Internal Audit Services Unit
Annual Report 2004/2005
Ian Brennan BA FCCA MBA
November 2005
1 Introduction
This is a much shorter annual report than in previous years, reflecting the fact that the
resources available to Internal Audit are considerably reduced from previous levels.
2 Planned Audit Work
2.1 Summary
The following assignments have been issued arising from the 2004/2005 programme
of work. Details are given in Table 1.
Table 1 – 2004/2005 Audit Plan: Completed Assignments to Date
Audit Area
Valuable Collections
Faculty of Education
Full Economic Costing
Conference & Visitor Services
Faculty of Social Sciences
Court Office
Computer Security Review
Faculty of Information and Mathematical Sciences
Faculty of Medicine
Freedom of Information
Administrative Review – Student Recruitment & Admissions Service
2.1.1 Faculty of Education
We carried out a comprehensive review of the internal control system within the
Faculty of Education. The following areas were covered:
• expense claims;
• income;
• assets;
• purchasing regulations;
• variable payroll payments;
• other services rendered;
• discretionary funds;
• financial management;
• management and business planning; and
• building controls.
We noted three Fundamental matters and 20 which we classified as Significant. The
former were as follows:
Personal Transactions: There were a number of instances where staff had used
University funds to purchase personal items and then refunded the money to the
University. We recommended that personal purchases should never be made using
University funds.
Income: We identified a lack of segregation of duties in relation to the handling of
income. There was a risk that monies could be misappropriated and the audit trail
altered to conceal the misappropriation.
Asset Register Maintenance: Our review of items purchased showed a significant
incidence of items not recorded on the asset register. Insufficient information was
recorded against each asset and the information that was recorded was not always
accurate.
The follow up audit which is about to commence will measure the success of
the faculty in implementing the agreed recommendations.
2.1.2 Full Economic Costing
This review was carried out following a report by KPMG which indicated that the
University had two significant issues to address in its system of full economic costing
before it could apply estates charges or use its own indirect cost rate.
The objective of the review was to gain an understanding of the circumstances which
had led the QA team to draw the significant conclusions that they reported and to
determine whether the University had addressed the points raised. This review was
not a full audit of the system – this is currently taking place.
In order to gain an understanding of the system for allocating costs we carried out a
review of the manner in which the two significant issues had been addressed in the
compilation of the return for the year ended 31 July 2004 (submitted to the Funding
Council in January 2005).
We obtained detailed management representations from the Finance Office Costing
Manager and the Assistant Director of Finance with responsibility for full economic
costing as to how they had addressed the two significant points identified in the QA
report.
We then compared the practice outlined in the management representations with the
current regulations as set out in the guidance. Following this we examined the
relevant section of the calculations underlying the return for the year ended 31 July
2004.
We concluded that:
• the practices outlined in the management representations had been followed; and
• the practices adopted were in accordance with the relevant guidance.
2.1.3 Computer Security Review
During the year Internal Audit engaged a specialist firm to identify the gaps between
University practice and best practice in relation to the management of information
security. Following a competitive process Boldon James were chosen to benchmark
University practices against BS7799, the standard chosen by the University as a result
of the Information Strategy.
The main issues can be summarised as follows:
Risk Management: There are shortcomings in the way in which risk is currently
managed in relation to information security. The methodology that the University uses
is not comprehensive. Also, while there is use of risk registers in relation to information
security, there is not a high level corporate risk register, approved by the governing
body, into which the most serious matters from individual risk registers are transferred
and ranked in the context of the University’s overall risk profile and appetite.
Information Security Policy: The University has many policies that govern
information security but there is no structure to the data set, there is no evidence that the
University’s senior management own and drive the policy and there is no evidence that
policy is reviewed on a regular basis to keep up with events in this fast moving area. It
is recommended that policy documents are controlled via a document management
system.
Information Security Infrastructure: There is a need for an Information Security
Officer role that reports directly to senior management and is ultimately responsible for
all information security matters and is given recognised authority across the University.
