Report 98/28
Audit Code of Practice
This Code has been updated. The new Code takes effect from 1 August 2004.
Contents
General principles for internal and external auditors
Audit arrangements for the Higher Education Funding Council for England
Audit committees in higher education
Internal audit arrangements in higher education institutions
External audit arrangements in higher education institutions
Annexes
Annex A Mandatory requirements
Annex B Audit Committee model terms of reference
Annex C Procedures for external testing external and internal audit
Annex D Internal audit model terms of reference
Annex E Internal audit planning
Annex F Model terms of engagement for external auditors
Annex G Model external audit report

Foreword from the Chairman of the HEFCE, Sir Michael Checkland

Higher education institutions continue to face considerable change and increasing pressure on the management of resources, both financial and non-financial. The HE sector needs to strike a balance between autonomy and the proper use of public funds. This Code aims to help achieve that balance by clarifying the respective responsibilities of governing bodies, management and auditors. The Code sets out the audit arrangements we will use, lays down a framework for audit within institutions, and gives guidance on good audit practice. In doing this, we fully recognise the autonomy of institutions. Accordingly, the Code stresses the need for liaison and co-operation, and seeks to minimise its mandatory requirements. A great deal of the Code is concerned with good practice guidance. Implementing good practice should be the aim of every institution, because it is in their own interests, and I believe the new Code will help them to do so.

Sir Michael Checkland

Audit Code of Practice
Executive Summary

Purpose

1. This document sets out the Council's requirements for institutions' internal and external audit arrangements and gives the broad framework in which they should operate.

Key points

2. This Code supersedes the 1993 version with effect from 1 August 1998.

3. The Code describes our minimum audit requirements and those that we consider to be good practice or worthy of consideration.

4. Model versions of key documents are provided for institutions to use at their own discretion.

Audit Code of Practice

Introduction

1. The Financial Memorandum between the Council and the Department for Education and Employment (DfEE) requires the Council to issue an Audit Code of Practice (the Code). This Code is the Council's view on how effective audit coverage can be achieved. It sets out the Council's minimum requirements for external and internal audit arrangements, and the broad framework in which they should operate. The Code also provides an overview of the roles and responsibilities of the HEFCE's Audit Service (HEFCEAS). It is not intended to cover academic audit or the audit requirements of any other body.

2. There are a number of mandatory requirements which are conditions of funding under the Financial Memorandum between the Council and institutions. Within this Code 'must' and 'will' denote mandatory requirements, and 'should' denotes the Council's view of good practice. 'May' indicates ideas worthy of consideration. For ease of reference, the mandatory requirements are set out in Annex A. The Code also includes a number of 'model' documents. These are for guidance only and, together with the good practices set out, should be used with discretion. They may need adaptation to meet local circumstances. Additional guidance is available from the HEFCEAS.

3. The Council will assess compliance with these requirements, having regard for the guidance on good practice, and all of the audit arrangements that an institution has in place.

4.
The Code is primarily for use by internal and external auditors, institutions' senior management, members of the governing body and audit committees. It should be read with the relevant publications of the Auditing Practices Board. More detailed advice on any aspect of the Code is available from the HEFCEAS. The Code is not intended to be a manual. Institutions should consider developing their own manuals to detail more fully their own procedures for audit-related matters.

5. From time to time the Code will be updated. The Council intends to review its operation fully in 2003, and will consult interested parties before making any significant amendments. The HEFCEAS welcomes comments on the Code and its operation at any time.

6. The Council may also supplement the Code with occasional Audit Practice Notes (APNs) and circular letters, giving guidance on good practice in specific areas, such as severance payments to senior staff (Circular Letter 7/97). They will be developed in consultation with the representative bodies in higher education, and may be incorporated into any subsequent revision of the Code.

7. The rest of this Code deals with the separate elements of audit arrangements, and sets out guidance on general principles of audit, the HEFCEAS, audit committees, internal audit and external audit.

Elements of audit

8. In accordance with their Financial Memorandum with the Council, institutions must have adequate and effective management controls. However, other public bodies also have an interest in these control arrangements, including Parliament, the Department for Education and Employment (DfEE) and, if applicable, the Further Education Funding Council (FEFC), the Research Councils and the Teacher Training Agency (TTA).

9. Each of these bodies needs to make appropriate arrangements to safeguard its interest. Each has its own auditors but in practice there are only two groups engaged in regular audit investigation of an institution's systems and records - an institution's internal and external auditors. This is the same level of activity that is common in the private sector. Of the interested parties, the DfEE, the HEFCE, the FEFC and the TTA seek to avoid duplication by relying on the work of the other auditors whenever possible.

Parliament

10. Parliament's interest is to see that public funds are properly accounted for and used economically, effectively and efficiently by recipients. The Comptroller and Auditor General, head of the National Audit Office (NAO), is the auditor of the HEFCE. He has the right to inspect the accounts of any institution that receives HEFCE grants and the right to carry out value for money investigations. The NAO is highly selective in its use of inspection rights: most of the financial audit work can be undertaken at the HEFCE, and value for money investigations normally involve only a sample of institutions at any one time.

Department for Education and Employment

11. Public funds are channelled through the DfEE, and the DfEE Accounting Officer is responsible and accountable to Parliament. The Accounting Officer must be satisfied that proper arrangements are being made to safeguard public funds. This is achieved by requiring the HEFCE to have an audit service and appropriate accounting systems. The work of the HEFCE and its audit service is examined by the DfEE audit service. The DfEE may observe the HEFCE audit service at work in institutions but it does not audit institutions itself.

HEFCE

12. The HEFCE's Chief Executive is Accounting Officer for the funds received from the DfEE and is accountable to Parliament for them. The Accounting Officer must therefore be satisfied that institutions are making proper arrangements to ensure that public funds are being used for the purposes for which they were given, and are adequately safeguarded. To obtain that assurance, the HEFCEAS will periodically assess compliance with this Code and assess the internal management controls of institutions, relying on the work of internal and external audit where appropriate. Additional information on serious weaknesses, significant frauds and any major accounting breakdowns is also required to help satisfy the Accounting Officer's responsibilities.

13. The governing body of the institution is responsible for ensuring the proper use of public funds. Under the Financial Memorandum, the governing body is required to designate a principal officer, known as the designated officer (the holder of the principal office of the institution, as defined in the Financial Memorandum between the HEFCE and the institution). He or she should satisfy the governing body in respect of the use of public funds and may be required to appear before the Committee of Public Accounts of the House of Commons, alongside the Chief Executive of the Council, on matters relating to the use of funds provided by the HEFCE. The designated officer is usually the institution's vice-chancellor, principal or equivalent.

14. The designated officer must inform, without delay, the chairman of the institution's audit committee, the chairman of the institution's governing body and the HEFCE Accounting Officer of any serious weakness, significant fraud or major accounting breakdown. If a matter requiring report is discovered by external or internal auditors in the normal course of their work and the designated officer refuses to make a report, then the auditors must report directly to the chairman of the institution's audit committee, the chairman of the institution's governing body and the HEFCE Accounting Officer. This is to ensure that the institution has taken appropriate action. In addition, the HEFCEAS is able to provide advice to institutions on dealing with fraud and irregularity, particularly when notified at an early stage. Information obtained, suitably anonymised, may be disseminated throughout the sector by HEFCEAS, thereby enabling institutions to protect their interests. This process should also reduce the need for visits to institutions by the HEFCEAS.

15. In this Code a serious weakness includes one that has resulted in an attempted, suspected or actual significant fraud or irregularity. Significant fraud is usually where one or more of the following apply:
a. The sums of money involved are, or potentially are, in excess of £10,000.
b. The particulars of the fraud are novel, unusual or complex.
c. There is likely to be public interest because of the nature of the fraud or the people involved.
There may be circumstances that do not fit this definition. In these cases or any others, institutions can seek advice or clarification from the Council's Chief Auditor. In view of the public interest, institutions should normally notify the police of all suspected or actual fraud. Where the police are not notified, management should advise the audit committee of the reason. Institutions are also referred to the guidance on fraud issued by HEFCEAS in 1998.

FEFC / TTA

16. Some institutions receive funds from the FEFC or the TTA, who therefore also have an interest in their management and accountability. To avoid unnecessary duplication, the FEFC and TTA will rely on the audit framework set out in the Code. They will not be directly involved in the auditing of higher education institutions, except they may occasionally request specific audit work to be undertaken in accordance with their own funding conditions.

General principles for internal and external auditors

Duties

17. These general principles for auditors are intended to supplement, not replace, those issued by the recognised professional bodies. This is necessary because the audit of public funds is different from that in the commercial sector, since auditors are also concerned with the HEFCE's requirements.

Independence

18.
Auditors should avoid the following:
a. Official, professional and personal relationships which might cause the auditor to limit the extent or character of the audit.
b. Any responsibility for the executive management of the institution.
c. Any interest, financial or non-financial, direct or indirect, in the institution (other than the normal employee or contractor relationship, or the funding of any prize, scholarship or academic appointment).

Due professional care

19. In exercising due professional care auditors should:
a. Take reasonable steps to obtain information relevant to the audit. Auditors should take into account information from the institution, the Council, any changes in legislation, and the results of previous audit work.
b. Keep up to date with developments in professional matters.
c. Look out for and take into account any unusual circumstances.
d. Consider audit objectives and plan work to adhere to them.
e. Document the conclusions arising from the planning process, and detail a budget for staff and time.
f. Discuss the main features of the audit with the institution.
g. Ensure that audits are staffed with suitably qualified and experienced personnel, and that work is properly controlled and reviewed.
h. Co-ordinate the work of specialist staff.
i. Ensure that conclusions are adequately supported by reliable evidence. This evidence should be sufficient for an experienced auditor with no previous connection with the audit to ascertain what work was done and how the conclusions were reached.
j. Control costs of audit, and weigh costs and likely benefits.
k. Maintain objectivity at all times.
l. Preserve confidentiality where appropriate.

