the university of sheffield annual report of the audit committee 2014 …/file/15-11-27_07.2.… ·...

24
THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014-15 1. Introduction The Audit Committee is required by the Higher Education Funding Council to report annually to Council on its activities. This Annual Report, for the 2014-15 session, has been prepared in accordance with HEFCE requirements and is presented to Council for consideration and approval. A copy of the Annual Report has then to be sent to the Chief Auditor of HEFCE. 2. Membership Membership of the Committee during the year was as follows: Mr David Bagley 2014- Mr Adrian Belton* 2014- Mr Kevin Cunningham 2013- Mrs Margaret Ferris 2013- Mrs Sarah Harkness* 2009- (chair from August 2011) Mrs Alison Legg* 2012- Mr Richard Mayson* 2012- Professor Christopher Spencer 2011-2015 *denotes members of the University Council during the period. Two new members, Mr Adrian Belton and Mr David Bagley, joined the Committee at the beginning of the year. Since the year end, Professor Shelagh Brumfitt has joined the Committee to replace Professor Christopher Spencer and we would like to thank him for his valuable contribution to our work. There are currently no vacancies. The Deputy Vice-Chancellor, Professor Paul White, the Chief Financial Officer, Mr Bob Rabone, and the Director of Finance, Mrs Helen Dingle, attended meetings of the Committee as observers, as did other members of Professional Service Departments as required. The Committee is grateful for their input. Mr David Swinn has acted as Secretary to the Committee and we would like to thank him for his help. 3. Committee Meetings The Committee met five times during the session. All the Committee’s meetings were attended by representatives of the University’s Internal Auditors, PricewaterhouseCoopers (PwC) and its External Auditors, KPMG. On 24 November 2014 Audit Committee met jointly with Finance Committee, to consider the draft Financial Statements for 2013-14 and KPMG’s Audit Highlight Memorandum and Management Letter. The Audit Committee continues regularly to meet in private, without University staff present. In appropriate cases the external and/or internal auditors attend. 4. Terms of Reference and Procedures There was one change to the Committee’s terms of reference during the year to reflect the specific reference to assuring data returned to the Student Loans Company. The classes of membership were similarly amended to confirm that Council members on the Committee are drawn from amongst the lay membership, which has always been our practice. The Committee continues to work to HEFCE’s guidance, as elaborated in the CUC’s Handbook for Members of Audit Committees in HEIs, and the new CUC Higher Education of Governance. In considering internal audit reports the Committee focuses on the most serious findings. In PwC’s model, these are overall report classifications of critical, high, medium or low risk, 1

Upload: others

Post on 27-Jul-2020

0 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE

2014-15 1. Introduction The Audit Committee is required by the Higher Education Funding Council to report annually to Council on its activities. This Annual Report, for the 2014-15 session, has been prepared in accordance with HEFCE requirements and is presented to Council for consideration and approval. A copy of the Annual Report has then to be sent to the Chief Auditor of HEFCE. 2. Membership Membership of the Committee during the year was as follows: Mr David Bagley 2014- Mr Adrian Belton* 2014- Mr Kevin Cunningham 2013- Mrs Margaret Ferris 2013- Mrs Sarah Harkness* 2009- (chair from August 2011) Mrs Alison Legg* 2012- Mr Richard Mayson* 2012- Professor Christopher Spencer 2011-2015 *denotes members of the University Council during the period. Two new members, Mr Adrian Belton and Mr David Bagley, joined the Committee at the beginning of the year. Since the year end, Professor Shelagh Brumfitt has joined the Committee to replace Professor Christopher Spencer and we would like to thank him for his valuable contribution to our work. There are currently no vacancies. The Deputy Vice-Chancellor, Professor Paul White, the Chief Financial Officer, Mr Bob Rabone, and the Director of Finance, Mrs Helen Dingle, attended meetings of the Committee as observers, as did other members of Professional Service Departments as required. The Committee is grateful for their input. Mr David Swinn has acted as Secretary to the Committee and we would like to thank him for his help. 3. Committee Meetings The Committee met five times during the session. All the Committee’s meetings were attended by representatives of the University’s Internal Auditors, PricewaterhouseCoopers (PwC) and its External Auditors, KPMG. On 24 November 2014 Audit Committee met jointly with Finance Committee, to consider the draft Financial Statements for 2013-14 and KPMG’s Audit Highlight Memorandum and Management Letter. The Audit Committee continues regularly to meet in private, without University staff present. In appropriate cases the external and/or internal auditors attend. 4. Terms of Reference and Procedures There was one change to the Committee’s terms of reference during the year to reflect the specific reference to assuring data returned to the Student Loans Company. The classes of membership were similarly amended to confirm that Council members on the Committee are drawn from amongst the lay membership, which has always been our practice. The Committee continues to work to HEFCE’s guidance, as elaborated in the CUC’s Handbook for Members of Audit Committees in HEIs, and the new CUC Higher Education of Governance. In considering internal audit reports the Committee focuses on the most serious findings. In PwC’s model, these are overall report classifications of critical, high, medium or low risk,

