Beruflich Dokumente
Kultur Dokumente
Two new members, Mrs Margaret Ferris and Mr Kevin Cunningham, joined the Committee at
the beginning of the year: Mr Geoff Stevens resigned in July 2014 following his appointment
to the University Finance Committee, and we thank him for his service. Since the year end,
Mr Adrian Belton, a member of Council, and Mr David Bagley have joined the Committee.
There are currently no vacancies.
The Registrar and Secretary, Dr Philip Harvey, the Chief Financial Officer, Mr Bob Rabone,
and the Director of Finance, Mrs Helen Dingle, attended meetings of the Committee as
observers, as did other members of Professional Service Departments as required. The
Committee is grateful for their input. Mr David Swinn has acted as Secretary to the
Committee and we would like to thank him for his help.
3.
Committee Meetings
The Committee met five times during the session. All the Committees meetings were
attended by representatives of the Universitys Internal Auditors, PricewaterhouseCoopers
(PwC) and its External Auditors, KPMG.
On 25 November 2013 Audit Committee met jointly with Finance Committee, to consider the
draft Financial Statements for 2012-13 and KPMGs Audit Highlight Memorandum and
Management Letter.
The Audit Committee continues regularly to meet in private, without University staff present.
In appropriate cases the external and/or internal auditors attend.
4.
Terms of Reference and Procedures
There were no changes to the Committees terms of reference during the year. The
Committee continues to work to HEFCEs guidance, as elaborated in the CUCs Handbook for
Members of Audit Committees in HEIs.
In considering internal audit reports the Committee focuses on the most serious findings. In
PwCs model, these are overall report classifications of critical, high, medium or low risk,
together with individual finding ratings of critical, high, medium, low or advisory, applied as
appropriate to impact on operational performance, monetary or financial statement impact,
1
breaches in laws and regulations potentially resulting in material fines or consequences, and
impact on institutional reputation or brand. Departmental heads are routinely invited to
attend where opinions or findings at critical or high levels are offered in respect of their
departments. This allows joint exploration of the issues raised, the management response
and the action plan, which will normally have been formulated by the time the audit report
reaches the Committee. Recommendations of medium or low priority are taken on a by
exception basis.
The formal process of following-up and reporting outstanding audit recommendations has
continued, but in the light of the good progress made, our internal auditors are now
reporting to the committee on follow-up work only twice a year.
5.
Internal Audit Service
The 2013-14 session was the fifth in which the internal audit service was provided by
PricewaterhouseCoopers. The Universitys head of Internal Audit is Mr Ian Looker, partner in
PwC. During the year, the contract for internal audit services was put out to tender and a
Tender Evaluation Group was formed to oversee the process, which group included the
Chair of the Audit Committee and two other committee members, as well as officers of the
University. After review by the Tender Evaluation Group, including a clarification session,
Audit Committee made a recommendation to Council that PwC be reappointed on the basis
of a further three year contract with the option to extend by a further two one year periods
subject to satisfactory performance. This re-appointment was confirmed by Council in July
2014.
6.
Audit Strategy 2013-14
The Internal Audit strategy and plan for the session was formulated following discussions
between PwC and senior University managers, and subsequently with the Committee. The
planned internal audit input for the year was 251 audit days, comprising 19 planned reviews.
In the event 241 days were provided (2012-13: 228) [and 17 reviews had been completed by
the end of October 2014 with the remaining two reviews reported to Audit Committee on 24
November].
7.
Internal Audit Reports 2012-13
Three reports by PwC for the 2012-13 academic year were submitted to the Committee at its
meeting in October 2013 and one report was submitted to its November meeting. These
were reports which had not been completed and cleared during the previous session and
were considered in the Committees previous annual report. One report, on Local IT Services,
was however not submitted to the Committee until its meeting in January 2014. This audit
reviewed IT services and staff that are provided locally and exist in addition to central
provision from CICS. It resulted in an overall high risk rating comprising two high and two
medium level recommendations, and one low and one advisory level recommendation. The
Committee considered the report very carefully, noting that the issues identified were ones
previously known to CICS, and approving the agreed action plan. The Committee requested
regular updates on progress against this plan.
8.
Internal Audit Reports 2013-14
19 reports have been completed by PwC under the 2013-14 audit plan. Thirteen were
presented during the session and a further six in respect of the session at the meetings in
October and November 2014. A full list of reports is set out in the Internal Auditors Annual
Report.