Audit arrangements for the Higher Education Funding Council for England

HEFCE

20. The HEFCE's Chief Executive is Accounting Officer for the funds received from the DfEE and is accountable to Parliament for them. The Accounting Officer must therefore be satisfied that institutions are making proper arrangements to safeguard such funds and use them effectively. The Council itself also has a responsibility; to help it discharge this, it has established an Audit Committee, whose terms of reference are based on the model terms set out in Annex B.

HEFCE Audit Service

21. The Financial Memorandum between the DfEE and the Council requires the establishment of an internal audit function. This function will be discharged by the HEFCE Audit Service. The HEFCEAS will be externally tested in accordance with the guidance in Annex C.

Role

22. The HEFCEAS is responsible for evaluating all control arrangements, financial and otherwise, of the Council and of institutions funded by the Council, and for giving assurance to the Council and the Accounting Officer on those control arrangements.

23. The HEFCEAS has no executive role nor does it have any responsibility for the development, implementation or operation of systems. It may, however, provide advice on control and related matters subject to the need to maintain objectivity.

Scope

24. All the Council's activities are within the remit of the HEFCEAS. It will consider whether the system of controls is adequate to secure propriety, efficiency, economy and effectiveness in all areas. It will seek to confirm that management has taken the necessary steps to achieve these objectives.

25. All institutions receiving funding from the Council fall within the scope of HEFCEAS review. Rights of access to undertake examination of internal financial and management controls are provided in the Financial Memorandum between the Council and each institution.

Responsibilities

26. The HEFCEAS will undertake a programme of work, over a cycle to be agreed with the Council and the Accounting Officer, to achieve the following objectives:
a. To appraise the soundness, adequacy and application of financial and other controls.
b.
To ascertain the extent of compliance with established policies and procedures.
c. To ascertain the extent to which assets and interests of funds provided to or by the Council are properly controlled and safeguarded from losses of all kinds.
d. To ascertain that accounting and other information is reliable as a basis for the production of accounts and other returns.
e. To identify, and test where appropriate, the controls established to ensure the integrity and reliability of information used.
f. To ascertain that the systems of control are laid down correctly and operate to promote the most effective, efficient and economic use of resources.

Access

27. The Chief Auditor has a direct right of access to the HEFCE Accounting Officer and the Chairman of the HEFCE Audit Committee and, if necessary, the Chairman of the Council.

28. The HEFCEAS has access to all HEFCE records, information and assets, and can require any officer to give any explanation which it considers necessary to fulfil its responsibilities. It has the same rights in respect of each institution funded by the Council.

Reporting

29. For day to day administrative purposes only, the Chief Auditor reports to the Director of Finance and Corporate Resources. The Chief Auditor will, when appropriate, draw the attention of the Accounting Officer and the HEFCE Audit Committee to serious weaknesses, significant frauds and any major accounting breakdowns.

30. The Chief Auditor will submit an annual report to the Council's Audit Committee and the Accounting Officer. This report will include the Chief Auditor's assessment of the adequacy and effectiveness of the internal control system, a report on coverage achieved and a set of internal audit performance measures.

31. The HEFCEAS will normally produce a draft report within one month of completing each audit, giving an opinion on the area reviewed and making recommendations where appropriate. Audit reports will be discussed and the facts agreed. Each report will include an agreed action plan for improvement. Fundamental and significant recommendations will be followed up in accordance with the action plan. All final versions of audit reports will be copied to the Council's Chief Executive.

Standards

32. The HEFCEAS will conform to the standards for internal audit laid down in the Auditing Guideline 'Guidance for Internal Auditors', issued by the Auditing Practices Committee in June 1990. Due regard will also be given to the advice in the Government Internal Audit Manual issued by HM Treasury, and to guidance from professional auditing and accountancy bodies. The Chief Auditor will monitor compliance with these standards and report as appropriate to the HEFCE's Audit Committee. In addition, the Audit Committee will consider a range of performance measures and receive any assessments of HEFCEAS by the DfEE Internal Audit Service.

Liaison

33. The HEFCEAS will liaise, whenever appropriate, with the NAO, the institutions' internal and external auditors, the DfEE, the TTA, the Scottish Higher Education Funding Council, the Higher Education Funding Council for Wales, and any other appropriate HEFCE officer or relevant organisation.

Approach

34. In achieving its objectives the HEFCEAS will do the following for the Council:
a. Identify all elements of the internal control system on which the Council intends to rely, assess audit needs and establish a review cycle.
b. Evaluate those systems, identify inappropriate or inadequate controls and recommend improvements in procedures and practices.
c. Undertake examinations to ensure that those systems of control are laid down and operate to promote the most effective, efficient and economic use of resources.

35. The HEFCEAS will also do the following for institutions:
a.
Establish whether all elements of the internal control system on which each institution intends to rely have been identified; that audit needs have been assessed adequately and review cycles established; and that audit arrangements are consistent with the Code.
b. Consider institutions' internal control arrangements - primarily through a cycle of visits - with a view to relying on them, and where appropriate recommend improvements. Each cyclical visit to an institution will seek to gain an overview of the adequacy and effectiveness of the internal control arrangements in place. To minimise duplication, the HEFCEAS will rely on the work carried out by the institution's internal and external auditors where appropriate.

36. HE institutions are required to furnish the HEFCE with data which inform its allocation of funding generally, and in response to specific initiatives. These data may be supplied directly or through the Higher Education Statistics Agency. The HEFCE has procedures for validating and verifying data received, and may undertake audit work to satisfy itself that the information supplied is reliable. As a consequence, the HEFCEAS undertakes programmes of data audit. The scope and conduct of such reviews varies, but normally involves visits to institutions to evaluate the systems which generate data and to verify data on a sample basis.

Value for money

37. The HEFCEAS will be responsible for value for money studies across the higher education sector to ensure that systems of control are laid down and that those systems operate to promote the most effective, efficient and economic use of resources. These will be for the benefit of institutions and will be performed after appropriate consultation. The emphasis of such national studies will be to disseminate good practice and to support institutions conducting their own reviews at a local level. The national studies will be followed up to determine the extent to which good practice is being adopted in the sector. In addition, the HEFCEAS cyclical visits will examine the approach to value for money adopted by institutions. The HEFCEAS will maintain information and guidance on value for money, including a model strategy, which is available to institutions on request.

38. The HEFCEAS will also consider conducting any special reviews requested by the Accounting Officer of the Council. This includes work necessary to fulfil the HEFCE's contractual obligations with the Department of Education for Northern Ireland.

Audit committees in higher education

Audit committees

39. The governing body of an institution must ensure that it is fulfilling its responsibilities for proper financial management, for the effectiveness of the internal control and management systems, and for the economy, efficiency and effectiveness of the institution's activities. Accordingly, institutions are required by their Financial Memorandum with the Council to appoint an audit committee. The duties of the audit committee will have to be determined in the light of the institution's needs but should normally include those described in the model terms of reference at Annex B. Reference should also be made to the CIPFA 'Handbook for Audit Committee Members in Further and Higher Education', published in 1996, and the ICAEW Audit Faculty guidance 'Audit Committees: A framework for assessment' issued in 1997. These documents provide additional information on the role of audit committees.

40. The audit committee should be properly constituted, appointed and given sufficient authority and resources by the governing body. It should have the right to obtain all the information it considers necessary and to consult directly with the internal and external auditors. The committee should be advisory and should report (or have the right to report) directly to the governing body. It should consist of at least three members of the governing body and should be able to co-opt non-governing body members with particular expertise or interests.

41. Co-opted members of the audit committee should not normally be appointed as its chairman, since the chairman has to be able to attend, as of right, all meetings of the governing body. Where this is unavoidable, arrangements should be made to ensure the chairman has full access to the governing body for reporting purposes. Subject to this, co-opted members should be treated as having equivalent status on the audit committee as full governing body members. The committee should have the right, whenever it is satisfied it is appropriate, to go into confidential session and exclude any, or all, participants and observers.

42. At least one audit committee member should have a background in finance, accounting or auditing. To ensure independence and objectivity, members must not have executive authority or be members of a finance committee or its equivalent, unless the institution can satisfy the Council that this is unavoidable for statutory or practical reasons. If members with executive authority or membership of a finance committee are appointed, they should be in the minority and should not hold the chair. There should also be some mechanism for them to declare an interest in any matter that impinges on their other responsibilities; they may then be excluded from consideration of such items. The chairman of the governing body should not normally be a member of the audit committee. Care should be taken in the appointment of governors with a significant interest in the institution (including staff governors) to ensure that the independence and objectivity of the committee is preserved.

43. The audit committee should consider whether members, or prospective members, require any training on internal control, finance, audit or other related matters. Visits to the finance department could contribute to this process. Committee members should normally be provided with a copy of the guidance on audit committees issued by CIPFA and the ICAEW. Further advice on any aspect of audit committee membership is available from the HEFCEAS.

