Internal Audit Policy

This is the current version of this document.

Section 1 - Background and Purpose

(1) The following Policy and the associated Internal Audit Charter provide a broad framework for the conduct of audit and assurance services at La Trobe University (LTU).

(2) This Policy enables the University to establish and maintain an effective Internal Audit function as a key component of its governance framework, and to meet internal audit requirements under law. The Policy supports the University’s compliance with the Higher Education Standards (Threshold Standards) 2015.

(3) The Procedures below document how to comply with this Policy.

(4) Governing Legislation

  1. La Trobe University Act 2009
  2. Financial Management Act 1994

Section 2 - Scope

(5) This Policy applies to the Internal Audit function of the University, and the scheduled audits, activities and reviews conducted by this function. Internal Audit will assist Council in discharging its responsibilities to efficiently, effectively and economically manage and control the University’s operations and act in a manner that promotes the University’s interests, including:

  1. Establishing and maintaining appropriate systems of internal control and risk management; 
  2. Establishing and keeping funds and accounts in compliance with prescribed requirements;
  3. Ensuring annual financial statements are prepared, certified and tabled in Parliament in accordance with prescribed requirements;
  4. Undertaking planning and budgeting for the University that is appropriate to its size; and
  5. Performing other functions conferred by legislation on the University or under a financial and performance management standard.

Section 3 - Policy Statement

(6) The University has an Internal Audit Charter to define the purpose, authority and responsibility of its Internal Audit function as conferred by the Corporate Governance, Audit and Risk Committee (CGARC) under authority of the La Trobe University Council. This Charter will be reviewed by the Director, Risk Management and submitted for approval annually to the CGARC.

(7) The University's Internal Audit function will provide independent, objective assurance and advisory services to the University in accordance with the Internal Audit Charter.

(8) The University will have a risk-based rolling three-year Internal Audit Plan, approved annually by the CGARC, which will outline areas and functions of the University to be audited by the Internal Audit function.

(9) Audits will be performed by the Internal Audit function in accordance with an established audit methodology.


Section 4 - Procedures

Part A - Audit and Assurance Framework

(10) The University’s Audit and Assurance Framework is based on a ‘four lines of defence’ model to demonstrate and structure roles, responsibilities, linkages and accountabilities for decision making, risk and control purposes to achieve effective governance and assurance. Each line of defence provides higher levels of independence and objectivity, thereby delivering greater assurance to key stakeholders.

  1. First line of defence is ‘Line management in business operations’ – those in line management positions are responsible for operationalising risk management and internal controls and implementing business improvement reviews and outcomes.
  2. Second line of defence is ‘Management review and oversight’ – Senior Executive Group are responsible for establishing and monitoring the University’s policies and standards.
  3. Third line of defence is ‘Internal review’ – internal audit and assurance mechanisms are responsible for providing independent and objective assurance and advice on governance, risk and compliance matters to the University, and includes the Internal Audit function, CGARC and Council. 
  4. Fourth line of defence is ‘External review’ – external audit and assurance agencies are responsible for providing independent monitoring and review of the University including regulatory oversight by the Tertiary Education Quality and Standards Agency.

Part B - Internal Audit Responsibilities

(11) The University is committed to maintaining a risk-based, efficient, effective and economical internal audit function as required by the Financial Management Act 1994, and will ensure that all internal audit activities remain independent of management. 

(12) The responsibilities of Internal Audit are defined by Council, on advice of CGARC, as part of its oversight role in the associated Internal Audit Charter. Internal Audit’s role may include, but is not limited to, the review of University risk, internal controls, efficiency, effectiveness, governance, performance and compliance matters (including work health and safety).

(13) The primary purpose of Internal Audit is to add value to the University’s operations by providing an independent appraisal and advisory function for CGARC, Council and the Executive thereby assisting the University in realising its corporate goals. This is achieved by examining and evaluating the adequacy, effectiveness and efficiency of risk management, systems of internal control and the quality of management systems in an independent and professional manner.

(14) The operation of Internal Audit does not relieve officers of the University of their individual responsibilities and accountabilities, nor does it in any way diminish the Vice-Chancellor or Executive and management’s responsibilities for the implementation and maintenance of effective systems of internal control and prevention and detection of fraud.

Part C - Development of Internal Audit Plan

(15) The Internal Audit Plan will be developed by Internal Audit for a rolling 3-year period, informed by the enterprise risk profile, and will be approved by the Vice-Chancellor and CGARC annually.

(16) The Internal Audit Plan will include the high level scopes of each audit, as mapped to material risks, including the expected days of effort and the nominated SEG member with portfolio responsibility for the risk area and who will be consulted in the development of the detailed audit scope.

(17) In defining the Plan and scoping each audit project, Internal Audit will take a risk-based approach and aim not to duplicate work of recent reviews. Final decisions about the scope, approach and depth of testing will remain with Internal Audit to ensure independence of assurance services as required by the Charter.

Part D - Conduct of Internal Audits

Engagement Planning

(18) In accordance with the Internal Audit procedures, the function will conduct preliminary planning activities to develop a draft Scope document for the audit or review. The Scope document includes the objective and scope of the audit, relevant risks, and the key timeframes and requirements for the audit or review process.

(19) Draft Scope documents will be discussed and agreed with the Responsible Executive and staff at an audit scope meeting. The agreed Scope will be issued to all relevant staff likely to be involved in the audit before work commences.

