• Section 1 - Purpose:
• Purpose
• Section 2 - Principles
• Independence and Conflict of Interest
• Conformance with Principles
• Authority and Confidentiality
• Reporting to the Audit and Risk Management Committee
• Nature and Scope of Work
• Resourcing
• Quality Assurance and Improvement Program
• Evaluation of Performance
• Relationship with External Audit and Other Assurance Activities
• Section 3 - Responsibilities
• Internal Audit
• University Staff
• Section 4 - Definitions

Section 1 - Purpose:

(1) The Internal Audit function is established by authority of the University of Canberra (University) Council and its responsibilities are defined in this Internal Audit Charter which is approved by the Audit and Risk Management Committee (ARMC).

(2) This Charter provides the framework for the conduct of Internal Audit activities at the University.

Purpose

(3) The purpose of Internal Audit is to enhance and protect organisational value by providing stakeholders with risk-based, objective and reliable assurance, advice and insight.

(4) Internal Audit provides independent and objective assurance to:

1. the Council that financial and non-financial controls are operating in an efficient, effective, economical and ethical manner; and
2. assist management in improving business performance.

Section 2 - Principles

Independence and Conflict of Interest

(5) Internal Audit is required to be independent and objective, with objectivity essential to its effectiveness.

(6) Internal Audit has no direct authority or responsibility for the activities it reviews. Internal Audit has no responsibility for the management of business activities or for development or implementation of operational systems or procedures.

(7) All Internal Audit staff and service providers report to the Chief Operating Officer and Vice-President Operations who is the appointed Chief Audit Executive and reports:

1. functionally for operations to ARMC through the Chair; and
2. administratively to the Vice-Chancellor, with right of direct access to the Chancellor.

(8) Where the Chief Operating Officer and Vice-President Operations may be responsible for a non-audit activity, the University has independence safeguards in place:

1. when responsible for non-audit activities, the Chief Operating Officer and Vice-President Operations is not acting in the capacity of the Chief Audit Executive when managing or performing those activities; and
2. internal audit review of these non-audit activities must be managed and performed independently of the Chief Operating Officer and Vice-President Operations. These reviews are to be sponsored by the Vice-Chancellor, and endorsed by, the ARMC.

(9) Each year on 31 December the Chief Audit Executive must confirm in writing to the ARMC that for the past year there has been:

1. organisational independence for the Internal Audit function;
2. conformance with the University Charter of Conduct and Values;
3. conformance with the Code of Ethics - Institute of Internal Auditors;
4. no conflicts of interest by the Chief Audit Executive, or if so, how these conflicts were appropriately managed;
5. no conflicts of interest by Internal Audit staff or service providers, or if so, how these conflicts were appropriately managed; and
6. no non-audit duties performed by the Chief Audit Executive, Internal Audit staff or service providers, or if so, how were these duties declared.

Conformance with Principles

(10) Internal audit activities will be conducted in accordance with the International Standards for the Professional Practice of Internal Auditing (the Standards) and Code of Ethics as issued by The Institute of Internal Auditors. Internal Audit is to ensure it is compliant with relevant legal and regulatory frameworks, aligns with industry standards as relevant to the conduct of its audits, and exercises due professional care in performing its duties.

Authority and Confidentiality

(11) All Internal Audit work is undertaken under the authority of the Vice-Chancellor.

(12) Internal Audit staff and service providers are authorised to have full, free and unrestricted access to all functions, premises, assets, personnel, records, and other documentation and information necessary to enable Internal Audit to fulfill its responsibilities.

(13) All records, documentation and information accessed in the course of undertaking Internal Audit work are to be used solely for the conduct of these activities. Internal Audit staff and service providers are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.

(14) Management may request Internal Audit services in response to emerging business issues or risks. Internal Audit will attempt to satisfy these requests, subject to the assessed level of risk, availability of resources, and endorsement of the ARMC.

Reporting to the Audit and Risk Management Committee

(15) The ARMC supports the Council in exercising its governance responsibilities. Internal Audit will report to each ARMC meeting on:

1. internal audit engagements completed;
2. progress in implementing the Annual Internal Audit Plan; and
3. the status of implementation of agreed internal audit, external audit, and other relevant external body recommendations.

Nature and Scope of Work

(16) The scope of Internal Audit work embraces the wider concept of corporate governance and risk, recognising that controls exist in the University to manage risks and promote effective and efficient governance and performance. The types of Internal Audit work at the University are:

1. Assurance Services – objective examination of evidence for the purpose of providing an independent assessment of risk management (including appropriate application of the University’s Risk Appetite Statement), quality, control and governance processes.
2. Consulting Services – advisory and related client activities, the nature and scope of which are agreed upon with the University and which are intended to add value and improve business operations.
3. Other Value-Adding Services – focusing on efficiency and effectiveness to improve processes and the economical use of finances and resources.

