development pricing (which were
under active discussion) and Continuing Personal Education staff appointment processing (which we
were advised was in hand).
Issued 06/02/04; 8 recommendations, all agreed.
9. RESEARCH FEES
While there was no reason to suspect that Research Fees are being set at inappropriate levels or
remitted without good cause, much could be done to improve the transparency of the process for
costing of Research Fees, remission of fees, and processing of fees. The recommendations related to
the role played by Registry in these processes. We wrote separately to the Convener of the Senatus
Postgraduate Studies Committee recommending that the need to improve transparency of these
processes should be discussed, and appropriate action agreed, by that Committee.
Issued 06/02/04; 3 recommendations, all agreed.
10. RESEARCH GRANT CLAIMS PROCESSING
There was an opportunity to strengthen lines of accountability and responsibility through greater
involvement of Heads of Schools in managing research grants within their area of responsibility. This
should help the Research Grants Section in the Finance Department resolve disputed research grant
expenditure.
Issued 09/02/04; 7 recommendations, all agreed.
11. VETERINARY CLINICAL STUDIES - HOSPITAL FOR SMALL ANIMALS
Much work had already been done by Hospital Staff to improve processes and procedures for invoicing,
credit control, and stock control. A number of other issues were highlighted in this report, which
required further management action. We noted a number of significant issues arising from the financial
capabilities of the local Finance and Practice Management System used within the Hospital. These
were reported to the Hospital for the specific consideration of the new IT manager. We also found that
the value for money achieved by the Hospital’s commercial arrangements could not be quantified.
Issued 10/02/04; 3 recommendations, all agreed.
12. LIBRARY ORDERING SYSTEMS
There was scope to improve the monthly budgetary information provided to the Director of Library
Services by the incorporation of commitment information. Budgetary control information was accessed
from two sources; the Director of Library Services relied on information derived from E-Financials and
the Liaison Librarians rely on information derived from the Voyager system. Initial reconciliations
highlighted variances between the Voyager and E-Financials data sets. Library staff were continuing to
reconcile the two data sets in order to understand the reasons for the variances. Until this is achieved, it
is not possible to be confident that transactions occurring in the Voyager system are accurately
represented in E-Financials.
Issued 11/02/04; 3 recommendations, 2 agreed, 1 rejected.
13. COMMUNICATIONS AND PUBLIC AFFAIRS
There was scope to improve the procedures relating to cashing up and stocktaking by introducing an
element of segregation of duties. The development and implementation of appropriate ‘change control’
procedures (preventing and detecting unauthorised changes to core stock and price data) for the new
Electronic Point of Sale System needed to be considered as a matter of priority.
Issued 02/04/04; 8 recommendations; all agreed.
14. EXAMINATIONS AND REPORTING OF RESULTS
Effective control appeared to be in place over the processing and reporting of examination results by
Registry. There was a need for Registry to maintain awareness of the residual process risks inherent in
their system, relating to evidence of authority of external examiners, double-keying of data, and
exception reporting.
Issued 2/04/04; 1 recommendation, agreed.
15. EDINBURGH STUDENT PORTAL
The Edinburgh Student Portal (ESP) has been developed and maintained in a controlled manner and its
use did not appear to present a significant risk to the University, either financially or reputationally. The
ownership of the various elements of the ESP should be formally agreed and documented in order to
ensure that the ongoing development and eventual incorporation into MyED is not slowed down or
compromised by any future misunderstanding, and that any functionality that allows students to update
information via ESP should not be introduced without careful consideration of improving the strength of
current password security features.
Issued 31/05/04: 2 recommendations, both agreed.
16. DIVISION OF CLINICAL NEUROSCIENCES
There was a satisfactory level of control within the Division. However, there was scope to improve
efficiency of local monitoring and reconciliation procedures. Some other issues relating to local
administrative procedures were noted by the Head of Division.
Issued 4/06/04; 2 recommendations, both agreed.
17. MANAGEMENT SCHOOL AND ECONOMICS
There was a satisfactory level of control within the School. However, there was scope to improve
guidance on non-standard payments and to improve controls over income collection in the Management
School section. Following an Internal Audit special investigation in 1999-2000, the recommendations to
address the systems weaknesses identified at the time had generally been actioned, and the control
environment had significantly improved.
Issued 08/06/04; 5 recommendations, all agreed.
