This is an HTML version of an attachment to the Freedom of Information request 'Financial Memorandum and Internal Audit'.



 
 
 
 
 
 
 
Internal Audit Service  
Annual Report 
2012/13 
Raft Annual 
 
 
 
 
 
 
Internal Audit Service 
the place of useful learning  
The University of Strathclyde is a charitable body, registered in Scotland, number  C015263 
   
 
 
 
 
 
 
 
 
  
 
 
 
 
 
 
 
 
 

Internal Audit Service 
 
               Annual Report 2012/13 
 
 
Table of Contents 
 
Introduction 

 
IAS: Terms of Reference & Structure 

 
Faculty Audits 

Strathclyde Business School 
4
 
Faculty of Engineering 

Faculty of Science 

Summary of Faculty Audit Findings 

Accountability & Assurance Checklist 

Other Audit Reports 
HR/Payroll Review 

University of Strathclyde Students Association (USSA) 

Information Security Review 

Follow-Up Activity 

Value for Money 

Other Work 

Transparent Review/Full Economic Costing 

Risk Management 

Technology & Innovation Centre (TIC) 

Development of the new Finance System 

Quality Control 

Audit Survey 

Client Satisfaction Survey Results 
10 
Freedom of Information (Scotland) Act 2002 
10 
Basis of Internal Audit Opinion 
10 
Internal Audit Opinion 
12 
Appendices  
  
1: 
Analysis of Audit Reviews 

2:  
Customer satisfaction Survey Results 


 

Internal Audit Service 
 
               Annual Report 2012/13 
 
 

1.  Introduction  
1.1 The Internal Audit Annual Report has two key objectives. These are to provide Court and 
the Principal, through the Audit Committee, with : 
 
1)  an independent opinion on the adequacy and effectiveness of the University’s 
arrangements for Governance, Risk Management, Control, and Value for Money; 
 
2)  a summary of the activities and resources of the Internal Audit Service (IAS) during 
2012/13. 
 
1.2 Universities are also required to provide the Scottish Funding Council (SFC) with a copy of 
their Internal Audit Annual Report.  This allows the SFC to have a review of trends and 
common themes, which they then feedback to the sector. 
 
2.  Internal Audit Service: Terms of Reference & Structure 
2.1.  The fundamental role of the IAS is in independently reviewing the arrangements in place 
which: 
 
  Identify, assess and manage risks to support the achievement of organisational 
objectives; 
 
  Confirm the soundness, adequacy and application of the internal control systems; 
 
  Assess the effectiveness and efficiency of operations and ensure that value for 
money is achieved; 
 
  Ensure compliance with laws, regulations, contracts, established policies, 
procedures and good practice; 
 
  Safeguard assets from fraud, irregularity or corruption; 
 
  Provide assurance on the integrity and reliability of financial and other information 
provided to management and stakeholders, especially that used in decision making. 
 
2.2.  The IAS has no executive role, and has no responsibility for the development, 
implementation or operation of systems. The Head of Internal Audit, subject to any 
guidance from the Audit Committee, is responsible for the management and development 
of the IAS. For administration purposes, the Head of Internal Audit reports to the Chief 
Operating Officer.  IAS reports directly to the Audit Committee.  The Head of Internal 
Audit also has direct access to the Convener of Court, the Convener of the Audit 
Committee, the Treasurer and the Principal.  


Internal Audit Service 
 
               Annual Report 2012/13 
 
 
2.3.  The IAS operated with a complement of 2.6 FTE staff in 2012/13. All staff are CCAB 
qualified and have relevant experience of internal and external audit in large organisations. 
 
3.  Faculty Audits 
3.1.  In line with the Strategic Audit Plan developed in 2011/12 the key objective for this year 
was to complete the reviews of the four academic faculties. The faculty review process 
involves an audit of every department/area in the faculty and provides a composite report 
on all of the findings to the Dean.  This was achieved with the reviews of the Business 
School, Engineering and Science Faculties reported to the Audit Committee in September 
2013. This work involved 33 independent departmental/area audits and consumed most 
of the available audit resource for the year. 
 
3.2.  Strathclyde Business School 
3.2.1.  The audit review identified significant weaknesses in financial control, and concerns 
regarding purchasing and procurement arrangements.  Findings also identified 
potentially insufficient monitoring of Tier 4 international students as required by 
UKBA. 
 
