Internal Audit Manual
Cardiff University Internal Audit Manual
Version number: V1.2
(*alignment to v0.6 of CHEIA Quality Assurance Toolkit)
Date: January 2022
Next review: September 2024
Owner: Faye Lloyd, Head of Internal Audit
1 Introduction and background
Structured to ensure compliance with relevant Internal Audit standards | * This Audit Manual has been developed in keeping with the structure of the CHEIA Internal Audit Quality Assurance Toolkit, which was originally commissioned by HEFCE on behalf of CHEIA in 2005. The toolkit is periodically updated to take account of changes to IIA Standards and related standards (e.g. Public Sector Internal Audit Standards PSIAS) and emerging good practice. |
---|---|
Outlines key operating policies and procedures that govern IA | The Manual establishes the key operating policies and procedures that govern the internal audit (IA) activity with a further view to strengthening professionalism of the function and serving as a guidance document to staff at Cardiff University on the ‘modus operandi’ of the service. |
IA function operational since 2017 with a refreshed methodology | The Internal Audit Service underwent a transformation from the Joint Internal Audit Unit (covering Cardiff and Swansea Universities) that was in operation up until March 2017. This was replaced by a refreshed service that was responsible for Cardiff University only. A new HIA and in-house team and co-sourced partners were recruited and contracted to deliver the Service. |
Purpose of IA to provide independent, objective assurance and consulting activity designed to add value and improve operations | The purpose of the Internal Audit Service at Cardiff University is to provide independent, objective assurance and consulting activity designed to add value and improve Cardiff University’s operations. The mission of internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight. The internal audit service helps Cardiff University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes. |
Key documents direct the IA function and approved by Audit and Risk Committee and Council |
2 Application of the Standards
QAIP Ref. and Evidence | | CIIA Standard |
---|---|---|
1. Purpose, authority and responsibility of the Internal Audit (IA) activity Internal Audit Charter | The Internal Audit Charter was agreed with the Vice-Chancellor in his role as Accountable Officer, endorsed by Audit Committee in October 2020 and recommended to Council and approved in November 2020. The Charter is published on the intranet and the external facing website containing public information. The Charter in use is based upon the template issued by CIIA. | 1000 1010 1110 2100 |
2. Access within the institution Internal Audit Charter | The Head of Internal Audit (HIA) and team have full unrestricted access, granted via the Internal Audit Charter. Section 4 of the Charter refers to authority: “The Audit and Risk Committee authorises the internal audit service to: - Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information. - Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports. - Obtain assistance from the necessary personnel of Cardiff University, as well as other specialised services from within or outside, in order to complete the engagement.” | 1000 1111 |
3. Independence and objectivity of IA Internal Audit Charter RIPE Guidance for Advisory and Consultancy work | The HIA reports to the Chair of Audit and Risk Committee, and substantively to the Chief Operating Officer. The Head of Internal Audit holds regular 1:1s with Chair of Council. In June each year, the Audit and Risk Committee receive the IA Audit Strategy and Plan with reference to the IA service’s approach to advisory and consultancy work for approval. The internal audit planning document, the ‘Risk Identification Plan and Evaluation (RIPE)’ includes a section for disclosure of potential conflicts of interests linked to each audit assignment. Section 3 of the Internal Audit Charter refers to Independence and Objectivity of the IA service, “Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.” | 1000 1100 1110 |
4 & 6. IA activity free from executive interference and responsibilities Annual Report Internal Audit Charter | Under the HEFCW Financial Memorandum, the HIA is required to state in the Annual Report that the HIA has been unfettered in their reporting. Evidenced within section 3 of the Internal Audit Charter. | 1000 1110 1112 1130 |
5. Council satisfied with status of HIA to fulfil responsibilities HIA Job Description | The HIA is appointed as per the original job description ‘with a level of gravitas appropriate within the organisation', appointed on the senior salary scale and subject to remuneration committee review for salary amendments annually, as per an annual paper to Audit and Risk Committee and approved by Council. HIA receives circulation of UEB papers and attends Professional Services Leadership Network (PLSN). | 1110 |