44. The audit committee should be given maximum discretion to determine its proceedings, within the terms of reference set for it by the governing body. The committee should usually meet at least twice in each financial year. Most institutions find three or four meetings more appropriate. The timing and content of the meetings should follow, as far as possible, the planning and reporting cycles of external and internal audit. Senior and other staff, not just the head of finance (or equivalent), should be invited to attend audit committee meetings, particularly where their area of responsibility is under examination. The internal auditor should normally attend all meetings. The external auditors should normally attend meetings where business relevant to them is to be discussed. Both the internal and external auditors should have the right of access to the chairman of the committee, and the right to ask the chairman to convene a meeting if necessary.

45. The clerk to the governing body or some other independent person should normally be the clerk to the audit committee. Where the clerk has significant financial or other responsibilities at senior management level within the institution, the governing body should consider whether the role of clerk to the committee should be transferred to another individual to maintain independence, or whether sufficient safeguards are built into the existing arrangements.

46. The audit committee should also identify and approve appropriate performance measures for internal and external audit and monitor their performance annually. The HEFCEAS can provide guidance on suitable performance measures.

47.
The audit committee should consider significant individual audit findings or recommendations, but need not be concerned with more detailed findings, unless the committee considers it valuable to do so. The committee should concentrate on gaining assurance that the institution's system of internal control is adequate and effective, for example through the internal auditors' opinions of the activities and systems they have reviewed, through external audit and other audit related work. For this purpose, the audit committee should ensure there is an adequate system in place to monitor the implementation of agreed audit recommendations. The governing body, advised by the audit committee, should ultimately be responsible for ensuring that management take prompt and effective action on those audit reports which call for it, or for recognising and accepting the risks of management not taking action.

48. The audit committee, advised by management and its internal audit service, must satisfy itself that satisfactory arrangements are in place to promote economy, efficiency and effectiveness. For this purpose, audit committees should consider institutional value for money strategies, and receive reports monitoring compliance with the strategy.

49. The audit committee will be concerned with both internal financial control and the wider aspects of internal control. In this context financial control covers areas such as the maintenance of proper accounting records, reliability of financial information, the safeguarding of assets and the proper use of public funds. The wider aspects of internal control cover business risk, non-financial controls, compliance with laws and regulations, and economy, efficiency and effectiveness. This interest also extends to good corporate governance as it forms part of the system of internal control.

50.
Audit committees may review the draft annual financial statements, although care should be taken to avoid work that properly belongs to the finance committee. Where the financial statements are reviewed, the audit committee should consider the external audit opinion, the statement of members' responsibilities and any relevant issue raised in the external auditor's management letter. The committee should, where appropriate, confirm with the internal and external auditors that the effectiveness of the internal control system has been reviewed, and comment on this in its annual report to the governing body. In addition, the committee should review the corporate governance statement where one is provided. The second edition of the 'Guide for members of governing bodies of universities and colleges in England, Wales and Northern Ireland', issued by the Committee of University Chairmen, is available from the HEFCE. This recommends the inclusion of a corporate governance statement in the annual report as good practice, and offers model statements accordingly. The audit committee should review, and provide assurance in its annual report to the governing body on, any such corporate governance statement in the annual financial statements. This assurance should be consistent with the committee's knowledge of the governing body structure and arrangements, and will be informed by any specific work on governance matters the committee has had access to.

51. The committee must produce an annual report for the governing body and the designated officer. When they have considered the report, it must be sent without delay to the Chief Auditor of the Council. The audit committee annual report should normally be submitted to the governing body before the members' responsibility statement in the annual financial statements is signed.

52.
The audit committee annual report should include the committee's opinion on the extent to which the governing body may rely on the institution's internal control system, and the arrangements for promoting economy, efficiency and effectiveness, in the discharge of its responsibilities. (This opinion should be based upon the information presented to the committee.) Such a report should also record the work of the committee, and consider the following:
It might also identify any key issues for the institution arising out of its activity over the year. Further guidance on the content of the audit committee annual report is given in Annex H.

Internal audit arrangements in higher education institutions

53. Each institution is required by its Financial Memorandum with the Council to have an internal audit function. The prime responsibility of the internal audit service is to provide the governing body, the designated officer and the other managers of the institution with assurance on the adequacy and effectiveness of the internal control system. Responsibility for internal control remains fully with management, who should recognise that internal audit can only provide 'reasonable assurance' and cannot provide any certainty against material errors, loss or fraud. Internal audit also plays a valuable role in helping management improve systems of internal control and so reduce the potential effects of any significant risks faced by institutions.

Role, scope and terms of reference

54. An institution must ensure that it has sound systems of control. These help to ensure:
a. The institution's objectives are achieved as far as possible.
b. The economical, efficient and effective use of resources is promoted.
c. Adherence to management's policies, directives and established procedures, and compliance with any relevant laws or regulations.
d. The institution's assets and interests are safeguarded - particularly from losses arising from fraud, irregularity or corruption.
e. As far as reasonably practicable, the integrity and reliability of accounting records and other information.

55. Accordingly, the internal audit service must embrace the whole internal control system of the institution, including all its operations, resources, staff, services and responsibilities for other bodies. It should cover all activities associated with the institution, including those not funded by the HEFCE. For example, it should review controls that protect the institution in its dealings with any subsidiary or associated company or student union or any other activity in which the institution has an interest.

56. While it is the responsibility of management to promote value for money, internal auditors can specifically assist with this process as they have a responsibility to consider value for money in their routine audit work. This will include, among other things, considering:
a. Systems for planning, budgeting and controlling capital and revenue income and expenditure.
b. Personnel, estates and information systems management.
c. Arrangements for managing the assets of the institution.
d. Proper codification of responsibilities, authority and accountability.
e. Monitoring results against predetermined objectives.
Apart from any reporting arising as part of routine audit work, the internal auditor should advise the audit committee and the designated officer in the internal audit annual report whether proper arrangements are in place to promote economy, efficiency and effectiveness.

57. In view of their independence and professional expertise in review, analysis and investigative work, internal auditors are often regarded as particularly suitable for conducting or assisting with value for money studies. The internal audit service's terms of reference should therefore identify separately any responsibility it may have in initiating, conducting or participating in such studies. Specialists may also be engaged to work under the direction of, alongside, or as an alternative to internal auditors. The emphasis of such work should be to help management meet its responsibility for securing the economic, efficient and effective use of resources.

58. Auditors should not question policy objectives, but should consider the effects of policy, the arrangements by which policy objectives have been determined and the means for delivering those objectives.

