What is Internal Audit's relationship to the risk register?
The University's risk register is designed to include all of the risks which might adversely and significantly impact upon the University's Strategy.
Internal Audit's strategic plan allows time for us to review directly the management of most of the risks in the University's risk register. We also take the risks in the University's risk register into account when auditing departments.
In addition to risks drawn directly from the risk register, the Internal Audit plan also includes time for the audit of other risks which we consider merit audit attention. Internal Audit thus completes its own evaluation of University risks to guide the allocation of its resources.
Can Internal Audit advise me on managing risks?
In most cases we can, and such advice will form part of our audit reports. It should be noted that management of risk is the responsibility of University management, whilst Internal Audit has responsibility for providing assurance that the risk management process is operating effectively.
Are all risks covered as part of the audit?
Not all of them. There are some where the Internal Audit team does not have the skills or expertise to provide an effective review. This is acknowledged in our reports to the Audit and Risk Committee. In such cases experts are retained by the University to review specific risks and, where appropriate, Internal Audit draws upon the work of those experts to offer assurance to the Audit and Risk Committee.
In the area of IT, Internal Audit itself retains specialist auditors to undertake the work necessary to review the associated risks.
Will Internal Audit expect to see a risk register for my department or function?
Yes, where the central risk management process requires you to complete one. Where risks are crucial to the achievement of your departmental objectives, testing of your controls over the risks will form part of the audit.
What assurance do I get on risks at the end of the audit?
Our final audit opinion in each case relates to both risk management and control. You can therefore derive some assurance in respect of the risks about which Internal Audit expresses an opinion.
Our assurance is normally expressed in terms of the risk management being satisfactory. We thus do not provide an opinion that risks are managed "to the nth degree"; we simply report that they are adequately managed. Our opinion is also expressed at a point in time. Managing the risk remains an ongoing issue for management.