Uniac - July 2022

Higher Education Auditing and Assurance Virtual Brochure – HE Updates July 2022

2 We are here to make a difference to the institutions we serve. We work in partnership to manage risk, promote effective and efficient mitigation measures and, more broadly, help develop risk, assurance and audit arrangements. We offer: • objectivity, integrity and constructive challenge • drive, innovation and creativity • confidence and diligence and • detailed and specialist knowledge of higher education. We pride ourselves on the knowledge and experience of our staff who are empowered and encouraged to deliver value adding reviews for a diverse range of higher education providers across the UK. We have a flexible and tailored approach that recognises the differences between working at large and research- intensive universities through to niche specialist providers. “In addition to the delivery of the internal audit programmes across institutions, we also produce regular, topical briefing notes – aimed at boards, audit committees and senior management. This brochure contains a few of those. If you’d like to know a bit more about Uniac and our services, please do get in touch.” Director’s Foreword: Richard Young Introduction: Who we are, and what we do 01. Modern Slavery Act 2015 02. Internal Audit and Climate Change 03. Managing IR35 Requirements 04. Consumer Protection Law 05. Small and specialist providers: Responding to and managing OfS Regulatory Requirements (Uniac and GuildHE) 06. Academic workload / contribution models In this issue

3 The higher education sector is vast and diverse. Here are just a few examples where our staff excel: Academic Governance Competition and Markets Authority Compliance Data Returns Data Protection and GDPR Equality, Diversity, and Inclusion Environment and Estates Financial Systems and Processes Fraud Prevention, Detection and Investigation Governance Grant Audit and Grant Record Keeping Human Resources IT Marketing Project Assurance Research and Enterprise Risk Management and Assurance Mapping Student Experience (and Supporting Processes) Sustainability UKVI (UK Visas and Immigration) Universities UK Accommodation Code of Practice Value for Money Our Specialisms

4 The Modern Slavery Act (2015) obliges all organisations, including universities, whose annual turnover exceeds £36 million, to produce an annual statement that describes the steps they have taken to ensure that there is no modern slavery in their own business and their supply chains. Modern slavery in the context of the 2015 Act includes slavery, servitude and forced or compulsory labour, and human trafficking. Home Office guidance argues that, rather than focusing on precise definitions, businesses have a moral duty to influence and incentivise continuous improvements in supply chains and a responsibility to ensure that workers are not being exploited, that they are safe and that relevant employment laws (including wages and working hours), health and safety and human rights laws and international standards are adhered to, including freedom of movement and communication. Non-compliance with the Act could result in legal enforcement; however, it is more likely to cause reputational damage. The Government launched an online modern slavery statement registry on 11 March 2021. Whilst all organisations are strongly encouraged to submit their most recently published statement on the registry to demonstrate they have reported, in future it will be mandatory to submit statements to the registry. This forms part of the proposed changes to strengthen the reporting requirements of the Act, including mandating the six reported areas contained in a statement as per the currently recommended areas to include under the Home Office’s statutory guidance (see relevant section below). Given it is six years since the requirements of the Act came into force and the proposed changes described above, it is timely to review institutions progress in this area. Whilst the Act does not prescribe the structure and content of annual statements in detail, the only absolute requirements are that: • a statement must be made (the statement should be updated every year and published within six months of the end of the financial year) Introduction 1. Modern Slavery Act 2015 – May 2022 Demonstrating compliance with the minimum legal requirements

5 • it must be an accurate description of the steps that have been taken to identify modern slavery in the organisation and its supply chain (the statement should refer to work carried out in the previous year as well as clear action for the coming years to identify and mitigate risk) • the statement must be published on the organisation’s website (the statement should be visible in a prominent place on the organisation’s website - for example, the home page or obvious drop-down menu) • the statement must be approved by the governing body (the statement should be approved at the highest level of governance, including date of approval); and • the statement must be signed off by the Vice-Chancellor or equivalent (the statement should be signed off by someone at the most senior level). The Home Office’s statutory guidance recommends that annual statements include descriptions of: • the organisation’s structure, its business and its supply chains (provide relevant information that creates a picture of the structure of the organisation’s business and its supply chains) • organisational policies in relation to slavery and human trafficking (provide a link between an organisation’s existing policies and modern slavery) • due diligence processes in relation to slavery and human trafficking in its business and supply chains (due diligence processes, risk assessment and management; identify high risk suppliers in supply chains to help prioritise actions. Engaging with suppliers and being clear about the organisation’s expectations from them) • the parts of its business and supply chains where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk (identify and recognise what specific risks exists in their supply chains and explain the steps taken to prioritise and address higher risks) • its effectiveness in ensuring slavery and human trafficking is not taking place in its business or supply chains, measured against such performance indicators as it considers appropriate (ensure the organisation has goals and Key Performance Indicators (KPIs) to measure the effectiveness of the organisation’s actions and track short, medium and long term progress, reviewed at least annually); and Home Office guidance

