Mae hwn yn fersiwn HTML o atodiad i'r cais Rhyddid Gwybodaeth 'Financial Memorandum and Internal Audit'.








Internal Audit Service
Annual Report
2008/2009
 
 
 

 
 

 
 
 

          
 
 

Internal Audit Service 
2008/09 Annual Report 
 
 

      TABLE OF CONTENTS 
 
 
1 INTRODUCTION 


 

IAS: TERMS OF REFERENCE & STRUCTURE 

 

2008/09: AN OVERVIEW OF THE YEAR 

 
 
Governance 5 
Risk Management 

Internal Control Systems 

Value for Money 
10 
Other Work 
12 
 
4 AUDIT 

RESULTS 
14 
 

QUALITY ASSURANCE & PERFORMANCE MEASURES 
14 
 
 

Quality Assurance Arrangements 
14 
 
BUFDG Audit Survey Results 
16 
 
Performance – Balanced Scorecard 
17 
 
Client Satisfaction Survey Results 
18 
 

PUBLIC INTEREST DISCLOSURE POLICY 
18 
 

FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 
18 
 

INTERNAL AUDIT OPINION 
19 
 
 
 
Basis of Opinion 
19 
 The 
Opinion 
20 
 
9 CONCLUSION 

20 
 
 APPENDICES 

22 
 
 
 
 


Internal Audit Service 
2008/09 Annual Report 
 
 
1 INTRODUCTION 
 
1.1 
This Annual Report is intended to meet two objectives: 
 
ƒ  To provide Court and the Principal, through the Audit Committee, with an independent and 
objective formal opinion on the adequacy and effectiveness of the University’s arrangements for:  
 
•  Governance, Risk management and control;  
•  Economy, efficiency and effectiveness. 
 
ƒ  To provide Court and the Principal, through Audit Committee, with an account of the activities 
and resources of IAS during 2008/09. 
 
1.2 
This Report covers the period from 1st August 2008 to 31st July 2009 and the schedule of work for 
the 2008/09 year. It also takes account of work undertaken up to the date of the issue of this report, 
August 2009. 
 
1.3 
The Report is grounded in the whole activity and the work of the Internal Audit Service (IAS), 
whether in terms of formal audit evidence and work, ad hoc/consultancy activity, or evidence 
gathered through being ‘part’ of the Institution as an ‘in-house’ service.   
 

IAS: TERMS OF REFERENCE & STRUCTURE 
 
2.1 
In 2008/09 the Terms of Reference for IAS were refreshed and updated to reflect more accurately 
current practice within IAS and showing clearly alignment with Sector best practice and the 
University’s Agenda for Excellence.  The full revised Terms of Reference for the IAS, approved by 
Audit Committee and Court can be found on the IAS website (www.strath.ac.uk/internalaudit).  
 
 
Mission Statement 
 
2.2 
To deliver a leading internal audit service within the higher education sector. To provide the Principal 
and Court, through the Audit Committee, with an independent and objective assurance and advisory 
service; to evaluate the adequacy and effectiveness of the University’s risk management processes, 
internal control, operations and governance processes, and provide quality advice which adds value 
and assists management at all levels in achieving their objectives that are consistent with the 
University’s strategic plan and agenda for excellence. 
 
 
Responsibilities 
 
2.3 
To provide the required assurance, the IAS will undertake a programme of work based on a 
strategy, authorised by Court on the advice of the Audit Committee. The programme will evaluate 
the arrangements in place:    
ƒ  To identify, assess and manage risks to the achievement of organisational objectives.  
ƒ  To ascertain the soundness, adequacy and application of the internal control systems.   
ƒ  To assess the effectiveness and efficiency of operations. 
ƒ  To ensure compliance with laws, regulations, contracts, established policies, procedures and 
good practice.  
ƒ  To safeguard assets from fraud, irregularity or corruption. 
ƒ  To ascertain the integrity and reliability of financial and other information provided to 
management and stakeholders, including that used in decision making.  
 
 
Independence 
 
2.4 
The IAS has no executive role, nor does it have any responsibility for the development, 
implementation or operation of systems. The Head of Internal Audit, subject to any guidance from 
the Audit Committee, is solely responsible for the management and development of the IAS. 
However, the IAS may provide independent advice on risk management, control, governance, value 
for money and related matters, subject to resource constraints and the need to maintain objectivity.  


Internal Audit Service 
2008/09 Annual Report 
 
 

For day to day administration purposes, the Head of Internal Audit reports to the University 
Secretary. The Head of Internal Audit also has direct access to the Convener of Court, the Convener 
of Audit Committee, the Treasurer and the Principal.  
 
 
Staffing Structure 
 
2.5 
The IAS had a full complement of staff throughout 2008/09; there are three full time posts in the 
department: - 
 
Head of Internal Audit: Clare Urquhart [B.Acc, CPFA] 
 
 
E-mail: x.xxxxxxxx@xxxxxx.xx.xx  
The Head of Internal Audit has overall responsibility for the management and development of IAS; 
the preparation of detailed annual audit plans; liaison with external auditors and other consultants; 
monitoring and review of all the University's management practices, operations, systems and 
procedures; preparation of the IAS Annual Report and ensuring the department's adherence to 
relevant professional auditing standards and the relevant Funding Council’s mandatory 
requirements. 
 
  
Senior Internal Auditor: John Basketter [BA (distinction), CPFA]    
E-mail: xxxx.xxxxxxxxx@xxxxxx.xx.xx 
 
The Senior Internal Auditor is responsible for his own portfolio of audits; carrying out ad-hoc 
investigations as well as deputising for the Head of Internal Audit and assisting in the development 
of the department. 
 
Internal Auditor: Margaret Gray   
E-mail: x.xxxx@xxxxxx.xx.xx 
The Internal Auditor undertakes her own portfolio of audit visits to departments as well as support 
work on other audits undertaken by the audit team and a variety of other work as directed by the 
Head of Internal Audit. 
 
Administrative Support (one day per week): Amanda Reid  
E-mail: xxxxxx.xxxx@xxxxxx.xx.xx 
Administrative support has been provided one day a week to the IAS by  Amanda Reid,  who is 
based within the Safety Services department. 
 
2.6 
Appendix A outlines the summary staff skill set of the IAS during 2008/09. The particular skill set 
which the three members of staff bring to the IAS will continue to strengthen IAS in 2009/10. 
 
 

2008/09: AN OVERVIEW OF THE YEAR 
 
3.1 
There must be sufficient evidence underpinning the IAS annual assessment to the Principal and 
Court to make it reliable. The IAS assurance methodology based on a risk based internal auditing 
approach provides the IAS with a solid basis  in which to  inform Senior Management, Audit 
Committee and Court on two main areas:-  
ƒ  Providing an annual overall independent objective opinion of the adequacy and effectiveness of 
management’s systems regarding governance, risk management, control, and value for money;   
ƒ  Highlighting the added value of the audit process by identifying those areas of the University 
activity which are providing leading examples of excellence, high standards and good practice in 
their management and use of resources; and conversely, those areas which are not yet 
achieving or have fallen short of standards expected. IAS prioritises and reports on those issues 
which require corrective action by Senior Management in either the department or wider 
University. 
 


Internal Audit Service 
2008/09 Annual Report 
 
 
 
GOVERNANCE  
 
3.2 
Our work has covered the arrangements to ensure the effective maintenance and enforcement of 
University policy including Financial Regulations, delegated authority, declaration of interests, fraud 
prevention and we have reviewed arrangements for the implementation of the strategic plan with 
regards, the revisions to the governance framework, decision making, professional services and 
Social Sciences. IAS has also undertaken an overview of current practice against the updated 
Committee of University Chairs (CUC)  Guide for Members of Higher Education Governing Bodies 
published by CUC in March 2009 (Ref: 2009/14). The outcome showed that the University is 
currently well positioned with provision for this area to be reviewed again in 2009, in order to assess 
how the new processes and governance arrangements, currently being introduced, fare against this 
standard measure of good practice.  
   
Strategic Plan Implementation 
 

3.3 
The University is undertaking an unprecedented amount of change within a relatively tight timescale. 
During 2008/09 Audit Committee required assurance that the ultimate proposals that each Strategic 
Review Group would make and present to Court would be generated within a robust and well 
managed framework. Audit Committee requested that IAS review the control mechanisms in place 
with regards three key strategic reviews, namely the review of: 
ƒ Professional 
Services 
ƒ  Social Sciences  
ƒ  Decision Making Structures and Processes 
 
3.4 
The objective of the audit exercise was to obtain assurance that each of these three reviews was 
being conducted in a structured and robust manner enabling informed outcomes to be generated 
which are based on a solid body of evidence gathered through an effective toolkit of project 
management techniques, applied across all three projects. 
 
3.5 
IAS had access to all documentation relating to each of these Review Groups. From our 
independent review of the documentation and discussion with relevant officers, IAS was satisfied 
that these Groups were managed effectively to ensure delivery of the outcomes outlined in each 
Review Groups’ terms of reference. 
 
3.6 IAS 
noted: 
ƒ  Consistency of approach in the management of the key project areas across each of the Review 
Groups. This was seen to be facilitated by regular discussions between the staff servicing the 
Review Groups thereby enabling the sharing of experiences and best practice;  
ƒ  Progression of each of the Review Groups was clearly documented via comprehensive Action 
Logs and Work Plans with actions clearly allocated within specified timeframes and an overall 
monitoring status on the action assigned;  
ƒ  Agendas, notes of meetings/minutes, consultation outcomes were all clearly documented and 
maintained;  
ƒ  Risk Logs were also found to be effectively utilised. IAS found evidence that these were very 
much ‘live’ documents, which were  revised regularly in the light of  the changing dynamics as 
each of  the reviews progressed; 
ƒ  Variety in the communication tools utilised to ensure inclusion of all interested parties (e.g. use of 
designated web pages, workshops, one to one meetings, open meetings, e-mail, strategy 
statements).  
 
Review against revised CUC Corporate Governance Guide 
 

3.7 
The Committee of University Chairs (CUC) has as its first aim, to support the higher education 
sector to develop the highest standards of governance. In 2004, CUC published a Guide for 
Members of Higher Education Governing Bodies which shared current good practice and 
encouraged adoption across the sector. A voluntary Governance Code of Practice was also 
proposed, which it was anticipated, all Institutions would be able to subscribe. The publication was 
adopted as best practice across the sector. An updated Guide (incorporating the Governance Code 
of Practice and General Principles) was published by CUC in March 2009 (Ref: 2009/14).  


