Internal Audit

 

What is Internal Audit?

Internal Audit, as defined by the Institute of Internal Auditors (IIA), is:

 

"An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

 

The main purpose of Internal Audit activity within HE institutions is to provide the Audit Committee with an objective evaluation and opinion on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control. Internal Audit may also be used by management as an expert internal management consultancy to assist, for example, with the development of strategic risk management processes for the organisation. It is important to note that Internal Audit is neither a substitute for management ownership of risk nor a substitute for an embedded review system carried out by the various institutional staff who have executive responsibility for the achievement of organisational objectives.

 

The background in Higher Education

The Higher Education (HE) sector continues to face a challenging strategic outlook - significantly reduced funding from HEFCE for tuition and capital expenditure, more concentrated and metrics based research funding, increasing regulatory demands and requirements, pressures to increase academic quality, ensure financial sustainability, to meet the increasing expectations of students, marketisation of student demand and true internationalisation of the UK HE sector. The management and assurance of data quality continues to be a major issue in the sector and which can have a significant impact on student recruitment. Institutions are responding by becoming more business-like, developing more efficient and effective back-office processes, increased specialisation and professionalisation of support services, web-enabled processes and improved data and information. The sector has experienced evolution towards an increasingly "managerial" and "corporate" style of operations.

 

Internal Audit needs to respond to these challenges in the sector and raise standards, moving away from its traditional transaction-based and compliance role to being more proactive and strategic, making a more positive and demonstrable contribution to the achievement of institutional strategic objectives. In this way, Internal Audit can genuinely “add value” and assist in promoting institutional performance improvement.

 

Internal Audit must be involved in facilitating institutional change and helping to affect more effective top-level decision making, assisting institutions to manage risk, and continually helping to improve control systems and attain value of money in the delivery of its activities.

 

Major regulatory changes mean that Internal Audit must assist the governing body to become more effective in the discharge of its roles and responsibilities, to adapt quickly to new institutional risks, in addition to helping facilitate timely responses to various institutional and sector-wide issues.

 

How do we work as effective Internal Auditors in Higher Education?

An effective Internal Audit function will become an integral part of the institution, identifying and assisting to mitigate risk, supporting management, identifying potential efficiency gains and working to optimise costs, revenue and customer service so that the institution can achieve its strategic objectives.

 

At KCG, we are established as an integral part of our Member institutions. Through joint employment, we form part of the "staff" of our Member institutions, which is important for us to be able to absorb institutional culture and working practices.  Our staff work at all levels of our Member institutions' organisational structures with particular focus on strong working relationships with governing bodies and sub-committees, Vice Chancellors and Executive/ senior management teams.

 

Every HE institution has established governance and assurance structures. A model that is often deployed to clarify roles is the ‘three lines of defence’ model, which illustrates that assurance can derive from a number of different sources as follows:

 

• Front-line activity, in terms of evidence that policies, processes, controls and checks are in place. This would feature in senior managements’ stewardship reporting arrangements and could incorporate elements of control risk self-assessment. Staff in the first line of defence have direct responsibility for the management and control of risk (i.e. staff and management working within or managing academic departments or professional and support departments).

• A secondary line of assurance can come from separate arrangements that management has put in place to assure itself that procedures and controls are operating as they should be. These could include mechanisms such as quality management arrangements, programme and project assurance and health and safety inspections. Staff in the second line of defence co-ordinate, facilitate and oversee the effectiveness and integrity of the risk management framework (i.e. the Risk Management Committee).

• The third line of defence within an institution is an independent and objective internal audit function. In providing assurance on the framework of risk management, value for money, control and governance, Internal Audit should consider the other mechanisms in place within the first and second lines of defence and the extent to which audit can rely upon them. Staff in the third line of defence provide independent assurance and challenge across all activities in respect of the integrity and effectiveness of the risk management framework (eg Internal Audit and External Audit).

 

The following diagram illustrates these roles and responsibilities:

 

 

As Internal Auditors, we contribute towards the third line of defence although our role and responsibilities also allow us to assist institutions to develop and strengthen their first and second lines of defence.

 

In carrying out our work, we are required to comply at all times with the HEFCE audit requirements contained within the HEFCE Financial Memorandum and the Audit Code of Practice - HEFCE Code of Practice (June 2010/19), the Government Internal Audit Standards (GIAS - published by the Treasury), and other industry best practice and professional standards, including the Institute of Internal Auditors (IIA) Standards.

 

Co-source internal audit - It is not always possible for an institution to keep its own internal audit department sufficiently staffed or up-to-date with the relevant skills or experience to consistently deliver a value-added service. Institutions which find themselves in this situation are turning to other providers to deliver assistance for their in-house team and benefit from the greater independence and flexibility afforded by an external resource.

 

KCG not only has experience of providing internal audit services to the HE sector, we can work alongside an in-house function to provide valuable skilled support wherever it is required. We offer a positive partnering approach that can take many forms, from the conduct of individual audits or groups of audits to specialist audits (e.g. IT, HR, tax, procurement and contracts, EU funding, VFM, counter fraud etc.) and the provision of internal audit management etc.

 

We can provide staff on direct secondment or enter into more complex partnership arrangements to provide:

 

Skill transfers

Best practice methodologies

Additional training

Consultancy services

Audit and risk software solutions