59.
Internal auditors should not perform academic audit. However, they may review whether an institution has adequate arrangements in place to deliver effective academic audit. The audit committee may wish to consider including such work in audit plans or to consider its own terms of reference in this regard. 60. Internal auditors should also assess the adequacy of the arrangements in place to prevent and detect irregularities, fraud and corruption. However, the primary responsibility for preventing and detecting corruption, fraud and irregularities rests with management, who should institute adequate systems of internal control, including clear objectives, segregation of duties and authorisation procedures. 61. The internal audit service should have formal terms of reference, agreed by the governing body on the recommendation of the audit committee. Model terms are set out in Annex D; however, local circumstances may vary and institutions may have to modify these. The terms of reference should form part of any contract for the provision of internal audit services by external providers. This should be made clear when seeking proposals for the provision of internal audit services. Independence and status 62. Independence is fundamental to the effectiveness of internal audit. Therefore, while the auditor should consult with senior management on audit plans, these plans should be submitted to, and be approved by, the governing body on the recommendation of the audit committee or directly by the audit committee under delegated authority. Internal auditors may carry out additional work at the request of management, including investigations, provided such work does not compromise the objectivity and independence of the audit service or the achievement of the audit plan. Accordingly, each institution's audit committee should satisfy itself that the independence of the internal audit service has not been affected by the extent and nature of other work carried out. 63. 
Internal audit services should not have any management responsibilities other than for internal audit. For day-to-day administrative purposes, the internal audit service may be responsible to a senior officer within the institution, such as the clerk or secretary. The reporting arrangements should take account of the nature of audit work undertaken. 64. Internal audit should be seen to have sufficient status, respect and support within the institution. To be effective, the head of internal audit, or equivalent where the service is provided on a contract basis, must have direct access to the institution's designated officer and to the governing body (normally through the chairman of the audit committee), and, if necessary, to the chairman of the governing body. Internal auditors must also have unrestricted access to all records, assets, personnel and premises, and be authorised to obtain whatever information and explanations are considered necessary by the head of the internal audit service. Approach 65. The internal audit service should normally adopt the systems-based approach. 66. A system is a set of related activities designed to operate together to achieve a planned objective. The internal audit service should therefore identify the objectives of systems. Where stated management objectives are inadequate to characterise systems, the internal audit service should clarify appropriate objectives with management. 67. The prime objective in a systems audit should be to evaluate the extent to which the controls in the system are adequate and may be relied upon to ensure the objectives of the system are met. To achieve this the internal audit service should: a. Identify and record objectives, activities and controls. b. Evaluate the adequacy and effectiveness of controls, having regard for their economy and efficiency, and the operational risk in the system. c. Test that the controls are satisfactorily operated. d. 
Arrive at conclusions supported by relevant, reliable and sufficient evidence; and report them, with recommendations to strengthen controls and compliance where necessary. 68. This approach enables the internal audit service to reach the conclusions necessary to form an opinion on individual systems and the whole framework of internal control. Such opinions should be clearly reported in assignment reports and the internal audit annual report. 69. It is the auditor's responsibility to alert the designated officer and the audit committee to the extent to which the institution and its governing body could be exposed by any shortcomings in the system under review. The degree of control should be related to the risks involved, but it is management's role to exercise judgement in establishing the balance between risk and control. Planning 70. The work of the internal audit service should be planned at each level of operation. 71. The internal auditor should start each audit cycle with an analysis of the institution's systems to assess the audit need. This enables the internal audit service to see systems in terms of their relative risk and significance, and the relationships between them. The auditor should provide details of all systems identified even though they may not be recommended for review in the audit plans, so that the audit committee has more information on which to base its judgement of the needs assessment. 72. After consultation with senior management, the internal audit service should prepare long-term and short-term plans to carry out its responsibilities, for approval by the governing body on the advice of the audit committee. Governing bodies may delegate the approval of the audit plan to the audit committee. 73. Where existing resources are inadequate to meet the need identified, the head of the internal audit service should draw this fact to the attention of the designated officer and the governing body through the audit committee. 
The governing body should decide, on the advice of the audit committee, what level of resources should then be provided. 74. Further guidance on audit planning is provided at Annex E. Reporting 75. The internal audit reporting arrangements should be determined by institutions after consideration by their audit committee. It is important that the reporting arrangements do not compromise the independence or objectivity of the internal audit service. 76. At the end of each audit assignment, the internal audit service should provide a written report which sets out the findings, conclusions and recommendations arising. At least for all systems based audits, it should also give an opinion on the adequacy and effectiveness of the system. 77. The internal audit service must produce an annual report of its activities. This should be addressed to the governing body and the designated officer, and should be considered by the audit committee. The audit committee may forward the report to the governing body with their own report. The report should be for the institution's accounting period and be submitted to the designated officer when it is available, and to the audit committee at least for the first meeting of the following financial year. As a minimum it should include the internal auditor's opinion of the adequacy and effectiveness of the internal control system and the extent to which the governing body can rely on it. This opinion should be placed into its proper context: that is, the work undertaken has been based on the audit needs assessment and on the systems reviewed in the year, as well as incorporating knowledge of systems audited in previous years (including from a previous auditor). The report should also provide an opinion on the arrangements for securing value for money. Internal audit performance measures should be provided, including stating achieved coverage against the original audit plan. 
It should also draw attention to any significant audit recommendations which the internal audit service considers have not received adequate management attention. Provision of service 78. There are a variety of ways to acquire an internal audit service. One possibility is to appoint a head of internal audit and staff as necessary. An 'in-house' team may also be supplemented from time to time with external consultants or contractors, under the direction of the head of internal audit, to meet any peaks in workload or provide specialist skills. 79. Another option is to form a consortium with one or more other institutions, on a geographical or common interest basis. A consortium may be organised in-house, be provided externally or as a mixture of the two. A number of institutions have set up such consortium arrangements. 80. A third option is to contract directly with an external provider, such as another institution, an accountancy firm, health authority or local authority. The same firm should not normally be appointed as both internal and external auditors as this can lead to a loss of objectivity and independence. Where use of the same firm for both services is considered to be appropriate to the institution's circumstances, reference should be made to Annex C, paragraph 7. It is important to note that internal and external auditors have different roles and responsibilities. In particular, external audit may need to be satisfied that the internal audit function is operating effectively. 81. Each institution, advised by its audit committee, should establish which is the most suitable and cost-effective way of obtaining internal audit services. However, at least every seven years, they should consider market testing internal audit services, since this provides a powerful incentive to maintain both quality and cost effectiveness. This external testing should take into account the guidance set out in Annex C. Standards 82. 
The operation and conduct of the internal audit service should conform to the standards laid down in the Auditing Guideline 'Guidance for Internal Auditors', issued by the Auditing Practices Committee in June 1990. Internal auditors should also have regard to the H M Treasury Standards, the Government Internal Audit Manual, advice provided by professional auditing and accountancy bodies, and any guidance produced by the HEFCE. 83. The head of internal audit should implement measures to monitor the effectiveness of the service and compliance with standards. The audit committee should consider and approve these performance measures. The committee should also consider asking the external auditor to provide an independent assessment of internal audit's effectiveness. This information should be used to contribute towards the committee's annual assessment of the performance of the internal audit service. A list of suitable performance measures is available on request from the HEFCEAS. Change of internal audit service 84. Internal audit working papers are the property of the institution. This should be made clear in the auditors' terms of engagement. If institutions change their internal auditors, they should make arrangements for relevant audit documentation to be passed to the incoming auditor. This will ease transition and avoid costly repetition of work. Incoming auditors can then seek to rely on the work of the previous auditor in preparing the audit needs assessment, audit plans and annual report. Institutions should also consider making arrangements for the incoming and outgoing auditors to meet. Where internal audit services are provided on a contractual basis, such arrangements should be included in the formal contract or terms of engagement. 85. Where internal audit is provided on a contract basis, the institution should agree a fixed term of office based on financial years, and consider market testing before the contract expiry date. 
Provision should be made for outgoing auditors to complete their work and submit an annual report after expiry of the contract term. Attendance by the auditors at the appropriate audit committee should also be considered. In the event of a change in auditor, institutions should ensure that the new contract immediately follows the end of the old contract or other arrangements. Removal or resignation of auditors 86. Subject to normal staffing arrangements (for 'in-house' auditors) and any contractual arrangements in place, only the governing body (or the audit committee where delegated authority exists) may pass a resolution to remove the internal auditors before the end of their term of office if serious shortcomings are identified. 87. Where internal auditors cease to hold office for any reason, they should provide the governing body with either a statement of any circumstances connected with their removal which they consider should be brought to the governing body's attention, or a statement that there are no such circumstances. The internal auditors may also request an extraordinary general meeting of the governing body to consider the statement. Any such statements should also be sent to the HEFCEAS by the institution or, if it fails to do so, by the outgoing internal auditors. 88. The governing body must inform the Council's Chief Auditor without delay of the removal or resignation of the internal auditors. Restriction of auditor's liability 89. Where the internal audit service is provided through a contractual arrangement with an external provider, the provider may ask the institution to agree to a restriction in the auditor's liability arising from any default by the auditors. Normally such liability should be without limit. However, institutions may negotiate a restriction in liability so long as the decision is made on an informed basis. 
The governing body, through the audit committee, should be specifically notified of any such request for a liability restriction. Further information on liability restriction is provided in paragraph 6 of Annex C. Fraud and corruption 90. Each institution's management is responsible for the prevention, detection and investigation of irregularities, including fraud and corruption. To discharge this responsibility, management should ensure that an adequate system of internal control is operated. It is not a primary function of internal audit to detect fraud. However, the work of the internal audit service, in reviewing the adequacy and effectiveness of the internal control system, should help management to prevent and detect fraud. The internal audit service should ensure that it has the right to review, appraise and report on the extent to which assets and interests are safeguarded from fraud. When internal auditors suspect fraud, or are carrying out a fraud investigation, it is important to safeguard evidence. They should assess the extent of complicity to minimise the risk of information being provided to those involved, and the risk of misleading information being obtained from them. 91. Internal auditors should report serious weaknesses, significant fraud or major accounting breakdowns to the designated officer without delay. The designated officer must then inform the chairman of the audit committee, the chairman of the governing body and the HEFCE Accounting Officer of such matters without delay. If he or she refuses to do so, then the internal auditor must report to them directly. 92. The institution should ensure that the internal auditor is informed, as soon as possible, of all attempted, suspected or actual fraud or irregularity. The internal auditor should consider any implications in relation to the internal control system, and make recommendations to management, as appropriate, to strengthen the systems and controls. 
See also paragraphs 14 and 15 of this Code for further information. Relationship with other auditors 93. There should be regular liaison between internal auditors, the institution's external auditors and the HEFCEAS to enhance the level of service provided to the institution. External auditors should be given access to the internal audit service's working papers and plans so that their work programmes can be adjusted accordingly, and so that the extent of their reliance on the work of the internal audit service can be determined. 94. Copies of the internal audit service's reports should be available to the external auditors. The internal audit service should also receive copies of the external auditor's plans and management letters, and any other relevant reports produced for the institution by other agencies. 95. The HEFCEAS must be allowed access to any work of the internal auditor, or correspondence between the internal and external auditors. Value for money 96. Internal audit has a specific role to play in supporting the governing body and management with their responsibilities for obtaining value for money from the funds provided. This may include, for example, being a member of a value for money steering group. All internal audit work should be conducted with value for money in mind. Any value for money opportunities should be identified during audit planning and routine audit work, and be reported accordingly. Internal audit may carry out or participate in value for money studies undertaken at the institution, providing such work does not affect the ability of the auditor to complete the audit work necessary for the assurance provided in the annual report. Internal audit should also provide the designated officer and governing body, in the internal audit annual report, with its view on whether proper arrangements are in place to promote economy, efficiency and effectiveness. Control self-assessment (CSA) 97. 
Control self-assessment - also known as control and risk self-assessment (CRSA) - is a relatively new management technique which some organisations in the public and private sector use to assess the risks in their organisation and identify the controls needed to manage those risks. This can increase understanding of risk and control within an organisation, and so improve the efficiency and effectiveness of controls. The internal auditor, or an alternative facilitator, may help management conduct a 'self-assessment'. There are a number of approaches to self-assessment including questionnaire-based and workshop-based methods. 98. The advantages of self-assessment include the following:
Although internal auditors can help management to establish, facilitate and review a self-assessment process, owning and operating it is still the responsibility of management. 99. CSA and the more traditional approach to internal audit are not mutually exclusive. While it is for institutions to decide whether or not to use CSA, the HEFCEAS encourages the use of self-assessment techniques to supplement, but not replace, internal audit work. The institution's audit committee should be specifically advised of the use of CSA. Where appropriate, the use of CSA should inform both the internal audit and audit committee annual reports.

