Internal Audit Manual Publication Date January 2022 - Cardiff University


Cardiff University
Internal Audit Manual
Publication date January 2022

Section 1: Introduction & Background
Section 2: Application of the Standards
Section 3: Key documents and evidence

Version number: V1.2 (*alignment to v0.6 of CHEIA Quality Assurance Toolkit)
With effect from: January 2022
Next Review: September 2024 (Any significant changes prior to this planned review date will result in an earlier review being completed as required)
Owner: Faye Lloyd, Head of Internal Audit

Section 1: Introduction and background

Structured to ensure compliance with relevant Internal Audit standards*
This Audit Manual has been developed in keeping with the structure of the CHEIA Internal Audit Quality Assurance Toolkit, which was originally commissioned by HEFCE on behalf of CHEIA in 2005. The toolkit is periodically updated to take account of changes to IIA Standards and related standards (e.g. Public Sector Internal Audit Standards PSIAS) and emerging good practice.

Outlines key operating policies and procedures that govern IA
The Manual establishes the key operating policies and procedures that govern the internal audit (IA) activity with a further view to strengthening professionalism of the function and serving as a guidance document to staff at Cardiff University on the ‘modus operandi’ of the service.

IA function operational since 2017 with a refreshed methodology
The Internal Audit Service underwent a transformation from the Joint Internal Audit Unit (covering Cardiff and Swansea Universities) that was in operation up until March 2017. This was replaced by a refreshed service that was responsible for Cardiff University only. A new HIA and in-house team and co-sourced partners were recruited and contracted to deliver the Service.

Purpose of IA to provide independent, objective assurance and consulting activity designed to add value and improve operations
The purpose of the Internal Audit Service at Cardiff University is to provide independent, objective assurance and consulting activity designed to add value and improve Cardiff University’s operations. The mission of internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight. The internal audit service helps Cardiff University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.

Key documents direct the IA function and approved by Audit & Risk Committee and Council

Section 2: Application of the Standards

Columns: CIIA Standard; QAIP Ref. & Evidence

1. Purpose, authority and responsibility of the Internal Audit (IA) activity
Evidence: Internal Audit Charter

2. Access within the institution
Evidence: Internal Audit Charter

3. Independence and objectivity of IA
Evidence: Internal Audit Charter; RIPE; Guidance for Advisory & Consultancy work

The Internal Audit Charter was agreed with the Vice-Chancellor in his role as Accountable Officer, endorsed by Audit Committee in October 2020 and recommended to Council and approved in November 2020. The Charter is published on the intranet and the external facing website containing public information. The Charter in use is based upon the template issued by CIIA.
CIIA Standard: 1000, 1010, 1110

The Head of Internal Audit (HIA) and team has full unrestricted access, and this is granted via the Internal Audit Charter, section 4 of the Charter refers to authority, “The Audit & Risk Committee authorises the internal audit service to:
- Have full, free, and unrestricted access to all functions, records, property, and personnel pertinent to carrying out any engagement, subject to accountability for confidentiality and safeguarding of records and information.
- Allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives, and issue reports.
- Obtain assistance from the necessary personnel of Cardiff University, as well as other specialised services from within or outside, in order to complete the engagement."
CIIA Standard: 1000, 1111, 2100

The HIA reports to the Chair of Audit & Risk Committee, and substantively to the Chief Operating Officer. The Head of Internal Audit holds regular 1:1s with Chair of Council.
CIIA Standard: 1000, 1100, 1110

In June each year, the Audit & Risk Committee receive the IA Audit Strategy and Plan with reference to the IA service’s approach to advisory and consultancy work for approval.
The internal audit planning document, the ‘Risk Identification Plan & Evaluation (RIPE)’ includes a section for disclosure of potential conflicts of interests linked to each audit assignment.
Section 3 of the Internal Audit Charter refers to Independence & Objectivity of the IA service, “Internal auditors will maintain an unbiased mental attitude that allows them to perform engagements objectively and in such a manner that they believe in their work product, that no quality compromises are made, and that they do not subordinate their judgment on audit matters to others.”

4 & 6. IA activity free from executive interference & responsibilities
Evidence: Annual Report; Internal Audit Charter

5. Council satisfied with status of HIA to fulfil responsibilities

Under the HEFCW Financial Memorandum, the HIA is required to state in the Annual Report that the HIA has been unfettered in their reporting.
CIIA Standard: 1000, 1110, 1112, 1130
Evidenced within section 3 of the Internal Audit Charter.

