• Section 1 - Purpose
• Section 2 - Glossary
• Section 3 - Policy
• Guiding principles and standards
• Role
• Authority and confidentiality
• Responsibilities
• Internal Audit functions
• Head of Internal Audit
• Internal Auditor
• Relationship with external audit
• Planning
• Reporting
• Evaluation of Internal Audit
• Review of the Internal Audit Charter
• Section 4 - Procedures
• Section 5 - Guidelines

Section 1 - Purpose

(1) This document sets out the purpose, authority and the responsibility of the Internal Audit function at Charles Sturt University (the University). It provides the framework for the conduct of internal audits and has been approved by the University Council on the recommendation of the Finance, Audit and Risk Committee.

(2) This Charter applies to all areas of the University and its controlled entities.

(3) This Charter has the same force and effect of a policy. 

Section 2 - Glossary

(4) Internal Audit function – in the context of this Charter, the internal audit function comprises resources directly associated with the provision of internal audit services. These resources may be internal or external to the University. 

Section 3 - Policy

Guiding principles and standards

(5) In addition to the University's policies and procedures including the Internal Audit Charter, the Internal Audit function operates under the guidance of the International Professional Practices Framework (IPPF), published by the Institute of Internal Auditors, including the Core Principles for the Professional Practice of Internal Auditing, Definition of Internal Auditing, Code of Ethics and International Standards for the Professional Practice of Internal Auditing (Standards).

Role

(6) Internal Audit's mission is to enhance and protect organisational value by providing independent, risk-based objective assurance, advice and insight.

(7) Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. Internal Audit assists the University to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes (Definition of Internal Auditing - The Institute of Internal Auditors).

Independence and objectivity

(8) Internal Audit staff or contractors must have an impartial, unbiased attitude and avoid any conflict of interest whether actual or perceived. 

(9) The Director, Risk and Compliance, as the Head of Internal Audit will communicate to the Council’s Finance, Audit and Risk Committee any perceived or potential conflicts of interest that may compromise the objectivity of Internal Audit; 

(10) Independence is essential to the effectiveness of internal auditing. This independence is obtained primarily through the organisational reporting structure. The Internal Audit function must be free from influence in relation to the allocation of resources, audit selection and scope, and the techniques required to accomplish audit objectives.

(11) The Internal Audit function shall have no direct responsibility or authority over any of the operations reviewed. It shall not design and install procedures, prepare records, or engage in any other activity that it would normally review and appraise.

(12) The Director, Risk and Compliance is the Head of the Internal Audit function and reports administratively to the University Secretary to facilitate day to day operations. 

(13) Administrative reporting to the University Secretary relates to the day to day operations of the Internal Audit function, including budget and resourcing, human resource administration, the provision of office accommodation, computers and equipment, and support to access information and ensure the cooperation of University staff.

(14) The Internal Auditor reports functionally to the University Council through the Finance, Audit and Risk Committee and has right of direct access to the Chancellor, Vice-Chancellor and the Finance, Audit and Risk Committee. The Internal Auditor has access to regular closed sessions with the Finance, Audit and Risk Committee.

(15) Functional reporting to the Finance, Audit and Risk Committee involves the Committee:

1. reviewing, providing comment and endorsing the Internal Audit Charter prior to recommendation to the University Council for approval;
2. reviewing, providing comment and endorsing the Internal Audit Plan prior to recommendation to the University Council for approval;
3. reviewing, providing comment and accepting reports from the Internal Audit function on the progress of internal audit activities or other matters that the Head of Internal Audit and/or Internal Auditor determine are necessary, including closed meetings with the Head of Internal Audit and/or Internal Auditor without management present;
4. assessing the performance of the Internal Audit function;
5. providing relevant advice to the University Council on all decisions regarding the appointment or removal of the Internal Auditor; 
6. making appropriate inquiries of management and the Head of Internal Audit to determine whether there is audit scope or budgetary limitations that impede the ability of the internal audit activity to execute its responsibilities;
7. having regular closed sessions with the Internal Auditor; and
8. having a direct line of communication with the Internal Auditor.

(16) Where the Head of Internal Audit and/or the Internal Auditor are responsible for non-audit activities, safeguards will be put in place to ensure independence or objectivity. The Head of Internal Audit and/or the Internal Auditor will not audit activities that have been managed or performed by current Internal Audit staff for at least one year since the management or performance of that activity. Reviews of non-audit activities will be managed and performed independently of the Head of Internal Audit and reported directly to the Finance, Audit and Risk Committee.

