1. Purpose
1.1 This policy and the associated Appendix A – Internal Audit Charter (Charter) provide a broad overview for the conduct of audit and assurance services at the University.
2. Scope and application
2.1 This policy applies to all staff, students, contractors and members of decision-making and advisory bodies of the University.
2.2 Under the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld), Council is required to efficiently, effectively and economically manage and control the University’s operations and must act in the way that promotes the University’s interests, including to:
(a) establish and maintain appropriate systems of internal control and risk management;
(b) establish and keep funds and accounts in compliance with prescribed requirements;
(c) ensure annual financial statements are prepared, certified and tabled in Parliament in accordance with prescribed requirements;
(d) undertake planning and budgeting for the University that is appropriate to its size; and
(e) perform other functions conferred by legislation on the University or under a financial and performance management standard.
2.3 Assurance elements at the University which are covered by this policy include the following three key legislative components:
(a) Internal Audit – established by the University in accordance with the requirements of the Financial and Performance Management Standard 2019 (Qld);
(b) Audit and Risk Management Committee (ARMC) - established by the University in accordance with the requirements of the Financial and Performance Management Standard 2019 (Qld), including the development of terms of reference which have regard to the Queensland Treasury publication ‘Audit Committee Guidelines – Improving Accountability and Performance’ (July 2020); and
(c) External Audit – the University is required under Section 62 of the Financial Accountability Act 2009 (Qld) to prepare annual financial statements, certify whether these statements comply with prescribed requirements, have the statements audited as required under the Auditor-General Act 2009 (Qld) and include these statements in the University’s annual report.
3. Definitions
3.1 Refer to the University’s Glossary of Terms for definitions as they specifically relate to policy documents.
4. Policy Statement
4.1 This policy establishes an audit and assurance approach to assist in the effective discharge of its stewardship and leadership responsibilities, to strengthen the University’s control environment including the control of institutional resources in accordance with its legislative responsibilities.
4.2 The Council and management of the University are committed to an open and accountable system of governance and the embedding of continuous improvement processes across the University to support achievement of its strategic and operational objectives. The implementation of an effective audit and assurance approach is fundamental to these principles.
5. Principles
5.1 Audit and Assurance
5.1.1 The University’s Audit and Assurance approach is based on a three lines of defence model (as illustrated in Diagram 1) to demonstrate and structure roles, responsibilities, linkages and accountabilities for decision making, risk and control purposes to achieve effective governance and assurance. Each line of defence provides higher levels of independence and objectivity, thereby delivering greater assurance to key stakeholders.
5.1.1.1 The first line of defence is responsible for the identification and effective management and mitigation of risks as well as the identification, recording, escalation and management of issues.
5.1.1.2 The second line of defence undertakes independent oversight of the risk profile and risk management.
5.1.1.3 The third line of defence independently evaluates and provides an opinion on the adequacy and effectiveness of both the first and second line controls.
Diagram 1 – UniSC Audit and Assurance
5.2 Internal Audit
5.2.1 The University is committed to maintaining an efficient, effective and economical internal audit function as required by the Financial and Performance Management Standard 2019 (Qld) and must ensure that all internal audit activities remain free of influence by any organisational elements.
5.2.2 Internal Audit responsibilities are defined by Council, on advice of the ARMC, in the associated Appendix A – Internal Audit Charter. Internal Audit’s role includes, but is not limited to, the review of University risk, internal controls, efficiency, effectiveness, governance, performance, and compliance matters (including Work Health and Safety).
5.2.3 The primary purpose of Internal Audit is to add value to the University’s operations by providing an independent appraisal and advisory function for Council, the ARMC and the Executive Committee thereby assisting the University in realising its strategic and corporate goals. This is achieved by examining and evaluating the adequacy, effectiveness and efficiency of risk management, systems of internal control and the quality of management systems in an independent and professional manner.
