Internal auditing
Internal auditing brings an objective, disciplined approach to evaluating and improving the way an organisation operates.
The Internal Audit function at UQ helps the University accomplish its goals by providing independent advice and assurance on the effectiveness of governance, management processes and internal controls at all levels of the University. It focuses primarily on top risks and areas of significant impact.
The following outlines what staff can expect from the Internal Audit process:
Annual whole-of-UQ internal audit plan
- July/August: Annual planning cycle commences
- October: Draft Annual Internal Audit Plan endorsed by the Vice-Chancellor's Risk and Compliance Committee (staff login required) and the UQ Senior Executive Team
- November: Annual Internal Audit Plan approved at the Senate Risk and Audit Committee
- December/January: UQ Senior Executive Team members informed of planned audits.
Pre-planning
- Commences up to 4 weeks before individual audit start date.
- Pre-planning audit email sent to Audit Sponsor to seek key documents and identify key stakeholders.
- Key planning and audit meetings booked (including entry meeting).
Planning
- Commences on scheduled audit start date
- Key planning meetings with stakeholders, information gathering and early analysis and risk assessment
- Engagement terms of reference drafted
- Entry meeting held with key audit stakeholders
- Engagement terms of reference agreed with Audit Sponsor
- Engagement terms of reference issued
Fieldwork
- Internal Audit evaluates existing processes and controls within the audit scope, and tests to assess the degree to which they are operating effectively
- Assesses whether the processes in place are efficient and compliant with relevant standards and policies
- Initial findings identified, documented and discussed with all relevant responsible management/officers before formal exit meeting
- Quality review of audit work by Internal Audit management
Reporting
- Drafting of report by lead auditor and review of draft by Internal Audit management
- Exit meeting held with Audit Sponsor (or nominee)
- Draft report updated as necessary with management feedback
- Updated final draft report re-issued to Audit Sponsor
- Confirmation of final draft by Audit Sponsor
- Final report issued by Internal Audit
Finalisation
- Client satisfaction questionnaire issued by lead auditor to key audit stakeholders
- Report recorded in audit action tracking system by lead auditor and tracking commenced
- Audit results and key findings included in quarterly reporting to the Vice-Chancellor's Risk and Compliance Committee (staff login required) and the Senate Risk and Audit Committee
Action tracking
- Action owners notified as agreed management actions reach their due date
- Action owners provide feedback on progress by responding to automated emails and providing supporting documentation
- Upon completion, actions are closed in the tracking system
- Internal Audit has developed a procedure to manage the closure of open management actions (PDF, 342 KB)
- Long outstanding actions reported to management, the Vice-Chancellor's Risk and Compliance Committee (staff login required) and the Senate Risk and Audit Committee
Further guidance on reporting
At an early stage, issues identified during the audit will be socialised and discussed with the responsible local members of management. This helps us to check the factual accuracy of our preliminary findings.
The lead auditor will then draft a report for review by Internal Audit management, before discussing it with the Audit Sponsor and appropriate members of management at the exit meeting. The report will include:
- a description of the audit approach and scope
- conclusions on the findings identified
- an overall rating
- Internal Audit recommendations
- responses by management, including agreed actions and their due dates.
There should be no surprises in the final report, as the issues addressed should have already been discussed with management.
All reports issued by Internal Audit are addressed to the organisational unit head, process owner or project sponsor. The report will also be copied to an approved distribution list, including members of the University Senior Management Group as appropriate.
Responding to the report
Often it's useful to take a collaborative approach to establish the actions required to address the report findings, and we encourage open discussion, debate and joint solution-seeking.
The audit recommendations are intended as a guide for management only. Agreed actions may be different to the recommendations.
When considering management’s response to the audit report, we would recommend the following approach and/or considerations:
- Make sure that the findings are factually accurate and raise any inaccuracies with the lead auditor to resolve.
- Be comfortable with the findings raised – that they are genuine risks which are not mitigated by any other controls, and that their risk ratings are accurate. Internal Audit is open to transparent and robust discussions to ensure the best possible outcome and accuracy of the final report.
- When Internal Audit recommends an action you may:
- accept that recommendation and document your response, responsible party and due date
- choose an alternative action which appropriately addresses the risk raised, or
- choose no action and to accept the risk. This will be recorded in our system and if we consider this to be a higher risk, we may need to obtain endorsement from the UQ Senior Executive Team or the Senate Risk and Audit Committee.
Assurance vs. Advisory engagements
Our process and reporting differs, depending on the nature of the work that we are undertaking:
| Assurance and Audit | Advisory | |
|---|---|---|
| Scope/focus | Focus on:
| Limited/specific scopes |
| Initiation | Initiated through risk-based audit planning process | At the request of management or are opportunities to add value determined through the annual audit planning process |
| Reporting |
|
|