Chapter 3 â Policy Implications for Gaelic - University of Edinburgh
Chapter 3 â Policy Implications for Gaelic - University of Edinburgh
Chapter 3 â Policy Implications for Gaelic - University of Edinburgh
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Internal Audit Planning Methodology<br />
strategy that can be undertaken by Internal Audit. The IIA Position Statement on Risk<br />
Based Internal Auditing (2003) states that “Internal Audit needs to adopt a risk based<br />
approach compatible with that adopted by their organisation.”<br />
Implication <strong>for</strong> the Internal Audit Plan <strong>of</strong> the <strong>University</strong> <strong>of</strong> <strong>Edinburgh</strong><br />
9. Our view <strong>of</strong> the <strong>University</strong>’s risk maturity is that the <strong>University</strong> can be classified as risk<br />
defined as described in the IIA guidance (see Annex A). This was our assessment when<br />
we first applied the IIA guidance in 2005-06 and we continue to hold this view following<br />
subsequent re-assessments.<br />
10. An organisation classified as being risk defined is not in a position to support a fully risk<br />
based approach to Internal Auditing. Internal Audit is not able to provide its assurance<br />
strategy solely based on the risk management processes, management <strong>of</strong> key risks and<br />
reporting <strong>of</strong> risks; although it may be able to identify risk management policies or pockets<br />
<strong>of</strong> risk management excellence and plan to provide assurance on these elements.<br />
Additionally, Internal Audit should plan to provide assurance that control processes are<br />
working according to the objectives or standards that have previously been set.<br />
11. There<strong>for</strong>e, the Internal Audit Plan consists <strong>of</strong> a blend <strong>of</strong> assignments drawn from the risk<br />
management process and our ongoing cycle <strong>of</strong> location-based audits.<br />
HEFCE – A Guide to Risk-Based Internal Audit in Higher Education (2004)<br />
12. HEFCE commissioned guidance to assist institutions in applying the IIA Standards in a<br />
higher education environment. It is not intended to be prescriptive but to outline a generic<br />
application <strong>of</strong> a risk-based audit methodology. The term risk-based applies both to the<br />
development and maintenance <strong>of</strong> the overall audit plan, and to the approach <strong>for</strong> individual<br />
audit assignments.<br />
13. The guidance provides a number <strong>of</strong> useful insights into developing the audit planning<br />
process. Some relevant excerpts are listed below:<br />
a. Audit Plans need to be dynamic to reflect the fast-changing nature <strong>of</strong> most<br />
organisations. It is best to think in terms <strong>of</strong> planning no more than one year ahead.<br />
Even with this short horizon, it will be necessary to review the plan to consider the<br />
inclusion <strong>of</strong> emerging business issues and to drop audits that have reduced in<br />
priority. Changing levels <strong>of</strong> priority may be driven by:<br />
<br />
<br />
<br />
The HEI’s risk management process<br />
The outcomes <strong>of</strong> other audits completed during the period<br />
General discussions between the auditors, management and the audit committee.<br />
Page 13 <strong>of</strong> 22