Tel 0141 848 3000
Our ref: F15/090
25th June 2015
Dear Mr Gould
Freedom of Information (Scotland) Act 2002 - Partial release
I am writing with regard to your request of 27th May 2015, in which you asked for information
on SFC Financial Memorandum and Internal Audit. Unfortunately the University is able to
meet only part of your request and that information is being released to you now.
1. Who is/was the Head of Internal Audit for the years 2006-2014 in each of those
Elaine Johnstone 2006 – March 2014
David Williamson March 2014 – present day
2. Who is the current Head of Internal Audit?
Please see above.
3. Please provide copies of the Head of Internal Audit’s annual report for each of
the above years as presented to the Audit Committee and Scottish Funding
This information is not held for the year 2007/08 and for prior years. The annual reports
for the other years are attached.
Please note that the annual reports refer to the resources available within the Internal
Audit Services (IAS), which may include personal data about the staff, e.g. absences.
Thus some information relating to audit staff has been redacted since the release of
this personal information would be in breach of the data protection principles as defined
in the Data Protection Act 1998. Therefore the following exemption from release of this
information applies: Section 38(1)(b) Personal Information. This exemption is an
absolute exemption under the Freedom of Information (Scotland) Act 2002 and is not
subject to the public interest test.
Other information within the most recent reports that has been redacted relates to
progress reports about audit investigations which are still ongoing at the time of the
FOI request. We believe the release of this information into the public domain would
prejudice substantially the effective conduct of public affairs. This information is
exempt from disclosure in terms of Section 30(b) & (c) of the Freedom of Information
(Scotland) Act 2002. The Internal Audit Service (IAS) must not be constrained when
highlighting weaknesses in policies and processes as this could substantially prejudice
the taking of any steps to learn and improve. For an internal audit to be effective staff
and auditors must be able to communicate freely and frankly in order that current
policies and practices of the area being audited are accurately described and that any
recommendations that are made are full and relevant. While remedial actions are still
being implemented, release of information referring to the nature of issues identified
may impact on the ability of the University to conduct its business effectively.
The University recognises the public interest in our operations. However, we consider
that the public interest is served by having effective governance through the internal
reporting to the Audit and Risk Committee. In addition the public interest is in ensuring
the on-going efficiency and continuing successful operation of the University by
maintaining its ability to conduct effective audits and full and frank investigations into
4. The Financial Memorandum between HEIs and the Scottish Funding Council
states that ‘The institution must have in place an effective internal audit service.
The operation and conduct of the internal audit service must conform to the
professional standards of the Chartered Institute of Internal Auditors’. Please
provide details of how the Internal Audit Service is set up to conform to this
Please see the Terms of Reference in Appendix 1.
5. The names of all the members of the Audit Service currently and in each of the
years in question.
Identities of past members of the Internal Audit Service, other than the Head of IAS,
are considered to be personal information and therefore Exemption S38(1)(b) applies,
as above. The individuals have not consented to release of this information nor would
they expect the University to disclose the information requested. These individuals are
not involved in key decisions on behalf of the University and do not have a public-facing
role. We do have consent from the current members of IAS. They are:
David Williamson, Head of Internal Audit; and
John Davidson, Senior Internal Auditor
6. Details of the qualifications of the Head of Internal Audit and members of the
Internal Audit Service and particularly if in each case they are members of, or
hold qualifications from, the Chartered Institute of Internal Auditors.
The current Head of the Internal Audit Service has an honours degree in Management
Science and is a Fellow of the Institute of Chartered Accountants in England and
Wales, as well as holding membership of the Chartered Institute of Internal Auditors.
The Senior Internal Auditor has the qualifications CPFA and FMAAT.
If you are not satisfied with the handling of your enquiry you have a right to review under the
Act as laid out in the notices below.
Copyright in original materials contained in the information supplied resides with the University
of the West of Scotland. The supply of documents under Freedom of Information does not
give the person or organisation that receives them an automatic right to re-use the documents
in a way that would infringe copyright. The information supplied is not to be copied, distributed,
modified, reproduced, transmitted, published or otherwise made available in whole or in part
without the prior written consent of the creating institution.
FOI & Records Manager
1. Right of Review
In the event that you are dissatisfied with the handling of your request for information, you may require
us to review our actions and decisions relating to your request (‘Review Request’).
Your Review Request must be made to us in writing or in other durable form, stating your name and
address for correspondence, specifying the request for information to which your Review Request
relates and the matters that have given rise to your dissatisfaction.
It must be provided to us within 40 working days (which phrase excludes Saturdays, Sundays,
Christmas Day and Scottish Bank Holidays) after the expiry of the period within which we were obliged
under the Act to respond to your request for information.
You may withdraw your Review Request by notice to us in writing at any time.
