Purpose of policy
- The following policy and the associated Internal Audit Charter (Appendix A) are intended to provide a broad framework for the conduct of audit and assurance services at the University.
Policy scope and application
- This policy applies to all staff, students, contractors and members of decision-making and advisory bodies of the University.
- Under the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld), Council is required to efficiently, effectively and economically manage and control the University’s operations and must act in the way that promotes the University’s interests, including to:
- establish and maintain appropriate systems of internal control and risk management;
- establish and keep funds and accounts in compliance with prescribed requirements;
- ensure annual financial statements are prepared, certified and tabled in Parliament in accordance with prescribed requirements;
- undertake planning and budgeting for the University that is appropriate to its size; and
- perform other functions conferred by legislation on the University or under a financial and performance management standard.
- Assurance elements at the University which are covered by this policy include the following three key legislative components:
- Internal Audit – established by the University in accordance with the requirements of the Financial and Performance Management Standard 2019 (Qld);
- Audit and Risk Management Committee – established by the University in accordance with the requirements of the Financial and Performance Management Standard 2019 (Qld), including the development of terms of reference which have regard to the Queensland Treasury publication ‘Audit Committee Guidelines – Improving Accountability and Performance’ (July 2020); and
- External Audit – the University is required under Section 62 of the Financial Accountability Act 2009 (Qld) to prepare annual financial statements, certify whether these statements comply with prescribed requirements, have the statements audited as required under the Auditor-General Act 2009 (Qld) and include these statements in the University’s annual report.
Definitions
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to its effectiveness:
ARMC means the University’s Audit and Risk Management Committee.
Assurance Services means an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the University. Examples may include financial, performance, compliance, system security, project assurance and due diligence engagements.
Charter means the Internal Audit Charter (Appendix A).
Committee member means a member of the University’s Audit and Risk Management Committee.
Advisory Services means advisory and related activities, the nature and scope of which are agreed with the business area requesting the service and are intended to add value and improve an organisation’s governance, risk management and control processes without the Internal Auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.
Core Principles for the Professional Practice of Internal Auditing (Core Principles) are the key elements that describe Internal Audit effectiveness. The Core Principles underpin the Code of Ethics and the Standards.
External Audit refers to representatives of the Queensland Audit Office (QAO) or any other providers of audit services subcontracted by QAO to undertake elements of its audit program at the University. If QAO does subcontract to another audit provider, these providers report to QAO.
Internal Audit refers to the internal audit activities of the University, which may be established as an internal organisational unit or outsourced to an independent professional service provider, or any combination of the two.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Terms of Reference refers to the Audit and Risk Management Committee Terms of Reference.
Policy statement
- This policy establishes an audit and assurance framework to assist in the effective discharge of its stewardship and leadership responsibilities, to strengthen the University’s control environment including the control of institutional resources in accordance with its legislative responsibilities.
- The Council and management of the University are committed to an open and accountable system of governance and the embedding of continuous improvement processes across the University to support achievement of its strategic and operational objectives. The implementation of an effective audit and assurance framework is fundamental to these principles.
Principles
- Audit and assurance framework
- The University’s Audit and Assurance Framework is based on a three lines of defence model (as illustrated in Diagram 1 below) to demonstrate and structure roles, responsibilities, linkages and accountabilities for decision making, risk and control purposes to achieve effective governance and assurance. Each line of defence provides higher levels of independence and objectivity, thereby delivering greater assurance to key stakeholders.
- The first line of defence is responsible for the identification and effective management and mitigation of risks as well as the identification, recording, escalation and management of issues.
- The second line of defence undertakes independent oversight of the risk profile and risk management framework.
- The third line of defence independently evaluates and provides an opinion on the adequacy and effectiveness of both the first and second line controls.
Diagram 1 – USC Audit and Assurance Framework
- Internal Audit
- The University is committed to maintaining an efficient, effective and economical internal audit function as required by the Financial and Performance Management Standard 2019 (Qld) and will ensure that all internal audit activities remain free of influence by any organisational elements.