1

Page 2: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

together with individual finding ratings of critical, high, medium, low or advisory, applied as appropriate to impact on operational performance, monetary or financial statement impact, breaches in laws and regulations potentially resulting in material fines or consequences, and impact on institutional reputation or brand. Departmental heads are routinely invited to attend where opinions or findings at critical or high levels are offered in respect of their departments. This allows joint exploration of the issues raised, the management response and the action plan, which will normally have been formulated by the time the audit report reaches the Committee. Recommendations of medium or low priority are taken on a ‘by exception’ basis. The formal process of following-up and reporting outstanding audit recommendations has continued, but in the light of the good progress made, our internal auditors are now reporting to the committee on follow-up work only twice a year. 5. Internal Audit Service The 2014-15 session was the sixth in which the internal audit service was provided by PricewaterhouseCoopers, the first under a new three year contract with the option to renew for two further one year periods which followed the tender process that was concluded in 2013-14. The University’s Head of Internal Audit is Mr Ian Looker, partner in PwC. 6. Audit Strategy 2014-15 The Internal Audit strategy and plan for the session was formulated following discussions between PwC and senior University managers, and subsequently with the Committee. The planned internal audit input for the year was 235 audit days, comprising 18 planned reviews.

In the event 228 days were provided (2013-14: 241) and an additional review was added to the plan at the request of the Committee and University management. 7. Internal Audit Reports 2013-14 Five reports by PwC for the 2013-14 academic year were submitted to the Committee at its meeting in October 2014 and two reports were submitted to its November meeting. These were reports which had not been completed and cleared during the previous session and were considered in the Committee’s previous annual report. 8. Internal Audit Reports 2014-15 16 reports have been completed by PwC under the 2014-15 audit plan, as well as two follow-up reviews and discussion with management about the concept of assurance mapping . Nine were presented during the session and a further eight in respect of the session at the meeting in October and two in November 2015. A full list of reports is set out in the Internal Auditors’ Annual Report. Nine audits received a low risk classification, which is satisfactory and six reports were classified as medium risk. There was one high risk report that contained two high risk findings, compared to none last year, which is disappointing. As last year, there were no Critical findings. It is also disappointing that medium priority findings increased slightly from 20 to 24 and there was an increase in low priority findings from 21 to 36. One report, Identity and Access Management, received a high risk rating comprising two high, five medium and two low risk recommendations. Reports which contained two or more medium risk findings included:

Subsidiary review-Unicus Ltd Wider Subsidiaries Review Research – Shared Equipment Register International – Overseas operations AMRC Apprenticeships Student Services- Social Media; and

2

Page 3: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Identity and Access Management. In each of these reports, satisfactory management action plans have been agreed and are being implemented. PwC’s annual report for 2014-15 (attached) was received by the Committee in final form on 26 November 2015, a draft having been seen in October. Based on the work completed, except for those areas described above, PwC believes that the University has adequate and effective arrangements in place to support the achievement of management’s objectives over:

Risk management, control and governance; and Value for money processes;

9. Follow-Up of Internal Audit Recommendations Significant progress has been made in the last four years on the implementation of Internal Audit recommendations, with the formalisation of a follow-up and reporting process led by Finance, and with testing and verification performed by PwC. By October 2015, the verified assessment is that 100% of recommendations made in 2010/11, 100% made in 2011/12, 65% made in 2012/13 and 52% made in 2013/14 have been fully implemented or closed. 24% of recommendations made during 2014/15 at the point of follow up have already been fully implemented. During the year, the internal auditors verified 63 recommendations in total and in only one instance did their assessment of progress differ from that of management. Of the 74 recommendations not implemented at the latest follow up, 38 were past the original implementation date, but of these, none are high risk recommendations. The Committee is pleased with the progress made this year, but will continue to insist on rigorous follow-up of previous recommendations. We continue to encourage the University to help managers understand that internal audit is a management tool that should be used positively. 10. Audit Strategy 2015-16 The Audit Committee has considered and approved the draft audit strategy for 2015-16 prepared by the Internal Auditors in consultation with University management. The Internal Auditors have proposed, and the Committee has endorsed, the provision of 250 days in 2015-

