Skip to main content
Document

Internal Audit Manual

Cardiff University Internal Audit Manual

Version number:V1.2
(*alignment to v0.6 of CHEIA Quality Assurance Toolkit)
Date: January 2022
Next review: September 2024
Owner: Faye Lloyd, Head of Internal Audit

1 Introduction and background

Structured to ensure compliance with relevant Internal Audit standards

* This Audit Manual has been developed in keeping with the structure of the CHEIA Internal Audit Quality Assurance Toolkit, which was originally commissioned by HEFCE on behalf of CHEIA in 2005.  The toolkit is periodically updated to take account of changes to IIA Standards and related standards (e.g. Public Sector Internal Audit Standards PSIAS) and emerging good practice.

Outlines key operating policies and procedures that govern IA

The Manual establishes the key operating policies and procedures that govern the internal audit (IA) activity with a further view to strengthening professionalism of the function and serving as a guidance document to staff at Cardiff University on the ‘modus operandi’ of the service.

IA function operational since 2017 with a refreshed methodology

The Internal Audit Service underwent a transformation from the Joint Internal Audit Unit (covering Cardiff and Swansea Universities) that was in operation up until March 2017. This was replaced by a refreshed service that was responsible for Cardiff University only. A new HIA and in-house team and co-sourced partners were recruited and contracted to deliver the Service.

Purpose of IA to provide independent, objective assurance and consulting activity designed to add value and improve operations

The purpose of the Internal Audit Service at Cardiff University is to provide independent, objective assurance and consulting activity designed to add value and improve Cardiff University’s operations. The mission of internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight. The internal audit service helps Cardiff University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

Key documents direct the IA function and approved by Audit and Risk Committee and Council

Internal Audit Manual Image

2 Application of the Standards

QAIP Ref.

and Evidence

CIIA Standard

1. Purpose, authority and responsibility of the Internal Audit (IA) activity

Internal Audit Charter

The Internal Audit Charter was agreed with the Vice-Chancellor in his role as Accountable Office, endorsed by Audit Committee in October 2020 and recommended to Council and approved in November 2020.  The Charter is published on the intranet and the external facing website containing public information.  The Charter in use is based upon the template issued by CIIA.

1000

1010

1110

2100

2. Access within the institution

Internal Audit Charter

The Head of Internal Audit (HIA) and team has full unrestricted access, and this is granted via the Internal Audit Charter, section 4 of the Charter refers to authority, “The Audit and Risk Committee authorises the internal audit service to:

- Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.

- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.

- Obtain assistance from the necessary personnel of Cardiff University, as well as other specialised services from within or outside, in order to complete the engagement."

1000

1111

3. Independence and objectivity of IA

Internal Audit Charter

RIPE

Guidance for Advisory and Consultancy work

The HIA reports to the Chair of Audit and Risk Committee, and substantively to the Chief Operating Officer.  The Head of Internal Audit holds regular 1:1s with Chair of Council.

In June each year, the Audit and Risk Committee receive the IA Audit Strategy and Plan with reference to the IA service’s approach to advisory and consultancy work for approval.

The internal audit planning document, the ‘Risk Identification Plan and Evaluation (RIPE)’ includes a section for disclosure of potential conflicts of interests linked to each audit assignment.

Section 3 of the Internal Audit Charter refers to Independence and Objectivity of the IA service, “Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.”

1000

1100

1110

4 & 6. IA activity free from executive interference and responsibilities

Annual Report

Internal Audit Charter

Under the HEFCW Financial Memorandum, the HIA is required to state in the Annual Report that the HIA has been unfettered in their reporting.

Evidenced within section 3 of the Internal Audit Charter.

1000

1110

1112

1130

5. Council satisfied with status of HIA to fulfil responsibilities

HIA Job Description

The HIA is appointed as per the original job description ‘with a level of gravitas appropriate within the organisation', appointed on the senior salary scale and subject to remuneration committee review for salary amendments annually, as per an annual paper to Audit and Risk Committee and approved by Council.

HIA receives circulation of UEB papers and attends Professional Services Leadership Network (PLSN).

1110

7. Individual objectivity and organisational independence maintained

RIPE

Annual Report

A requirement for internal auditors to declare any conflicts is included within the planning of each audit assignment via the RIPE.

Formal declaration is made within the Annual Report.

