1 / 27

Durham University

Durham University. Annual Assurance Plan 2008-09. Date: October 2008. This report is CONFIDENTIAL and its circulation and use are RESTRICTED. Contents. Introduction and Background. Annual Assurance Plan 2008-09

presley
Download Presentation

Durham University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Durham University Annual Assurance Plan 2008-09 Date: October 2008 This report is CONFIDENTIAL and its circulation and use are RESTRICTED

  2. Contents

  3. Introduction and Background • Annual Assurance Plan 2008-09 • This Annual Assurance Plan 2008-09 is designed to achieve the following objectives: • To meet the University’s requirements for audit provision as set out in the HEFCE Audit Code of Practice (Circular 04/27). Also to anticipate further HEFCE requirements set out in the revised Audit Code of Practice (due to be published Autumn 2008). • To provide the University with an independent opinion of unquestionable quality over its arrangements for risk management, control, governance and the achievement of value for money. • To document the University’s Business Assurance Service’s planned internal audit provision for the academic year 2008-09 complying with professional standards as set out and promulgated by the Institute of Internal Auditors. • To set performance standards and protocols to be applied by the University’s Business Assurance Service in the delivery of the annual assurance plan. • To provide the users of the University’s Business Assurance Service, the University’s Audit Committee and University management, with a reference guide to the work of the Business Assurance Service during 2008-09. This document is also intended to make the work of the Service transparent and open to wider review and scrutiny. • This plan should be read in conjunction with the University’s Strategic Assurance Plan 2006-07 to 2009-10. The strategy puts the annual plan in context and explains in more detail the basis for the selection of reviews and their basis. It also sets out in detail the risk based methodology used to establish the plan. • University’s strategy • The University’s purpose, mission and values are expressed in the University’s Strategic Plan 2005-10. The University’s purpose is: • Creating the future through internationally recognised research, scholarship and learning within a distinctive collegiate environment. • This supports the mission: • We will be internationally recognised as a world class research university. We will build the research strength necessary to become world leaders in selected subject areas. We will work to enhance the distinctive student experience we offer to all our students, while diversifying our student body. We will enhance our international profile, while remaining mindful of our important contribution to the North East region. We will achieve this in a sustainable manner which secures our future development. • It is the intention of the Business Assurance Service, through linking its work to the University’s risk register, itself linked to the University’s strategic aims and objectives, to assist the University to achieve its objectives.

  4. Annual Assurance Plan • Structure of assurance plan • This assurance plan is designed to set out the planned assurance work to be undertaken by the University’s Business Assurance Service during 2008-09. Specifically it is designed to: • Explain the underlying basis for the annual assurance plan. • Explain the process and factors used to undertake an annual audit needs assessment. • Set out the key components of the annual assurance plan. • Identify the allocation of resource to the plan over the 2008-09 audit period. • Identify specific reviews planned over the period. • Set out agreed performance indicators for the Business Assurance Service. • Explain the framework of reporting and risk assessment to be used by the Service. • Key outputs of the annual assurance plan • The annual assurance plan is designed, ultimately, to provide sufficient evidence for the Head of Business Assurance to ‘submit to the University’s Accounting Officer (the Vice Chancellor) annually his professional opinion on the adequacy and effectiveness of the University’s risk management, control and governance processes and arrangements for the promotion of economy, efficiency and effectiveness’. HEFCE Circular 19-2008 Model Financial Memorandum between HEFCE and the institutions. This assurance plan is designed to meet both the University’s and the Accounting Officer’s duties in respect of the accountability requirements placed on the University. It is also designed to assist and monitor the University’s progress against its mission and its strategic goals and objectives. • Wider activities of the Business Assurance Service • The University, through opting to have an in-house assurance service, has more scope and ability to use its Business Assurance Service to undertake wider organisational development activity. This activity, whilst notified the University’s Audit Committee, may not result in formal reports or outputs and may take the form of ‘consultancy’ within the terms recognised by HM Treasury. This activity under the definition applied by HM Treasury does, however, contribute to the Head of Service’s annual opinion, outlined above. Compliance Process improvement / VFM Risk management Before During After