5.2.4 A review or appraisal by Internal Audit does not in any way relieve officers of the University of their individual responsibilities and accountabilities. Nor does it in any way diminish the Vice-Chancellor and President’s, members of UniSC’s Executive, or management’s responsibilities for the implementation and maintenance of effective systems of internal control and prevention and detection of fraud.
5.3 Audit and Risk Management Committee (ARMC)
5.3.1 The University is committed to maintaining an ARMC in accordance with the Financial and Performance Management Standard 2019 (Qld).
5.3.2 The primary functions of the ARMC are to:
(a) evaluate whether processes are in place to address key roles and responsibilities in relation to risk management;
(b) evaluate the adequacy of the control environment to provide reasonable assurance that the systems of internal control are of a high standard and functioning as intended;
(c) review and appraise the financial statements to ensure the integrity and transparency of the financial reporting process;
(d) monitor the effectiveness of performance information and compliance with performance reporting requirements;
(e) evaluate the quality of the internal audit function, particularly in the areas of planning, monitoring and reporting;
(f) engage with external audit and assess the adequacy of management response to issues identified by audit;
(g) review the effectiveness of how the University monitors compliance with relevant legislative and regulatory requirements and promotes a culture committed to lawful and ethical behaviour; and
(h) review the appropriateness of management’s handling of matters relating to (alleged) fraud or unethical conduct and evaluate the adequacy of measures taken to avoid similar conduct occurring in the future.
5.3.3 The ARMC responsibilities are defined by Council as part of their oversight role. Detailed roles, responsibilities, composition and operating guidelines for the ARMC are outlined in its Terms of Reference.
5.3.4 As part of its responsibilities, the ARMC also oversees the University’s compliance with Australian Taxation Office requirements to the extent that they apply to the University’s operations.
5.4 External Audit
5.4.1 The University and its consolidated entities are required to have an external audit of statutory compliance in accordance with the Financial Accountability Act 2009 (Qld) and the Auditor-General Act 2009 (Qld). This is conducted by the Queensland Audit Office or its authorised subcontractors.
5.4.2 External Audit must be given full, free and unrestricted access to any and all records, physical properties, personnel and other documentation belonging to, in the custody of, or under the control of, the University. All employees are to assist External Audit in fulfilling its role and responsibilities.
5.4.3 The University’s external audit program is comprised of the following:
(a) on an annual basis an external audit plan is set by External Audit which outlines key areas of audit focus, scope and related costs and is provided to the ARMC for review. Final audited financial statements and reports are provided in sufficient time for the University to meet its financial and legislative reporting requirements; and
(b) as part of a comprehensive program of audit activities across entities at a state level, the Queensland Audit Office also runs a program of performance audits. The University is a willing participant in such audits.
5.4.4 It is the responsibility of External Audit to audit the annual financial statements and prepare an auditor’s report in accordance with legislative requirements, prescribed accounting standards and government guidelines. The Auditor-General presents its annual report, audit certification and management letter to both the University and in its annual report to state parliament.
5.4.5 External Audit representatives are invited to attend each ARMC meeting.
5.5 Review
5.5.1 This policy and Appendix A - Internal Audit Charter are reviewed by the ARMC annually. All amendments to the policy and Charter require ARMC’s endorsement, prior to submission to Council for discussion and approval.
6. Authorities/Responsibilities
6.1 The following authorities/responsibilities are delegated under this policy:
| Activity | University Officer/Committee |
| --- | --- |
| Overarching accountability for maintaining audit and assurance functions in accordance with legislative requirements. | Council |
| Oversight of the University’s audit and assurance activities. | ARMC |
| Responsible for ensuring that audit and assurance activities are carried out effectively within the University and for promoting a culture that encourages strong governance, risk management and control. | Vice-Chancellor and President |
| Responsible for oversight of administrative aspects of the Internal Audit function. | Director, Governance and Risk Management |
| Responsible and accountable to the ARMC to operate the Internal Audit function in accordance with the Audit and Assurance approach and the University’s Internal Audit Charter. | Senior Internal Audit Manager |
END
Appendix A – Internal Audit Charter
1. Introduction
1.1 The Vice-Chancellor and President has established the Internal Audit Function as a key component of the University’s governance framework.
