Lots of activity around internal audit at the moment. The University has a statutory responsibility to audit aspects of its business regularly, and we get audited more than most departments. There are about 4 IT Audits a year, plus we get audited like any other department on handling of financial transactions, and we get involved in audits of other areas, such as an upcoming audit of our HESA return.
We’re just coming to the end of an audit on our SAP implementation, particularly looking at security and how we control changes to the system. Initial findings were given to us on Tuesday, and we’re now looking at our response. In some areas, the auditors will highlight areas where we do need to look at making changes to our processes, in others we will disagree with them, especially if we consider the risk or resource of doing what they suggest outweighs any benefit. Recommendations will be given to us in a final report, expected in a couple of weeks. We will be asked for a management response, which will then go to Audit Committee. This is an interesting committee as it consists mainly of lay members, i.e. not University staff. Their job is to scrutinise reports, and our response. If there are any “category 1” recommendations – i.e. ones that the auditors feel must be complied with because the University will be at serious risk, then the Head of Department (i.e. me!) is summoned to the Audit Committee to explain themselves. It has happened to me on a number of occasions, and is not a particularly enjoyable experience, although the current Chair of Audit Committee is a very fair and reasonable person. Unlike previous occasions – I remember a colleague going to Audit Committee on my behalf when I couldn’t be there because I was in London. When I got back I asked him how he’d got on. “They gave me a very warm welcome”, he said. “They roasted me”. The next time I had to appear before them, I knew exactly what he meant!