1. Purpose of policy
The following policy and the associated Internal Audit Charter (Appendix A) are intended to provide a broad framework for the conduct of audit and assurance services at USC.
2. Policy scope and application
This policy applies to all staff, students, agents and members of decision-making and advisory bodies of the University.
3. Regulatory background
3.1 Under the University of the Sunshine Coast Act 1998 and the Financial Accountability Act 2009, Council is required to efficiently, effectively and economically manage and control the University’s operations and must act in the way that promotes the University’s interests, including to:
(a) establish and maintain appropriate systems of internal control and risk management;
(b) establish and keep funds and accounts in compliance with prescribed requirements;
(c) ensure annual financial statements are prepared, certified and tabled in Parliament in accordance with prescribed requirements;
(d) undertake planning and budgeting for the University that is appropriate to its size; and
(e) perform other functions conferred by legislation on the University or under a financial and performance management standard.
3.2 Assurance elements at the University which are covered by this Policy include the following three key legislative components:
3.2.1 Internal Audit – established by the University in accordance with the requirements of the Financial and Performance Management Standards 2009;
3.2.2 Audit and Risk Management Committee – established by the University in accordance with the requirements of the Financial and Performance Management Standards 2009, including the development of terms of reference which have regard to the Queensland Treasury publication ‘Audit Committee Guidelines – Improving Accountability and Performance’ (June 2012); and
3.2.3 External Audit – the University is required under Section 62 of the Financial Accountability Act 2009 to prepare annual financial statements, certify whether these statements comply with prescribed requirements, have the statements audited as required under the Auditor-General Act 2009, and include these statements in the University’s annual report.
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to its effectiveness:
ARMC means the University’s Audit and Risk Management Committee.
Assurance Services means an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the University. Examples may include financial, performance, compliance, system security, and due diligence engagements.
Charter means the Internal Audit Charter (Appendix A).
Committee member means a member of the University’s Audit and Risk Management Committee.
Consulting Services means advisory and related activities, the nature and scope of which are agreed with the business area requesting the service, and are intended to add value and improve an organisation’s governance, risk management and control processes without the Internal Auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.
Core Principles for the Professional Practice of Internal Auditing (Core Principles) are the key elements that describe Internal Audit effectiveness. The Core Principles underpin the Code of Ethics and the Standards.
External Audit refers to representatives of the Queensland Audit Office (QAO) or any other providers of audit services subcontracted by QAO to undertake elements of its audit program at the University. If QAO does subcontract to another audit provider, these providers report to QAO.
Internal Audit refers to the internal audit activities of the University, which may be established as an internal organisational unit or outsourced to an independent professional service provider, or any combination of the two.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Terms of Reference refers to the Audit and Risk Management Committee Terms of Reference.
5. Policy statement
5.1 It is the policy of the University to establish an audit and assurance framework to assist in the effective discharge of its stewardship and leadership responsibilities, and to strengthen the University’s control environment, including for the control of institutional resources in accordance with its legislative responsibilities.
5.2 The Council and management of the University are committed to an open and accountable system of governance and the embedding of continuous improvement processes across the University to support achievement of its strategic and operational objectives. The implementation of an effective audit and assurance framework is fundamental to these principles.
6. Audit and assurance framework
The University’s Audit and Assurance Framework is based on a four lines of defence model (as illustrated in Diagram 1 below) to demonstrate and structure roles, responsibilities, linkages and accountabilities for decision making, risk and control purposes to achieve effective governance and assurance. Each line of defence provides higher levels of independence and objectivity, thereby delivering greater assurance to key stakeholders.
1) First line of defence is ‘Line management in business operations’ – line management are responsible for operationalising risk management and internal controls and implementing business improvement reviews and outcomes.
2) Second line of defence is ‘Management review and oversight’ – executive and senior management are responsible for establishing and monitoring the University’s policies and standards.
3) Third line of defence is ‘Internal review’ – internal audit and assurance mechanisms are responsible for providing independent and objective assurance and advice on governance, risk and compliance matters to the University, and includes the Internal Audit function, ARMC and Council.