6 • the training about slavery and human trafficking available to its staff (provide appropriate modern slavery training to all employees targeted in relation to each department, e.g., human resources, procurement and legal etc.). Uniac has undertaken an exercise to compare and contrast the annual statements of several institutions across the HE sector against the areas described under the guidance heading above, the results of which are as follows: • the organisation’s structure, its business and its supply chains. Coverage across the statements reviewed was variable. Whilst some clearly articulated a clear understanding of the organisation’s structure, its business and its supply chains in detail, others failed to suitably address one or more of these areas at all, or to a limited extent - for example, number and classification of suppliers and supplies, and associated expenditure. There was also a general lack of detail beyond institutions’ tier one suppliers, perhaps partly reflecting the lack of visibility institutions have beyond this level in their supply chains. Providing a fuller explanation of the institutional set up and supply chains enables institutions to demonstrate a thorough analysis has been undertaken. • organisational policies in relation to slavery and human trafficking. All statements referenced or linked to at least one, but often several, existing policies. The specific policies varied to a large extent between different statements, including, but not limited to: Public Interest Disclosure (Whistleblowing) Policy, Employee Code of Conduct, Corporate, Social and Environmental Responsibility Policy, Procurement Policy, Code of Conduct for Recruitment and Labour in the Supply Chain, Donations Acceptance Policy, Adult Safeguarding Policy, Supplier Code of Conduct, Ethics Policy/Framework, Dignity and Respect, Good Practice in the Conduct of Research, Sustainable Procurement Policy, Fair Trade Policy, Sustainable Food Policy, Procurement Procedures Manual, Child Protection Policy, Health and Safety policies, Social Responsible/Ethical Investment Policy, Procurement Strategy, Financial Due Diligence Process. Some institutions also had explicitly specific policies in place. These included: Anti-Slavery and Human Trafficking Policy, Procurement Policy on Modern Slavery and Modern Slavery Policy 2015. Benchmarking

7 What was also evident from this review and benchmarking exercise was the variable extent to which modern slavery was or was not explicitly referenced in the aforementioned policies, with some including no reference at all, leading to the question of to what extent the implications of the Act are appropriately reflected in some institutions’ existing policy frameworks. We would suggest referencing a smaller number of specific policies or procedures which focus on slavery and human trafficking is a more positive demonstration of appropriate action rather than a plethora of documents that contain no explicit, or only passing, reference to this area and do not provide an adequate response on the part of the business concerned. • due diligence processes in relation to slavery and human trafficking in its business and supply chains. All the statements reviewed as part of the benchmarking exercise addressed this area, but the variation in the level of detail was again notable in terms of the processes described. Coverage included a combination of suppliers and/or prospective employees. As well as institutions’ internal processes, a high proportion of statements also referenced affiliations with Electronic Watch (EW) who’s mission is to help public sector organisations work together, and collaborate with civil society monitors in production regions, to protect the rights of workers in their electronic supply chains, and Netpositive Futures, which enables suppliers to develop a sustainability action plan. Institutions appear to consistently state they undertake modern slavery due diligence checks as part of the supplier selection process, with some adopting a risk-based approach based on the potential risk and value of the proposed contract, whether that is based on institutions’ own checks or assurances provided by potential suppliers via tender documentation. We see this as good practice; however, in the main, these processes did not apply beyond tier one suppliers, where modern slavery issues are most likely to occur. Whilst the difficulties and challenges in doing so are recognised, this would provide institutions with amore detailed understanding of modern slavery supply chain risks and ultimately facilitate better management, mitigation and transparency. • the parts of its business and supply chains where there is a risk of slavery and human trafficking taking place, and the steps it has taken to assess and manage that risk. The statements reviewed paint a picture of variable progress in this area. Some institutions’ processes appear to be relatively immature, with general reference made to future commitments and associated actions, but nothing specific by way of any formal risk assessment having already been undertaken. A number of institutions refer to having undertaken modern slavery risk analysis at a commodity and service or supplier level, either on an ongoing basis and/or as part of appointing a new supplier, which are then categorised into high, medium or low risk groups in order to prioritise the risk mitigation response. None of the statements reviewed contained references beyond first tier suppliers, which is of note given the

