Internal Audit Charter

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose

(1) This document sets out the purpose, authority and responsibility of the Internal Audit function at Charles Sturt University (the University). This Charter incorporates the internal audit mandate of the University Council, in line with the Global Internal Audit Standards (the Standards).

Scope

(2) This Charter applies to all areas of the University and its controlled entities.

(3) This Charter has the same force and effect as a policy.

Section 2 - Policy

Internal audit role and purpose

(4) The internal audit function strengthens the University’s ability to create, protect and sustain value by providing the University Council, the Audit and Risk Committee and management with independent, risk-based and objective assurance, advice, insight and foresight.

(5) Internal audit provides assurance and advice to:

  1. The Audit and Risk Committee and University Council to increase confidence about the University’s governance, risk management and control processes.
  2. Assist management in improving business performance.

(6) The internal audit function's role is to enhance and protect organisational value by providing independent, risk-based objective assurance, advice and insight.

Authority and confidentiality

(7) All internal audit work is undertaken under the authority of the Charles Sturt University Council on the recommendation of, and under the delegation to, the Audit and Risk Committee.

(8) Charles Sturt University has a fully outsourced Internal Auditor, appointed in line with the University’s procurement processes. 

(9) Subject to budget availability, and on the authority of the Audit and Risk Committee, internal audit work may also be conducted by other external service providers where:

  1. the Internal Auditor lacks the proficiency, knowledge, skill or other competencies needed to perform all or part of an engagement
  2. any real or perceived conflict of interest may arise in the conduct of the engagement by the Internal Auditor
  3. additional internal audit activities are requested outside the approved Internal Audit Plan, or
  4. as otherwise requested by the University Council and/or Audit and Risk Committee.

(10) For an engagement to be considered internal audit work, the appointment, coordination and oversight of engagements performed by the Internal Auditor and/or external service providers must be managed by the Director, Risk and Compliance under approval by the Audit and Risk Committee. The conduct of such engagements must comply with this Internal Audit Charter.

(11) Subject to clauses (12) and (13), the internal audit function, with strict accountability for confidentiality and safeguarding of records and information, is authorised full, free and unrestricted access to any and all of the University's functions, premises, assets, personnel, records and other documentation, information and physical properties relevant to the performance of audit engagements. Timely assistance must be rendered by other University staff in order to facilitate the progress of audit work.

(12) All records, documentation and information accessed in the course of internal audit activity are to be used strictly for internal audit purposes. Internal audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work. Information which is identified as confidential and/or commercial-in-confidence should not be disclosed by the auditor to any third person without the University’s written consent, unless otherwise stipulated by engagement terms or the law.

(13) If the auditor seeks access to legally privileged material, the University (including the General Counsel or their nominee) will work with the auditor to determine what information the auditor requires to be able to form the necessary audit opinion. If it is necessary to disclose privileged material to the auditor, then appropriate measures must be implemented to ensure conditions of confidentiality and privilege are maintained and to ensure disclosure is made for the limited purpose of the audit (limited waiver). Those measures may include entering into an express written agreement with the auditor (in addition to the audit engagement terms) which clearly records the terms on which the information is disclosed, including that the information is disclosed for the limited purpose of the audit, that the University does not waive privilege over the material, and that neither the contents of the documents nor the information contained in them will be disclosed in the auditor’s report.

(14) All internal audit documentation and work papers remain the property of the University, including where internal audit services are provided by external service providers.

Guiding principles and professional standards

(15) In addition to the University's policies and procedures, including the Internal Audit Charter and Internal Audit Manual, the Internal Audit function will govern itself by adherence to mandatory guidance contained in the International Professional Practices Framework (IPPF), issued by the Institute of Internal Auditors, including the Global Internal Audit Standards, Topical Requirements and Global Guidance.

Independence and objectivity

(16) Internal Auditor staff or external service providers must have an impartial, unbiased attitude and avoid any conflict of interest whether actual, perceived or potential. A conflict of interest could impair an individual’s ability to perform his or her duties and responsibilities objectively. Conflict of Interest at the University is defined in the Conflict of Interest Procedure.

(17) The Internal Auditor, external service providers and/or the Director, Risk and Compliance must immediately communicate to the Audit and Risk Committee any actual, perceived or potential conflicts of interest that may compromise the objectivity of the Internal Audit function.