[12] audits received a low risk classification, which is satisfactory. [Four] reports were
classified as medium risk and one report received an advisory rating. There were no high risk
reports, compared to one last year, which is a satisfactory improvement. Like last year, there
were no Critical or High Priority findings and the medium priority findings reduced from 20
to 13, although there was an increase in low priority findings from 21 to 30. [TBC]
Reports which contained a number of medium risk findings included Annual Subsidiary
Healthcheck, External Partnerships, VfM and Health and Safety. In each of these reports,
satisfactory management action plans have been agreed and are being implemented.
PwCs annual report for 2013-14 (attached) was received by the Committee in final form on
24 November 2014, a draft having been seen in October. Based on the work completed,
except for those areas described above, PwC believes that the University has adequate and
effective arrangements in place to support the achievement of managements objectives over:
Risk management, control and governance; and
Value for money processes.
9.
Follow-Up of Internal Audit Recommendations
Significant progress has been made in the last four years on the implementation of Internal
Audit recommendations, with the formalisation of a follow-up and reporting process led by
Finance, with testing and verification performed by PwC. By October 2014, management
assessment is that 100% of recommendations made between 2003/04 and 2009/10 have
been implemented or closed, and 71% of recommendations made between 2010/11 and 201314. During the year, the internal auditors followed up 38 recommendations in total and
agreed with management that 24 recommendations were fully implemented and 14 were
partially implemented. Of the 61 recommendations not implemented at the year-end, 22
were past the original implementation date. The Committee is pleased with the progress
made this year, but will continue to insist on rigorous follow-up of previous
recommendations. We continue to encourage the University to help managers understand
that internal audit is a management tool that should be used positively.
10.
Audit Strategy 2014-15
The Audit Committee has considered and approved the draft audit strategy for 2014-15
prepared by the Internal Auditors in consultation with University management. The Internal
Auditors have proposed, and the Committee has endorsed, the provision of 235 days in 201415 (2012-13:241).
11.
PwC provided consultancy services in connection with the Northern Health Science Alliance
(NHSA) and N8 Life Sciences Strategy project at a cost of 13,074. This was a collaboration
between the University of Sheffield and other members of the NHSA and N8, and the
procurement of these services was not carried out by the University. PwC also provided
advice in connection with IP Group share valuation at a cost of 3,765.60, which was below
the threshold for obtaining competitive quotes.
12.
External Audit
KPMG continue to provide the Universitys external audit service, having been appointed by
competitive tender in July 2002, March 2007 and again in June 2011 for a period of three
years commencing on 1 January 2012 with an option to extend the contract for a further two
years, subject to satisfactory annual review of performance. This contract is due to expire on
31 December 2014. The Committee recommended to Council that the contract should be
extended by one further year and this was approved by Council at its meeting in April 2014.
On 25 November 2013 the Audit and Finance Committees again met jointly to consider the
Financial Statements for 2012-13 and the External Auditors Audit Highlights Memorandum
and Management Letter. Audit Committee then discussed the audit aspects of the
Statements, Finance Committee having already signed them off, and agreed to recommend
the Statements to Council. Audit Committee also approved the Statement of Corporate
Responsibility for inclusion in the Universitys Annual Report.
The annual external audit fee for 2013-14 is a lump sum fee in accordance with the original
contract. It is subject to increases in line with the Retail Price Index and for any additional
work carried out that was not included within the contract.
In January 2014 the Committee considered a review prepared to evaluate the performance
and effectiveness of the Universitys external auditors. Questionnaires were completed by
members of Audit Committee, Finance Committee and the Finance Department. This
concluded that, overall, KPMG were meeting expectations and delivering external audit to a
high standard. Written feedback was provided to KPMG on a number of issues, including
discussion of critical accounting policies with relevant staff and committees, and how the
differences between the actual and forecast financial results were addressed.
In 2013-14 KPMG provided additional services for the University totalling 125,968. These
included 49,491 in respect of grant and loan audits, 36,000 relating to a review and tender
for investment services, 12,600 for advice and training on the transition to FRS102 and
18,582 relating to IT service delivery.
The Committee considered the External Audit Strategy Memorandum for the year ending 31
July 2014. The main areas of risk were identified as fraud, estate valuation and subsidiary
companies. The Committee was content with the overall strategy.
On 24 November 2014 the Committee received the External Audit Highlights Memorandum
and Management Letter relating to 2013-14, which stated that the audit was now
substantially complete and KPMG anticipated issuing an unqualified audit opinion for the
year on the University and subsidiary financial statements, following approval of the financial
statements by the Finance Committee and Council. [TBC]
13.
Other Activities
In March the Committee received a report from the Finance Department on progress made
against recommendations arising from the External Auditors audit highlights memorandum.