(17) To maintain independence, Internal Audit staff shall not undertake any operating responsibilities outside of Internal Audit work, without the endorsement of the Vice-Chancellor and the approval of the Finance, Audit and Risk Committee.

Authority and confidentiality

(18) All Internal Audit work is undertaken under the authority of the University Council on the recommendation of the Finance, Audit and Risk Committee.

(19) Subject to budget availability, and on the authority of the University Council and/or Finance, Audit and Risk Committee, Internal Audit work may be conducted by external service providers where: 

1. the Internal Audit function lacks the proficiency, knowledge, skill or other competencies needed to perform all part of the engagement in line with the standards;
2. where any real or perceived conflict of interest may arise in the conduct of the engagement by the Internal Audit function;
3. where the Internal Audit function lacks the capacity to deliver the Internal Audit Plan approved by the University Council within reasonable timeframes as agreed with the Finance, Audit and Risk Committee; or
4. as otherwise requested by the University Council and/or Finance, Audit and Risk Committee.

(20) For an engagement to be considered Internal Audit work, the appointment, coordination and oversight of engagements performed by external service providers under Clause 19, must be managed by the Head of Internal Audit and/or Internal Auditor. The conduct of such engagements must comply with this Internal Audit Charter. 

(21) The Internal Audit function, with strict accountability for confidentiality and safeguarding records and information, is authorised full, free and unrestricted access to any and all of the University's functions, premises, assets, personnel, records and other documentation, information and physical properties relevant to the performance of engagements and timely assistance should be rendered by other University staff in order to facilitate the progress of audit work.

(22) All records, documentation and information accessed in the course of internal audit activity are to be used strictly for internal audit purposes. Head of Internal Audit and Internal Audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.

(23) All Internal Audit documentation and work papers remain the property of the University, including where Internal Audit services are provided by external service providers.

Scope of work

(24) The scope of Internal Audit work shall include:

1. Assurance Services – objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the University and its controlled entities.
2. Consulting Services – advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve the University’s governance, risk management and control processes without the Internal Auditor assuming management responsibility.

Responsibilities

Internal Audit functions

(25) The Internal Audit function must evaluate the effectiveness and contribute to the improvement of governance, risk management and control processes using a systematic, disciplined and risk-based approach that promotes continuous improvement.

(26) In the conduct of its activities, the Internal Audit function will play an active role in:

1. developing and maintaining a culture of accountability and integrity;
2. facilitating the integration of controls and risk management into day-to-day business activities and processes; and
3. promoting a culture of continuous improvement, self-assessment and adherence to high ethical standards.

(27) The Internal Audit function will support the University by:

1. reviewing achievement of objectives;
2. assessing if decisions are properly authorised;
3. evaluating the reliability and integrity of information;
4. ensuring assets are safeguarded;
5. assessing compliance with laws, regulations, policies and contracts;
6. considering the efficiency, effectiveness, economy and ethics of business activities;
7. reviewing opportunities for fraud and corruption;
8. following-up previous audits to assess if remedial action has been effectively implemented; and
9. identifying opportunities for improvement.

(28) Management may request Internal Audit services in response to emerging business issues or risks. The Internal Audit function will attempt to satisfy these requests, subject to the assessed level of risk, availability of resources, and subject to the approval of the Finance, Audit and Risk Committee in the context of the Internal Audit Plan.

(29) The existence of Internal Audit does not relieve management from the responsibility of ensuring that adequate controls are in place for the proper management of business activities and risk for which they are accountable, including responsibility for periodically reviewing internal controls.

Head of Internal Audit

(30) The Head of Internal Audit is responsible, in consultation with the Finance, Audit and Risk Committee, for:

1. effectively managing the Internal Audit function to ensure it adds value to the organisation;
2. developing and implementing a risk-based Internal Audit Plan;
3. establishing policies and procedures to guide the Internal Audit function;
4. maintaining quality assurance measures for the Internal Audit function and reporting performance to senior management and the Finance, Audit and Risk Committee;
5. ensuring Internal Audit resources are appropriate, sufficient and effectively deployed to achieve the approved Internal Audit Plan, including selecting an external provider where required;
6. developing and regularly reviewing the Internal Audit Charter; and
7. reporting to senior management and the Finance, Audit and Risk Committee on the Internal Audit function’s purpose, authority, responsibility, independence, performance, and conformance with the Code of Ethics and the Standards.