External audit arrangements in higher education institutions

Role of external auditors 100. The primary role of external auditors is to report on the financial statements of institutions, and to carry out whatever examination of the statements and underlying records and control systems is necessary to reach their opinion on the statements. Their report should also state whether recurrent and specific grants and income from the HEFCE (and other bodies and restricted funds where appropriate) have been properly applied for the purposes provided, and in accordance with the institution's Financial Memorandum with the Council. Qualification of external auditors 101. The qualifications required for external auditors of higher education corporations are as set out in paragraph 5(b) of Schedule 8 of the Further and Higher Education Act 1992. For other institutions, the requirements are the same as under the Companies Act 1985. Auditors should be registered with one of the appropriate professional bodies. Selection criteria and procedures 102. The governing body is usually responsible for appointing external auditors, although it may delegate this to the audit committee. Before receiving proposals, the institution should determine selection criteria, procedures, and the frequency of external testing, taking into account the guidance given at Annex C.
Particular attention should be given to such issues as: a. Quality of service, including experience. b. Audit fees, including a clear commitment on future fee increases. Letter of engagement 103. The duties of institutions and external auditors should be clearly presented in the agreed terms of reference. The external auditors' letter of engagement should not depart in any material way from the guidance set out in the model at Annex F. Where significant differences from the model are under consideration, a copy of the proposed letter should be sent to the HEFCE's Chief Auditor without delay. Additional services 104. Institutions may ask external auditors to provide services beyond the scope of the audit of the financial statements, including special investigation work, taxation compliance and advice, consultancy and value for money reviews. Generally, it is a matter for institutions and auditors to agree precise requirements, and the audit committee should be informed of any work undertaken. However, any additional work should not impair the independence of the audit function and so should normally be the responsibility of different staff within the firm of auditors. 105. The audit committee has a key role to play where the auditors supply a substantial amount of non-audit services. The committee should keep the nature and extent of such services under review, seeking to balance independence and objectivity with the institution's needs. (See also paragraph 118 in connection with audit liability.) The same firm should not normally be appointed as both internal and external auditors as this can lead to a loss of objectivity and independence. Where using the same firm for both services is considered appropriate to the institution's circumstances, reference should be made to Annex C, paragraph 7. It is important to note that internal and external auditors have different roles and responsibilities. 
In particular, external audit may need to be satisfied that the internal audit function is operating effectively. 106. In order to help judge the relationship between the institution and its external auditors, the institution must disclose separately, by way of a note to its financial statements, the fees paid to its external auditors for other services. Each institution's audit committee should review the level of fees and satisfy itself that the extent and nature of other work have not affected the independence of the external audit. Reporting arrangements 107. External audit should report to the institution by way of a management letter which highlights any significant accounting and control issues arising from the audit. The letter, with management responses, should be made available (in draft if necessary) to the institution's audit committee in time to inform the committee's annual report, and in any event no later than two months after issuing an opinion on the financial statements. Institutions must send two copies of the final management letter incorporating management responses to the HEFCE Chief Auditor by 28 February in the following year, by which time it should have been seen by the audit committee and/or governing body. External auditors should also, whenever appropriate, attend audit committee meetings. Audit report 108. The external auditors shall report whether: a. The financial statements give a true and fair view of the state of the institution's affairs and of its income and expenditure, recognised gains and losses and statement of cashflow for the year. They should take into account relevant statutory and other mandatory disclosure and accounting requirements, and HEFCE requirements. b. Funds from whatever source administered by the institution for specific purposes have been properly applied to those purposes and, if relevant, managed in accordance with relevant legislation. c. 
Funds provided by the HEFCE have been applied in accordance with the Financial Memorandum (dated .....) and any other terms and conditions attached to them. In particular, auditors should have regard to the specific requirements of the Financial Memorandum, such as compliance with the short-term and long-term borrowing conditions, and the offering of security over Exchequer-funded assets. d. The financial statements comply with the Companies Act 1985 (where the institution is incorporated under the Companies Act) and, where appropriate, the Statement of Recommended Practice on Accounting in Higher Education Institutions (SORP) or other legislative or regulatory requirements. 109. Institutions may ask external auditors, usually through a separate letter of engagement, to review statements of corporate governance included within the annual financial statements. Where the institution reviews the effectiveness of its internal control system, the external auditor may be invited to examine this review. External auditors may report privately to the governing body (through the audit committee) on the results of their work or may make reference to this review in the financial statements, either in their audit opinion report or through a separate report. 110. A model external audit report for an institution's annual financial statements is given at Annex G. Reappointment of external auditors 111. Institutions should reappoint auditors formally each year. The audit committee should assess the auditors' work each year to ensure that it is of a sufficiently high standard and at a reasonable price. The committee should then make a recommendation to the governing body regarding the re-appointment of the auditors. Performance measures could be used as part of the assessment process. Provided that the auditors' performance is satisfactory, it will not be necessary to repeat the full selection process each year. 
However, market testing should be considered at least every seven years. One partner in the firm is normally responsible for the institution's audit; he or she should not hold this position for more than seven continuous years. See also Annex C paragraph 2. Removal or resignation of auditors 112. The governing body may pass a resolution to remove the auditors before the end of their term of office if serious shortcomings are identified. 113. External auditors who have resigned or been removed from office for whatever reason should be entitled to attend, and make representations to, the general meeting of the governing body at which their term of office would have expired, or at which it is proposed to fill the vacancy caused by the resignation or removal. They are entitled to receive notices of, or other communications relating to, that meeting, and to be heard on any part of the business which concerns them as former auditors of the institution. 114. Where auditors cease to hold office for any reason, they should provide the governing body with either a statement of any circumstances connected with their removal which they consider should be brought to the governing body's attention, or a statement that there are no such circumstances. The auditors may also request an extraordinary general meeting of the governing body to consider the statement. These provisions are analogous to those in the Companies Acts. Any such statements should also be sent to the HEFCEAS without delay, by the institution or, if it fails to do so, by the outgoing auditors. 115. The governing body must inform the Council's Chief Auditor without delay of the removal or resignation of the auditors. 116. In deciding whether or not to accept the appointment, anyone proposing to take up the office of external auditor should obtain the institution's permission to communicate with the outgoing auditors. 
Outgoing auditors should also obtain permission from the institution to discuss its affairs freely with the proposed auditors, and should disclose all information required by the proposed auditors which is relevant to the appointment. These provisions are analogous to those in the Guide to Professional Ethics of the Institute of Chartered Accountants in England and Wales. Restriction of auditors' liability 117. Institutions must not agree to any restriction in liability in respect of the audit of their annual financial statements. This principle matches that of Section 310 of the Companies Act 1985, which prohibits any capping of the auditors' liability in respect of audit opinions given under the Act. 118. For other types of work performed by the external auditor, the provider may ask the institution to agree to a restriction in the auditors' liability arising from any default by the auditor. Normally, such liability should be without limit. However, institutions may negotiate a restriction in liability so long as the decision is made on an informed basis. The governing body, through the audit committee, should be notified of any liability restriction agreed. Further information on liability restriction is provided in paragraph 6 of Annex C to this Code. HEFCE access to external auditors 119. On occasion the HEFCEAS may wish to meet with institutions' external auditors, particularly in connection with a visit to the institution by the HEFCEAS. The institution should not limit access in any way. Formal discussion should normally be arranged through the institution's designated officer or representative. The HEFCEAS will exchange letters where necessary with both parties which deal with confidentiality and the terms under which access is given.

Annex A
Mandatory requirements

1. The following are mandatory requirements of this Code of Practice: a.
The governing body of each institution must take reasonable steps to ensure that there is a sound system of internal control within the institution. b. Each institution must have an effective audit committee, which produces an annual report for the governing body and the designated officer. c. Members of the audit committee must not have executive authority or be members of a finance committee, unless the institution can satisfy the Council that this is unavoidable for practical or statutory reasons. d. The audit committee of each institution, advised where appropriate by its internal audit service, must satisfy itself that satisfactory arrangements are in place to promote economy, efficiency and effectiveness. e. Each institution must have an effective internal audit function, which reports at least annually to the governing body and the designated officer. f. The work of the internal audit service must cover the whole of the internal control system of the institution. g. The head of the internal audit service must have direct access to the institution's designated officer, the chairman of the audit committee and, if necessary, the chairman of the governing body. Internal, as well as external, auditors must also have unrestricted access to all records, assets, personnel and premises, and be authorised to obtain whatever information and explanations the head of the internal audit service or the external auditor considers necessary. h. Fees paid to external auditors for other services must be disclosed separately in a note in the financial statements. i. The Council's audit service, HEFCEAS, must have access to all records, information and assets, and can require any officer to give any explanation which it considers necessary to fulfil its responsibilities. This includes access to any work of the internal auditor, or correspondence between internal and external auditors, and access to the work of the external auditor. 
For access to external audit work, the HEFCEAS will exchange letters where necessary with both parties which deal with confidentiality and the terms under which access is given. j. The governing body must not accept any restriction of liability in respect of the external audit of the institution's financial statements. k. The following information must be provided:
2. The Council will assess compliance with these requirements, having regard for the guidance on good practice and all of the audit arrangements that an institution has in place.

Annex B Audit committees

Introduction The Council has certain mandatory requirements which must be included in the audit committee's terms of reference. However, the other elements of the model terms of reference will often have to be modified to suit local circumstances. The key question for audit committees is whether the arrangements within the institution meet the intentions behind these guidelines. These are: that the audit committee is independent; has sufficient authority and resources to form an opinion and report on the internal control system and financial reporting arrangements of the institution; and can satisfy itself that the institution has adequate arrangements for ensuring economy, efficiency and effectiveness. The terms of reference should be formally approved by the governing body.