18. MEDICAL SCHOOL FACILITIES PROVIDED BY CONSORT
The University is paying a premium to achieve risk transfer to the private sector under the PFI scheme
for managing the facilities at the New Royal Infirmary at Little France. The risk transfer cannot be fully
effective until the performance monitoring data is available. There was a need for the University to
pursue Consort regarding their contractual requirements on performance monitoring data.
Issued 8/06/04; 1 recommendation, agreed.
19. NHS AGREEMENTS AND ARRANGEMENTS
There is a considerable number of agreements and relationships between various University and NHS
departments. The complexity of the intertwined relationship, the disparate lines of coordination and
control, the mismatch of authority and responsibility as evidenced by the Delegated Authorities
Schedule, the numerous separate resourcing arrangements, and the lack of clear understanding of
overall resources committed, meant that the University was not in a position to secure maximum value
for money. There was a risk that the University’s interests would be jeopardised by a lack of overall
negotiating leverage. It was also difficult to provide an assurance that the University was paying only for
services received and recovering the full cost of services it provided to the NHS. We concluded that
there was a strong case for investing time and effort in quantifying the net costs/benefits of the
arrangements with the NHS. This would allow the University to achieve better value for money from the
relationships, or confirm that the University is already a net beneficiary.
Issued 08/06/04; 9 recommendations, 8 agreed, 1 was agreed in principle but seen as difficult to
achieve (relating to all charges to the NHS being immediately charged to a dedicated NHS cost centre)
and was therefore rejected.
20. BIOMEDICAL RESEARCH RESOURCES
The introduction of best practice such as the use of Risk Assessment, Performance Indicators and Disaster
Recovery/Business Continuity Planning would help to make operations more resilient and increase the level of
assurance available to management. There was some scope to review processes and achieve more efficient
workflows and provide a better level of control.
Issued 09/06/04; 9 recommendations, 7 agreed, the remaining two will be put to the Ethical Review
Committee for consideration.
21. ENDOWMENT FUNDS
There was a need to review communications and reporting mechanisms for the control of
endowment-based expenditure, in order to ensure that Heads of Schools are more closely involved in the monitoring
process. Practices were resulting in various inconsistent procedures for monitoring endowments,
duplication of effort in maintaining records, and inadequate management information.
Issued 09/06/04; 4 recommendations, all agreed.
22. INSTITUTE OF GEOGRAPHY
We found that nine recommendations from the Internal Audit review of the Department of Geography in
March 2002 had not been implemented. Agreed procedures to improve control over petty cash and
income collection had lapsed with the advent of the restructuring process. The restructuring process
and amalgamation of the Institute of Geography within the School of Geosciences had required staff
reorganisation. Documented procedure notes had not been established to aid the continuation of good
working practices. Full implementation of the recommendations would help to improve the level of
control surrounding petty cash and income collection. Random supervisory checks were to be initiated
by the School Finance Manager to provide assurance that new procedures were being complied with.
Issued 28/06/04; 9 recommendations, all agreed.
23. LARGE ANIMAL HOSPITAL AND PRACTICE
For the most part, we were satisfied that financial control within the Large Animal Hospital and Large
Animal Practice was satisfactory. However, we have made a number of recommendations for
improvement of the control environment. We also noted that there was significant scope for shared
arrangements with the Small Animal Hospital and Practice in respect of IT systems and stock control,
which may result in VFM improvements.
Issued 30/07/04; 9 recommendations, all agreed.
24. CONTROL OF STAFF APPOINTMENTS IN COLLEGE AND SUPPORT GROUPS
The new staff appointment process under the Reengineering the Employment Lifecycle Processes
(RELP) project has resulted in improved arrangements to help ensure that funding for staff
appointments is available. There may be an opportunity to enhance control over research grant staff
appointments by using the system to ensure that two areas are involved in the appointment process.
This would achieve a more disciplined process to help ensure that research appointments are made
within the level of funding that is available.
Issued 16/09/04; No recommendations, we communicated our views on research grant staff
appointments to the Director of Corporate Services, who will consider them as part of a comprehensive
review of research grants processing.
25. ORDERING AND PAYMENTS PROCESSES
We identified opportunities for efficiency gains through improved ordering practices and procedures. We
provided Colleges and Support Groups with detailed information in order that they could better target for
review those areas where improvements could be made.
Issued 16/09/04; no recommendations, but have identified opportunities for efficiency gains.