1.2 Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the University. It assists the University to accomplish its objectives by bringing a systematic, disciplined and risk-based approach to evaluate and improve the effectiveness of the University’s risk management, control and governance processes.
1.3 The Internal Audit Charter is intended to provide a broad framework for the conduct of internal audit services at the University in accordance with the Financial and Performance Management Standard 2009 (Qld). This Charter should be read in conjunction with the University Audit and Assurance - Governing Policy and applies to all members of the University Community.
1.4 This Charter provides the framework for the conduct of the internal audit function at the University and has been approved by Council taking into account the advice of the Audit and Risk Management Committee.
2. Definitions
2.1 Refer to the University Audit and Assurance - Governing Policy for a complete list of definitions.
3. Role of Internal Audit
3.1 Internal Audit is an independent, objective assurance activity designed to add value and improve an organisation’s operations.
3.2 It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
3.3 Internal Audit is an integral part of the internal control and risk management framework as it functions by evaluating the effectiveness of the University’s governance processes.
3.4 The purpose of internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.
3.5 Internal Audit provides an independent and objective review and advisory service to:
(a) provide assurance to the Vice-Chancellor and President, and the ARMC, that the University’s financial and operational controls, designed to manage the agency’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner; and
(b) assist management in improving the University’s business performance.
4. Professionalism
4.1 Internal Audit staff must be cognisant of the functions imposed in applicable standards and comply with professional standards of conduct including standards issued by:
(a) the Institute of Internal Auditors;
(b) the Certified Practising Accountants (Australia);
(c) Chartered Accountants Australia and New Zealand;
(d) the Information Systems Audit and Control Association;
(e) the standard relevant to risk management (being AS/NZS ISO 31000: 2018); and
(f) other relevant standards issued by Standards Australia and the International Standards Organisation.
4.2 Internal Audit must:
(a) govern itself by adherence to the Institute of Internal Auditors' mandatory guidance including the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards);
(b) observe the Institute of Internal Auditors' Practice Advisories, Practice Guides and Position Papers, as applicable to guide Internal Audit’s operations; and
(c) adhere to the University’s relevant policies and procedures and this Internal Audit Charter.
4.3 Internal Audit staff must possess the knowledge, skills and technical proficiency essential to satisfactorily perform the tasks required of an internal auditor.
5. Authority and scope of Internal Audit
5.1 The Authority is granted to Internal Audit for full, free and unrestricted access to any and all of the University’s records, physical properties, personnel and other documentation pertinent to carrying out any engagement, with strict accountability for confidentiality and safeguarding of records and information. All staff members are to assist Internal Audit in fulfilling its role and responsibilities and must not knowingly mislead the Internal Audit function or wilfully obstruct any audit activity.
5.2 All records, documentation and information accessed in the course of undertaking internal audit activities are to be used solely for the conduct of these activities.
5.3 The Internal Audit function has authority to conduct such audits as are necessary to exercise its responsibilities, to determine their nature and scope and to develop methods of investigation for the appraisal of operations. Internal Audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. Internal Audit must disclose any such interference to the ARMC and discuss the implications.
5.4 Other University policies, procedures and documents must not contradict the authorised access by Internal Audit as expressed in the Internal Audit Charter. In the event of any conflict this Charter should take precedence.
5.5 The Senior Internal Audit Manager must escalate matters to the Chairperson of the ARMC for action where there is insufficient co-operation received from senior management, or agreed protocols are not met.
5.6 Internal Audit will have unfettered access to the Council, the Vice-Chancellor and President and the ARMC.
5.7 Internal Audit reviews may cover all programs and activities of the University together with associated entities, as provided for in relevant business agreements, memorandum of understanding or contracts. Internal audit activity encompasses the review of financial and non-financial policies and operations in line with the Internal Audit Plan.
5.8 The scope of Internal Audit will include all parts of the University including controlled entities of the University.
