Durham University. Annual Assurance Plan 2008-09. Date: October 2008. This report is CONFIDENTIAL and its circulation and use are RESTRICTED. Contents. Introduction and Background. Annual Assurance Plan 2008-09
Annual Assurance Plan 2008-09
Date: October 2008
This report is CONFIDENTIAL and its circulation and use are RESTRICTED
Process improvement / VFM
Link between the strategic and annual assurance plan
Government Internal Audit Standards (GIAS) require that the work of the Business Assurance Service is planned at each level of operation. Our strategic assurance plan is based on a risk assessment (see the Strategic Assurance Plan 2006-07 to 2009-10) and we use this to develop an annual assurance plan which details the assignments we plan to perform in any given year.
The annual plan is for the period 1 August 2008 to 31 July 2009. Given the breadth and complexity of the systems operated by the University coupled with the need to limit valuable resources on non-core activity, it is unlikely that any annual operational assurance plan will manage to cover all systems for managing risk in sufficient depth – this is certainly the case here. Consequently, we have developed our annual assurance plan in the ongoing and developing context of a four year strategy which demonstrates how we propose to provide audit coverage of all of the areas identified in the assurance strategy. This is year three of the Service’s four year strategy.
Components of the strategic assurance plan
The annual and strategic assurance plan is made up of the following elements:
The annual plan is shown in appendices 3 and 4. The components of the plan are outlined in more detail in the subsequent section of this plan.
Contents of the plan
The annual assurance plan is set out in appendix 3. Each review is mapped to the University’s 2008-09 risk register as approved by UEC (May 2007). The high level University risk map as articulated by this register is shown at appendix 2.
Business Assurance key performance indicators (KPIs)
The Business Assurance Service is just that, a service, to the University. As such the Service should demonstrate good corporate and management governance and be accountable for the public resources expended on it.
To this end a balanced scorecard has been developed, which is intended to align the mission and work of the Service to that of the University, whilst remaining an independent function. This focuses performance measures on those which add strategic value to the University and are aligned to the various internal and external stakeholders of the Service.
The balanced scorecard and supporting metrics are shown in appendix 6.
Business Assurance Reporting
Our reporting structure is set out in detail the Business Assurance Briefing Note: University Assurance Arrangements (April 2008). In summary, reports received an overall conclusion about the process as designed and operated to mitigate controls. This is shown here:
Reports also receive a risk grading on a four point scale which reflects the net risk faced by the University over the process:
Our report format with explanations and narrative is shown in appendix 7.
HEFCE Audit Service
Opinion on the Financial Statements
Likelihood of occurrence
Likelihood of occurrence
* UEC sponsor = This is the UEC member with overall accountability for the process under review. Where processes cover a number of UEC members, a ‘lead sponsor’ will be identified. It is the role of the UEC sponsor to collate and approve the University Response to be included in the final report.
** Process owner = This is the operational manager (typically a head of department) with operational accountability for the process under review. Where processes cover a number of heads of departments each process owner will respond to recommendations within their operational accountability. Each process owner will liaise with the relevant UEC sponsor to collate the University Response to be included in the final report.
Step 8 – Receipt of UEC sponsor responses (University)
Step 6 – Issue of draft report to process owner (BAS)
Step 2 – Scope finalised (BAS / University)
Step 4 – Delivery of fieldwork for period agreed in scope (BAS)
Step 5 - Finalisation of fieldwork (BAS)
Step 7 – Receipt of process owner responses for factual accuracy (University) and distribution of draft report to UEC sponsor
Step 9 –Issue of final report (BAS)
Step 3 – Commencement of fieldwork (BAS)
Step 1 - Scope and terms of reference issued (BAS)
Appendix 6 – 2008-09 Reporting and Delivery Protocol