Chapter 3 â Policy Implications for Gaelic - University of Edinburgh
Chapter 3 â Policy Implications for Gaelic - University of Edinburgh
Chapter 3 â Policy Implications for Gaelic - University of Edinburgh
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Internal Audit Planning Methodology<br />
b. Where the HEI has a comprehensive risk register, and where these risks clearly link<br />
to business objectives, that register may serve as the audit universe, although the<br />
auditor always retains a pr<strong>of</strong>essional duty to satisfy him or her self that the list is<br />
comprehensive. Many HEIs limit their risk register to their top 10 or 20 significant<br />
risks and as such operational areas such as payments and receivables might never be<br />
audited. In such cases, the auditor may wish to compile their own audit universe.<br />
c. Where the auditor has compiled the list <strong>of</strong> auditable entities, it will need to be<br />
annotated to highlight links with key institutional risks identified by the risk<br />
management process. Annotating the document to show previous and potential<br />
future coverage may also assist the auditor, management and the audit committee to<br />
maintain a long-term view <strong>of</strong> audit coverage within the organisation: although this<br />
will need to stop short <strong>of</strong> evolving into a long-term Audit Plan.<br />
d. In practice, many <strong>of</strong> the areas listed will never be audited as they are not considered<br />
material in the level <strong>of</strong> risk that they pose to the <strong>University</strong> or because assurance can<br />
be drawn from other sources. For example, academic audit, health and safety<br />
processes.<br />
e. Basing the audits around processes or risks will help ensure the audit takes a holistic<br />
view <strong>of</strong> how the institution manages its risks. Departmental audits are most likely<br />
to be useful <strong>for</strong> subsidiaries or other autonomous units that follow their own local<br />
procedures.<br />
f. The institution’s risk management process will be a key driver <strong>for</strong> the proposed<br />
audit programme and will have particular credibility where the risks identified link<br />
demonstrably to key business objectives.<br />
g. The key risks identified by management may include some topics that Internal Audit<br />
can usefully explore in further detail. Equally, there may well be some risks that do<br />
not lend themselves to audit.<br />
h. The draft Audit Plan will probably be a blend <strong>of</strong> assignments drawn from the risk<br />
management process, and assignments that relate to the ongoing periodic review <strong>of</strong><br />
core operating processes and systems – such as student registration/records, payroll,<br />
debtors, creditors and so on. Risks exist at strategic and operational levels, and<br />
Internal Audit has a role to play in <strong>of</strong>fering assurance at both levels. The balance <strong>of</strong><br />
ef<strong>for</strong>t between strategic and operating risk is a matter <strong>for</strong> the internal auditor’s<br />
pr<strong>of</strong>essional judgement, combined with the expectations <strong>of</strong> internal and external<br />
stakeholders.<br />
i. The auditor may consider investing resource into the audit <strong>of</strong> new system projects.<br />
Auditing new applications (and proposed surrounding processes) at the design stage<br />
can help line managers to design-in good control (and avoid the cost <strong>of</strong> over<br />
control). This can save both management and auditors’ time and cost in the long<br />
run, and ensure systems do not have a period when control is poor.<br />
CUC - Handbook <strong>for</strong> Members <strong>of</strong> Audit Committees in Higher Education<br />
Institutions (2008)<br />
14. This handbook provides (non-prescriptive) guidance to help audit committees and stresses<br />
that “practices that work best <strong>for</strong> one organisation may not be ideal <strong>for</strong> another”. It states<br />
that: “Internal auditors should adopt a risk based approach when planning their audit<br />
work” and “if they are confident about risk management and if the risk management<br />
arrangements effectively mitigate a risk, then that risk should not merit additional audit<br />
attention.”<br />
Page 14 <strong>of</strong> 22