3.2.2.  The Faculty has responded positively to all audit recommendations. Two radical reviews 
of operational practices across the Faculty have been undertaken, concentrating on those 
departments where weaknesses were identified. A further progress report will also be 
prepared by the Dean by the end of October 2013. Internal Audit will review progress at 
this point and will also undertake an effectiveness review of all agreed management 
actions in early 2014. 
 
3.3.  Faculty of Engineering 
3.3.1.  The audit did not identify any high level control risks. Common weaknesses were 
identified across the Faculty with regard to the adequacy of asset registers and purchasing 
and procurement.  
 
3.3.2.  The Faculty have accepted all audit recommendations and these are being actioned by 
departments under the lead of the Faculty Executive Team. The Faculty have also 
usefully identified and collated areas of current practice which can be improved from 
the user’s perspective. 


Internal Audit Service 
 
               Annual Report 2012/13 
 
 

 
3.4.  Faculty of Science 
3.4.1.  The audit identified that three departments had no functioning asset register. However 
staff are now being trained with a view to establishing robust asset registers as part of the 
University’s new Real Asset Management system. Fully functioning asset registers should 
therefore be available soon. There were some other weaknesses identified in the 
Faculty, but none with a high risk rating. 
 
3.4.2.  All recommendations have been accepted and an action plan established to address 
these. 
 
3.5.  Summary of Faculty Audit Findings 
3.5.1.  To help inform the Audit Committee’s understanding of the governance and internal 
control environment across the University, a summary spreadsheet of audit findings was 
produced. This indicated the global spread of the different areas of weakness across the 
Faculties on a rudimentary basis.  This spreadsheet will be updated by IAS as 
recommended actions are implemented and will provide an overview of internal control 
and governance arrangements across the faculties. 
 
3.5.2.  Addressing the issues identified from the audit reviews will mean that there will be, for 
the first time, a corporate, consistent and current benchmark of internal control and 
governance arrangements in place across the University. The use of the Accountability & 
Assurance Checklist by Departments will help maintain this level with a minimum of 
direct internal audit involvement. 
 
3.5.3.  During the course of the Faculty audits, IAS also highlighted areas of good practice in 
specific departments in order that these elements could be shared Faculty-wide. 
Examples included efficient monitoring arrangements in place for Tier 4 students, 
excellent governance arrangements and robust budgetary control practices. 
 
3.6.  Accountability & Assurance Checklist 
3.6.1.  Critical to the whole Faculty audit approach was the roll out of the self-assessment 
checklist developed by IAS. This clearly identifies the key areas of internal control and 
governance for departments and is cross referred to current University policies, 


Internal Audit Service 
 
               Annual Report 2012/13 
 
 

procedures and guidelines. The Checklist was well received by departments and the 
intention is that this will now be used by them on an annual basis.  Going forward, this 
will allow Heads of department to provide statements of assurance to the Dean on the 
adequacy of internal control and governance arrangements, and subsequently for Deans 
to provide assurance statements to the Principal. 
 
3.6.2.  The annual Accountability and Development Review process undertaken by all staff also 
allows for serious weaknesses in governance and internal control to be taken into 
account in assessing staff performance.  
 
4  Other Audit Reports 
4.1  HR/Payroll Review 
4.1.1  The HR/Payroll system operates effectively in terms of ensuring that staff are paid 
accurately and timeously thanks to controls put in place by Payroll and HR staff. However 
during the audit process, a number of areas of concern were highlighted and 
recommendations have been made which would improve control arrangements, working 
practices, compliance with legislation and value for money considerations.  
 
4.1.2 
A management action plan was agreed.  This includes a further review of management 
processes and procedures as part of the Unipart Business Improvement Initiative. 
 
4.2  University of Strathclyde Students Association (USSA) 
4.2.1 
The University provides substantial funding to the USSA each year.  In 2012/13, the 
figure was £1.4m.  Accordingly, IAS carries out annual reviews of differing aspects of the 
Association’s internal control and governance arrangements. A number of operational 
control weaknesses were identified, especially regarding purchase order authorisation and 
invoice certification procedures. These have been accepted by USSA and plans have 
been put in place to address audit recommendations. 
 