CIIA Standard: 1110
The HIA is appointed as per the original job description ‘with a level of gravitas appropriate within the organisation', appointed on the senior salary scale and subject to remuneration committee review for

salary amendments annually, as per an annual paper to Audit & Risk Committee and approved by Council.
HIA receives circulation of UEB papers and attends Professional Services Leadership Network (PLSN).
Evidence: HIA Job Description

7. Individual objectivity and organisational independence maintained
Evidence: RIPE; Annual Report

8 & 30. Knowledge, skills and competencies of IA resource
Evidence: Recruitment; Induction & PDR

A requirement for internal auditors to declare any conflicts is included within the planning of each audit assignment via the RIPE. Formal declaration is made within the Annual Report.
All staff are required to declare any declarations of interest within the corporate system, Core HR.
Consultancy assignments undertaken by IA are subject to issued guidance to ensure objectivity is maintained. In such instances, any subsequent related assurance assignments would typically be carried out by a different member of staff or externally sourced.

All IA in-house staff are required to be professionally qualified. Skills assessments are completed for each audit assignment via the RIPE to identify any training requirements.
External firms are engaged, in line with the procurement policy to undertake areas of work which fill a skills gap or where technical expertise is required, such as IT audit resource.

All staff are required to be professionally qualified.
Evidence: Recruitment; Induction & PDR
PDR process for continuous improvement and development.
Evidence: Incident Assessment Form; Counter-Fraud Policy; RIPE
CIIA Standard: 1210, 2030, 2230
The probation and performance development reviews are used to document training needs, aligned to the annual IA programme.

9. IA resources apply a risk-based approach

10 & 42. Anti-fraud skills, resource and process
CIIA Standard: 1120, 1130, 1210
The recruitment process incorporates a risk-based assessment.
Internal Audit have devised an Incident Assessment Form to allow a risk-based decision to be made and evidenced at the institution. Should specialist counter-fraud expertise be required for complex frauds, professional services firms are utilised. *The institution’s Counter-Fraud Policy includes a Fraud Response Plan, which allows for an assessment to be made by a Panel* as to the most appropriate resource to be used (including the potential for an External specialist) to undertake specialist investigations. All procedures have been tested during live incidents.
CIIA Standard: 1210, 2040, 2120, 2210
Through planned audit work, the RIPE form used at the planning stage, has a section that requires an assessment of fraud risks.
The Counter-Fraud/Anti-Bribery internal control environment operating at the institution is subject to periodic review by IA.

11. IT skills and resource
Evidence: IA Strategy
The IT programme is delivered by an external provider. There is budget available to allow key risks to be identified and assessed (for example using COBIT) and covered in a rolling programme of work.
CIIA Standard: 1210
In-house IT related skills are kept up to date through skills assessments completed via the RIPE for each audit assignment and visibility of reporting from the external provider.

12 & 31. Consistency of IA approach and use of IT and audit tools (e.g. data analytics)
Evidence: Shared drive – file structure; PAD; RIPE; IA Strategy; Version Control

13 & 22. Skills / experience / qualifications of the HIA
Evidence: HIA Job Description

All audit files are held electronically, which facilitates the agility of the team, and enables location flexible working.
CIIA Standard: 1210, 2040
Each audit holds a unique reference number e.g. ‘202x/xx Cxx’, the file structure on the shared drive is set up at the start of each year. The process of version control is captured in a separate document.
Audit templates are held on the shared drive, key to the consistent approach and delivery of each audit are the PAD and RIPE. File reviews are completed and evidenced within these documents for all assignments to support and drive consistency.
The use of data analytics and other tools is severely limited by the maturity of data quality across the institution. This was initially addressed by the audit programme 2018/19 and is considered annually. IA are unable to progress maturity in this area until institutional maturity improves. However, consideration is given to the use of data analytics for each audit assignment via the RIPE.

The HIA Job Description requires that the post holder has significant relevant experience and be professionally qualified.
Further details of required qualifications, experience and skills is detailed within the job description.

