Transcription
UNSW Internal Audit CharterEffective 6 September 20211.IntroductionUNSW has established Internal Audit as a key component of UNSW’s governance framework.This Charter supersedes the 2019 Charter.(For the purpose of this Charter, UNSW means the legal entity The University of New South Walesand its controlled entities).This charter provides the framework for the conduct of the internal audit function at UNSW andhas been approved by the President and Vice-Chancellor (VC) and the Audit Committee.2.Purpose of Internal AuditInternal Audit is an independent, objective assurance and consulting activity designed to addvalue and improve an organisation's operations. It helps an organisation accomplish its objectivesby bringing a systematic, disciplined approach to evaluate and improve the effectiveness of riskmanagement, control, and governance processes 1.Internal Audit provides an independent and objective review and advisory service to: provide assurance to the VC, Council and the Audit Committee, that UNSW’s financial andoperational controls, designed to manage the organisation’s risks and achieve the entity’sobjectives, are operating in an efficient, effective and ethical manner, and assist management in improving the University’s business performance.3.Independence and ObjectivityIndependence is essential to the effectiveness of the Internal Audit function. Internal auditactivity must be independent, and internal auditors must be objective in performing their work.Internal auditors must have an impartial, unbiased attitude and avoid any conflicts of interest.Internal auditors must exhibit the highest level of professional objectivity in gathering,evaluating, and communicating information about the activity or process being examined.Internal auditors must make a balanced assessment of all the relevant circumstances and notbe unduly influenced by their own interests or by others in forming judgments.The Internal Audit function has no direct authority or responsibility for the activities it reviews. TheInternal Audit function has no responsibility for developing or implementing procedures or systemsand does not prepare records or engage in original line processing functions or activities (exceptin carrying out its own functions). The independence and objectivity of Internal Audit is notcompromised by the advisory services performed as described in Section 6 of this Charter.1 As defined by the International Standards for the Professional Practice of Internal Audit (IIA) (2013). Where relevant, sections ofthis Charter also incorporate other elements of the International Standards for the Professional Practice of Internal AuditingInternal Audit CharterEffective 6 September 20211
4.Authority and Reporting StructureThe internal Audit function is responsible on a day-to-day basis to the Chief Audit Executive(Director, Internal Audit) who leads the function.The Internal Audit function, through the Director, Internal Audit, reports functionally to the AuditCommittee on the results of completed audits, and for strategic direction and accountability purposes,and reports administratively to the Deputy Vice-Chancellor Planning & Assurance to facilitateadministrative and day to day operations.The Director, Internal Audit has direct communication access to the VC and the Audit Committee(including the Presiding Member) and reports to them directly on Internal Audit plans and results ofInternal Audit activities. The Audit Committee also holds confidential briefing sessions with theDirector, Internal Audit to discuss any matters the Audit Committee or the Director, Internal Auditconsider necessary.The following reporting line is prescribed:CouncilPresident and Vice-ChancellorAudit Committee(Presiding member)Deputy Vice-ChancellorPlanning & AssuranceDirector, Internal AuditThe Presiding Member of the Audit Committee (the Chair of the Audit Committee) is a member of (andappointed by) Council and reports through to the Council meeting immediately following each AuditCommittee meeting. The Presiding Member will be consulted on the appointment, removal, andperformance of the Director, Internal Audit.5.Scope of Internal Audit activityThe scope of Internal auditing encompasses the examination and evaluation of the adequacy andeffectiveness of UNSW's internal governance, risk management, internal process, controls andcompliance culture as well as the quality of performance in carrying out assigned responsibilities toachieve the University’s stated goals and objectives.Internal Audit reviews may cover all programs and activities of UNSW together with controlled andassociated entities, as provided for in relevant business agreements, memorandum of understanding orcontracts. Internal Audit activity encompasses the review of all financial and non-financial policies andoperations.Internal Audit will review the governance of an audited area by examining its strategies and plans and howits activities are being directed and monitored through a framework of accountability, delegation andreporting structure to assess the alignment of these activities with UNSW’s goals, values and complianceculture. It will also review the effectiveness of risk management and controls as key components in thegovernance process in optimising the audited area’s performance.6.Roles and responsibilitiesThe Internal Audit function must evaluate and contribute to the improvement of governance, riskmanagement, and control processes using a systematic and disciplined approach.Internal Audit CharterEffective 6 September 20212