(18) Independence is essential to the effectiveness of internal auditing. This independence is obtained primarily through the organisational reporting structure. The Internal Audit function must be free from influence in relation to the allocation of resources, audit selection and scope, and the techniques required to accomplish audit objectives.

(19) The internal audit function shall have no direct responsibility or authority over any of the activities reviewed. It shall not design and install operational systems or procedures, prepare records, or engage in any other activity that it would normally review and appraise.

(20) Staff of the Internal Auditor or any external service providers are not to provide audit services for work they have previously been responsible for unless the staff member has not worked in the area for at least a year.

(21) Prior to engagement, business areas must seek written permission from the Director, Risk and Compliance to engage the Internal Auditor to provide non-internal audit services.

(22) The Internal Auditor reports functionally to the University Council through the Audit and Risk Committee and has right of direct access to the Chancellor, Vice-Chancellor and the Chair of the Audit and Risk Committee. The Internal Auditor has access to regular closed sessions with the Audit and Risk Committee.

(23) Functional reporting to the Audit and Risk Committee involves the Committee:

  1. approving the Internal Audit Charter and the Internal Audit Manual
  2. reviewing, providing comment and approving the Internal Audit Strategy
  3. reviewing, providing comment and approving the Internal Audit Plan, and any changes to the plan
  4. accepting reports from the internal audit function on the progress of internal audit activities or other matters that the Internal Auditor determines are necessary, including closed meetings with the Internal Auditor without management present
  5. assessing the performance of the Internal Auditor
  6. providing relevant advice to the University Council on all decisions regarding the appointment or removal of the Internal Auditor
  7. making appropriate inquiries of management and the Internal Auditor to determine whether there are audit scope or budgetary limitations that impede the ability of the internal audit activity to execute its responsibilities
  8. having regular closed sessions with the Internal Auditor
  9. having a direct line of communication with the Internal Auditor
  10. setting expectations regarding management’s support of the internal audit function, and
  11. monitoring the Internal Auditor’s compliance with the Standards, together with quality and improvement arrangements.

(24) The Internal Auditor will report administratively to the Director, Risk and Compliance.

(25) Administrative reporting includes:

  1. managing the internal audit budget and payments to the service provider(s)
  2. assisting the internal audit function in regard to facilitating internal audit activities at the University
  3. contract arrangements, variations and management contract performance.

(26) Where the Internal Auditor and/or Director, Risk and Compliance is responsible for non-audit activities, safeguards will be put in place to ensure independence or objectivity.

(27) To maintain independence, the Internal Auditor shall not undertake any operating responsibilities outside of internal audit work for the University, without the endorsement of the Vice-Chancellor and the approval of the Audit and Risk Committee.

Scope of work

(28) The scope of internal audit work may include:

  1. assurance services – objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the University and its controlled entities. This may include activities such as:
    1. Compliance
      1. Compliance with legislative requirements, policies and procedures.
      2. The adequacy and effectiveness of internal financial and operational controls including IT system controls.
      3. The recording, control and use of University assets.
    2. Performance improvement
      1. The efficiency, effectiveness, and ethical conduct of University business systems and processes.
      2. Assessing and monitoring the successful implementation of recommendations for control improvements accepted by the University.
    3. Governance
      1. Assessing the state of organisational governance in the University and recommending strategies for improvement.
    4. Promoting best practice
      1. Identifying and promulgating best practice within the University.
  2. advisory services – advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve the University’s governance, risk management and control processes without the Internal Auditor assuming management responsibility. This may include activities such as:
    1. New programs, systems and processes
      1. Providing advice on the development of new programs and processes and/or significant changes to existing programs and processes, including the design of appropriate controls, compliance, governance and risk management.
    2. Risk management
      1. Assisting management to identify risks and develop risk mitigation and monitoring strategies as part of the risk management framework.
      2. Monitoring and reporting on the implementation of risk mitigation strategies.
    3. Fraud control
      1. Assisting to identify and manage the risks of fraud and develop fraud prevention and monitoring strategies.

Internal audit functions

(29) The internal audit function must evaluate the effectiveness and contribute to the improvement of governance, risk management and control processes using a systematic, disciplined and risk-based approach that promotes continuous improvement.