Internal Audit Service 
2008/09 Annual Report 
 
 
3.8 
A Corporate Governance Checklist of the key activities and requirements benchmarked against the 
updated CUC Guidance has been produced. IAS undertook an overview of current practice against 
this checklist and reported the results to Audit Committee in June 2009. The outcome showed that 
the University is currently well positioned. It is envisaged that the exercise will be undertaken again 
in 2009/10, as part of the IAS corporate governance assurance work set out in the Internal Audit 
annual assurance plan.   
 
SFC revised Audit Requirements 
 

3.9 
Formal notification by letter, to all Principals and Directors of Scotland’s Colleges and Universities, 
regarding the withdrawal of the Codes of Audit practice, was made by the Scottish Funding Council 
(SFC) on 14th October 2008. The revised audit requirements (internal and external) now fall under 
the ‘Audit and Accounting’ section, contained within the mandatory requirements of the Financial 
Memorandum. An analysis of the requirements compared to current Institutional practice was 
undertaken by IAS with the results reported to Audit Committee in November 2008. The impact of 
the revised audit requirements, on current practices and procedures, from the internal audit 
perspective was found not to be significant. 
 
 
 
RISK MANAGEMENT   
 
3.10 
Given the changing internal and external environments that the University is currently operating 
within, the need to understand and manage risk at all levels throughout the University has never 
been greater. An embedded and robust risk management process adds real value to the University’s 
goal of being a world class technological University. 
 
3.11 
The 2008/09 year has marked a substantial change in the University’s risk management process. 
Following the adoption of the University’s Strategic Plan (2007-2011), departments, faculties and 
CAS areas submitted Strategy Statements in June 2007, followed by implementation updates in 
April 2008. This was part of the development of a University-wide annual strategic planning process. 
To ensure that the Statements could be compared across different departments and areas it was 
considered essential that each area of the University prepared detailed yet importantly comparable 
Strategy Statements. 
 
3.12 
Specific questions and elements of questions within the Strategy Statement Frameworks issued in 
January 2009 were concerned with the department/faculty approaches to the management of risk in 
order to enable the collation of risk management information to be integrated into the strategic 
planning process. Previously Faculties and some CAS areas produced Risk Registers as part of 
their annual reporting cycle. The questions detailed within the Strategy Statement Framework on risk 
were anticipated to replace the templates usually provided and provide more detailed information on 
current risk management practices by the very nature that every department would now be asked to 
consider these questions and provide appropriate responses. 
 
3.13 
During 2008/09, IAS involvement in risk management has been primarily to monitor the development 
of the new process, and to review the effectiveness of the process in practice, to date. IAS provided 
an initial detailed review of the revised risk management approach to Audit Committee in 2008/09 
and has provided advice to colleagues both in Finance Office and Planning in order to ensure that 
the revised approach provides an effective mechanism for capturing and appropriately managing the 
University’s risks both at operational and strategic level. 
 
3.14 
The objective of the IAS review was to review the Departmental and Faculty Strategy Statements 
and assess the feedback from departments with regards the specific questions and elements of 
questions that related to the management of risk. In addition, the Risk Registers produced by the 
seven key budget holders were also reviewed for completeness. 
 
3.15 
IAS found that in general: 
ƒ  The Strategy Statements submitted were highly detailed and informed documents; 
ƒ  Comprehensive SWOT analyses were found to have been undertaken; 
ƒ  There was a positivity communicated in the Strategy Statements regarding the challenges being 
faced.  


Internal Audit Service 
2008/09 Annual Report 
 
 
3.16 
IAS found that the Faculty and CAS Risk Registers did appear in general to be informed from the 
risk information contained within the departmental Strategy Statements, which in turn informed the 
generation of a draft Corporate Risk Register. 
 
3.17 
The collation of risk management information from departments, integrated within the strategic 
planning process, was seen by IAS as a positive step forward by enhancing the robustness of the 
University’s risk management processes and further embedding risk management procedures both 
at operational and strategic levels. 
 
3.18 
Despite specific questions being asked of departments with regards to risk, few departments gave 
complete responses to all questions. Some departments in response to the suite of risk questions 
provided a risk register (predominately CAS departments). Other departments identified 
risks/challenges/issues across different sections of the Strategy Statement. It was also noted that 
there was a lack of evaluation of these risks/challenges/issues with regards an assessment of the 
impact and likelihood of occurrence. As a result:- 
ƒ  The ease of reference to update these risks could be more onerous than if the identified risks had 
been contained within the specific section as indicated on the Strategy Statement Framework.  
ƒ  The lack of evaluation of these risks/challenges/issues with regards impact and likelihood could 
also make it more difficult to monitor progress and assess the effectiveness of the mitigating 
actions. 
 
3.19 
Disappointingly, there was a lack of information provided by departments with regards how risks are 
currently managed and identified. This was seen by IAS as being a particularly useful question, to 
further gauge the risk appetite both at operational and strategic level. The specific reasons for this 
are unclear, however, the question could either have been erroneously omitted  or due to the reason 
that in fact there are no specific processes currently in place within some areas.  
 
3.20 
Some points for consideration as a result of this IAS review included: 
ƒ  Clearer formatting of the Strategy Statement Framework; 
ƒ  Further consideration of alternative formats for capturing risk information within the Strategy 
Statements, in line with best practice; 
ƒ  From the responses received additional guidance would be beneficial to departments with 
regards good practice at operational risk level, advice on ongoing monitoring of risks and clarity 
on escalation procedures; 
ƒ  Given the positive feedback from departments/faculties, future risk management training should 
be developed. 
 
3.21 
In moving forward, the University clearly recognises the importance of an effective risk management 
system and have engaged external experts to assist in the further development of the University’s 
risk management processes and procedures informed by best practice.  
 
  
3.22 
The role that IAS can play within the University’s risk management process requires that the 
independence of the IAS function is maintained. However, within that framework IAS is keen to work 
with University colleagues to further enhance the University’s risk management processes and 
procedures to ensure they fully support the University in achieving its strategic goals. 
 
3.23 
Development of an IT Risk Universe and Register commenced during 2008/09, with further 
refinement via stakeholder participation scheduled for completion early in 2009/10.  
 
3.24 
Finalisation of the IT Risk Register will clarify the resource input required in order to review the key 
IT risks (anticipated to be on a rolling programme).  It is also anticipated that certain key systems 
reviewed by IAS will be further supplemented with some specialised IT audit testing (e.g. HR/Payroll 
System).  As previously discussed at Audit Committee the required specialist IT auditing skills will 
require to be sourced, outwith the IAS team.    


Internal Audit Service 
2008/09 Annual Report 
 
 

INTERNAL CONTROL SYSTEMS 
 
3.25 
In the next twelve to eighteen months, the University will embark on an unprecedented amount of 
change both structurally and procedurally as a result of the implementation of agreed 
recommendations from the various strategic review processes.  The impact of staff movement as a 
result of the ERVS scheme further adds to the change climate.  Whilst the impact of change will 
affect some areas within the University more than others, it is crucial that during the change process 
(and beyond) the University maintains the necessary robust control standards to ensure the 
University operates as efficiently and effectively as possible which is particularly relevant in the 
current challenging economic environment. 
 
3.26 
Internal controls are designed to safeguard assets, maintain accurate and reliable accounting 
information, promote operational efficiency and encourage adherence to prescribed policies and 
procedures.  The University’s internal control environment constitutes the combination of policies, 
procedures and organisational design.   
 
3.27 
IAS has continued both strategic and compliance level work over the University’s control systems. 
IAS has commented on the application, design and appropriateness of some of the control systems 
and processes that manage the strategic and operational risks to the University.  Specific distinct 
control areas included within the assurance plan included financial systems, operational systems 
and IT systems.  
 
 
3.28 
IAS has been actively engaged during 2008/09 in assessing the adequacy of the controls in two 
major projects: e-Procurement and HR/payroll. IAS has participated at both working Group and 
Steering Group level to ensure that robust procedural controls have been considered and put in 
place during the project development lifecycle. 
 
3.29 
IAS has also undertaken development work during the year with regards a potential new approach 
to internal control self assessment including the development of an annual internal Control Self 
Assessment (CSA) questionnaire that could be completed electronically (possibly via Pegasus) by 
departments. It was considered that this would be a useful tool for IAS and would complement the 
University culture of continuous improvement, in line with the Excellence Agenda. IAS noted that a 
number of Institutions have embedded the concept within their management practices, in particular 
a number of international technological Universities.   
 
3.30 
The introduction of the internal CSA questionnaire will act as a useful aid both to departments in 
assessing the robustness of their internal controls and also to IAS (and Audit Committee) with IAS 
utilising the CSA programs for gathering widespread and relevant information about risk and 
controls; enabling audit work to be further focused on high risks, unusual areas and would enable 
horizon scanning by IAS to identify more swiftly common control ‘hot spots’ thus helping to initiate 
swift corrective action. 
 
3.31 
Within each departmental review, a number of key systems are checked and assessed for 
robustness  e.g. budget monitoring, payroll, purchasing, debtors, cash, stock, research contracts, 
asset management, computer arrangements, safety, data protection, freedom of information, ethics, 
disability procedures  and any other area which may be unique to the department under review.  For 
some of the more specialised audit reviews, a more tailored audit scope and programme is prepared 
and undertaken in order to test the robustness of those particular controls. During 2008/09 IAS has 
performed testing and conducted enquiries on various internal controls throughout the University 
and performed assessments of their adequacy and the levels of compliance with them.  
 
EDF Monitoring  
 

3.32 
As a result of our ongoing liaison with senior Estates staff, IAS monitoring of large capital projects, 
has continued to be strengthened with access to the Progress Report Template used by Project 
Managers to track the progress (financial and technical) of each project. During 2008/09 the Audit 
Committee approved the approach which proposed that at each meeting of the Estates Strategy 
Committee, a summary schedule of all active major projects would be received which would detail 
the original (Gateway 1) budget, the current approved budget and the estimated outturn costs. IAS 
was asked to monitor the schedule on a regular basis and report the outcome of the monitoring 








Internal Audit Service 
2008/09 Annual Report 
 
 

exercise to each meeting of the Audit Committee. IAS staff have on-line access to the Progress 
Report Template database used by Project Managers to track the progress (financial and technical) 
of each project.  IAS was therefore able to review, on a regular basis, the status of each project. This 
information can then be used as a basis to trigger further questioning of both Finance and Estates 
colleagues.  
 
Follow-Up Activity 
  
3.33 
It is essential that audit recommendations, once accepted by management, are acted upon.  Follow 
up of internal audit reports and assessing whether agreed action arising from recommendations 
made, has been implemented, is an important aspect of the IAS.  Work has been ongoing within 
IAS to streamline the reporting format of follow up work to Audit Committee. In 2008/09, follow-up 
activity involved a review of 25 reports.  
 
