THE UNIVERSITY OF SHEFFIELD

ANNUAL REPORT OF THE AUDIT COMMITTEE

2013-14
1.
Introduction
The Audit Committee is required by the Higher Education Funding Council to report annually
to Council on its activities. This Annual Report, for the 2013-14 session, has been prepared in
accordance with HEFCE requirements and is presented to Council for consideration and
approval. A copy of the Annual Report has then to be sent to the Chief Auditor of HEFCE.
2.
Membership
Membership of the Committee during the year was as follows:
Mr Kevin Cunningham 2013Mrs Margaret Ferris 2013Mrs Sarah Harkness* 2009- (chair from August 2011)
Mrs Alison Legg* 2012Mr Richard Mayson* 2012Professor Christopher Spencer 2011Mr Geoffrey Stevens 2011-2014
*denotes members of the University Council during the period.

Two new members, Mrs Margaret Ferris and Mr Kevin Cunningham, joined the Committee at
the beginning of the year: Mr Geoff Stevens resigned in July 2014 following his appointment
to the University Finance Committee, and we thank him for his service. Since the year end,
Mr Adrian Belton, a member of Council, and Mr David Bagley have joined the Committee.
There are currently no vacancies.
The Registrar and Secretary, Dr Philip Harvey, the Chief Financial Officer, Mr Bob Rabone,
and the Director of Finance, Mrs Helen Dingle, attended meetings of the Committee as
observers, as did other members of Professional Service Departments as required. The
Committee is grateful for their input. Mr David Swinn has acted as Secretary to the
Committee and we would like to thank him for his help.
3.
Committee Meetings
The Committee met five times during the session. All the Committees meetings were
attended by representatives of the Universitys Internal Auditors, PricewaterhouseCoopers
(PwC) and its External Auditors, KPMG.
On 25 November 2013 Audit Committee met jointly with Finance Committee, to consider the
draft Financial Statements for 2012-13 and KPMGs Audit Highlight Memorandum and
Management Letter.
The Audit Committee continues regularly to meet in private, without University staff present.
In appropriate cases the external and/or internal auditors attend.
4.
Terms of Reference and Procedures
There were no changes to the Committees terms of reference during the year. The
Committee continues to work to HEFCEs guidance, as elaborated in the CUCs Handbook for
Members of Audit Committees in HEIs.
In considering internal audit reports the Committee focuses on the most serious findings. In
PwCs model, these are overall report classifications of critical, high, medium or low risk,
together with individual finding ratings of critical, high, medium, low or advisory, applied as
appropriate to impact on operational performance, monetary or financial statement impact,
1

breaches in laws and regulations potentially resulting in material fines or consequences, and
impact on institutional reputation or brand. Departmental heads are routinely invited to
attend where opinions or findings at critical or high levels are offered in respect of their
departments. This allows joint exploration of the issues raised, the management response
and the action plan, which will normally have been formulated by the time the audit report
reaches the Committee. Recommendations of medium or low priority are taken on a by
exception basis.
The formal process of following-up and reporting outstanding audit recommendations has
continued, but in the light of the good progress made, our internal auditors are now
reporting to the committee on follow-up work only twice a year.
5.
Internal Audit Service
The 2013-14 session was the fifth in which the internal audit service was provided by
PricewaterhouseCoopers. The Universitys head of Internal Audit is Mr Ian Looker, partner in
PwC. During the year, the contract for internal audit services was put out to tender and a
Tender Evaluation Group was formed to oversee the process, which group included the
Chair of the Audit Committee and two other committee members, as well as officers of the
University. After review by the Tender Evaluation Group, including a clarification session,
Audit Committee made a recommendation to Council that PwC be reappointed on the basis
of a further three year contract with the option to extend by a further two one year periods
subject to satisfactory performance. This re-appointment was confirmed by Council in July
2014.
6.
Audit Strategy 2013-14
The Internal Audit strategy and plan for the session was formulated following discussions
between PwC and senior University managers, and subsequently with the Committee. The
planned internal audit input for the year was 251 audit days, comprising 19 planned reviews.
In the event 241 days were provided (2012-13: 228) [and 17 reviews had been completed by
the end of October 2014 with the remaining two reviews reported to Audit Committee on 24
November].
7.
Internal Audit Reports 2012-13
Three reports by PwC for the 2012-13 academic year were submitted to the Committee at its
meeting in October 2013 and one report was submitted to its November meeting. These
were reports which had not been completed and cleared during the previous session and
were considered in the Committees previous annual report. One report, on Local IT Services,
was however not submitted to the Committee until its meeting in January 2014. This audit
reviewed IT services and staff that are provided locally and exist in addition to central
provision from CICS. It resulted in an overall high risk rating comprising two high and two
medium level recommendations, and one low and one advisory level recommendation. The
Committee considered the report very carefully, noting that the issues identified were ones
previously known to CICS, and approving the agreed action plan. The Committee requested
regular updates on progress against this plan.
8.
Internal Audit Reports 2013-14
19 reports have been completed by PwC under the 2013-14 audit plan. Thirteen were
presented during the session and a further six in respect of the session at the meetings in
October and November 2014. A full list of reports is set out in the Internal Auditors Annual
Report.