It was noted that good progress was being made in a number of areas. In particular, work is
ongoing to improve processes around the use of the online equipment register. The
Committee expressed its willingness to support the Universitys efforts in this area.
The Committee has a responsibility to monitor the effectiveness of Internal Audit. Together
with management, it has agreed with PwC a number of Key Performance Indicators for the
internal auditors work, and it reviews these regularly. Process indicators, for example for
meeting set timescales for delivery of reports, have generally been met during the year. The
Finance Department has canvassed departments involved in audits, by way of questionnaire,
throughout the session. Response rates have been good and feedback mostly positive.
The Committee has continued to review the Universitys Corporate Risk Register at regular
intervals. Three of the audit reports performed in this academic year required testing of risk
management issues but none of the reports received a high risk classification or included any
high risk findings.
Throughout the year the Committee has received regular briefings and updates on the
development and implications of the new HEFCE Memorandum of Assurance and
Accountability.
14.
The Committee is required to offer its opinion on the adequacy and effectiveness of the
Universitys systems for risk management, control and governance, on value for money and
on the management and quality assurance of data submitted to HESA and HEFCE on the basis
of all the information that has been placed before it, including management responses to
audit reports. On this basis the Committee has considered what opinions it is able to offer
Council. We are satisfied that the internal audit work carried out by PwC meets the required
standards and provides an appropriate basis for the Committees own assurances to Council.
Risk Management, control and governance: The Universitys internal audit strategy
continues to be based on risk assessment, drawing on the Universitys risk register. The
Committee notes the opinion of the internal auditor, PwC, that, based on the work PwC has
completed, except for the areas described in paragraph 8 above, the University has adequate
and effective arrangements in place to support the achievement of managements objectives
over:
Risk management, control and governance; and
Value for money processes.
The Audit Committee and Council continue to receive and consider regular reports on major
corporate risks.
The Committee is of the opinion that reliance can be placed on internal control systems
(subject to the matters described in section 2 of PwCs annual report, attached); on the
Universitys governance arrangements; and on its systems for the management of risk.
Value for Money: The Audit Committee exercises a monitoring role in relation to value for
money, to ensure the University maintains satisfactory arrangements. The Internal Auditors
take account of value for money issues as part of their routine system-based auditing, with
any relevant issues being examined and reported. Internal audit reports now explicitly
address, and report on, VfM. In the 2012-13 session one audit specifically targeted VfM in the
area of procurement, while other reviews were designed to include VfM themes within the
audit objectives, such as departmental health checks and a review of the Process
Improvement Unit.
The Universitys Financial Operating Strategy identifies the adoption of a VfM Strategy as a
financial objective for the University, and in 2010-11 the University adopted a Value for Money
Strategy. This strategy contains 11 key actions to achieve VfM objectives, including
communication and training of staff involved in policy and procurement decisions at all levels,
best practice management of estates and facilities, adopting a robust approach to capital
project appraisal, enforcing budgetary control procedures and developing a culture of
continuous improvement. In [October 2014 the Committee received an annual report on VfM
activities during 2013-14, which was circulated to members of Council for information. The
Committee welcomed the report as a positive piece of work which would facilitate
continuous improvements in delivering value for money in all areas of the University.] This
report forms a separate component of the Universitys annual assurance return to HEFCE.
The Committee continues to receive annual reports on procurement, which this year
included an update on progress made towards achieving the objectives set in the
Procurement Strategy and a summary of planned activity for 2014/15, including continued
engagement with collaborative framework agreements and preparing for changes in working
practices that are likely to arise as a result of regulatory changes during 2015.
The Committee is of the opinion that the Universitys arrangements for VfM are adequate.
Management and quality assurance of data: The Committee is also responsible for
offering its opinion on the management and quality assurance of data submitted to HEFCE,
HESA (the Higher Education Statistics Agency) and other funding bodies by the University.
The Committee has considered this carefully. The Committee notes that TRAC and TRAC
(Teaching) Returns have been prepared in accordance with the principles of the
Transparency Approach to Costing.
During the year, the internal auditors carried out three reviews relating specifically to data
integrity, two regarding the TRAC returns, and one regarding Real Time Information and Auto
Enrolment. These reviews received a low risk classification, with two in respect of the first
two reviews and four in respect of the second.
The Committee benefited in 2008-9 from the mapping exercise undertaken by the then
internal auditor, to log all systems to HEFCEs assurance requirement and to indicate the
high-level controls that should be in place in respect of each of these. The University has
again been asked to provide assurance that during the 2012-13 session these controls were
properly and fully implemented, and it has done so in the form of an annual report to the
Committee from its Data Assurance Group. On the basis of that assurance and other
relevant audit work during the session the Committee is of the opinion that the Universitys
systems for management and quality control of its data returns are adequate.