7. Individual objectivity and organisational independence maintained RIPE Annual Report | A requirement for internal auditors to declare any conflicts is included within the planning of each audit assignment via the RIPE. Formal declaration is made within the Annual Report. All staff are required to declare any declarations of interest within the corporate system, Core HR. Consultancy assignments undertaken by IA are subject to issued guidance to ensure objectivity is maintained. In such instances, any subsequent related assurance assignments would typically be carried out by a different member of staff or externally sourced. | 1120 1130 |
8 & 30. Knowledge, skills and competencies of IA resource Recruitment Induction and PDR | All IA in-house staff are required to be professionally qualified. The probation and performance development reviews are used to document training needs, aligned to the annual IA programme. Skills assessments are completed for each audit assignment via the RIPE to identify any training requirements. External firms are engaged, in line with the procurement policy to undertake areas of work which fill a skills gap or where technical expertise is required, such as IT audit resource. | 1210 2030 2230 |
9. IA resources apply a risk-based approach Recruitment Induction and PDR | All staff are required to be professionally qualified. The recruitment process incorporates a risk-based assessment. PDR process for continuous improvement and development. | 1210 |
10 & 42. Anti-fraud skills, resource and process Incident Assessment Form Counter-Fraud Policy RIPE | Internal Audit have devised an Incident Assessment Form to allow a risk-based decision to be made and evidenced at the institution. Should specialist counter-fraud expertise be required for complex frauds, professional services firms are utilised. * The institution’s Counter-Fraud Policy includes a Fraud Response Plan, which allows for an assessment to be made by a Panel* as to the most appropriate resource to be used (including the potential for an External specialist) to undertake specialist investigations. All procedures have been tested during live incidents. Through planned audit work, the RIPE form used at the planning stage has a section that requires an assessment of fraud risks. The Counter-Fraud/Anti-Bribery internal control environment operating at the institution is subject to periodic review by IA. | 1210 2040 2120 2210 |
11. IT skills and resource IA Strategy | The IT programme is delivered by an external provider. There is budget available to allow key risks to be identified and assessed (for example using COBIT) and covered in a rolling programme of work. In-house IT related skills are kept up to date through skills assessments completed via the RIPE for each audit assignment and visibility of reporting from the external provider. | 1210 |
12 & 31. Consistency of IA approach and use of IT and audit tools (e.g. data analytics) Shared drive – file structure PAD RIPE IA Strategy Version Control | All audit files are held electronically, which facilitates the agility of the team and enables location-flexible working. Each audit holds a unique reference number, e.g. ‘202x/xx_Cxx’; the file structure on the shared drive is set up at the start of each year. The process of version control is captured in a separate document. Audit templates are held on the shared drive; key to the consistent approach and delivery of each audit are the PAD and RIPE. File reviews are completed and evidenced within these documents for all assignments to support and drive consistency. The use of data analytics and other tools is severely limited by the maturity of data quality across the institution. This was initially addressed by the audit programme 2018/19 and is considered annually. IA are unable to progress maturity in this area until institutional maturity improves. However, consideration is given to the use of data analytics for each audit assignment via the RIPE. | 1210 2040 |
13 & 22. Skills / experience / qualifications of the HIA HIA Job Description | The HIA Job Description requires that the post holder has significant relevant experience and be professionally qualified. Further details of required qualifications, experience and skills are given within the job description. | 1210 1230 |
14. Professional due care is exercised by the IA function (experience, objectivity, training and judgement) Annual Report PAD Shared drive – file structure | File review of each audit assignment is the predominant control over the due professional care exercised by the IA function. The HIA reviews the work of staff and in turn they review work completed by the HIA. All reviews are evidenced, and the evidence is held within the relevant audit assignment folder on the shared drive. Reference to conformance with the standards is also given within the annual report, for example section 1.49 in the 2020/21 version. | 1200 1220 1311 |
