Internal Audit Procedure

This is the current version of this document. You can provide feedback on this document to the document author - refer to the Status and Details on the document's navigation bar.

Section 1 - Purpose

(1) The Internal Audit Procedure (Procedure) describes the process for the conduct and management of internal audit activities at the Australian Catholic University (ACU) in accordance with the Code of Ethics - The Institute of Internal Auditors.

(2) The Procedure is governed by the Internal Audit Policy and should be read in conjunction with the Internal Audit Charter.

Section 2 - Scope / Application

(3) The Procedure guides the process of internal audits to ensure practical alignment with the Policy.

Section 3 - Terms / Definitions

(4) Within this Procedure, the following terms are used as defined.

Term      Definition
ARC       Audit and Risk Committee
CARM      ACU’s Risk Management System (including Risk Registers)
Dir LAG   Director, Legal, Assurance and Governance
IIA       Institute of Internal Audit Service Providers
IPPF      International Professional Practices Framework
LAG       Legal, Assurance and Governance Directorate

Section 4 - Annual Internal Audit Program

(5) The Director, Legal, Assurance and Governance, with support from the Assurance Unit, has responsibility for:

  1. ensuring the conduct of the internal audit function in collaboration with the external internal audit partner;
  2. developing an annual Internal Audit Program for endorsement by the ARC;
  3. monitoring progress of the Internal Audit Program via the Audit Actions Register (Audit Register);
  4. allocating audit resources to align with the endorsed program and ensuring audits are undertaken as scheduled;
  5. ensuring internal audit progress reports are provided to the ARC at each of their regular meetings or as directed by the Chair ARC;
  6. developing a quality assurance and improvement program; and
  7. coordinating the engagement of relevant ACU staff and officers to participate in internal audit activities, as required.

(6) Internal Audits are conducted as part of a risk management framework and include consultation with the Senior Executive and other relevant stakeholders.

(7) In addition to the Internal Audit Program, management-initiated assurance activities conducted across ACU are captured and monitored by the Assurance Unit in CARM.

Section 5 - Resourcing, Conflict of Interest and Confidentiality

(8) ACU adopts an outsourced model of internal auditing. All internal audits are outsourced to an independent third party (Internal Audit Service Provider).

(9) A suitable Internal Audit Service Provider is selected by the ARC on recommendation of the Dir LAG, following a selection process conducted in accordance with the Procurement Policy, based on the audit scope, focus and objectives, and the available budget.

(10) The Internal Audit Service Provider is expected to be able to demonstrate its professional competence through relevant experience and appropriate professional certifications and qualifications, such as designations offered by the Institute of Internal Audit Service Providers (IIA) or other appropriate professional organisations. The Internal Audit Service Provider is responsible for the provision of suitably qualified audit staff and their professional conduct.

(11) The Internal Audit Service Provider is required to provide an undertaking at the commencement of the contractual period that no conflict of interest exists, or is likely to occur, in relation to the audit services to be provided. If at a later stage, audit staff employed or engaged by the Internal Audit Service Provider become aware of a situation in which a conflict of interest or bias is present or may reasonably be inferred, they must immediately advise the Dir LAG, and apply mitigation strategies in consultation with the Dir LAG.

(12) The Internal Audit Service Provider is required to execute a deed of confidentiality or non-disclosure agreement at the commencement of the contractual period to ensure the Internal Audit Service Provider is and remains responsible and accountable for maintaining the confidentiality of the information accessed during the course of the internal audit work.

Section 6 - Internal Audit Process

(13) The internal audit process consists of 8 steps:

Internal Audit Process

1. Scope
The Dir LAG is responsible for development of the audit scopes that fall within the Internal Audit Program. These are prepared in consultation with the relevant business areas and approved by the ARC. Once the scope is approved, the Internal Audit Service Provider commences the subsequent stages of the Internal Audit Process.

2. Entry Meeting
An entry meeting is held at the start of an internal audit. The entry meeting is conducted by the Internal Audit Service Provider and key stakeholders from the area to be audited.
The purpose of the entry meeting is to ensure all relevant staff of the audited area are aware that the audit is taking place and know who the auditors are; confirm the audit timetable and approach to the fieldwork; and signal the commencement of audit fieldwork.

3. Fieldwork
All audits, regardless of their nature, involve providing assurance on the design and effectiveness of a system of internal control. Fieldwork for any given audit will vary and may include staff interviews, reviewing documents and records, questionnaires, systems documentation, walk-throughs and/or performing some initial analytical procedures or data analysis, reviewing and documenting current processes and conducting sample testing where appropriate.
During the audit fieldwork, the Internal Audit Service Provider will communicate matters of significance to the Dir LAG and the Audit Sponsor to ensure high risk matters are raised before the end of the audit. This may be done informally (e.g. emails, discussions) or via formal meetings.
Access to all records and information of ACU is required for internal audit work. ACU staff are required to cooperate with auditors’ requests for information, documents and other records.
Assistance from the area being audited is to be provided in a timely manner and could include:
  • Review and provision of feedback on the proposed scope;
  • Providing a contact officer(s);
  • Attendance at entry and exit meetings and providing input into the accuracy and benefit of the reports;
  • Providing input to draft audit recommendations;
  • Attending audit committee meetings if invited.