  5. Accountability Framework • University’s accountability arrangements • The HE sector, in line with wider public sector developments, is being asked to follow a ‘governance’ model of accountability. Key features of this model are: • Self governance of activities as independent bodies. • A framework of accountability focusing on broad macro policies and objectives with an emphasis on outputs rather than process and inputs. • Increased flexibility over operational and management decisions. • Increased emphasis on self regulation and risk management. • Under this model public bodies operate as independent organisations which are not controlled or managed by government but are allowed to self regulate and manage within an accountability framework. A map of the accountability framework is provided in appendix 1. The University’s accountability arrangements are outlined in: • Royal Charter 1837 and the Universities of Durham and Newcastle upon Tyne Act of 1963 – This sets out the purpose and legal powers of the University as incorporated. • HEFCE Circular Model Financial Memorandum between HEFCE and the institutions 19-2008 – The audit requirements for the University are set out in the code of practice. • TheFinancial Memorandum between the University and HEFCE – This sets out financial constraints on the University through its funding relationship with HEFCE. • HEFCECircular 05-34 How HEFCE Allocates its Funds – This outlines the detailed funding rules and methodology for the sector’s council grant funding. • GIAS (Government Internal Audit Standards) – This sets the standards and requirements for internal audit. • The role of Business Assurance (Internal Audit) • Government Internal Audit Standards (GIAS October 2001) define internal audit as a service which: • ‘provides an independent and objective opinion to the Accounting Officer on risk management, control and governance, by measuring and evaluating their effectiveness in achieving the organisation’s agreed objectives. In addition, internal audit’s findings and recommendations are beneficial to line management in the audited areas. Risk management, control and governance comprise the policies, procedures and operations established to ensure achievement of objectives and, the appropriate assessment of risk, the reliability of internal and external reporting and accountability processes, compliance with applicable laws and regulations, and compliance with the behavioural and ethical standards set for the organisation’. • Traditional internal audit has largely been defined in terms of control, the review of controls and a focus on compliance. This traditional role has developed. As an example the Treasury has recognised the consulting role of internal audit services in The GIAS Good Practice Guide: The Consultancy Role of Internal Audit (March 2003) where the guide states: • ‘[Internal Audit] provides an independent and objective opinion to the Accounting Officer on risk management, control and governance, by measuring and evaluating their effectiveness in achieving the organisation’s objectives. Internal Audit also provides an independent and objective consultancy service specifically to help line management improve the organisation’s risk management, control and governance’.

  6. Annual Audit Needs Assessment Methodology Link between the strategic and annual assurance plan Government Internal Audit Standards (GIAS) require that the work of the Business Assurance Service is planned at each level of operation. Our strategic assurance plan is based on a risk assessment (see the Strategic Assurance Plan 2006-07 to 2009-10) and we use this to develop an annual assurance plan which details the assignments we plan to perform in any given year. The annual plan is for the period 1 August 2008 to 31 July 2009. Given the breadth and complexity of the systems operated by the University coupled with the need to limit valuable resources on non-core activity, it is unlikely that any annual operational assurance plan will manage to cover all systems for managing risk in sufficient depth – this is certainly the case here. Consequently, we have developed our annual assurance plan in the ongoing and developing context of a four year strategy which demonstrates how we propose to provide audit coverage of all of the areas identified in the assurance strategy. This is year three of the Service’s four year strategy. Components of the strategic assurance plan The annual and strategic assurance plan is made up of the following elements: The annual plan is shown in appendices 3 and 4. The components of the plan are outlined in more detail in the subsequent section of this plan.

  7. Components of the Assurance Plan • Business Assurance and risk management in 2008-09 • The Business Assurance Service have provided an independent review of the risk management system in each year of the plan. Another review is planned for this year. In addition we will continue to chart and document progress against benchmark standards, in this case The Institute of Internal Auditors UK and Ireland - An approach to implementing Risk Based Internal Audit - Assessing the Organisations risk maturity. • 2008-09 is the first year in which the BAS has a formal remit to facilitate the University’s risk management system. This was agreed at a January 2008 meeting of UEC and the February 2008 meeting of the Audit Committee. • Other ongoing activity provided for in the plan will include: • Providing strategic and operational risk management facilitation. • Working with project groups to develop a risk assessment and ongoing control and management. • Working with the University’s Strategic Planning and Change Unit to continue to embed risk management into planning processes. • We will also undertake a formal risk management system review that addresses strategic risks not covered by a specific review during 2008-09. This is to meet our aim to review and provide assurance, over the period of the strategic assurance plan, covering the key risks identified by the University and our risk assessment. This approach is outlined in ‘Production of the annual plan’ in the BAS Strategic Assurance Plan 2006-10. • BusinessAssurance and corporate governance in 2008-09 • Having provided a formal review in 2005-06 over the strategic corporate governance system we have followed up this work over the last two years with work covering elements of the University’s governance system. For 2008-09 the governance work programme will focus on the efficacy of the revised committee structures. We also plan to review, in close consultation with the Chair of Council, the interface between governance and management of the University, the link between Council and UEC in particular. A general controls review of governance processes, minutes, reporting, terms of reference will also be undertaken to refresh our 2005-06 work. • Business Assurance and control systems in 2008-09 • The Service will continue both strategic and compliance level work over the University’s control systems. We will seek to comment on the application, design and appropriateness of controls systems and processes that manage the strategic and operational risks to the University. We provide specific risk based reviews for those risks identified in the strategic risk register, see ‘components of the assurance plan – risk management’. Operational control processes may be audited on a system by system basis. However we will, wherever possible, address operational systems by ‘business process’ that is end to end processing. Specific distinct control areas included here are; IT processes and systems, core financial processes and systems, fraud control systems and processes. • BusinessAssurance and value for money in 2008-09 • Havingprovided a follow up to our value for money (VFM) review in 2006-07 we undertook specific work by contributing to the student enrolment project and by reviewing staff accommodation. In 2008-09 we will continue our specific VFM reviews, including marketing spend and the use of outside consultants. Our work at all levels will have VFM awareness built into it and continue to provide an external driver for the achievement of VFM. We will report these through each review undertaken.