Model terms of reference

Constitution 1. The governing body has established a committee of the governing body known as the audit committee. Membership 2. The committee and its chairman shall be appointed by the governing body, from among its own members, and must consist of members with no executive responsibility for the management of the institution. There shall be no fewer than three members; a quorum shall be two members. The chairman of the governing body will not normally be a member of the committee. The chairman of the committee will normally be a member of the governing body. Members should not normally have significant interests in the institution. 3. At least one member should have a background in finance, accounting or auditing. The committee may, if it considers it necessary or desirable, co-opt members with particular expertise. 
No member of the committee may also be a member of the finance committee (or equivalent), unless specifically authorised by the Higher Education Funding Council for England (HEFCE). Attendance at meetings 4. The head of finance (or equivalent), the head of internal audit, and a representative of the external auditors shall normally attend meetings where business relevant to them is to be discussed. However, at least once a year the committee may meet with the external auditors without any officers present. Frequency of meetings 5. Meetings shall normally be held at least twice each financial year. The external auditors or head of internal audit may request a meeting if they consider it necessary. Authority 6. The committee is authorised by the governing body to investigate any activity within its terms of reference. It is authorised to seek any information it requires from any employee, and all employees are directed to co-operate with any request made by the committee. 7. The committee is authorised by the governing body to obtain outside legal or other independent professional advice and to secure the attendance of non-members with relevant experience and expertise if it considers this necessary, normally in consultation with the designated officer and/or chairman of the governing body. However, it may not incur direct expenditure in this respect in excess of £x, without the prior approval of the governing body. 8. The audit committee may review the draft annual financial statements. Where reviewed, the committee should consider the external audit opinion, the statement of members' responsibilities, the corporate governance statement and any relevant issue raised in the external auditor's management letter. The committee should, where appropriate, confirm with the internal and external auditors that the effectiveness of the internal control system has been reviewed, and comment on this in its annual report to the governing body. Duties 9. 
The duties of the committee shall be: a. To advise the governing body on the appointment of the external auditors, the audit fee, the provision of any non-audit services by the external auditors and any questions of resignation or dismissal of the external auditors. b. To discuss if necessary with the external auditors, before the audit begins, the nature and scope of the audit. c. To discuss with the external auditors problems and reservations arising from the interim and final audits, including a review of the management letter incorporating management responses, and any other matters the external auditors may wish to discuss (in the absence of management where necessary). d. To consider and advise the governing body on the appointment and terms of engagement of the internal audit service (and the head of internal audit, if applicable), the audit fee, the provision of any non-audit services by the internal auditors and any questions of resignation or dismissal of the internal auditors. e. To review the internal auditors' audit needs assessment and the audit plan; to consider major findings of internal audit investigations and management's response; and promote co-ordination between the internal and external auditors. The committee will ensure that the resources made available for internal audit are sufficient to meet the institution's needs (or make a recommendation to the governing body as appropriate). f. To keep under review the effectiveness of internal control systems, and in particular to review the external auditors' management letter, the internal auditors' annual report, and management responses. g. To monitor the implementation of agreed audit-based recommendations, from whatever source. h. To ensure that all significant losses have been properly investigated and that the internal and external auditors, and where appropriate the HEFCE Accounting Officer, have been informed. i. 
To oversee the institution's policy on fraud and irregularity, including being notified of any action taken under that policy. j. To satisfy itself that satisfactory arrangements are in place to promote economy, efficiency and effectiveness. k. To receive any relevant reports from the National Audit Office, the HEFCE and other organisations. l. To monitor annually the performance and effectiveness of external and internal auditors, and to make recommendations to the governing body concerning their re-appointment, where appropriate. m. To consider elements of the annual financial statements in the presence of the external auditor, including the auditor's formal opinion, the statement of members' responsibilities and any corporate governance statement. Reporting procedures 10. The minutes (or a report) of meetings of the committee will be circulated to all members of the governing body. 11. The committee will prepare an annual report for the institution's financial year. The report will be addressed to the governing body and designated officer, summarising the activity for the year. It will give the committee's opinion on the extent to which the governing body may rely on the internal control system and the arrangements for securing economy, efficiency and effectiveness. (This opinion should be based upon the information presented to the committee). The audit committee annual report should normally be submitted to the governing body before the members' responsibility statement in the annual financial statements is signed. Clerking arrangements 12. The clerk to the audit committee will be the clerk to the governing body (or other appropriate independent individual).

Annex C Guidance on procedures for external testing of external and internal audit

Introduction 1. External testing can be conducted in a number of ways. The most common method is a full tendering exercise. 
This should be considered for the provision of all external audit services, although it may depend on the institution's financial regulations. Guidance on how such an exercise could be conducted is set out below. However, institutions may find it appropriate to develop alternative models, for example comparison of current costs and coverage with that provided to a number of similar institutions. Whatever alternative is adopted it should be fair, reasonable and well documented. The frequency of such testing is a matter for individual institutions, but it should normally take place at least every seven years. Institutions may contact HEFCEAS for advice on all aspects of external testing. 2. However external testing is undertaken and whatever the result, no partner in a firm of auditors should be responsible for an institution's external audit for more than seven continuous years. After that period, the partner concerned should not resume responsibility for the external audit of the institution for five years. 3. External testing should be conducted in accordance with an institution's own purchasing procedures. European Community procurement requirements should be taken into account where the likely audit and related fees over the proposed contract period exceed the relevant threshold. External testing should take place as far in advance of the start date of the contract as possible, to provide continuity of service and so that the new auditors have enough time to prepare properly. Tendering procedures 4. The audit committee should establish an evaluation committee which could consist of members of the governing body, management and representatives of the audit committee. This committee should agree on its selection criteria and the scope of the audit work required, and identify suitable providers. This should normally include the institution's present auditor. Information should be sought on each provider's track record and relevant experience. 
Factors such as the size, location and nature of the audit should be taken into account when the audit committee decides which providers to invite. The tender documentation could include or refer to the proposed terms of reference the institution will find acceptable. For external audit this will normally be based on the model letter of engagement shown at Annex F. For internal audit this will normally be based on the model terms of reference shown at Annex D. Providers should be asked to indicate what material changes to the model terms they would like the evaluation committee to consider. 5. The evaluation committee should then seek detailed proposals from at least four providers, with possibly one reserve. The proposals should be evaluated using pre-determined assessment criteria. The evaluation committee should draw up a short-list of at least three candidates and invite each of them to make an oral presentation. The institution may send a copy of their written proposals to the HEFCE Chief Auditor for comments at least two weeks before the interviews. Following the interviews, a recommendation on which provider to accept should be made to the governing body, or the audit committee where it has been given delegated authority in this respect. 6. The provider should be required to: a. Operate in accordance with published audit standards. b. Meet certain quality standards in completing its work. c. Comply with terms of reference approved by the governing body. d. Provide suitably qualified and experienced staff. e. Endeavour to promote continuity of staffing. f. Ensure that the staff employed will receive appropriate training. g. Provide the HEFCEAS with access to relevant working papers and correspondence in accordance with this Audit Code of Practice. h. Set out proposals for liaison with other auditors. i. In respect of internal audit, set out the firm's position on the restriction of liability. 
Where a restriction is sought, the level should be stated, together with the firm's explanation of why liability should be restricted and why the level proposed is both reasonable and appropriate. When comparing different proposals, the institution's evaluation committee should take any differences in liability restriction into account. In particular, this evaluation should consider the risks and likely consequences of any loss suffered as a result of negligence, the level of professional indemnity held, and the wider interest of the institution's responsibility for public funds, as described in the Financial Memorandum with the HEFCE. See also paragraph 89 of this Code. j. For non-statutory audit work conducted by the external auditor, the same principles in sub-paragraph i above should be applied by management and, where an agreement to restrict liability is reached, the governing body should be notified, through the audit committee. 7. The same firm should not normally be appointed as both internal and external auditors as this can lead to a loss of objectivity and independence. Appropriately qualified firms are not, however, disqualified from providing both external and internal audit services. Where adopted, the rationale for such arrangements should be clear, for example when an institution or the contract value is so small that separation of the roles is impracticable. Where an accountancy firm provides both these services, institutions and their audit committees should ensure that: a. The separate roles of internal and external audit are clearly specified. b. A clear working relationship is established between the two sets of auditors. c. Provision of the services is the responsibility of different staff, particularly the partner and manager. d. Internal audit files remain the property of the institution. e. Internal audit files will be passed on if there is a change in auditors. Qualifications of external providers 8. 
The provider should ideally be able to demonstrate a record in providing audit services which goes wider than HEFCE sector institutions. It should not be assumed that audit firms are qualified to provide internal audit services simply because they undertake external audit, or vice-versa. Auditors should normally be registered by an appropriate professional body. Change of external provider 9. When any appointment is agreed by the governing body, institutions should inform the HEFCE Chief Auditor of their selection and provide a statement outlining the procedure adopted in making appointments.

