1. Purpose of policy
The following policy and the associated Internal Audit Charter (Appendix A) are intended to provide a broad framework for the conduct of audit and assurance services at USC.
2. Policy scope and application
This policy applies to all staff, students, agents and members of decision-making and advisory bodies of the University.
3. Regulatory background
3.1 Under the University of the Sunshine Coast Act 1998 and the Financial Accountability Act 2009, Council is required to efficiently, effectively and economically manage and control the University’s operations and must act in the way that promotes the University’s interests, including to:
(a) establish and maintain appropriate systems of internal control and risk management;
(b) establish and keep funds and accounts in compliance with prescribed requirements;
(c) ensure annual financial statements are prepared, certified and tabled in Parliament in accordance with prescribed requirements;
(d) undertake planning and budgeting for the University that is appropriate to its size; and
(e) perform other functions conferred by legislation on the University or under a financial and performance management standard.
3.2 Assurance elements at the University which are covered by this Policy include the following three key legislative components.
3.2.1 Internal Audit – established by the University in accordance with the requirements of the Financial and Performance Management Standards 2009;
3.2.2 Audit and Risk Management Committee – established by the University in accordance with the requirements of the Financial and Performance Management Standards 2009, including the development of terms of reference which have regard to the Queensland Treasury publication ‘Audit Committee Guidelines – Improving Accountability and Performance’ (June 2012); and
3.2.3 External Audit – the University is required under Section 62 of the Financial Accountability Act 2009 to prepare annual financial statements, certify whether these statements comply with prescribed requirements, have the statements audited as required under the Auditor-General Act 2009 and include these statements in the University’s annual report.
Please refer to the University’s Glossary of Terms for policies and procedures. Terms and definitions identified below are specific to this policy and are critical to its effectiveness:
ARMC means the University’s Audit and Risk Management Committee.
Assurance Services means an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes for the University. Examples may include financial, performance, compliance, system security, and due diligence engagements.
Charter means the Internal Audit Charter (Appendix A).
Committee member means a member of the University’s Audit and Risk Management Committee.
Consulting Services means advisory and related activities, the nature and scope of which are agreed with the business area requesting the service, and are intended to add value and improve an organisation’s governance, risk management and control processes without the Internal Auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.
Core Principles for the Professional Practice of Internal Auditing (Core Principles) are the key elements that describe Internal Audit effectiveness. The Core Principles underpin the Code of Ethics and the Standards.
External Audit refers to representatives of the Queensland Audit Office (QAO) or any other providers of audit services subcontracted by QAO to undertake elements of its audit program at the University. If QAO does subcontract to another audit provider, these providers report to QAO.
Internal Audit refers to the internal audit activities of the University, which may be established as an internal organisational unit or outsourced to an independent professional service provider, or any combination of the two.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Terms of Reference refers to the Audit and Risk Management Committee Terms of Reference.
5. Policy statement
5.1 It is the policy of the University to establish an audit and assurance framework to assist in the effective discharge of its stewardship and leadership responsibilities, to strengthen the University’s control environment including the control of institutional resources in accordance with its legislative responsibilities.
5.2 The Council and management of the University are committed to an open and accountable system of governance and the embedding of continuous improvement processes across the University to support achievement of its strategic and operational objectives. The implementation of an effective audit and assurance framework is fundamental to these principles.
6. Audit and assurance framework
The University’s Audit and Assurance Framework is based on a three lines of defence model (as illustrated in Diagram 1 below) to demonstrate and structure roles, responsibilities, linkages and accountabilities for decision making, risk and control purposes to achieve effective governance and assurance. Each line of defence provides higher levels of independence and objectivity, thereby delivering greater assurance to key stakeholders.
1) The first line of defence is responsible for the identification and effective management and mitigation of risks as well as the identification, recording, escalation and management of issues.
2) The second line of defence undertakes independent oversight of the risk profile and risk management framework.
3) The third line of defence independently evaluates and provides an opinion on the adequacy and effectiveness of both the first and second line controls.
7. Internal Audit
7.1 The University is committed to maintaining an efficient, effective and economical internal audit function as required by the Financial and Performance Management Standards 2009 and will ensure that all internal audit activities remain free of influence by any organisational elements.