16 (2014-15:228 provided). 11. Additional Activity by PwC (to be updated)

In October 2014 PwC were instructed to carry out an investigation into the misappropriation of assets within one of the University’s subsidiaries. This lengthy and detailed process has now concluded and the costs incurred amounted to £54,104 plus expenses PWC also carried out an audit of the CNSiG project in connection with NAMRC at a cost of £3,000 12. External Audit KPMG continue to provide the University’s external audit service, having been appointed by competitive tender in July 2002, March 2007 and again in June 2011 for a period of three years commencing on 1 January 2012 with an option to extend the contract for a further two years, subject to satisfactory annual review of performance. The one year extension to the contract that was approved by Council in July 2014 is due to expire on 31 December 2015 and Council approved a further one year extension from 1 January 2016 at its meeting in April 2015 following consideration by the Committee. On 24 November 2014 the Audit and Finance Committees again met jointly to consider the Financial Statements for 2013-14 and the External Auditor’s Audit Highlights Memorandum and Management Letter. Audit Committee then discussed the audit aspects of the

3

Page 4: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Statements, Finance Committee having already signed them off, and agreed to recommend the Statements to Council. Audit Committee also approved the Statement of Corporate Responsibility for inclusion in the University’s Annual Report. The annual external audit fee for 2014-15 is a lump sum fee in accordance with the original contract. It is subject to increases in line with the Retail Price Index and for any additional work carried out that was not included within the contract. In January 2015 the Committee considered a review prepared to evaluate the performance and effectiveness of the University’s external auditors. Questionnaires were completed by members of Audit Committee, Finance Committee and the Finance Department. This concluded that, overall, KPMG were meeting expectations and delivering external audit to a high standard. Written and verbal feedback was provided to KPMG on a number of issues, including discussion about the coordination of the audits of the University and its subsidiaries and the auditors’ approach to the audits themselves. Additional discussion considered the activity that KPMG might usefully undertake in future to complement that of the core audit. In 2014-15 KPMG provided additional services for the University totalling £93,097. These included £56,017 in respect of grant and loan audits, £29,580 relating to tax and related service services and £31,962 relating to other non-audit costs, including transition to FRS102 and investment advice. The Committee considered the External Audit Strategy Memorandum for the year ending 31 July 2015. The main areas of risk were identified as fraud from revenue recognition and management override of controls. The Committee was content with the overall strategy. On 26 November 2015 the Committee received the External Audit Highlights Memorandum and Management Letter relating to 2014-15, which stated that the audit was now substantially complete and KPMG anticipated being able to report in their opinion that the financial statements:

Give a true and fair view of the state of the affairs of the Group and University as at 31 July 2015 and of the Group's income and expenditure, recognised gains and losses and cash flows for the year then ended;

Have been properly prepared in accordance with United Kingdom Generally Accepted Accounting Practice; and

Have been prepared in accordance with the Statement of Recommended Practice: Accounting for Further and Higher Education.

13. Other Activities In March the Committee received a report from the Finance Department on progress made against recommendations arising from the External Auditors’ audit highlights memorandum. It was noted that good progress was being made in a number of areas. In particular, work is ongoing to improve the performance of the subsidiary CTI Ltd. The Committee has a responsibility to monitor the effectiveness of Internal Audit. Together with management, it has agreed with PwC a number of Key Performance Indicators for the internal auditors’ work, and it reviews these regularly. Process indicators, for example for meeting set timescales for delivery of reports, have generally been met during the year The Finance Department has canvassed departments involved in audits, by way of questionnaire, throughout the session. Response rates have been good and feedback mostly positive. The Committee has continued to review the University’s Corporate Risk Register at regular intervals. Seven of the audit reports performed in this academic year required testing of risk management issues, one of which, Identity and Access Management, received a high risk

4

Page 5: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

classification and included two high risk findings which the Committee discussed in detail with management in October 2015. Throughout the year the Committee has received regular briefings and updates on the developments in the sector and their implications, in particular the implications of the CUC Higher Education Code of Governance and the University’s response. 14. Audit Committee Opinions The Committee is required to offer its opinion on the adequacy and effectiveness of the University’s systems for risk management, control and governance, on value for money and on the management and quality assurance of data submitted to HESA, HEFCE and the Student Loans Company on the basis of all the information that has been placed before it, including management responses to audit reports. On this basis the Committee has considered what opinions it is able to offer Council. We are satisfied that the internal audit work carried out by PwC meets the required standards and provides an appropriate basis for the Committee’s own assurances to Council. Risk Management, control and governance: The University’s internal audit strategy continues to be based on risk assessment, drawing on the University’s Corporate Risk Register. The Committee notes the opinion of the internal auditor, PwC, that, based on the work PwC has completed, except for the areas described in paragraph 8 above, the University has adequate and effective arrangements in place to support the achievement of management’s objectives over:

Risk management, control and governance; Value for money processes; and The Audit Committee and Council continue to receive and consider regular reports on major corporate risks. The Committee is of the opinion that reliance can be placed on internal control systems (subject to the matters described in section 2 of PwC’s annual report, attached); on the University’s governance arrangements; and on its systems for the management of risk. Value for Money: The Audit Committee exercises a monitoring role in relation to value for money, to ensure the University maintains satisfactory arrangements. The Internal Auditors take account of value for money issues as part of their routine system-based auditing, with any relevant issues being examined and reported. Internal audit reports explicitly address, and report on, VfM. In the 2014-15 session one audit specifically targeted VfM in the area of philanthropic income, while other reviews were designed to include VfM themes within the audit objectives, such as Faculty financial health checks and a review of the shared research equipment register. The University’s Financial Operating Strategy identifies the adoption of a VfM Strategy as a financial objective for the University, and in 2010-11 the University adopted a Value for Money Strategy. This strategy contains 11 key actions to achieve VfM objectives, including communication and training of staff involved in policy and procurement decisions at all levels, best practice management of estates and facilities, adopting a robust approach to capital project appraisal, enforcing budgetary control procedures and developing a culture of continuous improvement. In October 2015 the Committee received an annual report on VfM activities during 2014-15, which was circulated to members of Council for information. The Committee welcomed the report as a positive piece of work which would facilitate continuous improvements in delivering value for money in all areas of the University, to which the Committee has proposed to contribute directly through the introduction of a VfM award. This report forms a separate component of the University’s annual assurance return to HEFCE.

5

Page 6: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

The Committee continues to receive annual reports on procurement, which this year included an update on progress made towards achieving the objectives set in the Procurement Strategy and a summary of planned activity for 2015/16, including supporting the procurement phase of the Student Systems Project and continuing efforts to identify and maximise opportunities for collaborative procurement activities. The Committee also now receives the University’s annual commercial report, which is reviewed in detail by the Finance Committee. The Committee is of the opinion that the University’s arrangements for VfM are adequate. Management and quality assurance of data: The Committee is also responsible for offering its opinion on the management and quality assurance of data submitted to HEFCE, HESA (the Higher Education Statistics Agency), the Student Loans Company and other funding bodies by the University. The Committee has considered this carefully. The Committee notes that TRAC and TRAC (Teaching) Returns have been prepared in accordance with the principles of the Transparency Approach to Costing and has again received an annual report from the Data Assurance Group, providing high level oversight of the University’s data assurance processes and its response to the changing data landscape. During the year, the internal auditors carried out five reviews relating specifically to data integrity, regarding the HESA staff return, Research Shared Equipment Register, AMRC apprenticeships and UKVI attendance monitoring and an assurance mapping exercise. Three of these reviews received a low risk classification whilst the AMRC apprenticeships and Research Shared Equipment register reviews were classed as medium risk. The Committee has seen and accepts the statements on internal control and governance, and on public benefit, included in the Financial Statements for 2014-15. Serious Incident reporting In October 2014 Audit Committee was informed by officers of the University that a fraud had been perpetrated at one of the University’s subsidiary companies. In line with the University’s Fraud Response Plan, legal advice was taken and an investigation by PwC was immediately instigated. As a result the audit of this subsidiary company’s 2013-14 financial statements was not completed until during the 2014-15 session but did not result in either a material impact on the University’s Group financial statements or a change to KPMG’s original audit opinion. The appropriate authorities, including HEFCE, were informed and the investigation has now concluded. The University is taking steps to recover its losses, in liaison with the relevant authorities and its insurers. Audit Committee expressed deep concern at the circumstances surrounding the incident and an additional internal audit review was added to the 2014-15 audit plan, focusing on subsidiary companies generally. The Committee is pleased with the University’s actions in response to the incident and the agreement by KPMG to make every effort to conclude the audits of subsidiaries in parallel with those of the University group accounts. November 2015

6

Page 7: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Internal Audit

Annual Report 2014/15 Final for November Audit Committee

University of Sheffield

November 2015

7

Page 8: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Contents

1. Executive summary 1

2. Summary of findings 3

3. Internal Audit work conducted 5

4. Follow up work conducted 8

Appendices 9

Appendix 1: Limitations and responsibilities 10 Appendix 2: Opinion types 11 Appendix 3: Basis of our classifications 12 Appendix 4: Mapping of internal audit work 14

Distribution List

For action: Members of University Executive Board and Professional Services Executive

For information Chair and Members of the Audit Committee

This document has been prepared only for University of Sheffield and solely for the purpose and on the terms agreed with University of Sheffield under our engagement letter.