6. Independence
6.1 Independence is essential to the effectiveness of the Internal Audit function. Internal Audit activity shall be independent, and internal auditors shall be objective in performing their work. Internal auditors shall have an impartial, unbiased attitude and avoid any conflicts of interest.
6.2 The Internal Audit function has no direct authority or responsibility for the activities it reviews. The Internal Audit function has no responsibility for developing or implementing procedures or systems and does not prepare records or engage in original line processing functions or activities [except in carrying out its own functions]. Internal Audit is not responsible for the detailed development or implementation of new financial or administrative systems or any amendment, variation, or alteration to any such system, but should be consulted before any such system or amendment, variation or alteration is approved.
6.3 The Internal Audit function is responsible on a day-to-day basis to the Senior Internal Audit Manager.
6.4 The Senior Internal Audit Manager will confirm to the ARMC, at least annually, the organisational independence of the Internal Audit activity.
6.5 Internal Audit staff and service providers are required to report any real or perceived impairments (e.g. conflicts of interest) to the Senior Internal Audit Manager as soon as such impairments arise in accordance with the Conflict of Interest – Governing Policy. The Senior Internal Audit Manager is required to report any such impairments to the Chairperson of the ARMC.
6.6 The Internal Audit function, through the Senior Internal Audit Manager, reports functionally to the ARMC on the results of completed audits, and for strategic direction and accountability purposes, and reports administratively to the Vice-Chancellor and President (through the Director, Governance and Risk Management) to facilitate day to day operations. The Senior Internal Audit Manager has direct access to the Vice-Chancellor and President to discuss audit and risk issues when required.
7. Accountability
7.1 The following dual reporting line is prescribed where the blue lines and boxes represent the ‘administrative’ reporting line and the orange lines and boxes represent the ‘functional’ reporting line:
7.2 The Director, Governance and Risk Management is nominated as the officer responsible for overseeing administrative aspects of Internal Audit.
7.3 Within the constraints of Internal Audit’s approved budget and approved Internal Audit Plan, the Senior Internal Audit Manager is authorised to:
(a) exercise autonomy in applying internal audit resources;
(b) recommend appointment of external service providers to co-source internal audit activities, both routine and ad hoc; and
(c) determine the scope, frequency, timing and procedures necessary to accomplish the objectives of each audit engagement.
7.4 The Council, upon recommendation from the ARMC, approves the Appendix A - Internal Audit Charter and all decisions regarding changes to the service delivery model for Internal Audit services and the performance evaluation, appointment or removal of an outsourced internal audit service.
7.5 The ARMC must approve the risk based Internal Audit Strategic and Operational Plans.
7.6 Internal Auditors must exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal Auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
8. Confidentiality
8.1 Internal Audit staff must maintain the confidentiality of information obtained in the course of their duties and any information accessed in the course of audits is to be used strictly for audit purposes. Information must not be used for personal benefit. If there is any doubt over the conveying of information to a person, the Vice-Chancellor and President (or delegate) is to be notified and will determine the appropriateness of the information transfer.
8.2 The Senior Internal Audit Manager and individual internal audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work. Information must not be released to third parties (other than through contracted co-source arrangements) unless required or authorised by or under law. Information must only be used for the purpose for which it is obtained.
8.3 All internal audit documentation is to remain the property of the University. The Senior Internal Audit Manager determines the appropriate documentation retained for services provided by an external third-party in a co-source arrangement.
9. Responsibility
9.1 The scope of Internal Audit encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management and internal processes (including Work, Health and Safety matters), as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives.
9.2 Internal Audit undertakes internal audit activities, aligned with the Internal Audit Plan and Advisory Services as required.