All staff are required to declare any declarations of interest within the corporate system, Core HR.

Consultancy assignments undertaken by IA are subject to issued guidance to ensure objectivity is maintained.  In such instances, any subsequent related assurance assignments would typically be carried out by a different member of staff or externally sourced.

1120

1130

8 & 30. Knowledge, skills and competencies of IA resource

Recruitment

Induction and PDR

All IA in-house staff are required to be professionally qualified.

The probation and performance development reviews are used to document training needs, aligned to the annual IA programme.

Skills assessments are completed for each audit assignment via the RIPE to identify any training requirements.

External firms are engaged, in line with the procurement policy to undertake areas of work which fill a skills gap or where technical expertise is required, such as IT audit resource.

1210

2030

2230

9. IA resources apply a risk-based approach

Recruitment

Induction and PDR

All staff are required to be professionally qualified.

The recruitment process incorporates a risk-based assessment.

PDR process for continuous improvement and development.

1210

10 & 42. Anti-fraud skills, resource and process

Incident Assessment Form

Counter-Fraud Policy

RIPE

Internal Audit have devised an Incident Assessment Form to allow a risk-based decision to be made and evidenced at the institution.  Should specialist counter-fraud expertise be required for complex frauds, professional services firms are utilised. *

The institution’s Counter-Fraud Policy includes a Fraud Response Plan, which allows for an assessment to be made by a Panel* as to the most appropriate resource to be used (including the potential for an External specialist) to undertake specialist investigations. All procedures have been tested during live incidents.

Through planned audit work, the RIPE form used at the planning stage, has a section that requires an assessment of fraud risks.

The Counter-Fraud/Anti-Bribery internal control environment operating at the institution is subject to periodic review by IA.

1210

2040

2120

2210

11. IT skills and resource

IA Strategy

The IT programme is delivered by an external provider. There is budget available to allow key risks to be identified and assessed (for example using COBIT) and covered in a rolling programme of work.

In-house IT related skills are kept up to date through skills assessments completed via the RIPE for each audit assignment and visibility of reporting from the external provider.

1210

12 & 31. Consistency of IA approach and use of IT and audit tools (e.g. data analytics)

Shared drive – file structure

PAD

RIPE

IA Strategy

Version Control

All audit files are held electronically, which facilitates the agility of the team, and enables location flexible working .

Each audit holds a unique reference number e.g. ‘202x/xx_Cxx’, the file structure on the shared drive is set up at the start of each year.  The process of version control is captured in a separate document.

Audit templates are held on the shared drive, key to the consistent approach and delivery of each audit are the PAD and RIPE.  File reviews are completed and evidenced within these documents for all assignments to support and drive  consistency.

The use of data analytics and other tools is severely limited by the maturity of data quality across the institution.  This was initially addressed by the audit programme 2018/19 and is considered annually. IA are unable to progress maturity in this area until institutional maturity improves.  However, consideration is given to the use of data analytics for each audit assignment via the RIPE.

1210

2040

13 & 22. Skills / experience /qualifications of the HIA

HIA Job Description

The HIA Job Description requires that the post holder has significant relevant experience and be professionally qualified.

Further details of required qualifications, experience and skills is detailed within the job description.

1210

1230

14. Professional due care is exercised by the IA function (experience, objectivity, training and judgement)

Annual Report

PAD

Shared drive – file structure

File review of each audit assignment is the predominant control over the due professional care exercised by the IA function.  The HIA reviews the work of staff and in turn they review work completed by the HIA.  All reviews are evidenced, which are held within the relevant audit assignment folder on the shared drive.

Reference to conformance with the standards also given within the annual report, section 1.49 for example in 2020/21 version.

1200

1220

1311

15. IA relevant knowledge of working context (HE Sector)

Induction and PDR Objectives

Induction Checklist

RIPE

Knowledge of the sector and ways of achieving this are given as objectives within probation and PDR reviews.  Induction programme available for new starters drives knowledge acquisition.

The in-house team are members of key sector groups,  BUFDG, WONK HE and CHEIA and receive appropriate regular sector updates. This extends to  Welsh context specific requirements.

All in-house staff attend either the HIA Forum or the Practitioner’s Forum of CHEIA.

Assessment of skills and knowledge is considered for each audit assignment via the RIPE.