5  Information Security Review 
5.1  At the request of the Audit Committee, Ernst & Young undertook an information 
security review, focussing on the Science Faculty.  The report noted a number of areas of 
good control and the current development of a range of initiatives designed to bring 
about greater consistency in the management and protection of important University 


Internal Audit Service 
 
               Annual Report 2012/13 
 
 

information.  However, there were also a number of information security risks identified 
that may need a stronger approach from a policy and governance perspective. 
 
5.2  An action plan to address the recommendations arising from the report has been agreed 
with the faculty and central IT. 
 
6  Follow-Up Activity 
6.1 A report on outstanding actions from audit reports was presented to the Audit 
Committee in March 2013.  The Committee requested that future Management Action 
Tracker Reports provide clarity on the criticality of partially completed actions and an 
estimated completion date.  These changes will be effected for 2013/14 follow up activity 
reports.  
 
7  Value for Money 
7.1  Ensuring that the University receives best value from its use of resources is a key objective 
in all audit reviews. There were clear value for money issues identified in a number of 
audit reports, especially the procurement elements of the Faculty reports. As a direct result 
of the audit work carried out in the Business School a review of procuring contractors has 
been initiated with a view to ensuring that a consistent and transparent approach is adopted 
across the Faculty. 
 
8  Other Work 
8.1  Other areas of audit review in the year included: 
  REF: ongoing review of risk management arrangements and supporting 
documentation. 
  Efficient Government Return: validation of the figures used to provide the 
University’s estimated efficiency gains to the Scottish Government. 
  Estates Development Framework: ongoing monitoring of major EDF projects 
throughout the year. 
 
9  Transparency Review/Full Economic Costing 
9.1  During 2012/13, IAS has continued to review the steps taken by the University to ensure 
compliance with the requirements of the Transparent Approach to Costing (TRAC). 


Internal Audit Service 
 
               Annual Report 2012/13 
 
 

Regular meetings were held with the fEC Accounting Manager to keep up to date with 
developments and modifications to the TRAC process and consider how these would 
impact on the audit process.  The final TRAC return to be signed by the Principal was 
audited and assurance provided on the methodology and accuracy of the figures. 
 
10 Risk Management 
10.1  Risk management is becoming embedded in most departments across the University.  
The faculty audit approach has further contributed to this process through face to face 
meetings with all Heads of Departments at which the necessity of managing risk was re-
enforced and the University process clarified.  An action plan to address areas of 
weakness in departmental risk registers has been agreed with the Heads of Department.  
Many of the actions have already been addressed and the others will be shortly.  This will 
set the standard of 100% compliance across the faculties. 
 
11 Technology & Innovation Centre (TIC) 
11.1  The Head of IAS meets regularly with the Head of the TIC project and the Capital 
Accountant.  Performance and Risk Management arrangements are kept under review 
throughout the year. 
 
12 Development of the new Finance System 
12.1  During 2012/13, a member of the IAS team has been involved in several of the design 
workshops for the University’s new Finance system, due to be implemented in August 
2014. Drawing on cumulative experience of financial and operational systems from 
across the University, and specifically the findings from the Faculty audit reviews, IAS has 
communicated weaknesses identified by past and current audits. The Senior Auditor will 
be actively involved as part of the Finance User Group during 2013/14. 
 
13 Quality Control 
13.1   The Public Sector Internal Audit Standards (PSIAS) became applicable on 1 April 2013. 
The key objectives of the Standards are to: 
  Define the nature of internal auditing within the UK public sector; 
  Set basic principles for carrying out internal audit in the UK public sector; 


Internal Audit Service 
 
               Annual Report 2012/13 
 
 

  Establish a framework for providing internal audit services, which add value to the 
organisation, leading to improved organisational processes and operations;  
  Establish the basis for evaluation of the internal audit performance and to drive 
improvement planning. 
 
13.2   Whilst the Higher Education Sector is not part of the UK public sector, these Standards 
are principle based and promote a professionally endorsed framework for the approach 
of an Internal Audit service. IAS has reviewed the Standards and intends to adopt them 
into its audit practice commencing 2013/14. 
 