26. SCHOOL OF ARTS, CULTURE AND ENVIRONMENT
We found that, subject to implementation of our recommendations, there is a satisfactory level of
internal control in place throughout the School. There was a particular issue with physical security of
cash.
Issued 23/09/04; eleven recommendations, all agreed.
27. FINANCIAL AND MANAGEMENT INFORMATION AT COLLEGE LEVEL
We found an apparent gap between the needs and aspirations of the College Management Teams and
the plans and solutions available from systems and support staff. There is therefore an ongoing risk that
the management information needs of the College will not be fulfilled. The number of local workarounds
in place also highlights the risk that the University may not be leveraging best value for money from its
substantial investment in corporate systems. To mitigate these risks, there would appear to be a need
to improve articulation of the needs and aspirations of the College Management Teams, and of the
plans and solutions available from systems and support staff, with a view to achieving clearer mutual
understanding of management information needs in support of decision-making in the short to medium
term.
Issued 5/10/04; no recommendations, we propose to highlight these risks at the next meeting of the
Central Management Group.
28. DELEGATED AUTHORITY
Internal Audit continued to provide assistance to the University Secretary on the preparation of a
Delegated Authorisation Schedule and related initiatives. The Delegated Authorities Schedule was
approved by Court in November 2003. A related Schedule of Delegated Authority: Procurement paper
was approved by Central Management Group in September 2004.
Continued input during the year, no report as such.
Appendix C
Internal Controls 2003-04: Analysis of the strengths and weaknesses identified in
the Control Environment
Internal Controls (column alignment of entries not preserved): Organisation; Segregation of Duties; Authorisation & Approval; Physical; Supervision; Personnel; Arithmetic & Accounting; Management

| Ref | Audit assignment | Internal control entries | VFM Opportunity? |
|---|---|---|---|
| 1 | Postgraduate Admissions in Medicine and Veterinary Medicine | | |
| 2 | Postgraduate Admissions in Humanities and Social Science | | |
| 3 | Voluntary Severance 2002-03 | | |
| 4 | Edinburgh University Press - Corporate Governance | x | |
| 5 | School of Biomedical and Clinical Laboratory Sciences | x, x | Yes |
| 6 | Transparency Review return 2002-03 | | |
| 7 | Handling Enquiries from Overseas Postgraduate Students | | Yes |
| 8 | Office of Lifelong Learning | x, x, x | |
| 9 | Research Fees | x, x, x | |
| 10 | Research Grant Claims Processing | x, x, x | |
| 11 | Veterinary Clinical Studies - Hospital for Small Animals | xx | Yes |
| 12 | Library Ordering Systems | x, x | |
| 13 | Communications and Public Affairs | x, x | |
| 14 | Examinations and Reporting of Results | | Yes |
| 15 | Edinburgh Student Portal | | |
| 16 | Division of Clinical Neurosciences | | |
| 17 | Management School and Economics | x, x, x | |
| 18 | Medical School Facilities provided by Consort | x, x, x | Yes |
| 19 | NHS Agreements and Arrangements | x, xx | Yes |
| 20 | Biomedical Research Resources | x, x | Yes |
| 21 | Endowment Funds | x, x | Yes |
| 22 | Institute of Geography | x, x, x, x, x, x | |
| 23 | Large Animal Hospital and Practice | x | Yes |
| 24 | Control of Staff Appointments in College and Support Groups | x | |
| 25 | Ordering and Payments processes | x | Yes |
| 26 | School of Arts, Culture and Environment | x, x | |
| 27 | Financial and Management Information at College Level | x | Yes |
| 28 | Delegated Authority | | |
Key: (A blank entry indicates either not assessed, or no particular strengths or weaknesses identified.)
= Control Assurance identified, X = Control weakness identified,
= Strong Assurance identified, XX = Inadequate control identified.
Note: These assessments were made on the basis of the findings at the time of the audit.