(30) In the conduct of its activities, the internal audit function will play an active role in:

  1. developing and maintaining a culture of accountability, integrity and adherence to high ethical standards
  2. facilitating the integration of controls and risk management into day-to-day business activities and processes, and
  3. promoting a culture of continuous improvement and self-assessment.

(31) The internal audit function will support the University by:

  1. reviewing achievement of objectives
  2. assessing if decisions are properly authorised
  3. evaluating the reliability and integrity of information
  4. ensuring assets are safeguarded
  5. assessing compliance with laws, regulations, policies and contracts
  6. considering the efficiency, effectiveness, economy and ethics of business activities
  7. reviewing opportunities for fraud and corruption
  8. monitoring the implementation of agreed recommendations arising from internal audit reports
  9. identifying opportunities for improvement
  10. disseminating across the University better practice and lessons learnt arising from its audit activities
  11. developing a flexible annual audit plan using appropriate risk-based methodology and submitting the plan for approval by the Audit and Risk Committee
  12. maintaining a quality assurance program
  13. issuing periodic reports to the Audit and Risk Committee
  14. keeping the Audit and Risk Committee informed of emerging trends and successful practices in internal audit.

(32) Management may request internal audit services in response to emerging business issues or risks. The Internal Auditor will attempt to satisfy these requests, subject to the assessed level of risk, capacity of contracted budget and resources, and subject to the approval of the Audit and Risk Committee in the context of the Internal Audit Plan.

(33) The existence of internal audit does not relieve management from the responsibility of ensuring that adequate controls are in place for the proper management of business activities and risk for which they are accountable, including responsibility for periodically reviewing internal controls.

Planning

(34) In line with the Internal Audit Strategy, the Internal Auditor will prepare a flexible Internal Audit Plan using an appropriate risk-based methodology. This plan will take into account:

  1. the University Strategy and objectives
  2. strategic and key operational risks
  3. risk or control concerns identified by management
  4. legislative and regulatory requirements
  5. other assurance coverage over key risks, and
  6. requests by management, the Audit and Risk Committee and University Council.

(35) The Internal Audit Plan is reviewed annually and is approved by the Audit and Risk Committee. Any alterations to the Internal Audit Plan must be approved by the Audit and Risk Committee.

(36) Before an internal audit engagement commences, a terms of reference document will be prepared, which will be agreed with the relevant portfolio lead(s)/audit sponsor and signed off as their agreement with the scope of services to be provided by the internal audit function. The Vice-Chancellor may also review and approve the terms of reference.

Reporting

(37) The Internal Auditor will report to the Audit and Risk Committee on:

  1. overall performance of the internal audit function
  2. internal audit work completed
  3. progress of implementing the Internal Audit Plan
  4. common themes emerging from internal audit engagements
  5. progress of implementation of internal audit recommendations, and recommendations arising from other reviews, where necessary
  6. an annual report highlighting the Internal Auditor’s achievements, summary of work, overall state of internal controls, any systemic issues identified and all other reporting requirements in line with the Standards
  7. annual assertion on internal audit independence, compliance with the Standards and other reporting requirements as defined within the Internal Audit Manual, and
  8. any other matters it deems necessary.

(38) The Internal Auditor will report periodically to the Executive Leadership Team, on matters such as the progress of implementing the Internal Audit Plan, and the progress of implementation of internal audit recommendations. The Director, Risk and Compliance will report on the progress of implementation of external audit recommendations.

(39) A written report will be issued by the internal audit function to the relevant stakeholders, such as portfolio lead(s)/audit sponsor and the Vice-Chancellor, as well as to the Audit and Risk Committee at the conclusion of each internal audit engagement, which includes management's response and corrective actions taken or to be taken regarding specific findings and recommendations.

(40) If management's response to any finding is not considered adequate, or where management seeks to accept a risk that may be outside the risk appetite of the University, the internal audit function will consult with management of the function being reviewed and seek to reach a mutually agreeable resolution. If an agreement is not reached, the Internal Auditor shall pursue the matter through channels to appropriate levels of management, including the Executive Leadership Team where required, and the Audit and Risk Committee if required.

(41) The internal audit function will monitor the completion of corrective actions and, depending on the significance of the finding, the internal audit function may validate those assertions before recommending closure of the issue.