(17) The scope and coverage of Internal Audit work is not limited in any way, and may cover any of the programs and activities of the University and its controlled entities.

Resourcing

(18) The ARMC will be promptly advised of any resource limitations to which may impact the ability of Internal Audit to fulfill its responsibilities.

Quality Assurance and Improvement Program

(19) The Chief Audit Executive, in collaboration with the Institutional Quality Assurance team, is responsible for developing and maintaining a Quality Assurance and Improvement Program that includes:

1. Ongoing Internal Assessments including:
   1. supervision and review of Internal Audit engagements;
   2. collecting feedback from management after each Internal Audit engagement;
   3. performance evaluations; and
   4. results of Internal Audit performance measures.
2. Periodic Internal Assessments to be conducted annually:
   1. review of the Internal Audit Charter for conformance with the Standards; and
   2. self-assessment of conformance with the Standards.
3. External Assessments conducted at least once every five years by a qualified, independent assessor or assessment team from outside the University.

Evaluation of Performance

(20) Internal Audit performance will be evaluated and the results reported to the ARMC. This will include:

1. results of the Quality Assurance and Improvement Program;
2. feedback from management of areas where Internal Audit engagements have been performed; and
3. performance of service providers.

(21) Feedback on Internal Audit performance will be sought annually from members of the ARMC.

Relationship with External Audit and Other Assurance Activities

(22) Internal Audit will establish and maintain an open relationship with Institutional Quality Assurance, the External Auditor and other assurance providers. Internal Audit will plan its activity to ensure the adequacy of overall assurance coverage and to minimise duplication of assurance effort.

(23) External Auditors have full and free access to all Internal Audit plans, working papers and reports.

Section 3 - Responsibilities

Internal Audit

(24) Internal Audit responsibilities include, but are not limited to:

1. Internal Audit Manual
   1. Developing and maintaining an Internal Audit Manual containing procedures and methodology for Internal Audit work.
2. Internal Audit Plan and Assurance Map
   1. Developing a risk-based Strategic Internal Audit Plan that considers risks and issues identified by management, and submit that plan to the ARMC for review and endorsement.
   2. From the Strategic Internal Audit Plan, implementing an Annual Internal Audit Plan for the period 1 January to 31 December each year.
   3. Ensuring no changes are made to the Annual Internal Audit Plan without prior approval of the ARMC.
   4. Developing an Assurance Map built around the University 3 Lines of Defence that rates the effectiveness of the various assurance activities. This assists Internal Audit to better understand the overall assurance environment when developing the Internal Audit Plan and to formulate a plan that better targets areas where greater assurance may be required. It can also reduce duplication of assurance activities.
3. Internal Audit Engagements
   1. Conformance with the “International Standards for the Professional Practice of Internal Auditing”.
   2. Conducting internal audit engagements contained in the approved Annual Internal Audit Plan and producing a report for each audit containing recommendations for improvement.
   3. Appropriate level of consultation with management and other senior University staff.
   4. Ensuring responses and corrective action to be taken for recommendations are obtained from management and included in Internal Audit reports, including a timetable for completion. Management has maximum of 10 working days from when they receive the draft report to provide their responses to Internal Audit.
   5. Where management responses to any recommendation are not considered adequate, the Chief Audit Executive will consult with management of the area audited and attempt to reach a mutually agreeable resolution. If agreement is not reached, the Chief Audit Executive will refer the matter to the Vice-Chancellor for resolution. If agreement is still not reached, the final arbiter will be the ARMC.
   6. Providing final internal audit reports to management of the area audited, the Vice-Chancellor, and the ARMC. Copies may be provided to the External Auditor if requested.
4. Implementation of Audit Recommendations
   1. Establishing a system to monitor progress by management to implement Internal Audit and External Audit recommendations, as well as recommendations contained in reports by other external and regulatory bodies.
   2. Ensuring management provides updates to Internal Audit every three months on progress to implement audit recommendations, with these updates due three weeks prior to every quarterly ARMC meeting.
   3. Following-up and obtaining evidence that audit recommendations are implemented by management before recommending closure to the ARMC.

University Staff

(25) University management have the obligation to attend to all Internal Audit requests within a reasonable period, including the provision of responses to Internal Audit reports within 10 working days of having received the report.

(26) There is an expectation that all University staff do not knowingly mislead the Internal Audit activity or intentionally obstruct any audit activity. In addition to contributing professionally and constructively to internal audit engagements, and the implementation of actions in response to audit recommendations, University staff are expected and encouraged to bring any matters of concern to the notice of appropriate officers or the Chief Audit Executive.

Section 4 - Definitions