Also, at present, there is no evidence of proper authorisation procedures for new and
revised information processing facilities. (In the past certain faculties have inserted
measures such as firewalls without the knowledge or consent of the centre).
User Training: There is a need for user training to raise awareness of information
security policy across the University.
Compliance Auditing: The present arrangement whereby there is regular liaison
between Internal Audit and the Computer Emergency Response Team (CERT) staff
to discuss security matters should be formalised and supported by a properly resourced
program of compliance auditing.
Protection against Malicious Software: There is a serious risk from malicious
software arising from the fact that approximately three quarters of staff use unmanaged
client devices which may lack firewall, anti-virus and software patch protection. There
is an urgent need to increase the penetration of managed desktops.
At the time of writing the consultants are about to make a presentation to the
University’s senior IT staff. There may be some fine tuning of the final conclusions but
it is clear that there will be significant challenges for the University in addressing the
issues identified in the review.
2.1.4 Faculty of Information and Mathematical Sciences
This was a comprehensive review of the faculty examining the same areas as were
considered in the review of the Faculty of Education (see 2.1.1 above). The review
showed that in general the faculty was well managed with compliance in most of the
areas which we examined.
The most serious of the issues were as follows:
Asset Register - The asset register was incomplete: some items were not recorded
and some detailed information was missing or incorrect. We recommended that one
person should be responsible for maintaining a complete asset register detailing all
relevant assets. We also recommended that a suitable system should be implemented
so that assets are easily identified and accurately recorded and updated on the asset
register.
Purchasing Training – Only one person (from 22) with delegated purchasing officer
authority had obtained the required level of training. We recommended that only
people who have obtained the relevant training should be provided with delegated
financial authority and that purchases should be sourced by a trained departmental
buyer.
Purchasing – Purchasing procedures were not always observed and there were a
number of occasions where non approved suppliers were used.
Expense Claims – Expense claims were used on a number of occasions to purchase
goods. We recommended that claims should be made for incidental expenses only
regarding costs incurred during travel on University business.
2.1.5 Freedom of Information (FOI)
The Freedom of Information (Scotland) Act (2002) came into force on 1 January
2005. The Act creates significant challenges - it introduces new rights for any person
to access information held by the University. Subject to certain, fairly restricted,
statutory exemptions the University is obliged to supply any information which it
holds on any matter on receipt of a request to do so by any person anywhere in the
world.
The University has set in place a number of initiatives in relation to the FOI
legislation. Specifically we have set up a publication scheme, established a network
of FOI co-ordinators and allocated responsibility for FOI at institutional level to a
team based in the Archives. However early experience indicated that the University
would require more than basic compliance mechanisms if it was to address the
strategic impact of freedom of information upon the institution as a whole. With that
in mind I worked in conjunction with one of the University vice principals to produce
a series of recommendations to the Senior Management Group. These covered areas
such as email management, data protection, quotations and tenders, consistency of
response and reputation management.
The Senior Management Group remitted the paper and recommendations to the
Secretary of Court to devise “an appropriate and proportionate response to the
matters highlighted”. In addition to the measures outlined in the SMG paper I have
also recommended the following additional measures to the Secretary of Court:
• the introduction of a risk assessment process prior to the release of potentially
sensitive information; and
• a procedure whereby a person (or persons) is given recognised authority to
make a final decision as to whether particular information should be released.
The University has attracted press coverage, some of it unfavourable, following the
release of information that had not been recognised as potentially problematic. The
statutory framework leaves the University with very little discretion as to whether
particular information is disclosed. However implementing the measures
recommended would improve the University’s ability to put information released in
its proper context and to respond in the event that inaccurate inferences are drawn
from information released.
During the year the University, in common with many other higher education
institutions, received requests for internal audit reports. Some other institutions have
invoked exemptions in order to withhold this material and the matter has been referred
to the Office of the Scottish Information Commissioner for a decision. However the
legal advice that we received led us to believe that there were no exemptions that
applied and the reports requested should be released in full.
