Internal auditing
Internal auditing brings an objective, disciplined approach to evaluating and improving the way an organisation operates.
The Internal Audit function at UQ helps the University accomplish its objectives by providing independent advice and assurance on the effectiveness of governance, risk management, compliance management and internal controls at UQ. It focuses primarily on top risks and areas of significant impact.
The following audit stakeholders are relevant to the audit process and management of audit actions through the Governance, Risk and Compliance (GRC) system at UQ:
| Business Roles | Description |
|---|---|
| Audit Sponsor | Senior executive (USET member) ultimately accountable for the strategy and operations of the portfolio owning the business area/process that has been selected for audit. |
| Audit Owner | Executive/senior manager/functional owner ultimately accountable for the strategy and operations of the business area/process that has been selected for audit. |
| Auditee | Manager directly responsible for the strategy and operations of the business area/process that has been selected for audit. Key everyday point of contact for the audit. |
| Action Owner | Person responsible for implementing an audit action that is assigned to them in the audit report and GRC system. Responsible in the GRC system for providing ongoing status updates for actions and providing evidence to close out actions. |
| Action Proxy | Person who has the authority to respond to audit actions, make status updates and provide information on behalf of the Action Owner in the GRC system. (The Action Proxy role for Internal Audit actions is only available for USET members. The Action Proxy does not take on the responsibility of the Action Owner but assists the Action Owner in executing their duties.) |
| Reporting Co-ordinator | Person responsible for assisting the responsible Audit Owner and Audit Sponsor with oversight and monitoring of open actions for the portfolio or function as a whole. Available to USET members, functional owners and members of senior management, in addition to the existing access these members have to their portfolio and function reporting and dashboards in the GRC system. |
The following outlines what staff can expect from the Internal Audit process:
Annual whole-of-UQ internal audit plan
- July/August: Annual planning cycle commences
- October: Draft Annual Internal Audit Plan endorsed by the University Senior Executive Team
- November: Annual Internal Audit Plan approved at the Senate Risk and Audit Committee (SRAC)
- December/January: The approved plan is communicated to the relevant responsible areas in preparation for scheduling and commencement of the audits in the new year.
Pre-planning
- Commences up to 4 weeks before individual audit start date
- Pre-planning audit email sent to Audit Owner to seek key documents and identify key stakeholders
- Key planning and audit meetings booked (including entry meeting)
Planning
- Commences on scheduled audit start date
- Key planning meetings with stakeholders, information gathering and early analysis and risk assessment
- Engagement terms of reference drafted
- Entry meeting held with key audit stakeholders
- Engagement terms of reference agreed with Audit Owner
- Engagement terms of reference issued to Audit Owner/Audit Sponsor
Fieldwork
- Internal Audit evaluates existing processes and controls within the audit scope, and tests them to assess the degree to which they are designed appropriately and/or operating effectively
- Internal Audit assesses whether the processes in place are efficient and compliant with relevant standards and policies
- Initial issues identified, documented and discussed with all relevant responsible managers before formal exit meeting
- Quality review of audit work by Internal Audit management
Reporting
- Drafting of report by lead auditor and review of draft by Internal Audit management
- Exit meeting held with Audit Owner and relevant staff
- Draft report updated as necessary with management feedback, actions and agreed due dates
- Updated final draft report re-issued to Audit Owner
- Confirmation of final draft by Audit Owner or Audit Sponsor
- Final report issued by Internal Audit
Finalisation
- Audit satisfaction survey issued by lead auditor to key audit stakeholders
- Report findings and actions recorded in GRC system by lead auditor and tracking commenced
- Audit results and key findings included in quarterly reporting to the University Senior Executive Team and the Senate Risk and Audit Committee (SRAC)
Action tracking
- Action Owners (and Action Proxies) have real-time access to the GRC system and are expected to provide ongoing updates on progress, including updating completion percentages, for open actions.
- Action Owners (and Action Proxies) are notified as agreed audit actions reach their due dates or become overdue.
- Action Owners (and Action Proxies) provide updates on progress in the GRC system and update due dates if actions become overdue but are not yet complete.
- Upon completion, actions are closed in the GRC system and tracking ceases.
- Internal Audit has developed a procedure to manage the closure of open management actions (PDF, 342 KB)
- Overdue actions are reported to management, the University Senior Executive Team and the Senate Risk and Audit Committee (SRAC).
Further guidance on reporting
At an early stage, issues identified during the audit will be socialised and discussed with the responsible local members of management. This helps us to check the factual accuracy of our preliminary findings.
The lead auditor will then draft a report for review by Internal Audit management, before discussing it with the Audit Owner and appropriate members of management at the exit meeting. The report will include:
- a description of the audit approach and scope
- conclusions on the findings identified
- an overall rating
- Internal Audit recommendations
- responses by management, including agreed actions and their due dates.
There should be no surprises in the final report, as the issues addressed should have already been discussed with management.
All reports issued by Internal Audit are addressed to the organisational unit head, process owner or project sponsor. The report will also be copied to an approved distribution list, including members of the University Senior Executive Team as appropriate.
Responding to the report
Often it's useful to take a collaborative approach to establish the actions required to address the report findings, and we encourage open discussion, debate and joint solution-seeking.
The audit recommendations are intended as a guide for management only. Agreed actions may be different to the recommendations.
When considering management’s response to the audit report, we would recommend the following approach and/or considerations:
- Make sure that the findings are factually accurate and raise any inaccuracies with the lead auditor to resolve.
- Be comfortable with the findings raised – that they are genuine risks which are not mitigated by any other controls, and that their risk ratings are accurate. Internal Audit is open to transparent and robust discussions to ensure the best possible outcome and accuracy of the final report.
- When Internal Audit recommends an action you may:
  - accept that recommendation and document your response, action owner and due date
  - choose an alternative action which appropriately addresses the risk raised, or
  - choose no action and accept the risk. This will be recorded in our system and, if we consider this to be a higher risk, we may need to obtain endorsement from the University Senior Executive Team or the Senate Risk and Audit Committee (SRAC).
Assurance vs. Advisory engagements
Our process and reporting differ, depending on the nature of the work that we are undertaking:

| | Assurance and Audit | Advisory |
|---|---|---|
| Scope/focus | Focus on: | Limited/specific scopes |
| Initiation | Initiated through the risk-based audit planning process | At the request of management, or opportunities to add value identified through the annual audit planning process |
| Reporting | | |