8

Page 9: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Introduction This report outlines the internal audit work we have carried out for the year ended 31 July 2015.

The Memorandum of Assurance and Accountability (“MAA”, HEFCE 2014/12) between the Higher Education Funding Council for England (HEFCE) and institutions requires that the Head of Internal Audit provides a written report and annual internal audit opinion to the Audit Committee. As such, the purpose of this report is to present our view on the adequacy and effectiveness of:

Governance, risk management and control; and

Economy, efficiency and effectiveness (value for money) arrangements.

This is achieved through a risk-based plan of work, agreed with management and approved by the Audit Committee, which should provide a reasonable level of assurance, subject to the inherent limitations described below and set out in Appendix 1. The opinion does not imply that Internal Audit has reviewed all risks relating to the organisation.

The Audit Committee agreed to a level of internal audit input which was fully delivered. Whilst this report is a key element of the framework designed to inform the Statement of Corporate Governance, there are also a number of other important sources to which the Audit Committee should look to gain assurance. This report does not override the Audit Committee’s responsibility for forming their own view on governance, risk management, control and value for money arrangements.

Head of Internal Audit Opinion We are satisfied that sufficient internal audit work has been undertaken to allow an opinion to be given as to the adequacy and effectiveness of governance, risk management and control, and economy, efficiency and effectiveness arrangements (value for money). To assist the Audit Committee in understanding how our work corresponds to their reporting responsibilities, we have mapped our work against these areas in Appendix 4.

In giving this opinion, it should be noted that assurance can never be absolute. The most that the internal audit service can provide is reasonable assurance that there are no major weaknesses in the system of internal control.

Opinion Our opinion is as follows:

Satisfactory Generally satisfactory with some improvements required

Major improvement required

Unsatisfactory

Governance, risk management and control, and value for money arrangements in relation to business critical areas is generally satisfactory. However, there are some areas of weakness and non-compliance in the framework of governance, risk management, control and value for money arrangements which potentially put the achievement of objectives at risk.

Improvements are required in those areas to enhance the adequacy and effectiveness of governance, risk management and control value for money arrangements. Please see our Summary of Findings in Section 2.

An explanation of the types of opinion that may be given can be found in Appendix 2.

1. Executive summary

9

Page 10: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Basis of opinion Our opinion is based on:

All reviews undertaken during the year.

Any follow up action taken in respect of audits from previous periods.

Any significant recommendations not accepted by management and the resulting risks.

The effects of any significant changes in the organisation’s objectives or systems.

Any limitations which may have been placed on the scope or resources of internal audit.

What proportion of the organisation’s audit needs have been covered to date.

Any reliance that is being placed upon third party assurances.

The commentary below provides the context for our opinion and together with the opinion should be read in its entirety.

Commentary The key factors that contributed to our opinion are summarised as follows:

Medium risk rated weaknesses were identified in our individual assignments that are not significant in aggregate to the system of internal control;

High risk rated weaknesses were identified in the Identify and Access Management (“IdAM”) review that are isolated to that process;

Performance of the University in following-up previous internal audit recommendations; and

None of the individual assignment reports have an overall classification of critical risk.

We provide a summary of the key findings which support our opinion in section two of this report, with further detail in sections three and four.

Acknowledgement We would like to take this opportunity to thank University of Sheffield management and staff, for their co-operation and assistance provided during the year.

10

Page 11: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Our annual internal audit report is timed to inform the institution’s Statement of Corporate Governance.

We completed 19 internal audit reviews. This resulted in the identification of one high, six medium and nine low risk findings to improve weaknesses in the design of controls and / or operating effectiveness.

There were also two follow-up reviews and one advisory-natured assignment (assurance mapping) where we did not issue overall risk ratings due to the nature of the work.

A summary of key findings from our programme of internal audit work for the year work is recorded in the table below.

Description Detail

Internal Control Issues for inclusion in the Statement of Corporate Governance

During the course of our work we report any significant weaknesses that we consider should be reported in your Statement of Corporate Governance.

No issues were identified in our view that would require inclusion in your Statement of Corporate Governance.

We do however highlight the higher risk areas from our programme of work below.