[12] audits received a low risk classification, which is satisfactory. [Four] reports were
classified as medium risk and one report received an advisory rating. There were no high risk
reports, compared to one last year, which is a satisfactory improvement. Like last year, there

were no Critical or High Priority findings and the medium priority findings reduced from 20
to 13, although there was an increase in low priority findings from 21 to 30. [TBC]
Reports which contained a number of medium risk findings included Annual Subsidiary
Healthcheck, External Partnerships, VfM and Health and Safety. In each of these reports,
satisfactory management action plans have been agreed and are being implemented.
PwCs annual report for 2013-14 (attached) was received by the Committee in final form on
24 November 2014, a draft having been seen in October. Based on the work completed,
except for those areas described above, PwC believes that the University has adequate and
effective arrangements in place to support the achievement of managements objectives over:
Risk management, control and governance; and
Value for money processes.
9.
Follow-Up of Internal Audit Recommendations
Significant progress has been made in the last four years on the implementation of Internal
Audit recommendations, with the formalisation of a follow-up and reporting process led by
Finance, with testing and verification performed by PwC. By October 2014, management
assessment is that 100% of recommendations made between 2003/04 and 2009/10 have
been implemented or closed, and 71% of recommendations made between 2010/11 and 201314. During the year, the internal auditors followed up 38 recommendations in total and
agreed with management that 24 recommendations were fully implemented and 14 were
partially implemented. Of the 61 recommendations not implemented at the year-end, 22
were past the original implementation date. The Committee is pleased with the progress
made this year, but will continue to insist on rigorous follow-up of previous
recommendations. We continue to encourage the University to help managers understand
that internal audit is a management tool that should be used positively.

10.
Audit Strategy 2014-15
The Audit Committee has considered and approved the draft audit strategy for 2014-15
prepared by the Internal Auditors in consultation with University management. The Internal
Auditors have proposed, and the Committee has endorsed, the provision of 235 days in 201415 (2012-13:241).
11.

Additional Activity by PwC

PwC provided consultancy services in connection with the Northern Health Science Alliance
(NHSA) and N8 Life Sciences Strategy project at a cost of 13,074. This was a collaboration
between the University of Sheffield and other members of the NHSA and N8, and the
procurement of these services was not carried out by the University. PwC also provided
advice in connection with IP Group share valuation at a cost of 3,765.60, which was below
the threshold for obtaining competitive quotes.
12.

External Audit

KPMG continue to provide the Universitys external audit service, having been appointed by
competitive tender in July 2002, March 2007 and again in June 2011 for a period of three
years commencing on 1 January 2012 with an option to extend the contract for a further two
years, subject to satisfactory annual review of performance. This contract is due to expire on
31 December 2014. The Committee recommended to Council that the contract should be
extended by one further year and this was approved by Council at its meeting in April 2014.
On 25 November 2013 the Audit and Finance Committees again met jointly to consider the
Financial Statements for 2012-13 and the External Auditors Audit Highlights Memorandum

