Appendix 1.
University of the Highlands and Islands
Internal Audit Service
Annual Internal Audit Report 2011/12
29/08/2012
Fiona M Larg
UHI Executive Office
101212
Internal Audit Annual Report
2011/12
CONTENTS
1. Introduction
2. Responsibilities for Risk Management, Control, Governance and Value for Money
3. Role of Internal Audit
4. Performance against the Internal Audit Plan
5. Summary of Internal Audit Work undertaken
6. Follow up of agreed management actions
7. Annual opinion on the adequacy and effectiveness of the University of the Highlands and Islands’s arrangements for risk management, control and governance; economy, efficiency and effectiveness (value for money).
8. Internal Audit Key performance Indicators
9. Internal Audit Service Quality Assurance programme
10. Conclusion
Appendices
Appendix A - The Institute of Internal Auditors UK and Ireland - An approach to implementing Risk Based Internal Audit
Appendix B - UHI Internal Audit Service internal quality assessment - peer reviews
Annual Internal Audit Report
2011/12
1.
Introduction
1.1.
UHI recruited an in-house Internal Auditor and established a Co-Sourced Internal Audit
Service with Henderson Loggie Chartered Accountants in February 2009. This Annual
Internal Audit Report provides a summary of the Internal Audit Service’s activities since
the 1st August 2011 for the financial year 2011/12.
1.2.
The Internal Audit Terms of Reference require the UHI Internal Auditor to give an annual
opinion to Court and Principal and Vice Chancellor, through the Audit Committee, on the
adequacy and effectiveness of UHI’s arrangements for:
• risk management, control and governance; and for
• economy, efficiency and effectiveness (value for money)
1.3.
The opinion is provided in section 7 of this report.
2.
Responsibilities for Risk Management, Control, Governance and Value for
Money
2.1.
Within the University of the Highlands and Islands, responsibility for risk management,
control and governance arrangements and the achievement of value for money rests
with Court and management, who should ensure that appropriate and adequate
arrangements exist without reliance on the UHI Internal Audit Service. The UHI Internal
Audit Service has no executive role, nor does it have any responsibility for the
development, implementation or operation of systems.
3.
Role of Internal Audit
3.1.
The UHI Internal Audit Service is responsible for providing an objective, independent
appraisal of all the University of the Highlands and Islands activities, financial and
otherwise. It provides a service to the whole organisation, including Court and all levels
of management. It is not an extension of, nor a substitute for, good management,
although it can have a role in advising management. The Internal Audit Service is
responsible for evaluating and reporting to the University of the Highlands and Islands
Court and the Principal and Vice Chancellor, through the Audit Committee, thereby
providing them with assurance on the arrangements for risk management, control,
governance and value for money. It remains the duty of management, not the internal
auditor, to operate these arrangements.
3.2.
The UHI Internal Auditor is required to give an annual opinion to Court and the Principal
and Vice Chancellor, through the Audit Committee, on the adequacy and effectiveness
of the arrangements for risk management, control and governance and for economy,
efficiency and effectiveness (value for money) within UHI, and the extent to which Court
can rely on these.
3.3.
Independence
3.4.
The Internal Audit Service has no executive role, nor does it have any responsibility for
the development, implementation or operation of systems. The UHI Internal Auditor,
subject to any guidance from the Audit Committee, is solely responsible for the
management and development of the University of the Highlands and Islands
co-sourced Internal Audit Service.
3.5.
For day-to-day administrative purposes only, the UHI Internal Auditor reports to the UHI
Principal and Vice Chancellor. The UHI Internal Auditor also has right of access to the
UHI Principal and Vice Chancellor.
3.6.
The Institute of Internal Auditors International Standards for the Professional Practice of
Auditing state that “internal audit activity should be free from interference in determining
the scope of internal auditing, performing work, and communicating results”.
3.7.
Where there are differences of opinion between Internal Audit and management, Court
(on the advice of the Audit Committee) should ultimately determine whether or not to
accept audit recommendations, recognise and accept the risks of not taking action, and
instruct management to implement recommendations.
4.
Performance against the Internal Audit Plan
4.1.
The University of the Highlands and Islands Internal Audit Plan for 2011/12 was
prepared using a planning methodology in line with the Scottish Funding Council (SFC)
guidance and current best practice from the Committee of University Chairmen (CUC),
Institute of Internal Auditors (IIA), Higher Education Funding Council for England
(HEFCE), the Council of Higher Education Internal Auditors (CHEIA) and also in the
context of UHI’s risk management infrastructure.
4.2.
The Internal Audit Planning Methodology and proposed Internal Audit Plans were
discussed and reviewed by the External Auditor who was of the opinion that the Internal
Audit Plan and the associated methodology were of a good standard and in line with
best practice, and were clearly risk based.
4.3.
The Audit Committee approved the Internal Audit Plan for 2011/12 at its meeting in
September 2011. The audit plan was reviewed and amended with the approval of the
Audit Committee during the year to reflect the changing institutional risk profile. Additional
audits of the sub contract between North Highland College and Ballet West and of UHI’s
arrangements to comply with UK Borders Agency Tier 4 Licence were added. The
planned audits of Curriculum for the 21st Century and Marketing Corporate Identity,
Image, Reputation and Public Relations were deferred to accommodate these.
| Audit | Audit Plan days | Progress to date |
|---|---|---|
| Compliance with Legislation – Freedom of Information (Scotland) Act | 20 | Reported to Audit Committee 30 November 2011. |
| Student recruitment and admissions | 10 | Reported to Audit Committee 6 March 2012. |
| Department of Diabetes | 15 | Reported to Audit Committee 6 March 2012. |
| Governance and Management of SDB projects | 10 | Reported to Audit Committee 13 June 2012 |
| Risk Management | 7 | Reported to Audit Committee 12 September 2012 |
| IT Security | 10 | LIS Help Desk Reports developed to enable internal audit to pro-actively monitor and evidence completion of the 241 Network Vulnerability agreed management actions. Internal Audit liaising with the LIS Operations Manager to closely monitor completion of agreed management actions. Reports provided at each Audit Committee meeting throughout the year. |
| Student Records Management | 10 | Draft report issued and awaiting management comment. To be reported to Audit Committee November 2012. |
| North Highland College – Sub Contract with Ballet West | 30 | Scope and objectives agreed. Attended meeting on the 16th May 2012 with the Chairman of North Highland College Board of Management, the Chair of North Highland College Audit and Risk Management Committee (Member of the North Highland College Board of Management), Principal of North Highland College and UHI Secretary to discuss the scope and objectives of the review. Internal Audit fieldwork underway report being drafted. Visited NHC 31 May 2012. (Added to the plan agreed by the Audit Committee 6 March 2012) |
| UKBA Tier 4 Compliance | 20 | Internal Audit Scope and Objectives agreed, fieldwork underway. (Added to the plan agreed by the Audit Committee June 2012) |
| Curriculum for the 21st Century | 20 | Planning meeting completed with the Dean of Learning and Teaching. Audit deferred June 2012 Audit Committee |
| Marketing Corporate Identity, Image, Reputation and Public Relations Internal Information and Communications Strategy | 20 | Planning meeting completed with the Director of Marketing Communications and Planning. Audit deferred at June 2012 Audit Committee. |
5.
Summary of Internal Audit Work undertaken
5.1.
The following paragraphs provide a summary of the Internal Audit work undertaken from
the Internal Audit Plan 2011/12.
5.2.
Compliance with Freedom of Information (Scotland) Act
5.3.
The purpose of the report was to record the findings of an internal audit review on
compliance with the Freedom of Information (Scotland) Act. The Freedom of Information
(Scotland) Act 2002 (FOISA) and the Environmental Information (Scotland) Regulations
2004 (EIR) enable the public to access information held by Scottish Public Authorities.
5.4.
The Scottish Information Commissioner wrote to the University of the Highlands to
advise that an assessment of UHI’s Freedom of Information practice was to be carried
out as part of the assessment programme for 2011/12. The assessment was scheduled
to take place on the 21 and 22 February 2012.
5.5.
UHI had a Publication Scheme in place and was making efforts to publish information
and to make it accessible to the public. The UHI Publication Scheme affirms that UHI is
committed to freedom of information and will endeavour to help applicants as best as
possible to identify the appropriate information.
5.6.
UHI had so far received a relatively low number of information requests and had adopted
a less formalised approach to the processes and procedures surrounding responding to
requests for information. There were therefore a number of opportunities to develop and
improve processes and procedures in order to better demonstrate compliance with the
Freedom of Information (Scotland) Act 2002 and the Environmental Information
(Scotland) Regulations 2004.
5.7.
Fifteen recommendations for improvement in control were identified, of which 11 were
prioritised as Medium, and the remainder as low priority. Actions to improve control were
agreed by Management, with the final action due for implementation by 31 December
2012.
5.8.
In June 2012, the Scottish Information Commissioner carried out an assessment of
UHI’s compliance with the Freedom of Information (Scotland) Act 2002, the
Environmental Information (Scotland) Regulations 2004 and the associated Codes of
Practice. In preparation for the assessment the assessors examined the internal audit
report and noted the 15 separate recommendations made and detailed in an
action plan, signed off by the senior management team in November 2011. The
assessors welcomed the internal audit’s comprehensive evaluation of UHI’s
arrangements and practice and, having considered the audit report’s findings and
recommendations, broadly endorsed them.
5.9.
Student recruitment and Admissions
5.10.
The purpose of this report was to record the findings of an audit review on student
recruitment and admissions. UHI has the opportunity to significantly increase its fully
funded student numbers through additional funding provided by the Scottish Funding
Council and European Social Fund. In order to maximise upon this opportunity UHI
needs to increase student recruitment to meet student number targets. Failure to meet
these targets has both reputational and financial risks associated with it. Significant
management focus had been given to actions to increase recruitment in order to meet
the increased number of funded student places in 2012/13, with amended targets, a
recruitment campaign and other initiatives planned.
5.11.
UHI had a partnership admissions framework, underpinned by an Executive Office
admissions function, the UHI-wide SITS student records system, and the Admissions
Sub-Group, as well as a network of Academic Partner and Executive Office admissions
staff who meet monthly. Admissions targets were set by the Partnership Planning
Forum using information that had been provided by Academic Partners after going
through a process to ensure that these figures were robust. The recruitment process
was largely undertaken by Academic Partners, who were supported by Executive Office
in certain areas, and through the Marketing and Communications Practitioners Group,
comprised of Academic Partner and Executive Office marketing and communications
staff, which met regularly.
5.12.
Thirteen recommendations for improvement in control were identified, of which none
have been prioritised as High, 10 as Medium, and the remainder as low priority. Actions
to improve control were agreed by Management, with the final action due for
implementation by 31 August 2013.
5.13.
Department of Diabetes
5.14.
The purpose of the report was to record the findings of an audit review of the
Department of Diabetes and Cardiovascular Science. The Department of Diabetes and
Cardiovascular Science represents a core element of UHI’s research activity and is
based in a state of the art research facility within the Centre for Health Science.
5.15.
Processes were in place to support and control the procurement of goods and services,
maintenance of stock, collection of income and the provision of monthly financial
management information. There were opportunities identified to further improve control
surrounding lone working procedures, maintenance of vaccination records and on
obtaining waste transfer notes for the disposal of clinical waste.
5.16.
Outwith the Department of Diabetes and Cardiovascular Science there was scope
identified to further improve control surrounding asset registers and to significantly
strengthen segregation of duties between Personnel and Payroll.
5.17.
One high priority recommendation was made concerning compliance with the
Environmental Protection (Duty of Care) Regulations 1991 and maintenance of waste
transfer notes for the transfer of the controlled waste.
5.18.
Eight recommendations for improvement in control were identified, of which one was
prioritised as high, six as medium, and the remainder as low priority. Actions to improve
control were agreed by Management, with the final action due for implementation by the
30 October 2012.
5.19.
Governance and Management of SDB projects
5.20.
The purpose of this report was to record the findings of an audit review of the
governance and management arrangements over European Union structural funds
awarded to UHI. The review has focussed on new arrangements put in place for Phase
Two of the Strategic Delivery Body (‘SDB’) project and Investing in Recovery funding.
5.21.
UHI had obtained significant funding from the European Union Structural Funds
including SDB funding through ESF and ERDF and Investing in Recovery Funding
through ESF Challenge Funds. Most phase one projects had been completed, with
some continuing until the end of December 2012.
5.22.
The Grants and Contracts Team was formed in May 2011 from the SDB Project
Management Team when operational responsibility was transferred from Finance to the
Research and Enterprise Office. Significant changes were made to the Grants and
Contracts Team as a result of changes to structure and staff.
5.23.
An appropriate management structure had been implemented with clearly defined roles,
responsibilities and delegated authorities. Staff were aware of their roles and
responsibilities. However, an opportunity was noted to develop a Community of Practice
to help strengthen communication and engagement between the Development and
Enterprise team and Structural Fund project staff in Academic Partners and UHI
Executive Office.
5.24.
Business processes were in place to ensure that expenditure was reviewed for eligibility,
however there were areas where eligibility matters needed clarification and further
controls were required to ensure that all required documentation was retained.
Opportunities were identified to further strengthen administrative processes, record
keeping, as well as providing further guidance and training to staff on risk management
and on retention of documentation to evidence eligibility.
5.25.
Management had recognised a need to mitigate the risk of any clawbacks and had
formed an Audit Group consisting of the Grants and Contracts Team, Programme
Accountant and Director of Development and Enterprise to review current procedures
and requirements to ensure they meet funders’ audit requirements, as well as
considering whether documentation retained for phase one SDB projects was adequate.
The Audit Group review highlighted that not all required documentation had been kept,
or in some cases documentation had been mis-filed.
5.26.
A risk-based auditing programme was required to be put in place once documentation
and eligibility requirements for all phase one and two projects had been clarified to
ensure that the evidence base retained was appropriate to mitigate the risk of any
clawbacks.
5.27.
The following three High priority recommendations were made:
• to improve training to those involved in compliance checking covering eligibility
  and what is considered adequate supporting documentation;
• to improve EU Structural Funds procurement guidance covering what
  documentation is required and what evidence is acceptable; and
• to ensure that a risk-based auditing programme is put in place to ensure that the
  evidence base retained is appropriate to mitigate the risk of any clawbacks.
5.28.
18 recommendations for improvement in control were identified, of which 3 were
prioritised as High, 8 as Medium, and the remainder as low priority. One action was
immediately completed and 16 actions to improve control were agreed by Management,
with the final action due for implementation by 31st October 2012.
5.29.
Risk Management
5.30.
The purpose of this report is to record the findings of an audit review on Risk
Management. The scope and objectives of the review were discussed and agreed with
the Secretary.
5.31.
The Internal Audit Review was undertaken using a template provided by the Institute of
Internal Auditors which helps in assessing an organisation’s risk
maturity. The assessment helps to underpin the Internal Audit planning
process by determining to what extent Internal Audit can place reliance on UHI’s risk
management processes.
5.32.
The revised process for risk identification and management provides a sound starting
point to define and formalise UHI’s risk management framework processes and
procedures. The formation and work of the Risk Review Group is providing a continuing
impetus to improve risk management processes and is better enabling the provision of
timely risk information to the Finance and General Purposes Committee and Court.
5.33.
One High priority recommendation was made to further improve control by improving
processes to collate information on partnership risk from Academic Partners.
5.34.
In total, seven recommendations for improvement in control have been identified, of
which one was prioritised as high, five as medium and the remainder as low priority.
Actions have been agreed by Management, with the final action due for implementation
by the 31st of December 2012.
5.35.
On conclusion of the assessment it is the Internal Auditor’s opinion that UHI’s risk
maturity could be classified as ‘Risk Defined’. The IIA describe the key characteristics of
being risk defined as having the “strategy and policies in place and communicated. Risk
appetite defined”. The IIA suggest that in these circumstances Internal Audit’s approach
should be to “facilitate risk management / liaise with risk management and use
management assessment of risk where appropriate”.
6.
Follow up of agreed management actions
6.1.
As part of the normal Internal Audit process the Internal Audit Service follows up the
implementation of agreed management actions to provide assurance to the Audit
Committee that actions to improve control or further mitigate risk are being implemented
on a timely basis.
6.2.
The UHI Internal Audit Service records all agreed management actions to improve
control in a follow-up database. The follow-up database is used to provide managers
with a monthly reminder/update of their agreed management actions. The Internal
Auditor provides the Audit Committee with a follow-up report at each meeting which the
Committee uses to closely monitor the implementation of agreed management actions.
6.3.
The following table describes the categories used to prioritise recommendations to
improve control.
| Categorisation of recommendation | Definition of category |
|---|---|
| High | Inadequate systems and controls which if not addressed could expose the institution to significant financial, operational or reputational risk and adversely impact on implementation of its strategic plan. |
| Medium | Systems and controls which are not fully effective, and failure to improve them could adversely affect operational plans at departmental level. |
| Low | Good practice dictates that some enhancements to existing systems and controls are desirable. |
6.4.
The following table shows the total number of agreed management actions by Audit
Year and priority.
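| Priority | 2008-9 | 2009-10 | 2010-11 | 2011-12 | Total |
|---|---|---|---|---|---|
| High | 17 | 7 | 33 | 5 | 62 |
| Medium | 26 | 34 | 78 | 40 | 178 |
| Low | 17 | 55 | 31 | 15 | 118 |
| Total | 60 | 96 | 142 | 60 | 358 |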
6.5.
The following table provides a summary of all the agreed management actions by audit
since February 2009. It is important to note that the table includes agreed management
actions that are not yet due for completion.
| Audit Ref | Audit Title | High Total | High Completed | Medium Total | Medium Completed | Low Total | Low Completed | Total | Total Completed | Percentage completed |
|---|---|---|---|---|---|---|---|---|---|---|
| 09-01 | Risk Management 2009 | 3 | 3 | 4 | 4 | 3 | 3 | 10 | 10 | 100% |
| 09-02 | Review of the Strategic Delivery Body | 4 | 4 | 3 | 3 | 6 | 6 | 13 | 13 | 100% |
| 09-03 | Curriculum Development and Review | 1 | 1 | 5 | 5 | | | 6 | 6 | 100% |
| 09-04 | Business Continuity Planning | 6 | 6 | 9 | 7 | 4 | 4 | 19 | 17 | 89% |
| 10-09 | Data Management Information Accessibility and Security | 5 | 2 | 12 | 10 | 6 | 5 | 23 | 17 | 74% |
| 09-06 | Monitoring Academic Partners' financial position | 3 | 2 | 5 | 4 | 4 | 4 | 12 | 10 | 83% |
| 10-07 | Student Fees | | | 5 | 5 | 37 | 37 | 42 | 42 | 100% |
| 10-19 | Transparent Approach to Costing | | | 3 | 3 | | | 3 | 3 | 100% |
| 10-05 | HR Payroll | | | 3 | 3 | 3 | 3 | 6 | 6 | 100% |
| 10-03 | Research Business Planning and Development | 1 | 1 | 7 | 5 | 4 | 3 | 12 | 9 | 75% |
| 10-06 | Student retention and management of withdrawals | 2 | 2 | 4 | 4 | 2 | 2 | 8 | 8 | 100% |
| 10-08 | IT Network Vulnerability Test | 10 | 10 | 21 | 20 | 13 | 13 | 44 | 43 | 98% |
| 10-04 | Business Transformation | | | 3 | 3 | 4 | 4 | 7 | 7 | 100% |
| 10-11 | Risk Management 2010 | 1 | 1 | 1 | 1 | 1 | 1 | 3 | 3 | 100% |
| 11-05 | Health and Safety | 3 | 3 | 3 | 3 | | | 6 | 6 | 100% |
| 11-01 | Procurement | 3 | 3 | 6 | 6 | 1 | 1 | 10 | 10 | 100% |
| 11-06 | Project Management | | | 11 | 6 | 2 | 1 | 13 | 7 | 54% |
| 11-07 | Compliance with Equality Law | 2 | | 5 | 4 | 1 | 1 | 8 | 5 | 63% |
| 11-11 | Risk Management 2011 | 1 | 1 | 3 | 3 | | | 4 | 4 | 100% |
| 11-04 | Strategic Planning | 2 | | 3 | 1 | 1 | 1 | 6 | 2 | 33% |
| 11-03 | IT Network Vulnerability Test - Follow Up | 10 | 9 | 22 | 14 | 11 | 5 | 43 | 28 | 65% |
| 12-08 | Compliance with Freedom of Information Act | | | 11 | 8 | 4 | 2 | 15 | 10 | 67% |
| 12-09 | Department of Diabetes and Cardiovascular Research | 1 | 1 | 6 | 1 | 1 | 1 | 8 | 3 | 38% |
| 12-06 | Student Recruitment and Admissions | | | 10 | | 3 | 1 | 13 | 1 | 8% |
| 12-10 | Risk Management 2012 | 1 | | 5 | | 1 | | 7 | 0 | 0% |
| 12-04 | Governance and management of SDB | 3 | 2 | 8 | 3 | 6 | | 17 | 5 | 29% |
| | Total | 62 | 51 | 178 | 126 | 118 | 98 | 358 | 275 | 77% |

Percentage Complete: High 82%, Medium 71%, Low 83%, Total 77%
7.
Annual opinion on the adequacy and effectiveness of the University of the
Highlands and Islands arrangements for risk management, control and
governance; economy, efficiency and effectiveness (value for money).
7.1.
The Internal Audit Terms of Reference require the UHI Internal Auditor to give an annual
opinion to Court and Principal and Vice Chancellor, through the Audit Committee, on the
adequacy and effectiveness of UHI’s arrangements for:
• risk management, control and governance;
• economy, efficiency and effectiveness (value for money).
7.2.
It is important to note that:
• The opinion is based upon the internal audit work undertaken since the 1st August
  2011 from the Internal Audit Plan 2011/12, summarised earlier in section five.
• Internal control can provide only a reasonable and not absolute assurance to
  management and Court regarding achievement of UHI’s objectives.
• Responsibility for risk management, control and governance arrangements and
  the achievement of value for money rests with Court and management, who
  should ensure that appropriate and adequate arrangements exist without reliance
  on the University of the Highlands and Islands Internal Audit Service.
• Internal Audit reviews have a reasonable chance of detecting significant control
  weaknesses but cannot guarantee that fraud, error or non compliance will be
  detected.
7.3.
Adequacy and Effectiveness of the University of the Highlands and Islands
arrangements for Risk Management, Control and Governance
7.4.
Findings
Risk Management
7.5.
An internal Audit Review of Risk Management was undertaken during the year and a
summary of the review was included in paragraphs 5.31 to 5.36. Appendix A also
includes the internal audit assessment on UHI’s risk maturity.
7.6.
The review concluded the revised process for risk identification and management
provides a sound starting point to define and formalise UHI’s risk management
framework processes and procedures. The formation and work of the Risk Review
Group is providing a continuing impetus to improve risk management processes and is
better enabling the provision of timely risk information to the Finance and General
Purposes Committee and Court.
7.7.
One High priority recommendation was made to further improve control by improving
processes to collate information on partnership risk from Academic Partners.
7.8.
In total, seven recommendations for improvement in control have been identified, of
which one was prioritised as high, five as medium and the remainder as low priority.
Actions have been agreed by Management.
Control
7.9.
During the year the Internal Audit Service has reviewed and tested many of UHI’s
internal controls based upon the Internal Audit Plan. A summary of the findings of these
reviews is included in section 5.
7.10.
All of the internal audits undertaken during the year have resulted in recommendations
being made to improve control. The following table shows the categorisation of internal
audit recommendations.
| Categorisation of recommendation | Definition of category | Number of recommendations made | Percentage of recommendations agreed by management |
|---|---|---|---|
| High | Inadequate systems and controls which if not addressed could expose the institution to significant financial, operational or reputational risk and adversely impact on implementation of its strategic plan. | 5 | 100% |
| Medium | Systems and controls which are not fully effective, and failure to improve them could adversely affect operational plans at departmental level. | 40 | 100% |
| Low | Good practice dictates that some enhancements to existing systems and controls are desirable. | 16 | 94% |
| Total | | 61 | 98% |
7.11.
There were no significant internal audit recommendations that the Internal Audit Service
consider had not received adequate management attention. The implementation of the
agreed management actions corresponding to the recommendations will continue to
improve UHI’s internal control arrangements.
Governance
7.12.
In August 2011 the Post Title Working Group, with the approval of Court, commissioned
Capita Consulting to undertake a review to prepare an outline business case for a new
UHI operating model. The review was completed in the course of September to
December 2011 and a report published on the 10 January 2012. Court met on the 22
February 2012 to consider its response to the Capita Consulting report on Options for
Change in the light of responses from Academic Partner Boards. Court recognised the
need to progress the implementation of the recommendations in the Capita Consulting
report on the University operating model and established a Transformation
Implementation Group to oversee the implementation of the recommendations. The
Transformation Implementation Group established a membership consistent with that
agreed by Court in March 2012 and held its first meeting on 3 July 2012.
7.13.
The Transformation Implementation Group has considered each of the 65
recommendations of the Capita report which cover a range of activities. These activities
have been divided into seven areas, or work streams, some of which were already being
progressed:
1. Governance (through the working group above)
2. Shared services, through a cross partnership group
3. Leadership development programme
4. Research structures
5. Student voice
6. Financial sustainability and transparency
7. Integrated planning and delivery
7.14.
The Transformation Implementation Group is scheduled to meet again in September
2012.
7.15.
During the year there have been significant changes in government policy and strategy
within the higher education and further education sector. These are encapsulated in the
consultation document Putting Learners at the Centre – Delivering our Ambitions for
Post-16 Education and in two separate independent reviews of the governance of
universities and colleges published in February 2012.
7.16.
The Cabinet Secretary for Education and Lifelong Learning had taken an active interest
in the UHI Options for Change process in the context of government plans to review and
overhaul governance arrangements for delivery of higher education and further
education and had invited all Academic Partner Chairs, the Principal & Vice Chancellor,
University Secretary, the Chair and Vice Chair of Court and Chief Executive of the
Scottish Funding Council to attend a meeting on 31 January 2012 to discuss future
governance arrangements. The Cabinet Secretary for Education and Lifelong Learning
proposed a novel solution for the integrated delivery of higher education and further
education within the Highlands and Islands region. The Cabinet Secretary for Education
and Lifelong Learning subsequently instructed the Scottish Funding Council to examine
the detail and to progress a working proposal for consideration at a meeting planned for
the 16 April 2012.
7.17.
The Cabinet Secretary for Education and Lifelong Learning met the Principals/Directors,
and Chairs of the Governing Bodies of UHI and its Academic Partners on the 16 April
2012. At this meeting further definition and agreement was confirmed to the principles
agreed at the January 2012 meeting. The Scottish Government and Scottish Funding
Council officials were to form a working group to take the agreed structure forward.
Court met on the 3 May 2012 to consider the note of the meeting on the 16 April and
welcomed the proposals as a basis for improving the delivery of both higher and further
education in the Highlands and Islands.
7.18.
The Cabinet Secretary for Education and Lifelong Learning’s working group on
governance and management has been formed and the group is to report to the Cabinet
Secretary by the end of September 2012. The working group is to provide proposals for
the implementation of the governance structure agreed at the April 2012 meeting
attended by representatives of the university and its academic partners, specifically
addressing:
1. The structure remit and powers of the University Court
2. The structure remit and powers of the new FE Regional Board
3. The roles and responsibilities of the University Court, the FE Regional Board,
and the Boards of Academic Partners, and the relationship of these bodies
with each other.
4. How positive and effective interaction between these bodies can be secured
and maintained.
5. The development and implementation of a single outcome agreement
covering provision of Higher Education, Further Education and Research
(including knowledge exchange) across the region.
6. How the responsibility of Accountable Officer to the Scottish Funding Council
should be allocated.
7.19.
During 2011-12 there have been substantial processes and significant effort expended
in reviewing and evaluating UHI’s Governance structure and business model. Work in
this area is still progressing.
7.20.
Opinion
On the basis of the work carried out since 1 August 2011, the UHI Internal Auditor
concludes that, where scope to improve controls was identified, management
actions have been agreed to address these. There is sufficient evidence of
controls and procedures to provide reasonable assurance that UHI has adequate
and effective arrangements for risk management, control and governance.
7.21.
Adequacy and Effectiveness of the University of the Highlands and Islands
arrangements for economy, efficiency and effectiveness (value for money)
7.22.
Findings
7.23.
The Scottish Funding Council Financial Memorandum mandatory requirements effective
from the 14 October 2008, state that the ‘institution must have a strategy for
systematically reviewing management’s arrangements for securing value for money. As
part of its internal audit arrangements, the institution must obtain a comprehensive
appraisal of management’s arrangements for achieving value for money’.
7.24.
At its meeting on the 23 June 2009, Court approved a Value for Money Strategy, as
agreed by Finance and General Purposes Committee on 9 June 2009. On the 29
November 2011 Finance and General Purposes Committee approved a revised Value
for Money Policy and Procedures.
7.25.
A zero based budgeting exercise had been carried out and had informed the preparation
of operational budgets for financial years 2011-12 and 2012-13. The purpose was to
ensure resources were aligned to UHI’s strategic and operational priorities. The process
involved a constructive challenge of each departmental budget.
7.26.
The UHI Procurement Policy was approved by the Finance and General Purposes
Committee at its meeting on the 30 August 2011. The purpose of the procurement policy
was to provide details of UHI's:
• Procurement leadership and governance;
• People;
• Procurement strategy and objectives;
• Approach to defining its supply needs, including the specification of goods and
services;
• Sourcing strategy and use of collaborative procurement;
• Purchasing processes and systems, and
• Contract management.
7.27.
The policy was further amended in November 2011 to include information on sustainable
procurement.
7.28.
UHI participates in the Advanced Procurement for Universities and Colleges (APUC)
Procurement Capability Assessment. The Procurement Capability Assessment seeks to
assist organisations in improving their structure, capability, processes and ultimately
performance, by attaining the best standards that are appropriate to the scale and
complexity of their business. The Assessment is independently assessed by APUC staff
and identifies areas for improvement. To date UHI had completed two full assessments
in February 2010 and April 2011 with a further interim assessment in December 2011.
UHI had continued to demonstrate improved performance at each assessment. The next
full assessment was scheduled for November 2012.
7.29.
In the course of the year UHI had progressed a number of strategic initiatives. The
following two UHI strategic initiatives provide examples of areas where business process
developments will promote achievement of value for money outcomes:
• Throughout the year Learning and Information Services have progressed
arrangements towards establishing a shared Learning and Information Service. A
Learning and Information Services Shared Services Board was established in July
2011 to oversee this development.
• UHI continued to advance a strategic programme to develop a Curriculum for the
21st Century (C21C). C21C is focussed on the development and use of internal
resources to enhance the student experience via the concentration of resources,
shared development, wider access, a broader range of approaches to learning
and greater consistency / equivalence across the network. It aims to increase the
sustainability of UHI’s curriculum and delivery via increased co-operation in the
development and delivery of a more networked curriculum.
7.30.
Opinion
On the basis of the work carried out since 1 August 2011, the UHI Internal Auditor
concludes that UHI has in place a Value for Money Policy and Procedures which
confirms UHI’s commitment to achieving value for money from all of its activities,
regardless of the method of funding. It further defines the scope, responsibilities,
concept of value for money and approaches to assessing value for money to help
promote and secure value for money within UHI.
There is sufficient evidence (subject to compliance with the Value for Money
Policy and Procedures) that there are processes and procedures to provide
reasonable assurance that UHI has adequate and effective arrangements to
promote economy, efficiency and effectiveness (value for money).
8.
Internal Audit Key Performance Indicators
8.1.
The Internal Audit Terms of Reference require the UHI Internal Auditor to implement
measures to monitor the effectiveness of the Internal Audit Service. The Key
Performance Indicators were discussed and agreed with the Secretary. They are derived
from Key Performance Indicators suggested in the Committee of University Chairmen,
Handbook for Members of Audit Committees in Higher Education.
| Internal Audit Performance indicator | Target | Actual 2011/12 |
|---|---|---|
| Percentage of audit work delivered by qualified staff. | 60% | 100% |
| Internal Audit Plan to be submitted by June each year. | June of each year | Final Audit Plan for 2011/12 approved by Audit Committee at its September 2011 meeting. |
| Follow-ups to be performed within 3 months of the last action date of recommendations made. | Within 3 months of the last action date of recommendation | Management are provided with regular updates on their agreed management actions and a follow up report is provided to each meeting of the Audit Committee. |
| Issue of draft reports within 30 days of work being completed. | 30 working days | 100% |
| Issue of final report within 10 working days of receipt of management responses. | 10 working days | 100% |
| Recommendations made compared with recommendations accepted. | 80% | 98% |
| Internal audit reviews that added value. | 90% | 100% |
| Internal audit attendance at audit committee meetings. | 100% | 100% |
| Issue of internal audit annual report. | September of each year | Report provided to September 2012 Audit Committee |
9.
Internal Audit Service Quality Assurance programme
9.1.
The UHI Internal Audit Service is required through its Terms of Reference to perform
internal audit work with due professional care, in accordance with appropriate
professional auditing practice and with regard to Treasury and the Institute of Internal
Auditors standards (see later paragraph 9.11).
9.2.
The letter of agreement established between the University of the Highlands and Islands
and the co-sourced internal audit partner Henderson Loggie affirms that the co-sourced
internal audit partner will perform internal audit services in accordance with relevant
professional standards and guidelines and in accordance with the Scottish Funding
Council Financial Memorandum.
9.3.
Compliance with the Institute of Internal Auditors International Standards requires the
UHI Internal Auditor to develop and maintain a quality assurance and improvement
program that covers all aspects of the internal audit activity. The Institute of Internal
Auditors International Standards require that the Internal Audit Service Quality
Assurance Programme must include both internal and external assessments.
9.4.
The UHI Internal Audit Service has established a two tier approach to its quality
assurance and improvement program:
• The ongoing process of monitoring the performance of internal audit activity.
• Internal Audit Annual Quality Assurance assessments. An internal review
undertaken by the Principal and Vice Chancellor and the Secretary and an
external evidence based peer review assessment.
9.5.
Ongoing Performance Monitoring of Internal Audit Activity
9.6.
The UHI Internal Auditor manages the provision of the co-sourced Internal Audit Service
on an ongoing basis. A monthly reporting process is in place to keep the Principal and
Vice Chancellor informed of Internal Audit’s progress. The Internal Audit Service has
introduced Internal Audit Performance Questionnaires that are issued to management
and staff at the conclusion of internal audit work. Feedback from management and staff
on the performance of Internal Audit reviews is valued by the Internal Audit Service and
helps enable the service provided to be improved and assists the Audit Committee in
forming an opinion on the efficiency and effectiveness of the Internal Audit Service.
9.7.
The table below presents a summary of the Internal Audit Performance Questionnaire
responses received. The responses illustrate that on the whole 97% of the respondents
were either fully satisfied or satisfied.
| Internal Audit Performance Questionnaire | Fully Satisfied | Satisfied | Not Satisfied | Fully Dissatisfied | N/A |
|---|---|---|---|---|---|
| 1. Were you given adequate notification of the audit? | 25% | 50% | 25% | 0% | 0% |
| 2. Were you adequately informed of the audit scope and objectives? | 25% | 75% | 0% | 0% | 0% |
| 3. Were the appropriate staff consulted for the audit area covered? | 0% | 100% | 0% | 0% | 0% |
| 4. Did the auditor display a professional, constructive and positive approach during the review? | 0% | 100% | 0% | 0% | 0% |
| 5. Did the auditor discuss key results/findings with you during the review? | 0% | 100% | 0% | 0% | 0% |
| 6. Were you given the opportunity to discuss the draft report with the auditor prior to finalisation? | 0% | 100% | 0% | 0% | 0% |
| 7. Was the report produced to a professional standard? | 0% | 100% | 0% | 0% | 0% |
| 8. Overall, were you satisfied with the review? Has it been worthwhile and added value to your work? | 0% | 100% | 0% | 0% | 0% |
| Percentage Totals | 6% | 91% | 3% | 0% | 0% |
9.8.
Annual Internal Audit Quality Assurance Reviews
9.9.
In January 2009, the Institute of Internal Auditors launched its International Professional
Practices Framework. This is a revised version of the IIA Standards and Guidance. The
revised requirements state that the Internal Audit Service Quality Assurance Programme
must include both internal and external assessments.
Internal Quality Assessment Reviews
9.10.
The Committee of University Chairmen guide for members of Audit Committees in
Higher Education provides useful templates to help in the annual evaluation of internal
audit. The Principal and Vice Chancellor and Secretary completed assessments in
August 2012, which provide an independent internal evaluation of the Internal Audit
Service. The UHI Internal Audit Service internal quality assessments are included in
Appendix B.
External Quality Assessment reviews
9.11.
The UHI Internal Audit Service participated in an external evidence based peer-reviewed
assessment to provide independent external assurance to the Audit Committee over
quality control of the UHI Internal Audit Service and to demonstrate compliance with the
IIA standards.
9.12.
The Council of Higher Education Internal Auditors (CHEIA), with the support of the
Higher Education Funding Council England (HEFCE) leadership fund, piloted an internal
audit ‘self assessment’ tool in 2006/07 which was developed by RSM Robson Rhodes;
this was then rolled out from 2007/08. The self assessment tool provides a means of
benchmarking service delivery against recognised best practice and helps to achieve
and maintain an even higher quality internal audit service in the higher education sector.
9.13.
The self assessment tool is a spreadsheet-based assessment comprising 60
questions, against which the assessor is required to rate the audit service on a four point
scale, from ‘best practice’ to ‘potentially non-compliant’. To ensure consistency of
completion the assessment requires a response to be provided to all 60 questions
regardless of whether they best fit an individual institution’s Internal Audit Service
arrangements or not. Responses to these questions are then weighted and calculated to
deliver percentage scores against six criteria: due professional care; strategy;
methodology; people; independence and quality assurance. The tool can be completed
in three ways, by self assessment, peer reviewed self assessment and finally by an
evidence based peer-review process. The tool is in widespread use across the UK and
Ireland as promulgated by HEFCE and CHEIA.
9.14.
The UHI Internal Auditor attended a meeting on the 7 August 2012 in Edinburgh with the
Heads of Internal Audit of Newcastle University and the University of Edinburgh to have
an evidence based peer-review of the UHI Internal Audit Service carried out. The
following table presents the results of the assessment.
| Assessment Criteria | % |
|---|---|
| Due professional care | 87 |
| Strategy | 88 |
| Methodology | 90 |
| People | 79 |
| Independence | 89 |
| Quality assurance | 78 |
| Overall average | 85 |

Key:
90% - 100% Best Practice
60% - 90% Good Practice
20% - 60% Partially Compliant
0% - 20% Potentially Non-Compliant
9.15.
The results of the UHI Internal Audit Service evidence based peer-reviewed assessment
show that the UHI Internal Audit Service represents Good Practice.
10. Conclusion
10.1.
The co-sourced Internal Audit Service was established in February 2009. The Internal
Audit Service is continuing to develop its role within the University of the Highlands and
Islands and seeks to assist the University in progressing towards achievement of its
objectives by providing independent, objective assurance on risk management, control
and governance.
Appendix A - The Institute of Internal Auditors UK and Ireland - An approach to implementing Risk Based Internal Audit
Assessing the University's risk maturity - This assessment was made by reviewing the University of the Highlands and Islands’s practices, processes and relevant
supporting documentation such as the risk management strategy, policy and risk registers.
Risk Maturity: key characteristics of each level
• Risk naive: No formal approach developed for risk management.
• Risk aware: Scattered silo based approach to risk management.
• Risk defined: Strategy and policies in place and communicated. Risk appetite defined.
• Risk managed: Enterprise approach to risk management developed and communicated.
• Risk enabled: Risk management and internal controls fully embedded into the operations.

For each characteristic below, the entry against each risk maturity level is followed by the sample audit test and the summary of findings.

Characteristic: The organisation's objectives are defined.
Risk naive: Possibly. | Risk aware: Yes - but may be no consistent approach. | Risk defined: Yes | Risk managed: Yes | Risk enabled: Yes
Sample audit test: Check the organisation's objectives are determined by Court and have been communicated to all staff. Check other objectives and targets are consistent with the organisation's objectives.
Summary of findings: UHI’s objectives are defined in the UHI Strategic Plan.

Characteristic: Management have been trained to understand what risks are, and their responsibility for them.
Risk naive: No | Risk aware: Some limited training. | Risk defined: Yes | Risk managed: Yes | Risk enabled: Yes
Sample audit test: Interview managers to confirm their understanding of risk and the extent to which they manage it.
Summary of findings: Managers were aware of risk and their responsibility for managing it. Whilst some managers were maintaining up to date risk registers for their areas of responsibility others were not. However, managers confirmed that they carried out activities to actively manage risk.

Characteristic: A scoring system for assessing risks has been defined.
Risk naive: No | Risk aware: Unlikely, with no consistent approach defined. | Risk defined: Yes | Risk managed: Yes | Risk enabled: Yes
Sample audit test: Check the scoring system has been approved, communicated and is used.
Summary of findings: Court has defined a scoring system for assessing risks; this has been recently reviewed by the Risk Review Group.

Characteristic: The risk appetite of the organisation has been defined in terms of the scoring system.
Risk naive: No | Risk aware: No | Risk defined: Yes | Risk managed: Yes | Risk enabled: Yes
Sample audit test: Check the document on which the controlling body has approved the risk appetite. Ensure it is consistent with the scoring system and has been communicated.
Summary of findings: Court has defined its risk appetite and also set tolerance levels for approval of risks via its risk scoring system. The risk appetite has recently been reviewed by the Risk Review Group and efforts made to augment the process by developing a portfolio approach to risk management. The Risk Review Group recognised that at any one time UHI may be carrying a high level of risks in one or more parts of its business, however, UHI should ensure that the number of areas exposed to high risk at any time are minimised and balanced with a low risk approach in other areas.

Characteristic: Processes have been defined to determine risks, and these have been followed.
Risk naive: No | Risk aware: Unlikely | Risk defined: Yes, but may not apply to the whole organisation. | Risk managed: Yes | Risk enabled: Yes
Sample audit test: Examine the processes to ensure they are sufficient to ensure identification of all risks. Check they are in use, by examining the output from any workshops.
Summary of findings: A key part of the Risk Review Group role is to ‘ensure that the identification and evaluation of key risks that threaten achievement of UHI’s objectives is carried out, and that a register of these risks is maintained’. The Risk Review Group has met throughout 2011/12 and has invited risk owners to give presentations on the management of risks within their particular sphere of responsibility. The Risk Review Group has reviewed and updated the high level risk register at each meeting throughout 2011-12 after consideration of risk amendment forms for risks with a score of 12 and above. The on-going work of the Risk Review Group has improved the process of identifying, assessing and reporting of high level risks via the UHI High level risk Register. However, there remained scope to improve processes to ensure that departmental and Faculty risk registers were being kept up to date and to consider whether there were additional risks arising from implementation of the Strategic Plan 2012-17. The Risk Review Group had recognised the need to try and achieve a more joined up and standardised approach to partnership risk information and had requested the Finance Directors Practitioners Group to progress arrangements to begin sharing data on a 6 monthly basis.

Characteristic: All risks have been collected into one list. Risks have been allocated to specific job titles.
Risk naive: No | Risk aware: Some incomplete lists may exist. | Risk defined: Yes, but may not apply to the whole organisation. | Risk managed: Yes | Risk enabled: Yes
Sample audit test: Examine the Risk Register. Ensure it is complete, regularly reviewed, assessed and used to manage risks. Risks are allocated to managers.
Summary of findings: The process approved by Court defined a governance framework with responsibilities for review and approval of risks above defined scores. The High Level Risk Register shows that where risks have been collated, they have been allocated to a Risk Owner. There was potentially a risk that the High Level Risk Register may not be complete as processes to collate information on partnership risk from Academic Partners were not yet in place and processes to maintain and update lower level risk registers were not being complied with. The Risk Review Group had also noted that there was currently no methodology for automatically collating risk information from all the risk registers. However, the Risk Review Group process requiring risk owners (e.g. Senior Management Group) to provide information on new risks and to review and update the High Level Risk Register ahead of each quarterly meeting of the Risk Review Group may help to mitigate this.

Characteristic: All risks have been assessed in accordance with the defined scoring system.
Risk naive: No | Risk aware: Some incomplete lists may exist. | Risk defined: Yes, but may not apply to the whole organisation. | Risk managed: Yes | Risk enabled: Yes
Sample audit test: Check the scoring applied to a selection of risks is consistent with the policy. Look for consistency (that is similar risks have similar scores).
Summary of findings: Risks were being assessed in accordance with the defined scoring system.

Characteristic: Responses to the risks have been selected and implemented.
Risk naive: No | Risk aware: Some responses identified. | Risk defined: Yes, but may not apply to the whole organisation | Risk managed: Yes | Risk enabled: Yes
Sample audit test: Examine the Risk Register to ensure appropriate responses have been identified.
Summary of findings: Review of the high level risk register highlighted that responses to risks had been recorded for each risk. Many of the mitigating controls described required on-going commitment to provide mitigation. It was noted that differing approaches were taken to recording the person responsible and action timescale for further actions. For some risks a person responsible had been recorded with no timescale, for other risks an action had been recorded with no person responsible or timescale and for some high residual risks no further actions were detailed.

Characteristic: Management have set up methods to monitor the proper operation of key processes, responses and action plans (monitoring controls).
Risk naive: No | Risk aware: Some monitoring controls. | Risk defined: Yes, but may not apply to the whole organisation. | Risk managed: Yes | Risk enabled: Yes
Sample audit test: For a selection of responses, processes and actions, examine the monitoring control(s) and ensure management would know if the responses or processes were not working or if the actions were not implemented.
Summary of findings: A Risk Review Group had been established and processes were in place to facilitate the review of the High Level Risks in the Register. Risk Owners had provided presentations to the Risk Review Group on their risks and the actions being taken to mitigate them, the constraints and issues faced and to help identify any further support needed to help better manage risk. The minutes of the Risk Review Group were reported to the Finance and General Purposes Committee, Audit Committee and Court together with the updated risk register.

Characteristic: Risks are regularly reviewed by the organisation.
Risk naive: No | Risk aware: Some risks are reviewed, but infrequently. | Risk defined: Regular reviews, probably annually. | Risk managed: Regular reviews, probably quarterly. | Risk enabled: Regular reviews, probably quarterly.
Sample audit test: Check for evidence that a thorough review process is regularly carried out.
Summary of findings: Responsibilities for Committees to review risks at different levels throughout the UHI had been defined by Court. Processes were in place to facilitate the review of UHI’s high level risks via the Risk Review Group, Finance and General Purposes Committee and by Court itself. However, it was noted that some lower level departmental and Faculty risk registers were not being reviewed and kept up to date. The consequence of this may be a failure to identify, manage and report on risk on a timely basis.

Characteristic: Management report risks to directors where responses have not managed the risks to a level acceptable to Court.
Risk naive: No | Risk aware: No | Risk defined: Yes, but may be no formal process. | Risk managed: Yes | Risk enabled: Yes
Sample audit test: For risks above the risk appetite, check that Court has been formally informed of their existence.
Summary of findings: The current risk management process uses the initial risk assessment (the gross risk) to define when risk should be reported to the Risk Review Group for review and approval. The Risk Review Group requires information from risk owners on the actions being taken to mitigate risk, the constraints and issues faced and to identify support needed from the group or the organisation to help manage risk. Court has been presented regularly with the High Level Risk Register and had noted its contents. However, there were currently no formalised processes to define the risk appetite (the level acceptable to Court) for each risk.

Characteristic: All significant new projects are routinely assessed for risk.
Risk naive: No | Risk aware: No | Risk defined: Most projects. | Risk managed: All Projects. | Risk enabled: All Projects.
Sample audit test: Examine project proposals for an analysis of the risks which might threaten them.
Summary of findings: Processes had been defined, communicated and implemented to help ensure that all new projects were assessed for risk. Some information on project risk was being provided through the risk update form. However, there remained an opportunity to better develop mechanisms for the Risk Review Group to routinely receive information on project risk and its management.

Characteristic: Responsibility for the determination, assessment, and management of risks is included in job descriptions.
Risk naive: No | Risk aware: No | Risk defined: Limited. | Risk managed: Most job descriptions. | Risk enabled: Yes
Sample audit test: Examine job descriptions. Check the instructions for setting up job descriptions.
Summary of findings: Responsibilities for the management of risk were not being routinely incorporated into job descriptions for new appointments.

Characteristic: Managers provide assurance on the effectiveness of their risk management.
Risk naive: No | Risk aware: No | Risk defined: No | Risk managed: Some managers. | Risk enabled: Yes
Sample audit test: Examine the assurance provided. For key risks, check that controls and the management system of monitoring, are operating.
Summary of findings: Risk Owners have attended meetings of the Risk Review Group to explain the actions being taken to mitigate their risks.

Characteristic: Managers are assessed on their risk management performance.
Risk naive: No | Risk aware: No | Risk defined: No | Risk managed: Some managers. | Risk enabled: Yes
Sample audit test: Examine a sample of appraisals for evidence that risk management was properly assessed for performance.
Summary of findings: The Head of Human Resources confirmed that the appraisal process for staff did not routinely involve an assessment of their risk management performance. The Principal and Vice-Chancellor and UHI Secretary confirmed that management appraisals may incorporate discussion on individual manager’s risk management performance where necessary.

Internal Audit approach
• Risk naive: Promote risk management and rely on alternative Audit Planning method.
• Risk aware: Promote enterprise-wide approach to risk management and rely on alternative Audit Planning method.
• Risk defined: Facilitate risk management / liaise with risk management and use management assessment of risk where appropriate.
• Risk managed: Audit risk management processes and use management assessment of risk as appropriate.
• Risk enabled: Audit risk management processes and use management assessment of risk as appropriate.
Appendix B - UHI Internal Audit Service internal quality assessment - peer
reviews
Document Outline
- 1 INTRODUCTION
- 2 INTERNAL AUDIT
- 2.1 Annual report of the Internal Auditor 2011/12
- 2.2 Internal Audit Plan
- 3 GOVERNANCE
- 4. EXTERNAL AUDIT
- 4.1 Statement of Accounts for the Period 1 August 2011 to 31 July 2012
- The Committee considered a draft statement of annual accounts and discussed in detail aspects of the accounts including the increased pension liability. The Committee affirmed their view that the University Court had satisfactorily discharged the Gove...