14. Professional due care is exercised by the IA function (experience, objectivity, training and judgement)
File review of each audit assignment is the predominant control over the due professional care exercised by the IA function. The HIA reviews the work of staff and in turn they review work completed by the HIA. All reviews are evidenced, which are held within the relevant audit assignment folder on the shared drive.
Evidence: Annual Report
Reference to conformance with the standards also given within the annual report, section 1.49 for example in 2020/21 version.
Evidence: PAD; Shared drive – file structure

15. IA relevant knowledge of working context (HE Sector)
Knowledge of the sector and ways of achieving this are given as objectives within probation and PDR reviews. Induction programme available for new starters drives knowledge acquisition.
Evidence: Induction & PDR Objectives
The in-house team are members of key sector groups, BUFDG, WONK HE and CHEIA and receive appropriate regular sector updates. This extends to Welsh context specific requirements.
Evidence: Induction Checklist; RIPE
CIIA Standard: 1210, 1230, 1200, 1220, 1311, 1230
All in-house staff attend either the HIA Forum or the Practitioner’s Forum of CHEIA.
Assessment of skills and knowledge is considered for each audit assignment via the RIPE.

16. Training and continuing professional development (CPD) of IA staff
All staff are professionally qualified and are required to maintain CPD to retain professional membership.
CIIA Standard: 1230
Training and CPD is also included within the probation and PDR process, referenced within the Audit Strategy.
Evidence: IA Strategy; PDR

A training budget is determined from the PDR and the programme of work, which is included within the funding requirement put to the Audit & Risk Committee in June each year.

17. IA appetite for innovation and new working practices to enhance service provision
Evidence: IA Strategy
The HIA actively keeps abreast of current developments in the audit profession and considers application to service delivery.
CIIA Standard: 1230, 1300
The HIA regularly maintains contact with other HIAs both in the HE sector via CHEIA and outside the sector via CIIA events, and the Wales HIA networking group. CIIA HIA forum membership and attendance at events at national level.
Working practices and templates are considered at regular points including at team audit planning sessions and in advance of the new academic year.
Appetite to incorporate data analytics into assignments where data maturity allows.

18 & 20. Internal & External Assessments of IA
Internal review is completed for all work undertaken as part of day-to-day supervision prior to report release, as noted on the PAD and all published reports.
Evidence: Quality Assessment and Improvement Programme (QAIP)
IA completes the CHEIA peer review self-assessment annually and maintains a ‘Quality Assurance and Improvement Programme’ (QAIP). Annually the Audit & Risk Committee receive the QAIP action plan, results and next steps (typically October) and this is included in the Annual Report.
CIIA Standard: 1300, 1310, 1311, 1320, 1321, 1322, 2000, 2240, 2430
Formal external review is planned for 2021/22, to be determined by the Audit & Risk Committee, paper presented outlining HEFCW Financial Management Code requirements in October 2021.

19. Auditees' opinion of quality of service received
CIIA Standard: 2431
Feedback is gathered via several informal mechanisms, collated and reported annually to the Audit & Risk Committee (at their request) and included within the Annual Report.
CIIA Standard: 1311
The HEFCW Financial Management Code details requirements for the appointment, removal, or resignation of internal and external auditors, where governing bodies are responsible for the appointment and removal of both internal and external auditors.
CIIA Standard: 1110
Evidence: Annual Report

21. Appointment, removal & resignation of auditors
Evidence: HEFCW Financial Management Code; Ordinances
Audit & Risk Committee advise on the appointment and termination of the Head of Internal Audit.
Ordinances of the Audit & Risk Committee outline their responsibility to advise the governing body on the appointment of audit providers.

23 & 33. Development and progress of a risk-based Audit Strategy and Plan
Evidence: UEB Risk Register; Audit Universe; IA Strategy & Plan; Progress Report; Risk Assurance Map
The University Executive Board’s (UEB) Risk Register forms the starting point for the Audit Strategy and Plan. The risk register is laid over the Audit Universe and there is direct line of sight from the higher-level risks through to the Audit Programme for the year.
CIIA Standard: 1111, 2010, 2060
Extensive consultation is undertaken during the planning process with management and governors.
Risk assurance mapping processes are considered as they become embedded into the institution.

The programme is reviewed quarterly by UEB and the Audit & Risk Committee, and changes proposed are documented. KPIs are included within the progress report and notes any limitations.
A level of contingency days are built into the plan to enable the service to respond to emerging risks.