2.1.6 Student Recruitment & Admissions Service
Internal Audit participated in the group which examined the operations of the Student
Recruitment and Admissions Service (SRAS). This was part of the initiative
established by the Secretary of Court to review the operations of AIMS Departments.
The objective of the programme is, in relation to each function, to advise the
Secretary of Court as to the performance of the function in delivering a service that
is:
Responsive: Meeting stakeholder needs effectively
Efficient: Using resources well
Progressive: achieving continuous improvement
Corporate: aligned with the University’s priorities
The final report concluded:
“The key message in relation to each of these categories is:
Responsive: There is clear evidence of staff within SRAS striving to be
increasingly responsive to the needs of stakeholders. Two factors in particular
serve to limit the responsiveness of the department:
• A lack of clarity about what the department has to offer in areas such as
marketing; and
• A lack of functionality from key IT systems
Efficient: There are serious questions about the efficiency of current management
arrangements. There is ambiguity about the line management arrangements for
the Director. There is also a lack of a clear underlying logic for resource allocation
with the department with certain sections appearing generously staffed in relation
to their responsibilities and others lacking sufficient staffing to carry out their roles.
Progressive: There was evidence of a progressive culture within the department
with a number of initiatives designed to improve the manner of interaction with
stakeholders. Clearly this is an area where continuous self improvement will be
the norm – the group identified a number of areas for further development.
Corporate: There are two main obstacles to the ability of SRAS to act in a
corporate manner. Firstly there is a lack of clarity with regard to the University’s
expectations. The department itself identified areas such as CPD where the
University’s objectives must be made clearer. The other obstacle is the fact that
the relationship between SRAS and the Faculties is characterised by a degree of
ambiguity and uncertainty about the respective roles and responsibilities of each.”
The recommendations are currently with the Secretary of Court for consideration.
2.1.7 Conference & Visitor Services (Follow Up)
The programme of agreed action following the original audit identified no
Fundamental areas for improvement but there were 16 areas that we classified as
Significant. The follow up review found that 11 recommendations had been fully
implemented.
The following improvements have been effected as a consequence:
Business Planning: The business plan for the CVSO did not contain performance
indicators, roles and responsibilities of key officers and arrangements for contingency
planning. These matters have now been addressed.
Documentation: Costing documentation has been expanded and is now retained.
Expense claims: Expense claims are now appropriately authorised and submitted
timeously.
Overtime: Overtime has been reduced and work is now prioritised in an attempt to
carry out key tasks during core working hours.
Income: A record of safe income is maintained and safe access has been reduced.
Asset Management: The asset register is now in the correct format and a procedure
has been implemented so that it is kept up to date.
The following matters remain unresolved or partially unresolved:
Pricing Policy: The original audit found that there was no documented pricing
policy. We recommended that a pricing policy should be documented, reviewed on a
regular basis and updated where required. At the outset of the follow up review the
recommendation had not been implemented. In the course of responding to the
review the department drew up a draft policy. This represents useful progress but we
believe that work remains outstanding on this. We have recommended that the advice
of the Finance Office territorial accountant is sought to complete this matter.
Delegation of Authority: There was no up to date delegation of financial authority
form. The most recent delegation of financial authority form, dated January 2003,
does not include the current staff.
Purchasing Expertise: A single Purchasing Officer has not been appointed within
the department and purchasing continues to be carried out by several people. Five of
the eight members of staff have a purchasing card and have purchasing and invoice
payment authority. Purchasing card logs are often inappropriately authorised.
2.1.8 Faculty of Social Sciences (Follow Up)
We identified 34 recommendations which were classified as Fundamental or
Significant. By the time of the follow up review 8 had been fully implemented. The
following improvements were effected as a result:
Waived Fees: There was proper control over waived or reduced fees charged to
conference delegates.
Income Handling: The original audit noted a number of shortcomings in the
handling of income. Following the audit staff with financial responsibilities have
been trained in the correct procedures for recording income.
Reconciliations: Transactions are reconciled against the Finance Office printouts.
Access Issues: Problems with access to the University’s financial system have been
addressed.
Overtime: Controls in relation to overtime were not satisfactory. Overtime is now
pre-authorised.