and Management Letter. Audit Committee then discussed the audit aspects of the
Statements, Finance Committee having already signed them off, and agreed to recommend
the Statements to Council. Audit Committee also approved the Statement of Corporate
Responsibility for inclusion in the Universitys Annual Report.
The annual external audit fee for 2013-14 is a lump sum fee in accordance with the original
contract. It is subject to increases in line with the Retail Price Index and for any additional
work carried out that was not included within the contract.
In January 2014 the Committee considered a review prepared to evaluate the performance
and effectiveness of the Universitys external auditors. Questionnaires were completed by
members of Audit Committee, Finance Committee and the Finance Department. This
concluded that, overall, KPMG were meeting expectations and delivering external audit to a
high standard. Written feedback was provided to KPMG on a number of issues, including
discussion of critical accounting policies with relevant staff and committees, and how the
differences between the actual and forecast financial results were addressed.
In 2013-14 KPMG provided additional services for the University totalling 125,968. These
included 49,491 in respect of grant and loan audits, 36,000 relating to a review and tender
for investment services, 12,600 for advice and training on the transition to FRS102 and
18,582 relating to IT service delivery.
The Committee considered the External Audit Strategy Memorandum for the year ending 31
July 2014. The main areas of risk were identified as fraud, estate valuation and subsidiary
companies. The Committee was content with the overall strategy.
On 24 November 2014 the Committee received the External Audit Highlights Memorandum
and Management Letter relating to 2013-14, which stated that the audit was now
substantially complete and KPMG anticipated issuing an unqualified audit opinion for the
year on the University and subsidiary financial statements, following approval of the financial
statements by the Finance Committee and Council. [TBC]

13.
Other Activities
In March the Committee received a report from the Finance Department on progress made
against recommendations arising from the External Auditors audit highlights memorandum.
It was noted that good progress was being made in a number of areas. In particular, work is
ongoing to improve processes around the use of the online equipment register. The
Committee expressed its willingness to support the Universitys efforts in this area.
The Committee has a responsibility to monitor the effectiveness of Internal Audit. Together
with management, it has agreed with PwC a number of Key Performance Indicators for the
internal auditors work, and it reviews these regularly. Process indicators, for example for
meeting set timescales for delivery of reports, have generally been met during the year. The
Finance Department has canvassed departments involved in audits, by way of questionnaire,
throughout the session. Response rates have been good and feedback mostly positive.
The Committee has continued to review the Universitys Corporate Risk Register at regular
intervals. Three of the audit reports performed in this academic year required testing of risk
management issues but none of the reports received a high risk classification or included any
high risk findings.
Throughout the year the Committee has received regular briefings and updates on the
development and implications of the new HEFCE Memorandum of Assurance and
Accountability.

14.

Audit Committee Opinions

The Committee is required to offer its opinion on the adequacy and effectiveness of the
Universitys systems for risk management, control and governance, on value for money and
on the management and quality assurance of data submitted to HESA and HEFCE on the basis
of all the information that has been placed before it, including management responses to
audit reports. On this basis the Committee has considered what opinions it is able to offer
Council. We are satisfied that the internal audit work carried out by PwC meets the required
standards and provides an appropriate basis for the Committees own assurances to Council.
Risk Management, control and governance: The Universitys internal audit strategy
continues to be based on risk assessment, drawing on the Universitys risk register. The
Committee notes the opinion of the internal auditor, PwC, that, based on the work PwC has
completed, except for the areas described in paragraph 8 above, the University has adequate
and effective arrangements in place to support the achievement of managements objectives
over:
Risk management, control and governance; and
Value for money processes.
The Audit Committee and Council continue to receive and consider regular reports on major
corporate risks.
The Committee is of the opinion that reliance can be placed on internal control systems
(subject to the matters described in section 2 of PwCs annual report, attached); on the
Universitys governance arrangements; and on its systems for the management of risk.
Value for Money: The Audit Committee exercises a monitoring role in relation to value for
money, to ensure the University maintains satisfactory arrangements. The Internal Auditors
take account of value for money issues as part of their routine system-based auditing, with
any relevant issues being examined and reported. Internal audit reports now explicitly
address, and report on, VfM. In the 2012-13 session one audit specifically targeted VfM in the
area of procurement, while other reviews were designed to include VfM themes within the
audit objectives, such as departmental health checks and a review of the Process
Improvement Unit.
The Universitys Financial Operating Strategy identifies the adoption of a VfM Strategy as a
financial objective for the University, and in 2010-11 the University adopted a Value for Money
Strategy. This strategy contains 11 key actions to achieve VfM objectives, including
communication and training of staff involved in policy and procurement decisions at all levels,
best practice management of estates and facilities, adopting a robust approach to capital
project appraisal, enforcing budgetary control procedures and developing a culture of
continuous improvement. In [October 2014 the Committee received an annual report on VfM
activities during 2013-14, which was circulated to members of Council for information. The
Committee welcomed the report as a positive piece of work which would facilitate
continuous improvements in delivering value for money in all areas of the University.] This
report forms a separate component of the Universitys annual assurance return to HEFCE.
The Committee continues to receive annual reports on procurement, which this year
included an update on progress made towards achieving the objectives set in the
Procurement Strategy and a summary of planned activity for 2014/15, including continued
engagement with collaborative framework agreements and preparing for changes in working
practices that are likely to arise as a result of regulatory changes during 2015.
The Committee is of the opinion that the Universitys arrangements for VfM are adequate.