- Internal audit responsibilities are defined by Council, on advice of the ARMC, in the associated Internal Audit Charter (Appendix A). Internal Audit’s role may include, but is not limited to, the review of University risk, internal controls, efficiency, effectiveness, governance, performance, and compliance matters (including work health and safety).
- The primary purpose of Internal Audit is to add value to the University’s operations by providing an independent appraisal and advisory function for Council, the ARMC and the Executive Committee thereby assisting the University in realising its strategic and corporate goals. This is achieved by examining and evaluating the adequacy, effectiveness and efficiency of risk management, systems of internal control and the quality of management systems in an independent and professional manner.
- A review or appraisal by Internal Audit does not in any way relieve officers of the University of their individual responsibilities and accountabilities. Nor does it in any way diminish the Vice-Chancellor and President’s, members of UniSC’s Executive, or management’s responsibilities for the implementation and maintenance of effective systems of internal control and prevention and detection of fraud.
- Audit and Risk Management Committee
- The University is committed to maintaining an Audit and Risk Management Committee in accordance with the Financial and Performance Management Standard 2019 (Qld).
- The primary functions of the ARMC are to:
- evaluate whether processes are in place to address key roles and responsibilities in relation to risk management;
- evaluate the adequacy of the control environment to provide reasonable assurance that the systems of internal control are of a high standard and functioning as intended;
- review and appraise the financial statements to ensure the integrity and transparency of the financial reporting process;
- monitor the effectiveness of performance information and compliance with performance reporting requirements;
- evaluate the quality of the internal audit function, particularly in the areas of planning, monitoring and reporting;
- engage with external audit and assess the adequacy of management response to issues identified by audit;
- review the effectiveness of how the University monitors compliance with relevant legislative and regulatory requirements and promotes a culture committed to lawful and ethical behaviour; and
- review the appropriateness of management’s handling of matters relating to (alleged) fraud or unethical conduct and evaluate the adequacy of measures taken to avoid similar conduct occurring in the future.
- The ARMC responsibilities are defined by Council as part of their oversight role. Detailed roles, responsibilities, composition and operating guidelines for the ARMC are outlined in its Terms of Reference.
- As part of its responsibilities, the ARMC will also oversight the University’s compliance with Australian Taxation Office requirements to the extent that they apply to the University’s operations.
- External Audit
- The University and its consolidated entities are required to have an external audit of statutory compliance in accordance with the Financial Accountability Act 2009 (Qld) and the Auditor-General Act 2009 (Qld). This is conducted by the Queensland Audit Office or its authorised subcontractors.
- External Audit must be given full, free and unrestricted access to any and all records, physical properties, personnel and other documentation belonging to, in the custody of, or under the control of, the University. All employees are to assist External Audit in fulfilling its role and responsibilities.
- The University’s external audit program is comprised of the following:
- on an annual basis an external audit plan is set by External Audit which outlines key areas of audit focus, scope and related costs and is provided to the ARMC for review. Final audited financial statements and reports are provided in sufficient time for the University to meet its financial and legislative reporting requirements; and
- as part of a comprehensive program of audit activities across entities at a state level, the Queensland Audit Office also runs a program of performance audits. The University is a willing participant in such audits.
- It is the responsibility of External Audit to audit the annual financial statements and prepare an auditor’s report in accordance with legislative requirements, prescribed accounting standards and government guidelines. The Auditor-General presents its annual report, audit certification and management letter to both the University and in its annual report to state parliament.
- External Audit representatives are invited to attend each ARMC meeting.
- Review
- This policy and the attached Internal Audit Charter will be reviewed by the ARMC annually. All amendments to the policy and Charter require ARMC’s endorsement, prior to submission to Council for discussion and approval.
