View Current

Internal Audit Charter

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Purpose

(1) This document sets out the purpose, authority and the responsibility of the Internal Audit function at Charles Sturt University (the University). It provides the framework for the conduct of internal audits and has been approved by the University Council on the recommendation of the Finance, Audit and Risk Committee.

(2) This Charter applies to all areas of the University and its' controlled entities.

Top of Page

Section 2 - Glossary

(3) Nil.

Top of Page

Section 3 - Policy


(4) Internal Audit's mission is to enhance and protect organisational value by providing independent, risk-based objective assurance, advice and insight.

(5) Internal Audit assists the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes (Definition of Internal Auditing - The Institute of Internal Auditors).

Independence and Objectivity

(6) Independence is essential to the effectiveness of internal auditing. This independence is obtained primarily through organisational structure and individual auditor objectivity. Internal Audit is able to allocate resources, set frequencies, select subjects, determine scopes of work and apply the techniques required to accomplish audit objectives.

(7) In performing its activities, the Internal Audit function shall have no direct responsibility or authority over any of the operations reviewed. It shall not design and install procedures, prepare records, or engage in any other activity that it would normally review and appraise.

(8) Internal Audit staff or contractors must have an impartial, unbiased attitude and avoid any conflict of interest whether actual or perceived. It is the responsibility of the Internal Auditor to communicate to the Finance, Audit and Risk Committee any perceived or potential conflicts of interest that may compromise the objectivity of Internal Audit. The Internal Auditor must also confirm to the Finance, Audit and Risk Committee, at least annually, the independence of the internal audit activity.

(9) The Internal Auditor is the head of the Internal Audit function and reports administratively to the University Secretary and Director, Governance and Corporate Affairs to facilitate day to day operations. The Internal Auditor reports functionally to the University Council through the Finance, Audit and Risk Committee and has right of direct access to the Chancellor, Vice-Chancellor and the Finance, Audit and Risk Committee.

(10) Functional reporting to the Finance, Audit and Risk Committee involves the Committee:

  1. reviewing, providing comment and endorsing the Internal Audit Charter prior to recommendation to the University Council for approval;
  2. reviewing, providing comment and approving the Internal Audit three year audit plan;
  3. reviewing, providing comment and accepting reports from the Internal Auditor on the progress of internal audit activities or other matters that the Internal Auditor determines are necessary, including closed meetings with the Internal Auditor without management present;
  4. approving all decisions regarding the appointment or removal of the Internal Auditor; and
  5. making appropriate inquiries of management and the Internal Auditor to determine whether there is audit scope or budgetary limitations that impede the ability of the internal audit activity to execute its responsibilities.

Authority and Confidentiality

(11) The Internal Audit function, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free and unrestricted access to any and all of the University's records, personnel and physical properties relevant to the performance of engagements and timely assistance should be rendered by other University staff in order to facilitate the progress of audit work.

(12) All records, documentation and information accessed in the course of internal audit activity are to be used strictly for internal audit purposes. The Internal Auditor and internal audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.

Guiding Principles and Standards

(13) In addition to the University's policies and procedures including the Internal Audit Charter, the Internal Audit function operates under the guidance of the International Professional Practices Framework (IPPF), published by the Institute of Internal Auditors including The Definition of Internal Auditing, Code of Ethics and International Standards.

(14) The Internal Auditor is responsible for ensuring a Quality Assurance and Improvement Program is in place and includes the following:

  1. Internal assessments:
    1. ongoing monitoring of the performance of the Internal Audit function;
    2. periodic reviews performed through self-assessment or by other persons within the University with sufficient knowledge of internal audit practices; and
  2. External assessments conducted at least once every five years by a qualified, independent reviewer or review team from outside the University.

(15) The Internal Auditor is responsible for ensuring audits are conducted by audit staff with sufficient knowledge, skills, professional certifications and experience to meet the requirements of this charter and undertake their work with proficiency and due professional care.


(16) The Internal Audit function must evaluate the effectiveness and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach that promotes continuous improvement.

(17) In the conduct of its activities, the Internal Audit function will play an active role in:

  1. developing and maintaining a culture of accountability and integrity;
  2. facilitating the integration of risk management into day-to-day business activities and processes; and
  3. promoting a culture of continuous improvement, self-assessment and adherence to high ethical standards.