15. IA relevant knowledge of working context (HE Sector) Induction and PDR Objectives Induction Checklist RIPE | Knowledge of the sector and ways of achieving this are given as objectives within probation and PDR reviews. Induction programme available for new starters drives knowledge acquisition. The in-house team are members of key sector groups, BUFDG, WONK HE and CHEIA and receive appropriate regular sector updates. This extends to Welsh context specific requirements. All in-house staff attend either the HIA Forum or the Practitioner’s Forum of CHEIA. Assessment of skills and knowledge is considered for each audit assignment via the RIPE. | 1230 |
16. Training and continuing professional development of IA staff IA Strategy PDR | All staff are professionally qualified and are required to maintain CPD to retain professional membership. Training and CPD is also included within the probation and PDR process, referenced within the Audit Strategy. A training budget is determined from the PDR and the programme of work, which is included within the funding requirement put to the Audit and Risk Committee in June each year. | 1230 |
17. IA appetite for innovation and new working practices to enhance service provision IA Strategy | The HIA actively keeps abreast of current developments in the audit profession and considers application to service delivery. The HIA regularly maintains contact with other HIAs both in the HE sector via CHEIA and outside the sector via CIIA events, and the Wales HIA networking group. CIIA HIA forum membership and attendance at events at national level. Working practices and templates are considered at regular points including at team audit planning sessions and in advance of the new academic year. Appetite to incorporate data analytics into assignments where data maturity allows. | 1230 1300 |
18 & 20. Internal and External Assessments of IA Quality Assessment and Improvement Programme (QAIP) | Internal review is completed for all work undertaken as part of day-to-day supervision prior to report release, as noted on the PAD and all published reports. IA completes the CHEIA peer review self-assessment annually and maintains a ‘Quality Assurance and Improvement Programme’ (QAIP). Annually the Audit and Risk Committee receive the QAIP action plan, results and next steps (typically October) and this is included in the Annual Report. Formal external review is planned for 2021/22, to be determined by the Audit and Risk Committee, paper presented outlining HEFCW Financial Management Code requirements in October 2021. | 1300 1310 1311 1320 1321 1322 2000 2240 2430 2431 |
19. Auditees opinion of quality of service received Annual Report | Feedback is gathered via several informal mechanisms, collated and reported annually to the Audit and Risk Committee (at their request) and included within the Annual Report. | 1311 |
21. Appointment, removal and resignation of auditors HEFCW Financial Management Code Ordinances | The HEFCW Financial Management Code details requirements for the appointment, removal, or resignation of internal and external auditors, where governing bodies are responsible for the appointment and removal of both internal and external auditors. Audit and Risk Committee advise on the appointment and termination of the Head of Internal Audit. Ordinances of the Audit and Risk Committee outline their responsibility to advise the governing body on the appointment of audit providers. | 1110 |
23 & 33. Development and progress of a risk-based Audit Strategy and Plan UEB Risk Register Audit Universe IA Strategy and Plan Progress Report Risk Assurance Map | The University Executive Board’s (UEB) Risk Register forms the starting point for the Audit Strategy and Plan. The risk register is laid over the Audit Universe and there is direct line of sight from the higher-level risks through to the Audit Programme for the year. Extensive consultation is undertaken during the planning process with management and governors. Risk assurance mapping processes are considered as they become embedded into the institution. The programme is reviewed quarterly by UEB and the Audit and Risk Committee, and changes proposed are documented. KPIs are included within the progress report and notes any limitations. A level of contingency days are built into the plan to enable the service to respond to emerging risks. | 1111 2010 2060 |
24. Knowledge transfer available to support the IA function Contracts for co-sourced provision | The IA function is supported by two co-sourced partners to address any gaps in the plan. | 1210 |
25. Processes to ensure IA are kept informed of institutional changes impacting the risk environment UEB, Council, committees of Council and sub-committee papers | IA is on the distribution list for UEB, committees of Council and other sub-committees as required. Regular diarised meetings are held between the HIA and the Chief Operating Officer, University Secretary, Director of Financial Operations and Chair of Council. | 2010 |