Follow-Up Process 
 
3.34 
Heads of Department are asked to provide, three months following the issue of a final report, an 
update which details progress made on the implementation of agreed recommendations.  This 
process highlights thematic issues more quickly and provides assurance to the Head of Internal 
Audit that departments are taking prompt action in the light of the recommendations made. 
Conversely, it also highlights areas where little or no action has been taken which require further 
investigation by the IAS. This process enhances but does not replace the requirement to undertake 
a full follow-up audit visit to each area.  
 
3.35 
Following receipt of the three month progress report, the IAS visits the relevant department and 
performs audit work which is designed to obtain assurance on the implementation of 
recommendations.  This is achieved through sample audit testing, review of documentation and 
discussions with members of staff. IAS assess the status of the recommendations using a simple 
traffic light basis for reporting purposes e.g. fully implemented (green), partly implemented (amber) 
and not implemented (red).   
 
Follow-Up Results 
 
3.36 
On the completion of the 2008/09 follow-up exercise, it was pleasing to note that for those 
departments receiving their first follow up visit, 90% (139 out of 154) of all recommendations had 
been fully implemented. Comparison with previous years is detailed in the graph below:   
 
1st Follow Up Visit - Number and % Split of Recommendations Analysis
%
0

%
5

140
         9
%
         7
9
120
 - Implemented
100
 - In Progress
         7
r
e

80
 - Not Implemented
b
%
m
2
60
Nu
%
4

40
%
%
         2
%
%
20
       5
       5
        1
       3
       7
0
2009
2008
2007
Audit Year
 
 
 
3.37 
From an overall follow up perspective (i.e. first, second, and third follow up visits), it was noted that 
approximately 87% (181 out of 209) of all recommendations had been fully implemented. 
Comparison with previous years is detailed in the graph below:   
 








Internal Audit Service 
2008/09 Annual Report 
 
 

Overall Follow Up - Number and % Split of Recommendations Analysis
%
7

200
   8
%
180
    
3
  
7
160
    
%
 - Imple mente d
140
    
8
 7

 - In Progress
120
    
   

 - Not Imple mente d
Numbe r 100
%
80
2
60
  2
%
%
%
40
%
    
1
1
  9
4
  
%
 1
 1
20
  5
   
   
     
    
   

    
    
    
0
2009
2008
2007
Audit Ye ar
 
 
3.38 
For those areas where the recommendation was still to be implemented, departments were 
requested to notify the Head of Internal Audit, by a specific date, regarding implementation of the 
outstanding recommendations.  A summary showing the themes of outstanding recommendations is 
included in Appendix B.  
   
  VALUE FOR MONEY 
 
3.39 
‘The Institution must have a strategy for systematically reviewing management’s arrangements for 
securing value for money’.
   
SFC Financial Memorandum (Mandatory requirement 31) October 2008. 
 
3.40 
The Funding Councils, internal audit practitioners, and audit committees have recognised for a 
number of years, a need to move away from the one off style of Value for Money (VFM) reporting 
towards a more holistic review process.  In this way, management integrates its VFM activities into 
regular management processes (academic and non academic) with the ultimate aim of it being 
embedded in the Institution’s management culture in a similar fashion to risk management.  
 
3.41 
Conducting VFM studies is not the only way to show a commitment to value for money. Existing 
management practices that seek to integrate VFM principles and the active promotion of a culture of 
continuous improvement are two alternative approaches. Conducting a VFM study does not in itself 
demonstrate VFM. This is dependent on the result of the study and on any action taken in response 
to its findings. 
 
3.42 
The University has a number of mechanisms which helps to ensure consideration of the ‘3 Es’ i.e. 
Faculty Policy and Resource Committees, departmental committees, Financial Regulations, 
Purchasing Procedures and Procurement Guidelines, to name but a few.  
 
3.43 
A number of activities can also be identified as giving a wider appreciation of the University’s 
effectiveness than the more traditional market testing and bench marking of service provision. 
Examples of such activities undertaken by the University which can be viewed as facets of 
performance include: 
ƒ  Strategic planning process; 
ƒ  Key performance indicators; 
ƒ  Financial strategy and the budget setting/cost reduction process; 
ƒ  Costing and pricing policies (TRAC/fEC); 
ƒ  National Student Survey; 
ƒ  Course costing and portfolio reviews; 
ƒ  Business process reviews and systems development; 
ƒ  Performance appraisals and career development; 
ƒ Purchasing 
activities; 
ƒ  Programme quality processes. 
 
10 

Internal Audit Service 
2008/09 Annual Report 
 
 
3.44 
Two years into implementation, the Agenda for Excellence has had a very real impact not only on 
the work of IAS but across every area of the University.  Firstly, the self examination opportunity 
provided by the whole exercise has resulted, from an operational viewpoint, in further enhancements 
to day to day work practices to enable areas to do things more efficiently and effectively. Secondly, 
the knock on effect of the changes and reviews being undertaken across all University departments 
and key systems has resulted in changed priorities and enhanced streamlining.  
 
3.45 
The IAS is committed via work contained in our assurance plans to helping the University ensure 
that satisfactory arrangements are in place, via a variety of different mechanisms, to continue to 
promote and secure value for money within the University.  In 2008/09, the IAS has also undertaken 
work with some key University departments. 
 
3.46 
In liaison with Finance Office, Purchasing Services, and Information Technology Services (ITS), IAS 
continues to examine the opportunities for potential savings to the University through increased use 
of electronic commerce.  The University’s e-Procurement Strategy and the introduction of the 
PECOS e-procurement system has many VFM implications for the University. IAS’s involvement 
both on the e-procurement Working Group and Steering Group alongside representatives from 
Purchasing, Finance and ITS, ensures that opportunities are grasped whilst ensuring that the 
associated risks have been identified, measured and managed.  
 
 
3.47 
Work with Estates Management has included attendance by IAS staff at over 14 significant value 
tender openings (>£9M).  As well as ensuring that tender openings follow acceptable procedures, 
IAS involvement continues through to the receipt of the tender evaluation reports to ensure that 
evidence exists to show that the final tender award decisions are delivering best value for money to 
the University.  
 
3.48 
Within each individual departmental audit, VFM is always examined. A sample of significant value 
transactions are traced and evidence sought in the department that all relevant factors have been 
taken into account and best value obtained. Certain decisions made by audited departments in 
2008/09 were again questioned by IAS.  
 
3.49 
The implementation of the reports recommendations helps to ensure that the department can 
provide clearer evidence of providing value for money in its operation.  Where departments are able 
to provide evidence of VFM, then these instances are discussed by the Head of Internal Audit with 
the Head of Purchasing at their regular meetings. IAS staff make a variety of other 
recommendations in departmental audits which contribute towards the achievement of VFM. 
Typically these recommendations will include simplification or changes to departmental procedures 
which reduce the level of duplication which occurs. 
 
3.50 
The IAS is also able to put departments in touch with other departments to consider the sharing of 
another department’s knowledge in a certain area (e.g. departmental budgetary control procedures, 
stock control packages).  The IAS web pages also include a section for good practice templates to 
help facilitate this process further. During 2008/09, further enhancements to the IAS working 
documents have been undertaken.  The audit working papers for each section in the audit 
programme contains a specific check point for the Auditor which amongst other things requires 
specific sign off on any indications of poor value for money. 
 
3.51 
In June 2008, the Head of Internal Audit produced a briefing paper to highlight to Audit Committee 
the current changes in perspective with regards VFM contained within the new 2008 HEFCE 
Accountability and Audit: Code of Practice, and outlined how VFM is currently reviewed within the 
context of the University. Updated guidance was made available from the SFC via the revised 
mandatory requirements to the Financial Memorandum which was published in October 2008. 
During discussion around this paper it was considered that value for money was inherent in the 
University’s Strategy and Excellence Agenda.  In addition, it was recognised that there was a need 
for the University to be able to clearly demonstrate its achievements with regards value for money by 
producing a value for money strategy/policy as well as an annual report which would pull together 
and highlight value for money activities and initiatives.   
11 

Internal Audit Service 
2008/09 Annual Report 
 
 
3.52 
The Finance Director and Head of Internal Audit have had ongoing discussions with respect to VFM 
during 2008/09 and a review has also been made of practices from other Institutions and best 
practice guidance. Three papers on Value for Money were prepared for consideration by Audit 
Committee prior to full discussion and approval by University management. The papers presented 
included a draft strategy, draft annual report format and draft reporting templates to collate VFM 
initiatives across the University. 
 
3.53 
The VFM agenda is a key enabler in helping the University fulfil its ambitions detailed in its Strategic 
Plan as it seeks to appraise and challenge not only current performance but also current working 
practices. A VFM Strategy should therefore be viewed alongside the other enabling strategies within 
the corporate planning framework. 
 
3.54 
During 2008/09, the University has been considering the best way to consolidate details of its VFM 
arrangements into a more formal strategy and reporting document. A VFM Champion (a senior 
member of Finance Office staff) has been identified to further progress the effectiveness of the 
current VFM reporting arrangements during 2009/10. 
 
  
 
OTHER WORK 
 
 
  
Transparency Review/Full Economic Costing 
 

3.55 
During 2008/09, IAS has continued to review the steps taken by the University to ensure compliance 
with the requirements of the Transparent Approach to Costing (TRAC).  Work during the year was 
split into two areas; review of the annual Transparency Review Return (TR) and review of the 
ongoing process of refining the TRAC model in line with the guidance.    
 
3.56 
IAS has regular meetings (normally monthly) throughout the year with the fEC Accounting Manager.  
These meetings provide a useful forum for IAS to be kept up to date with developments and 
enhancements to the TRAC model and it enables the fEC Accounting Manager to obtain an audit 
perspective on any proposed changes and enhancements based on the most recent guidance to the 
sector. During several of these meetings, the Auditor met with the fEC Accounting Manager and 
specifically reviewed the collation of the TR Return for 2007/08 and the Quality Assurance and 
Validation (QAV) documents.  
 
3.57 
There is an increased focus on the use of TRAC data in ensuring the sustainability of both Teaching 
and Research. In December 2008, a letter from the chair of the new Financial Sustainability Strategy 
Group was issued to all heads of higher education Institutions in England, Wales, Scotland and 
Northern Ireland emphasising the importance of the TRAC data and the need to carry out validation 
and reasonableness checks of the data produced. Additional checks have been built into the TRAC 
return to ensure that reasonableness of the data is considered and there is now a requirement to 
submit a written commentary where certain criteria are met.   
 
