Internal Audit Charter

This is the current version of this document.

Section 1 - Purpose

(1) This document sets out the purpose, authority and the responsibility of the Internal Audit function at Charles Sturt University (the University). It provides the framework for the conduct of internal audits and has been approved by the University Council on the recommendation of the Audit and Risk Committee.

Scope

(2) This Charter applies to all areas of the University and its controlled entities.

(3) This Charter has the same force and effect as a policy.

Section 2 - Policy

Internal audit purpose

(4) The Internal Audit function assists the University Council and committees in the effective execution of their responsibilities by providing independent analysis, advice and recommendations concerning the operations and processes of the University. As such, internal audit programs should be developed to provide in‐depth and quality analysis to identify improvements to meet strategic objectives.

Guiding principles and standards

(5) In addition to the University's policies and procedures including the Internal Audit Charter, the Internal Audit function operates under the guidance of the International Professional Practices Framework (IPPF), published by the Institute of Internal Auditors, including the Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, Code of Ethics and International Standards for the Professional Practice of Internal Auditing (Standards).

Role

(6) Internal Audit's role is to enhance and protect organisational value by providing independent, risk-based objective assurance, advice and insight.

(7) Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. Internal Audit assists the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes (Definition of Internal Auditing - The Institute of Internal Auditors).

Independence and objectivity

(8) Internal Audit staff or contractors must have an impartial, unbiased attitude and avoid any conflict of interest whether actual or perceived.

(9) The Internal Auditor will communicate to the Council’s Audit and Risk Committee any perceived or potential conflicts of interest that may compromise the objectivity of Internal Audit.

(10) Independence is essential to the effectiveness of internal auditing. This independence is obtained primarily through the organisational reporting structure. The Internal Audit function must be free from influence in relation to the allocation of resources, audit selection and scope, and the techniques required to accomplish audit objectives.

(11) The Internal Audit function shall have no direct responsibility or authority over any of the operations reviewed. It shall not design and install procedures, prepare records, or engage in any other activity that it would normally review and appraise.

(12) The Internal Auditor reports functionally to the University Council through the Audit and Risk Committee and has right of direct access to the Chancellor, Vice-Chancellor and the Audit and Risk Committee. The Internal Auditor has access to regular closed sessions with the Audit and Risk Committee.

(13) Functional reporting to the Audit and Risk Committee involves the Committee:

  1. reviewing, providing comment and endorsing the Internal Audit Charter prior to recommendation to the University Council for approval
  2. reviewing, providing comment and endorsing the Internal Audit Plan prior to recommendation to the University Council for approval
  3. reviewing, providing comment and accepting reports from the Internal Audit function on the progress of internal audit activities or other matters that the Head of Internal Audit and/or Internal Auditor determine are necessary, including closed meetings with the Head of Internal Audit and/or Internal Auditor without management present
  4. assessing the performance of the Internal Audit function
  5. providing relevant advice to the University Council on all decisions regarding the appointment or removal of the Internal Auditor
  6. making appropriate inquiries of management and the Internal Auditor to determine whether there are audit scope or budgetary limitations that impede the ability of the internal audit activity to execute its responsibilities
  7. having regular closed sessions with the Internal Auditor, and
  8. having a direct line of communication with the Internal Auditor.

(14) Where the Internal Auditor is responsible for non-audit activities, safeguards will be put in place to ensure independence or objectivity.

(15) To maintain independence, Internal Audit staff shall not undertake any operating responsibilities outside of Internal Audit work, without the endorsement of the Vice-Chancellor and the approval of the Audit and Risk Committee.

Authority and confidentiality

(16) All Internal Audit work is undertaken under the authority of the University Council on the recommendation of the Audit and Risk Committee.

(17) Subject to budget availability, and on the authority of the University Council and/or Audit and Risk Committee, Internal Audit work may be conducted by external service providers where:

  1. the Internal Audit function lacks the proficiency, knowledge, skill or other competencies needed to perform all or part of the engagement in line with the standards
  2. any real or perceived conflict of interest may arise in the conduct of the engagement by the Internal Audit function
  3. the Internal Audit function lacks the capacity to deliver the Internal Audit Plan approved by the University Council within reasonable timeframes as agreed with the Audit and Risk Committee, or
  4. as otherwise requested by the University Council and/or Audit and Risk Committee.

(18) For an engagement to be considered Internal Audit work, the appointment, coordination and oversight of engagements performed by external service providers under clause 19 must be managed by the Internal Auditor. The conduct of such engagements must comply with this Internal Audit Charter.