Management and quality assurance of data: The Committee is also responsible for
offering its opinion on the management and quality assurance of data submitted to HEFCE,
HESA (the Higher Education Statistics Agency) and other funding bodies by the University.
The Committee has considered this carefully. The Committee notes that TRAC and TRAC
(Teaching) Returns have been prepared in accordance with the principles of the
Transparency Approach to Costing.
During the year, the internal auditors carried out three reviews relating specifically to data
integrity, two regarding the TRAC returns, and one regarding Real Time Information and Auto
Enrolment. These reviews received a low risk classification, with two in respect of the first
two reviews and four in respect of the second.
The Committee benefited in 2008-9 from the mapping exercise undertaken by the then
internal auditor, to log all systems to HEFCEs assurance requirement and to indicate the
high-level controls that should be in place in respect of each of these. The University has
again been asked to provide assurance that during the 2012-13 session these controls were
properly and fully implemented, and it has done so in the form of an annual report to the
Committee from its Data Assurance Group. On the basis of that assurance and other
relevant audit work during the session the Committee is of the opinion that the Universitys
systems for management and quality control of its data returns are adequate.
The Committee has seen and accepts the statements on internal control and governance,
and on public benefit, included in the Financial Statements for 2013-14.
November 2014

www.pwc.co.uk

Internal Audit
Annual Report
2013/2014
(Draft)
University of Sheffield
October 2014

Annual Report 2013/2014

Draft

Contents
1. Executive summary

2. Summary of findings

3. Internal Audit work conducted

4. Follow up work conducted

Appendices

Appendix 1: Limitations and responsibilities

Appendix 2: Basis of our opinion and classifications
Appendix 3: Mapping of internal audit work

9
10
12

Distribution List
For information:

Audit Committee

This document has been prepared for the intended recipients only. To the extent permitted by
law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or
duty of care for any use of or reliance on this document by anyone, other than (i) the intended
recipient to the extent agreed in the relevant contract for the matter to which this document
relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion
in writing in advance.

PwC Contents

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

1. Executive summary
Background
The Financial Memorandum between the Higher Education Funding Council for England (HEFCE) requires
that the Head of Internal Audit provides a written report and annual internal audit opinion to the Audit
Committee. As such, the purpose of this report is to present our view on the adequacy and effectiveness of:

Risk management, control and governance; and

Economy, efficiency and effectiveness (value for money) arrangements.

Whilst this report is a key element of the framework designed to inform the Audit Committees Annual Opinion,
there are also a number of other important sources to which the Audit Committee should look to gain
assurance. This report does not override the Audit Committees responsibility for forming their own view on
governance, risk management, control and value for money arrangements.
This report covers the period to the financial year ended 31 July 2014. The specific time period covered by our
work for each individual audit is recorded in Section 3.

Scope
Our findings are based on the results of the internal audit work performed as set out in the Risk Assessment
and Internal Audit Plan approved by the Audit Committee in October 2013 and any subsequent amendments
that were approved at subsequent Audit Committees, specifically:

an additional review of General Ledger CAATs was introduced at the request of management as
part of the CAATs review of Accounts Receivable and Accounts Payable; and
the review of Faculty performance management has been changed to a review of postgraduate
recruitment within the Faculty of Arts.

Our opinion is subject to the inherent limitations of internal audit (covering both the control environment and
the assurance over controls) as set out in Appendix 1.
Internal audit work was performed in accordance with PwC's Internal Audit methodology which is designed to
conform with the requirements of the Financial Memorandum between HEFCE and institutions. As a result,
our work and deliverables are not designed or intended to comply with the International Auditing and
Assurance Standards Board (IAASB), International Framework for Assurance Engagements (IFAE) and
International Standard on Assurance Engagements (ISAE) 3000.