Internal Auditor

(31) The Internal Auditor is responsible for:

1. developing and implementing the risk-based Internal Audit Plan in line with approved audit policies and procedures;
2. preparing a written report of audit findings, including recommending a course of action to remediate risks identified;
3. assessing the appropriateness of management response to audit findings to adequately remediate the risks identified;
4. monitoring and reporting progress in implementing approved management responses to audit recommendations;
5. reporting to the Finance, Audit and Risk Committee on the above; and
6. alerting the Chair of the Finance, Audit and Risk Committee and/or Chancellor of significant issues in a prompt manner.

Relationship with external audit

(32) The Internal Audit function will liaise with the NSW Audit Office to ensure that internal and external programs, when combined, provide optimal coverage of auditable areas, and to minimise duplication of audit effort. Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination.

(33) The NSW Audit Office will have full and free access to internal audit books, records, documents and papers to the extent required by law.

Planning

(34) The Internal Audit function will prepare a flexible Internal Audit Plan using an appropriate risk-based methodology. This plan will take into account:

1. the University Strategy and objectives;
2. strategic and key operational risks;
3. risk or control concerns identified by management;
4. legislative and regulatory requirements;
5. other assurance coverage over key risks; and
6. requests by management, the Finance, Audit and Risk Committee and University Council.

(35) The Internal Audit Plan is reviewed annually and endorsed by the Finance, Audit and Risk Committee prior to recommendation to the University Council for approval. The Head of Internal Audit, with the approval of the Finance, Audit and Risk Committee, may make alterations to the Internal Audit Plan where it is deemed appropriate to do so.

(36) Before an internal audit engagement commences, a terms of reference document will be prepared, which will be agreed with the relevant Portfolio Lead(s) and signed off as their agreement with the scope of services to be provided by the Internal Audit function.

Reporting

(37) The Internal Audit function will report to the Finance, Audit and Risk Committee on:

1. overall performance of the Internal Audit function;
2. internal audit work completed;
3. progress of implementing the Internal Audit plans;
4. progress of implementation of internal and external audit recommendations, and recommendations arising from other reviews, where necessary;
5. achievements, via its annual report, to summarise work and achievements for the year to demonstrate value delivered, and to provide an opinion on the overall state of internal controls and any systemic issues identified; 
6. annual assertion on the work of the Internal Audit function and compliance with the Standards; and
7. any other matters it deems necessary.

(38) The Internal Audit function will report periodically to the Executive Leadership Team (ELT), on matters such as the progress of implementing the Internal Audit Plan, and the progress of implementation of internal and external audit recommendations.

(39) A written report will be issued by the Internal Audit function to the relevant stakeholders, such as Portfolio Lead(s) and the Vice-Chancellor, as well as to the Finance, Audit and Risk Committee at the conclusion of each internal audit engagement, which includes management's response and corrective actions taken or to be taken in regard to specific findings and recommendations. 

(40) If management's response to any finding is not considered adequate, or where management seeks to accept a risk that may be outside the risk appetite of the University, the Internal Audit function will consult with management of the function being reviewed and seek to reach a mutually agreeable resolution. If an agreement is not reached, the Head of Internal Audit and/or the Internal Auditor shall pursue the matter through channels to appropriate levels of management, including the ELT where required, and the Finance, Audit and Risk Committee if required.

(41) The Internal Audit function will monitor the completion of corrective actions and depending on the significance of the finding, the Internal Audit function may validate those assertions before recommending closure of the issue.

(42) In addition to the reporting of work undertaken by the Internal Audit function in line with the approved Internal Audit plans, the Head of Internal Audit may draw the Finance, Audit and Risk Committee’s attention to all matters that, in their opinion, warrant reporting.

Evaluation of Internal Audit

(43) The Head of Internal Audit will develop and maintain quality assurance measures that periodically assess the performance of the Internal Audit function. The Finance, Audit and Risk Committee will receive reports, and review and comment, on the performance of the Internal Audit function.

(44) External assessments will also be conducted at least once every five years by a qualified, independent reviewer or review team from outside the University.

Review of the Internal Audit Charter

(45) The Head of Internal Audit will review this Internal Audit Charter at least every three years, with any changes endorsed by the Finance, Audit and Risk Committee and recommended for approval by the University Council. 

Section 4 - Procedures

(46) Nil. 

Section 5 - Guidelines

(47) Nil.