Audit code of practice policy

1. Introduction

1.1 This Code was developed in line with good practice previously advised by the Higher Education Funding Council for England through its Audit Code of Practice. It governs both internal and external audit at the University.

1.2 The Code sets out the measures the University has in place to provide assurance on good governance, internal controls, the management of risk and achieving value for money (VFM).

2. Appointment of auditors

2.1 The Board of Governors is responsible for the appointment and removal of external and internal auditors.

2.2 The University has chosen to appoint an audit firm to provide its internal audit service.

2.3 The appointments are made by the Board of Governors following the recommendation of the Audit and Risk Committee.

3. The Audit and Risk Committee

3.1 The Board of Governors has an Audit and Risk Committee which follows best practice in higher education corporate governance. The Audit and Risk Committee is responsible for assuring the Board of Governors about the adequacy and effectiveness of:

• risk management, control and governance
• VFM
• the management and quality assurance of data.

3.2 The Audit and Risk Committee follows the Committee of University Chairs published detailed guidance about audit committees (‘Handbook for members of audit committees in higher education institutions’, HEFCE 2008/0621). It also takes into account other best governance practice guidance published from time to time.

3.3 The Audit and Risk Committee can undertake whatever work it considers necessary to fulfil its role. This should include assuring itself about the effectiveness of its internal and external auditors. It will only be able to provide the necessary assurances if it is supported by suitably resourced internal audit and external audit functions, operating to recognised professional standards. It also considers evidence-based assurances from management.

3.4 Members of the Audit and Risk Committee must not have executive authority. It must have a minimum of three independent governors.

3.5 Audit and Risk Committee members should not be members of the Finance Committee. This is to ensure that there are no conflicts of interest when the Audit and Risk Committee is considering issues involving the Finance Committee.

3.6 The Audit and Risk Committee report to the Board of Governors after each meeting.

4. Audit and Risk Committee annual report

4.1 The Committee produces an annual report for the Board of Governors and the Vice Chancellor as Accountable Officer. The report must cover the financial year and include any significant issues up to the date of signing the report and its consideration of the financial statements for the year. The report must be presented to and reviewed by the Board of Governors before the audited financial statements are signed.

4.2 The report must include the Committee’s opinion on the adequacy and effectiveness of the University’s arrangements for:

• risk management, control and governance
• economy, efficiency and effectiveness (VFM)
• management and quality assurance of data submitted to the Higher Education Statistics Agency, the Student Loans Company, the OfS, Research England and other bodies.

4.3 The final annual report to the governing body and the accountable officer must be shared with the Office for Students each year, and, on request, with Research England.

5. Internal audit arrangements

5.1 Internal audit is a vital element in University’s corporate governance since it provides the Board of Governors, the Audit and Risk Committee and the Vice Chancellor as accountable officer with independent assurance about the adequacy and effectiveness of risk management, control and governance, and VFM.

5.2 The University must have a suitably resourced internal audit function which must comply with the professional standards of the Chartered Institute of Internal Auditors. Internal audit terms of reference must make clear that its scope encompasses all the University’s activities, the whole of its risk management, control and governance, and any aspect of VFM delivery.

5.3 The internal audit service must produce an annual report which must relate to the financial year and include any significant issues, up to the date of preparing the report, which affect the opinions. It must be addressed to the Board of Governors and the Accountable Officer and must be considered by the Audit and Risk Committee.

5.4 The report must include the internal auditor’s opinions on the adequacy and effectiveness of the University’s arrangements for:

• risk management, control and governance
• economy, efficiency and effectiveness (VFM).

5.5 The report must be shared with the OfS each year, and, on request, with Research England.

5.6 The head of internal audit must have direct access to the University’s Accountable Officer, the Chair of the Audit and Risk Committee and, if necessary, the Chair of the Board.

5.7 As the internal audit is provided from an outside source, market testing must be undertaken at least every five years.

6. External audit arrangements in HEIs

6.1 External audit must provide an opinion to the Board of Governors on whether funds (including public funds) have been applied for the intended purposes and on whether the financial statements provide a true and fair view of the financial results for the year.