1230

16. Training and continuing professional development of IA staff

IA Strategy

PDR

All staff are professionally qualified and are required to maintain CPD to retain professional membership.

Training and CPD is also included within the probation and PDR process, referenced within the Audit Strategy.

A training budget is determined from the PDR and the programme of work, which is included within the funding requirement put to the Audit and Risk Committee in June each year.

1230

17. IA appetite for innovation and new working practices to enhance service provision

IA Strategy

The HIA actively keeps abreast of current developments in the audit profession and considers application to service delivery.

The HIA regularly maintains contact with other HIAs both in the HE sector via CHEIA and outside the sector via CIIA events, and the Wales HIA networking group.  CIIA HIA forum membership and attendance at events at national level.

Working practices and templates are considered at regular points including at team audit planning sessions and in advance of the new academic year.

Appetite to incorporate data analytics into assignments where data maturity allows.

1230

1300

18 & 20. Internal and External Assessments of IA

Quality Assessment and Improvement Programme (QAIP)

Internal review is completed for all work undertaken as part of day-to-day supervision prior to report release, as noted on the PAD and all published reports.

IA completes the CHEIA peer review self-assessment annually and maintains a ‘Quality Assurance and Improvement Programme’ (QAIP).  Annually the Audit and Risk Committee receive the QAIP action plan, results and next steps (typically October) and this is included in the Annual Report.

Formal external review is planned for 2021/22, to be determined by the Audit and Risk Committee, paper presented outlining HEFCW Financial Management Code requirements  in October 2021.

1300

1310

1311

1320

1321

1322

2000

2240

2430

2431

19. Auditees opinion of quality of service received

Annual Report

Feedback is gathered via several informal mechanisms, collated and reported annually to the Audit and Risk Committee (at their request) and included within the Annual Report.

1311

21. Appointment, removal and resignation of auditors

HEFCW Financial Management Code

Ordinances

The HEFCW Financial Management Code details requirements for the appointment, removal, or resignation of internal and external auditors, where governing bodies are responsible for the appointment and removal of both internal and external auditors.

Audit and Risk Committee advise on the appointment and termination of the Head of Internal Audit.

Ordinances of the Audit and Risk Committee outline their responsibility to advise the governing body on the appointment of audit providers.

1110

23 & 33. Development and progress of a risk-based Audit Strategy and Plan

UEB Risk Register

Audit Universe

IA Strategy and Plan

Progress Report

Risk Assurance Map

The University Executive Board’s (UEB) Risk Register forms the starting point for the Audit Strategy and Plan.  The risk register is laid over the Audit Universe and there is direct line of sight from the higher-level risks through to the Audit Programme for the year.

Extensive consultation is undertaken during the planning process with management and governors.

Risk assurance mapping processes are considered as they become embedded into the institution.

The programme is reviewed quarterly by UEB and the Audit and Risk Committee, and changes proposed are documented.  KPIs are included within the progress report and notes any limitations.

A level of contingency days are built into the plan to enable the service to respond to emerging risks.

1111

2010

2060

24. Knowledge transfer available to support the IA function

Contracts for co-sourced provision

The IA function is supported by two co-sourced partners to address any gaps in the plan.

1210

25. Processes to ensure IA are kept informed of institutional changes impacting the risk environment

UEB, Council, committees of Council and sub-committee papers

IA is on the distribution list for UEB, committees of Council and other sub-committees as required.  Regular diarised meetings between HIA and the Chief Operating Officer, University Secretary, Director of Financial Operations and Chair of Council
Annual planning meetings are held between the HIA and the Vice-Chancellor and Pro Vice-Chancellors as a minimum.

2010

26. Audit Universe coverage of the institution and associated activities

Audit Charter

Audit Universe

IA Charter specifically refers to 'Cardiff University and its affiliates' in section 6.

The audit universe incorporates associated activities of the university, including the Student Union, joint ventures and subsidiary companies, and continues to be extended.

1000

2010

2100

2201

27. IA resource adaptable to changing risk profile

IA Strategy

The ‘IA Strategy, Plan and Budget’ is presented to Audit and Risk Committee for review, endorsement and recommendation to Council, including that 'the resources are sufficient bearing in mind the University's risk profile’; and, proposed areas of coverage etc.

Any additional requirements would be taken to Audit and Risk Committee for consideration if and when required.