Identity and Access Management (“IdAM”)

This report overall received a high risk report rating, with two high risk findings, five medium risk, and two low risk. The two high risk recommendations in summary relate to:

1) IdAM Governance (high risk) - The University does not have a

defined access control strategy or governance function that is aligned with the University’s business objectives. The lack of a council or sub-committee driven governance and strategy has also meant that access control risks have not been considered when on boarding new kinds of users into University systems.

2) Single point of failure (high risk) - CRISP is the system used to perform user account administration for most of its computer-based services and applications. There is only one individual who has the capability to make complex changes to CRISP. The University users’ requirements are constantly changing and CiCS helpdesk staff continually find themselves having to call on this individual to help administer the system, therefore a capacity and single point of failure risk. There is also a lack of documentation showing how the system was built and is maintained or administered.

Other weaknesses

Other weaknesses were identified within the organisation’s governance, risk management and control processes.

A summary of the main medium risk reviews and individually medium risk recommendations has been detailed opposite.

We have raised a total of 24 medium risk recommendations during 2014/15 as outlined in section three of this report. These include the following findings amongst others, as examples of some of the main issues within those recommendations:

UNICUS Ltd – staff performance management (medium risk)

- Staff appraisals should be completed for all staff who have been employed for greater than 12 months. However at the time of the review, appraisal documentation could only be confirmed for two of the 27 members of staff requiring a performance review in 2014.

Research Asset Management - governance and responsibilities (medium risk) – there was no steering group or committee structure in place which oversees the effective use and maintenance of the equipment register by staff. There was also a common finding of some missing information on that asset register.

2. Summary of findings

11

Page 12: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Sheffield International – CITY College financial management (medium risk) – the existing contract needed to be updated to clarify the financial relationship and funding arrangements between the two institutions.

AMRC apprenticeships – maintenance of learner files (medium risk) – we identified various issues with missing learner file evidence and we also recommended a process of periodic exception reporting be implemented.

Corporate social media strategy (medium risk) - The University does not currently have a social media strategy or policy and this area is not covered elsewhere (for example in an approved digital strategy). Such documentation is needed to establish the intended purpose of social media for the University, how it will enable achievement of University objectives, and how social media should be managed across the University.

Follow up

During the year we have undertaken follow up work on previously agreed actions.

We have undertaken two follow-up reviews during the year, reported in February and October 2015.

Our approach has been to assess the extent of progress made by the University with regards the implementation of recommendations which have been assessed as fully or partially implemented by management, intended to validate management’s own self-assessment.

In summary, across the two phases of follow-up work, we tested a sample of 64 recommendations, and in only one instance our assessment of progress differed from that of the University.

This related to “Faculty performance management - Work allocation models” which we have assessed to be partially implemented, but was assessed as fully implemented by management.

A summary of the University’s self-assessment and our validation of that assessment can be found at section four of this report.

Good practice

We also identified a number of areas where few weaknesses were identified and / or areas of good practice.

Clear governance framework with balanced Board and University oversight, and regular budget monitoring of financial performance operationally and at Board level for a number of the subsidiaries and other activities such as the AMRC we looked at.

Research assets are subject to regular checks to ensure that assets are appropriately safeguarded and information retained is up to date.

The identification of low risk findings on our UKVI compliance review, an area where we commonly find higher risk issues at other institutions.

Analysis performed on the time and effort spent by the research and prospecting team as part of the overall Development, Alumni Relations & Events fundraising activities.

A clear internationalisation strategy in place which links explicitly to the overall strategic plan for the University.

We also reported overall low risk report ratings for TUOS Car Parking Ltd, Sports Sheffield (Cash), Data Quality (HESA Staff), and the Faculty review at Social Sciences.

12

Page 13: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Introduction The table below sets out the results of our internal audit work and implications for next year’s plan. We also include a comparison between planned internal audit activity and actual activity.

Results of individual assignments

Review

Report classification

Total number of findings

Number of findings

Critical High Medium Low Advisory

Subsidiary review - UNICUS Limited

Medium 7 - - 2 4 1

Departmental health check s Low 3 - - 1 1 1

Data – Staff HESA Return Low 3 - - - 2 1

Subsidiaries review Medium 8 - - 2 6 -

Research – shared equipment register

Medium 3 - - 3 - -

AMRC – Governance review Low 3 - - 1 1 1

Follow up phase 1 n/a 1 - - - 1 -

Assurance Mapping n/a n/a - - - - -

International: UKVI Compliance Low 2 - - 1 1 -

VfM: Philanthropic income Low 2 - - - 2 -

International – overseas operations

Medium 7 - - 3 4 -

AMRC apprenticeships Medium 5 - - 2 3 -

CICS – identity and access management

High 9 - 2 5 2 -

Faculty review – Social Sciences Low 3 - - - 3 -

EFM – Sports Sheffield Cash Low 1 - - - 1 -

Follow-up (phase 2) n/a - - - - - -

TUOS Car Parking Ltd Low 2 - - 1 1 -

Finance - continuous auditing Low 4 - - - 4 -

Student Services – Social Media Medium 3 - - 3 - -

Total 66 0 2 24 36 4

3. Internal Audit work conducted

13

Page 14: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Direction of control travel