8 more tiers that exist in the supply chain, and the greater the complexity of the chain, the greater the challenge that institutions face to ensure that modern slavery is not taking place. There was some evidence of risk assessments that also took into account geography at a country level. We also note that whilst all statements referred to supply chains, there was limited information regarding organisations’ own business operations, as well as a general lack of detail around the specific risks that exist in institutions’ supply chains and the steps taken to address higher risks, perhaps in order to avoid institutions’ disclosing too much detail about their activities, which may also draw comparison with others. Whilst mindful of confidentiality, we think institutions should consider increasing transparency in this area as part of their statements through including greater detail around their risk assessments in terms of how they were conducted, the criteria used and the actions that have been, or will be taken, in response, to address modern slavery risks in their business operations and supply chains. • its effectiveness in ensuring slavery and human trafficking is not taking place in its business or supply chains, measured against such performance indicators as it considers appropriate. This was clearly the weakest area reported on across all of the statements reviewed, with all statements virtually silent in this regard. There was little by way of reference to the effectiveness of institutions’ activities in this area and none included any specific or relevant measurable goals or Key Performance Indicators (KPIs). As a minimum, we would expect linkage to existing KPIs that are relevant to modern slavery - for example, bespoke or integrated staff training in this area. As well as existing KPIs that may be relevant or contribute to modern slavery, institutions should also consider developing new KPIs and associated targets to measure performance and progress in mitigating and minimising modern slavery in its business operations and supply chains. • the training about slavery and human trafficking available to its staff. Again, the statements reviewed suggest a variable approach to training across the sector. At one extreme, one statement made no reference to any training delivered or to whom. At the other extreme, one statement made reference to relevant training that is required to be completed by all staff, which is delivered by an e-learning module renewable every three years. There was a more common middle ground referred to in a number of statements, with training provided to and/or undertaken by procurement teams. There was little evidence of wider targeted training to specific departments and employees. In some cases, training on modern slavery and human trafficking has been integrated as part of existing procurement training modules rather than separate and standalone training. There were some references to training events provided to suppliers, albeit by exception. It is noted that generally training references are made almost exclusively in the context of staff/employees as opposed to also incorporating explicitly, or at all, other types of stakeholders such as students, business partners, funders, research collaborators and so on. Informed by the assessment of the institution’s business operations

9 and associated supply chain arrangements that present modern slavery risks, we would expect a level of specific or closely related ethics and/or human rights mandatory training on modern slavery-related issues that is targeted to these identified groups and individuals therein, with the recipients clearly identified in the institution’s statement. Consideration should also be given to extending this training to members of their supply chains, given this is where the risk of modern slavery is probably the highest. We can provide Boards with independent assurance to support their sign-off of annual statements. To discuss this further, please contact us. Richard Young Executive Director t: 0161 546 3371 / 07795 122 252 e: ryoung@uniac.co.uk www.uniac.co.uk Michael Ritzmann Senior Audit and Assurance Consultant t: 0161 237 1174 e: mritzmann@uniac.co.uk www.uniac.co.uk We can help

10 In April 2021, we published a briefing on ‘Sustainability in Higher Education’. The paper called for the education sector to take further action on the threats and risks posed by climate and sustainability related issues. Since then, we have seen fairly limited action from the sector, and the case for change from a scientific and evidence led background continues to grow. It’s now likely that we will reach temperatures 1.5C over pre-industrial levels within the next five years, causing irreversible consequences for the global environment. There is an increasing drive to talk about sustainability in risk terms. We’ve seen this with the latest IPCC report1, and the recommendations from the TCFD2. Experts in the field are recognising that the effects of climate change are now inescapable and are looking to see what the likelihood and impacts of resulting risks are, and how these might be mitigated. 1 This refers to the paper produced by the second working group for the sixth assessment report to the International Panel for Climate Change. The paper details the work done to date on analysis of climate related impacts, adaptation and vulnerability. For the sector, we can view these under three key risk headings: Reputational Risks that employees / students / the general public do not perceive a provider’s actions to be sufficient, and consequently damage is caused to investment / recruitment / retention. This is the risk theme that is most commonly acknowledged by the sector, though we would argue is potentially the least damaging, and over focus on this may detract from management of other, more pertinent risks. Physical Risks that the effects of climate change will trigger physical damage to the estate / staff / students / visitors. Specifically for the UK, reaching global warming of 1.5C over pre-industrial levels will trigger increased volatility in weather events, which may lead to increased flooding / heatwaves (in a positive scenario), and subsequently pose difficulties for estates departments. The latest IPCC report suggests that we are already experiencing moderate to high risks of extreme weather events. Market risks Further afield, the increased danger associated with using finite resources and fossil fuels will place strain on international and national markets (e.g., energy and utility markets), and may cause significant price rises or resource scarcity. We anticipate that this will be met with increased legislation that providers 2 The TCFD (Task Force for Climate Related Disclosures) is an industry-led group which aims to create recommendations for policy makers on how to create effective legislation on climate reporting. Introduction Talking about risk 2. Internal Audit and Climate Change – March 2022