1110

2010

2030

2230

28. Communication of the approved IA Strategy

IA Strategy

The IA Strategy is received by University Executive Board, Audit and Risk Committee, and Council.

2020

29. No limitations to scope of IA coverage

IA Strategy

IA audit coverage determined in the strategy and amendments approved by Audit and Risk Committee.

2020

2030

32. IA overview of other assurance providers

Annual Report

RIPE

A high-level risk assurance map has been completed to aid oversight of other assurance providers across the institution. Any external sources of assurance available are considered for each audit assignment via the RIPE.
Time is built into the Audit Plan to accomplish an overview of other assurance providers and liaise with such providers, including discussions with external auditors, Wellcome and UKRI.

The co-ordination and alignment of external assurance sources is being led by IA at present.  There is an increasing maturity of institutional assurance frameworks.

Known assurance providers to IA include: UKRI funding assurance review, HTA external visit, HEPCW VfM report, C. G. Lees research funding assurance and the work of the KPMG data returns (commissioned by HEFCW).

2050

34. Annual Report to Audit and Risk Committee for period under review

HEFCW Financial Management Code

Annual Report

Annual Report presented to Audit and Risk Committee in October each year.  In advance of this, the Annual Report is presented to University Executive Board for discussion and comment.

In accordance with the HEFCW Financial Management Code the Annual Report provides an opinion of governance, risk management, internal controls, data quality and value for money, regards adequacy and effectiveness.

1000

1111

1300

2060

35 & 59. Audit and Risk Committee monitor effectiveness and performance of IA

Quarterly progress report

QAIP

CUC Audit Committee Code of Practice

Quarterly progress report to each Audit and Risk Committee, which includes operational KPIs for monitoring purposes.

Regular in camera meetings with the Audit and Risk Committee and the Chair in line with scheduled committee meetings.
IA self-assessment completed annually.

The Chair of Audit and Risk Committee provides input to the HIA PDR, which feeds into HIA pay review.

The CUC Audit Committee Code of Practice (May 2020), refers to committee oversight of internal audit effectiveness, specifically ‘Element 8: The Audit Committee exercises effective oversight of internal audit’.

1100

2060

2070

36. Mechanisms to promote adherence to ethical standards

IA Charter

RIPE

Processes to direct adherence to ethical standards are embedded within the audit methodology including: the IA Charter (Section 2), independence and objectivity considerations for each assignment via the RIPE, and the requirement for all in-house staff to be qualified which require annual declarations to be made of conformance to ethical standards of relevant bodies.

1100

1120

1210

1220

1300

1311

1322

2000

2040

2431

37. IA consideration of institutional governance

IA Charter

IA Strategy

IA Annual Report

Included within the IA Charter, Strategy and opinion within the Annual Report.

Annual governance audit carried out to meet HEFCW FMC requirements for opinion.  The annual report draws together emerging governance themes in the root cause analysis of themes.

Council effectiveness review conducted periodically.  Last review completed in 2020/21 which is included in the opinion.

1000

2100

2110

2201

38. IA consideration of risk management

IA Charter

IA Strategy

IA Annual Report

Included within the IA Charter, Strategy and opinion within the Annual Report.

Annual risk management audit carried out to meet HEFCW FMC requirements for opinion.  The annual report draws together emerging risk management themes.

1000

2100

2120

2201

39. IA consideration of internal controls

IA Charter

IA Strategy

IA Annual Report

Included within the IA Charter, Strategy and Opinion within the Annual Report.

Every audit considers the internal control environment which feeds into the annual opinion. The annual report draws together emerging themes via a root cause analysis.

1000

2100

2130

2201

40. IA consideration of value for money

IA Charter

IA Strategy

IA Annual Report

Priority ratings of recommendations

Included within the IA Charter, Strategy and opinion within the Annual Report.

Every audit considers value for money arrangements which feeds into the annual opinion.  The annual report draws together emerging themes in the root cause analysis.

The internal audit methodology includes the ability to raise VfM points within each audit, as well as looking to audit specific areas with a VfM slant.

Management assurances and external forms of assurances are considered in deriving theVfM opinion.

1000

2100

2130

2201

41. Documented work programmes to achieve engagement objectives

RIPE

PAD

Terms of Reference (ToR)

At the planning stage of each audit the methodology requires the completion of a RIPE and PAD (Process Analysis and Design) form.  Both of these are the foundation for the completion of the Terms of Reference which outlines risks, objectives covered and requirements of testing including the tools and techniques used.  Each piece of work is bespoke.  The same methodology is applied for consultancy/advice engagements.