Opinion
Our opinion is based on our assessment of whether the controls in place support the achievement of
management's objectives as set out in the Risk Assessment and Internal Audit Plan and each individual
assignment report.
We have completed the program of internal audit work for the financial year ended 31 July 2014.
Based on the work we have completed, except for the areas described in Section 2, we believe the University has
adequate and effective arrangements in place to support the achievement of managements objectives over:

Risk management, control and governance; and

Value for money processes.

A summary of the key findings are described in further detail on pages 2 and 3.

Acknowledgement
We would like to take this opportunity to thank Universitys staff, for their co-operation and assistance provided
during the year.
Annual Internal audit report for
University of Sheffield

PwC 1

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

2. Summary of findings
A summary of key findings from our programme of internal audit work for the year work is recorded in the table
below:

Description

Detail

Overview
We completed 17 internal audits. This resulted in the
identification of nil critical, nil high, 20 medium and
21 low risk findings to improve weaknesses in the
design of controls and / or operating effectiveness.

No high risk recommendations or reports have been

raised in the 2013/14 audit programme.

Note two reports are still yet to be completed so the

above number of risk findings will change.
Internal Control Issues
During the course of our work we have not identified
any high risk reports and therefore we propose that
there are no matters for inclusion in the Annual
Governance Statement.
Other weaknesses
We have identified an additional 41 medium and low
risk control weaknesses within the organisations
governance, risk management, control and value for
money processes.

Follow up
During the year we have undertaken quarterly follow
up work on previously agreed actions.

PwC

No high risk recommendations or reports have been

raised in the 2013/14 audit programme.

We raised 13 medium risk rated findings in relation to:

Procurement Strategy Measurement of

performance and KPIs;

Annual health-check (Intend Limited)

Implementation
of
2010/11
recommendations, purchasing controls;

Accounts Payable CAATs purchasing orders

with outstanding GR/IR;

Access agreements - Monitoring of targets and

milestones;

External Partnerships Management of risks

and developing a project plan;

Value for Money (PIU) Development of

actions plans and documenting Value for
Money improvements;

Accounts Receivable CAATs Customer data

maintenance

Health and Safety Quality review of training

courses and system for maintaining training
records;

Employability Sharing best practice across

departments.

We have followed up a total of 38 recommendations in

the year (27 implemented and 11 partially
implemented recommendations) and performed
verification work on the assessment given by
management. We have agreed that 24
recommendations were implemented and 14 were

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

partially implemented.
At the year-end 22 recommendations remain
outstanding and overdue, of these none are high risk
recommendations.

PwC

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

3. Internal Audit work conducted

Introduction
The table below sets out the results of our internal audit work and implications for next years plan.

Results of individual assignments

Number of findings
Report
status

Report
classification

Critical

UUK Housing code

Final

Low

Student Retention

Final

Low

Departmental health check s

Final

Low

Data TRAC Return

Final

Low

Data RTI/Auto enrolment

Final

Low

Data - TRAC(T)

Final

Low

Procurement strategy

Final

Low

Annual health check - Intend

Final

Medium

Accounts Payable CAATs

Final

Low

General Ledger CAATs

Final

Low

Access Agreements

Final

Low

External partnerships

Final

Medium

Value for Money Lean Unit

Final

Medium

Accounts Receivable CAATs

Final

Low

Fraud Risk workshop

Final

Advisory

Health and Safety

Final

Medium

Employability

Final

Low

Faculty of Arts PGR

TBC

TBC

Cyber Security

TBC

TBC

Audit unit

PwC

High

Medium Low

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

Total

13

30

To assist the Audit Committee in understanding how our work corresponds to their reporting responsibilities,
we have mapped our work against these areas in Appendix 4.

Direction of control travel

Finding
rating

Trend between
current and
prior year

Number of findings
2013/14

2012/13

2011/12

2010/11

2009/10

Critical

High

Medium

13

20

15

36

41

Low

30

21

21

21

33

Total

43

41

39

61

80

Comparison of planned and actual activity

We have performed all of our planned audits in line with our original Strategic and Operational Plan agreed at
Audit Committee on in October 2013, with the following amendments as approved at subsequent Audit
Committee meetings:
1.