(18) Internal audit activities will encompass the following areas:

  1. Risk Management:
    1. evaluate the effectiveness of risk management processes;
    2. provide assurance that risk exposures relating to the organisation's governance, operations and information systems are correctly evaluated;
    3. evaluate the design, implementation and effectiveness of the organisation's ethics-related objectives, programs and activities;
    4. assess whether the information technology governance of the organisation sustains and supports the organisation's strategies and objectives.
  2. Compliance:
    1. compliance with applicable laws, regulations and Government policies and directions;
  3. Performance improvement:
    1. the efficiency, effectiveness and economy of the organisation's business systems and processes;
  4. Advisory services:
    1. The Internal Audit function may advise the University's management on a range of matters including:
      1. the provision of advice on the development of new programs and processes and/or significant changes to existing programs and processes including the design of appropriate controls;
      2. evaluating the potential for the occurrence of fraud and how the organisation manages fraud risk;
      3. assisting management to investigate fraud, identify the risks of fraud and develop fraud prevention and monitoring strategies;
  5. Educate the University community on the risks and potential impact of corruption, fraud and maladministration;
  6. Co-ordinate investigations as required into complaints or allegations of corruption and maladministration;
  7. Maintain regular contact with all areas of the University at a senior level to ensure continued understanding of the University's activities, co-operation between Faculties/Schools/Division and audit teams, and awareness of plans and strategies that may affect the audit activity; and
  8. Annually review the Internal Audit Charter, modify as appropriate and submit to the Finance, Audit and Risk Committee.

Relationship with External Audit

(19) Internal Audit will liaise with the NSW Audit Office to ensure that internal and external programs, when combined, provide an optimal coverage of auditable areas.

(20) The NSW Audit Office will have full and free access to internal audit working papers and reports.


(21) Internal Audit will prepare a flexible three year and annual internal audit plan using an appropriate risk-based methodology. This plan will take into account:

  1. the University Strategy and objectives;
  2. strategic and key operational risks;
  3. risk or control concerns identified by management;
  4. other assurance coverage over key risks; and 
  5. requests by management and the Finance, Audit and Risk Committee/University Council.

(22) The three year and annual internal audit plan is approved by the Finance, Audit and Risk Committee. The Internal Auditor or the Committee, in conjunction with the University Secretary and Director, Governance and Corporate Affairs may make alterations to the three year and annual internal audit plan where it is deemed appropriate to do so. Material alterations are subject to approval by the Finance, Audit and Risk Committee.

(23) Before an Internal Audit engagement commences, a Terms of Reference document will be prepared, which will be agreed with the relevant senior member of management and signed off as their agreement with the scope of services to be provided by the Internal Audit function.


(24) A written report will be issued by the Internal Auditor at the conclusion of each internal audit engagement, which includes management's response and corrective action taken or to be taken in regard to specific findings and recommendations. Each finding will be rated as follows:

Rating Description
High Finding represents a material breakdown and controls are not adequate to address the associated risk which could have an extreme or major consequence. Active management required immediately as a high priority. 
Medium Finding represents a significant breakdown and controls are not adequate to address the associated risk which could have a moderate or minor consequence. Active management required within 90 days.
Low Finding represents an insignificant breakdown where either the controls are partially adequate to address the associated risk, or the associated risk could have an insignificant consequence. Active management required within six months.
PIO Finding represents a process improvement opportunity and controls are adequate to address the associated risk. A suggested improvement in efficiency or better practice.

(25) The report will be distributed to internal and, in some cases, external stakeholders as appropriate. An executive summary of each internal audit report will be provided to the Finance, Audit and Risk Committee at the next scheduled meeting.

(26) If management's response to any finding is not considered adequate, the Internal Audit function will consult with management of the function being reviewed and seek to reach a mutually agreeable resolution. If an agreement is not reached, the Internal Audit function shall pursue the matter through channels to appropriate levels of management and if required the Finance, Audit and Risk Committee.

(27) Internal Audit will monitor the completion of corrective actions and depending on the significance of the finding, the Internal Audit function may validate those assertions before recommending closure of the issue.

(28) Quarterly reports will be provided to the Finance, Audit and Risk Committee on behalf of the University Council, summarising the results of audit activities, status of corrective actions and the Internal Audit function's Key Performance Indicators.

(29) An annual report will be provided to the Finance, Audit and Risk Committee on behalf of the University Council, which includes the results of the quality assurance and improvement program and an attestation of Internal Audit's compliance with relevant policies of the University and the Institute of Internal Auditor's code of ethics, freedom from conflict of interest, and that there has been no impairment to Internal Audit independence or objectivity.

Top of Page

Section 4 - Procedures

(30) Nil.

Top of Page

Section 5 - Guidelines

(31) Nil.