Appendix D 1
Key Performance Indicators for Internal audit
The SHEFC Code of audit Practice states, “The Head of Internal audit should, in conjunction with
management and the Audit Committee, establish and implement performance measures and indicators,
whereby the efficiency and effectiveness of the service can be monitored on an ongoing basis”. “It is for each
institution to adopt or develop a set of measures and indicators which are appropriate to its needs and
circumstances”.
| Performance measures | Year 2000-01 | Year 2001-02 | Year 2002-03 | Year 2003-04 |
|---|---|---|---|---|
| General Performance Indicators | | | | |
| Annual cost of service | £145k [1] | £165k | £174k [2] | £177k |
| Direct audit days available [3] | 602 | 665 | 692 | 717 |
| Cost per direct audit day | £240 | £248 | £252 | £247 |
| Number of audits | 25+2 to finalise | 28+2 to finalise | 29+3 to finalise | 28+3 to finalise |
| Number of recommendations made | 84 | 136 | 142 | 109 |
| Number of follow up reviews | 16 | 12 | 15 | 14 |
| Performance measures indicating efficiency | | | | |
| University of Edinburgh income received / Internal Auditor | £70M | £71.25M | £78.5M | £86.8M |
| University employees / Internal Auditor | 1457 | 1474 | 1505 | 1510 |
| % Available time applied to audit work | 84% | 85% | 86% | 85% |
| % Allocated audit time actually spent conducting audit work [4] | 94% | 104% | 99% | 106% |
| % Completion of the annual audit plan by annual report date | 98% | 99.5% | 98% | 98% |
| Performance measures indicating effectiveness | | | | |
| % Audit work undertaken by fully qualified staff | 64% | 63% | 92% | 100% |
| % Recommendations agreed by management | 94% | 95% | 94% | 98% |
| % Agreed recommendations found to be implemented when followed up | 94% | 77% | 87% | 92% |
| % Audits perceived to add value [5] | ------- | 90% | 83% | 78% |

[1] Staff vacancies in 2000-01.
[2] Not including £7K added from central Contingency Fund to meet cost of IT Penetration Test.
[3] After leave, office admin and training. Includes specialist contract staff support.
[4] If over 100%, then less training than anticipated.
[5] Derived from Internal Audit performance questionnaire.
Appendix D 2
Audit Committee
14 October 2004
Internal Audit Performance Questionnaire (updated)
In response to a request from the Committee, a process was initiated in 2001-02 of
seeking feedback from managers of activities which had been the subject of internal
audit. Responses are sent direct to the University Secretary who compiled the
attached consolidated report for the Audit Committee.
Attached, for the information of members, is an analysis of responses received during
the financial year 2003/04. It includes responses to work carried out at the end of the
previous financial year and excludes assignments completed within the last two
months. This updated version incorporates a further eight returns received late.
November 2004
Internal Audit Performance Evaluation Questionnaires (updated)
Based upon feedback from the 27 Audit Assignments listed at the foot of the page.
YY Y N NN Other
1. Were you given adequate notification of the audit? 14 12 1
2. Were you informed adequately of the audit objectives and scope? 13 13 1
3. Were the appropriate staff consulted for the audit area covered? 10 15 2
4. Did staff conduct themselves in a professional manner during the audit? 15 11 1
5. Were you given the opportunity to discuss the report with the auditor prior to finalisation? 11 15 1
6. Were the recommendations in the report practical and realistic? 6 15 4 2
7. Was the report produced to a professional standard? 11 14 2
8. Do you feel that the audit was worthwhile and has added value to your work? 8 13 4 2
Percentage %: 41 50 6 3
Key
YY fully satisfied
Y Satisfied
N not satisfied
NN fully dissatisfied
Completed Audit Assignments subject to performance evaluation
Returns received (27)
• Biomedical & Clinical Lab Science School
• Biological Research Resources
• Clinical Vet Services – Large Animal Hospital
• Clinical Vet Services – Small Animal Hospital
• CPA / EPOS
• Division of Clinical Neurosciences
• Edinburgh Student Portal (x2)
• Examinations & reporting of results
• Geography
• ICMB/Wellcome Trust Centre
• IT Penetration Testing (x2)
• Management School & Economics
• Medical School facilities provided by Consort (x3)
• NHS Agreements & Arrangements (x4)
• Office of Lifelong Learning
• Postgraduate Admissions – HSS
• Postgraduate Admissions – Science & Engineering
• Subsidiary Companies – UoE Press
• Transparency Review 2001/02
• Transparency Review 2002/03
Returns not received (8)
• Endowment Funds
• Handling enquiries & applications from os / pg applicant
• Legal Services VFM
• Library Ordering System
• Payment of Creditors – Accounts Payable
• Postgraduate Admissions – MVM
• Research Fees (Bench Fees)
• Research Grant Claims Processing
Appendix E
Risk Management - Assessment of its adequacy and effectiveness
Requirement
The model Corporate Governance statement included in the Scottish Higher Education Funding
Council’s Accounts Direction in Circular HE/21/04 requires that Institutions should disclose as a
minimum that:
• There is an ongoing process for identifying, evaluating and managing the significant risks
faced by the institution.