Authorities/Responsibilities
6.1 The following authorities/responsibilities are delegated under this policy:
Activity | University Officer/Committee |
Overarching accountability for maintaining audit and assurance functions in accordance with legislative requirements. | Council |
Oversight of the University’s audit and assurance activities. | ARMC |
Responsible for ensuring that audit and assurance activities are carried out effectively within the University and for promoting a culture that encourages strong governance, risk management and control. | Vice-Chancellor and President |
Responsible for oversight of administrative aspects of the Internal Audit function. | Director, Governance and Risk Management |
Responsible and accountable to the ARMC to operate the Internal Audit function in accordance with the Audit and Assurance Framework and the University’s Internal Audit Charter. | Senior Manager, Internal Audit |
END
Appendix A - Internal Audit Charter
Introduction
- The Vice-Chancellor and President has established the Internal Audit Function as a key component of the University’s governance framework.
- Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the University. It assists the University to accomplish its objectives by bringing a systematic, disciplined and risk-based approach to evaluate and improve the effectiveness of the University’s risk management, control and governance processes.
- The Internal Audit Charter is intended to provide a broad framework for the conduct of internal audit services at the University in accordance with the Financial and Performance Management Standard 2009 (Qld). This Charter should be read in conjunction with the Audit and Assurance Framework - Governing Policy and applies to all members of the University Community.
- This charter provides the framework for the conduct of the internal audit function at the University and has been approved by Council taking into account the advice of the Audit and Risk Committee.
Definitions
- Refer to the Audit and Assurance Framework - Governing Policy for a complete list of definitions.
Role of Internal Audit
- Internal audit is an independent, objective assurance activity designed to add value and improve an organisation’s operations.
- It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- Internal Audit is an integral part of the internal control and risk management framework as it functions by evaluating the effectiveness of the University’s governance processes.
- The purpose of internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.
- Internal audit provides an independent and objective review and advisory service to:
- provide assurance to the Vice-Chancellor and President, and the ARMC, that the University’s financial and operational controls, designed to manage the agency’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner, and
- assist management in improving the University’s business performance.
Professionalism
- Internal Audit staff must be cognisant of the functions imposed in applicable standards and comply with professional standards of conduct including standards issued by:
- the Institute of Internal Auditors
- the Certified Practising Accountants (Australia)
- Chartered Accountants Australia and New Zealand
- the Information Systems Audit and Control Association
- the standard relevant to risk management (being AS/NZS ISO 31000: 2018) and
- other relevant standards issued by Standards Australia and the International Standards Organisation.
- Internal Audit will:
- govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).
- observe The Institute of Internal Auditors' Practice Advisories, Practice Guides and Position Papers, as applicable to guide Internal Audit’s operations.
- adhere to the University’s relevant policies and procedures and this Internal Audit Charter.
- Internal Audit staff must possess the knowledge, skills and technical proficiency essential to satisfactorily perform the tasks required of an internal auditor.
Authority and Scope of Internal Audit
- Authority is granted to Internal Audit for full, free and unrestricted access to any and all of the University’s records, physical properties, personnel and other documentation pertinent to carrying out any engagement, with strict accountability for confidentiality and safeguarding of records and information. All staff members are to assist Internal Audit in fulfilling its role and responsibilities and must not knowingly mislead the internal audit function or wilfully obstruct any audit activity.
- All records, documentation and information accessed in the course of undertaking internal audit activities are to be used solely for the conduct of these activities.
- The Internal Audit function has authority to conduct such audits as are necessary to exercise its responsibilities, to determine their nature and scope and to develop methods of investigation for the appraisal of operations. Internal Audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. Internal Audit must disclose any such interference to the ARMC and discuss the implications.
- Other University policies, procedures and documents must not contradict the authorised access by Internal Audit as expressed in the Internal Audit Charter. In the event of any conflict this Charter should take precedence.