  8. Annual Assurance Plan Delivery Contents of the plan The annual assurance plan is set out in appendix 3. Each review is mapped to the University’s 2008-09 risk register as approved by UEC (May 2007). The high level University risk map as articulated by this register is shown at appendix 2. Business Assurance key performance indicators (KPIs) The Business Assurance Service is just that, a service, to the University. As such the Service should demonstrate good corporate and management governance and be accountable for the public resources expended on it. To this end a balanced scorecard has been developed, which is intended to align the mission and work of the Service to that of the University, whilst remaining an independent function. This focuses performance measures on those which add strategic value to the University and are aligned to the various internal and external stakeholders of the Service. The balanced scorecard and supporting metrics are shown in appendix 6. Business Assurance Reporting Our reporting structure is set out in detail the Business Assurance Briefing Note: University Assurance Arrangements (April 2008). In summary, reports received an overall conclusion about the process as designed and operated to mitigate controls. This is shown here: Reports also receive a risk grading on a four point scale which reflects the net risk faced by the University over the process: Our report format with explanations and narrative is shown in appendix 7.

  9. Appendix 1 – HE Sector Accountability Framework Financial Memorandum HEFCE Audit Service Annual Report Annual Report Management Letter Opinion on the Financial Statements

  10. Appendix 2 – University’s Strategic Risk Register (May 2007) R2 R3 R1 R5a R5c R1 R4 Likelihood of occurrence Likelihood of occurrence R5a R5c R3 R5b R4 R5b R2

  11. Appendix 3 – Annual Assurance Plan 2008-09 Process Owners

  12. Appendix 3 – Annual Assurance Plan 2008-09 Process Owners

  13. Appendix 3 – Annual Assurance Plan 2008-09 Process Owners

  14. Appendix 4 – Annual Assurance Plan 2008-09 Timing * ARG = Anthony R Garnett DC = David Claybrook RW = Rebekah Wilson

  15. Appendix 4 – Annual Assurance Plan 2008-09 Timing * ARG = Anthony R Garnett DC = David Claybrook RW = Rebekah Wilson

  16. Appendix 4 – Annual Assurance Plan 2008-09 Timing * ARG = Anthony R Garnett DC = David Claybrook RW = Rebekah Wilson

  17. Appendix 5 – Strategic Assurance Plan 2006-2010 = Changes to the original 2006-2010 strategic plan

  18. Appendix 5 – Strategic Assurance Plan 2006-2010 = Changes to the original 2006-2010 strategic plan

  19. Appendix 5 – Strategic Assurance Plan 2006-2010 = Changes to the original 2006-2010 strategic plan

  20. Appendix 5 – Strategic Assurance Plan 2006-2010 = Changes to the original 2006-2010 strategic plan

  21. Appendix 5 – Strategic Assurance Plan 2006-2010 = Changes to the original 2006-2010 strategic plan

  22. Appendix 5 – Strategic Assurance Plan 2006-2010 = Changes to the original 2006-2010 strategic plan

  23. Appendix 6 – 2008-09 Reporting and Delivery Protocol * UEC sponsor = This is the UEC member with overall accountability for the process under review. Where processes cover a number of UEC members, a ‘lead sponsor’ will be identified. It is the role of the UEC sponsor to collate and approve the University Response to be included in the final report. ** Process owner = This is the operational manager (typically a head of department) with operational accountability for the process under review. Where processes cover a number of heads of departments each process owner will respond to recommendations within their operational accountability. Each process owner will liaise with the relevant UEC sponsor to collate the University Response to be included in the final report.

  24. The revised protocol timings Step 8 – Receipt of UEC sponsor responses (University) Step 6 – Issue of draft report to process owner (BAS) Step 2 – Scope finalised (BAS / University) Step 4 – Delivery of fieldwork for period agreed in scope (BAS) 1 1 2 weeks 2 weeks week 3 weeks 5 weeks week Weeks 0 3 4 1 2 0 3 4 5 6 7 8 9 10 1 2 Step 5 - Finalisation of fieldwork (BAS) Step 7 – Receipt of process owner responses for factual accuracy (University) and distribution of draft report to UEC sponsor Step 9 –Issue of final report (BAS) Step 3 – Commencement of fieldwork (BAS) Step 1 - Scope and terms of reference issued (BAS) Appendix 6 – 2008-09 Reporting and Delivery Protocol

  25. Appendix 7 – Business Assurance Balanced Scorecard

  26. Appendix 7 – Business Assurance Balanced Scorecard Metrics

  27. Appendix 7 – Business Assurance Balanced Scorecard Metrics

More Related