• The process has been in place for the year under review and up to the date of approval of
the Annual Accounts.
• The governing body regularly reviews the process.
• The process accords with the Turnbull guidance.
The Turnbull guidance requires that risk assessment and internal control should be embedded in
ongoing processes. Management’s role is to implement the governing body’s policies on risk and
control. The governing body is required to review the effectiveness of internal control.
Internal audit is required to report upon the adequacy and effectiveness of the risk management
process as part of its assessment of the overall control environment. Guidance from the Institute
of Internal Auditors suggests assessment using the following parameters:
• The extent to which objectives of the risk management process have been set and
communicated at all levels within an organisation, and are supported by consistent
business strategies, plans and budgets;
• The adequacy of the mechanisms for identifying, analysing and mitigating key business
risks arising from both external and internal sources; and
• The existence of mechanisms for identifying and reacting to both routine and more dramatic
changes that could affect the organisation’s ability to achieve its objectives.
Findings
Risk Management Committee
1. The Risk Management Committee (RMC) met throughout 2003-04 and will continue to
meet for the foreseeable future. During 2003-04 their work has focussed on consolidating
and further developing the Risk Management processes in the University.
2. The Annual Report of the RMC was presented to the Central Management Group (CMG)
on 22 September 2004, and will be considered by the University’s Audit Committee on 14
October and by the Finance and General Purposes Committee (FGPC) on 18 October. The
report will support the Audit Committee and Court in their assessment of the effectiveness
of the overall framework of internal control, and will inform the production of the Corporate
Governance Statement for inclusion in the Annual Report and Accounts.
Risk Registers
3. All risks included in the first University Risk Register have been reviewed; the outcome was
reported to and discussed by RMC.
4. The overview Risk Register is profiled against the University’s main strategic objectives.
5. The Overview Risk Register and Risk Management Guidance Manual are published on the
University’s intranet.
6. All Registers allocate responsibilities for mitigating the risks identified to specific individuals.
7. Work on the College, Support Group, and Subsidiary Company Risk Registers has been
completed. Ownership of these registers has been devolved to the relevant management
team, and they are reviewed regularly and on an ongoing basis by RMC.
Other assurances
8. Each Head of College, and Support Group, has signed a positive declaration stating the
key risks that have materialised in their areas of responsibility during the year. RMC has
reviewed these declarations and is satisfied that no major risks relating to the adequacy of
the risk management process have materialised.
9. Planning documents submitted by Colleges and Support Groups continue to take
cognisance of risk assessments associated with achieving budgetary goals.
10. Disaster recovery and business continuity plans are in place to respond to any dramatic
changes affecting the University’s ability to meet its objectives.
11. Risk assessment continues to be a standard requirement on papers for formal University
committees.
12. A risk assurance map has been drawn up by RMC, identifying the sources of assurance
they used to come to their opinion on the University’s management of its key risks. This
map indicates that assurance has been taken from internal audit work for 13 out of 25
(52%) of the risks identified in the risk register.
13. We have also reviewed progress against the route map presented to the RMC (RMC 02-03
5 B) for implementing an embedded risk management culture. We are satisfied that all
items on the map have been implemented as planned.
Conclusion
There is an ongoing process for identifying, evaluating and managing the University’s significant
risks. It is part of a structured review process and is ultimately reviewed by Court. Guidance is
available on how to identify and analyse risk and what the options are to mitigate risks. The risk
management process has matured throughout the year and steps are continuing to ensure that risk
management becomes embedded further as an ongoing process.
Hamish McKay
Chief Internal Auditor
7th October 2004
Annex 2
5C 01
For information: open business
Draft Minutes of the 55th Meeting of the Audit Committee to be
held at 5.30 p.m. on 18 November 2004 in the Lord Provost Elder
Room, Old College
Present:
Dr J. Markland (Convener)
Mr G. Scott
Mr F. Hitchman
Mr J. Stretton
Mr D. Bentley
In Attendance:
The University Secretary, Mr M. Cornish
Chief Internal Auditor, Mr H. McKay
Assistant Director of Finance, Mr J. Taylor
Mr G. Macrae, KPMG
Mr M. Rowley, KPMG
Mr D. Rennie, KPMG
Mr. D. Stainbank, KPMG
Executive Secretary to the Committee, Ms S. Welham
Apologies:
Professor A.D. Milne
The Committee welcomed Mr D. Rennie and Mr D. Stainbank of KPMG who were attending the meeting.
