1. Introduction
1.1 The Vice-Chancellor and President has established the Internal Audit Function as a key component of the University’s governance framework.
1.2 Internal auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the University. It assists the University to accomplish its objectives by bringing a systematic, disciplined and risk-based approach to evaluate and improve the effectiveness of the University’s risk management, control and governance processes.
1.3 The Internal Audit Charter is intended to provide a broad framework for the conduct of internal audit services at the University in accordance with the Financial and Performance Management Standard 2009 (Qld). This Charter should be read in conjunction with the University Audit and Assurance - Governing Policy and applies to all members of the University Community.
1.4 This Charter provides the framework for the conduct of the internal audit function at the University and has been approved by Council taking into account the advice of the Audit and Risk Management Committee.
2. Definitions
2.1 Refer to the University Audit and Assurance - Governing Policy for a complete list of definitions.
3. Role of Internal Audit
3.1 Internal Audit is an independent, objective assurance activity designed to add value and improve an organisation’s operations.
3.2 It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
3.3 Internal Audit is an integral part of the internal control and risk management framework as it functions by evaluating the effectiveness of the University’s governance processes.
3.4 The purpose of internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice, and insight.
3.5 Internal Audit provides an independent and objective review and advisory service to:
(a) provide assurance to the Vice-Chancellor and President, and the ARMC, that the University’s financial and operational controls, designed to manage the agency’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner; and
(b) assist management in improving the University’s business performance.
4. Professionalism
4.1 Internal Audit staff must be cognisant of the functions imposed in applicable standards and comply with professional standards of conduct including standards issued by:
(a) the Institute of Internal Auditors;
(b) the Certified Practising Accountants (Australia);
(c) Chartered Accountants Australia and New Zealand;
(d) the Information Systems Audit and Control Association;
(e) the standard relevant to risk management (being AS/NZS ISO 31000: 2018); and
(f) other relevant standards issued by Standards Australia and the International Standards Organisation.
4.2 Internal Audit must:
(a) govern itself by adherence to the Institute of Internal Auditors' mandatory guidance including the Core Principles for the Professional Practice of Internal Auditing, the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards);
(b) observe the Institute of Internal Auditors' Practice Advisories, Practice Guides and Position Papers, as applicable to guide Internal Audit’s operations; and
(c) adhere to the University’s relevant policies and procedures and this Internal Audit Charter.
4.3 Internal Audit staff must possess the knowledge, skills and technical proficiency essential to satisfactorily perform the tasks required of an internal auditor.
5. Authority and scope of Internal Audit
5.1 Authority is granted to Internal Audit for full, free and unrestricted access to any and all of the University’s records, physical properties, personnel and other documentation pertinent to carrying out any engagement, with strict accountability for confidentiality and safeguarding of records and information. All staff members are to assist Internal Audit in fulfilling its role and responsibilities and must not knowingly mislead the Internal Audit function or wilfully obstruct any audit activity.
5.2 All records, documentation and information accessed in the course of undertaking internal audit activities are to be used solely for the conduct of these activities.
5.3 The Internal Audit function has authority to conduct such audits as are necessary to exercise its responsibilities, to determine their nature and scope and to develop methods of investigation for the appraisal of operations. Internal Audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results. Internal Audit must disclose any such interference to the ARMC and discuss the implications.
5.4 Other University policies, procedures and documents must not contradict the authorised access by Internal Audit as expressed in the Internal Audit Charter. In the event of any conflict this Charter should take precedence.
5.5 The Senior Internal Audit Manager must escalate matters to the Chairperson of the ARMC for action where there is insufficient co-operation received from senior management, or agreed protocols are not met.
5.6 Internal Audit will have unfettered access to the Council, the Vice-Chancellor and President and the ARMC.
5.7 Internal Audit reviews may cover all programs and activities of the University together with associated entities, as provided for in relevant business agreements, memoranda of understanding or contracts. Internal audit activity encompasses the review of financial and non-financial policies and operations in line with the Internal Audit Plan.
5.8 The scope of Internal Audit will include all parts of the University including controlled entities of the University.