4) Fourth line of defence is ‘External review’ – external audit and assurance agencies are responsible for providing independent monitoring and review of the University, including regulatory oversight.
Diagram 1 - USC Audit and Assurance Framework
*Adapted from The Institute of Internal Auditors Position Paper: The Three Lines Of Defence In Effective Risk Management And Control
7. Internal Audit
7.1 The University is committed to maintaining an efficient, effective and economical internal audit function as required by the Financial and Performance Management Standards 2009, and will ensure that all internal audit activities remain free of influence by any organisational elements.
7.2 Internal audit responsibilities are defined by Council, on advice of ARMC, as part of their oversight role in the associated Internal Audit Charter (Appendix A). Internal Audit’s role may include, but is not limited to, the review of University risk, internal controls, efficiency, effectiveness, governance, performance and compliance matters (including work health and safety).
7.3 The primary purpose of Internal Audit is to add value to the University’s operations by providing an independent appraisal and advisory function for Council, ARMC and Executive thereby assisting the University in realising its corporate goals. This is achieved by examining and evaluating the adequacy, effectiveness and efficiency of risk management, systems of internal control and the quality of management systems in an independent and professional manner.
7.4 A review or appraisal by Internal Audit does not in any way relieve officers of the University of their individual responsibilities and accountabilities. Nor does it in any way diminish the Vice-Chancellor and President, Executive and management’s responsibilities for the implementation and maintenance of effective systems of internal control and prevention and detection of fraud.
8. Audit and Risk Management Committee
8.1 The University is committed to maintaining an Audit and Risk Management Committee in accordance with the Financial and Performance Management Standards 2009.
8.2 The primary functions of ARMC are to:
(a) promote accountability, and support measures to improve management performance and internal controls throughout the University;
(b) oversee and monitor the University’s internal audit, compliance and risk functions including work health and safety matters;
(c) oversee the integrity of the University’s financial reporting systems;
(d) ensure effective liaison between the University’s Internal and External Auditors, including coordination of internal and external audit coverage; and
(e) ensure effective liaison between senior management and the University’s External Auditors including oversight of the University’s external audit program, recommendation of the annual financial statements to Council for approval, and monitoring the University’s response to the annual audit.
8.3 The ARMC responsibilities are defined by Council as part of their oversight role. Detailed roles, responsibilities, composition and operating guidelines for ARMC are outlined in its Terms of Reference.
9. External Audit
9.1 The University and its consolidated entities are required to have an external audit of statutory compliance in accordance with the Financial Accountability Act 2009 and the Auditor-General Act 2009. This is conducted by the Queensland Audit Office or its authorised subcontractors.
9.2 External Audit must be given full, free and unrestricted access to any and all records, physical properties, personnel and other documentation belonging to, in the custody of, or under the control of, the University. All employees are to assist External Audit in fulfilling its roles and responsibilities.
9.3 The University’s external audit program is developed through two approaches:
(a) on an annual basis a core external audit program is set by External Audit and an outline including scope and related costs is provided to ARMC for sign off prior to commencement. Final audit statements and reports are provided in sufficient time for the University to meet its financial and legislative reporting requirements; and
(b) as part of a comprehensive program of audit activities across entities at a state level, the Queensland Audit Office also runs a program of performance audits. The University is a willing participant in such audits.
9.4 It is the responsibility of External Audit to audit the annual financial statements and prepare an auditor’s report in accordance with legislative requirements, prescribed accounting standards and government guidelines. The Auditor-General presents his annual report, audit certification and management letter both to the University and, in his annual report, to state parliament.
9.5 External Audit representatives are invited to be in attendance at each ARMC meeting.
This Policy and the attached Internal Audit Charter will be reviewed by ARMC annually. All amendments to the Policy and Charter require ARMC’s endorsement, prior to submission to Council for discussion and approval.
Appendix A – Internal Audit Charter