11 will have to navigate (e.g., energy usage cap and trade systems). The latest IPCC report suggests that we are already experiencing moderate risk of water scarcity in Southern Europe, with this anticipated to rise in Norther Europe in the foreseeable future. The HE sector needs to mature its approach to climate and sustainability risk in line with evidence based projects and action. There is an opening to balance these risks with significant opportunities, which could protect providers, and even increase reputation and standing. • Early adoption of leading low carbon tech may lead to increased investment and research credibility • Low carbon tech may lead to future cost efficiencies in strained markets • Early adoption and engagement with key initiatives may help providers shape emerging policy to ensure mutual benefit • Climate resilience planning may not only protect assets but increase valuation if physical risks develop sooner We anticipate that to meet the UK’s 2038 target for net zero, new legislation will have to be enacted, and soon. We’re starting to see early indications of this, such as the introduction of Climate Related Financial Disclosures, which will affect some UK providers (including UK public interest entities – which means it could be applicable for some HEIs in the sector). The regulations are due to come in for financial reports produced after 6th April 2022. Notably, these will include mandatory reporting of: - Company governance arrangements for assessing and managing climate related risks and opportunities - A description of how risks and opportunities are identified - A description of how these are integrated into overall risk management processes - A description of these risks and opportunities and the time periods by which they are assessed - A description of the actual and potential impacts of these risks on company operations - An analysis of the company resilience relating to these risks - A description of the associated targets and performance measuring - A description of supported KPIs, and how these are calculated Opportunities Legislating for change

12 We note that scope 3 disclosures3 are bizarrely not mandatory for reporting within the new framework. While these regulations might not extend to all providers, we would recommend reviewing and adopting some principles on a good practice basis. This legislation is similar to other regulatory drivers relating to sustainability in that there is a distinct focus on reporting, without any framework for legislative or financial intervention if targets are not met / climate action is not achieved. We anticipate more interventionist measures being developed as the associated risks become more likely - this may start with the regulator recognising the risk to the sector and highlighting statements of expectation or codes of practice that could spark regulatory intervention. As with all strategic change, there are key barriers to providers achieving an ideal sustainable end state. Most of these stem from culture issues, from executives and management teams that through no fault of their own, may not understand the nature of the risks, or how to deal with the issues. This often results in sustainability being siloed, or driven purely by estates functions, when a more cross working, whole provider approach would be more appropriate. Similarly, there is sometimes an over-keenness to be seen to be taking action - this results in ill 3 Scope 3 refers to Carbon emissions that occur in business chains but are not directly produced by day-to-day operations (e.g., staff travel, procurement, investments). thought-out plans, such as commitment to net zero goals, without consideration of key steps to achieve this, or of wider impacts and risks. To date (and from our experience), sustainability rarely appears in annual sector audit programmes. Where it is captured, the scope is often limited to reviews of carbon zero targets / projects and sponsored by estates departments. We believe there is potential to further the use of audit as a tool to assist with sustainable aims. The audit function is placed in a unique position, having easy access to teams across the range of the provider’s operations, and also to senior management and nonexecutives. This enables us to provide holistic assurance on sustainable aims and the supporting projects and communicate key messages across the institution. This position also allows the audit function to review climate strategy integration across key business areas, verifying existing processes and controls, and bringing in best practice for a rapidly changing risk environment. The role of the audit function does not, however, need to be limited to providing assurance. Relevant expertise can assist senior executives in understanding the key risks, and the threat posed to the provider – for example, through digesting recent policy briefings and communicating key messages. If however, providers fail to acknowledge wider sustainability risks and continue to only Internal audit’s role Barriers

13 view the risk through the prospect of reputational damage, the audit function can still provide a sense of objectivity to key stakeholders that appropriate action is being taken surrounding this risk. We can provide bespoke sustainability audit and consultancy, dependent on the needs of the institution. We could help with: - Monitoring of progress towards frameworks / accreditation - Advisory work on action to take and next steps to create sustainable approaches - Creation and implementation of sustainability strategies / policies - Systems and process reviews to assess sustainability in practice - Sustainability data collection and business intelligence - Benchmarking institutional approaches against sector and non-sector approaches - Assessing sustainable cultures across institutions, including both Senior Management and wider staff buy in. We can help Paddy Marshall Audit and Assurance Consultant t: 07796 180 139 e: pmarshall@uniac.co.uk www.uniac.co.uk

14 On 09/03/1999, the Inland Revenue issued a press release called ‘Countering Avoidance in the provision of Personal Services’ outlining Government plans to restrict the use of sole shareholder/director limited companies (‘Personal Services Companies’) to provide professional services to clients to (allegedly) reduce liabilities to tax. This became law in 2000 (via the Finance Act 2000) and the rules, whilst going through several changes and iterations, are still in place today. In 2015, the Government released a document called ‘How to make IR35 more effective in protecting the Exchequer’ which highlighted the possibility that organisations engaging individuals may be required to determine their employment status. In March 2016, the Government confirmed that there would be changes to IR35 legislation to consider in more detail ‘off-payroll working’ within public sector organisations which became effective from 06/04/2017. This required public sector organisations (‘clients’) to assume responsibility for determining whether individuals engaged for services were inside or outside the IR35 legislation. If individuals were assessed and deemed to be in an employment relationship, it became the responsibility of the client for treating the 4 Off-payroll working in the public sector: reform of the intermediaries legislation - technical note - GOV.UK (www.gov.uk) individuals as an employee and accounting for PAYE and National Insurance Contributions at source on behalf of HMRC. A technical note4 was published by HMRC which set out the practicalities of IR35 legislation requirements. This change required, in many cases, new processes and controls to be created in organisations which had not previously had to make these determinations themselves but relied on the contractors they were engaging. To support understanding of the legal change in responsibilities, HMRC published guidance in February 2017 for clients and contractors setting out the new rules.5 Additionally, HMRC launched the Employment Status Test (‘ESS’) to assist with the employment status determination for tax purposes of individuals for establishing whether they were inside or outside IR35. The ESS became the ‘Check Employment Status for Tax’ (‘CEST‘) tool currently used for status determinations. This paper considers the impact of the IR35 legislation from an HE perspective following on from recent work undertaken in this area on the relationship between institutions and individuals engaged for services, the current requirements (including the April 2021 update to the legislation), the risks to demonstrating these have been achieved and the way ahead for employment status determinations for tax purposes. 5 https://www.gov.uk/guidance/off-payroll-working-in-the-public-sector-reform-ofintermediaries-legislation 3. Managing IR35 Requirements – December 2021 Background