6. Independence
6.1 Independence is essential to the effectiveness of the Internal Audit function. Internal Audit activity shall be independent, and internal auditors shall be objective in performing their work. Internal auditors shall have an impartial, unbiased attitude and avoid any conflicts of interest.
6.2 The Internal Audit function has no direct authority or responsibility for the activities it reviews. The Internal Audit function has no responsibility for developing or implementing procedures or systems and does not prepare records or engage in original line processing functions or activities [except in carrying out its own functions]. Internal Audit is not responsible for the detailed development or implementation of new financial or administrative systems or any amendment, variation, or alteration to any such system, but should be consulted before any such system or amendment, variation or alteration is approved.
6.3 The Internal Audit function is responsible on a day-to-day basis to the Senior Internal Audit Manager.
6.4 The Senior Internal Audit Manager will confirm to the ARMC, at least annually, the organisational independence of the Internal Audit activity.
6.5 Internal Audit staff and service providers are required to report any real or perceived impairments (e.g. conflicts of interest) to the Senior Internal Audit Manager as soon as such impairments arise in accordance with the Conflict of Interest – Governing Policy. The Senior Internal Audit Manager is required to report any such impairments to the Chairperson of the ARMC.
6.6 The Internal Audit function, through the Senior Internal Audit Manager, reports functionally to the ARMC on the results of completed audits, and for strategic direction and accountability purposes, and reports administratively to the Vice-Chancellor and President (through the Director, Governance and Risk Management) to facilitate day-to-day operations. The Senior Internal Audit Manager has direct access to the Vice-Chancellor and President to discuss audit and risk issues when required.
7. Accountability
7.1 The following dual reporting line is prescribed, where the blue lines and boxes represent the ‘administrative’ reporting line and the orange lines and boxes represent the ‘functional’ reporting line:
7.2 The Director, Governance and Risk Management is nominated as the officer responsible for overseeing administrative aspects of Internal Audit.
7.3 Within the constraints of Internal Audit’s approved budget and approved Internal Audit Plan, the Senior Internal Audit Manager is authorised to:
(a) exercise autonomy in applying internal audit resources;
(b) recommend appointment of external service providers to co-source internal audit activities, both routine and ad hoc; and
(c) determine the scope, frequency, timing and procedures necessary to accomplish the objectives of each audit engagement.
7.4 The Council, upon recommendation from the ARMC, approves the Appendix A - Internal Audit Charter and all decisions regarding changes to the service delivery model for Internal Audit services and the performance evaluation, appointment or removal of an outsourced internal audit service.
7.5 The ARMC must approve the risk based Internal Audit Strategic and Operational Plans.
7.6 Internal Auditors must exhibit the highest level of professional objectivity in gathering, evaluating and communicating information about the activity or process being examined. Internal Auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
8. Confidentiality
8.1 Internal Audit staff must maintain the confidentiality of information obtained in the course of their duties and any information accessed in the course of audits is to be used strictly for audit purposes. Information must not be used for personal benefit. If there is any doubt over the conveying of information to a person, the Vice-Chancellor and President (or delegate) is to be notified and will determine the appropriateness of the information transfer.
8.2 The Senior Internal Audit Manager and individual internal audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work. Information must not be released to third parties (other than through contracted co-source arrangements) unless required or authorised or under law. Information must only be used for the purpose for which it is obtained.
8.3 All internal audit documentation is to remain the property of the University. The Senior Internal Audit Manager determines the appropriate documentation retained for services provided by an external third-party in a co-source arrangement.
9. Responsibility
9.1 The scope of Internal Audit encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the University’s governance, risk management and internal processes (including Work, Health and Safety matters), as well as the quality of performance in carrying out assigned responsibilities to achieve the University’s stated goals and objectives.
9.2 Internal Audit undertakes internal audit activities, aligned with the Internal Audit Plan and Advisory Services as required.
9.3 Internal Audit Activities
9.3.1 Internal Audit activities encompass the following areas (as appropriate to the Annual Internal Audit Plan):
(a) Risk Management:
(i) evaluate the effectiveness, and contribute to the improvement, of risk management processes;
(ii) provide assurance to Council and the ARMC on the effectiveness of the risk management framework including the design and operational effectiveness of internal controls (financial and non-financial);
(iii) provide assurance that risk exposures relating to the University’s governance, operations, and information systems are correctly evaluated, including:
- reliability and integrity of financial and operational information;
- effectiveness, efficiency, and economy of operations;
- safeguarding of assets;
- the reliability, timeliness, integrity and adequacy of information and the means used to identify, measure, classify and report such information;
- evaluating the effectiveness and efficiency with which resources are employed; and
- evaluating operations to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
(iv) evaluate the design, implementation and effectiveness of the University’s ethics-related objectives, programs and activities; and
(v) assess whether the information technology governance of the University sustains and supports the University’s strategies and objectives.
(b) Compliance:
(i) compliance with applicable laws, regulations and Government policies and directions; and
(ii) evaluating the systems established to ensure compliance with those policies, plans, procedures, laws and regulations which could have a significant impact on the University.
(c) Performance improvement:
(i) the efficiency, effectiveness and economy of the entity’s business systems and processes.
9.3.2 Any dispute relating to whether an activity falls within the Internal Audit scope or whether access to records, information or officers should be provided is determined by the Vice-Chancellor and President (or delegate) and can be referred to the ARMC.
9.4 Advisory services
9.4.1 The Internal Audit function can advise the University’s management on a range of matters including:
(a) New programs, systems and processes:
(i) providing advice on the development of new programs and processes or significant changes to existing programs and processes including the design of appropriate controls.
(b) Risk management:
(i) assisting management to identify risks and develop risk treatment and monitoring strategies as part of the risk management framework.
(c) Fraud and corruption control:
(i) evaluate the potential for the occurrence of fraud and how the University manages fraud risk; and
(ii) assisting management to investigate fraud, identify the risks of fraud and develop fraud prevention and monitoring strategies.
10. Audit planning
10.1 Internal Audit must submit the three-year Strategic Internal Audit Plan and the one-year Operational Internal Audit Plan to the ARMC for review and approval. This includes:
(a) overall objectives;
(b) work schedules;
(c) staffing;
(d) financial budgets; and
(e) a description of any limitations placed on Internal Audit’s scope of work.
10.2 The general direction of the University’s Internal Audit activities over the medium term is documented in a three-year Strategic Internal Audit Plan, which:
(a) identifies the broad goals to be achieved and strategies to be adopted over the three year period;
(b) is prepared by Internal Audit based upon the results of a risk assessment and focuses on the areas of high risk and those where internal controls are weak; and
(c) is reviewed annually by both Internal Audit and the ARMC and altered to take account of any changes in priorities or risks. The Strategic Internal Audit Plan forms the basis for the preparation of the one-year Operational Internal Audit Plan.
10.3 The one-year Operational Internal Audit Plan details the program for the forthcoming year and indicates the time allowances and budget for each proposed review or project. The actual audit performance must be regularly reviewed against the Operational Internal Audit Plan by the ARMC. Any necessary amendments to the Plan must be submitted to the ARMC for consideration and approval.
10.4 Internal Audit must prepare an individual audit plan, or scoping document, for all proposed audits. This document must be agreed to by Internal Audit, the Cost Centre Manager and the relevant Executive member prior to commencement of the audit. This document must include audit title; objectives; description and scope; and expected timeframes including starting and finishing dates. The plan must consider the University’s strategies, objectives and risks relevant to the engagement.
10.5 Audit plans must be developed using a risk-based methodology including input of senior management and the ARMC, to identify and prioritise audit tasks based on a risk assessment of the University’s operations. This must take account of:
(a) materiality;
(b) level of assessed risk;
(c) significance in terms of organisational impact; and
(d) public accountability.
10.6 The activities and plans of Internal Audit are to be coordinated with those of External Audit to ensure coordination of internal and external audit coverage.
10.7 The Vice-Chancellor and President (or delegate) is granted authority to amend the Internal Audit Plans from time to time, to reflect emerging risks and priorities and to ensure that the plans remain responsive to changes in business requirements. Any significant deviation from the approved Internal Audit Plan must be reported at the next ARMC meeting.