The Committee has seen and accepts the statements on internal control and governance,
and on public benefit, included in the Financial Statements for 2013-14.
November 2014
www.pwc.co.uk
Internal Audit
Annual Report
2013/2014
(Draft)
University of Sheffield
October 2014
Draft
Contents
1. Executive summary
2. Summary of findings
Appendices
9
10
12
Distribution List
For information:
Audit Committee
This document has been prepared for the intended recipients only. To the extent permitted by
law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or
duty of care for any use of or reliance on this document by anyone, other than (i) the intended
recipient to the extent agreed in the relevant contract for the matter to which this document
relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion
in writing in advance.
PwC Contents
Draft
1. Executive summary
Background
The Financial Memorandum between the Higher Education Funding Council for England (HEFCE) requires
that the Head of Internal Audit provides a written report and annual internal audit opinion to the Audit
Committee. As such, the purpose of this report is to present our view on the adequacy and effectiveness of:
Whilst this report is a key element of the framework designed to inform the Audit Committees Annual Opinion,
there are also a number of other important sources to which the Audit Committee should look to gain
assurance. This report does not override the Audit Committees responsibility for forming their own view on
governance, risk management, control and value for money arrangements.
This report covers the period to the financial year ended 31 July 2014. The specific time period covered by our
work for each individual audit is recorded in Section 3.
Scope
Our findings are based on the results of the internal audit work performed as set out in the Risk Assessment
and Internal Audit Plan approved by the Audit Committee in October 2013 and any subsequent amendments
that were approved at subsequent Audit Committees, specifically:
an additional review of General Ledger CAATs was introduced at the request of management as
part of the CAATs review of Accounts Receivable and Accounts Payable; and
the review of Faculty performance management has been changed to a review of postgraduate
recruitment within the Faculty of Arts.
Our opinion is subject to the inherent limitations of internal audit (covering both the control environment and
the assurance over controls) as set out in Appendix 1.
Internal audit work was performed in accordance with PwC's Internal Audit methodology which is designed to
conform with the requirements of the Financial Memorandum between HEFCE and institutions. As a result,
our work and deliverables are not designed or intended to comply with the International Auditing and
Assurance Standards Board (IAASB), International Framework for Assurance Engagements (IFAE) and
International Standard on Assurance Engagements (ISAE) 3000.
Opinion
Our opinion is based on our assessment of whether the controls in place support the achievement of
management's objectives as set out in the Risk Assessment and Internal Audit Plan and each individual
assignment report.
We have completed the program of internal audit work for the financial year ended 31 July 2014.
Based on the work we have completed, except for the areas described in Section 2, we believe the University has
adequate and effective arrangements in place to support the achievement of managements objectives over:
A summary of the key findings are described in further detail on pages 2 and 3.
Acknowledgement
We would like to take this opportunity to thank Universitys staff, for their co-operation and assistance provided
during the year.
Annual Internal audit report for
University of Sheffield
PwC 1
Draft
2. Summary of findings
A summary of key findings from our programme of internal audit work for the year work is recorded in the table
below:
Description
Detail
Overview
We completed 17 internal audits. This resulted in the
identification of nil critical, nil high, 20 medium and
21 low risk findings to improve weaknesses in the
design of controls and / or operating effectiveness.
Follow up
During the year we have undertaken quarterly follow
up work on previously agreed actions.
PwC
Draft
partially implemented.
At the year-end 22 recommendations remain
outstanding and overdue, of these none are high risk
recommendations.
PwC
Draft
Report
classification
Critical
Final
Low
Student Retention
Final
Low
Final
Low
Final
Low
Final
Low
Data - TRAC(T)
Final
Low
Procurement strategy
Final
Low
Final
Medium
Final
Low
Final
Low
Access Agreements
Final
Low
External partnerships
Final
Medium
Final
Medium
Final
Low
Final
Advisory
Final
Medium
Employability
Final
Low
TBC
TBC
Cyber Security
TBC
TBC
Audit unit
PwC
High
Medium Low
Draft
Total
13
30
To assist the Audit Committee in understanding how our work corresponds to their reporting responsibilities,
we have mapped our work against these areas in Appendix 4.
Trend between
current and
prior year
Number of findings
2013/14
2012/13
2011/12
2010/11
2009/10
Critical
High
Medium
13
20
15
36
41
Low
30
21
21
21
33
Total
43
41
39
61
80
We also reviewed General ledger CAATs as part of the planned CAATs review of Accounts
Payable and Accounts Receivable;
2. The planned review of performance management of Faculties on a cyclical basis was replaced with
a review of postgraduate recruitment within the Faculty of Arts.