15 From 06/04/2021, all organisations covered by the IR35 legislation (both public and private sector) are required to determine the employment status for tax purposes of every worker who operates through their own intermediary, even if they are provided through an agency. An additional requirement is that any determination made should be communicated to the individuals using a’ Status Determination Statement’ (‘SDS’).6 Government guidance states that an SDS must: i. be passed to the worker and the person or organisation you contract with ii. give your conclusion and the reasons for coming to it. To support this, organisations are expected to: i. take ‘reasonable care’ when making a determination ii. make sure detailed records of employment status determinations are retained (including the reasons for the determination and fees paid) iii. have processes in place to deal with any disagreements that arise from determinations made 6 April 2021 changes to off-payroll working for clients - GOV.UK (www.gov.uk) iv. confirm the size of your organisation (if asked by the person or organisation you contract with, or the worker directly. Where it is deemed that the IR35 legislation applies to the worker engaged, the organisation performing the assessment is required to calculate the tax and national insurance applicable. The following risks should be fully considered to ensure that IR35 processes in place are fit for purpose in demonstrating compliance: • The institution is unable to demonstrate to HMRC that it has exercised reasonable care when determining the employment status of workers. This may be more of an issue in HEIs where several stakeholders input into the assessment process and incorrect reliance is placed on other areas to complete required checking. • Workers may be incorrectly assessed when determining whether IR35 or employment status rules apply potentially resulting in liabilities which have not been identified through the assessment. • The institution may make incorrect PAYE and National Insurance payments to HMRC due to incorrectly determining the employment status of workers, potentially Key risks to IR35 compliance IR35 Legislation changes from April 2021 ft

16 resulting in financial loss. This issue is potentially more apparent within HEIs where status determinations are not managed by Finance but academic schools and faculties. • Lack of clarity over assessment results leading to inappropriate judgements over determinations from the CEST online tool. • Failure to maintain clear evidence supporting the rationale for an IR35 determination could lead to challenge and review by HMRC. • Contractors deemed to be inside IR35 when they believe they should be assessed as ‘outside’ (particularly where they provide services to other organisations which have been deemed outside IR35) could lead to a reduction in available workers for the institution. This could result in ineffective management of projects through lack of suitably experienced and available resource. Again, this is a potentially significant issue within HEIs where IT and Estates resource is engaged through contractors arrangements. • Failure to correctly complete and issue Status Determination Statements to individuals and contractors leading to non-compliance with post April 2021 requirements for IR35 assessments, hence the issue of this paper now. • Restricting the management of the IR35 compliance process to HR functions within the institution may result in key financial implications being missed through lack of appropriate taxation specialist knowledge. Given the above areas of risk to demonstrating IR35 compliance, the following are controls which we have seen in place in HE institutions which we consider are best practice in mitigating and managing risks should they crystallise: • Clear process documentation in place for IR35 assessments which sets out: i. the steps taken to undertake employment status determinations ii. guidance setting out the responsibilities for recruiters within the organisation in engaging external workers iii. how determinations of employment status for tax purposes should be made and recorded iv. version control to ensure processes are updated with changes to legislation on a timely basis. • A clearly defined methodology for the retention of evidence for each employment status determination made for workers engaged. This is vital in demonstrating the assessment was undertaken as required. From recent work undertaken with HEI clients, this was observed as a strong indicator of robust controls in place over IR35 processes. • Ensuring that the finance and taxation teams of the institution have an input into the management of the process for undertaking IR35 assessments, given that the principal objective of the legislation is to ensure that the Best practice for managing IR35 compliance

