System of internal control

The Board of Governors is responsible for the university’s system of internal control that supports the achievement of policies, aims and objectives, while safeguarding the public and other funds and assets for which it is responsible.

The system of internal control is designed to manage rather than eliminate the risk of failure to achieve business objectives; it can therefore only provide reasonable and not absolute assurance of effectiveness. It is an ongoing process designed to identify the principal risks to the achievement of policies, aims and objectives, to evaluate the nature and extent of those risks and to manage them efficiently, effectively and economically.

The following processes have been established:

  • The board meets at least four times a year to consider the plans and strategic direction of the university.
  • The board receives regular reports from the Audit and Risk Assurance Committee concerning governance, risk management and internal control, and will request reports from management on specific areas of concern and the steps being taken to manage these risks/issues.
  • As part of the assurance assessment, the board receives an annual report from the Director of Internal Audit which addresses key issues of internal control and risk.
  • The Audit and Risk Assurance Committee meets at least four times a year, and receives regular reports from Internal Audit, which include Internal Audit’s independent opinion on the adequacy and effectiveness of the university’s system of internal control, together with recommendations for improvement. Management letters from external auditors are reviewed and management responses agreed.
  • The Audit and Risk Assurance Committee is also responsible for reviewing the effectiveness of the risk management control and governance arrangements, although the process of risk assessment and risk management is devolved to the Risk Management Steering Group, which reports through to the Audit and Risk Assurance Committee.
  • As part of the embedded risk management process within the university, risk lists are held and periodically reviewed and updated by each school/department, with consolidated risk lists reviewed by the Risk Management Steering Group. A summary of key risks and response actions is then submitted to the Audit and Risk Assurance Committee and the Board of Governors.
  • Risk management considerations are addressed specifically on all major projects and decision-making papers through the committee structure.