24. Knowledge transfer available to support the IA function
The IA function is supported by two co-sourced partners to address any gaps in the plan.
CIIA Standard: 1210
IA is on the distribution list for UEB, committees of Council and other sub-committees as required. Regular diarised meetings between HIA and the Chief Operating Officer, University Secretary, Director of Financial Operations and Chair of Council.
CIIA Standard: 2010
Evidence: Contracts for co-sourced provision

25. Processes to ensure IA are kept informed of institutional changes impacting the risk environment
Evidence: UEB, Council, committees of Council & sub-committee papers

26. Audit Universe coverage of the institution and associated activities
Evidence: Audit Charter; Audit Universe

27. IA resource adaptable to changing risk profile
Evidence: IA Strategy
Annual planning meetings are held between the HIA and the Vice-Chancellor and Pro Vice-Chancellors as a minimum.
IA Charter specifically refers to 'Cardiff University and its affiliates' in section 6.
CIIA Standard: 1000, 2010, 2100, 2201
The audit universe incorporates associated activities of the university, including the Student Union, joint ventures and subsidiary companies, and continues to be extended.
The ‘IA Strategy, Plan and Budget’ is presented to Audit & Risk Committee for review, endorsement and recommendation to Council, including that 'the resources are sufficient bearing in mind the University's risk profile’; and, proposed areas of coverage etc.
CIIA Standard: 1110, 2010, 2030, 2230
Any additional requirements would be taken to Audit & Risk Committee for consideration when required.

28. Communication of the approved IA Strategy
The IA Strategy and Plan is received by University Executive Board, Audit & Risk Committee, and Council.
CIIA Standard: 2020
IA audit coverage determined in the strategy and amendments approved by Audit & Risk Committee.
CIIA Standard: 2020, 2030
A high-level risk assurance map has been completed to aid oversight of other assurance providers across the institution. Any external sources of assurance available are considered for each audit assignment via the RIPE.
CIIA Standard: 2050
Evidence: IA Strategy

29. No limitations to scope of IA coverage
Evidence: IA Strategy

32. IA overview of other assurance providers
Evidence: Annual Report; RIPE
Time is built into the Audit Plan to accomplish an overview of other assurance providers and liaise with such providers, including discussions with external auditors, Wellcome and UKRI.

The co-ordination and alignment of external assurance sources is being led by IA at present. There is an increasing maturity of institutional assurance frameworks.
Known assurance providers to IA include: UKRI funding assurance review, HTA external visit, HEPCW VfM report, C. G. Lees research funding assurance and the work of the KPMG data returns (commissioned by HEFCW).

34. Annual Report to Audit & Risk Committee for period under review
Evidence: HEFCW Financial Management Code; Annual Report

35 & 59. Audit & Risk Committee monitor effectiveness and performance of IA
Evidence: Quarterly progress report; QAIP; CUC Audit Committee Code of Practice

36. Mechanisms to promote adherence to ethical standards
Evidence: IA Charter; RIPE

Annual Report presented to Audit & Risk Committee in October each year. In advance of this, the Annual Report is presented to University Executive Board for discussion and comment.
In accordance with the HEFCW Financial Management Code the Annual Report provides an opinion of governance, risk management, internal controls, data quality and value for money, regards adequacy and effectiveness.
CIIA Standard: 1000, 1111, 1300, 2060

Quarterly progress report to each Audit & Risk Committee, which includes operational KPIs for monitoring purposes.
CIIA Standard: 1100, 2060
Regular in camera meetings with the Audit & Risk Committee and the Chair in line with scheduled committee meetings.
CIIA Standard: 2070
IA self-assessment completed annually.
The Chair of Audit & Risk Committee provides input to the HIA PDR, which feeds into HIA pay review.
The CUC Audit Committee Code of Practice (May 2020), refers to committee oversight of internal audit effectiveness, specifically ‘Element 8: The Audit Committee exercises effective oversight of internal audit’.

Processes to direct adherence to ethical standards are embedded within the audit methodology including: the IA Charter (Section 2), independence & objectivity considerations for each assignment via the RIPE, and the requirement for all in-house staff to be qualified which require annual declarations to be made of conformance to ethical standards of relevant bodies.
CIIA Standard: 1100, 1120, 1210, 1220, 1300, 1311, 1322, 2000, 2040, 2431

37. IA consideration of institutional governance
Evidence: IA Charter; IA Strategy; IA Annual Report
Included within the IA Charter, Strategy and opinion within the Annual Report.
Annual governance audit carried out to meet HEFCW FMC requirements for opinion. The annual report draws together emerging governance themes in the root cause analysis of emerging themes.
CIIA Standard: 1000, 2100, 2110, 2201
Council effectiveness review conducted periodically. Last review completed in 2020/21 which is included in the opinion.