11. Standards
11.1 Internal Audit activities must be conducted in accordance with this Charter, and relevant professional standards including International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors.
11.2 In the conduct of Internal Audit work, Internal Audit staff must:
(a) comply with relevant professional standards of conduct;
(b) possess the knowledge, skills and technical proficiency relevant to the performance of their duties. This includes consideration of current activities, trends and emerging issues, to enable relevant advice and recommendations;
(c) be skilled in dealing with people and communicating audit, risk management and related issues effectively; and
(d) exercise due professional care in performing their duties.
12. Relationship with external audit
12.1 Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort.
12.2 Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination.
12.3 External audit will have full and free access to all internal audit plans, working papers and reports.
13. Conduct of work
13.1 Audit planning
13.1.1 The Annual Audit Plan will define the objectives, scope, priority, timing and resource requirements for each audit task in the coming year. This plan is prepared and submitted to the ARMC for approval. The Annual Audit Plan is undertaken each year and aligns with the three-year Strategic Internal Audit Plan.
13.1.2 The Annual Audit Plan shall be sufficiently comprehensive to ensure the complete and effective reviews of specified University activities and allow flexibility to accommodate special tasks and projects.
13.2 Special investigations
13.2.1 Internal Audit staff can undertake special audits and investigations:
(a) at the request of the relevant Senior Executive;
(b) after consultation with the Vice-Chancellor and President; or
(c) as required in the course of general operations.
13.2.2 Where Internal Audit assists in the investigation of suspected corrupt conduct, fraud or misappropriation within the University they must notify management and the ARMC of the corrective action to be taken.
13.2.3 Other reviews as requested by the Vice-Chancellor and President and Senior Internal Audit Manager or as a service to senior management may be conducted. Such requests will be risk assessed, as appropriate, to determine their priority within the approved Annual Audit Plan.
14. Reporting and monitoring
14.1 At the conclusion of each audit, Internal Audit will issue a copy of the report on the audit outcome to the relevant Cost Centre Manager and Executive Member. The report is submitted to the Executive Committee for review prior to the report being circulated to ARMC Committee members.
14.2 The report presents the audit objectives, scope and conclusion based on the outcome of the audit as well as management’s response to the report. This response must include corrective action taken (or to be taken) in regard to the specific findings and recommendations and an agreed implementation timetable, or an explanation for any corrective action that will not be implemented.
14.4 Internal Audit is responsible for appropriate follow-up on engagement findings and recommendations. All significant findings remain in an open issues file until completed, reviewed and closed by Internal Audit. Internal Audit must also annually perform follow-up audits to review extreme and high-risk recommendations that have been previously closed.
14.5 Internal Audit must periodically report to the Executive Committee and the ARMC on Internal Audit purpose, authority, responsibility and performance relative to its plan, and on its conformance with the Standards. Reporting will also include significant risk and control issues including fraud risks, governance issues and other matters that require the attention of the Vice-Chancellor and President, Executive Committee or the ARMC.
14.6 Internal Audit must establish and maintain a quality assurance and improvement program to evaluate the operations of the internal audit function in accordance with the requirement of the Institute of Internal Auditors and communicate to the Vice-Chancellor and President and the ARMC on this program.
15. Administrative arrangements
15.1 Any change to the role of the Senior Internal Audit Manager (and, where the Internal Audit function uses an outsourced service delivery model, the external service provider) is approved by Council on the recommendation of the ARMC.
15.2 The Senior Internal Audit Manager must arrange for an internal review, at least annually, and a periodic independent review, at least every five years, of the efficiency and effectiveness of the operations of the Internal Audit function. The results of the reviews will be reported to the ARMC who will provide advice to Council on those results.
16. Review of the charter
16.1 This Charter must be reviewed at least annually by the ARMC. Any substantive changes must be formally approved by the Council on the recommendation of the ARMC.
17. Delegations
17.1 The Director, Governance and Risk Management is the delegate of the Vice-Chancellor and President for matters relating to this Internal Audit Charter.
END of Appendix A