However there remain many matters of concern that were raised in the original audit
that have not been satisfactorily addressed. The most serious matters are as follows:
Segregation of Duties – Conference Income: The original audit highlighted a lack
of segregation of duties which meant that it would be possible for errors or
irregularities to occur without being detected. The position was unchanged at the
follow up audit.
We were informed that the lack of segregation is compensated by checks that are
carried out at the end of the conference. However, a review of the paperwork would
be difficult to carry out as the records, that is the database and manual records, are
not always complete.
Purchasing Procedures: We had noted a number of breaches of the University’s
purchasing procedures. Quotations or tenders were not sought when it was
appropriate to do so, non-approved suppliers were used and a warranty was
completed with the details of the member of staff rather than in the name of the
University. The position was unchanged at the follow up audit.
Asset Management: We noted a number of shortcomings in asset management - we
were unable to identify a substantial number of acquisitions on the asset registers.
The follow up audit highlighted that there had been no improvement since the
original audit.
Our sample identified instances where essential details (serial number, amount,
budget centre) were not recorded. There was no evidence that asset registers were
checked although we received assurances that this did happen.
Receipt of Goods and Services: The original audit found that receipts were not
always retained for purchases and no other evidence of receipt and checking was
recorded. The follow up audit found that there had been no improvement.
Invoice Authorisation: In the original audit we reported that we could not confirm
that invoices had been appropriately authorised as the delegation of financial
authority form had not been completed or was not provided to us. In the follow up
review, in 10 instances from a sample of 15 the invoice was authorised by someone
other than the budget holder. We were unable to determine whether the authorisation
was appropriate because there is no delegation of financial authorities form in the
Finance Office or the Faculty for financial year 2003/04. In 9 instances, from a
sample of 10 where an order form had been raised, the invoice authoriser has also
signed the order form as purchase officer. In 6 instances, from a sample of 10 where
an order form had been raised, the order number was not recorded on the apron slip.
Duplicate Payments: In the original audit we noted that a duplicate payment was
made when an invoice was sent to the Finance Office twice for payment. Within the
follow up audit we noted a duplicate payment was made when an advance was
obtained to pay a conference fee and an invoice was also processed for the same
payment. The error was only detected when the supplier returned the overpayment.
This situation would not have occurred if the purchasing procedures had been applied
as required.
Discretionary Funds Debit Balances: The original audit found that prior Finance
Office approval had not been obtained for debit balances on two budget centres. In
the follow up audit we found that two budget centres (16464 and 18862) had debit
balances (£17,690.38 and £194.24 respectively). We were informed by the Finance
Office that prior agreement for the deficits was not obtained.
Discretionary Funds: Use of Funds: The original audit found that income which
should have been credited to a discretionary fund was credited to a departmental
running cost budget centre so that it could be used to pay for, for example, a
departmental Christmas meal. Management should ensure that income is credited to
the appropriate budget centre. During the follow up we reviewed a number of
departmental running cost budget centres and found evidence that they were being
used to fund departmental Christmas hospitality and gifts.
Data Protection: Registration forms for courses containing personal data did not
feature any reference to the University’s data protection policies. The follow up audit
showed that the position was unaltered. We also noted that a database held within one
department had not been registered with the Data Protection Officer, in breach of the
University’s policy.
Management of Budget Centres: The original audit found that many of the people
recorded as budget holders were ex-employees of the University, and some of the
budget centres were no longer used (see below). A number of “other services
rendered” budget centres had little or no movement, a zero balance or a debit
balance. The follow up audit showed that the position was largely unchanged with
former employees still being listed as budget holders and many accounts which had
little or no movement over long periods.
Raising Order Forms: The follow up audit showed that the original concerns that
we had raised in this regard had not been addressed. On five occasions, from a
sample of 15, an order form was not raised. In one of these instances this had led to
the University paying twice for the same service.