26. Audit Universe coverage of the institution and associated activities Audit Charter Audit Universe | IA Charter specifically refers to 'Cardiff University and its affiliates' in section 6. The audit universe incorporates associated activities of the university, including the Student Union, joint ventures and subsidiary companies, and continues to be extended. | 1000 2010 2100 2201 |
27. IA resource adaptable to changing risk profile IA Strategy | The ‘IA Strategy, Plan and Budget’ is presented to Audit and Risk Committee for review, endorsement and recommendation to Council, including that 'the resources are sufficient bearing in mind the University's risk profile’; and, proposed areas of coverage etc. Any additional requirements would be taken to Audit and Risk Committee for consideration if and when required. | 1110 2010 2030 2230 |
28. Communication of the approved IA Strategy IA Strategy | The IA Strategy is received by University Executive Board, Audit and Risk Committee, and Council. | 2020 |
29. No limitations to scope of IA coverage IA Strategy | IA audit coverage determined in the strategy and amendments approved by Audit and Risk Committee. | 2020 2030 |
32. IA overview of other assurance providers Annual Report RIPE | A high-level risk assurance map has been completed to aid oversight of other assurance providers across the institution. Any external sources of assurance available are considered for each audit assignment via the RIPE. The co-ordination and alignment of external assurance sources is being led by IA at present. There is an increasing maturity of institutional assurance frameworks. Known assurance providers to IA include: UKRI funding assurance review, HTA external visit, HEFCW VfM report, C. G. Lees research funding assurance and the work of the KPMG data returns (commissioned by HEFCW). | 2050 |
34. Annual Report to Audit and Risk Committee for period under review HEFCW Financial Management Code Annual Report | Annual Report presented to Audit and Risk Committee in October each year. In advance of this, the Annual Report is presented to University Executive Board for discussion and comment. In accordance with the HEFCW Financial Management Code the Annual Report provides an opinion of governance, risk management, internal controls, data quality and value for money, with regard to adequacy and effectiveness. | 1000 1111 1300 2060 |
35 & 59. Audit and Risk Committee monitor effectiveness and performance of IA Quarterly progress report QAIP CUC Audit Committee Code of Practice | Quarterly progress report to each Audit and Risk Committee, which includes operational KPIs for monitoring purposes. Regular in camera meetings with the Audit and Risk Committee and the Chair in line with scheduled committee meetings. The Chair of Audit and Risk Committee provides input to the HIA PDR, which feeds into HIA pay review. The CUC Audit Committee Code of Practice (May 2020), refers to committee oversight of internal audit effectiveness, specifically ‘Element 8: The Audit Committee exercises effective oversight of internal audit’. | 1100 2060 2070 |
36. Mechanisms to promote adherence to ethical standards IA Charter RIPE | Processes to direct adherence to ethical standards are embedded within the audit methodology including: the IA Charter (Section 2), independence and objectivity considerations for each assignment via the RIPE, and the requirement for all in-house staff to be qualified which require annual declarations to be made of conformance to ethical standards of relevant bodies. | 1100 1120 1210 1220 1300 1311 1322 2000 2040 2431 |
37. IA consideration of institutional governance IA Charter IA Strategy IA Annual Report | Included within the IA Charter, Strategy and opinion within the Annual Report. Annual governance audit carried out to meet HEFCW FMC requirements for opinion. The annual report draws together emerging governance themes in the root cause analysis of themes. Council effectiveness review conducted periodically. Last review completed in 2020/21 which is included in the opinion. | 1000 2100 2110 2201 |
38. IA consideration of risk management IA Charter IA Strategy IA Annual Report | Included within the IA Charter, Strategy and opinion within the Annual Report. Annual risk management audit carried out to meet HEFCW FMC requirements for opinion. The annual report draws together emerging risk management themes. | 1000 2100 2120 2201 |
39. IA consideration of internal controls IA Charter IA Strategy IA Annual Report | Included within the IA Charter, Strategy and Opinion within the Annual Report. Every audit considers the internal control environment which feeds into the annual opinion. The annual report draws together emerging themes via a root cause analysis. | 1000 2100 2130 2201 |
40. IA consideration of value for money IA Charter IA Strategy IA Annual Report Priority ratings of recommendations | Included within the IA Charter, Strategy and opinion within the Annual Report. Every audit considers value for money arrangements which feeds into the annual opinion. The annual report draws together emerging themes in the root cause analysis. The internal audit methodology includes the ability to raise VfM points within each audit, as well as looking to audit specific areas with a VfM slant. Management assurances and external forms of assurances are considered in deriving the VfM opinion. | 1000 2100 2130 2201 |
