gla.audit/audit/minutes/2008-10-2/1
Audit Committee Thursday, 2 October 2008
Capital Project Management
A review of 2 major on-going projects identified a number of areas requiring
improvement. The main issues related to: completion and reporting of project risk
registers; formalisation of project sign-off and change controls; formal capital approval
and governance guidance; project procurement transparency; formalisation of the
project decision-making responsibilities; and, consistency in the involvement of and
formal sign-off by the Territorial Management Accountants. It was agreed that a more
formal project management framework with formal guidance would provide a great
deal of benefit in this area, in particular regarding the costs involved. It was noted that
the project manager was the key person in the management of a project and that
effective project managers were required.
Bank Reconciliations
An extensive review of the bank reconciliation process had provided a reassuring
result. The main recommendation related to the need for a formalised review of bank
reconciliations by management.
IT Project Management
A high level review of the project management processes was carried out which
included controls over project management, project support and the project life cycle.
Recommendations surrounded the need to ensure consistency and control across all
University projects including greater resource planning.
Business Continuity Management
Business Continuity is a responsibility of all departments and it was noted that,
following a central initiative in 2007 to roll out good practice in Business Continuity
Management, many departments had not yet produced a Business Continuity Plan. It
was noted that the lack of progress was due to lack of resource rather than priority. The
Secretary of Court confirmed that this would be driven centrally with the involvement
of the Senior and Services Management Groups. He also informed the Committee that
there is a University Emergencies Planning Group that considers the University's
response to potential major crises.
Follow Up
Internal Audit reported the conclusion of the review of 2006/07 and prior
recommendations. The Committee noted that Internal Audit had carried out sample
testing, reviewed documentation or met with staff, to provide independent verification
in support of the system of internal follow up. It was noted that 47% of
recommendations had been fully implemented and 36% partially implemented. Two
Priority 1 recommendations had not been implemented and 18 Priority 1
recommendations had been partially implemented.
Risk Workshop
An annual risk workshop was held in September involving members of senior
management, Court and the Audit Committee. A prioritised list of the top 20 risks
impacting the University in the achievement of its objectives was identified. It was
noted that the risks identified by the University were not dissimilar to those of other
universities.
Other
The Committee noted that fieldwork had been completed or was ongoing in the
following areas: IT Network Security; Absence Management; Strategic Performance
Management; IT Resource Management; IT Data Handling; Purchasing to Pay; and,
Commercial Pricing which would be reported under the 2008/09 plan.
Internal Audit Plan for 2008/09
The Committee approved the Internal Audit Plan for 2008/09.
AUDIT/2008/04. Statement of Recommended Practice: Accounting for Further and
Higher Education (SORP)
The Committee noted the options available for the accounting of heritage assets, valued
at c£359m, resulting from the new SORP and 2 exposure drafts which required either
capitalisation or disclosure. The options were to: seek valuations and capitalise
heritage assets; disclose the nature of heritage assets held; or, take no action until a
Standard comes into operation. The Committee noted the proposal to adopt a
disclosure only approach and that only those items required by the SORP should be
disclosed. It was agreed that after the Finance Committee had considered and approved
the approach the University should adopt, this item should be considered for approval
by the Audit Committee.
The Committee commended the Director of Finance and Group Financial Controller
for the comprehensive and excellent summary of the key issues and the options
available.
AUDIT/2008/05. Corporate Structure
The Committee thanked the Director of Finance and Group Financial Controller for
providing an informative summary of the entities associated with the University, their
role and significance. It was agreed that this should be updated and provided to the
Committee annually.
The Committee queried whether the University had a policy regarding the acquisition
of University-related website addresses. The Secretary of Court informed the
Committee that there was no formal policy but that, for example, an unused “Glasgow
Business School” address had been acquired to deter its use by others. It was agreed
that the existence of University-related website addresses should be investigated.
AUDIT/2008/06. Draft Financial Regulations
The Group Financial Controller informed the Committee that the Regulations had been
provided to the Faculties and Audit Committee for comment. Thereafter, they would
be provided to the Finance Committee for approval. The document had been compiled
so that very little change would be required to keep it up to date and it would be linked
to underlying policies. The Committee considered whether risk management should be
incorporated into the Regulations. It was agreed that where possible reference would
be made in the Regulations to responsibilities regarding risk management and that
regulations regarding risk management and internal controls should be documented
separately, to sit alongside the Financial Regulations. The Committee agreed that the
draft Financial Regulations provided a concise and informative reference document for
the main University financial requirements and that any further comments should be
communicated to the Group Financial Controller.
