Development of annual audit plan

A risk based audit plan is developed by the Internal Audit Unit on an annual basis. Areas for review are identified from the following sources:

  • Risk registers (including consolidated) of Colleges and Professional Support Units.
  • Issues, incidents and near misses in the year.
  • Requests and input from UMT, Heads of Unit, external auditors or other sources.
  • Requests from Údarás, Audit and Risk Committee (ARC), Risk Management Group and other committees.
  • Year end governance processes supporting the Annual Governance Statement such as internal control questionnaires and risk returns.
  • Issues impacting other Universities and the education sector.
  • Requests from HEA and/or Department.
  • Best practice requirements.

The finalised audit plan details the audits to be completed during the year and this is submitted for approval to the ARC. Priorities can change during the year with additional audits selected or identified audits postponed with any changes subject to approval from the ARC.

Audit Planning Process

A terms of reference (ToR) is prepared in advance of each audit which outlines the overview, scope, objectives and timeframe of the audit. The ToR can also outline a requirements list for the audit as well as specific areas for testing. In preparing the ToR, the auditor will consider the relevant risk register(s), regulations and best practice standards, any known issues, and published policies and procedures.

The ToR is issued to the Head of the Unit(s) under review with a planning meeting established to discuss the scope of the audit, identify key audit contacts as well as agree audit start dates. Once agreed, an audit work programme is created by the audit team that outlines the scope items, related risks and the testing to be completed.

Fieldwork

During the fieldwork phase, the audit programme is completed. The completion of tasks can occur through process walkthroughs, meetings with specific staff members to discuss matters and through the testing of records for accuracy. Testing can involve the review of items on a sample basis if the population size is large. Sample testing is the random selection of transactions/reports from a specific range (e.g., a sample of 25 invoices and goods received notes for the period June to December 20XX). Sample amounts can also be selected at the discretion of the auditor.

If possible, it would be the intention of the audit team to complete the audit on site with the area under review. During the course of the fieldwork, a log of outstanding queries and potential issues will be maintained and brought to a close out meeting. The close out meeting occurs at the end of fieldwork and these outstanding queries and potential issues are discussed with the head of the unit(s) or area under review. The primary outcome of the meeting is to agree the accuracy of the potential findings in advance of drafting the report.

Reporting

The audit work programme is finalised and any issues or findings identified are considered for inclusion in the audit report. The findings are then assigned a rating based on the following ranking:

| Priority Ranking | Description |
|---|---|
| High | Critical risk management processes or internal control weaknesses have not been addressed. There is a potential for resource implications, damage to the University’s reputation or loss of information. This may have implications for the achievement of operational or business objectives and for the effective implementation of strategic processes. Recommendations with this prioritisation should be taken into consideration by management immediately and action plans undertaken as agreed with management. |
| Medium | There is a need to strengthen internal control or risk management processes. The recommendation should be actioned within 6 to 12 months, or by the start of the new financial year or cycle if appropriate. |
| Low | Internal control and risk management processes should be strengthened, but there is little risk of a material impact. The recommendation should be actioned when practicable. |
| Recommendation | No material weakness identified but a possibility where the internal control and risk management processes could be strengthened, the implementation of which is at the discretion of the area. |

Both the number of findings raised and the rating assigned to each influence the overall opinion included in the report.

The Internal Audit function will issue an opinion in its reports within the following assurance levels:

Assurance Level  Description
Reasonable Assurance

Audit results indicate that reasonable assurance can be placed on the sufficiency and operation of internal controls to mitigate and/or manage those inherent risks to which the activity under review is exposed.

The absence (or disclosure of only a limited number) of high or medium priority observations means that normal ongoing management supervision, together with the resolution of any findings raised in the audit report, should ensure that control risk remains low.

Limited Assurance

Audit results indicate that limited assurance can be placed on the sufficiency and operation of internal controls to mitigate and/or manage one or more of those key inherent risks to which the activity under review is exposed.

The disclosure of high and medium priority observations is indicative of increased levels of control risk.  Management action is required to address these observations together with increased managerial supervision and ongoing oversight to ensure control risk is reduced.

No Assurance

Audit results indicate that assurance cannot be placed on the sufficiency and operation of internal controls to mitigate and/or manage one or more of those key inherent risks to which the activity under review is exposed.

The disclosure of high and medium priority observations is indicative of heightened control risk.  Substantial management action is required to address these observations together with increased managerial supervision and closer ongoing oversight to ensure control risk is reduced.

The audit report is drafted and includes the following:

  • Overview of the scope and objective of the audit.
  • An executive summary including summary of findings.
  • Overall opinion.
  • Detailed findings which outline the theme of the issue, finding itself, risk attached, recommendation, management action (and target closure date) and ranking.

The draft report is issued to UMT / Heads of Unit / senior management in the area for review of content for factual accuracy and provision of management action. Once the report has been agreed, inclusive of management actions, it is submitted to the ARC for review and approval. Once approved, the report is deemed final.

Follow up

All medium and high ranking findings are tracked centrally by the Internal Audit Unit (IAU) in its recommendations register. This database is used to track open issues and an update is sought from action owners on a quarterly basis on open issues. A report on open findings will be presented by the DIARM at the audit committee on a regular basis. This report will include key metrics and information for the audit committee.

When a finding is due to be closed and the area advises that the actions are implemented, the IAU will gain evidence of the action being implemented before formally closing off the finding.

If actions are overdue for a considerable period of time, this is escalated to the ARC and UMT.