top stories

Share

Higher Education Funding Council for England

Comments from the Association of Chartered Certified Accountants
January 2002

Executive Summary

The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to comment on the Audit Code of Practice issued by the Higher Education Funding Council (HEFCE). These comments have been prepared in consultation with members of ACCA's Internal Audit Sub-Committee.

ACCA is disappointed that the current exercise is only an update to the Code and that a full consultative review will not take place until 2003-04. We believe that the Code requires a full revision to bring it into line with recently issued internal audit standards (see below). We are also disappointed that the HEFCE provided a consultation period of less than eight weeks.

We believe that the Code should refer to a consistent set of standards and guidance on internal auditing.

We are concerned that there has been almost no extension to the mandatory requirements of the Code. Given the proposal for the HEFCE Audit Service to reduce its own direct work at higher education institutions and to place greater reliance on other sources of assurance, such an extension is now needed.

General Matters

Rigour with which the update is being undertaken

1. The Code is being updated to bring it into line with recent developments including new editions to two important internal audit standards, the Government Internal Audit Standards from HM Treasury and the Standards for the Professional Practice of Internal Auditing from the Institute of Internal Auditors (IIA). The IIA Standards were published in June 2000 and the Government Internal Audit Standards were issued in July 2001. This timetable should have given the HEFCE adequate time fully to revise the Code and to provide an adequate period for consultation.

2. In these circumstances, we are disappointed that the current exercise is merely an update and that 'a full consultative review' will not take place until 2003-04. (It is also disappointing that a consultation period of less than eight weeks was provided (including Christmas) compared to the Government's recommendation of at least 12 weeks for public consultation.)

3. We believe that the consultation exercise would have been improved if the proposed changes to the Code had been highlighted. Given their limited nature, this is particularly the case.

4. We are also concerned that further guidance on the work needed to produce internal control and risk management statements, including the role of the audit committee in risk management, is still being promised by the HEFCE. This is a developing area, but the Turnbull Report on which it will be based was published two and a half years ago, in September 1999. Consistency of reference to internal auditing standards

5. We believe that the Code should refer to a consistent set of standards and guidance on internal auditing that its readers should be directed to. The revised Code does not achieve this (see Annex A for details).

Limited extent of mandatory requirements

6. We are concerned that there has been almost no extension to the mandatory requirements of the Code. Given the increased extent to which the HEFCE Audit Service is proposing to rely on other sources of assurance and the planned reduction its own direct work at higher education institutions, we believe that this is necessary.

7. As an absolute minimum, the scope and content of the internal audit annual report should be made mandatory. While institutions are to be required to submit this document to the HEFCE, its the scope and content is not prescribed and no reference is made to the new requirement in the main body of the Code.

The role of internal audit

8. We believe that internal audit has two main roles. These are to:

• provide reasonable assurance that significant risks are being appropriately managed, with an emphasis on the role of internal controls
  and
  
• help to ensure that internal control and risk management systems are continually being improved and optimised by providing audit recommendations.

9. We accept that the HEFCE and HM Treasury consider that the first of these is the prime role for internal audit. The revised definition of internal audit within the Government Internal Audit Standards goes further to include the provision of internal audit recommendations. This has the effect of bringing both the points at paragraph 8 within the definition and primary role of internal audit as we recommend.

10. The revised Code seems to suggest that providing internal audit recommendations is part of internal audit's wider consultancy service. We do not believe that this is a reasonable assumption. For this reason, we suggest that paragraph 55 should be re-written to distinguish between:

• internal audit providing recommendations for improvements to internal control, as part of its core work
  and
  
• the wider consultancy service which internal audit should also provide.

DETAILED POINTS

Direct auditing by HEFCE

11. The new paragraph 35.c indicates that the HEFCE Audit Service will seek to undertake direct auditing where satisfactory assurance has not been provided on a system. We believe that this could lead to a significant extension of the work of the HEFCE Audit Service which appears to conflict with the aim of reducing the audit burden on institutions.

Frequency of audit committee meetings

12. We believe that good practice in other sectors is for audit committees to meet at least three times a year (see for example A Handbook for Audit Committee Members in Further and Higher Education 1996 page 41). We consider, therefore, that paragraph 44 of the Code should be revised to include this recommendation, rather than the minimum of two meetings a year which is currently suggested.

Timing of reports from the internal auditors and audit committee

13. The Code will require each institution to submit the annual report from its internal auditors and its annual audit committee reports to the HEFCE. No deadline is provided in the Code for the submission of these reports. We believe that these reports should be submitted by 31 December after the end of the financial year to which they refer.

Aim of the internal audit strategy

14. We believe that the first sentence of section b of the new paragraph 58 should be amended to read:

"b. The internal audit strategy should include providing an assurance on the adequacy of the institution's risk management strategy as part of its whole internal control system."

15. Despite the significant changes to the Government Internal Audit Standards in this area, the HEFCE has not amended its guidance in the Code on internal audit planning. Paragraph 71 and Annex E still refer to an audit cycle with the implication that the internal audit strategic plan will cover the next three to five years. Many internal auditors have now moved away from this cyclical view of audit planning.

Review of the internal audit strategy

16. We do not agree with the guidance which has been added to the Code (paragraph 70) that the overall internal audit plan should be updated annually. The previous HM Treasury standards on internal audit only required the strategic internal audit plan to be reviewed and updated regularly. The current Treasury standards do not include this requirement. We believe that, especially for smaller institutions, the strategy may not need to be updated each year.

Internal audit consortia

17. We believe that the benefits of institutions obtaining their internal audit services from an internal audit consortium are understated by the Code. We consider that this could be overcome by adding the following sentence to the end of paragraph 83:

"The use of internal audit consortia can combine the advantages of in-house staff with the flexibility and wider experience of an external team."

External audit review of internal audit

18. We do not consider that the final sentence to paragraph 84 is clear or relevant in this context. External auditors only need to review those aspects of the work of internal audit on which they wish to rely. The Code should not suggest that institutions should rely on their external auditors to provide assurance on the quality of their internal audit services.

Mandatory requirements for internal audit

19. We are surprised that there has been almost no extension to the mandatory requirements of the Code (see also paragraph 6 above). As proposed, the Code implies that it is acceptable for internal audit:

• not to have formally agreed terms of reference (or letter of engagement if provided externally)
• not to plan its work
  and
• to undertake academic audit.

20. In addition, we believe that paragraph f of Annex A should be extended so that it reads:

"The work of the internal audit service must cover the whole of the internal control system of the institution, including all its operations, resources, staff, services and responsibilities for other bodies. It should cover all activities associated with the institution, including those not funded by the HEFCE." (See paragraph 57 of the Code.) ACCA-CR-AW14

Back to top