- The Senior Manager, Internal Audit will escalate matters to the Chairperson of the ARMC for action where there is insufficient co-operation received from senior management, or agreed protocols are not met.
- Internal Audit will have unfettered access to the Council, the Vice-Chancellor and President and the ARMC.
- Internal audit reviews may cover all programs and activities of the University together with associated entities, as provided for in relevant business agreements, memorandum of understanding or contracts. Internal audit activity encompasses the review of financial and non-financial policies and operations in line with the Internal Audit Plan.
- The scope of Internal Audit will include all parts of the University including controlled entities of the University.
Independence
- Independence is essential to the effectiveness of the internal audit function. Internal audit activity shall be independent, and internal auditors shall be objective in performing their work. Internal auditors shall have an impartial, unbiased attitude and avoid any conflicts of interest.
- The internal audit function has no direct authority or responsibility for the activities it reviews. The internal audit function has no responsibility for developing or implementing procedures or systems and does not prepare records or engage in original line processing functions or activities [except in carrying out its own functions]. Internal Audit will not be responsible for the detailed development or implementation of new financial or administrative systems or any amendment, variation, or alteration to any such system, but should be consulted before any such system or amendment, variation or alteration is approved.
- The internal audit function is responsible on a day-to-day basis to the Senior Manager, Internal Audit.
- The Senior Manager, Internal Audit will confirm to the ARMC, at least annually, the organisational independence of the internal audit activity.
- Internal Audit staff and service providers are required to report any real or perceived impairments (e.g. conflicts of interest) to the Senior Manager, Internal Audit as soon as such impairments arise in accordance with the Conflict of Interest – Governing Policy. The Senior Manager, Internal Audit is required to report any such impairments to the Chairperson of the ARMC.
- The internal audit function, through the Senior Manager, Internal Audit, reports functionally to the ARMC on the results of completed audits, and for strategic direction and accountability purposes, and reports administratively to the Vice-Chancellor and President (through the Director, Governance and Risk Management) to facilitate day to day operations. The Senior Manager, Internal Audit has direct access to the Vice-Chancellor and President to discuss audit and risk issues when required.
Accountability
- The following dual reporting line is prescribed where the dotted line represents the ‘administrative’ reporting line and the bold line represents the ‘functional’ reporting line:
- The Director, Governance and Risk Management is nominated as the officer responsible for overseeing administrative aspects of Internal Audit.
- Within the constraints of Internal Audit’s approved budget and approved Internal Audit Plan, the Senior Manager, Internal Audit is authorised to:
- exercise autonomy in applying internal audit resources;
- recommend appointment of external service providers to co-source internal audit activities, both routine and ad hoc; and
- determine the scope, frequency, timing and procedures necessary to accomplish the objectives of each audit engagement.
- The Council, upon recommendation from the ARMC, will approve the Internal Audit Charter and all decisions regarding changes to the service delivery model for internal audit services and the performance evaluation, appointment or removal of an outsourced internal audit service.
- The ARMC will approve the risk-based Internal Audit strategic and operational plans.
- Internal Auditors must exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal Auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
Confidentiality
- Internal Audit staff must maintain the confidentiality of information obtained in the course of their duties and any information accessed in the course of audits is to be used strictly for audit purposes. Information should not be used for personal benefit. If there is any doubt over the conveying of information to a person, the Vice-Chancellor and President (or delegate) is to be notified and will determine the appropriateness of the information transfer.
- The Senior Internal Audit Manager and individual internal audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work. Information will not be released to third parties (other than through contracted co-source arrangements) unless required or authorised by or under law. Information will only be used for the purpose for which it is obtained.
- All internal audit documentation is to remain the property of the University. The Senior Manager, Internal Audit will determine the appropriate documentation retained for services provided by an external third-party in a co-source arrangement.
Responsibility
- The scope of Internal Audit encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management and internal processes (including work health and safety matters), as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives.