2200

2210

2230

2240

43. Planning of individual audit assignments

RIPE

PAD

ToR

Initial conversations are held with members of UEB when the HIA holds annual planning meetings.  The HIA assigns an auditor who completes desk-based research to commence the completion of the PAD and RIPE.

Planning meetings with key contacts are to be arranged to discuss the audit area and associated risks to facilitate the completion of the RIPE and PAD, which leads to the development of a Terms of Reference.

Each audit is assigned a UEB Sponsor, determined by the risk register in most instances.  Once the RIPE and draft ToR have been reviewed by HIA (or reviewer), a draft of the ToR will be shared with the UEB sponsor for agreement, which includes; scope (including any limitations where relevant), objectives, risks, deliverables and proposed timelines.

The audit will only commence once a final ToR has been released following agreement of the draft.

2200

2210

2220

2230

44, 47, 48 & 50. Reports provide full and complete disclosure of material facts. Recommendations are identifiable from the PAD to IA report

PAD

RIPE

Report Templates

Shared drives

Assurance ratings

The PAD/RIPE are the key documents to connect the audit from planning through to the report.  The summary of the PAD informs the overall conclusion of the audit.  Audit close meetings are held for all assignments including advisory work. Format of close meetings differs depending on the assignment, PowerPoint presentation used for large assignments to relay findings through the discussion.

HIA/alternate undertakes review of all working papers and evidence of this review is presented on the PAD. Paper files are not created, all information is held on the shared drive within the relevant audit assignment folder.  
Report templates are in place for assurance / advisory assignments, to be tailored as required and must demonstrate the link to audit risks from the ToR and PAD.  Standard wording for conclusions agreed by Audit and Risk Committee and applied to all assignments within these templates.

A separate follow-up template is in place.  The style of reporting is extended to the external contractors, who badge their own reports but utilise our methodology and style.

KPI’s are used to monitor performance of the reporting process which are monitored by Audit and Risk Committee.

1311

2300

2310

2320

2330

2340

2400

2410

2421

2440

45 & 51. Supervision of audit engagements and quality assurance

RIPE

PAD

Report Template

QAIP

Audit review is captured for all assignments electronically, file review is evidenced on the RIPE, PAD and draft report, prior to release.   In the instance where the HIA undertakes audit work, a review is undertaken by another member of staff.

External sub-contracted auditors follow their agreed in-house QA protocols.

Team meetings provide opportunity to discuss lessons learned from each assignment, to continuously improve working practices.

QAIP conducted annually by HIA as a peer-reviewed self-assessment.

1300

1311

2340

2420

2430

46. Appropriate control over access to engagement records

Management and protection of data: mandatory actions for internal auditors

Shared drive – file structure

Audit assignment engagement records are held on the shared drive.  There is restricted access to the shared drive with only IA team members having access. An IA TEAMS site is available for use also for convenience and accessible to IA staff only.  The shared drive remains the definitive and authoritative information source.

IA only release audit ToR’s and reports to the UEB Sponsor and Lead Contact, unless advised to circulate further or where required for completion of management response, e.g. a recommendation requires action from more than one department/school.

Further details are provided in the ‘Management and Protection of Data’, which is mandatory for all IA staff.
IA document retention and data policy maintained by IA, last updated April 2021.

All university staff are required to annually complete mandatory ‘Information Security’ e-learning.

2040

2330

49, 56 & 57. Management agreement of recommendations and procedures for dealing with disagreements

Report templates

Audit and Risk Committee ToR

IA Charter

The reporting requirements are set out in the ToR for each piece of work undertaken.  Management have 10 working days to provide a management response to the draft report, which requires a response to each recommendation (unless advisory), confirming if they agree or disagree with recommendations.  On return, IA check for reasonableness of responses and timeliness of completion, prior to issuing as a final report.  On receipt of the management responses IA will aim to issue the final report within 5 working days.

In instances where recommendations are not accepted, Audit and Risk Committee will be made aware of the discrepancy, and that management choose to accept the risk by not implementing the recommendation.