Annex D Model terms of reference for an internal audit service

1. The internal audit service is responsible for conducting an independent appraisal of all the institution's activities, financial and otherwise. It should provide a service to the whole organisation, including the governing body and all levels of management. It is not an extension of, nor a substitute for, good management. The internal audit service is responsible for giving assurance to the institution's governing body and designated officer on all control arrangements. It also assists management by evaluating and reporting to them the effectiveness of the controls for which they are responsible. It remains the duty of management, not the internal auditor, to operate an adequate system of internal control. It is for management to determine whether or not to accept audit recommendations and to recognise and accept the risks of not taking action. Scope 2. All the institution's activities, funded from whatever source, fall within the remit of the internal audit service. The internal audit service will consider the adequacy of controls necessary to secure propriety, economy, efficiency and effectiveness in all areas. It will seek to confirm that management have taken the necessary steps to achieve these objectives. 
The scope of internal audit work should cover all operational and management controls and should not be restricted to the audit of systems and controls necessary to form an opinion on the financial statements. This does not imply that all systems will be subject to review, but that all will be included in the audit needs assessment and hence considered for review following the assessment of risk. 3. It is not within the remit of the internal audit service to question the appropriateness of policy decisions. However, the internal audit service is required to examine the arrangements by which such decisions are made, monitored and reviewed. 4. The internal audit service may also conduct any special reviews requested by the governing body, audit committee or designated officer, provided such reviews do not compromise its objectivity, independence or achievement of the approved audit plan. Responsibilities 5. The head of the internal audit service is required to give an annual opinion to the governing body and designated officer, through the audit committee, on the adequacy and effectiveness of the whole internal control system within the institution, and the extent to which the governing body can rely on it. He or she should also comment on other activities for which the governing body is responsible, and to which the internal audit service has access. The head of the internal audit service should give an opinion on whether the control arrangements, including those for economy, efficiency and effectiveness, are adequate and properly applied. 6. To provide the required assurance the internal audit service will undertake a programme of work over a cycle authorised by the governing body on the advice of the audit committee. The programme will have the following objectives: a. To appraise the soundness, adequacy and application of the whole internal control system. b. 
To ascertain the extent to which the system of internal control ensures compliance with established policies and procedures. c. To ascertain the extent to which the assets and interests entrusted to or funded by the institution are properly controlled and safeguarded from losses arising from fraud, irregularity or corruption. d. To ascertain that accounting and other information is reliable as a basis for producing accounts, and financial, statistical and other returns. e. To ascertain the integrity and reliability of financial and other information provided to management, including that used in decision making. f. To ascertain that systems of control are laid down and operate to promote the economic, efficient and effective use of resources. Standards and approach 7. The internal audit service's work will be performed with due professional care, in accordance with appropriate professional auditing practice. It will have regard for the Government Internal Audit Manual, and will comply with the HEFCE Audit Code of Practice. 8. In achieving its objectives the internal audit service should: a. Identify all elements of control systems on which it is proposed to rely, and establish a review cycle. b. Evaluate those systems, identify inappropriate or inadequate controls, and recommend improvements in procedures or practices. c. Ascertain that those systems of control are laid down and operate to promote the most economic, efficient and effective use of resources. d. Draw attention to any apparently uneconomical or otherwise unsatisfactory result flowing from decisions, practices or policies. e. Liaise with external auditors, and with the HEFCE Audit Service. Independence 9. The internal audit service has no executive role, nor does it have any responsibility for the development, implementation or operation of systems. However, it may provide advice on implementation, control and related matters, subject to resource constraints and the need to maintain objectivity. 
For day-to-day administrative purposes only, the head of internal audit should report to a senior officer within the institution, such as the institution's clerk or secretary. (The reporting arrangements should take account of the nature of audit work undertaken.) The head of internal audit shall have right of access to the designated officer. 10. Within the institution, responsibility for internal control rests fully with management, who should ensure that appropriate and adequate arrangements exist without reliance on the institution's internal audit service. To preserve the objectivity and impartiality of the internal auditors' professional judgement, responsibility for implementing audit recommendations rests with management. Access 11. The internal audit service has rights of access to all of the institution's records, information and assets which it considers necessary to fulfil its responsibilities. Rights of access to other bodies funded by the institution should be set out in the conditions of funding. The head of internal audit has a right of direct access to the chairman of the governing body, the chairman of the audit committee and the designated officer. In turn, the internal audit service agrees to comply with any requests from the external auditors and the HEFCE Audit Service for access to any information, files or working papers obtained or prepared during audit work that they need to discharge their responsibilities. Reporting 12. The head of the internal audit service must submit an annual report to the governing body and designated officer through the audit committee, based on the institution's financial year. This should give an opinion on the whole framework of internal control at the institution, and on the arrangements for securing economy, efficiency and effectiveness. The auditor should also prepare, before the beginning of the year, a long-term strategy document supported by an audit needs assessment, and an annual audit plan. 
These should be submitted to the governing body for approval following consultation with relevant managers and the designated officer, and after consideration by the audit committee. 13. The head of the internal audit service is accountable to the designated officer and the governing body through the audit committee for the performance of the service. He or she should also report audit findings to relevant managers (including the designated officer) and draw the attention of the audit committee to key issues and recommendations. This may be done by providing the committee with copies of all reports, or by reporting on an exception basis or by providing a summary of key issues. 14. The internal audit service should usually produce its reports, in writing, within one month of completion of each audit, giving an opinion on the system reviewed and making recommendations to improve systems where appropriate. Such reports should be copied to the designated officer and may be copied to the audit committee. Managers will be required to respond to each audit report, usually within one month of issue, stating their proposed action with a timetable for implementing agreed recommendations. Material recommendations will usually be followed up some six to twelve months later. In addition the audit committee will monitor the implementation of audit recommendations. 15. The head of the internal audit service should report to the designated officer any serious weaknesses, significant fraud or major accounting breakdown discovered during the normal course of audit work. If the designated officer refuses to report the matter to the HEFCE Accounting Officer, the chairman of the audit committee and the chairman of the governing body, then the auditor must report to them directly. Standards 16. 
The operation and conduct of the internal audit service should conform to the standards in the Auditing Guideline 'Guidance for Internal Auditors', issued by the Auditing Practices Committee in June 1990. Internal auditors should also have regard to the H M Treasury Standards, the Government Internal Audit Manual, advice provided by professional auditing and accountancy bodies, and any guidance produced by the HEFCE. 17. The head of internal audit should implement measures to monitor the effectiveness of the service and compliance with standards. In addition, the audit committee should consider and approve the performance measures used by internal audit, and should also consider asking the external auditor to provide an independent assessment of internal audit's effectiveness. Liaison 18. The internal audit service will liaise with the external auditors and the HEFCE Audit Service to enhance the level of service it provides to the institution.

Annex E The internal audit planning process

1. The work of the internal audit service should be planned at each level of operation. The head of internal audit should prepare plans to carry out the responsibilities of the internal audit unit, for approval by the governing body on the advice of the audit committee. Principles 2. Systematic planning helps an internal audit unit to achieve its objectives, and helps those with responsibility for reviewing the plans. Plans should be based on the terms of reference for the internal audit service approved by the governing body on the advice of the audit committee. Plans should cover all systems and should: a. Establish a schedule of systems assessed as requiring review and a period within which it is desirable that each of these systems should be examined. b. Define the tasks to be performed. c. Assist in the direction and control of work, identifying critical areas, setting target dates and allocating resources. 3. In order to plan adequately the head of internal audit should: a. 
Define audit needs based on the internal audit service's terms of reference. b. Identify the staff and other resources needed and reconcile these with available resources. c. Agree the time period of audit plans. d. Record all plans in writing. e. Monitor work against the plans and revise them accordingly. 4. The emphasis of audit plans will change from time to time. This may result from, for example, changes in the services provided or in institutional priorities. Plans should be sufficiently flexible and have adequate provision for contingencies to allow prompt response to unscheduled work. 5. Audit plans should be based upon a comprehensive understanding of the institution and the way it operates. High risk operations and any known problem areas should be clearly identified, and the emphasis of the audit plan directed accordingly. Assessment of audit need 6. An assessment of audit need will help the audit committee and governing body to judge the effect of any decision they may make regarding audit scope or resources. The audit needs of an institution should be determined without regard to constraints such as the time and resources which may be available. The assessment should be carried out on all auditable risks which impinge on the ability of the institution to achieve its strategic objectives. 7. The needs assessment process should involve: a. Identifying all areas of work by system and sub-system. The auditor should provide details of all systems identified even though they may not be recommended for review in the audit plans, so that the audit committee has more information on which to base its judgement of the needs assessment. b. Determining how systems will be grouped for audit purposes. c. Seeking senior management's views on which areas or particular factors are considered high risk. d. Assessing the vulnerability of each area of work. e. Determining the period over which all systems should be audited and the frequency of review. f. 
Estimating the resources required to meet audit need. 8. The audit needs assessment should be updated at least annually and should be completely reassessed towards the end of one full cycle of coverage. 9. In identifying the areas of work, if it becomes apparent that a system is missing, the head of internal audit should draw it to the attention of management and the audit committee. 10. Where existing resources are inadequate to meet the assessed need, the head of internal audit should refer to the governing body, through the audit committee, and the designated officer. They should then decide, on the advice of the audit committee, whether: a. Additional resources should be provided. b. Audit scope or time-scales, and hence assurance, should be modified. 11. Audit results should be continually assessed. Critical areas which warrant considerable attention or early audit examination may not have been recognised in the initial assessment of audit need. Similarly, some areas may be found to warrant less attention. Plans 12. All plans should be achievable and promote the efficient use of resources. They should be based on the priorities indicated in the audit needs assessment and the actual resources available. Their precise nature will depend upon the complexity and size of the institution, but they should reflect the need for long-term, short-term and individual work plans. Long-term audit plan 13. The long-term audit plan should be a strategic plan for the review cycle. It will normally cover a period of three to five years, during which each system assessed as requiring review should be reviewed at least once. It should set out the areas to be covered and their review frequencies, allow for easy extraction of annual plans, and be reconciled with available resources. The long-term audit plan should be capable of operating on a roll-forward basis, but should be reviewed at least annually. 
On each occasion it should be approved by the governing body on the advice of the audit committee. Short-term audit plan 14. The short-term plan should translate the long-term plan into audits to be carried out in the coming year or shorter period. It should define the scope and purpose of individual audits and allocate resources. The short-term audit plan should be approved by the governing body on the advice of the audit committee. Performance should be regularly monitored against the plan so that it can be revised if necessary. Audit work plans 15. Work plans should be prepared in advance for every audit and should include objectives, resources, locations, timetables, methods, procedures, supervision, reporting and other relevant factors.