17 employment status of workers is correctly assessed for tax purposes. In one HEI recently reviewed, it was observed that multiple stakeholders were involved in the IR35 process across different functions which positively impacted the completion of the process. • Using external agencies for the provision of contractors for services who themselves use umbrella companies, reduces the risk of exposure to non-payment of income tax and national insurance as any liabilities identified will remain with the umbrella company or the agency contracted with. A recent review of a larger HEI indicated that agencies were used where contractors were operating through umbrella companies. • Where agencies were engaged by the institution to provide contractors, the agency contract terms clearly set out the responsibility for the calculation and payment of tax and national insurance where an employment relationship was deemed to exist. Again, in one HEI recently reviewed, we observed that contractor agencies used retained responsibility for a significant part of the IR35 requirements and accounting for tax which removed the burden from the HEI. • As Status Determination Statement requirements have been introduced from April 2021, we advise that there is a clear communication framework in place for communicating employment status determinations and 7 ESM10014 - Employment Status Manual - HMRC internal manual - GOV.UK (www.gov.uk) their rationale to individuals and contractors to ensure that: i. Status Determination Statements comply with the requirements set out by HMRC 7 ii. Individuals and contractors clearly understand the determination to enable informed decision-making over whether they wish to enter a contractual arrangement with the organisation iii. All parties are clear on the arrangements in place for the provision of work by the individual or contractor. • A sufficiently comprehensive training programme for all recruiting managers with responsibility for the engagement of individuals and contractors either directly or through agency arrangements was observed in larger institutions reviewed. This was typically overseen by one area of the institution (such as HR or Finance). We would recommend that this is regularly reviewed to ensure that updates to legislation are captured and communicated on a timely basis. • Having clearly defined responsibilities within the institution for managing the IR35 process ensure that all requirements of the legislation are clearly assigned, and key components are not missed. • In one organisation, whilst IR35 requirements were satisfactorily managed, we recommended that a central repository was created and maintained to capture all IR35

18 employment status determinations. This would provide all stakeholders to the process with a detailed schedule of the IR35 status of any given arrangement with individual contractors to ensure all requirements have been met. We would recommend that institutions consider the insurance arrangements in place to ensure that cover is in place to mitigate the risk of incorrect status determinations and potential future tax liabilities arising from these through the findings of HMRC investigation activity. In one institution, we noted that standard IR35 determination statements had been created for similar roles across departments (to avoid running an assessment for every new contractor). From our review of the legislation, care should be exercised in creating standard IR35 determination statements for similar roles as, whilst roles may appear the same they may have small differences in requirements which would cause the assessment to result in an inside IR35 determination. Given the development of the IR35 legislation since its inception in 2000, further changes by HMRC to the requirement to assess workers’ employment status for tax purposes are anticipated to ensure that the legislation remains appropriate and fairly applied to the engagement relationship between individuals and institutions. Listed below are some other areas for consideration regarding IR35 legislation: • A consideration over whether to continue to engage individuals operating through PSCs and undertaking IR35 assessments of the engagements entered or end these relationships in favour of issuing fixed term employment contracts to workers engaged. The advantage of engaging with individuals operating through PSCs is the wider access to knowledge and experience which may otherwise not be available for individuals engaged as employees. • The obvious disadvantage of engaging workers as employees is the extra burden of accounting for tax and national insurance, the cost of employers’ national insurance and auto-enrolment workplace pension responsibilities which, where an outside IR35 relationship is established are not the responsibility of the client institution. • An additional consideration is that not all institutions are necessarily the ‘end client’ for the purposes of IR35 legislation. Where an institution is considering filling a role, HMRC will consider it as the decision-maker in the process and it must issue a Status Determination Statement which should be issued to the individual engaged. Where an individual contractor’s ‘end client’ (i.e., the institution) outsources the project to a third party to manage activity, HMRC will consider that third party as the Other considerations ft

19 end client who takes on the decision-making for the PSCs it manages.8 Where the institution is requesting the third party to undertake specific roles, it will retain the decision-making responsibilities (and completion and issue of SDS), whilst the third party – such as an agency – will have the role of ‘fee payer’ for the PSCs engaged.9 This may particularly be relevant where an IT consultancy third party is engaged. • It is also worth noting that ‘small companies’ as defined by HMRC10 are exempt from IR35 legislation meaning that, where contractors are engaged, the decision-making and liability for payment of tax and national insurance lies with the PSC. Where a third party engaged is therefore classified as a small company, the initial end-client does not retain any IR35 assessment responsibility or any potential tax liability. This is particularly important where small companies are engaged to provide contractors for projects within the organisation. • It is crucial that the IR35 responsibilities are established and clearly defined. In the future, HMRC may focus some compliance assurance activity on contracts where IR35 exempt small consultancy companies are used to ascertain that these are not being used to avoid responsibility for their legal obligations. 8 https://www.gov.uk/hmrc-internal-manuals/employment-status-manual/esm10014 • Agencies used by the end-client organisation to provide individual contractors for projects are defined as the fee payer in the relationship with the PSC the individual contractor is using. Because of this relationship, the agency will become liable for any uncollected tax due from the PSC if the end client’s IR35 assessment process has resulted in errors, irrespective of the level of care taken by the organisation. It is critical that, where agencies are used, the contractual arrangements are clear and that IR35 assessment responsibilities are clearly defined and understood. Uniac can provide an assessment of the current processes and controls in place to manage IR35 to provide assurance that these comply with current HMRC requirements. 9 https://www.gov.uk/hmrc-internal-manuals/employment-status-manual/esm10010 10 https://www.gov.uk/annual-accounts/microentities-small-and-dormant-companies We can help Graeme Chambers Senior Assurance and Audit Consultant e: gchambers@uniac.co.uk www.uniac.co.uk Richard Young Director t: 07795 122 252 e: ryoung@uniac.co.uk www.uniac.co.uk