7.2 Internal audit responsibilities are defined by Council, on advice of ARMC, as part of their oversight role in the associated Internal Audit Charter (Appendix A). Internal Audit’s role may include, but is not limited to, the review of University risk, internal controls, efficiency, effectiveness, governance, performance and compliance matters (including work health and safety).
7.3 The primary purpose of Internal Audit is to add value to the University’s operations by providing an independent appraisal and advisory function for Council, ARMC and Executive thereby assisting the University in realising its strategic and corporate goals. This is achieved by examining and evaluating the adequacy, effectiveness and efficiency of risk management, systems of internal control and the quality of management systems in an independent and professional manner.
7.4 A review or appraisal by Internal Audit does not in any way relieve officers of the University of their individual responsibilities and accountabilities. Nor does it in any way diminish the Vice-Chancellor and President, Executive and management’s responsibilities for the implementation and maintenance of effective systems of internal control and prevention and detection of fraud.
8. Audit and Risk Management Committee
8.1 The University is committed to maintaining an Audit and Risk Management Committee in accordance with the Financial and Performance Management Standards 2009.
8.2 The primary functions of ARMC are:
- evaluating whether processes are in place to address key roles and responsibilities in relation to risk management;
- evaluating the adequacy of the control environment to provide reasonable assurance that the systems of internal control are of a high standard and functioning as intended;
- performing an independent review of the financial statements to ensure the integrity and transparency of the financial reporting process;
- monitoring the effectiveness of performance information and compliance with performance reporting requirements;
- evaluating the quality of the internal audit function, particularly in the areas of planning, monitoring and reporting;
- engaging with external audit and assessing the adequacy of management response to issues identified by audit;
- reviewing the effectiveness of how the University monitors compliance with relevant legislative and regulatory requirements and promotes a culture committed to lawful and ethical behaviour.
8.3 The ARMC responsibilities are defined by Council as part of their oversight role. Detailed roles, responsibilities, composition and operating guidelines for ARMC are outlined in its Terms of Reference.
9. External Audit
9.1 The University and its consolidated entities are required to have an external audit of statutory compliance in accordance with the Financial Accountability Act 2009 and the Auditor-General Act 2009. This is conducted by the Queensland Audit Office or its authorised subcontractors.
9.2 External Audit must be given full, free and unrestricted access to any and all records, physical properties, personnel and other documentation belonging to, in the custody of, or under the control of, the University. All employees are to assist External Audit in fulfilling its roles and responsibilities.
9.3 The University’s external audit program is developed through two approaches:
(a) on an annual basis a core external audit program is set by External Audit and an outline including scope and related costs is provided to ARMC for sign off prior to commencement. Final audit statements and reports are provided in sufficient time for the University to meet its financial and legislative reporting requirements; and
(b) as part of a comprehensive program of audit activities across entities at a state level, the Queensland Audit Office also runs a program of performance audits. The University is a willing participant in such audits.
9.4 It is the responsibility of External Audit to audit the annual financial statements and prepare an auditor’s report in accordance with legislative requirements, prescribed accounting standards and government guidelines. The Auditor-General presents his annual report, audit certification and management letter to both the University and in his annual report to state parliament.
9.5 External Audit representatives are invited to be in attendance at each ARMC meeting.
This Policy and the attached Internal Audit Charter will be reviewed by ARMC annually. All amendments to the Policy and Charter require ARMC’s endorsement, prior to submission to Council for discussion and approval.
Appendix A - Internal Audit Charter
1.1 Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the University. It assists the University to accomplish its objectives by bringing a systematic, disciplined and risk-based approach to evaluate and improve the effectiveness of the University’s risk management, control and governance processes.
1.2 The Internal Audit Charter is intended to provide a broad framework for the conduct of internal audit services at the University in accordance with the Financial and Performance Management Standard 2009. This Charter should be read in conjunction with the University’s Audit and Assurance Framework - Governing Policy and applies to all staff, students, agents and members of decision-making and advisory bodies of the University.
Refer to the Audit and Assurance Framework - Governing Policy for a complete list of definitions.
3. Role of Internal Audit
Internal Audit provides an independent and objective review and advisory service to:
(a) provide analysis, findings and recommendations to Council that the University’s financial and operational controls are operating in an efficient, effective and ethical manner, to manage the University’s risks and achieve its objectives; and
(b) assist management in improving the University’s business performance.