3.58 
During 2008, audit work has been undertaken to review the updates to the TRAC model as specified 
in the Guidance and also with regard the completion of the 2007/08 TAS exercise. Work has also 
been undertaken in reviewing:  
ƒ  The Income model which is used for allocating income across the five reporting categories and 
the implementation of the Guidance updates; 
ƒ  The expenditure model which is used for allocating costs across the five reporting categories and 
the implementation of the Guidance updates; 
ƒ  The TRAC adjustments (infrastructure, which compensates for the understatement arising from 
the use of historic costs and the Return for Financing and Investment (RFI), which introduces a 
cost associated with risk and development). These adjustments which are required to be made to 
the financial statements figure, were also verified, both in terms of the basis to be applied and the 
actual calculation; 
ƒ  Approach taken by the University with regards charge out rates for Laboratory Technicians and 
Major Research Facilities (MRF); 
ƒ  The Estates Driver information including the weighted space calculation; 
ƒ  The charge out rates for Research. 
12 

Internal Audit Service 
2008/09 Annual Report 
 
 
3.59 
Audit testing of arrangements for the 2007/08 Transparency Review Return and on the general 
progress of the University meeting the TR requirements proved satisfactory. Review work has 
provided further evidence of the enhancement and refinement of the University’s calculations to 
implement the TRAC methodology robustly and comply with the TRAC Guidance. The outcome from 
the QAV review undertaken in July 2008 has also confirmed this IAS viewpoint. IAS will continue to 
monitor and review closely developments in this area during 2009/10.  
 
3.60 
HEFCE developed TRAC (T) to collect more detailed information on expenditure on teaching split 
across HESA cost centres. TRAC (T) became mandatory in England and Wales from 2006/07. The 
SFC confirmed that TRAC (T) would continue to be a voluntary exercise in Scotland for 2007/08, 
with the deadline for voluntary submission being April 2009.  IAS has reviewed the TRAC (T) 
methodology developed at Strathclyde to ensure compliance with current sector guidance. The work 
undertaken to date has proved satisfactory.   
 
EU Grant Certification 
 
3.61 
IAS also continues to undertake the audit certification of EU 6th Framework grant claims.  This has 
again proved both challenging and interesting given the diversity and complexity of contracts in 
which the University has been involved in, over the past year. The involvement of IAS has saved the 
University from the direct cash costs of external audit fees. The IAS is the only in-house Internal 
Audit Service in Scottish Higher Education currently undertaking such certification work.  Audit work 
undertaken in this area however compliments the audit review work undertaken within departments, 
particularly with regards procurement practices and expense claim certification controls. 
 
3.62 
During the course of 2008/09, a total of 52 claims (32 claims in 2007/08) amounting to c£3M, have 
been reviewed by IAS and an appropriate audit certificate, in accordance with EU guidelines has 
been provided. During 2008/09, the University‘s procedures for the compilation of EU claims 
(including audit certification) was again reviewed externally by EU appointed Auditors. The outcome 
of the review concluded that the EU Auditors were fully satisfied at the current systems and 
procedures in place within the University. During 2008/09, the Head of Internal Audit has also 
attended the Full Economic Costing Working Group EU subgroup meetings to provide audit related 
advice in relation to the more complex 7th Framework contracts. 
 
Benefits Case and Baseline Methodology (e Procurement) 
 
3.63 
The Benefits Case and Baseline Methodology were discussed by the University’s e-Procurement 
Steering Group at its meeting in December 2008. The Chair of the Steering Group suggested a 
review by IAS of the baseline measurement and benefits tracking calculations as calculated by the 
e-Procurement Project Team. This was discussed with the Convener of Audit Committee and a 
detailed review was undertaken by IAS resulting in a number of areas of improvement identified. 
 
3.64 
Three key recommendations were made which included a ‘checklist’ of measurement steps for both 
the ‘Best’ and ‘Worst’ processes produced by the Project Team to help ensure consistency in the 
core data being measured and costed. On agreement of the checklist, a ‘levelling out’ exercise was 
recommended to be undertaken by the Project Team on the data collated from the phase 1 
Departments, to ensure consistency in approach and thus allow the revised baseline figure to be, 
where necessary, adjusted and finalised. As an enhancement to the validation process, it was 
recommended that IAS should undertake to review the departmental process maps and costings 
provided by the Project Team for some of the departments, prior to the details being incorporated 
into the overall baseline calculation. All three areas identified by IAS were accepted by the Steering 
Group and have now been actioned by the Project Team. 
 
Ad Hoc Activity 
 
3.65 
The University, through its in-house IAS, has scope to utilise the varied skills set of the audit staff to 
provide advice on wider organisational development activity. This activity whilst reported to the 
University’s Audit Committee, may not result in formal reports and may take the form of ‘consultancy’ 
within the terms recognised by HM Treasury.  This activity however can contribute to the Head of 
Internal Audit’s annual opinion. 
 
13 

Internal Audit Service 
2008/09 Annual Report 
 
 
3.66 
During 2008/09, IAS has also undertaken a variety of other work which has contributed to our 
annual assurance opinion. A listing of some of our ad hoc activity is detailed in Appendix C. 
 

AUDIT RESULTS  
 
4.1 
The Service sets out an Annual Assurance Strategy and Plan. This plan is amended and flexed to 
account for the Audit Committee and University’s requirements and to make adjustments to the 
timing of the audits to provide the most effective assurance to assist both the Audit Committee and 
the University management. The Service also flexes the plan to meet the Audit Committee 
requirements specifically over issues where the Audit Committee wishes to confirm actions to 
address identified or known weaknesses in control. 
 
 
4.2 
The work of the year has encompassed both academic and administrative departments across both 
campuses.  The listing detailed at Appendix D illustrates the broad mix of different types of areas 
which have been reviewed during the course of the year across the key assurance areas and 
provides a summary analyses of the recommendations and overall audit opinion, where appropriate. 
 
4.3 
The plan delivered has varied from that set out at the commencement of the year with variations 
reported to Audit Committee. Each variation has been to accommodate Audit Committee or 
management requirements and the Service has taken a judgement to defer or reschedule work and 
done so on the basis of enhancing the overall assurance, given changing circumstances, provided in 
this report. A summary analysis of the assurance plan delivery is detailed at Appendix E.  
 
 
4.4 
The common themes which emerged from the departmental audits undertaken during 2008/09 
include some instances where: 
ƒ  Departments bypassed the University’s commitment accounting system; 
ƒ  Departments showed unfamiliarity with the University’s Purchasing Manual with regard to 
invoices not being signed or authorised correctly; 
ƒ  Departments showed some unfamiliarity with the University’s tendering procedures and the 
requirement to complete, where appropriate, a single source justification form; 
ƒ  Good housekeeping practice of scoring through unused lines on purchase orders was not always 
being performed;  
ƒ  Departments did not always have evidence to demonstrate that purchase orders/invoices are 
matched to goods received notes; 
ƒ  The University’s pro forma forms for disposal of assets was not always completed and 
authorised; 
ƒ  Departments had no mechanism in place for recording and monitoring the safety training of  
members of staff; 
ƒ  Departments did not always have sufficient evidence to demonstrate compliance with the 
University’s data protection policy. 
 
4.5 
Pleasingly, 2008/09 saw an increase in the number of audit reviews where an overall  ‘Satisfactory’ 
audit opinion could be placed on the reviews undertaken and as detailed at 3.36 the percentage of 
audit recommendations implemented at the time of the first follow up visit stood at a satisfactory 
90%. 
 

QUALITY ASSURANCE & PERFORMANCE MEASURES 
 
QUALITY ASSURANCE ARRANGEMENTS  
 
5.1 
During 2006/07, HEFCE in collaboration with CHEIA launched a self-assessment toolkit aimed at 
enhancing and developing internal audit practice across the higher education sector. Three in-house 
internal audit providers piloted the tool during 2006/07. Using feedback from the pilots, CHEIA 
agreed a definitive version of the tool for use to assess the 2007/08 year. This was again reviewed 
and updated during 2009 (taking into account the International Professional Practices Framework 
launched by the IIA in January 2009).   
14 

Internal Audit Service 
2008/09 Annual Report 
 
 
5.2 
The tool is a spreadsheet based assessment comprising of 60 questions, against which the 
assessor rates the audit service on a four point scale as either Best Practice, Good Practice, 
Partially Compliant or Potentially non-Compliant. Responses to these questions are then weighted 
across the six assessment categories resulting in a web diagram which illustrates the department’s 
operating position across the six criteria: due professional care; strategy; methodology; people; 
independence and quality assurance.  
   
 
5.3 
In 2008, the respective heads of the audit services of the original pilot Universities; Newcastle, 
Durham and Edinburgh, were joined by the Head of Internal Audit to participate in a four way 
independent review of the quality of the audit services provided at each of these Institutions.  The 
Secretary to the University and the Convener of Audit Committee both welcomed IAS’s participation 
in this process. The purpose and spirit of the review process was seen to be very much in line with 
the University’s Agenda for Excellence.  In July 2009, CHEIA included Strathclyde University within 
the peer review group to include four other Institutions (Durham, Edinburgh, Newcastle, and 
University of West of Scotland (UWS)). 
 
5.4 
The 2009 peer review process, similar to the 2008 review, involved completion of the revised 
electronic toolkit with submission to reviewers of all necessary evidence to support the assessment 
category identified in the toolkit.  Review of the individual toolkits and the submitted evidence was 
then undertaken by the other four Heads of Internal Audit with a face to face meeting held at 
Edinburgh University in July 2009 for all participants to seek clarification on any issues 
independently identified by the peer reviewers.  The outcome from the process is peer validation of 
the assessment categories generated via the toolkit.  
 
5.5 
The internal audit self assessment tool provides a percentage score, with 100% representing best 
practice. The results of the 2009 review of the IAS (including the 2008 results for comparison) are 
detailed below with the resulting web diagram for 2009 illustrated in Appendix F: 
 
Criteria IAS 
IAS 
2009 (% score) 
2008 (% score) 
Due Professional Care 
93 
80 
Strategy 93 
75 
Methodology 95 
77 
People 92 
70 
Independence 97 
84 
Quality Assurance 
90 
75 
Overall Average 
93 
77 
 
5.6 
These gradings have been agreed and validated by the heads of audit of the four other participating 
Institutions and a formal opinion has been issued by the four respective heads of audit on the IAS 
self assessment to Audit Committee. 
 
5.7 
Comparison of the Strathclyde scores against the average of the Peer review group are detailed 
below:  
 
Criteria IAS 
Ave Peer Review 
2009 (% score) 
Group (% score) 
Due Professional Care 
93 
90 
Strategy 93 
92 
Methodology 95 
90 
People 92 
91 
Independence 97 
95 
Quality Assurance 
90 
89 
Overall Average 
93 
91 
 
15 

Internal Audit Service 
2008/09 Annual Report 
 
 
5.8 
CHEIA’s Development Officer will collate provider scores submitted electronically by mid August 
2009 and these will be presented anonymously for publication at CHEIA’s annual conference in 
September 2009. The scores will be classified according to the level of participation (e.g. self 
assessment, peer review, or evidence based peer review). 
 