20 On the 24th November 2021, the Department for Education (DfE) wrote to vice-chancellors regarding their admissions policies and contract terms. While the letters have not been made public, it is understood that the DfE has raised concerns around universities using contract terms that allow them to withdraw offers if a course is oversubscribed. The Office for Students (OfS) has also expressed its concerns around this and their opinion that such clauses would likely contravene consumer protection law11. Lastly, on the 24th November the Competition and Markets Authority (CMA) also published a statement12 reiterating its views on how consumer protection law applies in the HE sector. This is the first time that the sector has heard from the CMA since 2016. As such, we have taken the opportunity to provide a general update to audit committees on consumer protection in HE. We begin by summarising the current legal and regulatory context, followed by a discussion of potential developments, particularly in the OfS’ regulatory approach. We finish by 11 https://www.officeforstudents.org.uk/news-blog-and-events/press-and-media/ofsresponds-to-cma-statement-on-consumer-law-and-the-admission-process/ 12 https://www.gov.uk/cma-cases/consumer-protection-review-of-higher-education offering some recommendations to institutions to ensure robust and continued compliance with consumer protection law and OfS expectations. Under the 2015 Consumer Rights Act, students are legally classified as “consumers” and therefore entitled to full protection under the UK’s consumer protection laws. The OfS has further enshrined these protections under regulatory condition C1, which states: The provider must demonstrate that in developing and implementing its policies, procedures and terms and conditions, it has given due regard to relevant guidance about how to comply with consumer protection law. Currently, the “relevant guidance” is the sector advice issued by the CMA back in March 201513. In this advice, the CMA emphasises universities’ legal obligations to ensure that 1) prospective and enrolled students receive accurate, clear, timely, and comprehensive information about their course; and 2) terms and conditions between universities and their students are fair. Over the past two years, Covid-19 has presented some serious challenges for universities in fulfilling these obligations. 13 https://www.gov.uk/government/collections/higher-education-consumer-lawadvice-for-providers-and-students Legal and regulatory context Background 4. Consumer Protection Law – December 2021

21 However, while other regulatory conditions were relaxed, the OfS was clear in its message that the law is the law and universities must continue to comply fully with consumer protection legislation. Following this, in January 2021, the OfS instructed institutions to assess their compliance with consumer law and provide assurances to their governing body. In its November 2021 statement, the CMA has repeated its 2015 advice. Contract terms are likely to be unfair if they 1) allow a provider to withdraw offers when the terms of the offer have been met; and / or 2) exclude or limit the provider’s liability if it subsequently fails to provide the place it has agreed. Overall, within a changing and challenging external context, the legislative requirements, expectations, and advice for providers has remained unchanged since 2015. However, that is not to say that change is impossible. The OfS takes a strong interest in consumer protection for students. It has also signalled on several occasions its frustrations with the CMA’s hands-off approach and intentions in developing its own involvement. We highlight two key areas where we could see the OfS take action: 1. Standardised student contracts 14 https://www.officeforstudents.org.uk/media/80806001-1364-46d5-8326c0f60782dc1b/bd-2019-november-81-student-information-and-contracts.pdf At its very first Board meeting in January 2018, the OfS raised the possibility of standardising student contracts. This would give the OfS complete control over the contract terms used across the sector and the ability to remove any that it deems as unfair. 2. New guidance Currently, the OfS has limited scope to enforce compliance with consumer protection legislation. They cannot judge whether a provider is in breach of the law (this can only be done by a court) and their own regulatory condition only requires providers to give “due regard to relevant guidance”. In a Board paper from November 201914, the OfS states: “We know that our consumer protection tools, as currently configured, are not allowing us to intervene when we see evidence that our regulatory objectives and outcomes [high quality academic experience and protecting students’ interests] are not being delivered for students.” A straightforward solution, and one they express interest in, would be to replace the CMA’s guidance with their own and strengthen the wording of regulatory condition C1. This would allow the OfS to take more proactive enforcement action. While they do not have the authority to judge if a provider is in breach of the law, they can absolutely judge if a provider is in breach of their own published guidance. Potential developments