4.1 Internal Audit staff must be cognisant of the functions imposed in applicable standards and comply with professional standards of conduct including standards issued by:
(a) the Institute of Internal Auditors
(b) the Certified Practising Accountants (Australia)
(c) the Institute of Chartered Accountants (Australia)
(d) the Information Systems Audit and Control Association
(e) the standard relevant to risk management (being AS/NZS ISO 31000: 2018) and
(f) other relevant standards issued by Standards Australia and the International Standards Organisation.
4.2 Internal Audit will:
(a) govern itself by adherence to The Institute of Internal Auditors' mandatory guidance including the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).
(b) observe The Institute of Internal Auditors' Practice Advisories, Practice Guides and Position Papers, as applicable to guide Internal Audit’s operations.
(c) adhere to the University’s relevant policies and procedures and this Internal Audit Charter.
4.3 Internal Audit staff will be required to maintain the confidentiality of information obtained in the course of their duties and any information accessed in the course of audits is to be used strictly for audit purposes. Information should not be used for personal benefit. If there is any doubt over the conveying of information to a person, the Vice-Chancellor and President (or delegate) is to be notified and will determine the appropriateness of information transfer.
4.4 Internal Audit staff must possess the knowledge, skills and technical proficiency essential to satisfactorily perform the tasks required of an internal auditor.
5. Authority of Internal Audit
5.1 Authority is granted to Internal Audit for full, free and unrestricted access to any and all of the University’s records, physical properties, personnel and other documentation pertinent to carrying out any engagement, with strict accountability for confidentiality and safeguarding of records and information. All employees are to assist Internal Audit in fulfilling its roles and responsibilities.
5.2 Internal Audit will have unfettered access to the Council, the Vice-Chancellor and President and Audit and Risk Management Committee (ARMC).
5.3 Other University policies, procedures and documents must not contradict the authorised access by Internal Audit as expressed in the Internal Audit Charter. In the event of any conflict, this policy should take precedence.
6. Organisational Relationships and Independence
6.1 Internal Audit has an independent and neutral status within the University and will be directly responsible to ARMC. As such, Internal Audit reports administratively to the Vice-Chancellor and President, or delegate, but functionally to ARMC.
6.2 The Director, Governance and Risk Management is nominated as the officer responsible for overseeing administrative aspects of Internal Audit.
6.3 Within the constraints of Internal Audit’s approved budget and approved Internal Audit Plan, the Senior Internal Auditor is authorised to:
- exercise autonomy in applying internal audit resources;
- recommend appointment of external service providers to co-source internal audit activities, both routine and ad hoc; and
- determine the scope, frequency, timing and procedures necessary to accomplish the objectives of each audit engagement.
6.4 Internal Audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. Internal Audit must disclose any such interference to the ARMC and discuss the implications.
6.5 The Council, upon recommendation from ARMC, will approve the Internal Audit Charter and all decisions regarding changes to the service delivery model for internal audit services and the performance evaluation, appointment or removal of an outsourced internal audit service.
6.6 The ARMC will approve the risk-based Internal Audit strategic and operational plans (refer 8.1).
6.7 Internal Audit will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records or engage in any other activity that may impair their judgment.
6.8 Internal Auditors must exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal Auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
6.9 Internal Audit will confirm to ARMC, at least annually, the independence of the internal audit activity.
6.10 All formal correspondence received from Internal Audit by the Vice-Chancellor and President or Committee members will be tabled at the next available ARMC meeting.
6.11 The existence of Internal Audit does not diminish the responsibilities of the Vice-Chancellor and President, senior management and staff to implement and maintain effective systems of internal control.
7.1 The scope of Internal Audit encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management and internal process (including work health and safety matters), as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives.
(a) evaluating the reliability, timeliness, integrity and adequacy of information and the means used to identify, measure, classify and report such information;
(b) evaluating and appraising the soundness, adequacy and application of accounting and operating controls (financial and non-financial) and recommending improvements where necessary;
(c) evaluating the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on the University;
(d) evaluating the accounting for and the safeguarding of assets and, as appropriate, verifying the existence of such assets;
(e) evaluating the effectiveness and efficiency with which resources are employed;
(f) evaluating operations to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned;
(g) monitoring and evaluating governance processes;
(h) monitoring and evaluating the effectiveness of risk management processes within the University;
(i) consulting with External Audit regarding the degree of coordination between Internal and External Audit;
(j) performing consulting and advisory services related to governance, risk management and control as appropriate for the University;
(k) reviewing specific operations at the request of the Vice-Chancellor and President or ARMC;
(l) conducting investigations in relation to allegations of fraud, corruption and whistleblower complaints.