13.3  The Council for Higher Education Internal Auditors have engaged BDO to develop an 
assessment tool for Internal Audit Services in the Higher Education sector. It had been 
expected that this would be available for use in 2012/13, however the project has been 
further delayed.  If available, IAS will use this in 2013/14, but if not, another 
methodology will be identified and applied in agreement with the Audit Committee. 
 
14 Audit Survey 
14.1  The British Universities Finance Directors Group Annual Audit Survey relating to 
2011/12 was issued in April 2013. The results of the survey are used by a number of 
Institutions to help benchmark both their internal and external audit provision. There 
were 91 responses this year, up from 86 in the year prior. As in previous years, the results 
come with a significant health warning as returns are taken at face value. Examples of 
potential inconsistencies in data interpretation include VAT, direct/indirect costs, and 
staff on-costs. 
 
14.2  This year’s results for the provision of Internal Audit Services are outlined below: 
 
Type of Provision 
2011/12 Average Daily Costs 
(£) 
Accounting Firm1 610 
HE Consortium1 522 
Strathclyde IAS2 301 
 
                                                            
1 British Universities Finance Directors Group, March 2013 
2 Total salary & running cost of IAS Department/ number of audit days (2011/12) 


Internal Audit Service 
 
               Annual Report 2012/13 
 
 

The IAS costs are below the average for Accounting Firms and Consortia. There was no 
separate average costs provided this year for in-house providers. The figures are useful as 
indicative comparative cost differentials for alternative service delivery options. 
Acknowledging the caveat on data integrity, the IAS results are satisfactory. 
 
15 Client Satisfaction Survey Results  
 
15.1  The Client Satisfaction Survey forms part of IAS’s ongoing quality assurance process.  
This year an electronic questionnaire was introduced to improve the user-friendliness 
and response time of client feedback. The feedback received is positive, with 100% of 
auditees finding IAS work to be very useful and 100% stating that the quality and nature 
of the service they receive being very satisfactory. 89% of those who responded also rated 
the standard of reporting as very satisfactory. The number of survey forms returned to 
date is 8 for 2012/13. The collated results of the Client Satisfaction Surveys are 
summarised in Appendix 2. 
 
16 Freedom of Information (Scotland) Act 2002 
16.1  During 2012/13, no requests were received for information held by IAS under the 
Freedom of Information Act.  
 
17 Basis of Internal Audit Opinion 
17.1   IAS staff are required to conduct audit activity in accordance with the professional and 
ethical auditing standards set out in the following: 
 
  Public Sector Internal Audit Standards (PSIAS). 
 
  Guidance associated with the Combined Code. 
 
  Committee of University Chairmen Guide for members of HE Governing Bodies. 
 
  Handbook for members of Audit Committees in Higher Education Institutions. 
 
  Government Internal Audit Standards and various ‘Good Practice Guides’ (HM 
Treasury). 
 
  Institute of Internal Auditors Position Statement on Risk Based Internal Auditing. 
 
  Codes and professional standards (Chartered Institute of Public Finance and 
Accountancy). 
10 

Internal Audit Service 
 
               Annual Report 2012/13 
 
 
 
 17.2  Given the breadth and complexity of the systems operated by the University, it is unlikely 
that any annual operational assurance plan would manage to cover all systems for 
managing risk in sufficient depth every year. Consequently, our assessment considers not 
just the work performed in each year, but the work undertaken in prior years.  In 
addition, the IAS Annual Assurance Plan reviews the corporate risks of the University 
against assurance coverage. 
 
17.3 The IAS is required to provide the University Court and Principal, via the Audit 
Committee, with an overall opinion stating whether the University has an adequate and 
effective framework of governance, risk management and control, and has in place 
adequate and effective processes with regards to economy, efficiency and effectiveness.  In 
giving this assessment, IAS can only provide reasonable, not absolute, assurance that there 
are no major weaknesses in the University’s governance, risk management, control and 
value for money arrangements. The primary responsibility of the provision of adequate 
control and the detection of fraud lies with University Management. In assessing the level 
of assurance to be given, we have taken into account: 
  All assurance work undertaken by IAS during 2012/13 and in previous years up to 
finalisation of this report. 
 
  All follow up action taken in respect of audits from previous periods. 
 
  The effects of any significant changes in the University’s control environment. 
 
  The results of consultancy/ad hoc work undertaken during 2012/13. 
 