5.9 
As can be seen from the above results, the IAS at Strathclyde sits well, however we must never 
become complacent. A detailed action plan has been prepared and throughout 2009/10 measures 
will be put in place to increase our scoring further. The measures to be implemented have been 
reported to Audit Committee. 
 
BUFDG AUDIT SURVEY RESULTS  
 

5.10 
The latest British Universities Finance Directors Group (BUFDG) Annual Audit Survey relating to 
2007/08 was issued in February 2009. The results of the survey are used by a number of Institutions 
to help benchmark both their internal and external audit provision. The response rate of 118 
Institutions from a possible 164 gave a response rate of 72%. Like every year the figures require to 
be regarded with caution as the figures submitted by Institutions are taken at face value (i.e. the 
method of assessing days provided is not necessarily consistent, VAT is not always included in the 
Audit Firms  and the costs of internal staff are most likely not the full economic cost).   
 
 
5.11 
From the most recent BUFDG Annual Audit Survey results, an analysis of the 24 Universities from 
the 118 participating Institutions, where the gross annual expenditure was greater than £200m 
(Strathclyde’s = £210m) indicated that 42% of these Institutions utilised in-house provision of 
internal audit services. 
 
 
5.12 
The BUFDG Survey findings in relation to audit costs is detailed below: 
 
Type of Provision 
2007/08 Average 
Average nos. of days 
Cost per Day (£) 
Annual Costs (£) 
Accounting Firm 
72,110 
122 
589 
In House 
182,994 
574 
319 
HE Consortium 
135,845 
231 
588 
Other Consortium 
41,957 
95 
442 
 
5.13 
The graph below provides an indicator as to the cost of IAS against sector comparators over the 
past four years.  The IAS figure of £257 per day for 2007/08 is considerably lower than the average 
cost per day of the private firms (£589) and also compares favourably with the average cost per day 
(£319) of in-house providers and of Consortium providers whose average cost per day is £581. The 
total average cost per day across all providers is £417.  
 
 
 
Average Cost per Day
600
500
400
£
300
200
100
Private Firm
Consortium
In-House
Strathclyde
Provider
2004/05
2005/06
2006/07
2007/08
 
 
 
16 

Internal Audit Service 
2008/09 Annual Report 
 
 
5.14 
The graph below is concerned with providing a broad indicator of audit coverage relative to the size 
of the Institution. For every one audit day, private firms cover on average almost £1237k of 
University spend. In comparison, for every one audit day undertaken by Strathclyde’s IAS, it covers 
approximately £364k of University spend. Consortium providers cover approximately £665k.   
 
Average Coverage £'000 per Audit day
1000
900
800
700

'000
£

600
500
400
300
200

Private Firm
Consortium
In-House
S trathclyde
Provider
 04/05
'05/06
'06/07
'07/08
 
 
5.15 
The average of all in-house providers is £496k. The figures highlight the difference in audit coverage 
between external providers and in-house providers over the past four years.  The total average 
coverage per audit day across all providers is £635k. 
 
 
 
PERFORMANCE - BALANCED SCORECARD 
 
5.16 
IAS is required to demonstrate clearly to Senior Management and Audit Committee how the 
department measures performance and adds value to the University. Whilst numerous metrics are 
available to measure internal audit performance, the challenge faced is selecting those that are most 
meaningful to the IAS, the University and the key stakeholders.  
 
5.17 
The IAS has always sought to provide its key stakeholders with a set of performance measures 
which are appropriate to their needs and circumstances. Throughout the years these performance 
measures have evolved in line with both key stakeholder expectations and with sector best practice. 
The agreed performance measures are reported at various times (within the IAS Activity Report and 
more fully within the IAS Annual Report) throughout the audit year.  
 
5.18 
The change in SFC Code of Audit Practice in 2008, further alignment of IAS with the University’s 
excellence agenda and recognition of renewed guidance within the 2008 Committee of University 
Chairs (CUC) Audit Committee Handbook, Institute of Internal Auditors (IIA) and other professional 
Institutes, provided an opportunity during 2008/09 for the IAS performance measures to be re-
examined. As part of this exercise refreshment of the department’s reporting protocol was also 
undertaken.  
 
5.19 
A balanced scorecard framework can be used as an effective tool to link the IAS Strategy to its 
performance management system. The balanced scorecard is intended to align the mission and 
work of the Service to that of the University, whilst still remaining an independent function. In 
addition, the goal of a balanced scorecard (in a similar fashion to the CHEIA Quality Assurance 
toolkit) is to raise performance in all areas, not one area at the expense of another.   This focuses 
performance measures on those that add strategic value to the University and are aligned to the 
various internal and external stakeholders of the Service.   
17 

Internal Audit Service 
2008/09 Annual Report 
 
 
5.20 
The year 2008/09 has therefore been partly a transition year as the department moved from the 
previous format of performance reporting to the new format (agreed by Audit Committee in June 
2009). Information on performance for 2008/09 has been mapped where possible onto the refreshed 
performance measurement balanced scorecard and supporting metrics for IAS, as detailed in 
Appendix G.   
 
CLIENT SATISFACTION SURVEY RESULTS  
 
5.21 
The lasting impression which audited departments have after the completion of an internal audit is a 
key factor. Since 2006/07, a Client Satisfaction Survey has been issued by the Head of Internal 
Audit at the end of each audit exercise to the Head of Department/Director of the client department 
with the completed survey returned to the secretary to Audit Committee. The secretary to Audit 
Committee then passes a copy of the completed survey to the Head of Internal Audit for review. The 
Client Satisfaction Survey forms part of IAS’s ongoing quality assurance process. IAS aims to move 
the Client Satisfaction Survey onto an electronic format for 2009/10. 
 
5.22 
The collated results of the Client Satisfaction Surveys for 2008/09 completed to date are detailed in 
the table below:  
 
 
Highly 
Satisfactory 
Unsatisfactory 
Satisfactory 
 
 
(%) 
(%) 
(%) 
1. GENERAL 
 
 
 
 
How would you rate the overall usefulness of 
40 60   
the audit?  
 
Explanation of audit objectives 
60 
40 
 
 
Professionalism of Auditor carrying out the work 
60 
40 
 
2.  QUALITY OF AUDIT REPORT 
 
 
 
 
Overall clarity & presentation 
60 
40 
 
 
Relevance of findings and recommendations 
80 20   
reported 
3. TIMING 
 
 
 
 
Duration of audit process 
60 
40 
 
4. COMMUNICATION 
 
 
 
 
Helpfulness of Auditor 
60 
40 
 
 
Sufficient consultation during audit process 
60 
40 
 
 
Consultation on findings & recommendations 
60 
40 
 
 
5.23 
In addition, some Departments have also made use of the facility on the Survey form to supply 
‘’other comments’’ examples of which are as follows: 
ƒ 
‘‘The audit was a very useful exercise and carried out in a very professional way. We felt 
able to share any issues we had and seek support”. 

ƒ 
‘‘The audit was carried out in an unobtrusive and sympathetic manner which was much 
appreciated”. 
 

PUBLIC INTEREST DISCLOSURE POLICY 
 
 
6.1 
During 2008/09, IAS was not involved with any reviews instigated under this procedure.   
 

FREEDOM OF INFORMATION (SCOTLAND) ACT 2002 
 
 
7.1 
During 2008/09, three requests were made for information held by IAS under the Freedom of 
Information Act. The requests were not made directly to the IAS but came via the University’s 
Freedom of Information Officer. Two of these requests had a further supplementary request for 
information from IAS. The Head of Internal Audit’s Activity Report, which is submitted to each 
meeting of Audit Committee, contains, as a standing item, a Freedom of Information section which 
updates Audit Committee members with regards requests to the IAS under the Act.  
18 

Internal Audit Service 
2008/09 Annual Report 
 
 
 

INTERNAL AUDIT OPINION 
 
Basis of Opinion 
 
 
8.1 
In October 2008, the SFC revised its Code of Audit Practice and incorporated the Council’s core 
audit requirements within the mandatory requirements associated with the Financial Memorandum 
(‘Audit and Accounting’). Supporting references to good practice were also referred to, in relation to 
the detailed arrangements for internal audit. IAS staff are therefore also required to conduct audit 
activity in accordance with the professional and ethical auditing standards set out in the: 
 
ƒ  Code of Ethics  and International Standards (March 2004 and as amended for January 2009) of 
the Institute of Internal Auditors (IIA); 
ƒ  Guidance associated with the Combined Code; 
ƒ  CUC Guide for members of HE Governing Bodies; 
ƒ  Handbook for members of Audit Committees in HE Institutions; 
ƒ  Government Internal Audit Standards (GIAS) and various ‘Good Practice Guides’ (HM 
Treasury); 
ƒ  IIA Position Statement on Risk Based Internal Auditing (August 2003); 
ƒ  Codes and professional standards (CIPFA – for members of the relevant CCAB Institute). 
 
8.2 
Given the breadth and complexity of the systems operated by the University, it is unlikely that any 
annual operational assurance plan would manage to cover all systems for managing risk in sufficient 
depth – this is certainly the case at the University of Strathclyde. Consequently, our assessment 
considers, not just the work performed in each year, but the work over the period of a strategic 
assurance plan (in this case three years). In addition, the IAS Annual Assurance Plan reviews the 
corporate risks of the University against assurance coverage. 
 
8.3 
The IAS is required to provide the University Court and Principal via the Audit Committee with an 
overall opinion stating whether the University has an adequate and effective framework of 
governance, risk management and control, and has in place adequate and effective processes with 
regards economy, efficiency and effectiveness.  In giving this assessment, IAS can only provide 
reasonable, not absolute assurance that there are no major weaknesses in the University’s 
governance, risk management, control and value for money arrangements. It should also be noted 
that the primary responsibility of the provision of adequate control and the detection of fraud lies with 
University Management. In assessing the level of assurance to be given, we have taken into 
account: 
ƒ  All assurance work undertaken during 2008/09 and work undertaken in previous years over the 
period of the strategic assurance plan and in the period up to finalisation of this report; 
ƒ  All follow up action taken in respect of audits from previous periods; 
ƒ  The effects of any significant changes in the University’s control environment; 
ƒ  The results of consultancy/ad hoc work undertaken during 2008/09 specified in this report. 
 
8.4 
No factors have been identified that have impacted on the actual or perceived objectivity and 
independence of the IAS for the year. This is kept under review throughout the year and any 
changes are immediately reported to Audit Committee. 
 