Overtime Pre-Authorisation: The original audit found that overtime was not pre-
authorised in writing and no record was maintained of all overtime worked. We
recommended that overtime should be pre-authorised in writing and a controlling
record should be maintained of overtime worked so that it can be checked against
overtime claimed, prior to authorisation. The follow up review showed progress on
this matter but there remained one department where overtime was not pre-
authorised.
2.1.9 Court Office (Follow Up)
The programme of agreed action identified five Significant matters which required
attention. Three recommendations had been implemented with one being partially
implemented and the other not implemented.
The following improvements have been effected as a consequence:
Purchasing Procedures: The original audit found a number of weaknesses in the
application of the purchasing procedures. The most serious concerned a decision to
choose the most expensive supplier from a number of quotations which had been
sought. The reason for the choice was not documented. The follow up illustrated
compliance with purchasing procedures.
Expense Claims: We noted serious deficiencies in the application of expense claim
procedures. On occasions the authoriser was not of sufficient line authority in relation
to the claimants. In addition we noted that two senior officers were authorising each
other’s expense claims. The follow up illustrated compliance with the University’s
expense claim procedures.
The main matters of concern remaining are as follows:
Commitment Accounting: Not all commitments were recorded. The member of staff
responsible for updating the financial records was not informed about all transactions.
The record of expenditure, against which printouts were reconciled, was not up-to-
date (due to time constraints and a lack of resources).
Asset Management: The original audit found a number of shortcomings in relation to
asset management, for example, valuable silverware administered by the Court Office
was not recorded on the asset register.
There had been some improvement since the original audit but some issues remain.
For example we found that the register was not updated – the previous Secretary of
Court was still recorded as the asset keeper of one of the assets long after his
departure from the University.
2.1.10 Faculty of Medicine (Follow Up)
The original audit had identified 14 Fundamental matters and 18 Significant matters
which had to be addressed. The follow up showed that three fundamental
recommendations and four significant recommendations had been implemented. The
remainder were either not implemented or partially implemented.
The following improvements have been effected as a result of the original audit:
Duplicate Payments: In the original audit we identified a number of payments to
suppliers that had been made twice, in error. We identified the internal control
shortcoming that made this possible and made recommendations that were designed to
address this. As a result a system has been modified to minimise the risk of duplicate
payments.
Sales Invoices: The original audit identified instances where money had been lost as
a result of a failure to raise sales invoices in respect of conference income. The follow
up audit showed that this matter had been addressed.
Doubtful Debt Recovery: Divisional staff attempted to recover slow moving debts
themselves rather than pass to the Sales Ledger section in the Finance Office.
Following our recommendation this has been addressed.
Income: We noted a number of deficiencies in relation to the processing and
recording of income. Following the audit income is recorded accurately and sequential
numbering is applied to sales invoices issued.
However many matters remain unresolved. The most serious are:
Expense Claims: The system of internal control over expense claims continues to fall
far short of an acceptable standard. From a small sample we identified claims which
included personal travel, claims which were inappropriately authorised (for example
by junior staff), claims which were incomplete as to the detail required and claims
which were made for items which should have been bought through purchasing procedures.
In two instances members of staff repaid monies to the University after Internal Audit
had demonstrated that the expenditure was of a personal nature.
Purchasing Procedures: We noted a high incidence of failure to obtain written
quotations when this was appropriate. We also noted a continuing high incidence of
expenditure with non approved suppliers where there was a readily available approved
supplier.
Conference Fees: There was a lack of control over conference fee waivers which had
been granted. Our recommendation, that there should be an audit trail and appropriate
documentation had not been implemented.
Payroll Overpayments: Due to a clerical error large over-payments had been made
to a number of staff. Letters were issued pursuing repayment totalling approximately
£33,000. At the time of the original audit almost £11,000 was recorded as repaid.
However there was evidence that cast serious doubts upon the accuracy of the records
that were maintained in respect of the overpayments. We recommended that adequate
records should be retained to ensure that accurate payments were made for work done
and that all overpaid amounts should be identified and recovered.
We found no new overpayments but the previous overpayments have not all been
recovered and there are insufficient records to conclude exactly how much remains
outstanding.