Section 3 of the IA Charter refers, if there is interference with reporting or communication of risks and section 6, “the HIA will report periodically to senior management and the Audit and Risk Committee any response to risk by management that may be unacceptable to Cardiff University.”  This is undertaken routinely via the Tracker.

1111

2400

2410

2600

52. Exclusion of recommendation from the report

PAD

Reviewed draft report

This is not common practice but may happen if recommendations are grouped into an action category.  All decisions are clearly documented on the PAD and reviewed audit report, providing direct line of sight from the RIPE and PAD, through to the final report.

2330

2420

2440

53. Audit opinions

Assurance ratings

Assurance ratings are documented and appended to every report, which were approved by the Audit and Risk Committee, 'Review of Internal Audit Assurance Ratings for 2017/18 - 17/34’ to align directly with the risk management framework.

The HIA reviews all internally and externally produced work for consistency with this framework.

2040

2210

2410

2450

54. Follow-up of prior year / in year IA recommendations

Tracker

FUP report

UEB and thereafter the Audit and Risk Committee (at each meeting) receives a report of the highly rated recommendations, ‘the Tracker’.  The Tracker lists all Priority-1 recommendations, highlighting those outstanding and an IA assessment of the risk remaining to the business if recommendations are not implemented. The number of items on the tracker also contributes to the IA Opinion.

The Tracker paper also captures the progress of undertaking follow-ups of each audit assignment, where all categories of recommendation are followed up on and released as a separate report.

2500

2600

55. Mechanisms in place to timetable the completion of audit work and deliverables

IA Strategy

ToR

The IA Strategy and Programme outlines the timetable for completion of audit work. Regular updates are made to the Audit and Risk Committee as a standing item through the progress report, and amendments to the plan clearly shown and requested from the committee.

Each audit assignment terms of reference details proposed timelines and deliverables.

2000

2200

58. Benchmarking of IA costs

IA Strategy

Benchmarking of IA costs is included within Audit Strategy and Plan annually and compared to the BUFDG survey and to external firms.

1110

2230

60. Audit and Risk Committee’s assessment of the performance of IA

QAIP

Audit and Risk Committee self-evaluation

Audit and Risk Committee Annual Report

The Audit and Risk Committee receive the results of the QAIP for review and discussion, minutes of the meeting record the committee’s response with regard to performance.

Audit and Risk Committee self-evaluation would also provide insight to performance of IA.

Audit and Risk Committee Chair Annual Report to Council states “the committee has satisfied itself that reliance can be placed on the reporting made by the Internal Audit function in place during the year”

1311

3 Key documents and evidence

  1. Cardiff University Website – Internal Audit
  2. Cardiff University Intranet – Internal Audit Service
  3. Cardiff University Website – Audit and Risk Committee Terms of Reference

Audit and Risk Committee approval

  1. Internal Audit Charter (October 2020 Meeting Book)
  2. Internal Audit Strategy and Plan (Approved annually in October Meeting Book)
  3. Internal Audit Annual Report (Approved annually in November Meeting Book)
  4. Progress Reports (Presented at each Audit and Risk Committee Meeting)
  5. Tracker Report (See Audit and Risk Committee Meeting Book)
  6. Quality Assessment and Improvement Programme (QAIP) (Approved annually in October Meeting Book)
  7. Guidance for Advice and Consultancy Arrangements (Approved in Paper 17’564 in June 2018 Audit and Risk Committee Meeting)

Internal Audit Methodology and Templates

  1. Audit Universe 2020/21 (IA Teams Site - Audit Universe)
  2. Risk Identification Plan and Evaluation (RIPE)
  3. Process Analysis and Design (PAD)
  4. Terms of Reference (ToR)
  5. Report Templates:
    1. Assurance or Advisory Template
    2. Follow-up Template
  6. Assurance Ratings and priority ratings of recommendations
  7. Incident Assessment Form
  8. Shared Drive – File Structure
  9. Management and protection of data: mandatory actions for internal auditors
  10. Version Control

Internal Audit Resourcing

  1. Head of Internal Audit Job Description
  2. Senior Internal Auditor Job Description
  3. Contracts for co-sourced provision – Internal audit shared drive

HR and corporate processes

  1. PDR and Induction process (See intranet)


    External documents

  2. HEFCW Financial Management Code (HEFCW FMC)
  3. CUC Higher Education Audit Committees Code of Practice (May 2020)