We also reviewed General ledger CAATs as part of the planned CAATs review of Accounts
Payable and Accounts Receivable;

2. The planned review of performance management of Faculties on a cyclical basis was replaced with
a review of postgraduate recruitment within the Faculty of Arts.
This has taken the number of audit days delivered in the year from the planned 251 (including 15 contingency
days) to an actual number of 241.

PwC

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

4. Follow up work conducted

Within the Strategic and Operational Plan for 2013/14, 10 days were assigned for bi-annual following up of
recommendations raised during previous periods in order to assess whether agreed actions had been
implemented by management. Recommendations that were classified as high, medium and low and due for
implementation were assessed by management and followed up by substantive testing. The table below
summarises the follow up work performed.

Results of follow up work

Phase

Total
number
assessed
and
validated

Status of agreed actions

Implemented

Partially
implemented

Not
implemented

No longer
relevant

One

18

15

Two

20

11

Total

38

24

14

Direction of travel from validation work

Status of recommendations
Finding status

2013/14

2012/13

2011/12

2010/11

Implemented

63%

68%

75%

73%

Partially implemented*

37%

26%

13%

16%

Not implemented

0%

0%

5%

6%

No longer relevant

0%

6%

0%

5%

Not validated on review

0%

0%

7%

0%

100%

100%

100%

100%

Total

* this is higher than in previous years because in phase 2, we also followed up on 11 partially implemented
recommendations (as assessed by management) to verify the status of these recommendations. In previous
years, we have mainly followed up recommendations assessed as fully implemented by management.
Follow up work was not undertaken on advisory recommendations or on the following reports because these
areas have only been finalised after the beginning of the follow up process;

Accounts Payable CAATs

Access agreements

Value for Money Lean Unit

PwC

Internal Audit Annual Report 2012/13 for University of Sheffield

Accounts Receivable CAATs

Employability

Health and Safety

Draft

These reports will be followed up in the first part of the 2014/15 internal audit programme.

Summary
The results of our validation work show that 24 out of 27 recommendations which were assessed as
implemented and validated through follow up in the period have been completed. We tested a further 11
partially implemented recommendations and confirmed the status was appropriate in all cases. In total there
were 11 medium risk recommendations and 11 low risk recommendations outstanding at the year end.
We recommend that further work is conducted by the University to ensure all previously agreed
recommendations which are overdue are implemented at the earliest opportunity.

PwC

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

Appendices

PwC

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

Appendix 1: Limitations and

responsibilities
Limitations inherent to the internal auditors work
We have prepared the Internal Audit Annual Report and undertaken the agreed programme of work as agreed
with management and the Audit Committee, subject to the limitations outlined below.

Responsibilities of management and internal auditors

It is managements responsibility to develop and maintain sound arrangements and systems for risk
management, internal control and governance. Additionally, management is responsible for putting in place
proper arrangements to secure economy, efficiency and effectiveness in its use of resources, to ensure proper
stewardship and governance. Management is responsible for review regularly the adequacy and effectiveness of
these arrangements.
Management is responsible for the prevention and detection of irregularities and fraud. Internal audit work
should not be seen as a substitute for managements responsibility for the design and operation of these
controls.
We endeavour to plan our work so that we have a reasonable expectation of detecting significant control
weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent
fraud or other irregularities. However, internal audit procedures alone, even when carried out with due
professional care, do not guarantee that fraud will be detected, and our examinations as internal auditors
should not be relied upon to disclose all fraud, defalcations or other irregularities which may exist.

Opinion
The opinion is based on the work undertaken as part of the agreed Risk Assessment and Internal Audit Plan
which provided for 18 internal audits in 236 days. The work addressed the control objectives agreed for each
individual internal audit assignments as set out in our Risk Assessment and Internal Audit Plan. However,
where other matters have come to our attention which we consider relevant, they have been taken into account
when forming our conclusion.
There might be weaknesses in the system of internal control that we are not aware of because they did not form
part of our programme of work, were excluded from the scope of individual internal audit assignments or were
not brought to our attention. As a consequence management and the Audit Committee should be aware that our
opinion may have differed if our programme of work or scope for individual audits was extended or other
relevant matters were brought to our attention.