7.2 The scope of Internal Audit will include all parts of the University including controlled entities of the University.
7.3 Any dispute relating to whether an activity falls within the Internal Audit scope or whether access to records, information or officers should be provided, shall be determined by the Vice-Chancellor and President, or delegate, and may be referred to ARMC.
8. Audit planning
8.1 Internal Audit will submit the three-year Strategic Internal Audit Plan and the one-year Operational Internal Audit Plan to ARMC for review and approval. This should include overall objectives, work schedules, staffing, financial budgets and a description of any limitations placed on Internal Audit’s scope of work.
8.2 The general direction of the University’s internal audit activities over the medium term is to be documented in a three-year Strategic Internal Audit Plan.
(a) It will identify the broad goals to be achieved and strategies to be adopted over the three-year period.
(b) Internal Audit must prepare the Strategic Internal Audit Plan based upon the results of a risk assessment and focus on the areas of high risk and those where internal controls are weak.
(c) This Strategic Internal Audit Plan is to be reviewed annually by both Internal Audit and the ARMC and altered to take account of any changes in priorities or risks. The Strategic Internal Audit Plan forms the basis for the preparation of the one-year Operational Internal Audit Plan.
8.3 The one-year Operational Internal Audit Plan details the program for the forthcoming year and indicates the time allowances and budget for each proposed review or project. The actual audit performance shall be regularly reviewed against the Operational Internal Audit Plan by ARMC. Any necessary amendments to the Plan shall be submitted to ARMC for consideration and approval.
8.4 Internal Audit will prepare an individual audit plan, or scoping document, for all proposed audits. This document will be agreed to by Internal Audit and the cost centre manager and signed off by the relevant senior staff member prior to commencement of the audit. This document should include audit title; objectives; description and scope; and expected timeframes including starting and finishing dates. The plan must consider the University’s strategies, objectives and risks relevant to the engagement.
8.5 Audit plans will be developed using a risk-based methodology including input of senior management and ARMC, to identify and prioritise audit tasks based on a risk assessment of the University’s operations. This will take account of materiality, level of assessed risk, significance in terms of organisational impact and public accountability.
8.6 The activities and plans of Internal Audit are to be coordinated with those of External Audit to ensure coordination of internal and external audit coverage.
8.7 All significant auditable areas should be covered in the risk assessment process and each critical risk area (as agreed by Internal Audit, the Vice-Chancellor and President and ARMC) should be covered at least triennially, having regard to current risk assessment.
8.8 The Vice-Chancellor and President, or delegate, is granted authority to amend the Internal Audit plans from time to time, to reflect emerging risks and priorities and to ensure that the plans remain responsive to changes in business requirements. Any significant deviation from the approved Internal Audit Plan will be reported at the next ARMC meeting.
9. Reporting and Monitoring
9.1 On the conclusion of each audit, Internal Audit will issue a copy of the report on the audit outcome to the Vice-Chancellor and President, or delegate, the relevant cost centre manager and individual Executive member. This report shall then be circulated to Committee members.
9.2 The report will present the audit objectives, scope and conclusion based on the outcome of the audit as well as management’s response to the report. This response should include corrective action taken (or to be taken) in regard to the specific findings and recommendations and an agreed implementation timetable, or an explanation for any corrective action that will not be implemented.
9.3 Internal Audit will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until completed, reviewed and closed by Internal Audit. Internal Audit will also perform an annual follow-up audit to review extreme and high risk recommendations that have been previously closed.
9.4 Internal Audit will periodically report to senior management and ARMC on Internal Audit purpose, authority, responsibility and performance relative to its plan, and on its conformance with the Standards. Reporting will also include significant risk and control issues including fraud risks, governance issues and other matters that require the attention of the Vice-Chancellor and President, senior management or ARMC.
9.5 Internal Audit will establish and maintain a quality assurance and improvement program to evaluate the operations of the internal audit function in accordance with the requirement of the Institute of Internal Auditors, and communicate to the Vice-Chancellor and President and ARMC on this program.
10.2 The Director, Governance and Risk Management is the delegate of the Vice-Chancellor and President for matters relating to this Internal Audit Charter.
END of Appendix A