Asset Management: The original audit identified that there had been a complete
failure to record assets within the new medical building in a systematic way. The
follow up audit noted some improvement but there remain major shortcomings. We
obtained a sample of 10 recently purchased assets to determine whether they had been
recorded on the asset register. Five items, one reclaimed via expenses, were not
recorded on the asset register (a camcorder, an iPAQ, a portable minidisk recorder, a
transcriber and a scanner).
One item was added to the asset register 10 months after it had been purchased (a
colour printer). It was identified by the department when the asset register check was
carried out. Two items, from a sample of 10 identified from the department’s asset
register, could not be located (a desktop computer and a Viglen hard disk).
Removal and Disposal Procedures: Assets have been removed from the department
without written authorisation from the Head of Division, including a number of sales
to members of staff. We were informed that the sales were agreed verbally. We
recommended that assets should only be removed, sold or disposed of after written
approval has been obtained from the Head of Department. The reason for the removal
should be documented on the asset register.
Payment to Family Member: We identified an additional finding whilst carrying out
the follow up review. A member of staff employed a family member to carry out
casual administrative work and authorised the sundry fee payment form (£171). Other
payments had been made to the family member from other budget centres of which
the authoriser is the budget holder. We were informed that students are also employed
to carry out this type of work (for example, applying labels to envelopes and filling
envelopes) and they are paid the same fee per hour. We recommended that the Head
of Section should be informed of situations where a member of staff is employing a
relative to carry out ad hoc work. Fee payments must not be authorised by an
employee who is a close relative and alternative authorisation must be obtained.
The Secretary of Court has held discussions recently with faculty management in an
attempt to address these issues.
2.1.11 Valuable Collections (Follow Up)
We considered that all of the seven recommendations that we had classed as
“Fundamental” could be regarded as partially implemented. The position in relation to
each of the points was as follows:
Cataloguing: An original deadline of October 2003 for the completion of cataloguing
was missed. Some progress has been made since the original audit and a revised
deadline of 2008 has been set.
Accountability and Responsibility: We identified a lack of clarity with regard to
responsibility and accountability for the maintenance of the University’s artworks
throughout the campus. Following the audit this matter was raised by staff within the
Hunterian and subsequently discussed at the then University Management Group. No
clear conclusion was reached. The position therefore remains that accountability and
responsibility for the maintenance of a comprehensive register has not yet been
established.
Management Information System: We noted that the Hunterian Museum and Art
Gallery lacked a proper management information system and that the management of
loans was particularly badly served. Following the original audit the Hunterian
management sought an external review of procedures and practice and this had
identified the lack of resource as the limiting factor in progressing the
recommendation.
Insurance Cover: In the original audit we identified that the insurance cover did not
match the value of the collections. Since then an overall museum collection valuation
estimate has been obtained. However there remain issues outstanding and discussions
between staff within the Hunterian and the Finance Office are continuing to ensure
that we have the appropriate cover in place.
Location of Collections on Campus: In the original audit we identified that certain
items had not been located for some time. Hunterian staff have been compiling a list
of such “missing” items but they believe that additional resources will be required to
address this issue fully.
Contingency Planning: In the original audit we noted a lack of contingency planning
and risk management. Following the issue of the report a paper recommending a
University-wide course of action was sent to the then Secretary of Court. The issue
was also raised with the Loss Prevention Committee. The matter was not progressed
by the then Secretary of Court prior to his departure.
Resources: Hunterian management were strongly of the view that they had
inadequate resources to address properly the matter of conservation. In the original
audit report we recommended that they attempt to quantify the shortfall. Some
progress has been made but there is as yet no clear indication of the resources that are
required.
Since the report was issued the Secretary of Court has had extensive discussions with
staff within the Hunterian on how to progress the outstanding issues. Management
representations made in April 2005 suggest that genuine progress has been made,
although 'partially implemented' will remain the status of several
recommendations, in that they will be acted upon over time and as resources permit.
