
Internal Audit Report

Risk Management and Corporate Governance (08.16/17)

May 2017


Contents

01 Introduction

02 Background

03 Key Findings

04 Areas for Further Improvement and Action Plan

Appendices

A1 Audit Information

A2 Assessment against the IIA’s Risk Maturity Model

A3 Risk Appetite Examples

A4 Assessment against AoC Governance Code

Statement of Responsibility

This report (“Report”) was prepared by Mazars LLP at the request of Yeovil College and terms for the preparation and scope of the Report have been agreed with them. The matters raised in this Report are only those which came to our attention during our internal audit work. Whilst every care has been taken to ensure that the information provided in this Report is as accurate as possible, Internal Audit have only been able to base findings on the information and documentation provided and consequently no complete guarantee can be given that this Report is necessarily a comprehensive statement of all the weaknesses that exist, or of all the improvements that may be required.

The Report was prepared solely for the use and benefit of Yeovil College and to the fullest extent permitted by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any reason whatsoever on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Accordingly, any reliance placed on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification by any third party is entirely at their own risk.

Please refer to the Statement of Responsibility in Appendix A1 of this report for further information about responsibilities, limitations and confidentiality.

If you should wish to discuss any aspect of this report, please contact Mat Cooling, Manager, Mazars LLP

[email protected] or Richard Bott, Partner, Mazars LLP [email protected]

Risk Management and Corporate Governance – Final – May 2017 Page 1

01 Introduction

As part of the Internal Audit Plan for 2016/17, we have undertaken a review of the College’s arrangements for Risk Management and Corporate Governance.

We are grateful to the staff at the College for their assistance during the course of the audit.

The report summarises the results of the internal audit work and, therefore, does not include all matters that came to our attention during the audit. Such matters have been discussed with the relevant staff.

02 Background

Risk Management

The Institute of Internal Auditors’ (IIA) International Standards define a risk as 'the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.' Effective risk management is therefore essential for all further education colleges and with ever increasing funding pressures, they must consider the risks they face and how they are to mitigate against them in much finer detail.

Yeovil College holds one risk register for the organisation, which is reviewed by the senior management team (SMT) and the Audit Committee on a regular basis. The responsibility for risk management within the College has been assigned to the Vice Principal – Finance and Resources, who acts as a gatekeeper of the risk register and ensures that it is regularly maintained.

During the College’s annual RAID day, the Vice Principal – Finance and Resources asked each member of the College Management Team to assess the risks that were relevant to their area and complete a basic risk register.

Corporate Governance

The College voluntarily adopted the Association of Colleges’ (AoC) Code of Good Governance for English Colleges (“Code”) in July 2015. The Code is intended to help governing boards meet and exceed basic governance requirements. The AoC have defined the following 10 principles of good governance:

1. Formulate and agree the mission and strategy including defining the ethos of the college.

2. Be collectively accountable for the business of the college taking all decisions on all matters within their duties and responsibilities.

3. Ensure there are effective underpinning policies and systems, which facilitate the student voice.

4. Foster exceptional teaching and learning.

5. Ensure that the college is responsive to workforce trends by adopting a range of strategies for engaging with employers and other stakeholders.

6. Adopt a financial strategy and funding plans which are compatible with the duty to ensure sustainability and solvency of the college.

7. Ensure that effective control and due diligence takes place in relation to all matters including acquisitions, subcontracting and partnership activity.

8. Meet and aim to exceed its statutory responsibilities for equality and diversity.

9. Ensure that there are organised and clear governance and management structures, with well-understood delegations.

10. Regularly review governance performance and effectiveness.

The Code uses the normal “must and should” convention for governance codes. A “must” is an area of activity which is covered by statute and/or is the minimum expected by the principal regulators and funding agencies. Activities which exceed these basic requirements and represent good or enhanced governance practice are described as “should”. The College had not performed a self-assessment of its practice against the code, and as such we have performed a review to assess the extent to which the College meets the “must” areas of the Code.

03 Key Findings

Assurance on effectiveness of internal controls

Substantial Assurance

Examples of areas where controls are operating reliably

We confirmed that Risk Management Policy and Procedure documents were available on the College portal for all staff to access. These documents are due for review in June 2017.

Through interviews with managers we found that the College’s annual RAID day, during the summer, had promoted risk awareness across the College which resulted in each department creating a local risk register.

Our review of the College risk register found that all risks had clear controls in place or planned controls identified. These controls were all supported by an assurance map, which was easily measurable to confirm that controls were having the desired effect of reducing risk.

We confirmed that all risks identified on the College risk register were clearly linked to the objectives of the College.

We confirmed that the removal of all risks from the College risk register is approved at each audit committee.

We found that where a risk was removed from the register, the risk reference used is also removed. This ensures that where a risk is then deemed relevant again, it can be returned to the register with ease.

Recommendation Summary

Priority 1 (Fundamental): -
Priority 2 (Significant): 1
Priority 3 (Housekeeping): 4
Total: 5

Risk Management

Risk Appetite – Defining the organisation’s risk appetite is an important step in the risk management process as this helps the organisation define acceptable parameters within which to measure risk and evaluate whether additional measures are required to mitigate risks to acceptable levels, or conversely whether risks are already scored at a probability or impact that is low enough that even should the risk crystallise, the consequences are deemed acceptable to the organisation.

In some sectors outside of FE we have seen a risk appetite assigned to each organisational objective. This approach would allow the College to make fuller use of its current risk and assurance mapping document. We have included example risk appetites used at a Higher Education institution and at another client in Appendix A3, and we have raised a recommendation accordingly in Section 4.

Value for money

Obtaining VfM is encompassed within effective risk management. Once risks have been identified, management needs to consider mitigating actions that are proportionate to the risks faced. As such, both sides must be considered to identify a suitable equilibrium. The College has a duty of care to its stakeholders to ensure that risk is appropriately mitigated, but this does not mean that the cost of implementing mitigating actions should outweigh the risks. Throughout the course of our review we have considered the approach adopted by the College to be proportionate and in line with other colleges.

Sector Comparison

The College has identified the Vice Principal – Finance & Resources, as its ‘risk champion’ with overall responsibility for raising awareness of risk throughout the College; such an arrangement is quite typical within the sector.

Unlike many other organisations we assess, the College has restricted its official risk management process for the College-wide Risk Register to the Senior Management level and above. As best practice we would expect to see risk management as a collaborative process throughout the College, with risks and their associated controls devised and managed from both a ‘bottom up’ and a ‘top down’ approach, and with risk champions in place to ensure mitigating controls are both relevant and in place. As well as improving the control environment, this can also provide administrative savings, as onerous or overlapping controls can be more easily identified and removed or streamlined. We noted that plans are in place to develop this process at the next RAID day.

The College had 19 risks identified on the College risk register as at 08 March 2017. The average number of risks reported across 16 colleges within our sample was 32. A lower number of risks presented as amalgamated high level risks as opposed to a high number of risks can be easier to manage and update as the College’s strategic objectives change. However, a low number of risks could indicate possible gaps in the risk management framework.

04 Areas for Further Improvement and Action Plan

Definitions for the levels of assurance and recommendations used within our reports are included in Appendix A1.

We identified the following areas where there is scope for improvement in the control environment and have made recommendations accordingly (one Priority 2 and four Priority 3, as summarised in Section 3).

4.1

Observation: The College currently has no risk appetite statement. Defining the organisation’s risk appetite is an important step in the risk management process as this helps the organisation define acceptable parameters within which to measure risk and evaluate whether additional measures are required to mitigate risks to acceptable levels, or conversely whether risks are already scored at a probability or impact that is low enough that even should the risk crystallise, the consequences are deemed acceptable to the organisation.

Risk: There is no defined approach to the College’s willingness to approach risk.

Recommendation: The College should consider defining a formal risk appetite statement as well as classes of risk they may wish to seek or avoid.

Priority: 2

Management response: SMT considers the risks around every event and opportunity as these arise. We have defined a formal risk appetite statement which includes classes of risk that we may wish to avoid.

Timescale / responsibility: July 2017, Vice Principal Finance & Resources

4.2

Observation: We have conducted an assessment of Yeovil College’s risk management framework against the Institute of Internal Auditors’ (IIA) Risk Maturity Model. The results can be viewed in Appendix A2. The assessment has identified a number of areas where the College has scored as “Risk Aware” or “Risk Naïve”.

Risk: The College risk management framework is not sufficiently mature.

Recommendation: The College should review its results in the assessment against the IIA’s Risk Maturity Model in Appendix A2 and consider whether any additional steps need to be taken to further improve its risk management processes.

Priority: 3

Management response: This will be further developed at the next College RAID day and with managers ahead of this time.

Timescale / responsibility: August 2017, Vice Principal Finance & Resources

4.3

Observation: Our review of the risk register outputs from the College’s RAID day identified some inconsistencies within the registers, namely in the completion of the assurance maps: the entries recorded as assurance on the departmental risk registers were found to be additional controls rather than sources of assurance that the controls were having the desired effect.

Risk: Managers are not aware of how to assess risks and/or the value of implemented controls and may be using college resources inefficiently as a result.

Recommendation: During the next RAID day at the College, further consideration should be given to the completion of the risk registers.

Priority: 3

Management response: This will be further developed at the next College RAID day and with managers ahead of this time.

Timescale / responsibility: August 2017, Vice Principal Finance & Resources

4.4

Observation: Our review of the scoring of risks in the main risk register at the College found that in five instances the risk scores were multiplied incorrectly, which resulted in the risk being graded as a lower priority than it had scored. This meant that a risk was graded as medium when the risk score would have presented it as high.

Risk: Appropriate attention is not given to risks of a high score.

Recommendation: Future revisions of the risk register should ensure that calculated scores are reviewed for accuracy before presentation. The College may wish to consider the use of an Excel-based register, which may be able to calculate scores and gradings automatically.

Priority: 3

Management response: Agreed.

Timescale / responsibility: June 2017, Vice Principal Finance & Resources

4.5

Observation: Whilst we confirmed that the governors conduct a self-review of the effectiveness of the Board via “governor chats”, there has been no review of the effectiveness of the governance structure against the AoC’s Code, as is suggested in section 10.4 of the Code, since it was adopted in 2015.

Risk: The Board is not effective in its duties.

Recommendation: The College should conduct a self-assessment against their adopted governance Code. This assessment should inform an action plan to improve performance of the Board.

Priority: 3

Management response: Agreed. The Corporation’s Search and Governance Committee will undertake a self-assessment against “the Code” on an annual basis. This will be added to the Committee’s Work Programme for 2017/18. The Board agreed to adopt the code from 01 August 2015 on the understanding recognised on page 3 of the Code that “Boards are free to achieve the expectations of the ‘must’ and the ‘should’ statements in whatever manner they see fit.” The Board adopted the “spirit” of the code rather than supporting a “tick box” approach.

Timescale / responsibility: December 2017, Clerk to Corporation
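The arithmetic error described in 4.4 (a score recorded lower than likelihood multiplied by impact, so that a risk that should have graded High was presented as Medium) and the escalation test in A2 item 11 (risks scored above the appetite must be formally notified to the Board) are both mechanical checks that a register can run on itself. The following is an added example, not part of the report and not the College's or Mazars' own register or tooling. It assumes a 1-5 likelihood and 1-5 impact scale, assumed grade bands (Low up to 6, Medium up to 12, High above), an assumed per-class appetite ceiling on the same score scale, and a constructed sample register; none of these values come from the report, and a real register would substitute its own scale, bands and approved appetite.

```python
"""Consistency checks over a flat risk register (added example).

The scale, grade bands, appetite ceilings and sample rows below are
assumptions for illustration, not values from the audit report.
"""
from dataclasses import dataclass

SCALE_MAX = 5  # assumed: likelihood and impact each scored 1-5

# Assumed grade bands on the 1-25 product scale: (grade, upper bound).
GRADE_BANDS = (("Low", 6), ("Medium", 12), ("High", SCALE_MAX * SCALE_MAX))
GRADE_RANK = {name: i for i, (name, _) in enumerate(GRADE_BANDS)}

# Assumed risk appetite ceilings per risk class, expressed in the scoring
# system so that "above appetite" can be tested mechanically.
APPETITE = {"operational": 9, "compliance": 4, "financial": 9, "strategic": 12}


@dataclass(frozen=True)
class Risk:
    ref: str
    risk_class: str
    likelihood: int
    impact: int
    recorded_score: int   # the figure typed into the register by hand
    recorded_grade: str   # the grade typed into the register by hand


def grade_for(score: int) -> str:
    """Map a product score to its grade band under GRADE_BANDS."""
    for name, ceiling in GRADE_BANDS:
        if score <= ceiling:
            return name
    raise ValueError(f"score {score} exceeds the scale maximum")


def check_register(risks):
    """Return a list of (ref, kind, detail) findings; empty means consistent.

    kind is one of: range (inputs off the scale), score (mis-multiplied),
    grade (grade does not match the computed score, understated or
    overstated), appetite (computed score above the class ceiling).
    """
    findings = []
    for r in risks:
        if not (1 <= r.likelihood <= SCALE_MAX and 1 <= r.impact <= SCALE_MAX):
            findings.append((r.ref, "range",
                             f"likelihood {r.likelihood}, impact {r.impact} "
                             f"outside 1-{SCALE_MAX}"))
            continue  # nothing else is meaningful for an off-scale row
        expected = r.likelihood * r.impact
        expected_grade = grade_for(expected)
        if r.recorded_score != expected:
            findings.append((r.ref, "score",
                             f"recorded {r.recorded_score}, computed {expected}"))
        if r.recorded_grade != expected_grade:
            recorded_rank = GRADE_RANK.get(r.recorded_grade, -1)
            direction = ("understated" if recorded_rank < GRADE_RANK[expected_grade]
                         else "overstated")
            findings.append((r.ref, "grade",
                             f"recorded {r.recorded_grade}, computed "
                             f"{expected_grade} ({direction})"))
        ceiling = APPETITE.get(r.risk_class)
        if ceiling is not None and expected > ceiling:
            findings.append((r.ref, "appetite",
                             f"score {expected} exceeds {r.risk_class} ceiling "
                             f"{ceiling}; notify the Board"))
    return findings


# Constructed sample register (not the College's data). R02 reproduces the
# 4.4 failure mode: 4 x 4 recorded as 12 and graded Medium instead of High.
SAMPLE_REGISTER = [
    Risk("R01", "financial", 3, 3, 9, "Medium"),     # consistent
    Risk("R02", "operational", 4, 4, 12, "Medium"),  # mis-multiplied, understated
    Risk("R03", "compliance", 2, 5, 10, "Medium"),   # arithmetic fine, above appetite
    Risk("R04", "strategic", 5, 3, 15, "Medium"),    # score right, grade understated
    Risk("R05", "operational", 0, 4, 0, "Low"),      # likelihood off the scale
]

if __name__ == "__main__":
    for ref, kind, detail in check_register(SAMPLE_REGISTER):
        print(f"{ref}: {kind}: {detail}")
```

Run against the constructed rows it reports seven findings: three for R02 (score, grade understated, above appetite), one for R03, two for R04 and one for R05, and nothing for R01. Holding the bands and appetite ceilings in one place is the point of the 4.4 recommendation: once the grade is derived from the inputs rather than typed alongside them, the "medium when it should be high" discrepancy cannot be entered in the first place.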

A1 Audit Information

Audit Control Schedule

Client contacts: Emma Cox – Vice Principal (Resources)

Jo Farrant – Clerk to the Corporation

Internal Audit Team: Richard Bott, Partner

Mat Cooling, Manager

Anand Patel, Senior Internal Auditor

Finish on Site / Exit Meeting: 17 March 2017

Draft report issued: 07 March 2017

Management responses received: 26 May 2017

Final report issued: 30 May 2017

Scope and Objectives

Objective:

Review focussing on adequacy of framework for managing corporate governance and risk management arrangements within the College.

Scope:

Our work will consider the adequacy of the design and operation of the control framework in relation to the following risk areas:

- Lack of a robust risk management framework reflecting the risk appetite of Yeovil College.

- Risk scoring is incomplete / not subject to robust scrutiny, and mitigating controls either do not address the risk or are not monitored to ensure they are effectively mitigating the risk identified.

- The risk management framework does not clearly link to the objectives of Yeovil College and does not differentiate between strategic risks to the organisation and operational ones.

- There are insufficient controls and processes in place to ensure compliance with the mandatory elements of the Association of Colleges’ Code of Good Governance for English Colleges.

Definitions of Recommendations

Priority 1 (High): Recommendations represent fundamental control weaknesses, which expose the organisation to a high degree of unnecessary risk.

Priority 2 (Medium): Recommendations represent significant control weaknesses which expose the organisation to a moderate degree of unnecessary risk.

Priority 3 (Low): Recommendations show areas where we have highlighted opportunities to implement a good or better practice, to improve efficiency or further reduce exposure to risk.

Definitions of Assurance Levels

Substantial Assurance: Our audit finds no significant weaknesses and we feel that overall risks are being effectively managed. The issues raised tend to be minor issues or areas for improvement within an adequate control framework.

Adequate Assurance: There is generally a sound control framework in place, but there are significant issues of compliance or efficiency or some specific gaps in the control framework which need to be addressed. Adequate assurance indicates that despite this, there is no indication that risks are crystallising at present.

Limited Assurance: Weaknesses in the system and/or application of controls are such that the system objectives are put at risk. Significant improvements are required to the control environment.

Statement of Responsibility

We take responsibility to Yeovil College for this report which is prepared on the basis of the limitations set out below.

The responsibility for designing and maintaining a sound system of internal control and the prevention and detection of fraud and other irregularities rests with management, with internal audit providing a service to management to enable them to achieve this objective. Specifically, we assess the adequacy and effectiveness of the system of internal control arrangements implemented by management and perform sample testing on those controls in the period under review with a view to providing an opinion on the extent to which risks in this area are managed.

We plan our work in order to ensure that we have a reasonable expectation of detecting significant control weaknesses. However, our procedures alone should not be relied upon to identify all strengths and weaknesses in internal controls, nor relied upon to identify any circumstances of fraud or irregularity. Even sound systems of internal control can only provide reasonable and not absolute assurance and may not be proof against collusive fraud.

The matters raised in this report are only those which came to our attention during the course of our work and are not necessarily a comprehensive statement of all the weaknesses that exist or all improvements that might be made. Recommendations for improvements should be assessed by you for their full impact before they are implemented. The performance of our work is not and should not be taken as a substitute for management’s responsibilities for the application of sound management practices.

This report is confidential and must not be disclosed to any third party or reproduced in whole or in part without our prior written consent. To the fullest extent permitted by law Mazars LLP accepts no responsibility and disclaims all liability to any third party who purports to use or rely for any reason whatsoever on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification. Accordingly, any reliance placed on the Report, its contents, conclusions, any extract, reinterpretation, amendment and/or modification by any third party is entirely at their own risk.

Registered office: Tower Bridge House, St Katharine’s Way, London, E1W 1DD, United Kingdom. Registered in England and Wales No 0C308299.

A2 Assessment against the IIA’s Risk Maturity Model

Using the IIA Guidance on risk maturity we have carried out a subjective assessment and concluded that Yeovil College is currently at a point between Risk Aware and Risk Defined. A central risk register is documented and policies are in place, as well as assurance mapping information. However, we have identified a number of areas where the College could improve its risk management processes. The full results are summarised in the table on the next page.

Maturity scale (lowest to highest): Risk Naïve, Risk Aware, Risk Defined, Risk Managed, Risk Enabled.

Each item below gives the key characteristic, the sample audit test, the risk maturity score and our audit comments.

1. The organisation's objectives are defined.

Sample audit test: Check the organisation's objectives are determined by the board and have been communicated to all staff. Check other objectives and targets are consistent with the organisation's objectives.

Risk maturity score: Risk enabled (Yes)

Audit comments: The Corporation agrees the Strategic Objectives on an annual basis. Review of operating plans confirmed that these objectives work towards the strategic aims. The College undertakes an annual away day where all Departments complete their annual objectives based on the College's corporate objectives.

2. Management have been trained to understand what risks are, and their responsibility for them.

Sample audit test: Interview managers to confirm their understanding of risk and the extent to which they manage it.

Risk maturity score: Risk aware (some limited training)

Audit comments: Interviews with eight managers confirmed that risk training was provided at an away day; however, many were unaware of risk management techniques, such as risk appetite. Management comment: This should be clearer with a risk appetite statement.

3. A scoring system for assessing risks has been defined.

Sample audit test: Check the scoring system has been approved, communicated and is used.

Risk maturity score: Risk aware (Unlikely, with no consistent approach)

Audit comments: The risk scoring system has been approved and is used on the College Risk Register; however, we found limited use amongst the departmental registers. Management comment: This will be introduced at the next RAID day.

4. The risk appetite of the organisation has been defined in terms of the scoring system.

Sample audit test: Check the document on which the controlling body has approved the risk appetite. Ensure it is consistent with the scoring system and has been communicated.

Risk maturity score: Risk naïve (No)

Audit comments: The College has no defined risk appetite.

5. Processes have been defined to determine risks, and these have been followed.

Sample audit test: Examine the processes to ensure they are sufficient to ensure identification of all risks. Check they are in use, by examining the output from any workshops.

Risk maturity score: Risk defined (Yes, but may not apply to the whole organisation)

Audit comments: Interviews with six managers to identify their risk determination methodology found that one manager determined risks based on the justification of actions already taken. Management comment: Further development of managers’ understanding of risk management prior to the next RAID day.

6. All risks have been collated into one list. Risks have been allocated to specific job roles.

Sample audit test: Examine the Risk Register. Ensure it is complete, regularly reviewed, assessed and used to manage risks. Risks are allocated to managers.

Risk maturity score: Risk defined (Yes, but may not apply to the whole organisation)

Audit comments: The College risk register holds all College-wide risks. Departments hold their own risk registers, of which some high risk items are included on the College risk register.

7. All risks have been assessed in accordance with the defined scoring system.

Sample audit test: Check the scoring applied to a selection of risks is consistent with the policy. Look for consistency (that is, similar risks have similar scores).

Risk maturity score: Risk defined (Yes, but may not apply to the whole organisation)

Audit comments: Departmental risk registers have not consistently used the scoring system. However, we confirmed that the College risk register is consistent (with the exception of some multiplication errors which were highlighted to management during the audit).

8. Responses to the risks have been selected and implemented.

Sample audit test: Examine the Risk Register to ensure appropriate responses have been identified.

Risk maturity score: Risk defined (Yes, but may not apply to the whole organisation)

Audit comments: We confirmed that mitigating controls have been identified against all risks identified in the College and Departmental risk registers.

9. Management have set up methods to monitor the proper operation of key processes, responses and action plans ('monitoring controls').

Sample audit test: For a selection of responses, processes and actions, examine the monitoring control(s) and ensure management would know if the responses or processes were not working or if the actions were not implemented.

Risk maturity score: Risk defined (Yes, but may not apply to the whole organisation)

Audit comments: Our review of the controls identified in the College Risk Registers found that all controls identified were measurable, were appropriately aligned to an assurance map and, where relevant, included a cross-reference to the College’s Operating Statement.

10. Risks are regularly reviewed by the organisation.

Sample audit test: Check for evidence that a thorough review process is regularly carried out.

Risk maturity score: Risk enabled (Regular reviews, probably quarterly)

Audit comments: We confirmed that a thorough review of the College risk register was conducted during the last three Audit Committee meetings. We also confirmed that all College-wide risks were reviewed by the SMT prior to audit committee meetings.

11. Management report risks to directors where responses have not managed the risks to an acceptable level to the board.

Sample audit test: For risks above the risk appetite, check that the board has been formally notified of their existence.

Risk maturity score: Risk aware (No)

Audit comments: Since the College does not have a defined risk appetite, the review of risks above an "acceptable" level is not completed. However, we confirmed by attendance at the Audit Committee in March 2017 that there was appropriate discussion of higher scored risks.

12. All significant new projects are routinely assessed for risk.

Sample audit test: Examine project proposals for an analysis of the risks which might threaten them.

Risk maturity score: Risk managed (All projects)

Audit comments: Whilst this is not a formal policy, we confirmed that for two recent projects an assessment of risks was reviewed prior to acceptance of the projects. One project was significant and has its own project risk register.

13. Responsibility for the determination, assessment and management of risks is included in job descriptions.

Sample audit test: Examine job descriptions. Check the instructions for setting up job descriptions.

Risk maturity score: Risk defined (Limited)

Audit comments: We reviewed a sample of job descriptions and confirmed that responsibility for risk management was included in the Vice Principal - Finance and Resources role only. Management comment: We will consider including this in managers’ contracts as these are updated.

14. Managers provide assurance on the effectiveness of their risk management.

Sample audit test: Examine the assurance provided. For key risks, check that controls and the management system of monitoring are operating.

Risk maturity score: Risk managed (some managers)

Audit comments: We confirmed that the College's risk register includes an assurance map which provides a clear map of how the College is receiving assurance and how risks are being managed. We found that the departmental registers had incomplete assurance maps. Management comment: We will develop this at the next RAID day.

15. Managers are assessed on their risk management performance.

Sample audit test: Examine a sample of appraisals for evidence that risk management was properly assessed for performance.

Risk maturity score: Risk managed (some managers)

Audit comments: We confirmed that the Vice Principal - Finance and Resources' appraisal included an assessment of their performance with regard to risk management. However, we were informed that this was not considered for other appraisals.

A3 Risk Appetite Examples

We have included below an extract of an example risk appetite matrix in place at one of our clients. Whilst there will be some differences in practices and regulatory matters, the below contains a number of examples of potential tolerance indicators for a range of different events categorised into operational, reputational, compliance, financial and strategic groups, of which the College may wish to consider incorporating elements into its own risk management framework. We have also included a risk appetite chart used in a Higher Education institution to show a different approach taken, whereby classes of risk are assigned discrete “tolerable” scores of risks they are willing to accept or seek, using a 1-10 scale.

Client Example

Risk Class: Board articulation

Operational
- zero tolerance for fraudulent activity
- low operational risk appetite for process failure
- zero tolerance of business outside plan unless agreed through the relevant Board
- low tolerance for high priority internal audit recommendations
- zero tolerance for regulator issues
- no single operational risk loss (does not include normal volume/rate variances) to exceed £50,000 or 1% of income, whichever is the lower, per year
- annual aggregate operational risk losses for the group (not including rent loss) not to exceed £100,000 per year
- no more than 2 IT system outages per month for more than 1 hour
- no more than 1 IT virus-caused outage per month for more than 1 hour
- no more than 1 failure of debit runs per year
- zero tolerance of IT & data security breaches
- will tolerate up to 20% exposure against capacity of the organisation for no more than one day, i.e. 20% of its resources including the workforce not being available
- very low tolerance for business outages
- effective and tested BCP arrangements in place for responding to outages 3 hours to 3 months in duration

Reputational
- very low appetite for reputational risk around regulatory standards

Compliance
- zero appetite for legal action against the organisation
- zero tolerance for any serious injury or death caused by H&S failure
- zero tolerance of failure to meet deadlines set by funders and regulatory authorities for required paperwork
- zero tolerance for loss or compromise of personal data

Financial
- zero tolerance for breaching loan covenants
- low tolerance for failure to meet overall budget
- bottom line budget variance should be no more than 3% adverse
- overall cash flow variance should be no more than 3% adverse
- bad debts not to exceed £1.7m combined per year
- zero tolerance for going outside treasury policy

Strategic
- will tolerate a high level of risk on community investment to meet its objectives and expects some enterprises to fail
- will accept one aborted new build scheme for social purposes a year but expects any losses to be no more than £50k and contingency plans in place to deliver the scheme elsewhere
- all new ventures, especially those in commercial areas, have an agreed exit strategy as part of the business case to mitigate risk


University Example


A4 Assessment against AoC Governance Code

Ref Code Compliant/Non-compliant

1.1 The board must formulate and agree the mission and strategy including defining the ethos of the college. Compliant

1.2 The board must formally approve the strategic plan. Compliant

1.6 In order to ensure successful implementation, the board must be clear how performance will be measured. Compliant

2.1 The board must be collectively accountable for the business of the college, taking all decisions on all matters within its duties and responsibilities. Compliant

2.2 Members of boards must comply with the legislation relevant to their legal form of incorporation. Board members are charity trustees and must comply with charity legislation and case law. Compliant

2.3 The board must set out its primary responsibilities in the Instrument and Articles of Government. Compliant

2.4 The board must seek assurance that it meets all legal and regulatory requirements imposed on it as a corporate body. Compliant

2.5 The general principles and requirements of the Freedom of Information Act must apply, so that staff and students have access to all appropriate information about the board’s proceedings. Compliant

2.11 Governors, whose views are not consistent with the decisions of the board as a whole, must abide by the principle of collective decision-making and stand by the decisions of the board. Compliant

3.2 The board must endorse a set of appropriate policies that describe how the strategy is being implemented. Compliant

3.4 The board must be assured that there are management-led systems in place to provide the very best affordable learning experience for every student including those undertaking learning activity off-site or provided under a subsidiary or partnership arrangement. Compliant

3.5 The board must have close regard to the voice of its students and the quality of the student experience, which should be central to all board decisions. Compliant

3.7 The board must provide a safe environment and have a robust and regularly assessed and monitored safeguarding policy. Compliant


4.1 The board must foster exceptional teaching and learning. The board must, where appropriate, seek to secure coherent provision for students that leads to further learning or apprenticeships and/or employment. The board must ensure appropriate mechanisms are in place for effective oversight of the quality and inclusivity of the learning experience. Compliant

4.6 The board must be aware of the expectations of external bodies and in particular their expectations of good quality. Compliant

4.7 The board must see the results of student surveys and be able to monitor improvement plans. Compliant

5.1 The board must ensure that the college is responsive to the community and relevant employment trends including building strong two-way relationships with Local Enterprise Partnerships and other employer-led local groups. Compliant

6.1 The board must adopt an affordable financial strategy and plans which are compatible with the duty to ensure sustainability and solvency of the college. The board must set and approve the annual budget. Responsibility for its approval must be reserved for the collective decision of the board, without delegation. Compliant

6.2 The board must adopt effective systems of control and risk management that promote value for money, efficient use of the capital estate and technology, meet mandatory audit requirements, and produce accurate and quality-assured college data. Compliant

6.3 The board must ensure compliance with the funding agencies’ financial memoranda and must understand and meet the conditions of funding, as set by the funding agencies and other funders. Compliant

6.4 The board must inform the funding agencies of any “materially adverse” change in the college’s circumstances. Compliant

6.5 Colleges must have financial regulations and appropriately documented delegations and procedures, approved by the board, which specify its financial responsibilities and authority and those of its committees and its staff. Compliant

6.8 The board must ensure that a statement on internal controls explaining the risk management arrangements that are in operation is contained in the corporate governance section of the audited financial statements. Compliant

6.9 The board must comply with the funding agencies’ mandatory requirements relating to audit including adherence to the Joint Audit Code of Practice (JACOP), which sets out the minimum requirements. Compliant


6.10 The audit committee must support the board and the principal by reviewing the comprehensiveness, reliability and integrity of assurances including the college’s governance, risk management and internal control framework and produce an annual audit report for the board. Compliant

6.11 The board must ensure effective arrangements are in place for the management and quality assurance of data. Compliant

7.2 In establishing partnerships or new business acquisitions, the board must ensure effective governance arrangements and put in place appropriate control, reporting and delegation systems. Compliant

7.3 The board should ensure that particular scrutiny is exercised on new and external activities with significant potential financial or reputational risks. Where such activities involve commercial transactions, care must be taken to ensure that arrangements conform to the requirements of charity law and regulation. Compliant

7.4 New ventures (such as setting up a multi-academy trust, acquiring new companies or creating colleges in other countries) present colleges with both opportunities and significant challenges and risks. The board must ensure that not only does it approve such strategic developments, but also that the executive produces regular reports on the performance of all strategic partnerships and external businesses. Compliant

7.7 In relation to subcontracting, partnerships and other forms of college collaboration, the board should agree the authorisation requirements for approving such arrangements, including the circumstances where board approval is required. Compliant

7.8 The board must ensure all college policies, particularly those on safeguarding, are actively implemented in the subsidiaries and partnerships. Compliant

7.9 The board must be assured that the student voice is heard through all partnership activities. Compliant

8.1 The board must meet and should aim to exceed its statutory responsibilities for equality and diversity through its own actions and behaviour in all aspects of its affairs. The board must promote equality and diversity throughout the other nine principal responsibilities. Compliant

8.3 The board has a number of legal obligations in relation to equality and diversity which it must understand and comply with. These go much further than avoiding discrimination and require the active promotion of equality in a number of defined areas. The board must therefore ensure that agreed policies are progressed and actioned throughout the college. The board may also wish to consider advice issued by government departments and other agencies on equality, diversity and safeguarding. Compliant

9.1 The board must ensure that there are organised and clear governance and management structures, with well-understood delegations and authorities, and that governors are capable, knowledgeable and supported. Compliant


9.9 The board must determine the pay and conditions of service of the principal, other senior post holders and the clerk and may establish a remuneration committee to advise the board. Compliant

9.12 The board must appoint a chair from amongst its external members. Compliant

9.19 Members must act in the best interest of the college, rather than selectively or in the interests of a particular constituency. Members must act with honesty, frankness and objectivity, taking decisions impartially, fairly and on merit, using the best evidence and without discrimination or bias. Compliant

9.20 The board must have the power to remove any of its members from office and must do so if a member breaches the terms of his/her appointment. Compliant

9.21 The principal must be responsible for the executive management of the college and its day-to-day direction. The specific responsibilities of the principal in relation to board business must include: ensuring that board decisions are implemented through the college’s management structure; advising the board as required; and undertaking the role of the accounting officer. Compliant

9.23 The board must appoint a person to act as the clerk to the corporation. The board must protect the clerk’s ability to carry out his/her responsibilities, including appropriate training and development and ensuring adequate time and resources to undertake the role effectively. Compliant

9.24 The clerk must inform the board if s/he believes that any proposed action would exceed its powers or involve regulatory risk or (where the clerk has other management responsibilities at the college) if there is a potential conflict of interest between his/her clerking and management roles. Compliant

9.27 The board must also confirm the appointment [of chairs] where it has been carried out by a sub-group or committee. Compliant

10.1 The board must regularly review its effectiveness ensuring continuous improvement, thereby not only enhancing its own performance but providing an example to the college. Compliant

10.4 In addition, the board must conduct a regular, full and robust review of its effectiveness and that of its committees, the starting point for which should be an assessment against this Code. Non-compliant

Whilst we confirmed that the governors conduct a self-review of the effectiveness of the Board via “governor chats”, there has been no review of the effectiveness of the governance structure against the AoC’s Code.


Internal audit feedback form

Key: 5 = strongly agree with comment; 1 = strongly disagree with comment

Yeovil College - Internal Audit Client Satisfaction survey

Client manager: Emma Cox

Project: Risk Management and Corporate Governance

Performed by: Anand Patel

Indicator 1 2 3 4 5

Planning

The scope of the audit covered the system being audited.

I agreed the key areas of risk to be addressed by the audit.

The planning meeting and/or other preliminary discussions were useful and informed the audit. Comment: Probably needed more time with senior managers in relation to curriculum areas, e.g. Principal and Vice Principal Curriculum & Quality had limited time, and therefore input, during the audit.

Delivery

The audit took place at the agreed times and locations.

The audit was for the agreed duration.

The personnel were those expected per the planning brief.

Quality

The auditors appeared to understand the context of the College’s operations within which this audit was set.

The auditors knew the College and the system. Comment: The process has changed and is evolving and this has been a learning curve.

The audit identified all the principal areas of strength and weakness within the systems acting to mitigate principal areas of risk. Comment: For the college, this has to be about balancing the need for assessment of risk vs resources available.

Reporting

The report was issued promptly after the conclusion of fieldwork and any related queries.

The report suitably reflected the main issues identified during the audit or at the closure meeting.

The recommendations made were useful and practical.

The report and opinion given were easily understood.

The report was provided in a useful format.

We should be grateful to receive any other comments or observations you have in respect of this audit. In particular, any ideas to improve the audit process or the audit report would be welcomed. In addition, if you feel this, or any other area under your control, would benefit from further input from us, please let us know.