(19) The Internal Audit function, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free and unrestricted access to any and all of the University's functions, premises, assets, personnel, records and other documentation, information and physical properties relevant to the performance of engagements. Timely assistance should be rendered by other University staff in order to facilitate the progress of audit work.

(20) All records, documentation and information accessed in the course of internal audit activity are to be used strictly for internal audit purposes. Internal Audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.

(21) All Internal Audit documentation and work papers remain the property of the University, including where Internal Audit services are provided by external service providers.

Scope of work

(22) The scope of Internal Audit work shall include:

  1. Assurance Services – objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the University and its controlled entities. This may include activities such as:
    1. Compliance
      1. Compliance with legislative requirements, policies and procedures.
      2. The adequacy and effectiveness of internal financial and operational controls including IT system controls.
      3. The recording, control and use of University assets.
    2. Performance improvement
      1. The efficiency, effectiveness, and ethical conduct of University business systems and processes.
      2. Assessing and monitoring the successful implementation of recommendations for control improvements accepted by the University.
    3. Governance
      1. Assessing the state of organisational governance in the University and recommending strategies for improvement.
    4. Promoting best practice
      1. Identifying and promulgating best practice within the University.
  2. Consulting Services – advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve the University’s governance, risk management and control processes without the Internal Auditor assuming management responsibility. This may include activities such as:
    1. New programmes, systems and processes
      1. Providing advice on the development of new programmes and processes and/or significant changes to existing programmes and processes, including the design of appropriate controls, compliance, governance and risk management.
    2. Risk management
      1. Assisting management to identify risks and develop risk mitigation and monitoring strategies as part of the risk management framework.
      2. Monitoring and reporting on the implementation of risk mitigation strategies.
    3. Fraud control
      1. Assisting to identify and manage the risks of fraud and develop fraud prevention and monitoring strategies.
      2. Assessing the Fraud Control Plan.

Responsibilities

Internal Audit functions

(23) The Internal Audit function must evaluate the effectiveness and contribute to the improvement of governance, risk management and control processes using a systematic, disciplined and risk-based approach that promotes continuous improvement.

(24) In the conduct of its activities, the Internal Audit function will play an active role in:

  1. developing and maintaining a culture of accountability and integrity
  2. facilitating the integration of controls and risk management into day-to-day business activities and processes, and
  3. promoting a culture of continuous improvement, self-assessment and adherence to high ethical standards.

(25) The Internal Audit function will support the University by:

  1. reviewing achievement of objectives
  2. assessing if decisions are properly authorised
  3. evaluating the reliability and integrity of information
  4. ensuring assets are safeguarded
  5. assessing compliance with laws, regulations, policies and contracts
  6. considering the efficiency, effectiveness, economy and ethics of business activities
  7. reviewing opportunities for fraud and corruption
  8. monitoring the implementation of agreed recommendations arising from internal audit reports
  9. identifying opportunities for improvement
  10. disseminating across the University better practice and lessons learnt arising from its audit activities
  11. developing a flexible annual audit plan using appropriate risk‐based methodology and submitting the plan for approval by the Audit and Risk Committee
  12. maintaining a quality assurance program
  13. issuing periodic reports to the Audit and Risk Committee
  14. keeping the Audit and Risk Committee informed of emerging trends and successful practices in internal audit.

(26) Management may request Internal Audit services in response to emerging business issues or risks. The Internal Audit function will attempt to satisfy these requests, subject to the assessed level of risk, availability of resources, and subject to the approval of the Audit and Risk Committee in the context of the Internal Audit Plan.

(27) The existence of Internal Audit does not relieve management from the responsibility of ensuring that adequate controls are in place for the proper management of business activities and risk for which they are accountable, including responsibility for periodically reviewing internal controls.

Internal auditor

(28) The Internal Auditor is responsible, in consultation with the Audit and Risk Committee, for:

  1. effectively managing the Internal Audit function to ensure it adds value to the organisation
  2. establishing policies and procedures to guide the Internal Audit function
  3. maintaining quality assurance measures for the Internal Audit function and reporting performance to senior management and the Audit and Risk Committee
  4. ensuring Internal Audit resources are appropriate, sufficient and effectively deployed to achieve the approved Internal Audit Plan, including selecting an external provider where required
  5. developing and regularly reviewing the Internal Audit Charter
  6. reporting to senior management and the Audit and Risk Committee on the Internal Audit function’s purpose, authority, responsibility, independence, performance, and conformance with the Code of Ethics and the Standards
  7. developing and implementing the risk-based Internal Audit Plan in line with approved audit policies and procedures
  8. preparing a written report of audit findings, including recommending a course of action to remediate risks identified
  9. assessing the appropriateness of management response to audit findings to adequately remediate the risks identified
  10. monitoring and reporting progress in implementing approved management responses to audit recommendations
  11. reporting to the Audit and Risk Committee on the above, and
  12. alerting the Chair of the Audit and Risk Committee and/or Chancellor of significant issues in a prompt manner.