This has taken the number of audit days delivered in the year from the planned 251 (including 15 contingency
days) to an actual number of 241.
PwC
Draft
Total
number
assessed
and
validated
Partially
implemented
Not
implemented
No longer
relevant
One
18
15
Two
20
11
Total
38
24
14
2013/14
2012/13
2011/12
2010/11
Implemented
63%
68%
75%
73%
Partially implemented*
37%
26%
13%
16%
Not implemented
0%
0%
5%
6%
No longer relevant
0%
6%
0%
5%
0%
0%
7%
0%
100%
100%
100%
100%
Total
* this is higher than in previous years because in phase 2, we also followed up on 11 partially implemented
recommendations (as assessed by management) to verify the status of these recommendations. In previous
years, we have mainly followed up recommendations assessed as fully implemented by management.
Follow up work was not undertaken on advisory recommendations or on the following reports because these
areas have only been finalised after the beginning of the follow up process;
Access agreements
PwC
Employability
Draft
These reports will be followed up in the first part of the 2014/15 internal audit programme.
Summary
The results of our validation work show that 24 out of 27 recommendations which were assessed as
implemented and validated through follow up in the period have been completed. We tested a further 11
partially implemented recommendations and confirmed the status was appropriate in all cases. In total there
were 11 medium risk recommendations and 11 low risk recommendations outstanding at the year end.
We recommend that further work is conducted by the University to ensure all previously agreed
recommendations which are overdue are implemented at the earliest opportunity.
PwC
Draft
Appendices
PwC
Draft
Opinion
The opinion is based on the work undertaken as part of the agreed Risk Assessment and Internal Audit Plan
which provided for 18 internal audits in 236 days. The work addressed the control objectives agreed for each
individual internal audit assignments as set out in our Risk Assessment and Internal Audit Plan. However,
where other matters have come to our attention which we consider relevant, they have been taken into account
when forming our conclusion.
There might be weaknesses in the system of internal control that we are not aware of because they did not form
part of our programme of work, were excluded from the scope of individual internal audit assignments or were
not brought to our attention. As a consequence management and the Audit Committee should be aware that our
opinion may have differed if our programme of work or scope for individual audits was extended or other
relevant matters were brought to our attention.
Internal control:
Internal control systems, no matter how well designed and operated, are affected by inherent limitations. These
include the possibility of poor judgment in decision-making, human error, control processes being deliberately
circumvented by employees and others, management overriding controls and the occurrence of unforeseeable
circumstances.
Future periods:
Our assessment of controls relating to University of Sheffield is for the year ended 31 July 2014. Historic
evaluation of effectiveness may not be relevant to future periods due to the risk that:
PwC
the design of controls may become inadequate because of changes in operating environment, law,
regulation or other; or
the degree of compliance with policies and procedures may deteriorate.
Draft
Findings rating
Points
Critical
High
Medium
Low
Report classification
Points
Critical risk
High risk
16 39 points
Medium risk
7 15 points
Low risk
6 points or less
High
PwC
10
Medium
Low
PwC
Advisory
Draft
A finding that does not have a risk impact but has been raised to highlight areas of
inefficiencies or good practice.
11
Draft
Governance
Risk
management
Control
Value for
money
Data
Student Retention
Data - TRAC(T)
Procurement strategy
External partnerships
Cyber Security
Key
N/A
PwC
12
Draft
Data submission
It is of particular note that the Audit Committees Annual Report must include an opinion on the adequacy and
effectiveness of arrangements for the management and quality assurance of data submissions to the Higher
Education Statistics Agency, HEFCE and other funding bodies. To assist the Audit Committee prepare its
Annual Report, we have outlined above where our work assessed the arrangements for the management and
quality assurance of data submissions (see the table on this page). We provide no conclusions or opinion on
data quality.
PwC
13
In the event that, pursuant to a request which University of Sheffield has received under the Freedom of Information Act
2000 (as the same may be amended or re-enacted from time to time) or any subordinate legislation made thereunder
(collectively, the Legislation), it is required to disclose any information contained in this terms of reference, it will notify
PwC promptly and consult with PwC prior to disclosing such information. University of Sheffield agrees to pay due regard to
any representations which PwC may make in connection with such disclosure and to apply any relevant exemptions which
may exist under the Act to such information. If, following consultation with PwC, University of Sheffield discloses any such
information, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the
information is reproduced in full in any copies disclosed.
2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP
(a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International
Limited, each member firm of which is a separate legal entity.