22 At the same time, the burden of enforcement would shift away from students. Currently, if a university is in breach of consumer protection law, it is down to students to raise individual complaints to the CMA. New guidance or a reworded regulatory condition would allow the OfS to make more proactive and sector-wide interventions on students’ behalf. This move would also allow the OfS to broaden the scope of the guidance (and thereby their enforcement powers) to all student groups. The CMA’s 2015 advice only applies to undergraduate students despite universities having legal obligations towards its entire student body. This is a clear shortfall that the CMA has not addressed, even in its November 2021 statement. Lastly, in authoring their own guidance, the OfS would have far greater control in the design and implementation of institutions’ compliance with consumer protection laws. We highlight some areas below that we believe will help institutions develop a comprehensive and balanced approach to their compliance with consumer protection law. CMA’s 24th November statement Firstly, given the recent releases, providers should familiarise themselves with the CMA’s statement and guidance and take action to review and change their terms and conditions where necessary. Scope of compliance Most institutions manage their compliance with consumer protection laws as part of their wider arrangements for OfS compliance. For best practice, and to ensure full compliance with the law, institutions should ensure that all student groups are included within this remit. This is usually straightforward for undergraduate and postgraduate taught students (for which the CMA guidance is easier to apply). Nonstandard provision (such as CPD, PGR, and apprenticeships) can prove more challenging as these courses often follow different admissions and delivery patterns. Addressing these areas will ensure that institutions are prepared for potential changes in the OfS’ regulatory approach. Reducing burden It is important to recognise that the CMA’s guidance is not designed to prevent or discourage programmes from making changes or to stifle innovation. Instead, the guidance seeks to ensure that any changes are open, fair, and endorsed by those they affect. Institutions with a mature and embedded approach may wish to explore ways to reduce the burden of compliance in ways that are more amenable to course innovation and development. A good starting point would be to review the changes to key processes (e.g. course approval and course amendments) that were made during the Covid-19 disruption. Institutions may Good practice

23 find that “relaxed” procedures have been equally effective in ensuring compliance. An example we have seen from our work in the sector is to reduce the approval thresholds for categories of course changes, e.g. from Faculty-level to Schoollevel. Developing a risk-based approach to course changes Linked to this, institutions may wish to review the framework within which they address proposed course changes. Currently, the standard approach is to classify all types of amendment as major or minor and to develop the subsequent review and approval processes around these categories. While this approach can provide adequate control, we are aware from our work in the sector of a growing appetite to move away from prescriptive category definitions to a more risk-based approach. Under a risk-based approach, proposed amendments are considered individually and the level of risk determined according to the significance of the change (e.g. through its potential impact on learning objectives), its timing (e.g. whether it is proposed for current cohorts), and any other relevant considerations (e.g. whether a specific fieldwork destination was heavily marketed to current students). This assessment would determine whether the amendment ought to be classed as “major”, “minor”, or indeed any other risklevel. Institutions may find this approach could reduce the administrative burden of CMA compliance while being more conducive to course innovation and development. Uniac has experience in consumer protection laws as they apply to HEIs. We can provide an assessment of the current processes and controls in place to support compliance, along with sector benchmarking to help institutions develop a bestpractice approach. Fiona Waller Audit and Assurance Consultant e: fwaller@uniac.co.uk www.uniac.co.uk We can help

24 In 2019, the former Director of the Office for Fair Access, Professor Sir Les Ebdon, said: "While Ministers might have intended the impact of the recent changes to higher education regulation to have been favourable to smaller and specialist providers, it certainly does not feel like this for these institutions. The myriad of regulatory requirements being thrown at providers are challenging. This paper considers some of the burdens of the OfS Regulatory Framework on small and specialist providers of higher education. In gaining access to the Register of Higher Education, providers at that point must prove compliance with the initial conditions. In moving forward, they must remain compliant with the ongoing conditions of Registration, often without the breadth or depth of administrative support available to large, established institutions. They are less likely to have access to complex modelling software / expertise to scenario plan, monitor and evaluate student outcomes and probably feel there is little evidence to date of 'light touch regulation'. In addition to the regulatory framework, there is a burgeoning array of briefing papers and guidance notes with OfS's own limited resources to undertake assurance exercises such as regulatory effectiveness reviews. There has been a year-on-year increase in the number of published regulatory documents (from 29 in 2017/18 to 82 in 2019/20). For smaller providers, where regulatory compliance may fall to one or two individuals (in addition to other duties), it is simply too arduous to respond to all consultations and retain and cross-reference the potential impacts of what is being proposed / required. We consider some practical ways in which small providers can stay on top of regulatory requirements and make decisions about how to prioritise current and new requirements. The Higher Education and Research Act (Part 1 2(2)(a))15 outlines the General Duties of the OfS, to have regard to "choice in the provision of higher education amongst a diverse range of types of provider". In other words, the OfS should be supporting choice in the diversity of Higher Education provision, and therefore needs to have regard to protecting the diversity of providers available to students. 15 https://www.legislation.gov.uk/ukpga/2017/29/pdfs/ukpga_20170029_en.pdf Background 5. Small and specialist providers: Responding to and managing OfS Regulatory Requirements – November 2021 (Uniac and GuildHE)