Assuming your Review Request is not withdrawn, we are required to conduct our review and respond
to you (‘Review Response’) within 20 working days (which phrase excludes Saturdays, Sundays,
Christmas Day and Scottish Bank Holidays) after the date on which we received your Review
Request. The request for review should be addressed to:
Donna McMillan, University Secretary and Registrar, University of the West of Scotland, Paisley
Campus, Paisley, PA1 2BE Email: email@example.com
2. Right of Appeal
In the event that you have not withdrawn your Review Request and we have failed to respond to you
within the prescribed time, or you are dissatisfied with our Review Response, you may apply to the
Scottish Information Commissioner for a decision as to whether we have dealt with your request in
accordance with the Act (‘Appeal Application’).
Your Appeal Application must be made to the Scottish Information Commissioner in writing or in other
durable form, stating your name and address for correspondence, specifying the request for information
to which your Appeal Application relates and the matters that have given rise to your dissatisfaction.
It must be provided to the Scottish Information Commissioner within six months after the date you
received our Review Response or, in the event that we did not provide you with a Review Response
within the prescribed time, within six months after the expiry of that period. The address of the Scottish
Information Commissioner is:
Scottish Information Commissioner, Kinburn Castle, Doubledykes Road, St Andrews, Fife, KY16 9DS
Tel 01334 464 610; Fax 01334 464 611; email: firstname.lastname@example.org; www.itspublicknowledge.info
Internal Audit Service
Terms of Reference
Internal auditing is an independent, objective assurance and consulting service designed
to add value and improve the organisation’s operations. It helps the organisation
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control and governance processes.
It is a condition of the University’s funding from the Scottish Funding Council that
appropriate internal audit arrangements are in place. The University has established an
in-house Internal Audit Service (‘IAS’) to support it in meeting this obligation.
These Terms of Reference set out the purpose, responsibility and authority of IAS, and the
scope of its remit.
Purpose
The purpose of IAS is to provide independent and objective assurances to the University
concerning the effectiveness, efficiency, and economic use of resources in its
arrangements for governance, risk management, and control throughout the University’s
operations, and to provide recommendations for improvements to those arrangements.
The independence of IAS is achieved through its organisational reporting and
accountability lines, the scope of the function’s responsibilities, and the authority assigned
to it.
Responsibility
It is the responsibility of Court, the Principal and management to design, implement and
operate arrangements for governance, risk management, controls and value for money.
The Head of IAS is responsible for giving an annual opinion to Court and the Principal,
through the Audit & Risk Committee, on the adequacy and effectiveness of those
arrangements. As a basis for forming this opinion, the Head of IAS is responsible for
undertaking an annual risk-based programme of assurance activities, authorised by the
Audit & Risk Committee on behalf of Court. This risk-based methodology should consider
risk and control concerns identified by management.
The programme of assurance activities will have the following objectives:
• Appraisal of the soundness, adequacy, and application of arrangements for governance, risk
management and internal controls;
• Confirmation of the extent to which systems of internal control ensure compliance with laws,
regulations, policies and procedures;
• Confirmation of the extent to which assets and interests entrusted to or funded by the University
are properly controlled and safeguarded from loss arising from improprieties, including fraud,
corruption and other irregularities;
• Confirmation that accounting and other information is reliable as a basis for producing financial,
statistical and other reports used for external and internal reporting and decision making;
• Confirmation that systems of control are laid down and operate to promote the economic, efficient
and effective use of resource.
The IAS has no executive role, nor does it have any direct authority over or responsibility
for the design, implementation or operation of the systems, processes or procedures
reviewed. Other than for the operational management needs of the IAS function itself, the
IAS does not prepare records, make management decisions, or engage in any other
activity that could be reasonably construed to compromise independence.
The Head of IAS is responsible for:
• Maintaining a professional audit staff with sufficient knowledge, skills, and experience to meet
the requirements of these terms of reference;
• Issuing periodic reports to the Audit & Risk Committee summarising the results of audit activities;
• Assisting in the investigation of suspected fraudulent activities within the University;
• Providing consulting and advisory services to management that add value and improve the
University’s governance, risk management and control processes, subject to independence,
objectivity and competency considerations and without assuming management responsibility;
• Establishing a quality assurance and improvement programme to ensure the effective operation
and development of internal audit activities;
• Advising the Audit & Risk Committee of emerging trends and successful practices in matters of
governance, risk management, controls, and value for money.
The Head of IAS reports to the Chair of the Audit & Risk Committee. For day to day
administrative purposes, the Head of IAS reports to the University Secretary & Registrar.
The IAS has authority to access all of the institution’s records, information, and physical
assets which it considers necessary to fulfil its responsibilities. Equivalent rights of access
to records, information and physical properties held by other bodies funded by the
University should be in place, secured as a condition of funding.