41. Documented work programmes to achieve engagement objectives RIPE PAD Terms of Reference (ToR) | At the planning stage of each audit the methodology requires the completion of a RIPE and PAD (Process Analysis and Design) form. Both of these are the foundation for the completion of the Terms of Reference which outlines risks, objectives covered and requirements of testing including the tools and techniques used. Each piece of work is bespoke. The same methodology is applied for consultancy/advice engagements. | 2200 2210 2230 2240 |
43. Planning of individual audit assignments RIPE PAD ToR | Initial conversations are held with members of UEB when the HIA holds annual planning meetings. The HIA assigns an auditor who completes desk-based research to commence the completion of the PAD and RIPE. Planning meetings with key contacts are to be arranged to discuss the audit area and associated risks to facilitate the completion of the RIPE and PAD, which leads to the development of a Terms of Reference. Each audit is assigned a UEB Sponsor, determined by the risk register in most instances. Once the RIPE and draft ToR have been reviewed by HIA (or reviewer), a draft of the ToR will be shared with the UEB sponsor for agreement, which includes: scope (including any limitations where relevant), objectives, risks, deliverables and proposed timelines. The audit will only commence once a final ToR has been released following agreement of the draft. | 2200 2210 2220 2230 |
44, 47, 48 & 50. Reports provide full and complete disclosure of material facts. Recommendations are identifiable from the PAD to IA report PAD RIPE Report Templates Shared drives Assurance ratings | The PAD/RIPE are the key documents to connect the audit from planning through to the report. The summary of the PAD informs the overall conclusion of the audit. Audit close meetings are held for all assignments including advisory work. The format of close meetings differs depending on the assignment; a PowerPoint presentation is used for large assignments to relay findings through the discussion. HIA/alternate undertakes review of all working papers and evidence of this review is presented on the PAD. Paper files are not created; all information is held on the shared drive within the relevant audit assignment folder. A separate follow-up template is in place. The style of reporting is extended to the external contractors, who badge their own reports but utilise our methodology and style. KPIs, which are monitored by Audit and Risk Committee, are used to monitor performance of the reporting process. | 1311 2300 2310 2320 2330 2340 2400 2410 2421 2440 |
45 & 51. Supervision of audit engagements and quality assurance RIPE PAD Report Template QAIP | Audit review is captured for all assignments electronically, file review is evidenced on the RIPE, PAD and draft report, prior to release. In the instance where the HIA undertakes audit work, a review is undertaken by another member of staff. External sub-contracted auditors follow their agreed in-house QA protocols. Team meetings provide opportunity to discuss lessons learned from each assignment, to continuously improve working practices. QAIP conducted annually by HIA as a peer-reviewed self-assessment. | 1300 1311 2340 2420 2430 |
46. Appropriate control over access to engagement records Management and protection of data: mandatory actions for internal auditors Shared drive – file structure | Audit assignment engagement records are held on the shared drive. Access to the shared drive is restricted to IA team members. An IA TEAMS site is also available for convenience and is accessible to IA staff only. The shared drive remains the definitive and authoritative information source. IA only release audit ToRs and reports to the UEB Sponsor and Lead Contact, unless advised to circulate further or where required for completion of management response, e.g. a recommendation requires action from more than one department/school. Further details are provided in the ‘Management and Protection of Data’, which is mandatory for all IA staff. All university staff are required to annually complete mandatory ‘Information Security’ e-learning. | 2040 2330 |