38. IA consideration of risk management
Included within the IA Charter, Strategy and Opinion within the Annual Report.
CIIA Standard: 1000, 2100

Evidence: IA Charter; IA Strategy; IA Annual Report
Annual risk management audit carried out to meet HEFCW FMC requirements for opinion. The annual report draws together emerging risk management themes.
CIIA Standard: 2120, 2201

39. IA consideration of internal controls
Included within the IA Charter, Strategy and Opinion within the Annual Report.
Evidence: IA Charter; IA Strategy; IA Annual Report
Every audit considers the internal control environment which feeds into the annual opinion. The annual report draws together emerging themes via a root cause analysis.
CIIA Standard: 1000, 2100, 2130

40. IA consideration of value for money
Included within the IA Charter, Strategy and Opinion within the Annual Report.
Evidence: IA Charter; IA Strategy; IA Annual Report; Priority ratings of recommendations
Every audit considers value for money arrangements which feeds into the annual opinion. The annual report draws together emerging themes via a root cause analysis.
CIIA Standard: 2201, 1000, 2100, 2130, 2201
The internal audit methodology includes the ability to raise VfM points within each audit, as well as looking to audit specific areas with a VfM slant.
Management assurances and external forms of assurances are considered in deriving the VfM opinion.

41. Documented work programmes to achieve engagement objectives
Evidence: RIPE; PAD; Terms of Reference (ToR)

43. Planning of individual audit assignments
Evidence: RIPE; PAD; ToR

At the planning stage of each audit the methodology requires the completion of a RIPE and PAD (Process Analysis and Design) form. Both are the foundation for the completion of the Terms of Reference which outlines risks, objectives covered and requirements of testing including the tools and techniques used. Each piece of work is bespoke. The same methodology is applied for consultancy/advice engagements.
CIIA Standard: 2200, 2210

Initial conversations are held with members of UEB when the HIA holds annual planning meetings. The HIA assigns an auditor who completes desk-based research to commence the completion of the PAD and RIPE.
CIIA Standard: 2200, 2210, 2230, 2240, 2220, 2230
Planning meetings with key contacts are arranged to discuss the audit area and associated risks to facilitate the completion of the RIPE and PAD, and ultimately a Terms of Reference.
Each audit is assigned a UEB Sponsor, determined by the risk register in most instances. Once the RIPE and draft ToR have been reviewed by HIA (or reviewer), a draft of the ToR will be shared with the UEB sponsor for agreement, which includes; scope (including any limitations where relevant), objectives, risks, deliverables and proposed timelines.
The audit will only commence once a final ToR has been released following agreement of the draft.

44, 47, 48 & 50. Reports provide full and complete disclosure of material facts. Recommendations are
The PAD/RIPE are the key documents to connect the audit from planning through to the report. The summary of the PAD informs the overall conclusion of the audit. Audit close meetings are held for all assignments including advisory work. Format of close meetings differs depending on the assignment, PowerPoint presentation used for large assignments to relay findings through the discussion.
CIIA Standard: 1311, 2300, 2310, 2320, 2330

identifiable from the PAD to IA report
Evidence: PAD; RIPE; Report Templates; Shared drives; Assurance ratings
HIA/alternate undertakes review of all working papers and evidence of this review is presented on the PAD. Paper files are not created, all information is held on the shared drive within the relevant audit assignment folder.
Report templates are in place for assurance / advisory assignments, to be tailored as required and must demonstrate the link to audit risks from the ToR and PAD. Standard wording for conclusions agreed by Audit & Risk Committee and applied to all assignments within these templates.
CIIA Standard: 2340, 2400, 2410, 2421, 2440
A separate follow-up template is in place. The style of reporting is extended to the external contractors, who badge their own reports but utilise our methodology and style.
KPIs are used to monitor performance of the reporting process which are monitored by Audit & Risk Committee.

45 & 51. Supervision of audit engagements and quality assurance
Evidence: RIPE; PAD; Report Template; QAIP
Audit review is captured for all assignments electronically, file review is evidenced on the RIPE, PAD and draft report, prior to release. In the instance where the HIA undertakes audit work, a review is undertaken by another member of staff.
CIIA Standard: 1300, 1311, 2340, 2420
External sub-contracted auditors follow their agreed in-house QA protocols.
CIIA Standard: 2430
Team meetings provide opportunity to discuss lessons learned from each assignment, to continuously improve working practices.
QAIP conducted annually by HIA as a peer-reviewed self-assessment.

