Medr/2026/06: Guidance for Internal Auditors to use in their Annual Internal Audit of HE Data Systems and Processes

Introduction

1. This publication provides guidance to the internal auditors of higher education institutions (HEIs) and further education institutions (FEIs) funded by Medr for higher education provision referred to throughout as higher education providers (HEPs) to use for their annual internal audit of the internal controls relating to the systems and processes in place to produce higher education (HE) data returns, and requests a copy of this internal audit report for each HEP.  Both HEFCW and Medr are referenced throughout this publication depending on historic or current data and processes.

2. Previously, external audits of higher education data were commissioned by HEFCW, prior to HEFCW becoming part of Medr, so that HEPs were externally audited at least once every four years. 2021/22 was the last year of the contract HEFCW had with external auditors to do this and so in Medr we are continuing with the interim process used last year in place of external audits until the audit process is reviewed.

3. For 2026 the process will involve members of the Medr Higher Education Statistics team meeting with data contacts at each HEP, to cover items such as previous audit findings, ongoing implementation of the new Higher Education Statistics Agency (HESA) Student record, and data quality. As part of this interim process, Medr will continue to rely on the annual assurance provided to HEPs and their Audit Committees by their internal auditors about the systems and processes used to produce data returns. Relying on the internal audits will maintain an adequate level of annual assurance in respect of HEPs’ data returns.

4. The internal audit will provide an opinion as to the adequacy and effectiveness of the controls in place to manage the risks relating to the accuracy of data submitted by the HEP to HESA, Medr and Welsh Government (WG), including data used in calculations for the following funding streams:

• Teaching funding (currently comprising per capita and premium funding and part-time (PT) undergraduate (UG) credit-based funding);
• Research funding comprising Quality research (QR) funding and Postgraduate research (PGR) training funding;
• Research Wales Innovation Funding (RWIF);
• Medr’s part-time undergraduate fee waiver scheme;
• Well-being and mental health funding;
• Race access and success funding;
• Targeted employability support funding;
• Capital funding.

and the data used to monitor the following funding streams:

• Medr’s part-time undergraduate fee waiver scheme;
• PGT Master’s bursaries allocations;
• Medr funded Degree Apprenticeship scheme allocations.

5. The internal audit should also provide assurance over the controls in place to ensure the accuracy of data used in the monitoring of performance, including key performance indicators such as the National Measures, and if applicable, data included by HEPs as part of the fee and access plan reporting requirements.

6. This document provides guidance to the internal auditors about the nature of the controls that their audit should address, to assess whether the systems and processes are adequate to provide accurate data returns and data to use in funding and monitoring and also to ensure that internal audits taking place across the sector are carried out on a consistent basis.

7. If the internal audit report’s overall conclusion, or the conclusions relating to the adequacy of the design of the methods of control and the application of those controls, provides a negative opinion (e.g. limited or no assurance, unsatisfactory or inadequate controls) and/or the report includes a significant number of recommendations, Medr should be notified as soon as the opinion has been agreed. Medr will then conduct their own assessment of the issue and/or commission their own external audit as appropriate. This external audit would consider the accuracy of data for the current period and also consider the findings of the internal auditor and aim to assess the extent of potential errors in the data returns and data used for funding and monitoring for prior periods up to the last external audit. The findings of this external audit may result in adjustments to funding and further action may be taken if HEPs are found to be not compliant with their fee and access plans, the supply-side code of practice for data collections or the financial management code.

Scope of the Audit

8. The way in which internal audit work and controls testing is carried out at each HEP will depend on the systems and controls in place and how information is shared within the HEP. However, it is expected that the internal audit work will cover the elements highlighted in this document. Where previous internal audit work has found that the systems and controls in place are satisfactory, it may be considered appropriate by the HEP’s Audit Committee for subsequent audits to only cover areas of risk. In particular, due to the increased risks associated with the implementation of the HESA Data Futures programme in 2022/23, through 2023/24 and into 2024/25 collection, we would expect to see this area of work included in the scope.

9. The Data Futures programme was implemented for the 2022/23 HESA student record. There were difficulties with the return caused by delays to the functionality of the HESA Data Platform, late software updates, late supply of data quality rules by Jisc and other issues in its implementation year. In light of this, for the 2025 audit scope we didn’t recommend that auditors examine the implementation of the new record for 2022/23 in depth, or the systems and process relating to the 2022/23 return, but rather provide opinions on the controls in place to manage risks relating to the record going forward including plans to review and/or improve processes, documentation and data quality moving into the 2023/24 return. Difficulties were also experienced in returning the 2023/24 student record and this may have meant that providers were not able to fully implement new processes and procedures for their systems at that time. Difficulties were also experienced in returning the 2024/25 student record, however, providers are now moving towards more stable processes to make the return. We would expect auditors to take these difficulties into account in their work, and we expect auditors to include in the scope any updates applied to systems and processes, and to risk registers, after review of the 2022/23, 2023/24 and 2024/25 student data returns.

10. Auditors should ascertain the processes by which data returns and monitoring information are compiled and document them to the extent necessary to enable an evaluation to be made of the adequacy of the existing controls used by the HEP to ensure that they produce accurate data returns and appropriately compile monitoring data. Examples of the controls that the audit would normally be expected to assess are set out for all the current funding streams, data returns and other areas of audit in the sections below. Many of the controls are common to the data returns for all areas of audit. However, not all of the areas of audit apply to all HEPs, and auditors should refer to the relevant paragraphs.

11. Auditors should note that there are some areas where HEPs may have to return estimates, where information is not known at the time of return or information is not available in the required form. Estimates can be made using methods suggested by Medr in its guidance, or if appropriate, HEPs can use their own methods. Where estimates have been made, auditors should review the methods used to calculate them, confirm that they are properly documented, reasonable, consistently applied and tested for reliability.

12. If a HEP is in the process of merging or has recently merged with one or more other HEPs, the auditor should ascertain if procedures have been put in place to integrate their data systems or otherwise ensure that returns for the whole merged HEP can be made.

13. In planning the audit, the Auditor should consider the findings and conclusions of any external and/or internal audit reports relating to systems and data returns for the HEP and any follow up reports and correspondence with management to assess the extent of implementation of the reports’ recommendations. It is expected that the audit reports will make reference to and comment upon the extent that recommendations made by auditors in the previous internal or external audit reports have been effectively implemented.

14. Additionally any data issues or errors notified either directly to Medr by the provider, or identified and communicated by Medr, should be referenced in the report together with any action taken to ensure that data systems and processes have been amended where appropriate to mitigate against any such errors in future. As explained in paragraph 9, there were difficulties with the implementation of the Data Futures programme. This led to multiple errors being flagged and tolerated or left open in the HESA student record issue management system (IMS) since 2022/23. We are not expecting auditors to review these errors, but would recommend any review for the HESA student record for the 2024/25 return focus instead on providers’ plans to review these errors and any action they might take to improve systems and processes moving into future HESA student record returns.

15. It is recommended that internal audit staff with some experience of the HE sector and associated data returns are involved in the visits to HEPs undertaken as part of the review and that auditors are sufficiently briefed on the guidance contained within this publication prior to carrying out the audit. In addition, auditors should make themselves aware of the UK-wide issues experienced with the implementation of Data Futures in 2022/23 and any issues experienced by the provider for the 2023/24 and 2024/25 returns. Advice and clarification relating to the guidance in this publication can be obtained from Medr via [email protected], and Medr staff are available to meet with internal audit staff if required.