The Internal Audit Process
Sarah Marsh
Senior Internal Auditor
Grant Thornton LLP
© Grant Thornton UK LLP. All rights reserved.
Agenda
• Introduction – why we have internal audit
• Types of internal audit reviews available
• The audit process
• How you can prepare for an audit
• Summary
How do you perceive internal audit?
Policeman
Consultant
1___________________________________________________10
Why do universities have internal audit?
• Public money
• Government funding and other funding bodies
• HEFCE Code of Audit Practice, which all
universities have to comply with.
HEFCE Audit Code of Practice
• This requires Audit Committees annually to have
an opinion on four key areas:
– Risk management,
– Controls,
– Governance and
– Value for money.
• Going forward from 2008/09 it is likely this will be
extended to data integrity regarding the
HESA/HESIS return. Audit Committees may
request third parties to scrutinise this.
What is internal audit?
Internal auditing is an independent, objective assurance
and consulting activity designed to add value and
improve an organisation's operations. It helps an
organisation accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control,
and governance processes.
Different types of internal audit provision
• In-house
• Co-sourced
• Out-sourced
• Consortium
The role of the university, management and
internal audit
The Board
Audit Committee
Management
Internal audit
External audit
Other assurances
• H&S
• Academic quality
• Consultants
• etc.
Internal audit are concerned with
• Helping management and the Board.
• Promoting efficiency and effectiveness.
• Risk management, internal control and
governance.
Internal audit are not
• Policemen,
• Bean counters,
• Only concerned about money,
• Or there to do management's job.
Internal audit's key obligation is to provide Audit
Committee with assurance.
To achieve this, internal audit:
• Needs to understand what the department seeks to
achieve and what it seeks to prevent occurring;
• Seeks to challenge whether arrangements support
objectives and are effective in managing risks;
• Does this by talking, researching, testing and
reporting.
Library areas that could be audited
• Service provision – e.g. strategy, governance, risk
management, performance indicators.
• Specific subject areas – e.g. income, security, compliance
with legislation, IT systems, grants/donations, stock rotation
and environmental controls.
• VFM – e.g. customer satisfaction, procurement,
partnerships.
• Consultancy – e.g. system implementation, business
re-engineering.
• Investigation – e.g. fraud including theft of money or other
assets and expense claims.
Audit length
• The number of days allocated to
an audit can vary from 2 days to
50 days depending on the
organisation and depth of the
review requested.
• This will include research, on site
work and reporting.
Example of library related reviews undertaken by
Grant Thornton LLP
At Middlesex University we undertook a service review of LRS
and covered in 8 days:
• The management structure, reporting lines and
management information;
• Risk management arrangements;
• Value for money arrangements including staffing
arrangements* and use of casual staff*;
• Budgetary control framework;
• Expenditure and income, including cash handling; and
• Succession planning.*
At another university we also…
• Undertook a review to assess the adequacy of strategic
and operational arrangements as several different library
services were merging together.
• Areas that were examined included:
– Adequacy of strategies in place,
– Framework/relationship documentation,
– Reporting structure,
– Project plans and arrangements,
– Security and disaster recovery arrangements, and
– Financial Management.
At another institution we looked at
Operational risks
• Journal purchases across the university,
• Disaster recovery and business continuity plans,
• Security issues, both technological and physical,
• Processes surrounding historical artefacts,
Financial risks
• Financial management and control processes,
• Control of donations, trust funds and research funds,
• Income generating and trading activities including
cash handling and banking arrangements,
• Ordering, procurement and payment processes,
• Accounting for, recording and disposal of assets.
In our experience we have found
• Libraries do not usually get
audited on their own but
instead as part of a
departmental review.
• Generally libraries are well
organised and we have in
the past recommended
efficiency savings or
streamlining advice as they
tend to be over controlled!
The audit process
A typical internal audit review could include all or some of
these stages:
• Scoping meeting
• Issuing of an audit brief or planning document
• Opening meeting
• Testing (interviews, walk-through tests, substantive testing)
• Wash-up meeting/informal feedback
• Formal report (draft and final)
• Follow-up
Remember
Make sure the
auditors include
your own areas of
concern.
How to prepare for an audit (1)
• In theory the more information you can provide
before the start of an audit the less time the auditor
should be on site.
• Inform key staff so they can make themselves
available while the auditor is on site, if required.
• Make sure the auditor understands how much time
you have available.
• Be prepared to be challenged.
How to prepare for an audit (2)
• Challenge the auditor's understanding of the
university, departmental issues and best practice in
the sector.
• Ensure your auditor provides value, for example
review a specific area of your concern or
benchmark against best practice.
• Be kind to your auditor and get them on your side
by providing appropriate accommodation and
facilities (e.g. power point, photocopier, drinks).
Internal audit – a win win situation
For the university:
• Assurance that controls and risk management are working as
expected, or an indication of where further enhancements are required.
For management:
• A fresh pair of eyes giving an independent and objective
overview of their area.
• Confirmation where things are working well or areas for
improvement.
For internal audit:
• A chance to share or increase their knowledge of best
practice (internal and external).
• A better understanding of how the university operates.
Summary
• There should be no such thing as a standard internal audit
review. Each review should be tailor-made.
• The primary customer for internal audit is the university
Audit Committee and Board. The secondary customer is
management.
• Good relationships between the auditee and auditor are key
in ensuring everyone's objectives are satisfactorily met.
• Internal audit should not be viewed as 'policemen'; it is
there to help the university and audit area achieve their
objectives.
Finally…
Questions
and/or
observations