Thursday, 31 January 2008

Internal Audit

Lots of activity around internal audit at the moment. The University has a statutory responsibility to audit aspects of its business regularly, and we get audited more than most departments. There are about 4 IT Audits a year, plus we get audited like any other department on handling of financial transactions, and we get involved in audits of other areas, such as an upcoming audit of our HESA return.

We’re just coming to the end of an audit on our SAP implementation, particularly looking at security and how we control changes to the system. Initial findings were given to us on Tuesday, and we’re now looking at our response. In some areas the auditors will highlight where we do need to look at making changes to our processes; in others we will disagree with them, especially if we consider that the risk or resource involved in doing what they suggest outweighs any benefit. Recommendations will be given to us in a final report, expected in a couple of weeks. We will be asked for a management response, which will then go to Audit Committee. This is an interesting committee as it consists mainly of lay members, ie not University staff. Their job is to scrutinise reports, and our response. If there are any “category 1” recommendations – ie ones that the auditors feel must be complied with because the University will otherwise be at serious risk – then the Head of Department (ie me!) is summoned to the Audit Committee to explain themselves. It has happened to me on a number of occasions, and is not a particularly enjoyable experience, although the current Chair of Audit Committee is a very fair and reasonable person, unlike on some previous occasions. I remember a colleague going to Audit Committee on my behalf when I couldn’t be there because I was in London. When I got back I asked him how he’d got on. “They gave me a very warm welcome”, he said. “They roasted me”. The next time I had to appear before them, I knew exactly what he meant!


Stu said...

Has there been any discussion on using alternatives to Shibboleth? Outside the academic community, it has had limited success compared to standards such as OpenID, which is used by millions and millions of users.

Chris Sexton said...

Hi Stuart - nice to have a comment from an ex-member of staff - hope all is well with you. You pose an interesting question. The answer is that yes, OpenID was considered, but the strategy was to go with Shibboleth, basically because of the lack of trust in OpenID - there's lots written about it, and a good summary here:

Stu said...

Hi Chris - all is well thanks! Many thanks for the summary - very informative and most useful.

Best regards,

Chris Sexton said...

One thing that I'm interested to know, is why when I told a few people that you'd commented, they said "oh, the cube.."

Stu said...

Lots of laughter. I'm amazed anyone still remembers me there after all this time (it's 12 years this summer since I left). Please pass on my best wishes to everyone!

TheCube was my username on the Computer and Software Society's bulletin board system that I helped create, which is my claim to notoriety around the University to this day. It was originally a nickname I picked up in sixth form before coming to the University.