(20) Further meetings will be conducted by the Internal Audit function with relevant staff to perform detailed planning for the audit, including process walk-throughs and data extraction, to obtain an adequate understanding of the area so that an effective risk-based audit can be performed.


(21) The Internal Audit function will undertake detailed testing of the audit area, which may include further discussions with staff, data analysis and review of relevant documentation and systems.

(22) Any potential audit findings identified during the fieldwork or planning stages of the audit will be discussed and confirmed with relevant staff prior to the finding being included in the draft Internal Audit Report. This includes discussing details and confirming the factual accuracy of the audit observation, identified root cause/s and associated risks.


(23) At the completion of audit testing and fieldwork, a workshop will be conducted with relevant staff to discuss the outcomes of the audit fieldwork and any potential audit findings which may be included in the draft Internal Audit Report.

Audit Reporting

(24) The Internal Audit function will draft an Internal Audit Report, based on the work performed during the audit, which outlines the audit results and any audit findings and recommendations. The draft Internal Audit Report will be discussed with relevant staff at an audit exit meeting.

(25) Relevant staff will receive a copy of the draft Internal Audit Report to review and provide comments. Comments are to include action plans to address any audit recommendations, responsibilities, and timeframes. Comments are to be provided by the member of staff with responsibility for ensuring action plans can be implemented, and all comments are to be discussed with, and endorsed by, the relevant member/s of the Executive prior to returning the report back to the Internal Audit function.

(26) Comments on the draft Internal Audit Report are to be provided in a timely manner, within the timeframe agreed with the Internal Audit function (at a minimum, this will be one week after the draft Internal Audit Report has been received by management). If this deadline cannot be met, this must be discussed with the Internal Audit function. If comments are not received in a reasonable timeframe, the Director, Risk Management may escalate the report to the Responsible Executive, relevant member/s of the Executive and/or the Vice-Chancellor.

(27) The Internal Audit function will review all comments received, and ensure they address the substance of the audit recommendation and that reasonable timeframes for implementing action plans have been established (based on the risk associated with the audit finding).

(28) Once appropriate comments have been included in the draft Internal Audit Report, it will be submitted to the Responsible Executive for consideration and for additional comments, where appropriate. Any comments provided will be incorporated into the draft Internal Audit Report, and may require the Internal Audit function to perform further follow-up with relevant staff.

(29) After comments from the Responsible Executive have been received, a final Internal Audit Report will be distributed to relevant staff (as outlined in the report). The Internal Audit Report will also be made available to the Vice-Chancellor and all CGARC members.

Audit Completion

(30) After the final Internal Audit Report has been distributed, an audit feedback survey will be provided to relevant staff to obtain feedback on the audit process and/or the auditors involved in the audit.

(31) The Director, Risk Management will report audit results to the meeting of the CGARC held after the Vice-Chancellor has considered the Internal Audit Report.

Follow-up and Monitoring

(32) The Internal Audit function will request staff nominated as responsible for implementing action plans to provide a status update on a regular basis, usually as action plan timeframes are due. The status update will involve staff providing information and evidence to demonstrate actions taken to date, outlining actions still to be undertaken, and a revised implementation date if required.

(33) Any action plans not to be implemented are to be discussed with the Internal Audit function. Depending on the reasons, and the associated risk rating for the original audit finding, the matter may be escalated to the Executive and/or the Vice-Chancellor for consideration.

(34) Areas involved in the review will be required to provide an update on the progress of implementation. These progress reports must include brief details of action completed and/or progress made. Where agreed time frames are not likely to be met, this must be highlighted together with the reasons for the delay and proposed new implementation date.

(35) On a regular basis the Director, Risk Management will advise the Executive and Vice-Chancellor of any agreed action plans which have not been implemented in a timely or reasonable manner.

(36) The Director, Risk Management will provide a report to each meeting of CGARC on the status of all outstanding audit findings, including detailed information relating to high and very high risk audit findings as well as any action plans identified as not to be implemented.

Part E - Responding to Reports of Internal Audits

(37) Internal audit reports, once completed, will be provided to the relevant SEG portfolio holder with a request for management comments. Responses to audit reports will be required within 5 working days of receipt.

(38) Internal Audit will follow up with responsible managers on the progress of implementation of action plans quarterly, with reports provided to CGARC.


Section 5 - Definitions

(39) For the purpose of this Policy:

  1. Internal Audit function: encompasses in-house internal audit staff employed directly by the University; internal audit staff provided by an external organisation under a co-source provider arrangement; and staff from another external organisation engaged to provide specific internal audit services.
  2. CGARC: Corporate Governance, Audit and Risk Committee, a sub-committee of Council.
  3. Charter: means the Internal Audit Charter.
  4. Committee member: means a member of the University’s CGARC.
  5. External Audit: refers to representatives of the Victorian Auditor-General's Office (VAGO) or any other providers of audit services subcontracted by VAGO to undertake elements of its audit program at the University. 
  6. Internal auditing: is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
  7. Risk based internal auditing: is the methodology which Internal Audit activity uses to provide assurance that risks are being managed within the organisation’s risk appetite.

Section 6 - Stakeholders

Responsibility for implementation – Risk and Assurance Advisor; and Director, Risk Management.
Responsibility for monitoring implementation and compliance – Director, Risk Management; and Corporate Governance, Audit and Risk Committee (CGARC).