Finding rating

Trend between current and prior year

Number of findings

2014/15 2013/14 2012/13 2011/12 2010/11 2009/10

Critical 0 0 0 0 0 0

High 2 0 0 3 4 6

Medium 24 20 20 15 36 41

Low 36 35 21 21 21 33

Total 62 55 41 39 61 80

0

5

10

15

20

25

30

35

40

45

Critical High Medium Low

Profile of recommendation risk ratings 2009/10 to 2014/15

2009/10 2010/11 2011/12 2012/13 2013/14 2014/15

14

Page 15: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

0.00.1

1.0

1.4

2.6

0.00.1

1.3

1.9

3.3

0.0

0.5

1.0

1.5

2.0

2.5

3.0

3.5

Critical High Medium Low Total

Average profile of recommendations per report

Average

Institution2014/15actual

0.0%

7.0%

23.8%

51.3%

17.9%

0.0%

5.3%

31.6%

47.4%

15.8%

0.0%

10.0%

20.0%

30.0%

40.0%

50.0%

60.0%

Critical High Medium Low No Opinion /advisory

Average profile of assignment report overall classifications

Average

Institution2014/15actual

15

Page 16: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Introduction In order for the organisation to derive maximum benefit from internal audit, agreed actions should be implemented. In accordance with our internal audit plan, we followed up a sample of recommendations made in prior years to ascertain whether action had been taken. The table below summarises the follow up work performed.

Results of follow up work A summary of the results from our two follow-up reviews is outlined below:

Recommendation Status Self-Assessment Audit Status

A – Fully Implemented 49 48

B – Partially implemented 14 15

C – Not implemented - -

D - No longer relevant/ Not accepted 1 1

E – Not validated - -

Total 64 64

Summary In line with our 2014/15 operational audit plan, we have undertaken the two bi-annual reviews to assess the extent of progress made by University staff with regards to the implementation of recommendations which have been previously raised.

The University Financial Accountant has reviewed the responses from staff and information provided and assessed the status of the findings. Following this review, we have tested a sample of 64 recommendations which were due and self-assessed as fully or partially implemented in the period to verify the University’s assessment.

In only one instance our assessment of progress differed from that of the University. This related to “Faculty performance management - Work allocation models” which we have assessed to be partially implemented, but was assessed as fully implemented by management.

4. Follow up work conducted

16

Page 17: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Appendices

17

Page 18: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Limitations inherent to the internal auditor’s work Our work has been performed subject to the limitations outlined below.

Opinion The opinion is based solely on the work undertaken as part of the agreed internal audit plan. There might be weaknesses in the system of internal control that we are not aware of because they did not form part of our programme of work, were excluded from the scope of individual internal audit assignments or were not brought to our attention. As a consequence management and the Audit Committee should be aware that our opinion may have differed if our programme of work or scope for individual reviews was extended or other relevant matters were brought to our attention.

Internal control Internal control systems, no matter how well designed and operated, are affected by inherent limitations. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.

Future periods Our assessment of controls relating to University of Sheffield is for the 2014/15 financial year. Historic evaluation of effectiveness may not be relevant to future periods due to the risk that:

the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or

the degree of compliance with policies and procedures may deteriorate.

The specific time period for each individual internal audit is recorded within section3 of this report.

Responsibilities of management and internal auditors It is management’s responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management’s responsibilities for the design and operation of these systems.

We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected, and our examinations as internal auditors should not be relied upon to disclose all fraud, defalcations or other irregularities which may exist.

Appendix 1: Limitations and responsibilities

18

Page 19: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

The table below sets out the four types of opinion that we use, along with an indication of the types of findings that may determine the opinion given. The Head of Internal Audit will apply his/her judgement when determining the appropriate opinion so the guide given below is indicative rather than definitive.

Type of opinion Indication of when this type of opinion may be given

Satisfactory A limited number of medium risk rated weaknesses may have been identified, but generally only low risk rated weaknesses have been found in individual assignments; and

None of the individual assignment reports have an overall report classification of either high or critical risk.