4. Exit Meeting
Following completion of the fieldwork, an exit meeting will be held to discuss the findings to confirm facts or clarify information. The meeting will be attended by the Dir LAG or delegate, representatives of the Internal Audit Service Provider and members of the Senior Executive and / or Executive from the audited area.

5. Draft Report and Proposed Management Actions
A formal draft internal audit report will be issued to the Dir LAG or delegate and senior stakeholders including members of the Senior Executive and / or Executive from the audited area for dissemination to senior management of the area being audited, for management comments.
The draft report will:
  • include an Executive Summary which will describe the objective, scope, background, key controls and positive observations and key findings / opportunities for improvement;
  • state the objective(s), scope, methodology and conclusion of the audit;
  • detail any risks identified that were not effectively treated and suggestions for improvement;
  • prioritise the risks identified through the use of the risk matrix or similar;
  • propose recommendations to further treat the identified risks; and
  • seek management’s comments in response to the recommendations and implementation timeframes.
While the initial audit scope is designed to provide parameters for the internal audit, it does not limit reporting of findings outside the scope, especially where an issue of high risk / material concern is identified. In such cases, the Internal Audit Service Provider has a professional obligation to report the issue even if it is outside the original scope of the audit.

6. Final Report and Management Actions
Final audit reports must include a management response. The Internal Audit Service Provider will provide the draft report to Dir LAG or delegate for the ACU management response. The Internal Audit Service Provider will coordinate and / or assist in the preparation and review of the management response to audit findings for inclusion in the final audit report, in consultation with the relevant ACU Executive member. This will include reviewing draft reports, in consultation with relevant staff, to assess for inaccuracies and provide comment where required.

7. Audit and Risk Committee Endorsement
The Final Report and Management Action Plan (MAP) will be provided to the ARC for endorsement at the next available meeting. The endorsement will be communicated to the members of the Senior Executive and the Executive from the audited area.

8. Management Action, Implementation and Tracking
The audited area is responsible for enacting the MAP after approval by the ARC. The MAP identifies action officers and timelines for completion of actions as appropriate. Progress on actions is recorded and tracked via the nominated Audit Register tracking system.

Section 7 - Evaluating the effectiveness of the Audit

(14) Feedback will be requested from the Lead Coordinator on the conduct of the Internal Audit Service Provider in performing the audit and on the usefulness of the recommendations, as part of improving the quality of audit performance. An evaluation survey will guide the responses.

Section 8 - Communicating Audit Outcomes

(15) Findings and recommendations for each audit / review will be uploaded to the agreed audit tracking system after the final report has been endorsed by the ARC. Relevant Executive and Senior Executive stakeholders will be advised of the conclusion of the audit and the availability of the results.

Section 9 - Monitoring Audit Recommendations

(16) The Dir LAG in collaboration with the Internal Audit Service Provider is required to track progress towards implementing agreed actions aligned to internal audit recommendations to ensure that they are being implemented within the agreed timeframes.

(17) The Internal Audit Service Provider maintains the Audit Register which records recommendations, action items, responsible officers, expected completion dates and implementation status for each audit.[1]

[1] ACU currently uses EY’s VIA system.

(18) Information in the Audit Register includes the Action Assignee, Executive Sponsor, date for completion and activity conducted. Executive sign-off is required.

(19) Action Owners are required to update the Audit Register periodically in order to ensure timely reporting to the ARC. Any extension of time required to complete a recommendation must be approved by the ARC.

(20) The ARC monitors all recommendations from audit activity across ACU based on advice from the Internal Audit Service Provider on the following matters:

  1. the efficacy of actions to close out identified risks; and
  2. the satisfactory completion of Internal Audit recommendations.

Section 10 - Review

(21) In accordance with the Policy Development and Review Policy, the ARC, under the direction of the Dir LAG, will facilitate the review of the following documents every five years (or sooner as required or requested by the ARC or Dir LAG):

  1. Internal Audit Charter;
  2. Internal Audit Policy; and
  3. Internal Audit Procedure.

Section 11 - Further Assistance

(22) For further assistance, please contact the Assurance Unit, Legal, Assurance and Governance Directorate.

Section 12 - Roles and Responsibilities

Approval Authority: The Audit and Risk Committee
Governing Authority: Chief Operating Officer
Responsible Officer: Director, Legal, Assurance and Governance