49, 56 & 57. Management agreement of recommendations and procedures for dealing with disagreements Report templates Audit and Risk Committee ToR IA Charter | The reporting requirements are set out in the ToR for each piece of work undertaken. Management have 10 working days to provide a management response to the draft report, which requires a response to each recommendation (unless advisory), confirming if they agree or disagree with recommendations. On return, IA check for reasonableness of responses and timeliness of completion, prior to issuing as a final report. On receipt of the management responses IA will aim to issue the final report within 5 working days. In instances where recommendations are not accepted, Audit and Risk Committee will be made aware of the discrepancy, and that management choose to accept the risk by not implementing the recommendation. Section 3 of the IA Charter refers, if there is interference with reporting or communication of risks and section 6, “the HIA will report periodically to senior management and the Audit and Risk Committee any response to risk by management that may be unacceptable to Cardiff University.” This is undertaken routinely via the Tracker. | 1111 2400 2410 2600 |
52. Exclusion of recommendation from the report PAD Reviewed draft report | This is not common practice but may happen if recommendations are grouped into an action category. All decisions are clearly documented on the PAD and reviewed audit report, providing direct line of sight from the RIPE and PAD, through to the final report. | 2330 2420 2440 |
53. Audit opinions Assurance ratings | Assurance ratings are documented and appended to every report, which were approved by the Audit and Risk Committee, 'Review of Internal Audit Assurance Ratings for 2017/18 - 17/34’ to align directly with the risk management framework. The HIA reviews all internally and externally produced work for consistency with this framework. | 2040 2210 2410 2450 |
54. Follow-up of prior year / in year IA recommendations Tracker FUP report | UEB and thereafter the Audit and Risk Committee (at each meeting) receives a report of the highly rated recommendations, ‘the Tracker’. The Tracker lists all Priority-1 recommendations, highlighting those outstanding and an IA assessment of the risk remaining to the business if recommendations are not implemented. The number of items on the tracker also contributes to the IA Opinion. The Tracker paper also captures the progress of undertaking follow-ups of each audit assignment, where all categories of recommendation are followed up on and released as a separate report. | 2500 2600 |
55. Mechanisms in place to timetable the completion of audit work and deliverables IA Strategy ToR | The IA Strategy and Programme outlines the timetable for completion of audit work. Regular updates are made to the Audit and Risk Committee as a standing item through the progress report, and amendments to the plan clearly shown and requested from the committee. Each audit assignment terms of reference details proposed timelines and deliverables. | 2000 2200 |
58. Benchmarking of IA costs IA Strategy | Benchmarking of IA costs is included within Audit Strategy and Plan annually and compared to the BUFDG survey and to external firms. | 1110 2230 |
60. Audit and Risk Committee’s assessment of the performance of IA QAIP Audit and Risk Committee self-evaluation Audit and Risk Committee Annual Report | The Audit and Risk Committee receive the results of the QAIP for review and discussion, minutes of the meeting record the committee’s response with regard to performance. Audit and Risk Committee self-evaluation would also provide insight to performance of IA. Audit and Risk Committee Chair Annual Report to Council states “the committee has satisfied itself that reliance can be placed on the reporting made by the Internal Audit function in place during the year” | 1311 |
3 Key documents and evidence
- Cardiff University Website – Internal Audit
- Cardiff University Intranet – Internal Audit Service
- Cardiff University Website – Audit and Risk Committee Terms of Reference
Audit and Risk Committee approval
- Internal Audit Charter (October 2020 Meeting Book)
- Internal Audit Strategy and Plan (Approved annually in October Meeting Book)
- Internal Audit Annual Report (Approved annually in November Meeting Book)
- Progress Reports (Presented at each Audit and Risk Committee Meeting)
- Tracker Report (See Audit and Risk Committee Meeting Book)
- Quality Assessment and Improvement Programme (QAIP) (Approved annually in October Meeting Book)
- Guidance for Advice and Consultancy Arrangements (Approved in Paper 17’564 in June 2018 Audit and Risk Committee Meeting)
Internal Audit Methodology and Templates
- Audit Universe 2020/21 (IA Teams Site - Audit Universe)
- Risk Identification Plan and Evaluation (RIPE)
- Process Analysis and Design (PAD)
- Terms of Reference (ToR)
- Report Templates:
  - Assurance or Advisory Template
  - Follow-up Template
- Assurance Ratings and priority ratings of recommendations
- Incident Assessment Form
- Shared Drive – File Structure
- Management and protection of data: mandatory actions for internal auditors
- Version Control
Internal Audit Resourcing
- Head of Internal Audit Job Description
- Senior Internal Auditor Job Description
- Contracts for co-sourced provision – Internal audit shared drive
HR and corporate processes
- PDR and Induction process (See intranet)
External documents
- HEFCW Financial Management Code (HEFCW FMC)
- CUC Higher Education Audit Committees Code of Practice (May 2020)