Internal control:
Internal control systems, no matter how well designed and operated, are affected by inherent limitations. These
include the possibility of poor judgment in decision-making, human error, control processes being deliberately
circumvented by employees and others, management overriding controls and the occurrence of unforeseeable
circumstances.

Future periods:
Our assessment of controls relating to University of Sheffield is for the year ended 31 July 2014. Historic
evaluation of effectiveness may not be relevant to future periods due to the risk that:

PwC

the design of controls may become inadequate because of changes in operating environment, law,
regulation or other; or
the degree of compliance with policies and procedures may deteriorate.

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

Appendix 2: Basis of our opinion

and classifications
Assignment Report classifications
Assignment report classifications are determined by allocating points to each of the findings included in the
report:

Findings rating

Points

Critical

40 points per finding

High

10 points per finding

Medium

3 points per finding

Low

1 point per finding

Report classification

Points

Critical risk

40 points and over

High risk

16 39 points

Medium risk

7 15 points

Low risk

6 points or less

Individual finding ratings

Finding rating Assessment rationale
Critical

A finding that could have a:

High

A finding that could have a:

PwC

Critical impact on operational performance; or

Critical monetary or financial statement; or
Critical breach in laws and regulations that could result in material fines or
consequences; or
Critical impact on the reputation or brand of the organisation which could
threaten its future viability.

Significant impact on operational performance; or

Significant monetary or financial statement impact; or
Significant breach in laws and regulations resulting in significant fines and
consequences; or
Significant impact on the reputation or brand of the organisation.

10

Internal Audit Annual Report 2012/13 for University of Sheffield

Medium

A finding that could have a:

Low

PwC

Moderate impact on operational performance; or

Moderate monetary or financial statement impact; or
Moderate breach in laws and regulations resulting in fines and consequences; or
Moderate impact on the reputation or brand of the organisation.

A finding that could have a:

Advisory

Draft

Minor impact on the organisations operational performance; or

Minor monetary or financial statement impact; or
Minor breach in laws and regulations with limited consequences; or
Minor impact on the reputation of the organisation.

A finding that does not have a risk impact but has been raised to highlight areas of
inefficiencies or good practice.

11

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

Appendix 3: Mapping of internal

audit work
Reporting responsibilities
The table below maps our internal audit work against the Audit Committees reporting responsibilities.
Audit Unit

Governance

Risk
management

Control

Value for
money

Data

UUK Housing code

Student Retention

Departmental health check s

Data TRAC Return

Data RTI/Auto enrolment

Data - TRAC(T)
Procurement strategy

Annual health check - Intend

Accounts Payable CAATs

General Ledger CAATs

Access Agreements

External partnerships

Value for Money Lean Unit

Accounts Receivable CAATs

Fraud Risk workshop

Health and Safety

Employability

Faculty of Arts PGR

Cyber Security

Key

N/A

PwC

Testing focused on this area

Testing was peripheral
Not tested

12

Internal Audit Annual Report 2012/13 for University of Sheffield

Draft

Data submission
It is of particular note that the Audit Committees Annual Report must include an opinion on the adequacy and
effectiveness of arrangements for the management and quality assurance of data submissions to the Higher
Education Statistics Agency, HEFCE and other funding bodies. To assist the Audit Committee prepare its
Annual Report, we have outlined above where our work assessed the arrangements for the management and
quality assurance of data submissions (see the table on this page). We provide no conclusions or opinion on
data quality.

PwC

13

In the event that, pursuant to a request which University of Sheffield has received under the Freedom of Information Act
2000 (as the same may be amended or re-enacted from time to time) or any subordinate legislation made thereunder
(collectively, the Legislation), it is required to disclose any information contained in this terms of reference, it will notify
PwC promptly and consult with PwC prior to disclosing such information. University of Sheffield agrees to pay due regard to
any representations which PwC may make in connection with such disclosure and to apply any relevant exemptions which
may exist under the Act to such information. If, following consultation with PwC, University of Sheffield discloses any such
information, it shall ensure that any disclaimer which PwC has included or may subsequently wish to include in the
information is reproduced in full in any copies disclosed.
2014 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP
(a limited liability partnership in the United Kingdom), which is a member firm of PricewaterhouseCoopers International
Limited, each member firm of which is a separate legal entity.