17.4   No factors have been identified that have impacted on the actual or perceived objectivity 
and independence of the IAS for the year. This is kept under review throughout the year 
and any changes are immediately reported to Audit Committee. 
 
17.5  The IAS is satisfied that the work undertaken to date allows a reasonable conclusion to 
be drawn as to the adequacy and effectiveness of the University’s governance, risk 
management, control and value for money processes.  
 
 
 
11 

Internal Audit Service 
 
               Annual Report 2012/13 
 
 
18    Internal Audit Opinion 
18.1  In our opinion, the University of Strathclyde has appropriate and effective arrangements 
for: 
  Risk Management. 
  Control. 
  Governance. 
  Value for Money. 
 
18.2   It is planned that the programme of regular meetings between the Convener of the Audit 
Committee and Head of Internal Audit will continue in 2013/14. These have provided 
the opportunity for effective and productive discussions on emerging risks and audit 
findings.  
Bill Convery 
 Head of Internal Audit Service 
4 September 2013 
12 

Internal Audit Service 
 
               Annual Report 2012/13 
 
 
Analysis of Audit Reviews 
 
 
       Appendix 1 
 
Review 
Status 
Comments 
Planning 
Fieldwork 
Draft 
Final 
Phase 
Report 
Report 
HR/Payroll 
September 
September 
November 
March  
Report 
to 
Audit 
System 
2012 
2012 
2012 
2013 
Committee 
in 
March 
2013. 
Strathclyde 
October  –  November 
May 
May 2013 
Report 
to 
Audit 
Business 
November 
2012  
2013 
Committee  in  September 
School 
2012 
2013 
Faculty 
of  November 
January 
June 
September
Report 
to 
Audit 
Engineering 
2012 
2012  
2013 
2013 
Committee 
September 
2013 
UKBA 
February 
March 
May 2013 
August 
Included 
in 
Faculty 
2013 
2013 
2013 
Reports 
IT Security  
March 
March 
May 2013 
September 
Expected  in  September 
 E &Y 
2013 
2013  
2013 
2013 
SFC Return 
n/a 
n/a 
n/a 
n/a 
Deferred until 2013/14 
Expenses 
March 
April 2013 
May 2013 
August 
Included 
in 
Faculty 
2013 
2013 
Reports 
Payroll 
n/a 
n/a 
n/a 
March 
Covered  by  HR/Payroll 
2013 
System Report 
Financial 
March 
April 2013 
May 2013 
August 
Included 
in 
Faculty 
Management  2013 
2013 
Reports 
USSA 
March 
June 2013 
August 
September 
Report 
to 
Audit 
2013 
2013 
2013 
Committee  in  September 
2013 
Faculty 
of  February 
March 
August 
September 
Report 
to 
Audit 
Science 
2013 
2013 
‐  2013 
2013 
Committee  in  September 
ongoing 
2013 
Outcome 
n/a 
n/a 
n/a 
n/a 
Deferred  and  is  included 
Agreement 
in 2013/14 Audit Plan 
 
 
Source: IAS Activity Report August 2013
13 

Internal Audit Service 
 
               Annual Report 2012/13 
 
 
Client  Satisfaction Survey Feedback (2012/13 Audits) 
 
       Appendix 2 
                 
General 
Yes 
No 
(%) 
(%) 
Were the Audit Objectives and 
 
 
Scope clearly communicated before 
100 
the start of the audit? 
 
Very Useful 
Useful 
Not Very Useful 
(%) 
(%) 
(%) 
Did you find the Audit process 
 
 
 
useful and added value? 
100 
Conduct & Communication 
Very Satisfactory 
Satisfactory 
Unsatisfactory 
(%) 
(%) 
(%) 
Professionalism of the Auditor 
100 
 
 
Helpfulness of the Auditor 
100 
 
 
Feedback provided during the 
100  
 
course of the Audit 
Explanations of the Findings and 
100  
 
Recommendations 
Audit Report 
Very Satisfactory 
Satisfactory 
Unsatisfactory 
(%) 
(%) 
(%) 
Relevance of Findings 
89 
11 
 
Clarity of Recommendations 
89 
11 
 
Presentation  
100 
 
 
 
Source: Internal Audit Client Satisfaction Questionnaires 
14