8.5 
The IAS is satisfied that our work undertaken to date allows us to draw a reasonable conclusion as 
to the adequacy and effectiveness of the University’s governance, risk management, control and 
value for money processes.  
  
19 

Internal Audit Service 
2008/09 Annual Report 
 
 

The Opinion 
 
8.6 
In our opinion the University of Strathclyde has adequate and effective arrangements for: 
ƒ Governance; 
and 
ƒ Control. 
 
For each audit that has been undertaken during the year, recommendations have been made. The 
implementation of some of these recommendations will continue to improve the University’s control 
and governance systems further.  
 
8.7 
In our opinion the University of Strathclyde has adequate arrangements for: 
ƒ  Risk Management; and  
ƒ  Economy, efficiency and effectiveness. 
 
8.8 
We note that the University has taken considerable steps during 2008/09 to develop the 
effectiveness of both these areas.  The 2008/09 year has therefore been a year of transition. The 
IAS has provided audit advice on both these areas with regards the developing Risk Management 
and VFM frameworks (policy, procedure and reporting mechanisms). 
 
8.9 
It is anticipated that when the actions planned for the University’s Risk Management and VFM 
Frameworks are fully implemented; the University’s arrangements in both these areas will become 
effective. During 2009/10, IAS will seek to review how well the developed frameworks have become 
embedded. 
 
9 CONCLUSION 
 
9.1 IAS 
can and does make a difference. From departments audited, to systems reviewed and advice 
given to the general University community.  
 
9.2 
During the year a wide range of audit work, as illustrated in this annual report, has been performed. 
In addition, the feedback on the conduct of IAS activities from recipients of audit reports, the external 
auditors and audited departments, has remained very positive. Such feedback greatly encourages 
IAS. Participation for the second year in the peer review quality assurance exercise has also been of 
great benefit in assessing the department’s position against sector and professional standards. The 
contribution of every member of the IAS has been significant. 
 
9.3 
This was the fifth full year of IAS working with the Convener of Audit Committee. An effective and 
productive schedule of regular meetings is in place between the Convener of Audit Committee and 
the Head of Internal Audit in order to discuss pertinent issues outwith the scheduled Audit 
Committee meetings. This is supplemented, where necessary, with electronic communication via e-
mail and/or telephone. The Head of Internal Audit appreciates the time given by the Convener for 
these meetings. The continued support given by the Convener to the department throughout 
2008/09 is again very much appreciated.  
 
9.4 
The next financial year sees the University move forward into challenging but exciting times with 
regards the changing operating environment both externally and internally. The 2009/10 year will 
see an unprecedented amount of change internally as the implementation phase of key strategic 
reviews (Professional Services, Social Sciences, Governance and Decision Making Processes) get 
underway. IAS requires to provide assurance to Audit Committee, the Principal and Court that the 
changes and their associated risks are being appropriately managed. 
 
20 

Internal Audit Service 
2008/09 Annual Report 
 
 
9.5 
The aim for 2009/10 is therefore clear. It is to continue to enhance the quality of the IAS and to add 
value to the University. IAS shall provide advice on governance, risk management and internal 
control issues identify and encourage good practice to reduce the opportunities for waste of 
resources, fraud or irregularities which may occur.  IAS greatly looks forward to the challenges 
(known and unknown) which 2009/10 will bring. 
 
 
 
 
 
 
 
 
 

Clare Urquhart 
 
Head of Internal Audit 
 August 
2009 
21 

Internal Audit Service 
2008/09 Annual Report 
 
 
APPENDICES 

 
 

Appendix A    Staffing Skills Analysis 
 
 
Appendix B  

Analysis of Follow Up 
 
 
Appendix C 

Analysis of Ad Hoc Activity 
 
 
Appendix D 

Analysis of Audit Reviews 
 
 
Appendix E 

Assurance Plan Delivery  
 
 
 
 
Appendix F    IAS Quality Assurance Results 2009 
 
 
Appendix G 

Performance against Balanced Scorecard Metrics 
22 

Internal Audit Service 
2008/09 Annual Report 
Staffing Skills Analysis 
Appendix A 
 
Staff Member 
2008/09 
2009/10 onward 
 Current 
Qualifications Skills 
Further 
Further Skills 
Qualifications 
 
 
 
 
 
Clare Urquhart 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
 
 
 
 
  
 
 
 
 
 
 
 
 
 
 
 
 
John Basketter 
 
 
 
 
 
  
 
 
 
 
 
 
 
 
 
 
 
 
 
  
  
 
 
 
 
 
 
 
 
  
 
Margaret Gray 
 
 
 
 
 
 
 
 
  
 
 
 
 
 
23 

Internal Audit Service 
2008/09 Annual Report 
Analysis of Follow Up 
Appendix B 
 
1st Follow Up Visit 
 
No.  Report 
Themes of Outstanding Recommendations 
Ongoing 
Not Implemented 
205 Professional Development  Purchasing. 
Unit 
216  Biological Procedures Unit 
Asset Register. 
 
217  History 
Budgetary Control; and  Safety Arrangements; Budgetary Control; 
Safety Arrangements. 
and Cash. 
220 Modern 
Languages 
Safety  Arrangements;  
Data Protection; 
Staffing – Out of Office 
Working; and Personal 
Consultancy. 
 
2nd Follow Up Visit 
 
No.  Report 
Themes of Outstanding Recommendations 
Ongoing 
Not Implemented 
199 Payables 
Review of Authorised Oracle User Guides; and Invoice 
Signatories. 
Certification. 
201 Security 
Services 
Security  Environment;  
Crime Prevention; 
Computer 
Arrangements; and 
Building Logbooks. 
 
24 

Internal Audit Service 
2008/09 Annual Report 
Analysis of Ad Hoc Activity 
Appendix C 
 
AD HOC ACTIVITY 
Liaison with Management 
ƒ  The HIA has attended meetings throughout the year with the Convenor of Audit Committee, 
Deputy Secretary, Finance Director, Director of Estates, Director of IT Services, Head of 
Purchasing, Head of Safety Services, fEC Accounting Manager, Director and Deputy Director of 
Research and Innovation, Director of Student Affairs, Head of Communications Office, Change 
Management and Strategy Officer (Education Faculty), Engineering Faculty Officer, University’s 
Freedom of Information Officer, Estates Capital Accountant and the Deans; 
ƒ  The HIA has attended CAS Directors meetings re Strategic Plan developments, Holistic Review 
Procurement meetings and workshop, Procurement Process Review Group, Business Objects 
Steering Group, eProcurement Steering Group, Full Economic Costing Working Group EU 
subgroup meeting; 
ƒ  The SIA and IA have attended e-Procurement Working Group meetings to provide audit related 
advice; 
ƒ  The SIA attended an Administrators’ networking event in January 2009; 
ƒ  The IA attended Post Court and Post Senate de brief meetings throughout the year. 
 
External Liaison  
ƒ  IAS staff and the External Auditors have worked together over the years in order to ensure that 
there is co-operation and also to ensure that duplication of audit effort is avoided.  Contact has 
involved meetings (usually three; during the interim audit, year-end audit and at the audit planning 
stage), e-mail communication and telephone calls to discuss issues which effect the two groups of 
auditors. There has again been good collaboration and exchange of information during 2008/09; 
ƒ  The HIA continues to network with colleagues from a variety of Institutions (e.g. Edinburgh, 
Durham, Warwick, Newcastle, University of West of Scotland) via the Council of Higher Education 
Internal Auditors (CHEIA); 
ƒ  The HIA has continued to communicate with her counterparts from the Universities of Twente, 
Melbourne and Charles Sturt University; all of whom have visited the IAS over the course of the 
last two years. There continues to be a good exchange of relevant documentation, of interest to all 
departments; 
ƒ  The HIA and IA attended the CHEIA Northern Regional Meeting at Northumbria University in 
November 2008; 
ƒ  All members of the team attended the CHEIA Northern Regional Meeting at Edinburgh University 
in June 2009; 
ƒ  The HIA and IA attended the Scottish Audit Group meeting held in the Parish Hall, Glasgow in 
April 2009. The Group consists of members from a variety of areas (private and public sector) 
within Scotland. 
 
Conferences 
ƒ  All members of the team attended the annual CHEIA Conference at Warwick University in 
September 2008. 
 
Governance 
ƒ  The Court members Register of Interest was reviewed; 
ƒ  Use of the University Seal was reviewed. 
 
25 

Internal Audit Service 
2008/09 Annual Report 
Analysis of Ad Hoc Activity 
Appendix C 
 
 
AD HOC ACTIVITY (CONTD) 
 
Audit Training and Advice 

ƒ  The SIA undertook a training presentation in July 2009  to incoming Executive members of the 
University’s Students’ Association on the role of Internal Audit particularly in relation to the 
Association and the control standards expected, with regards club accounts and expense claims; 
ƒ  IAS has continued to undertake a number of informal training sessions within departments during 
the course of 2008/09; 
ƒ  In January 2009, the HIA along with the Convenor of Audit Committee and the Secretary to Audit 
Committee provided training to two new members of Audit committee; 
ƒ  The HIA provided advice to the Full Economic Costing Working Group EU subgroup in relation to 
the more complex 7th Framework contracts and the appropriateness and feasibility of moving from 
project costing via the additional cost model to TRAC EC-FP7;  
ƒ  IAS is regularly contacted via e-mail, phone or through the department’s ‘drop-in sessions’, for 
advice.  Advice on a range of matters has been provided to the Dean SBS, Director of the Centre 
for Executive Education, Disability Services regarding ERASMUS funding, Safety Services 
regarding Data Protection guidelines to staff and a variety of other departments with regards 
operational control and policy queries.  Full details of this work are recorded within the IAS 
Advice/Enquiry Log. 
 
Staff Training 
ƒ  In June 2009, IAS staff undertook their annual ‘away day’.  This allowed staff the opportunity to 
take a step back from the routine of auditing to help enhance our administrative and audit 
procedures further, as well as the chance to discuss trends and developments in audit; 
ƒ  Training continued in-house to ensure that all staff are fully briefed in a variety of strategic audit 
matters thus ensuring the knowledge base within the department, in these areas, is not 
concentrated on one individual; 
ƒ  The SIA attended a two day training course on Project Management techniques in September 
2008, provided via the Leadership and Organisation Development Unit; 
ƒ  The HIA and IA attended an intermediate training course, provided by Learning Services IT 
Training Section, on the use of Excel 2003 in October and November 2008; 
ƒ  All members of the team attended updated training sessions on the new Business Objects 
software (utilised by IAS for data interrogation purposes) in November 2008; 
ƒ  The SIA and IA attended an update course provided by CHEIA on Risk Based Internal Audit at 
Newcastle University in December 2008; 
ƒ  The HIA attended the Stress Management Training Course facilitated by Safety Services in 
February 2009; 
ƒ  The HIA and SIA attended an update course provided by CHEIA on IT Audit and Security at 
Edinburgh University in March 2009; 
ƒ  CIPFA continuing professional development work was undertaken throughout the year by the HIA 
and SIA. 
 
