Part II - TRAC Principles

Section C: Quality assurance and validation

Chapter C.3 Internal audit

1. Internal audit can provide assurance on the systems used for ensuring compliance with TRAC standards and minimum requirements, as set out in this Guidance. A review to assess the extent of this compliance should be built into their audit programme, which will be agreed by the Audit Committee. It should be undertaken periodically.
2. It is not a TRAC requirement that external auditors scrutinise or audit the calculations or methods used.
3. The internal audit programme should help to:
   • ascertain that accounting and other information is reliable as a basis for producing accounts, and financial, statistical and other returns;
   • ascertain the integrity and reliability of financial and other information provided to management, including that used in decision-making.
4. The internal audit review should cover all TRAC systems, and in particular the annual TRAC process, and TRAC fEC. Any additional information included on a TRAC report (e.g. income allocation on the annual TRAC return) should also be covered.
5. The internal audit review could be planned around the TRAC minimum requirements:

   principles and conventions

   annual TRAC

   income allocation

   indirect cost rate and estates charges

   TRAC fEC

6. A full systems audit should be carried out every three years (the end of the second TRAC cycle relates to 2007/08 data and should be carried out before 31 January 2009). A full systems audit covers a review of the controls in systems designed to meet TRAC minimum requirements.
7. Following assurance that new TRAC systems have been robustly introduced, or previous systems are operating effectively, the reviews should then be planned on an on-going basis following institutions’ normal risk analysis. This should be planned in the knowledge that a considerable amount of implementation of TRAC fEC will still be taking place up to 2007 – and that by 1 August 2007 full robustness should have been achieved. However, full implementation of TRAC fEC will only be possible by December 2009.
8. The work to be carried out should depend on the institution’s view of:
   • the risks;
   • the controls and checks needed and those that are in place;
   • the tests of these controls and checks that are necessary to assess their effectiveness;
   • whether the methods being used are ‘tried and tested’ (e.g. described in the Guidance and in wide use in the sector) or developed and used by only a small number of HEIs;
   • the quality of TRAC project management during the development and implementation stages;
   • other objectives that the institution is seeking to satisfy, which rely on TRAC data or systems, e.g. pricing decisions and other internal decision-making.
9. The particular risks to be considered under TRAC would include:
   • the risk of not reporting (perception of a poorly managed institution that is unable to provide information);
   • reporting results that are not robust (not in compliance with the costing standards) – and asking the head of the institution to underwrite these results;
   • the inability to provide information that would be considered to be sufficiently robust by external sponsors (loss of stakeholder confidence; potentially lower recovery rates on work);
   • using inadequate or misleading information for internal decision making;
   • implementation of an overzealous or inappropriate approach to implementation (including towards internal audit work in this area) – diverting institutional time from other priorities.
10. The TRAC internal audit plan should be designed in a way that respects the principles which underpin the design of the TRAC requirements. These principles require the TRAC process to be minimally burdensome and as helpful to institutions as possible. Institutions are allowed flexibility in the systems and methods they use, and can improve and adapt the guidance within the overall standards and requirements set out.
11. The methods should focus attention on important costs and do not require repeated measurement of factors which do not change year-to-year, or undue precision over small cost elements. Materiality is an important principle, along with recognition that there will always be elements of judgement in cost allocation.
12. Audit does not require precise judgement in all areas. Several areas in costing involve judgement and discretion. Perhaps the most obvious of these is the allocation of staff effort, where even the most costly methods are not easily auditable in the sense of being externally verifiable.
13. Modern approaches to audit relate to a judgement based on risk, materiality, and the appropriateness of the methods used, in other words, a normal systems-based audit. This can be interpreted to imply that the costs produced under TRAC should fairly represent the full economic costs of the activity. The principles to be adopted here are:
    • focusing particular effort on the most significant costs;
    • ensuring that the method is defensible and is signed by the head of institution as showing results that are commensurate with the real cost of the activities reported.
14. The number of days required for these reviews will depend on several factors:
    • the risks identified;
    • the types of system being introduced;
    • the approach and level of assurance identified for the reviews;
    • the quality of the systems and project management arrangements found to be in place.
15. The internal audit approach to TRAC audit is expected to rely largely upon management assurances, supported by limited testing, as opposed to carrying out detailed compliance testing.
16. The internal audit process is in addition to external QA, and sponsors’ QA processes.