The Head of IAS has a right of direct access to the Chair of Court, the Chair of the Audit &
Risk Committee, and the Principal.
Accountability
The Head of IAS is accountable to the Principal and Court, through the Audit & Risk
Committee, for the performance of the service.
The Head of IAS is required to submit an annual report to Court and the Principal through
the Audit & Risk Committee. The report must relate to the University’s financial year and
include any significant matters affecting the opinion up to the date of preparing the report.
A summary progress report will be presented at each of the Audit & Risk Committee’s
scheduled meetings, highlighting key issues and recommendations from audits completed
in the period, future plans, and other pertinent matters. Copies of all reports will be
included with the summary progress report.
The Head of IAS will promptly report any serious weaknesses in internal control systems,
significant fraud, or other major risk or control exposures identified in the course of audit
work to the University Secretary & Registrar, who will, as appropriate, report to the
Principal, the Chair of the Audit & Risk Committee, or the Chair of Court.
The Head of IAS will advise Court (through the Audit & Risk Committee) of the risks to
which it and the University may be exposed through any limitation of audit scope or
coverage. Where the Head of IAS believes that such limitations are unacceptable, this will
be formally reported to the Chair of Court, the Chair of the Audit & Risk Committee, and
The Head of IAS will implement measures to monitor the effectiveness of the service and
compliance with standards. The Audit & Risk Committee will consider and approve these
performance measures and may also seek an independent assessment of the
effectiveness of IAS.
All of the University’s operations and activities fall within the remit of IAS, irrespective of
the source of funding of those operations and activities. The scope of work will not be
restricted to the audit of systems, procedures and controls necessary to form an opinion
on the financial statements, but will also include operational arrangements in the
management and delivery of teaching, learning, research, and professional support
The operations and activities of the University’s agents and collaborative partners are
within the IAS remit to the extent that:
• The third party is applying funds sourced from or through the University to deliver the University’s
• The third party is utilising the University’s systems or other resources to deliver its own objectives.
It is not within the remit of IAS to question the appropriateness of strategy, policy or
academic judgement. However, the IAS remit does include examination of the
arrangements through which strategy, policy and academic decisions are made,
communicated, monitored and reviewed, and related risks are identified and managed.
The inclusion of any operation or activity within the scope of the IAS remit does not
necessarily mean that all operations and activities will be subject to audit review, but that
the operations and activities will be evaluated as part of an annual risk based assessment
of audit needs and priorities and may be incorporated into the programme of work
presented to the Audit & Risk Committee for approval based on the results of that
The IAS may also conduct special reviews or provide other advice on governance, risk
management, control or value for money matters requested by Court, the Audit & Risk
Committee, or management, subject to resource constraints and the need to maintain
independence and objectivity at all times. Any such advice is to be provided without
prejudice to IAS’s right to review and reappraise the areas for assurance purposes at a
It is the responsibility of IAS to draw to management’s attention any identified issues
regarding the effective, efficient or economic operation of arrangements for governance,
risk management, or controls and to make recommendations for improvements.
It is management’s responsibility to consider those recommendations and to:
• Agree to implement the recommended action, or to suggest and agree an alternative action that
addresses the issue; or
• Decide not to implement any change and to accept the identified risk exposures.
Where IAS fail to reach an agreement with management on the appropriateness of
management’s response to a recommendation, the matter will be escalated through the
Principal, the Audit & Risk Committee and ultimately Court to determine whether to accept
the risks of not taking any action or to implement suitable mitigating actions.
Standards and Approach
The work of IAS will be undertaken in accordance with the mandated requirements of the
International Professional Practices Framework of the Institute of Internal Auditors as
augmented by UK Public Sector Internal Audit Standards and other regulations and
standards specified by the University’s funding bodies.
All activities will be conducted in accordance with the UWS Internal Audit Procedures
Manual which is based on the applicable external standards and regulations.
Liaison with other auditors
The IAS will liaise with the University’s external auditors and will take appropriate steps to
ensure that the work of internal and external auditors is co-ordinated to avoid unnecessary
duplication of effort and to optimise the assurances obtained by the University from its
internal and external audit services.
The IAS will also liaise with the audit functions of the University’s funding bodies.
Approval of these Terms of Reference
The Head of IAS is responsible for performing an annual review of the Terms of Reference
to confirm that these remain aligned to relevant standards and regulations, the priorities
and practices determined by the Audit & Risk Committee and other relevant factors.
Following completion of each review, the Head of IAS is responsible for submitting the
Terms of Reference, incorporating any proposed revisions as necessary, for consideration
and endorsement by the Audit & Risk Committee and approval by Court.
Prepared by Head of IAS:
23 January 2015
Endorsed by Audit & Risk Committee:
10 March 2015
Approved by Court:
28 April 2015