AUDIT/2008/07. Implementation of Outstanding Priority 1 and 2 Recommendations
The Committee were updated on the degree of implementation of the audit
recommendations.
Finance Office
The Group Financial Controller reported that 9 action points had been completed since
the last Audit Committee meeting. Of the 79 recommendations, 41 had been
implemented (52%) and 25 had been partially implemented (32%). Systems or process
development work was required in order to implement 20 of the outstanding 38 points
and targets had been established for implementation of the remaining 18 points to be
completed within 18 months.
Departments other than the Finance Office
The Secretary of Court reported that a further 6 of the 2006/07 recommendations had
been fully implemented, bringing the total to 77 of 105. Twenty recommendations had
been partially implemented and 8 not implemented. Work was either underway or
planned with regard to campus security, disaster recovery, network management,
software management, research and development and Registry revenue. A further 6
audits had been finalised in financial year 2007/08 and, of the 42 recommendations
made, 15 remained to be implemented, including 3 Priority 1 recommendations. The
recommendations arose from audits carried out in Data Protection and HR records,
Heritage Assets, International Student Recruitment, Library Procurement, Research
Assessment Exercise and Staff Development Service. Work was underway to address
the outstanding recommendations.
The Director of IT Services attended the meeting to update the Committee on IT related
issues:
• Disaster Recovery
Steps had been taken to improve procedures surrounding disaster recovery
including the refurbishment and enlargement of 2 main computer rooms, improved
links to back-up servers and improved availability of stores across campus. The
underpinning infrastructure had been improved with greater use of central services
by most Faculties. It was noted that work would be ongoing in this area to ensure
that all storage devices across the University meet the requirements. The Director
of IT Services informed the Committee that to test disaster recovery would be a
major undertaking. There have been 3 serious failures in recent years and in all 3
cases no data was lost. With this in mind and with a consistent proven track record,
the benefit of carrying out a major disaster recovery test was difficult to justify.
• Network Security
The University IT infrastructure involved agreed areas of devolved authority within
a corporate framework. Work was continuing to achieve greater consistency in
network management throughout the campus and greater efficiency in the use of
resources.
• Password Length and Policy
Historically, users had more than one username and password. Single sign-on is
now being provided with Standard Desktop Version 5 being implemented across
the University. A proposal will be submitted in 2008 regarding password policy
including the enforcement of a regular change of password.
• Software Licensing
Due to devolved control, a large percentage of Departments bought and installed
software independently in support of diverse academic requirements. A program
has been run centrally to identify software held on approximately 5000 central
computers and the results indicated that the majority of software was covered by
licences already held by the University. This reassurance has led to a reduced
priority rating in this area by IT Services though work will continue in order to
compile and maintain a software register and ensure licences are in place.
• Change Management Helpdesk
The adoption centrally and by Faculties of a helpdesk has been a success with a
procedure in place to record and date stamp reported incidents. This creates a basic
platform of information which can be used to produce reports and Key
Performance Indicators.
• Physical Access
The equipment held in the Management Information Services room will be moved
to the recently refurbished James Watt Building. Otherwise, all recommendations
have been implemented in this area.
• Anti-Virus Software
The University will continue to use Sophos Anti-Virus Software.
The Convener thanked the Director of IT Services for providing such a detailed and
useful update on the progress of IT related recommendations.
The Convener informed the Committee that Court had been provided with an update on
Audit recommendations at its June meeting and this had been well received. The
Committee agreed that progress was being made and the reports were otherwise noted.
AUDIT/2008/08. Allegations of Research Misconduct 2007/08
The Committee noted that 3 incidences of potential Research Misconduct had been
reported in 2007/08.
AUDIT/2008/09. Any Other Business
9.1 Farewell
The Committee noted that Mr. Scott Cairns had resigned his membership of the
Committee prior to the meeting. The Convener noted thanks to him for his invaluable
contribution and assistance to the Committee.
9.2 Audit Committee Convenership
The Secretary of Court informed the Committee that the Nominations Committee
would be making a recommendation to the October meeting of Court regarding a new
Convener of Audit Committee. If approved, the new Convener would take up the
position after the November 2008 meeting.
9.3 Audit Committee Vacancies
The Committee noted that steps were being taken to replace the current and
forthcoming Audit Committee vacancies.
AUDIT/2008/10. Date of Next Meeting
Wednesday, 5 November 2008 at 10am in the Melville Room.
Prepared by: Paula Vinaccia, Clerk to Committee, x.xxxxxxxx@xxxxx.xxx.xx.xx
Last modified on: Tuesday, 14 October 2008