9.3 Internal Audit Activities
9.3.1 Internal Audit activities encompass the following areas (as appropriate to the Annual Internal Audit Plan):
(a) Risk Management:
(i) evaluate the effectiveness, and contribute to the improvement, of risk management processes;
(ii) provide assurance to Council and the ARMC on the effectiveness of the risk management framework including the design and operational effectiveness of internal controls (financial and non-financial);
(iii) provide assurance that risk exposures relating to the University’s governance, operations, and information systems are correctly evaluated, including:
- reliability and integrity of financial and operational information;
- effectiveness, efficiency, and economy of operations;
- safeguarding of assets;
- the reliability, timeliness, integrity and adequacy of information and the means used to identify, measure, classify and report such information;
- evaluating the effectiveness and efficiency with which resources are employed; and
- evaluating operations to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
(iv) evaluate the design, implementation and effectiveness of the University’s ethics-related objectives, programs and activities; and
(v) assess whether the information technology governance of the University sustains and supports the University’s strategies and objectives.
(b) Compliance:
(i) compliance with applicable laws, regulations and Government policies and directions; and
(ii) evaluating the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on the University.
(c) Performance improvement:
(i) the efficiency, effectiveness and economy of the entity’s business systems and processes.
9.3.2 Any dispute relating to whether an activity falls within the Internal Audit scope or whether access to records, information or officers should be provided is determined by the Vice-Chancellor and President (or delegate) and can be referred to the ARMC.
9.4 Advisory services
9.4.1 The Internal Audit function can advise the University’s management on a range of matters including:
(a) New programs, systems and processes:
(i) providing advice on the development of new programs and processes or significant changes to existing programs and processes including the design of appropriate controls.
(b) Risk management:
(i) assisting management to identify risks and develop risk treatment and monitoring strategies as part of the risk management framework.
(c) Fraud and corruption control:
(i) evaluate the potential for the occurrence of fraud and how the University manages fraud risk; and
(ii) assisting management to investigate fraud, identify the risks of fraud and develop fraud prevention and monitoring strategies.
10. Audit planning
10.1 Internal Audit must submit the three-year Strategic Internal Audit Plan and the one-year Operational Internal Audit Plan to the ARMC for review and approval. This includes:
(a) overall objectives;
(b) work schedules;
(c) staffing;
(d) financial budgets; and
(e) a description of any limitations placed on Internal Audit’s scope of work.
10.2 The general direction of the University’s Internal Audit activities over the medium term is documented in a three-year Strategic Internal Audit Plan, which:
(a) identifies the broad goals to be achieved and strategies to be adopted over the three year period;
(b) is prepared by Internal Audit based upon the results of a risk assessment and focuses on the areas of high risk and those where internal controls are weak; and
(c) is reviewed annually by both Internal Audit and the ARMC and altered to take account of any changes in priorities or risks. The Strategic Internal Audit Plan forms the basis for the preparation of the one-year Operational Internal Audit Plan.
10.3 The one-year Operational Internal Audit Plan details the program for the forthcoming year and indicates the time allowances and budget for each proposed review or project. The actual audit performance must be regularly reviewed against the Operational Internal Audit Plan by the ARMC. Any necessary amendments to the Plan must be submitted to the ARMC for consideration and approval.
10.4 Internal Audit must prepare an individual audit plan, or scoping document, for all proposed audits. This document must be agreed to by Internal Audit, the Cost Centre Manager and the relevant Executive member prior to commencement of the audit. This document must include audit title; objectives; description and scope; and expected timeframes including starting and finishing dates. The plan must consider the University’s strategies, objectives and risks relevant to the engagement.
10.5 Audit plans must be developed using a risk-based methodology including input of senior management and the ARMC, to identify and prioritise audit tasks based on a risk assessment of the University’s operations. This must take account of:
(a) materiality;
(b) level of assessed risk;
(c) significance in terms of organisational impact; and
(d) public accountability.
10.6 The activities and plans of Internal Audit are to be coordinated with those of External Audit to ensure coordination of internal and external audit coverage.
10.7 The Vice-Chancellor and President (or delegate) is granted authority to amend the Internal Audit Plans from time to time, to reflect emerging risks and priorities and to ensure that the plans remain responsive to changes in business requirements. Any significant deviation from the approved Internal Audit Plan must be reported at the next ARMC meeting.