Annex F Model version of terms of engagement for the appointment of external auditors

The HEFCEAS should be notified of any material difference between this model letter and the auditor's letter. To the members of the governing body of ............................................................................... Appointment and qualification 1. As appointed auditors of ................................. we agree to the following basis on which we shall perform our duties. 2. We understand that the governing body (this will require modification where the governing body does not appoint the auditor) will assess the auditors' work in each year and undertake a detailed review of the appointment at least every seven years. Remuneration will be fixed by the governing body on the advice of the audit committee. 3. We confirm that we are qualified as auditors in accordance with the meaning of the Companies Act 1985. Responsibilities of the institution 4. We recognise that the governing body is responsible on behalf of the institution for: a. 
Establishing and maintaining a system of controls, financial and otherwise, in order to carry on the operation of the institution in an orderly and efficient manner, ensure adherence to management policies, safeguard the assets and secure, as far as possible, the completeness and accuracy of the records. b. Preparing financial statements that:
c. Preparing the Finance Record (or its successor) in accordance with instructions from the Higher Education Statistics Agency (HESA). Standards of audit 5. We will undertake the audit of the institution's financial statements and such other matters as the governing body requires in accordance with auditing standards, having regard to relevant Auditing Guidelines and Auditing Standards issued by the Auditing Standards Board. Reporting 6. We as auditors: a. Are responsible for making a report to the governing body on the financial statements which are to be laid before the governing body during our tenure of office. b. May be required to provide an audit report on the HESA Finance Record (or its successor) which should be consistent with our audit report on the institution's financial statements. 7. Our report will state whether in our opinion the financial statements show a true and fair view of the institution's affairs at 31 July, and of the cashflow and income and expenditure for the year then ended. 8. In arriving at our opinion we are required to consider the following matters and to report on any aspect where we are not satisfied, namely whether: a. Proper records are being kept by the institution. b. The financial statements agree with the accounting records. c. We have obtained all the information and explanations we think are necessary for the purpose of our audit. d. The financial statements comply with the Companies Act 1985 (where the institution is incorporated under the Companies Act), and, where appropriate, with the Statement of Recommended Practice on Accounting in Higher Education Institutions (SORP) or other legislative or regulatory requirements. 9. 
We will also report to the governing body whether, in all material respects, monies expended out of all non-recurrent grants and other funds from whatever source, administered by the institution for specific purposes, have been properly applied to those purposes and, if appropriate, managed in compliance with any relevant legislation such as the Trustees Investment Act 1961.

10. We have agreed with the institution the wording of an unqualified audit report at the time of our appointment. Any subsequent modifications or qualifications will then be based on our professional judgement, but will comply with the APB Auditing Standard: Audit Reports on Financial Statements (May 1993).

11. We undertake to report to the governing body (by way of a management letter by 28 February the following year) any significant matters arising from the audit which might lead to material errors or have an impact on future audits. This could include areas where economies could be made or resources could be used more effectively, with advice for improvement. The management letter could include:
a. Weaknesses in the structure of accounting systems and internal control.
b. Deficiencies in the operation of accounting systems and internal control, including internal audit.
c. Inappropriate accounting practices and regulations.
d. Non-compliance with legislation, accounting standards, Funding Council requirements or other regulations.

Irregularities including fraud

12. The governing body is responsible for ensuring the establishment and maintenance of an adequate system of internal control. It is also responsible for ensuring compliance with statutory, taxation and other regulations, and for the prevention and detection of irregularities, including fraud. We are not required to search specifically for such matters and our audit should not therefore be relied on to disclose them.
However, we shall plan and conduct our audit so that we have a reasonable expectation of detecting material mis-statements in the accounts resulting from irregularities, including fraud, or breach of regulations.

13. We will report in writing any serious weaknesses, fraud, irregularities or accounting break-downs we come across in the normal course of our duties to the designated officer, and, where the designated officer refuses to make a report, to the governing body and to the HEFCE's Accounting Officer without delay.

Other work

14. We may be asked from time to time to provide additional services beyond the scope of the audit described above. This could involve investigation work and value for money reviews. Precise requirements will be agreed between the governing body and ourselves in a separate engagement letter before any work is undertaken. Any systems development or consultancy work will be the responsibility of separate staff.

Access

15. We shall have rights of access at all times to the books, accounts and vouchers of the institution and to such information and explanations as we think necessary to perform our duties. We also expect to have access to internal audit files and working papers. We, in turn, agree to comply with any requests from the internal auditors and the HEFCE Audit Service for access to any information, files or working papers obtained or prepared during our audit that they need to discharge their responsibilities. The HEFCEAS will exchange letters where necessary with both parties which deal with confidentiality and the terms under which access is given.

16. We shall have the right of access to the chairman of the audit committee, the right to ask the chairman to convene a meeting of the audit committee if necessary, and the right to attend audit committee meetings where relevant business is to be discussed.

Annual meetings

17.
We will be entitled to attend the meeting of the governing body to which the institution's annual reports and financial statements of account are presented. We will also be entitled to receive all notices of and other communications relating to that meeting which any member of the governing body is entitled to receive, and to be heard at any such meeting, on any part of the business which concerns us as auditors.

Termination of appointment

18. We understand that if there are serious shortcomings on our part the governing body may pass a resolution to remove us before the expiry of our term of office, notwithstanding any agreement between us and the institution.

Fees

19. [A paragraph setting out the auditor's terms for charging and collecting fees should be included.]

Other terms

20. [Auditors may include certain additional paragraphs for internal purposes, for example, on confidentiality, conflicts of interest, quality of service, complaints procedure and legal jurisdiction.]

Agreement of terms

21. If the contents of this letter are not in accordance with your understanding of the arrangements made, we shall be pleased to receive your observations and to give you any further information you require. Otherwise we shall be grateful if you would confirm in writing your agreement to the terms of this letter by signing the enclosed copy and returning it to us. Once agreed, this letter will remain effective from one audit appointment to another until it is replaced.

Yours sincerely

On behalf of the governing body of ...................., I confirm that the above terms are satisfactory.

Signed
Position
Date

Annex G

Audit report by institution's external auditors: suggested wording

The suggested form of the wording of the unqualified report (If appropriate) should be:

'REPORT OF THE AUDITORS TO GOVERNING BODY OF ....................................

We have audited the financial statements on pages ...... to ......
which have been prepared under the historical cost convention (as modified by the revaluation of certain fixed assets) and in accordance with the accounting policies set out on pages . to .

Respective responsibilities of the governing body and auditors

As described on page ., the governing body is responsible for preparing the financial statements. It is our responsibility to form an independent opinion, based on our audit, on those statements and to report our opinion to you.

Basis of opinion

We conducted our audit in accordance with Auditing Standards issued by the Auditing Practices Board and the Audit Code of Practice issued by the HEFCE. An audit includes examination, on a test basis, of evidence relevant to the amounts and disclosures in the financial statements. It also includes an assessment of the significant estimates and judgements made by the governing body in the preparation of the financial statements, and of whether the accounting policies are appropriate to the institution's [group's] circumstances, consistently applied and adequately disclosed.

We planned and performed our audit so as to obtain all the information and explanations which we considered necessary in order to provide us with sufficient evidence to give reasonable assurance that the financial statements are free from material mis-statement, whether caused by fraud or other irregularity or error. In forming our opinion we also evaluated the overall adequacy of the presentation of information in the financial statements.

Opinion

In our opinion:

i. The financial statements give a true and fair view of the state of affairs of the institution [and the group (If appropriate)] at 31 July 19.., and of the surplus of income over expenditure, recognised gains and losses and cashflows of the institution [and the group (Include where the institution is incorporated under the Companies Act.)
] for the year then ended and have been properly prepared in accordance with [the Companies Act group (Include where the institution is incorporated under the Companies Act.) and] the Statement of Recommended Practice on Accounting in Higher Education Institutions.

ii. Income from the Higher Education Funding Council for England, [the Further Education Funding Council and the Teacher Training Agency (If appropriate),] grants and income for specific purposes and from other restricted funds administered by the institution have been applied only for the purposes for which they were received.

iii. Income has been applied in accordance with the institution's statutes (Or equivalent) and where appropriate with the Financial Memorandum (dated .....) with the Higher Education Funding Council for England.'

_________________

Definitions given in the Statement of Recommended Practice are to be used in defining other restricted funds.

Any necessary qualifications would then be based on the auditors' professional judgement, but would comply with the APB Auditing Standard: Audit Reports on Financial Statements (May 1993).

Annex H

Model format for an audit committee annual report

The Audit Code of Practice requires each institution's audit committee to prepare an annual report for submission to its own governing body (the internal audit annual report may be attached). The annual report should be prepared as early as possible in each year with the aim of it being available by the time the annual financial statements are signed. The report should be signed and dated by the chairman of the committee. Paragraph 51 of this Code gives the core information suitable for the report. This model, used with discretion, suggests that a comprehensive report could contain (as appropriate) the following: