
Internal Audit procedure


Section 1 - Preamble

(1) This Procedure is effective from 6 July 2022.


Section 2 - Purpose

(2) This Procedure outlines the consultation and approval process for the Annual Internal Audit Plan, and the process that will be undertaken during an audit or review conducted by the Internal Audit function at the University.


Section 3 - Scope

(3) This Procedure applies to scheduled audits or reviews conducted by the Internal Audit function of the University. It outlines the responsibilities of both the Internal Audit function and University staff during the conduct of the audit or review.

(4) The Procedure may not be applicable to audit activities of an advisory or investigatory nature. Applicability will be determined by, and at the discretion of, the Director, Audit, Risk and Business Continuity.


Section 4 - Policy

(5) This Procedure is pursuant to the Internal Audit policy.


Section 5 - Procedure

Annual Internal Audit plan

(6) The Director, Audit, Risk and Business Continuity will develop a risk-based Internal Audit Plan annually, detailing the audits to be undertaken by the Internal Audit function for the relevant year. The Annual Internal Audit Plan will be developed in consultation with the Senior Executive Team, senior leaders of the University, and other relevant stakeholders.

(7) The Internal Audit Plan will be submitted to the Vice-Chancellor and the Senior Executive Team for review, and then to the Audit and Risk Committee (ARC) for consideration and approval.

(8) The approved Internal Audit Plan will be reviewed by the Director, Audit, Risk and Business Continuity on a six-monthly basis, with any material adjustments reported to the Vice-Chancellor and submitted to the ARC for approval.

(9) The Director, Audit, Risk and Business Continuity will advise all staff of the approved Annual Internal Audit Plan via the Internal Audit Unit website.

Audit process

Audit planning

(10) The Internal Audit function will conduct preliminary planning activities to develop a draft terms of reference document for the audit or review. The terms of reference document includes the objective and scope of the audit, relevant risks, and the key timeframes and requirements for the audit or review process.

(11) Draft terms of reference will be discussed and agreed with relevant staff at an audit scope meeting. The agreed terms of reference will be issued to all relevant staff likely to be involved in the audit before work commences.

(12) Further meetings will be conducted by the Internal Audit function with relevant staff to perform detailed planning for the audit, including process walk-throughs, to obtain an adequate understanding of the area so that an effective risk-based audit can be performed.

Audit fieldwork

(13) The Internal Audit function will undertake detailed testing of the audit area, which may include further discussions with staff, data analysis and review of relevant documentation and systems.

(14) Any potential audit findings identified during the fieldwork or planning stages of the audit will be discussed and confirmed with relevant staff prior to the finding being included in the draft Internal Audit Report. This includes discussing details and confirming the factual accuracy of the audit observation, identified root cause/s and associated risks.

(15) At the completion of audit testing and fieldwork, a meeting will be conducted with relevant staff to discuss the outcomes of the audit fieldwork and any potential audit findings which may be included in the draft Internal Audit Report.

Audit reporting

(16) The Internal Audit function will draft an Internal Audit Report, based on the work performed during the audit, which outlines the audit results and any audit findings and recommendations. The draft Internal Audit Report will be discussed with relevant staff at an audit exit meeting.

(17) Relevant staff will receive a copy of the draft Internal Audit Report to review and provide comments. Comments are to include action plans to address any audit recommendations, responsibilities, and timeframes. Comments are to be provided by the member of staff with responsibility for ensuring action plans can be implemented, and all comments are to be discussed with, and endorsed by, the relevant member/s of the Senior Executive Team prior to returning the report to the Internal Audit function.

(18) Comments on the draft Internal Audit Report are to be provided in a timely manner, within the timeframe agreed with the Internal Audit function (at a minimum, this will be 10 working days after the draft Internal Audit Report has been received by management). If this deadline cannot be met, this must be discussed with the Internal Audit function. If comments are not received in a reasonable timeframe, the Director, Audit, Risk and Business Continuity may escalate the report to the relevant member/s of the Senior Executive Team and/or the Vice-Chancellor.

(19) The Internal Audit function will review all comments received, and ensure they address the substance of the audit recommendation and that reasonable timeframes for implementing action plans have been established (based on the risk associated with the audit finding).

(20) Once appropriate comments have been included in the draft Internal Audit Report, it will be submitted to the Vice-Chancellor for consideration and for additional comments, where appropriate. Any comments provided will be incorporated into the draft Internal Audit Report and may require the Internal Audit function to perform further follow-up with relevant staff.

(21) After comments from the Vice-Chancellor have been received, a final Internal Audit Report will be distributed to relevant staff (as outlined on the cover page of the report). The Internal Audit Report will also be made available to the Vice-Chancellor and all ARC members.

Audit completion

(22) After the final Internal Audit Report has been distributed, an audit feedback survey will be provided to relevant staff to obtain feedback on the audit process and/or the auditors involved in the audit.

(23) The Director, Audit, Risk and Business Continuity will report audit results to the meeting of the ARC held after the Vice-Chancellor has considered the Internal Audit Report.

Follow-up and monitoring

(24) The Internal Audit function will request staff nominated as responsible for implementing action plans to provide a status update on a regular basis, usually as action plan timeframes are due. The status update will involve staff providing information and evidence to demonstrate actions taken to date, outlining actions still to be undertaken, and a revised implementation date if required.

(25) Any action plans not to be implemented are to be discussed with the Internal Audit function. Depending on the reasons, and the associated risk rating for the original audit finding, the matter may be escalated to the Senior Executive Team and/or the Vice-Chancellor for consideration.

(26) On a regular basis, the Director, Audit, Risk and Business Continuity will advise the Senior Executive Team and Vice-Chancellor of any agreed action plans which have not been implemented in a timely or reasonable manner.

(27) The Director, Audit, Risk and Business Continuity will provide a report to each meeting of ARC on the status of all outstanding audit findings, including detailed information relating to high and very high risk audit findings as well as any action plans identified as not to be implemented.


Section 6 - Definitions

(28) For the purpose of this Procedure:

  1. Internal Audit function: encompasses in-house audit staff employed by the University, staff from the contracted internal audit co-source provider and/or staff from an external organisation engaged by Internal Audit to provide specific internal audit services.
  2. risk: the chance of something happening that will have an impact on the achievement of the University's objectives. It is measured in terms of likelihood and consequence.
  3. risk management: the 'effect of uncertainty on objectives', as defined in Standards Australia AS ISO 31000:2018 Risk Management Guidelines. Risk is typically characterised by reference to potential events and measured in terms of a combination of the likelihood of the event occurring and the consequence if it was to occur.