4 minute read
Report on Internal Administrative/Operational Structures and Financial Controls
Systems of internal control and processes
The Cape Peninsula University of Technology (CPUT) maintains a system of internal control to provide reasonable assurance regarding the achievement of its objectives. The system of internal control is designed to ensure effective and efficient operations, the reliability of financial reporting, and overall compliance with relevant laws and regulations, to prevent loss of resources and assets, and also to reduce legal liability.
The internal control system is designed to provide reasonable assurance to the University and the Council regarding an operational environment that promotes the safeguarding of the University’s assets, and the preparation and communication of reliable financial and other relevant information. Internal control objectives include measures to ensure completeness, accuracy and proper authorisation in relation to documented organisational structures setting out the segregation of responsibilities, as well as established policies and procedures, including a code of ethics.
It is the responsibility of Management to establish and maintain effective internal control systems. As part of fulfilling that responsibility, Management understands and supports the role of Internal Audit. As such, Management is responsible for ensuring that audit report findings and recommendations are addressed in an appropriate manner.
There are inherent limitations to the effectiveness of any system of internal control, including the possibility of human error, and the circumvention of controls. Accordingly, even an effective internal control system can only provide reasonable assurance with respect to the reporting of financial information and the safeguarding of assets. Smart systems, including automated internal control systems, are considered to be a key enabler of CPUT’s Vision 2030.
Computer and telecommunications services
The University applies modern technology solutions, such as virtualisation, storage redundancy, and managed backup applications in its data centres. These solutions are developed and implemented in accordance with defined and documented standards to achieve efficiency, effectiveness, reliability and security. In utilising technology to transact with staff, students and third parties, procedures are designed to minimise the risk of fraud and error. During 2021, CPUT continued to upgrade its IT infrastructure and software suite to meet the demands of multimodal learning and a remote workforce. Simultaneously, IT security was strengthened to mitigate the increased cyber security risk introduced by remote working. In response, a significant portion of the 2021 Internal Audit Plan was assigned to IT governance, information security, and IT resilience. The Information Technology Governance Committee of Council provides oversight of the IT control environment, including the implementation of the IT Strategy.
Internal audit
Internal Audit monitored the adequacy and effectiveness of internal control systems through the approved 2021 Internal Audit Plan. The Internal Audit Plan is developed annually, following a risk-based approach. The Plan is approved by the Audit and Risk Oversight Committee (AROC), and is amended in response to emerging risks. Internal Audit’s findings and recommendations are reported to Management and the Council via the AROC.
Follow-up reviews are performed continuously to verify the implementation of agreed Management action plans in response to previously reported Internal Audit findings. Progress is reported to Executive Management to ensure that actions are implemented timeously.
3 4
3
3 2
6 10
6 Academic Integrity Cyber Security Finance Governance, Risk and Compliance Organisational Resilience Smart Workforce Student Centredness Other
Figure 1: Internal Audit Reports 2021
Internal Audit completed 37 assurance reviews in 2021, depicted in Figure 1. The Audit Plan was developed considering primary and secondary themes. The most significant themes for 2021 included Academic Integrity, Cyber Security, and Finance, comprising more than 50% of the Audit Plan.
Combined assurance
CPUT adopted a combined assurance model to provide a coordinated approach to all assurance activities of the University. The model is designed to address the significant risks that CPUT faces, and to monitor the relationship between internal and external assurance providers. Combined assurance is the process of internal and external assurance providers working together and combining activities to reach the goal of integrating and aligning assurance processes so that Executive Management and governance bodies (Council and AROC) obtain a holistic view of the effectiveness of the University’s governance processes, risks and controls, to enable them to set priorities and take action. CPUT has adopted a principles-based approach to combined assurance, which is designed to provide flexibility. As such, Council, Executive Management, and assurance providers are not slotted into rigid lines or roles. The areas of responsibility for these role players are generally described as:
• Accountability by Council to stakeholders for oversight; • Actions (including managing risk) by Management to achieve
CPUT’s objectives; and • Assurance and advice by an independent internal audit function to provide insight, confidence, and encouragement for continuous improvement.
Statement of assessment of internal controls
Reports to the AROC by both Internal and External Auditors indicate that there are some areas of control that are deemed to be inadequate or ineffective. These matters were reported to Management for action, and are monitored by Executive Management and AROC.
Statement by Audit and Risk Oversight Committee
The Audit and Risk Oversight Committee reviewed the Report on Internal Administrative/Operational Structures and Financial Controls in the year under review at its meeting on 13 May 2022, which was quorate. The documentation for approval by the Committee was also circulated with the meeting agenda in advance, with due notice.
Interim Chair of Audit and Risk Director: Internal Audit Oversight Committee (AROC) Ms H Van Dyk Ms N Dhevcharran
