• Section 1 - Background and Purpose
• Section 2 - Scope
• Section 3 - Policy Statement
• Section 4 - Procedure
• Objective of Audit Reports
• Draft Audit Reports
• Rating of Internal Audit Findings
• Responding to Internal Audit Reports
• Follow up of Action Plans
• Reporting to Corporate Governance, Audit and Risk Committee and Senior Management
• Failure to Comply with Reporting Requirements
• Section 5 - Definitions
• Section 6 - Stakeholders

Section 1 - Background and Purpose

(1) To establish a framework for responding to internal audit reports and implementing internal audit recommendations. 

Section 2 - Scope

(2) Applies to:

1. All campuses
2. All staff

Section 3 - Policy Statement

(3) Internal audit reports will be required to be responded to within 10 days. Implementation of audit recommendations must be completed within the prescribed timeframes (see procedures).

(4) Staff that fail to meet internal audit reporting and implementation timeframes will be required to explain their inaction to the Vice-Chancellor and Corporate Governance, Audit and Risk Committee (CGARC).

Section 4 - Procedure

(5) To establish a framework for responding to internal audit reports and implementing internal audit recommendations.

Objective of Audit Reports

(6) The primary objective of reporting is to communicate the results of the internal audit work performed; thereby ensuring that it brings about changes which contribute to the achievement of the University’s objectives and improved efficiencies.

Draft Audit Reports

(7) A report of findings will be drafted at the conclusion of each internal audit project that includes a comprehensive list of all findings as well as the potential impact of the issues and respective recommended solutions.

(8) Internal Audit will meet (‘closing meeting’) with relevant area managers to discuss the issues raised in the draft report. The purpose of the meeting is to agree on the findings and recommendations, to correct any errors or misunderstandings and to agree to an action plan.

Rating of Internal Audit Findings

(9) Audit findings will be prioritised according to their relative significance and their impact to the process or operation based on the ratings determined by the Corporate Governance, Audit and Risk Committee (extreme, high, moderate, low). The actions required on the findings are directed by the rating; the more serious the issue the higher level of management action required and the more timely the action required.

Responding to Internal Audit Reports

(10) Following the closing meeting, the relevant area manager will be required to provide a written response to the audit report within 10 days.

(11) For each issue in the report, the process owner will provide an action plan for resolving the issue.  The action plan includes:

1. a plan to resolve the issue,
2. the designation of the issue owner, and
3. a timeframe (date) for resolution.  

(12) Audits which contain findings with an extreme or high rating will be referred to the relevant senior officer for comment or agreement with the action plan prior to finalisation of the report.

Follow up of Action Plans

(13) The Internal Audit Office will follow up the progress of implementation of action plans at least quarterly. 

(14) Areas will be required to provide an update on the progress of implementation. These progress reports must include brief details of action completed and/or progress made. Where agreed time frames are not likely to be met, this must be highlighted together with the reasons for the delay and proposed new implementation date.

(15) Areas are required to provide progress reports within the timeframe prescribed by the Internal Audit Office.

Reporting to Corporate Governance, Audit and Risk Committee and Senior Management

(16) The representative senior management will be provided with a copy of the audit report prior to submission to the Corporate Governance, Audit and Risk Committee.

(17) All final internal audit reports are issued to the CGARC.

(18) The Risk Management Division will report to the CGARC on the progress of implementation of action plans against the agreed timetable. 

Failure to Comply with Reporting Requirements

(19) Staff that fail to meet internal audit reporting and implementation timeframes will be required to explain their inaction to the Vice-Chancellor and Corporate Governance, Audit and Risk Committee.

Section 5 - Definitions

(20) Nil.

Section 6 - Stakeholders

(21) Responsibility for implementation – Manager, Internal Audit; and Director, Risk Management.

(22) Responsibility for monitoring implementation and compliance – Director, Risk Management; and Corporate Governance, Audit and Risk Committee.