 
26 

Internal Audit Service 
2008/09 Annual Report 
Analysis of Audit Reviews 
Appendix D 
 
 Report 
Area of Review 
Audit Opinion 
Key Assurance Category /          
Reference 
Summary of Identified Weakness Areas¹ 
Governance 
Risk Controls VFM 
(Policy & 
Procedure) 

231 Management 
Requires 
√ 
 
√ 
√ 
Improvement 

232 European 
Policies 
Satisfactory 
√ 
 
√ 
√ 
Research Centre 

233 Social 
Statistics 
Satisfactory  
   √ 
Laboratory 

234 SIPBS 
Satisfactory 
√ 
 
√ 
√ 

235 
Pure and Applied 
Satisfactory 
√ 
 
 
√ 
Chemistry 

236 
Centre for Sport and 
Satisfactory 
√ 
 
√ 
 
Recreation 

237 Childhood 
and 
Primary  Satisfactory  
 √ 
 
Studies 

238 Electronic 
and 
Electrical  Requires 
√ 
 
√ 
√ 
Engineering 
Improvement 

230 Principal’s 
Office 
Requires 
√ 
 
√ 
√ 
(including Senior Officer 
Improvement 
expenses)2 
10 
222 VAT2 Satisfactory 
√ 
 
√ 
 
11 
239 Finance 
Function 
Requires 
√ 
 
√ 
√ 
Overview - USSA2 
Improvement 
12 
AC 11/08 
SFC Revised Audit 
N/A  
 
 
 
Paper 6 
Requirements 
13 
AC 11/08 
Value for Money3 Requires 
√ 
 
 
√ 
Paper 7 
Improvement 
14 
AC 11/08 
HR/Payroll 
Satisfactory  
 √ 
 
Paper 5 
Implementation Update3 
15 
AC 11/08 
E Procurement 
Satisfactory  
 √ 
√ 
Paper 5 
Implementation Update3 
16 
AC 4/09 
Review of Baseline 
Requires 
√ 
 
√ 
√ 
Paper 8 
Measurement & Benefits 
Improvement 
Tracking (Pecos Project) 
17 
AC 4/09 
TRAC ( R ) Return 
Satisfactory  
    
Paper 8 
2007/08 
18 
AC 4/09 
Risk Management 
Requires 
√ 
√ 
 
 
Paper 5.3 
Process and Reporting 
Improvement 
19 
AC 4/09 
Overview of Strategic 
Satisfactory 
√ 
 
 
 
Paper 7 
Review processes 
20 
AC 6/09 
Internal Control Self 
N/A  
 
 
 
Paper 6.3 
Assessment 
21 
AC 4/09 
Follow Up x 25 reports 
Satisfactory 
√ 
 
√ 
√ 
Paper 9 
22 
AC 6/09 
CUC Corporate 
Satisfactory  
    
Paper 6.5 
Governance Checklist 
23 
AC 6/09 
HR/Payroll 
Satisfactory 
 
 
√ 
 
Paper 8.1 
Implementation Area3 
24 
AC 6/09 
E Procurement 
Satisfactory 
 
 
√ 
√ 
Paper 8.1 
Implementation Update3 
25 
AC 6/09 
TRAC ( T ) Return 
Satisfactory  
    
Paper 8.1 
2007/08 
26 
EU Grant 
EU Grant  Certification – 
Satisfactory  
 √ 
 
Certificates 
52 certificates issued 
 
 
 
 
 
 
 1 Categorisation of IAS Recommendations: Compliance – linked to Governance; Control Improvement – linked to Controls; Good Practice – linked to Value for Money. 
2  Report currently in draft form. 
3  Audit opinion based on audit work performed to date.
27 

Internal Audit Service 
2008/09 Annual Report 
Assurance Plan Delivery 
Appendix E 
 
 
Audit Assignment 
Audit Status 
Reported to Audit 
Comments 
Committee 
Governance 
 
Strategic Plan 2007 – 2011 
Complete 
Meeting 3 (April 2009) & 
 
(Implementation & Monitoring) 
Meeting 4 (June 2009) 
Compliance PBS of Immigration (Systems 
Ongoing 
Meeting 3 (2009/10) 
Fieldwork ongoing due to 
& Procedures) 
 
evolving legislative 
framework.  Included in 
2009/10 Audit Plan. 
Compliance with Copyright Act 
Ongoing 
 
This area is reviewed and 
reported via specific 
departmental audit 
exercises. 
Ethical Review & Clinical Governance 
Ongoing 
 
This area is reviewed and 
reported via specific 
departmental audit 
exercises. 
SFC Revised Audit Requirements 
Complete 
Meeting 2 (November 2008) 
Added to original 2008/09 
Audit Plan. 
Risk Management Process & Reporting 
Complete 
Meeting 3 (April 2009) 
Added to original 2008/09 
Audit Plan. 
Overview of Strategic Review Processes 
Complete 
Meeting 3 (April 2009) 
Added to original 2008/09 
Audit Plan. 
CUC Corporate Governance Checklist 
Complete 
Meeting 4 (June 2009) 
Added to original 2008/09 
Audit Plan. 
Strategic 
 
TRAC/fEC Implementation (Research & 
Complete 
Meeting 3 (April 2009) & 
 
Teaching) 
Meeting 4 (June 2009) 
e-Procurement/Implementation of PECOS 
Complete 
Meeting 2 (November 2008) & 
 
Meeting 4 (June 2009) 
Payroll/HR System Implementation Review 
Complete 
Meeting 2 (November 2008) & 
Post implementation 
Meeting 4 (June 2009) 
review included in 2009/10 
Audit Plan  
Resource Allocation 
 
Meeting 3 (2009/10) 
Deferred to 2009/10. 
Collaborative Agreements 
 
Meeting 3 (2009/10) 
Included in 2009/10 Audit 
Plan. 
Value for Money 
 
Holistic Reviews – Business Process 
Complete 
Meeting 3 (April 2009) 
 
Streamlining 
Draft University Value for Money Strategy 
Complete 
Meeting 2 (November 2008) 
Added to original 2008/09 
and Reporting Mechanism 
Audit Plan. 
Review of Baseline Measurement & 
Complete 
Meeting 3 (April 2009) 
Added to original 2008/09 
Benefits Tracking (PECOS Project) 
Audit Plan. 
Central & Academic Areas 
 
Finance Office 
 
 
Deferred – Risk Profile to 
ƒ Superannuation 
 
be re-evaluated as part of 
ƒ  Budgeting & Planning 
2010/11 Assurance Plans. 
IRD – Library 
Ongoing 
Meeting 2 (2009/10) 
Fieldwork ongoing – to be 
included in 2009/10 Audit 
Plan. 
Management of IT Audit Review 
Ongoing 
All meetings of Audit 
 
(Outsourced) 
Committee 
EM – Space Management & Planning 
 
 
Deferred – Risk Profile to 
be re-evaluated as part of 
2010/11 Assurance Plans. 
 
28 

Internal Audit Service 
2008/09 Annual Report 
Assurance Plan Delivery 
Appendix E 
 
 
Audit Assignment 
Audit Status 
Reported to Audit 
Comments 
Committee 
HR – Staff Training & Development 
 
 
Deferred – awaiting results 
of Performance 
Management review.  Risk 
Profile to be re-evaluated 
as part of 2010 Assurance 
Plans. 
Safety Services 
 
 
Deferred – Risk Profile to 
be re-evaluated as part of 
2010/11 Assurance Plans. 
Principal’s Office 
Complete 
Meeting 2 (2009/10) 
Draft report due to be 
issued. 
Project Management 
Ongoing 
Meeting 2 (2009/10) 
Fieldwork ongoing – to be 
included in 2009/10 Audit 
Plan. 
Faculty Areas 
 
Strathclyde Institute of Pharmacy & 
Complete 
Meeting 3 (April 2009) 
 
Biomedical Sciences (SIPBS) 
Pure & Applied Chemistry 
Complete 
Meeting 3 (April 2009) 
 
Electronic & Electrical Engineering 
Complete 
Meeting 1 (2009/10) 
 
EPRC 
Complete 
Meeting 3 (April 2009) 
 
Social Statistics Laboratory 
Complete 
Meeting 1 (2009/10) 
 
Childhood & Primary Studies 
Complete 
Meeting 4 (June 2009) 
 
Faculty of Engineering 
 
 
Deferred due to the 
evolving nature of the 
University’s governance 
framework. 
Management 
Complete 
Meeting 4 (June 2009) 
Added to original 2008/09 
Audit Plan. 
Other Audit Areas 
 
Students Association – Overview of 
Complete 
Meeting 2 (2009/10) 
Draft report due to be 
Finance Function and Management/Student 
issued. 
Expenses 
Student Health Service 
Ongoing 
Meeting 2 (2009/10) 
Fieldwork ongoing – to be 
included in 2009/10 Audit 
Plan. 
Centre for Sport & Recreation 
Complete 
Meeting 3 (April 2009) 
 
Internal Control Self Assessment 
Complete 
Meeting 4 (June 2009) 
Added to original 2008/09 
Questionnaire 
Audit Plan. 
Capital Project Review 
 
AFRC 
Ongoing 
Meeting 2 (2009/10) 
Included in Project 
Management Report. 
Jordanhill Associated Works (James Weir) 
Ongoing 
Meeting 2 (2009/10) 
Included in Project 
Management Report. 
EDF Project Monitoring Overview 
Complete 
Meeting 3 (April 2009) & 
Ongoing and included in 
Meeting 4 (June 2009) 
2009/10 Audit Plan. 
EU Grant Claims 
Complete 
All meetings of Audit 
Compared with the original 
Committee 
2008/09 Audit Plan, an 
additional 27 certificates 
were issued during 
2008/09. 
Follow Up 
Complete 
Meeting 3 (April 2009) 
 
29 

Internal Audit Service 
2008/09 Annual Report 
IAS Quality Assurance Results 2009  
Appendix F 
 
 

due professional care
93%
100%
90%
80%
70%
quality assurance
60%
93%
90% 
 
50%
strategy 
40%
30%
20%
10%
0%
95%
97% 
 
methodology
independence
 
92%
people
 
30 

Internal Audit Service  
2008/09 Annual Report 
Performance against Balanced Scorecard Metrics 
Appendix G 
                                                                                                                                                           