1. Minutes of the Meeting held on 14 October 2004 (Paper A)
The Minutes of the previous meeting were approved as a correct record.
2. Matters Arising:
From 14 October 2004 meeting:
2.1 From Item 3: Internal Audit Annual Report 2003-04: Performance Evaluation (Paper B)
The Committee noted the updated results for the Internal Audit performance questionnaire.
2.2 From Item 7.1: Report 2003-09: Financial and Management Information at College Level (Paper C)
The Committee noted that the Central Management Group had discussed the Internal Audit
report on Financial and Management Information at College level and that the Internal Auditor
had been asked to undertake additional work in this area, as noted in Paper C.
2.3 From Item 7.5: Report 2003-36F: Institute of Geography: Report from Head of College
The Head of the College of Science and Engineering had confirmed that action had been taken
on the remaining recommendations in Report 2003-36F.
ANNUAL ACCOUNTS
3. Draft Reports and Financial Statements for FY to end 31 July 2004 (Paper D)
The Assistant Director of Finance introduced the Annual Accounts for 2003-04. He drew the
Committee’s attention to the External Auditor’s unqualified report on pages 14 and 15 of Paper D.
The Committee went through the draft reports and financial statements in great detail and made a
number of drafting points which would be taken into account when the report was redrafted for
submission to the Finance and General Purposes Committee on 29 November 2004.
[JT]
Finance would consider for the 2004/05 reports whether to increase the information provided in the
Taxation Status section to include some categories that the University was not formally required to
provide.
[JT]
Finance had experienced difficulties in preparing the full amount of information for the external
auditors in a timely manner because of staff illness. The Committee noted the concerns which Finance
and the external auditors expressed about this. Finance, with the assistance of KPMG, would review
operational matters following the completion of the 2003-04 accounts, to improve processes for next
year. The new Director of Finance would be considering such matters as resourcing within his first
few months of appointment. The Committee would wish to receive a report on the outcome of that
exercise.
[JT]
As a separate issue, not connected with the approval of the 2003-04 accounts, the Committee would
welcome a statement from the Finance and General Purposes Committee noting that the University had
considered its financial exposure arising from pensions schemes and that this was adequately reflected
and appropriate action was being taken.
[JT]
The Committee noted that in addition to the annual accounts the University produced some summary
information for inclusion in the Annual Review, which contained extracts from the reports and
accounts. The Committee noted that it was helpful to be clear on the purposes of the various
documents, and to clarify how to obtain the full accounts. The University would discuss relevant
issues with the Convener of the Audit Committee if this seemed appropriate.
[MDC, NALP]
4. Final Corporate Governance Statement for 2003-04 (Paper E)
The University Secretary introduced the Corporate Governance Statement which had been amended to
take account of discussion at the previous Audit Committee meeting and the Finance & General
Purposes Committee meeting held on 18 October 2004 and which had been seen by the Court at a
recent meeting. The Committee noted the supporting documents, including extracts from the
Combined Code on Corporate Governance as amended by the British Universities Finance Directors
Group (BUFDG), and their relationship to the component parts of the Scottish Higher Education
Funding Council’s (SHEFC) Accounts Direction. Subject to a minor change to the opening sentence, the
Audit Committee approved the statement for submission to the University Court as part of the Annual
Financial Report and Accounts.
EXTERNAL AUDIT
5. Presentation by KPMG on Audit Findings and Management Letter (Paper F)
KPMG gave a presentation to the Committee on their Audit findings and took the Committee through
each section of the Report. KPMG noted that the University was at the “top end of the sector” in the
way in which risks were recorded and documented and had “the most robust approach [to risk] in any
institution [with which they were associated]”. The University had made great advances during the
year. The Committee noted that a number of corrections would be made to the final report and made
the following points in discussion:
(i) SHEFC “required” rather than “requested” that Universities specify how they met the
requirements of the principles in Section 1 of the Combined Code on Corporate Governance
issued by the London Stock Exchange in June 1998, incorporating internal control guidance as
amended by BUFDG. Thus far, SHEFC had chosen not to adopt the Committee of University
Chairmen (CUC) Guide for Members of Governing Bodies of Universities and Colleges. The
expectation was that SHEFC would require Universities to comply with the CUC Guide, or to
explain why they differed from its provisions. At the appropriate stage the management action
would be to take the CUC Guide to Court for consideration. (section 4.1, page 11)
(ii) KPMG would discuss with management and the Audit Committee the external auditor’s
responsibility to consider fraud (International Standard on Auditing ISA 240, section 5.2.1,
Pages 16-17) for next financial year.