2.2 Investigations
2.2.1 Anonymous Allegations
Earlier this year Audit Scotland received anonymous allegations in relation to the
University. The allegations were passed to SHEFC who asked the Secretary of Court
for responses to five specific questions in relation to the allegations. It was clear from
the nature of the allegations that the person making the allegation was likely to be a
member of staff.
At the request of the Secretary of Court I carried out an investigation that was
designed to elicit sufficient information to enable him to respond to SHEFC. A copy
of that response has gone to SHEFC. We have not yet received a reply.
In my report to the Committee two years ago I expressed disappointment that,
following an investigation of a serious irregularity by a senior member of staff,
colleagues who suspected that the person’s conduct was contrary to the University’s
rules did not deem it appropriate to use the University’s policy on public interest
disclosure. Again, in this instance, it would be preferable if members of staff were to
use the University’s policy on public interest disclosure rather than making allegations
anonymously to external agencies. I recommend that senior management consider
how best to publicise the fact that the University has a policy on public interest
disclosure and that staff and students should use it to air legitimate matters of concern.
2.2.2 Dispute with Company
At the request of the Secretary of Court we carried out an investigation into the
University’s dealings with a company which was a spin-out from the Medical
Research Council (MRC). The purpose of the investigation was to assist the Secretary
of Court to form a view upon the legitimacy of a claim from the company that the
University owes it a considerable sum of money. The money was provided for the
purposes of advancing research but remained unspent at the date of the departure from
the University of the member of staff in charge of the research. As at July 2005 there
was a balance of £312,593 on the account into which the funding was paid.
The issue is complex. University rules were not followed in applying overheads to the
monies received from the company and there was a large transfer of expenditure from
the account to a grant account with a lack of supporting working papers. We made
two recommendations to assist the University in managing the claim from the
company. The full report is with the Secretary of Court who is managing the matter in
conjunction with the Vice-Principal (Research & Enterprise).
3 Matters Arising From Previous Work
We continue to monitor progress on matters arising from previous work. This section
outlines the more significant of these.
3.1 Clinical Trials
In last year’s report I noted that there was a considerable amount of work to be done to
establish a suitable regulatory and management framework which adequately protects
the University’s interests in respect of the management of clinical trials involving the
participation of University staff. I have not been able to establish the University’s
progress in setting in place an appropriate framework to manage the risks arising in this
area.
3.2 Risk Management
The obligations placed upon the University by the requirement to comply with the
Combined Code make it necessary for the Court to approve a corporate risk register
which has been compiled by management. The University Court has not yet approved a
corporate risk register which covers the main risks at institutional level.
The lack of a corporate risk register also creates certain difficulties for internal audit.
According to SHEFC, Internal Audit in higher education institutions should be
conducted in accordance with the Government Internal Audit Manual (GIAM). Within
GIAM the starting point for Internal Audit should be the organisation’s own, duly
approved, risk register. Full compliance with GIAM therefore depends upon the
Court’s approval of a corporate risk register.
3.3 Software Licensing
Internal Audit reported upon the follow up to this matter in May 2004. We concluded
that there had been some progress since the original audit but that there was much that
remained to be done to improve the internal control system in this important area.
One of the key recommendations was the appointment of a named senior member of
staff as the person with management responsibility for ensuring University-wide
compliance. This was addressed by nominating the Director of Information Services as
the member of staff with overall responsibility. The Director of Information Services
left the University earlier this year and the Secretary of Court has assumed
responsibility for this matter as an interim measure.
Another key recommendation was the adoption of a University-wide policy on software
licensing. In 2003 the University Court approved a policy which stated:
"All software on computers owned by the University or attached to the University's
network must be properly licensed, and all students, staff and visitors using these
computers must comply with the licence terms. Copying of software contrary to
licence terms is potentially software piracy and may result in disciplinary or legal
action."
The remaining recommendations were being addressed by the University’s Technology
Review Group (TRG). The TRG set up a working group to address this matter. The
TRG has now endorsed an audit tool which should be used to enforce internal control
but work remains to be done to design and implement the processes and controls to
support the use of the tool.