Relationship with external audit

(29) The Internal Audit function will liaise with the external auditor to ensure that internal and external programs, when combined, provide optimal coverage of auditable areas, and to minimise duplication of audit effort. Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination.

(30) The external auditor will have full and free access to internal audit books, records, documents and papers to the extent required by law.

Planning

(31) The Internal Audit function will prepare a flexible Internal Audit Plan using an appropriate risk-based methodology. This plan will take into account:

  1. the University Strategy and objectives
  2. strategic and key operational risks
  3. risk or control concerns identified by management
  4. legislative and regulatory requirements
  5. other assurance coverage over key risks, and
  6. requests by management, the Audit and Risk Committee and University Council.

(32) The Internal Audit Plan is reviewed annually and endorsed by the Audit and Risk Committee prior to recommendation to the University Council for approval. The Head of Internal Audit, with the approval of the Audit and Risk Committee, may make alterations to the Internal Audit Plan where it is deemed appropriate to do so.

(33) Before an internal audit engagement commences, a terms of reference document will be prepared, which will be agreed with the relevant Portfolio Lead(s)/audit sponsor and signed off as their agreement with the scope of services to be provided by the Internal Audit function.

Reporting

(34) The Internal Audit function will report to the Audit and Risk Committee on:

  1. overall performance of the Internal Audit function
  2. internal audit work completed
  3. progress of implementing the Internal Audit plans
  4. progress of implementation of internal audit recommendations, and recommendations arising from other reviews, where necessary
  5. achievements, via its annual report, to summarise work and achievements for the year to demonstrate value delivered, and to provide an opinion on the overall state of internal controls and any systemic issues identified
  6. annual assertion on the work of the Internal Audit function and compliance with the Standards, and
  7. any other matters it deems necessary.

(35) The Internal Audit function will report periodically to the Executive Leadership Team, on matters such as the progress of implementing the Internal Audit Plan, and the progress of implementation of internal and external audit recommendations.

(36) A written report will be issued by the Internal Audit function to the relevant stakeholders, such as Portfolio Lead(s)/audit sponsor and the Vice-Chancellor, as well as to the Audit and Risk Committee at the conclusion of each internal audit engagement, which includes management's response and corrective actions taken or to be taken in regard to specific findings and recommendations. 

(37) If management's response to any finding is not considered adequate, or where management seeks to accept a risk that may be outside the risk appetite of the University, the Internal Audit function will consult with management of the function being reviewed and seek to reach a mutually agreeable resolution. If an agreement is not reached, the Internal Auditor shall pursue the matter through channels to appropriate levels of management, including the Executive Leadership Team where required, and the Audit and Risk Committee if required.

(38) The Internal Audit function will monitor the completion of corrective actions and, depending on the significance of the finding, may validate those assertions before recommending closure of the issue.

(39) In addition to the reporting of work undertaken by the Internal Audit function in line with the approved Internal Audit plans, the Internal Auditor may draw the Audit and Risk Committee's attention to all matters that, in their opinion, warrant reporting.

Evaluation of Internal Audit

(40) The Director, Risk and Compliance will develop and maintain quality assurance measures that periodically assess the performance of the Internal Audit function. The Audit and Risk Committee will receive reports, and review and comment, on the performance of the Internal Audit function.

(41) External assessments will also be conducted at least once every five years by a qualified, independent reviewer or review team from outside the University.

(42) The Director, Risk and Compliance is also responsible for the administration of the Internal Audit function, including monitoring of the budget, human resource administration, the provision of office accommodation, computers and equipment, and support to access information and ensure the cooperation of University staff.

Review of the Internal Audit Charter

(43) The Internal Auditor will review this Internal Audit Charter at least every three years, with any changes endorsed by the Audit and Risk Committee and recommended for approval by the University Council. 

Section 3 - Procedures

(44) Nil. 

Section 4 - Guidelines

(45) Nil.

Section 5 - Glossary

(46) Internal Audit function – in the context of this Charter, the internal audit function comprises resources directly associated with the provision of internal audit services. These resources may be internal or external to the University.