View Current

Internal Audit procedure

This is the current version of this document. You can provide feedback on this policy to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Preamble

(1) This Procedure was approved by Council on 4 October 2012 and incorporates all amendments to 10 November 2014.

(2) This Procedure is pursuant to the Internal Audit policy.

Top of Page

Section 2 - Purpose

(3) This Procedure outlines the consultation and approval process for the Annual Internal Audit Plan, and the process that will be undertaken during an audit or review conducted by the Internal Audit function at the University.

Top of Page

Section 3 - Scope

(4) This Procedure applies to scheduled audits or reviews conducted by the Internal Audit function of the University. It outlines the responsibilities of both the Internal Audit function and University staff during the conduct of the audit or review.

(5) The Procedure may not be applicable to audit activities of an advisory or investigatory nature. Applicability will be determined by, and at the discretion of, the Director, Internal Audit.

Top of Page

Section 4 - Policy

(6) Refer to the Internal Audit policy.

Top of Page

Section 5 - Procedure

Annual Internal Audit plan

(7) The Director, Internal Audit will develop a risk-based Internal Audit Plan annually, detailing the audits to be undertaken by the Internal Audit function for the relevant year. The Annual Internal Audit Plan will be developed in consultation with the Executive, senior management of the University, and other relevant stakeholders.

(8) The Internal Audit Plan will be submitted to the Vice-Chancellor and the Executive for review, and then to the Audit and Risk Committee (ARC) for consideration and approval.

(9) The approved Internal Audit Plan will be reviewed by the Director, Internal Audit on a six-monthly basis, with any material adjustments reported to the Vice-Chancellor and submitted to the ARC for approval.

(10) The Director, Internal Audit will advise all staff of the approved Annual Internal Audit Plan via the Internal Audit Unit website.

Audit process

Audit planning

(11) The Internal Audit function will conduct preliminary planning activities to develop a draft terms of reference document for the audit or review. The terms of reference document includes the objective and scope of the audit, relevant risks, and the key timeframes and requirements for the audit or review process.

(12) Draft terms of reference will be discussed and agreed with relevant staff at an audit scope meeting. The agreed terms of reference will be issued to all relevant staff likely to be involved in the audit before work commences.

(13) Further meetings will be conducted by the Internal Audit function with relevant staff to perform detailed planning for the audit, including process walk-throughs, to obtain an adequate understanding of the area so that an effective risk-based audit can be performed.

Audit fieldwork

(14) The Internal Audit function will undertake detailed testing of the audit area, which may include further discussions with staff, data analysis and review of relevant documentation and systems.

(15) Any potential audit findings identified during the fieldwork or planning stages of the audit will be discussed and confirmed with relevant staff prior to the finding being included in the draft Internal Audit Report. This includes discussing details and confirming the factual accuracy of the audit observation, identified root cause/s and associated risks.

(16) At the completion of audit testing and fieldwork, a meeting will be conducted with relevant staff to discuss the outcomes of the audit fieldwork and any potential audit findings which may be included in the draft Internal Audit Report.

Audit reporting

(17) The Internal Audit function will draft an Internal Audit Report, based on the work performed during the audit, which outlines the audit results and any audit findings and recommendations. The draft Internal Audit Report will be discussed with relevant staff at an audit exit meeting.

(18) Relevant staff will receive a copy of the draft Internal Audit Report to review and provide comments. Comments are to include action plans to address any audit recommendations, responsibilities, and timeframes. Comments are to be provided by the member of staff with responsibility for ensuring action plans can be implemented, and all comments are to be discussed with, and endorsed by, the relevant member/s of the Executive prior to returning the report back to the Internal Audit function.

(19) Comments on the draft Internal Audit Report are to be provided in a timely manner, within the timeframe agreed with the Internal Audit function (at a minimum, this will be 10 working days after the draft Internal Audit Report has been received by management). If this deadline cannot be met, this must be discussed with the Internal Audit function. If comments are not received in a reasonable timeframe, the Director, Internal Audit may escalate the report to the relevant member/s of the Executive and/or the Vice-Chancellor.

(20) The Internal Audit function will review all comments received, and ensure they address the substance of the audit recommendation and that reasonable timeframes for implementing action plans have been established (based on the risk associated with the audit finding).

(21) Once appropriate comments have been included in the draft Internal Audit Report, it will be submitted to the Vice-Chancellor for consideration and for additional comments, where appropriate. Any comments provided will be incorporated into the draft Internal Audit Report, and may require the Internal Audit function to perform further follow-up with relevant staff.

(22) After comments from the Vice-Chancellor have been received, a final Internal Audit Report will be distributed to relevant staff (as outlined on the cover page of the report). The Internal Audit Report will also be made available to the Vice-Chancellor and all ARC members.

Audit Completion

(23) After the final Internal Audit Report has been distributed, an audit feedback survey will be provided to relevant staff to obtain feedback on the audit process and/or the auditors involved in the audit.

(24) The Director, Internal Audit will report audit results to the meeting of the ARC held after the Vice-Chancellor has considered the Internal Audit Report.

Follow-up and monitoring

(25) The Internal Audit function will request staff nominated as responsible for implementing action plans to provide a status update on a regular basis, usually as action plan timeframes are due. The status update will involve staff providing information and evidence to demonstrate actions taken to date, outlining actions still to be undertaken, and a revised implementation date if required.

(26) Any action plans not to be implemented are to be discussed with the Internal Audit function. Depending on the reasons, and the associated risk rating for the original audit finding, the matter may be escalated to the Executive and/or the Vice-Chancellor for consideration.

(27) On a regular basis the Director, Internal Audit will advise the Executive and Vice-Chancellor of any agreed action plans which have not been implemented within a timely or reasonable manner.

(28) The Director, Internal Audit will provide a report to each meeting of ARC on the status of all outstanding audit findings, including detailed information relating to high and very high risk audit findings as well as any action plans identified as not to be implemented.

Top of Page

Section 6 - Definitions

(29) For the purpose of this Procedure:

  1. Internal Audit function: encompasses in-house audit staff employed by the University, staff from the contracted internal audit co-source provider and/or staff from an external organisation engaged by the Internal Audit Unit to provide specific internal audit services.
  2. Risk: the chance of something happening that will have an impact on the achievement of the University's objectives. It is measured in terms of likelihood and consequence.
  3. Risk management: the 'effect of uncertainty on objectives', as defined by Standards Australia and Standards New Zealand (AS/NZS ISO 31000: 2009 Australian/New Zealand Standard: Risk management - Principles and guidelines.) Risk is typically characterised by reference to potential events, and measured in terms of a combination of the likelihood of the event occurring and the consequence if it was to occur.