The overall objective of the audit recommendations was to develop a consistent
system of management control across the University. The system was required to
provide reasonable assurance that the institution is not in material breach of software
licensing conditions which would render the University vulnerable to action from
suppliers seeking substantial financial redress. This remains the final objective.
3.4 Physical Resources System
We identified serious problems within the Maintenance Section in Estates &
Buildings in the course of our last audit of this area (April 2002). We reported 39
areas where improvement was required.
Shortly afterwards a senior Administrator was transferred to Estates & Buildings.
Part of his remit was to address the issues raised by the audit. Overwhelmingly,
though, it was clear that many of the problems that we had identified were symptoms
of a common cause: the lack of a proper management information system supported
by sound, well-engineered business processes. The then Director of Estates discussed
the matter fully with the then Secretary of Court and they initiated a project to
develop a new Physical Resources System (PRS). This aimed to address the
underlying problem of the lack of a proper management information system
supported by sound, well-engineered business processes.
It was originally envisaged that the PRS would be a three year project with
implementation of the priority areas taking place during 2004. There has been
considerable slippage from that timetable.
The follow up audit, reported to the Committee this time last year, showed that the
failure to make progress on the PRS had had an effect on the ability of Estates staff to
address the matters identified in the original audit report. However there has been
some progress recently and at a recent meeting of the Project Board for the Physical
Resources project a decision was taken to purchase a software package and a
resourced implementation plan was approved. In the course of that meeting I asked
the Project Manager to ensure that implementation of the audit recommendations is
addressed in the project plan.
4 Statement on the Adequacy and Effectiveness of the institution’s internal control system
The assignments completed this year by Internal Audit have identified a number of
areas where there is scope for improvement in the University’s system of internal
control. The most important matters are detailed in this annual report.
When the recommendations made in these reports have been fully implemented the
system of internal control in the areas concerned will be adequate and effective.
Monitoring of implementation is an integral part of the work of Internal Audit and the
success of departments and faculties in this regard will be reported to the Committee
in due course.
5 Future Planning
The Secretary of Court asked me to prepare an annual plan within the resource
constraints that currently apply to Internal Audit. The plan which we agreed is as
shown below.
                                                                Hours
1 Regularity
    Biological Services                                            20
    Principal’s Office                                             20
    Governance                                                     20
    Full Economic Costing                                          20
    Purchasing                                                     20
2 Risk Based
    Risk 1                                                         10
    Risk 2                                                         10
    Risk 3                                                         10
    Risk 4                                                         10
    Risk 5                                                         10
3 Specialist Support
    Environmental Compliance                                       10
    Security Management & Administration of Corporate Systems      10
    Review 3                                                       10
4 Value for Money
    Use of Storage Area Network                                    10
    Catering & Cleaning                                            20
    Admin Review 2                                                 15
    Admin Review 3                                                 15
5 Capital
    Horizontal Audit                                               10
    Vertical Audit                                                 40
6 Ad Hoc                                                           30
7 Follow Ups
    IBLS                                                           10
    Physical Sciences                                              10
    Education                                                      10
    FIMS                                                           10
8 Completion of Outstanding Work                                   30
Appendix – Statistical Data
New Audits - Recommendations by Category
                    F     S    MA
Total for Year      3    32    19
Previous Year      19    60    30

Key
F    Fundamental
S    Significant
MA   Merits Attention
Implementation of Recommendations – Follow Up Audits
Report                           F     P     N     T     %
Valuable Collections             4    10     1    15    60
Social Sciences                 11    21     9    41    52
Medical Faculty                  8    11    16    35    39
Conference & Visitor Centre     13     2     4    19    74
Court Office                    10     4     2    16    75
Total                           46    48    32   126    56
Implementation of Recommendations – by Category
Status                F     P     N     T     %    Previous Year
Fundamental           9    16    10    35    49    53
Significant          24    27    16    67    56    42
Merits Attention     13     5     6    24    70    67
Total                46    48    32   126    56    51

Key
F    Fully Implemented
P    Partially Implemented
N    Not Implemented
T    Total