- Internal Audit undertakes Internal Audit activities, aligned with the Internal Audit plan, and Advisory Services as required.
- Internal Audit Activities
Internal audit activities will encompass the following areas (as appropriate to the Annual Internal Audit Plan):
- Risk Management
- evaluate the effectiveness, and contribute to the improvement, of risk management processes
- provide assurance to Council and the ARMC on the effectiveness of the risk management framework including the design and operational effectiveness of internal controls (financial and non-financial).
- provide assurance that risk exposures relating to the University’s governance, operations, and information systems are correctly evaluated, including:
- reliability and integrity of financial and operational information
- effectiveness, efficiency, and economy of operations and
- safeguarding of assets
- the reliability, timeliness, integrity and adequacy of information and the means used to identify, measure, classify and report such information;
- evaluating the effectiveness and efficiency with which resources are employed
- evaluating operations to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned;
- evaluate the design, implementation and effectiveness of the University’s ethics-related objectives, programs and activities
- assess whether the information technology governance of the University sustains and supports the University’s strategies and objectives.
- Compliance
- compliance with applicable laws, regulations and Government policies and directions.
- evaluating the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on the University;
- Performance improvement
- the efficiency, effectiveness and economy of the entity’s business systems and processes.
- Any dispute relating to whether an activity falls within the Internal Audit scope or whether access to records, information or officers should be provided, will be determined by the Vice-Chancellor and President, or delegate, and may be referred to the ARMC.
- Advisory services
The internal audit function can advise the University’s management on a range of matters including:
- New programs, systems and processes
- providing advice on the development of new programs and processes and/or significant changes to existing programs and processes including the design of appropriate controls.
- Risk management
- assisting management to identify risks and develop risk treatment and monitoring strategies as part of the risk management framework
- Fraud and corruption control
- evaluate the potential for the occurrence of fraud and how the University manages fraud risk
- assisting management to investigate fraud, identify the risks of fraud and develop fraud prevention and monitoring strategies
Audit planning
- Internal Audit will submit the three-year Strategic Internal Audit Plan and the one-year Operational Internal Audit Plan to the ARMC for review and approval. This should include overall objectives, work schedules, staffing, financial budgets and a description of any limitations placed on Internal Audit’s scope of work.
- The general direction of the University’s internal audit activities over the medium term is to be documented in a three-year Strategic Internal Audit Plan.
- It will identify the broad goals to be achieved and strategies to be adopted over the three year period.
- Internal Audit must prepare the Strategic Internal Audit Plan based upon the results of a risk assessment, focusing on the areas of high risk and those where internal controls are weak.
- This Strategic Internal Audit Plan is to be reviewed annually by both Internal Audit and the ARMC and altered to take account of any changes in priorities or risks. The Strategic Internal Audit Plan forms the basis for the preparation of the one-year Operational Internal Audit Plan.
- The one-year Operational Internal Audit Plan details the program for the forthcoming year and indicates the time allowances and budget for each proposed review or project. The actual audit performance will be regularly reviewed against the Operational Internal Audit Plan by the ARMC. Any necessary amendments to the Plan shall be submitted to the ARMC for consideration and approval.
- Internal Audit will prepare an individual audit plan, or scoping document, for all proposed audits. This document will be agreed to by Internal Audit and the cost centre manager and signed off by the relevant Executive member prior to commencement of the audit. This document should include audit title; objectives; description and scope; and expected timeframes including starting and finishing dates. The plan must consider the University’s strategies, objectives and risks relevant to the engagement.
- Audit plans will be developed using a risk-based methodology including input of senior management and the ARMC, to identify and prioritise audit tasks based on a risk assessment of the University’s operations. This will take account of materiality, level of assessed risk, significance in terms of organisational impact and public accountability.
- The activities and plans of Internal Audit are to be coordinated with those of External Audit to ensure coordination of internal and external audit coverage.