11. Standards
11.1 Internal Audit activities must be conducted in accordance with this Charter, and relevant professional standards including International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors.
11.2 In the conduct of Internal Audit work, Internal Audit staff must:
(a) comply with relevant professional standards of conduct;
(b) possess the knowledge, skills and technical proficiency relevant to the performance of their duties. This includes consideration of current activities, trends and emerging issues, to enable relevant advice and recommendations;
(c) be skilled in dealing with people and communicating audit, risk management and related issues effectively; and
(d) exercise due professional care in performing their duties.
12. Relationship with external audit
12.1 Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort.
12.2 Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination.
12.3 External audit will have full and free access to all internal audit plans, working papers and reports.
13. Conduct of work
13.1 Audit planning
13.1.1 The Annual Audit Plan will define the objectives, scope, priority, timing and resource requirements for each audit task in the coming year. This plan is prepared and submitted to the ARMC for approval. The Annual Audit Plan is undertaken each year and aligns with the three-year Strategic Internal Audit Plan.
13.1.2 The Annual Audit Plan shall be sufficiently comprehensive to ensure the complete and effective reviews of specified University activities and allow flexibility to accommodate special tasks and projects.
13.2 Special investigations
13.2.1 Internal Audit staff can undertake special audits and investigations:
(a) at the request of the relevant Senior Executive;
(b) after consultation with the Vice-Chancellor and President; or
(c) as required in the course of general operations.
13.2.2 Where Internal Audit assists in the investigation of suspected corrupt conduct, fraud or misappropriation within the University they must notify management and the ARMC of the corrective action to be taken.
13.2.3 Other reviews as requested by the Vice-Chancellor and President and Senior Internal Audit Manager or as a service to senior management may be conducted. Such requests will be risk assessed, as appropriate, to determine their priority within the approved Annual Audit Plan.
14. Reporting and monitoring
14.1 At the conclusion of each audit, Internal Audit will issue a copy of the report on the audit outcome to the relevant Cost Centre Manager and Executive Member. The report is submitted to the Executive Committee for review prior to the report being circulated to ARMC Committee members.
14.2 The report presents the audit objectives, scope and conclusion based on the outcome of the audit as well as management’s response to the report. This response must include corrective action taken (or to be taken) in regard to the specific findings and recommendations and an agreed implementation timetable, or an explanation for any corrective action that will not be implemented.
14.4 Internal Audit is responsible for appropriate follow-up on engagement findings and recommendations. All significant findings remain in an open issues file until completed, reviewed and closed by Internal Audit. Internal Audit must also perform annual follow-up audits to review extreme and high-risk recommendations that have been previously closed.
14.5 Internal Audit must periodically report to the Executive Committee and the ARMC on Internal Audit purpose, authority, responsibility and performance relative to its plan, and on its conformance with the Standards. Reporting will also include significant risk and control issues including fraud risks, governance issues and other matters that require the attention of the Vice-Chancellor and President, Executive Committee or the ARMC.
14.6 Internal Audit must establish and maintain a quality assurance and improvement program to evaluate the operations of the internal audit function in accordance with the requirement of the Institute of Internal Auditors and communicate to the Vice-Chancellor and President and the ARMC on this program.
15. Administrative arrangements
15.1 Any change to the role of the Senior Internal Audit Manager (and, where the Internal Audit function uses an outsourced service delivery model, the external service provider) is approved by Council on the recommendation of the ARMC.
15.2 The Senior Internal Audit Manager must arrange for an internal review, at least annually, and a periodic independent review, at least every five years, of the efficiency and effectiveness of the operations of the Internal Audit function. The results of the reviews will be reported to the ARMC who will provide advice to Council on those results.
16. Review of the charter
16.1 This Charter must be reviewed at least annually by the ARMC. Any substantive changes must be formally approved by the Council on the recommendation of the ARMC.
17. Delegations
17.1 The Director, Governance and Risk Management is the delegate of the Vice-Chancellor and President for matters relating to this Internal Audit Charter.
END of Appendix A