Generally satisfactory with some improvements required

Medium risk rated weaknesses identified in individual assignments that are not significant in aggregate to the system of internal control; and/or

High risk rated weaknesses identified in individual assignments that are isolated to specific systems or processes; and

None of the individual assignment reports have an overall classification of critical risk.

Major improvement required

Medium risk rated weaknesses identified in individual assignments that are significant in aggregate but discrete parts of the system of internal control remain unaffected; and/or

High risk rated weaknesses identified in individual assignments that are significant in aggregate but discrete parts of the system of internal control remain unaffected; and/or

Critical risk rated weaknesses identified in individual assignments that are not pervasive to the system of internal control; and

A minority of the individual assignment reports may have an overall report classification of either high or critical risk.

Unsatisfactory High risk rated weaknesses identified in individual assignments that in aggregate are pervasive to the system of internal control; and/or

Critical risk rated weaknesses identified in individual assignments that are pervasive to the system of internal control; and/or

More than a minority of the individual assignment reports have an overall report classification of either high or critical risk.

Disclaimer opinion An opinion cannot be issued because insufficient internal audit work has been completed. This may be due to either:

o Restrictions in the audit programme agreed with the Audit Committee, which meant that our planned work would not allow us to gather sufficient evidence to conclude on the adequacy and effectiveness of governance, risk management and control; or

o We were unable to complete enough reviews and gather sufficient information to conclude on the adequacy and effectiveness of arrangements for governance, risk management and control.

Appendix 2: Opinion types

19

Page 20: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Report classifications The report classification is determined by allocating points to each of the findings included in the report

Findings rating Points

Critical 40 points per finding

High 10 points per finding

Medium 3 points per finding

Low 1 point per finding

Report classification Points

Critical risk 40 points and over

High risk 16– 39 points

Medium risk 7– 15 points

Low risk 6 points or less

Appendix 3: Basis of our classifications

20

Page 21: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Individual finding ratings

Finding rating Assessment rationale

Critical A finding that could have a:

Critical impact on operational performance; or

Critical monetary or financial statement impact; or

Critical breach in laws and regulations that could result in material fines or consequences; or

Critical impact on the reputation or brand of the organisation which could threaten its future viability.

High A finding that could have a:

Significant impact on operational performance; or

Significant monetary or financial statement impact; or

Significant breach in laws and regulations resulting in significant fines and consequences; or

Significant impact on the reputation or brand of the organisation.

Medium A finding that could have a:

Moderate impact on operational performance or

Moderate monetary or financial statement impact or

Moderate breach in laws and regulations resulting in fines and consequences or

Moderate impact on the reputation or brand of the organisation

Low A finding that could have a:

Minor impact on the organisation’s operational performance; or

Minor monetary or financial statement impact; or

Minor breach in laws and regulations with limited consequences; or

Minor impact on the reputation of the organisation.

Advisory A finding that does not have a risk impact but has been raised to highlight areas of inefficiencies or good practice.

21

Page 22: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

Appendix 4: Mapping of internal audit work Reporting responsibilities The table below maps our internal audit work against the Audit Committee’s reporting responsibilities.

Audit Unit Governance Risk

management

Control Value for

money

Data

submission

Subsidiary review - UNICUS Limited

4 4

Departmental health checks

4 4

Data – Staff HESA Return

4 4

Subsidiaries review 4 4 4

Research – shared equipment register

4 4 4

AMRC – Governance review

4 4 4

Follow up phase 1 4 4 4 4 4

Assurance Mapping 4 4

International: UKVI Compliance

4 4 4 4

VfM: Philanthropic

income

4 4

International – overseas operations

4 4 4 4

AMRC apprenticeships 4

CICS – identity and access management

4 4

Faculty review – Social Sciences

4 4 4

EFM – Sports Sheffield Cash

4 4

Follow-up (phase 2) 4 4 4 4 4

TUOS Car Parking Ltd 4

Finance - continuous auditing

4 4

Student Services – Social Media

4 4

Data submission It is of particular note that the Audit Committee‟s Annual Report must include an opinion on the adequacy and

effectiveness of arrangements for the management and quality assurance of data submissions to the Higher Education Statistics Agency, HEFCE and other funding bodies. To assist the Audit Committee prepare its Annual Report, we have outlined above where our work assessed the arrangements for the management and quality assurance of data submissions (see the table on this page). We provide no conclusions or opinion on data quality.

22

Page 23: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

23

Page 24: THE UNIVERSITY OF SHEFFIELD ANNUAL REPORT OF THE AUDIT COMMITTEE 2014 …/file/15-11-27_07.2.… · 2014-15 1. Introduction . The Audit Committee is required by the Higher Education

24