- The Vice-Chancellor and President, or delegate, is granted authority to amend the Internal Audit plans from time to time, to reflect emerging risks and priorities and to ensure that the plans remain responsive to changes in business requirements. Any significant deviation from the approved Internal Audit Plan will be reported at the next ARMC meeting.
Standards
- Internal audit activities will be conducted in accordance with this Charter, and with relevant professional standards including International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors.
- In the conduct of internal audit work, internal audit staff will:
- comply with relevant professional standards of conduct
- possess the knowledge, skills and technical proficiency relevant to the performance of their duties. This includes consideration of current activities, trends and emerging issues, to enable relevant advice and recommendations
- be skilled in dealing with people and communicating audit, risk management and related issues effectively
- exercise due professional care in performing their duties.
Relationship with external audit
- Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort.
- Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination.
- External audit will have full and free access to all internal audit plans, working papers and reports.
Conduct of Work
- Audit Planning
- The Annual Audit Plan will define the objectives, scope, priority, timing and resource requirements for each audit task in the coming year. This plan will be prepared and submitted to the ARMC for approval. The Annual Audit Plan is undertaken each year and aligns with the three-year Strategic Internal Audit Plan.
- The Annual Audit Plan shall be sufficiently comprehensive to ensure the complete and effective reviews of specified University activities and allow flexibility to accommodate special tasks and projects.
- Special Investigations
- Internal Audit staff may undertake special audits and investigations at the request of the relevant senior executive or after consultation with the Vice-Chancellor and President or as required in the course of general operations.
- Where Internal Audit assists in the investigation of suspected corrupt conduct, fraud or misappropriation within the University they will notify management and the ARMC of the corrective action to be taken.
- Other reviews as requested by the Vice-Chancellor and President and Senior Manager, Internal Audit or as a service to senior management may be conducted. Such requests will be risk assessed, as appropriate, to determine their priority within the approved annual audit plan.
Reporting and Monitoring
- At the conclusion of each audit, Internal Audit will issue a copy of the report on the audit outcome to the relevant cost centre manager and Executive member. The report will be submitted to the Executive Committee for review prior to the report being circulated to ARMC Committee members.
- The report will present the audit objectives, scope and conclusion based on the outcome of the audit as well as management’s response to the report. This response should include corrective action taken (or to be taken) in regard to the specific findings and recommendations and an agreed implementation timetable, or an explanation for any corrective action that will not be implemented.
- Internal Audit will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until completed, reviewed and closed by Internal Audit. Internal Audit will also perform annual follow-up audits to review extreme and high risk recommendations that have been previously closed.
- Internal Audit will periodically report to the Executive Committee and the ARMC on Internal Audit purpose, authority, responsibility and performance relative to its plan, and on its conformance with the Standards. Reporting will also include significant risk and control issues including fraud risks, governance issues and other matters that require the attention of the Vice-Chancellor and President, Executive Committee or the ARMC.
- Internal Audit will establish and maintain a quality assurance and improvement program to evaluate the operations of the internal audit function in accordance with the requirement of the Institute of Internal Auditors and communicate to the Vice-Chancellor and President and the ARMC on this program.
Administrative arrangements
- Any change to the role of the Senior Manager, Internal Audit, [and, where the internal audit function uses an outsourced service delivery model, the external service provider] will be approved by Council on the recommendation of the ARMC.
- The Senior Manager, Internal Audit, will arrange for an internal review, at least annually, and a periodic independent review, at least every five (5) years, of the efficiency and effectiveness of the operations of the internal audit function. The results of the reviews will be reported to the ARMC who will provide advice to Council on those results.
Review of the charter
- This charter will be reviewed at least annually by the ARMC. Any substantive changes will be formally approved by the Council on the recommendation of the ARMC.
Delegations
- The Director, Governance and Risk Management is the delegate of the Vice-Chancellor and President for matters relating to this Internal Audit Charter.
END of Appendix A