Financial Perspective 
Goals Measures 

Metrics 
To be high 
Performance against budget 
ƒ 
To be within the pay and non pay budget set and 
quality at lowest 
agreed for the period ; 
possible cost 
Comparison of cost per day with alternative 
ƒ 
To be below the average cost per day of 
providers (BUFDG annual Audit Survey) 
alternative providers on a day rate basis ; (see 
section 5.13) 
Staff quality mix (qualified/unqualified) 
ƒ 
Minimum 65% qualified : experienced input on a 
day to day basis ; (2 out of 3 staff prof qualified) 
Comparison of Staff levels v Institutional 
ƒ 
To maintain appropriate staffing levels for delivery 
size with other Institutions 
of assurance plans ; (in line with comparable 
Institutions) 
Comparison of average coverage per audit 
ƒ 
To be above the average coverage per audit day 
day with alternative providers (BUFDG 
of alternative providers ; (see 5.14) 
annual Audit Survey) 
To deliver 
Coverage of plan 
ƒ 
90% of planned reviews to be completed within 
quantum of 
the academic year excepting for circumstances 
audit needed 
outside of the Service’s control.  In progress. 
Reasons for and quantity of variance from 
ƒ 
All changes to the plan to be notified to Audit 
the plan 
Committee ; 
ƒ 
All reasons for significant variances to plan to be 
documented and justified within the context of 
University audit requirements ; 
Productive fieldwork as a percentage of the 
ƒ 
No more than 25% of available staff time to be 
plan 
spent on internal, non ‘client facing’ work ;  
Customer Perspective 
Goals Measures 

Metrics 
Audit 
Feedback from Committee members 
ƒ 
Achievement of a satisfactory score on the Audit 
Committee 
Committee Self Assessment Questionnaire re 
satisfaction 
Internal Audit provision ; (Audit Workshop 2009) 
Annual Audit Committee report 
ƒ 
Enabling the Audit Committee to issue its annual 
report to Court inclusive of an endorsement of at 
least a satisfactory provision by the Service. No 
issues anticipated. 
Meeting of specific ad hoc requests and 
ƒ 
Meeting 100% of ad hoc requests within the 
requirements 
timescale set by Audit Committee ;  
Management 
Positive returns from client satisfaction 
ƒ 
Achievement of at least a satisfactory rating on all 
satisfaction 
surveys 
categories assessed in the Client Satisfaction 
Survey ; 
Feedback from Principal, COO, CFO and 
ƒ 
Achievement of at least satisfaction on service 
Executive Team 
delivery by University Management.  No issues 
anticipated 
Positive working relationships established 
ƒ 
Consultancy role of IAS utilised pro actively as 
allocated within the audit plan ; 
Positive management responses to audit 
ƒ 
Adoption of all final report recommendations by 
recommendations 
management for implementation ; 
ƒ 
No recommendations in final reports not accepted 
on the grounds of factual accuracy ; 
ƒ 
All agreed recommendations found to be 
implemented when followed up on the first 
occasion by IAS. 90% (see 3.36)  
Stakeholder 
SFC satisfaction (via GMAP) noted in 
ƒ 
No significant issues to be noted by SFC in the 
satisfaction 
review of IAS Annual Report 
review of the IAS Annual Report No issues 
anticipated 
External audit reliance on IAS work 
ƒ 
The Service to be considered appropriate for 
reliance by External Audit ; No issues reported to 
HIA 
 
31 

Internal Audit Service  
2008/09 Annual Report 
Performance against Balanced Scorecard Metrics 
Appendix G 
                                                                                                                                                           
 
Internal Business Perspective 
Goals Measures 

Metrics 
Zero audit 
Opinions issued to be robust and supported 
ƒ 
Positive overall quality assurance assessment by 
failure 
by clear evidence 
CHEIA QA Peer review process ; (See 5.5 & 5.7) 
Quality 
Annual review of IAS by CHEIA QA Peer 
ƒ 
Positive overall quality assurance assessment by 
assurance to be 
review process. 
CHEIA QA Peer review process with IAS results 
high 
to be higher than the sector average. Sector results 
awaited (See 5.7 and 5.8) 
SFC, ACOP / 
Annual review of IAS by CHEIA QA Peer 
ƒ 
Positive overall quality assurance assessment by 
IIA Standards / 
review process which incorporates 
CHEIA QA Peer review process with IAS results 
GIAS 
assessment against  GIAS and wider 
to be higher than the sector average. Sector results 
compliance 
requirements 
awaited (See 5.7 and 5.8). 
Continuity 
Staff to remain in post  
ƒ 
Professional staff to remain in post ; 
Impact 
Timely reporting of issues which are 
ƒ 
Reports to be issued within KPI deadlines.  (See 
adopted and implemented by management 
IAS reporting and delivery protocol) Partial due to 
change in protocol mid year 
Clarity 
Opinions clear unambiguous and well 
ƒ 
A clear opinion to be issued with all Audit Reports 
structured 
(bespoke reports may omit these) ; 
Objectivity 
Reports to be challenging and supportive 
ƒ 
All reports to be agreed with management prior to 
publication ; 
ƒ 
No issues identified from fieldwork go 
inappropriately unreported (test checked in 
CHEIA QA Peer Review) ; 
Independent QA to assess objectivity 
ƒ 
Positive overall quality assurance assessment by 
CHEIA QA Peer review process with IAS results 
to be higher than the sector average. Sector results 
awaited (see 5.7 and 5.8). 
Innovation and Learning Perspective 
Goals Measures 

Metrics 
Staff to continue 
Professional skills training to be 
ƒ 
Progression against skills analysis ; In progress 
professional 
undertaken in line with skills analysis 
development 
Attendance at regional and national 
ƒ 
All members of staff to attend CHEIA conference 
CHEIA events as well as attendance at 
in 2009 ; 
SAG, CIPFA, IIA regional and national 
ƒ 
Successful hosting/attendance at Regional 
events as appropriate 
CHEIA meetings ; 
ƒ 
Head of Internal Audit to contribute to CHEIA 
executive HIA asked to sit on CIPFA Scottish 
Executive 
All Professional Staff to undertake 
ƒ 
Institute CPD recognition ; Ongoing 
Institute led CPD activity 
 
Product review 
Further development of reporting and 
ƒ 
Full review of reporting documentation and 
auditing practice 
standards for 2009 Ongoing 
ƒ 
Positive overall quality assurance assessment 
by CHEIA QA Peer review process ; (See 5.5 & 
5.7) 
Technical 
Review of business  and sector specific 
ƒ 
Continued subscription to CIPFA, IIA and 
leadership 
journals and changing accounting and 
professional Institutes Business Review Journals 
auditing standards 

Internationalisation 
Expand on current network of links with 
ƒ 
Constructive dialogue with at least two new 
IAS functions in other international 
Institutions Progressing via CHEIA’s international 
technological Universities 
connections  
 
32 

Internal Audit Service  
2008/09 Annual Report 
Performance against Balanced Scorecard Metrics 
Appendix G 
                                                                                                                                                           
 
IAS Delivery Protocol 
Goals Measures 
Metrics 
 
 
ƒ 
Scope to be issued for each review  and agreed by the 
To be open and 
Audit Scopes to be shared and 
process owner ; 
transparent over 
notified to Senior Officer and 
 
Scope to contain:- 
process 
Process Owner 
 
Š Process 
objective 
 
Š 
Level of assurance 
 
Š 
Overview of the timing of the review 
 
 
Š 
Detail of the process being reviewed 
 
Š 
Outputs to be provided 
 
Š Indicative 
review 
milestones 
 
ƒ 
Annual assurance plan to be reviewed by Audit 
Timing of Reviews and areas 
Committee and Court ; 
reviewed to be transparent 
ƒ 
Annual Assurance plan once approved to be made 
available on the University Intranet  In progress 
ƒ 
Communication with appropriate departments/areas ; 
 
ƒ 
Risk assessment to be shared with the process owner 
Risk assessments to be shared 
and Senior Officer through the reporting process ; 
 
 
ƒ 
IAS to meet with the process owner for each review to 
Outputs to be agreed 
An adequate closure process 
feedback initial findings at the end of the audit fieldwork. 
with University  
Details of the areas discussed and outcomes from the 
meeting contained within the IAS Closure meeting 
template ; 
 
ƒ 
Draft report to be shared with the process owner before 
Draft Reports provided for 
wider distribution ; 
feedback and comment 
ƒ 
Feedback and comments on draft report to be noted and 
action taken where appropriate (for factual or 
interpretative issues) ; Detailed in Closure meeting 
documentation 
ƒ 
Draft reports to be shared with University Management 
(currently University Secretary and Finance Director) ; 
 
 
ƒ 
Where applicable, all reports to receive University 
Outputs to be agreed 
Finalised outputs to be agreed 
responses via the IAS response document.  These 
with University 
responses require to address the risk(s) identified and 
provide: ; 
Š Clear 
actions 
Š 
Timing for completion of actions 
Š 
A responsible University officer for each action 
 
33 

Internal Audit Service  
2008/09 Annual Report 
Performance against Balanced Scorecard Metrics 
Appendix G 
                                                                                                                                                           
 
IAS Delivery Protocol 
Goals Measures 
Metrics 
 
Partial  - due to change in Protocol timeframe during year  
 
 
ƒ 
Scopes to be drafted and issued by IAS 4 weeks prior to 
Timescales to meet 
Timely issue of audit scopes 
commencement of audit 
University 
Requirements 
ƒ 
Finalisation of draft scope within 2 weeks of planned 
commencement of the audit. Finalisation of scope 
undertaken at the audit opening meeting. Audit Scopes 
appropriately version controlled 
 
ƒ 
Issue of draft report within 3 weeks after finalisation of 
Timely reporting of work 
audit fieldwork 
ƒ 
Receipt of process owner responses to draft report 
within 3 weeks of issue of draft report 
ƒ 
Issue of final report within 2 weeks of final management 
response 
 
ƒ 
Issue of 3 months response document 3 months from 
Follow Up 
the date of issue of the final audit report ; 
ƒ 
Receipt of process owner response to 3 months 
response document within 3 weeks of issue of 
document. 
ƒ 
IAS follow up work to commence within 4 weeks of 
receipt of response document  
ƒ 
Issue of follow up report to process owner within 2 
weeks
 after finalisation of follow up audit fieldwork  
ƒ 
Where agreed recommendations have not been 
implemented at the time of the first follow up visit a 
second follow up visit will be undertaken within 6 weeks 
from the issue of the first follow up report 
ƒ 
Issue of 2nd follow up report to process owner within 2 
weeks
 after finalisation of second follow up audit 
fieldwork 
ƒ 
Implementation of all agreed recommendations brings 
audit cycle to a close 
 
 
 
 
 
 
 
 
 
 
 
 
34 

Document Outline