46. Appropriate control over access to engagement records
Evidence: Management and protection of data: mandatory actions for internal auditors; Shared drive – file structure
Audit assignment engagement records are held on the shared drive. There is restricted access to the shared drive with only IA team members having access. An IA TEAMS site is available for use also for convenience and accessible to IA staff only. The shared drive remains the definitive and authoritative information source.
CIIA Standard: 2040, 2330
IA only release audit ToRs and reports to the UEB Sponsor and Lead Contact, unless advised to circulate further or where required for completion of management response, e.g. a recommendation requires action from more than one department/school.
Further details are provided in the ‘Management and Protection of Data’, which is mandatory for all IA staff.
IA document retention and data policy maintained by IA, last updated April 2021.
All university staff are required to annually complete mandatory ‘Information Security’ e-learning.

49, 56 & 57. Management agreement of recommendations and procedures for dealing with disagreements
Evidence: Report templates; Audit & Risk Committee ToR
The reporting requirements are set out in the ToR for each piece of work undertaken. Management have 10 working days to provide a management response to the draft report, which requires a response to each recommendation (unless advisory), confirming if they agree or disagree with recommendations. On return, IA check for reasonableness of responses and timeliness of completion, prior to issuing as a final report. On receipt of the management responses IA will aim to issue the final report within 5 working days.
CIIA Standard: 1111, 2400, 2410, 2600

Evidence: IA Charter
In instances where recommendations are not accepted, Audit & Risk Committee will be made aware of the discrepancy, and that management choose to accept the risk by not implementing the recommendation.
Section 3 of the IA Charter refers, if there is interference with reporting or communication of risks and section 6, “the HIA will report periodically to senior management and the Audit & Risk Committee any response to risk by management that may be unacceptable to Cardiff University.” This is undertaken routinely via the Tracker.

52. Exclusion of recommendation from the report
Evidence: PAD; Reviewed draft report

53. Audit opinions
Evidence: Assurance ratings

This is not common practice but may happen if recommendations are grouped into an action category. All decisions are clearly documented on the PAD and reviewed audit report, providing direct line of sight from the RIPE and PAD, to the final report.
CIIA Standard: 2330, 2420, 2440

Assurance ratings are documented and appended to every report, which were approved by the Audit & Risk Committee, 'Review of Internal Audit Assurance Ratings for 2017/18 - 17/34’ to align directly with the risk management framework.
CIIA Standard: 2040, 2210, 2410, 2450
The HIA reviews all internally and externally produced work for consistency with this framework.

54. Follow-up of prior year / in year IA recommendations
Evidence: Tracker; FUP report
UEB and thereafter the Audit & Risk Committee (at each meeting) receives a report of the highly rated recommendations, ‘the Tracker’. The Tracker lists all Priority-1 recommendations, highlighting those outstanding and an IA assessment of the risk remaining to the business if recommendations are not implemented. The number of items on the tracker also contributes to the IA Opinion.
CIIA Standard: 2500, 2600
The Tracker paper captures the progress of undertaking follow-ups of each audit assignment, where all categories of recommendation are followed up on and released as a separate report.

55. Mechanisms in place to timetable the completion of audit work and deliverables
Evidence: IA Strategy; ToR

58. Benchmarking of IA costs

The IA Strategy and Programme outlines the timetable for completion of audit work. Regular updates are made to the Audit and Risk Committee as a standing item through the progress report, and amendments to the plan clearly shown and formally requested from the committee.
CIIA Standard: 2000, 2200
Each audit assignment terms of reference details proposed timelines and deliverables.

Benchmarking of IA costs is included within Audit Strategy and Plan annually using the annual BUFDG survey output.
CIIA Standard: 1110

The Audit & Risk Committee receive the results of the QAIP for review and discussion, minutes of the meeting record the committee’s response regarding performance.
CIIA Standard: 1311, 2230
Evidence: IA Strategy

60. Audit & Risk Committee’s assessment of the performance of IA
Evidence: QAIP
Audit & Risk Committee self-evaluation would also provide insight to performance of IA.
Audit & Risk Committee Chair Annual Report to Council states “the committee has satisfied itself that reliance can be placed on the

reporting made by the Internal Audit function in place during the year”
Evidence: Audit & Risk Committee self-evaluation; Audit & Risk Committee Annual Report

Section 3: Key Documents and Evidence

1. Cardiff University Website – Internal /corporate-information/internal-audit
2. Cardiff University Intranet – Internal Audit f University Website – Audit & Risk Committee Terms of 343-ordinances
4. Audit & Risk Committee approval: Internal Audit Charter (October 2020 Meeting Book)
5. Internal Audit Strategy and Plan (Approved annually in October Meeting Book)
6. Internal Audit Annual Report (Approved annually in November Meeting Book)
7. Progress Reports (Presented at each Audit &
