View Document

Internal Audit Policy

This is the current version of this document. You can provide feedback on this document to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) This Policy reflects ACU’s commitment to provide an independent, objective assurance approach to evaluate and improve the effectiveness of risk management, control, and governance processes across Australian Catholic University (ACU).

(2) This Policy should be read in conjunction with the Internal Audit Charter.

Top of Page

Section 2 - Introduction

(3) Internal Audit is an independent, objective assurance service designed to add value and improve an organisation’s operations. It helps ACU accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Audits are scheduled throughout the year depending on several factors, such as peak business periods, reliance by the external auditor on internal audit work, availability of key staff members and changes to systems. Internal audit is an outsourced function completed under contract to ACU by an external service provider.

(4) Internal audit is responsible to Senate reporting through the Audit and Risk Committee (ARC).

Top of Page

Section 3 - Internal Audit Operations and Services

(5) Internal audit ensures governance, risk management and control processes are adequate and functioning in a manner to provide a reasonable level of confidence in operations.

(6) A typical review conducted by internal Audit involves a detailed review of a process or function to test processes, systems and controls to ensure they are working as desired.

(7) This testing can be conducted in a variety of ways, including:

  1. observation of procedures in place;
  2. review of documentation;
  3. re-performance of an operation;
  4. Compliance Testing of Transactions; and
  5. Substantive Testing of Transactions.

(8) A report will be produced and shared with the Review Sponsor. This report will set out observations and recommendations for further actions to address issues. This report will be provided to senior management and ARC for their consideration.

(9) The Internal Audit function will apply and uphold principles of integrity, objectivity, confidentiality, and competence as required by the Code of Ethics - The Institute of Internal Auditors.

Top of Page

Section 4 - Authority to Act

(10) Internal Audit is authorised to:

  1. have unrestricted access to records, property and personnel;
  2. maintain sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this Policy and the associated Internal Audit Charter; and
  3. obtain the necessary assistance of personnel in the University where they perform audits, as well as other specialised services from within or outside the University.

(11) Internal Audit is not authorised to:

  1. perform any operational duties for the University or its affiliates;
  2. initiate or approve accounting transactions external to Internal Audit; or
  3. direct the activities of any University employee not assigned to assist the internal auditors.

(12) To ensure that the objectivity of the Internal Audit is not adversely affected, Internal Audit staff shall not develop and install systems and procedures, nor be engaged directly in any other activity which Internal Audit would normally review and appraise.

(13) Internal Audit may provide a consultative role in determining and recommending the standards of control to be incorporated in new systems. Internal Audit should, wherever appropriate, have the status of observer and adviser on any steering committee or review group established for new or existing systems whether manual or automated.

Top of Page

Section 5 - Responsibilities

Functional responsibilities

Audit and Risk Committee

(14) The ARC is a standing committee with powers to act delegated to it by Senate. It is chaired by an expert in audit committee and financial matters who may be external to the University and Senate.

Review Sponsor

(15) A Review Sponsor will be identified at the start of an Internal Audit review. This staff member will be a senior leader of the operational area under review and be a subject matter expert in the area under review and senior enough to be able to reach across the operational portfolio and into other operational areas as needed with confidence and authority.

(16) This Review Sponsor will cooperate with Internal Audit personnel and;

  1. ensure timely review and sign off of the review scope, response to reasonable questions, requests for data and other information or assets, access to staff and resources etc.; and
  2. assist with logistics for the audit visit, arrange meetings with appropriate staff, arrange access to records, access to an appropriate workspace on site, reference point to clarify content, etc.

Director, Data Analytics and Strategic Insights

(17) The Director, Legal, Assurance and Governance (Dir LAG) acts as the Chief Audit Executive and reports to the Chief Operating Officer (COO) for administrative matter. Impairments to independence or objectivity (real or perceived) will be disclosed to the Chair, Audit and Risk Committee and the Vice-Chancellor and President, if required.

(18) The Dir LAG will:

  1. act as contract manager for any outsourced Internal Audit Provider;
  2. ensure internal audits are conducted in compliance with the Internal Audit Charter and Internal Audit service contract;
  3. periodically report to senior management and the Audit and Risk Committee on the Internal Audit activity;
  4. coordinate implementation of the approved annual audit plan including, as appropriate, any special tasks or projects requested by management and the Audit and Risk Committee;
  5. supply professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter;
  6. establish a quality assurance program to assure the operation of internal audit activities;
  7. coordinate management responses to internal audit reports and monitoring of close out of engagement findings and recommendations to ensure they are finalised in a timely manner and in line with management’s commitment to address the issues identified and report on outstanding audit recommendations and report results to the Audit and Risk Committee;
  8. issue periodic reports to the Audit and Risk Committee and management summarizing results of audit activities;
  9. keep the Audit and Risk Committee informed of emerging trends and successful practices in internal auditing, risk or financial management;
  10. provide a list of significant measurement goals and results to the Audit and Risk Committee; and
  11. act as a Review Sponsor in the event of the nominated Review Sponsor being unwilling or unable to fulfill this role.

Internal Audit Service Provider – Insourced and Outsourced

(19) ACU may have both insourced or outsourced (or combination of these) Internal Audit Provider to provide Internal Audit services to ACU.

(20) The Internal Audit Provider will under contract:

  1. develop flexible annual audit plans using an appropriate risk-based methodology, including any risks or control concerns identified by management, and submit plans to the Audit and Risk Committee for review and approval; and
  2. supply professional audit staff with sufficient knowledge, skills, experience, and professional certifications to meet the requirements of this charter
Top of Page

Section 6 - Internal Audit Charter

(21) The internal audit function operates under an Internal Audit Charter which establishes the objective, scope and authority conferred by the Vice-Chancellor and President through the Audit and Risk Committee on Internal Audit, to ensure an efficient, effective and economical internal audit function is provided to the University in accordance both legislative and professional requirements.

(22) The Internal Audit Charter contains specific requirements applicable to the University’s operations, including:

  1. ACU Mission, Identity and Values and scope of work;
  2. accountability
  3. independence and objectivity;
  4. authority to act
  5. standards of audit practice; and
  6. approval and amendment of Charter.

(23) The Internal Audit function will provide assessment and evaluation of the effectiveness and efficiency of financial and operational systems, reporting processes and activities; and aid in risk management through identifying deficiencies and opportunities in risk management activity.

(24) The Internal Audit Charter is reviewed by the Audit and Risk Committee every two years, and changes are recommended to the Vice-Chancellor and President for approval.

Top of Page

Section 7 - Further Assistance

(25) For further assistance, please contact the Director, Legal, Assurance and Governance.