Internal Audit

 

What is Internal Audit?

Internal Audit, as defined by the Institute of Internal Auditors (IIA), is:

 

"An independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

 

The main purpose of Internal Audit activity within HEIs is to provide the Audit Committee with an objective evaluation and opinion on the overall adequacy and effectiveness of the organisation’s framework of governance, risk management and control. Internal Audit may also be used by management as an expert internal management consultant to assist with the development of strategic risk management processes for the organisation. It is important to note that Internal Audit is neither a substitute for management ownership of risk nor a substitute for an embedded review system carried out by the various staff who have executive responsibility for the achievement of organisational objectives.

The background in Higher Education

The Higher Education (HE) sector continues to face a challenging strategic outlook - more concentrated and metrics based research funding, increasing regulatory demands and requirements, the future de facto de-regulation of undergraduate fees, marketisation of student demand and true internationalisation of the UK HE sector. The integrity of data quality is also a major issue in the sector currently and which can have significant effects on an institution's funding arrangements. Institutions are responding by becoming more business-like, developing more efficient and effective back-office processes, increased specialisation and professionation of support services, web-enabled processes and improved data. The sector has experienced evolution towards an increasingly "managerial" and "corporate" style of operations.

 

Internal Audit needs to respond to these challenges in the sector and raise standards, moving away from its traditional transaction-based and compliance role to being more proactive and strategic, making a more positive and demonstrable contribution to the achievement of institutional strategic objectives. In this way, Internal Audit can genuinely “add value” and assist in promoting institutional performance improvement.

 

Internal Audit must now be more involved in facilitating institutional change and helping to affect more effective top-level decision making, assisting institutions to protect themselves against risk, and continually helping to improve control systems and attain value of money in the delivery of its activities.

 

Major regulatory changes mean that Internal Audit must now assist the governing body to become more effective in the discharge of its roles and responsibilities, to adapt quickly to new institutional risks, in addition to helping facilitate timely responses to various institutional and sector-wide issues.

How do we work as effective Internal Auditors in Higher Education?

An effective Internal Audit function will become an integral part of the institution, identifying and assisting to mitigate risk, supporting management, identifying potential efficiency gains and working to optimise costs, revenue and customer service so that the institution can achieve its strategic objectives.

 

At KCG, we are established as an integral part of our Member institutions. By virtue of our joint employment, we form part of the "staff" of our Member institutions, which is important for us to be able to absorb institutional culture and working practices.  Our staff work at all levels of our Member institutions' organisational structures with particular focus on strong working relationships with governing bodies and sub-committees, Vice Chancellors and Executive/ senior management teams.

 

Every HE institution has now established governance and assurance structures. A model that is often deployed to clarify roles is the ‘three lines of defence’ model, which illustrates that assurance can come from a number of different sources as follows:

 

• Front-line activity, in terms of evidence that policies, processes, controls and checks are in place. This would feature in senior managements’ stewardship reporting arrangements and could incorporate elements of control risk self-assessment. Staff in the first line of defence have direct responsibility for the management and control of risk (i.e. staff and management working within or managing academic departments or professional and support departments).

• A secondary line of assurance can come from separate arrangements that management has put in place to assure itself that procedures and controls are operating as they should be. These could include mechanisms such as quality management arrangements, programme and project assurance and health and safety inspections. Staff in the second line of defence co-ordinate, facilitate and oversee the effectiveness and integrity of the risk management framework (i.e. the Risk Management Committee).

• The third line of defence within an institution is an independent and objective internal audit function. In providing assurance on the framework of risk management, value for money, control and governance, Internal Audit should consider the other mechanisms in place within the first and second lines of defence and the extent to which audit can rely upon them. Staff in the third line of defence provide independent assurance and challenge across all activities in respect of the integrity and effectiveness of the risk management framework (eg Internal Audit and External Audit).

 

The following diagram illustrates these roles and responsibilities:

 

 

As Internal Auditors, we contribute towards the third line of defence although our role and responsibilities also allow us to assist institutions to develop and strenghten their first and second lines of defence.

 

In carrying out our work, we are required to comply at all times with the HEFCE audit requirements contained within Accountability and Audit - HEFCE Code of Practice (June 2008/19), the Government Internal Audit Standards (GIAS - published by the Treasury in October 2001), and other industry best practice and professional standards, including the Institute of Internal Auditors (IIA) Standards.