(42) In addition to the reporting of work undertaken by the internal audit function in line with the approved Internal Audit Plans, the Internal Auditor may draw the Audit and Risk Committee's attention to all matters that, in their opinion, warrant reporting.

Evaluation of Internal Audit

(43) An overarching quality assurance and improvement program will be maintained that covers all aspects of the internal audit function. The program includes:

  • Internal Quality Assessment.
  • Performance measures agreed by the Audit and Risk Committee.
  • External Quality Assessment.

(44) In line with the Standards, the Internal Auditor must develop, implement and maintain an internal quality assurance and improvement program that covers all aspects of the Internal Audit function. At least annually, the Internal Auditor must communicate the results of the internal quality assessment to the Audit and Risk Committee and the Executive Leadership Team.

(45) The Director, Risk and Compliance will periodically assess the performance of the internal audit function in consultation with the Audit and Risk Committee. In line with the Standards, an external quality assessment will also be performed at least once every five years.

Relationship with other Assurance Activities

(46) The Risk Management Policy outlines the University’s ‘three lines’ model to support the monitoring, oversight and escalation of risks and to provide assurance over the management of risk. The Internal Auditor should establish and maintain an open relationship with the external auditor and other assurance providers and plan its activities to ensure adequacy of overall assurance coverage and to minimise duplication of assurance effort across the University.

(47) The external auditor will have full and free access to internal audit plans, records, documents and papers to the extent required by law, subject to equivalent requirements to those set out in clause 13 where the external auditor seeks access to legally privileged material.

Responsibilities

University Council

(48) The University Council is responsible for:

  1. establishing, approving and supporting the authority, role and responsibilities of the internal audit function
  2. the establishment and disestablishment of the Internal Auditor  
  3. the appointment or removal of the Internal Auditor
  4. oversight of the internal audit function, including the effectiveness and independence of the internal audit function
  5. oversight of risk management and risk assessment across the University.

Audit and Risk Committee

(49) In line with Governance (Audit and Risk Committee) Rule 2022, the Audit and Risk Committee is responsible for:

  1. acting as the Board for the purposes of applying roles and responsibilities under the Standards (under delegation from the University Council)
  2. providing advice to the University Council on the appointment or removal of the Internal Auditor
  3. approving the Internal Audit Charter and Internal Audit Manual
  4. approving the Internal Audit Plan
  5. receiving reports from the Internal Auditor (as well as other external service providers) and monitoring implementation of audit recommendations
  6. evaluating the performance and effectiveness of the Internal Auditor and providing advice to the University Council
  7. championing and overseeing the internal audit function
  8. functional oversight of the internal audit function
  9. supporting the Internal Auditor through regular and direct communications, including holding closed sessions with the Internal Auditor
  10. engaging with senior management to ensure the internal audit function is free from interference and has the ability to work independently, as well as providing advice to management regarding issues identified in audit reports
  11. providing a decision where management and the Internal Auditor are not in agreement regarding an internal audit finding and recommendation.

Internal Auditor

(50) The Internal Auditor is responsible, in consultation with the Audit and Risk Committee, for:

  1. conducting the internal audit function in line with this Internal Audit Charter and the Internal Audit Manual
  2. effectively managing the internal audit function to ensure it adds value to the University
  3. ensuring internal audit resources are appropriate, sufficient and effectively deployed to achieve the approved Internal Audit Plan
  4. reporting to senior leadership and the Audit and Risk Committee on the internal audit function’s purpose, authority, responsibility, independence, performance and conformance with the Standards
  5. developing and implementing the risk-based Internal Audit Plan that considers the University’s objectives and risks, including those identified by management, for approval by the Audit and Risk Committee
  6. ensuring changes to the Internal Audit Plan are approved by the Audit and Risk Committee
  7. preparing a written report of audit findings, including recommending a course of action to remediate risks identified
  8. assessing the appropriateness of management response to audit findings to adequately remediate the risks identified
  9. monitoring and reporting progress in implementing approved management responses to audit recommendations
  10. reporting to the Audit and Risk Committee on the above
  11. maintaining internal quality assurance measures for the internal audit function and reporting performance to senior leadership and the Audit and Risk Committee
  12. working collaboratively with the University throughout any performance reviews and/or external quality assessments, and
  13. alerting the Chair of the Audit and Risk Committee and/or Chancellor of significant risks or issues in a prompt manner.