6.2 External audit must also form a view about whether the University is a going concern.

6.3 External auditors must issue a report to the Audit and Risk Committee and the Board of Governors which records accounting issues and control deficiencies arising from the audit. Any issues around the use of charitable assets for non-charitable purposes must be highlighted in the report. The Vice Chancellor’s Executive must provide written responses to any recommendations made or issues raised. The report, including management response, are one of the annual accountability returns which must be submitted to the OfS.

6.4 The report, with management responses, must be made available to the Audit and Risk Committee in time to inform the Committee’s annual report.

6.5 The external auditors must report whether in all material respects:

• a. The financial statements give a true and fair view of the state of the University’s affairs, and of its income and expenditure, gains and losses, changes in reserves and cash flows for the year. They should take into account relevant statutory and other mandatory disclosure and accounting requirements, and OfS and Research England requirements.
• b. The financial statements have been properly prepared in accordance with the financial reporting standards (FRS102) and the ‘Statement of recommended practice: Accounting for further and higher education’, and relevant legislation.
• c. Funds from whatever source administered by the University for specific purposes have been properly applied to those purposes and managed in accordance with relevant legislation.
• d. Funds provided by the OfS and Research England have been applied in accordance with these terms and conditions and any other terms and conditions attached to them.
• e. The requirements of the OfS’s accounts direction have been met.

6.6 Auditors should have regard to the specific requirements of the OfS Terms and Conditions for Funding, such as compliance with those relating to increases in financial commitments thresholds, or other issues of non-compliance, in their management letters or reports.

6.7 Market testing should be undertaken at least every seven years.

6.8 One named individual partner in the firm is normally responsible for the HEI’s audit; they should not hold this position for more than 10 consecutive years.

7. Provision of audit services

7.1 Internal and external audit services must not be provided by the same firm or provider.

8. Provision of non-audit services

8.1 Where appropriate, the University may employ the internal or external auditors to undertake additional work. Any such work must not impair the independence and objectivity of the auditors. Consideration must also be given to the nature of the non-audit services; whether the skills and experience of the audit firm make it the most suitable supplier of the non-audit service; and the fees incurred.

8.2 The Chair of the Audit and Risk Committee must approve the provision of non-audit services by the auditors.

8.3 The University will disclose separately, by way of a note to the financial statements, the fees paid to their external auditors for other services.

9. Auditors’ access to information

9.1 Internal and external auditors must have unrestricted access to information, including all records, assets, personnel and premises and are authorised to obtain whatever information and explanations the head of internal audit service or the external auditor considers necessary.

10. Restriction on auditors’ liability

10.1 The internal audit provider may ask the University to agree to a restriction in the internal auditors’ liability arising from any default by the auditors. Normally such liability should be without limit. However, the University may negotiate a restriction in liability so long as the decision is made on an informed basis and the liability remains at such a level as to provide reasonable recourse for the University. The Board of Governors, through the Audit and Risk Committee, must be specifically notified of any request for a liability restriction.

10.2 The University must not agree to any restriction in external auditors’ liability in respect of the external audit of their annual financial statements. For other types of work performed by the external auditors, the provider may ask the University to agree to a restriction in the auditors’ liability arising from any default by the auditors. However, as with internal audit services, the University may negotiate a restriction in liability if the decision is made on an informed basis and the liability remains at such a level as to provide reasonable recourse to the University. The Board of Governors, through the Audit and Risk Committee, should be notified of any liability restriction agreed.

11. Appointment, removal or resignation of internal and external auditors

11.1 The Board of Governors is responsible for the appointment and removal of external and internal auditors. Where auditors cease to hold office for any reason, they should provide the Board with either a statement of any circumstances connected with their removal which they consider should be brought to the Board’s attention, or a statement that there are no such circumstances. Any such statements will also be sent to the OfS by the Accountable Officer.

12. Contact with OfS and Research England

12.1 The OfS and Research England may wish to communicate with the University’s external or internal auditors and should have unrestricted access to do so. This will normally be arranged through the University’s Accountable Officer. The OfS and Research England will exchange letters where necessary with both parties to deal with confidentiality and the terms under which access is given.