[JT]
(iii) The Audit Committee would discuss value for money activities during the coming year. (section
5.3, page 18)
[MDC, HMcK]
(iv) The Finance Department had analysed and pursued debts for uncollected funds of subsidiaries
and was actively managing current debt. Management and the external auditors were
considering whether it was now appropriate to write off the irrecoverable debts which were
five-to-six years old, for which full provision had been made.
FOR DISCUSSION
6. Annual Report of the Audit Committee to the Court for FY 2003-04 (Paper G)
Subject to the addition of the topic for its 2004 annual seminar, the Committee approved the Annual
Report for submission to the University Court.
7. Audit Committee Annual Seminar
The University Secretary had discussed the possibility of a joint seminar with his counterparts at
Heriot-Watt University, Napier University and Queen Margaret University College. They had
welcomed the suggestions. The seminar would focus on comparisons of audit committee business and
operation to develop good practice and an external speaker would be invited to make a presentation. It
was hoped to hold the seminar in late March or early April.
[MDC, SMW]
INTERNAL AUDIT
8. Internal Audit Reports
8.1 Report 2003/14: Electronic Receipt of Payments (Paper H)
The Committee noted the report.
8.2 Report 2003/16: Acquisition and Implementation of IS/IT (Paper I)
The Committee noted the report.
8.3 Report 2004/41: Disposal of Waste (2) (Paper J)
The Committee noted the report and that there appeared to be valid justifications for the delays in
meeting some of the delivery dates.
9. Follow Up Reviews
9.1 Report 2002/16F: IT Network Security (Paper K)
The Committee noted the report.
9.2 Report 2002/18F: Estates and Buildings Stores (Paper L)
The Committee noted the report.
9.3 Report 2002/21F: Learning Technology Section (Paper M)
The Committee noted the report.
9.4 Report 2003/22F: Library Ordering Systems (Paper N)
The Committee noted the report.
9.5 Report 2003/35F: Communications and Public Affairs (Paper O)
The Committee noted the report.
10. Internal Audit - Progress Report (Paper P)
The Committee noted the report. It was agreed that the Internal Auditor would hold discussions with
one of the members of the Committee about the scope for sequencing follow-up reviews to pursue high
priority recommendations before those of a lower priority.
[HMcK]
FOR INFORMATION
11. Voluntary Severance Details 2003-04 (Paper Q)
The Committee noted the paper which was reported to the Committee for information as a control
measure. The Committee invited the Court to consider the harmonising of severance reporting
thresholds, which were currently different for SHEFC, the Annual Accounts and the University’s
Policy Statement on Severance Payments. The Committee also invited the Court to consider what was
the most appropriate control process.
[MDC]
12. Law and Regulation Return (Paper R)
The Committee noted the paper which was reported to the Committee for information.
13. External Auditors: Term of Office (Paper S)
KPMG confirmed that they would be prepared to continue in office for a further one or two years if
requested to do so.
[The External Auditors then left the room.]
The Audit Committee, mindful of the need to formally review external audit arrangements at least
every three years, as set out in the SHEFC Code of Audit Practice, considered whether to recommend
the reappointment of the current external auditors. The Committee agreed that it should recommend to
the University Court that the external auditors be reappointed for an extension period of two years:
2004/05 and 2005/06. The Committee needed to conduct a market testing exercise of the external audit
service every five years, at least, and would consider the process for this in the spring.
[MDC, JT]
14. Date of Next Meeting:
The Committee noted that the date of the next meeting was 5.30 p.m. on Thursday 10 February 2005.
15. A.O.C.B.
There was no other competent business.
Ms. S Welham
Executive Secretary
3 December 2004
University of Edinburgh
Summary of Internal Audit service provision
Requested under FOI
| Year | Cost | Supplier |
|---|---|---|
| 2003-04 | £177K | in house team |
| 2004-05 | £182K | in house team |
| 2005-06 | £188K | in house team |
| 2006-07 | £201K | in house team |
| 2007-08 | £215K | in house team |
Kate Crichton
26 February 2009