Director, Risk and Compliance

(51) The Director, Risk and Compliance is responsible, in consultation with the Audit and Risk Committee and the University Secretary, for:

  1. effectively managing the University’s relationship with the contracted Internal Auditor to ensure it meets the obligations of its contract and the Internal Audit Charter and Internal Audit Manual
  2. developing and implementing the risk-based Internal Audit Strategy for the internal audit function that supports the strategic objectives and success of the University  
  3. providing University resources to assist the Internal Auditor to develop and implement a risk-based Internal Audit Plan
  4. establishing the Internal Audit Charter and Internal Audit Manual, in consultation with the Internal Auditor, for approval by the Audit and Risk Committee
  5. managing the procurement process for internal audit services
  6. overseeing the Internal Auditor’s contract and reporting on the provider’s performance to senior leadership and the Audit and Risk Committee
  7. developing and coordinating the external quality assessment of the Internal Auditor and reporting the results of the assessment and improvement actions to the Audit and Risk Committee
  8. overseeing the engagement and performance of other external providers where required.

Portfolio Leaders

(52) The Portfolio Leaders are responsible for:

  1. providing adequate resources to ensure adequate risk management and internal controls within their areas of responsibility
  2. providing input into the Internal Audit Strategy and Internal Audit Plan
  3. providing input into, and approving, the scope of internal audit activities, including authority to release resources, information and data to support the internal audit activity
  4. championing the internal audit function.

Management

(53) Management is responsible for:

  1. maintaining adequate risk management and internal controls within their areas of responsibility
  2. working collaboratively with the Internal Auditor function by making staff available to support audit engagements and providing timely information and data
  3. timely review of audit reports and agreement of audit actions
  4. timely implementation of remedial audit actions to address risks coming from internal audit reports.

Review of the Internal Audit Charter

(54) The Director, Risk and Compliance will review this Internal Audit Charter, in conjunction with the Internal Auditor, no later than every three years or when any significant changes occur, with any changes approved by the Audit and Risk Committee.

Section 3 - Procedures

(55) Nil. 

Section 4 - Guidelines

(56) Nil.

Section 5 - Glossary

(57) For the purpose of this policy, the following terms are used:

  1. Board – the Standards define the Board as the “highest-level body charged with governance”. In the context of the University, the University Council has delegated this function to the Audit and Risk Committee.
  2. Chief Audit Executive – the Standards define the Chief Audit Executive as the “leadership role responsible for effectively managing all aspects of the internal audit function and ensuring the quality performance of internal audit services in accordance with the Global Internal Audit Standards”. In the context of Charles Sturt University, the responsibilities of Chief Audit Executive are shared between the Internal Auditor and the Director, Risk and Compliance as outlined in this Charter and the Internal Audit Manual.
  3. External Audit – for the purposes of this document the Audit Office of New South Wales is the University’s external auditor, responsible for assessing the control environment over financial reporting in the forming of an opinion on the financial statements of the University and its controlled entities.
  4. Internal Auditing – an independent, objective assurance and advisory service designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes (Definition of Internal Auditing – Global Internal Audit Standards).
  5. Internal Auditor – the external service provider engaged by the University to perform the Internal Audit function on behalf of the University in line with the Standards and this Internal Audit Charter and Internal Audit Manual.
  6. Internal audit function – comprises resources directly associated with the provision of internal audit services. These resources may be internal or external to the University and include the Internal Auditor.
  7. Internal Audit Plan – sets out the internal audit program for the year ahead, derived from the Internal Auditor’s assessment of the University’s strategies, objectives and risks.
  8. Internal Audit Strategy – a strategy for the internal audit function that supports the University’s objectives and success of the University and aligns with the expectations of the University Council, Audit and Risk Committee and senior leadership.
  9. International Professional Practices Framework (IPPF) – framework that provides mandatory and recommended guidance for internal audit professionals worldwide, including the Global Internal Audit Standards, Topical Requirements and Global Guidance.
  10. Portfolio Lead – the member of the Executive Leadership Team responsible for a portfolio area of the University.
  11. Standards – the Global Internal Audit Standards issued by the Institute of Internal Auditors as part of the International Professional Practices Framework (IPPF).