In the conduct of its activities, the Internal Audit function will play an active role in: developing and maintaining a culture of accountability and integrityencouraging the integration of risk management into day-to-day business activities and processes,andpromoting a culture of cost-consciousness, self-assessment and adherence to high ethicalstandards.Internal audit activities will encompass the following areas:Audit activities including Audits with the following orientation:Risk focused evaluate the effectiveness of controls, and contribute to the improvement of risk management processes provide assurance that risk exposures relating to the organisation's governance, operations,projects and information systems are correctly evaluated, including: reliability and integrity of financial and operational information effectiveness, efficiency and economy of operations, and safeguarding of assets evaluate the design, implementation, and effectiveness of the organisation's ethics-relatedobjectives, programs, and activities assess whether the information technology governance of the organisation sustains and supportsthe organisation's strategies and objectives review project controls to ensure they are operating as designed and that projects are beingdelivered in accordance with the organisation’s strategies and objectivesCompliance compliance with applicable laws, regulations and Government policies and directionsPerformance improvement the efficiency, effectiveness, and economy of the entity’s business systems and processes.Fraud fact-finding and forensic investigations that may be required by management to addresscomplaints of fraud, corruption, or misconduct which are received by management or InternalAudit.Advisory servicesThe Internal Audit function can advise UNSW’s management on a range of matters including:New programs, systems and processes providing advice on the development of new programs and processes and/or significant changesto existing programs and processes including the design of appropriate controlsRisk management assisting management to identify risks and develop risk mitigation and monitoring strategies aspart of the risk management frameworkFraud control evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk assisting management to investigate fraud, identify the risks of fraud and develop fraud preventionand monitoring strategies.Audit support activitiesThe Internal Audit function is also responsible for: managing the Internal Audit function and budgetassisting the Audit Committee to discharge its responsibilitiesmonitoring the implementation of agreed audit recommendationsdisseminating across the entity better practice and lessons learnt arising from its audit activitiesongoing attendance, monitoring and oversight at key Project and Portfolio BoardsInternal Audit CharterEffective 6 September 20213
7.The Three Lines ModelUNSW adopts the International Standards for the Professional Practice of Internal Audit (IIA) endorsedThree Lines Model (TLM) in allocating responsibilities for risk management and internal control.As a First Line, UNSW’s management have ownership, responsibility and accountability for the controlenvironment and assessing, controlling and mitigating risks.Some UNSW management units also have responsibility for the Second Line activities such as oversightand support for First Line risk management activities through setting direction, ensuring compliance, andproviding assurance reporting.As a key assurance provider in the Three Line Model, Internal Audit will, through a risk-based approach,provide assurance to UNSW’s Audit Committee and management, on how effectively UNSW assessesand manages its risks, including the manner in which the First and Second Lines operate. Internal Auditwill ensure assurance activities provided by Internal Audit and other external or independent parties arecoordinated in an effective manner, and not result in duplication of resources.The independent check provided by Internal Audit activity will not absolve management and staff from anyof their risk management and internal control responsibilities.8.Access to Information and confidentialityInternal auditors are authorised to have full, free and unrestricted access to all functions, premises,assets, personnel, records, and other documentation and information that the Director, Internal Auditconsiders necessary to enable the Internal Audit function to meet its responsibilities 2.All records, documentation and information accessed in the course of undertaking Internal Audit activitiesare to be used solely for the conduct of these activities. The Director, Internal Audit and individual internalaudit staff are responsible and accountable for maintaining the confidentiality of the information theyreceive during the course of their work.All Internal audit documentation is to remain the property of the audited University, including whereinternal Audit services are performed by an external third-party provider.All staff of UNSW are required to provide Internal Audit with all the assistance it requests in fulfilling itsInternal Audit roles and responsibilities.9.StandardsInternal Audit activities will be conducted in accordance with this Policy and with relevant professionalstandards including International Standards for the Professional Practice of Internal Auditing issued bythe Institute of Internal Auditors (IIA).In the conduct of Internal Audit work, Internal audit staff will: comply with relevant professional standards of conductpossess the knowledge, skills and technical proficiency relevant to the performance of their dutiesbe skilled in dealing with people and communicating audit, risk management and related issueseffectivelyexercise due professional care in performing their duties.In addition to UNSW policies and procedures and the relevant legislations, Internal Audit operates under theguidance of the following authorities and standards: 2UNSW’s Audit Committee Terms of ReferenceUNSW’s Risk Committee Terms of ReferenceInternational Standards for the Professional Practice of Internal Auditing issued by IIAThe IIA’s Code of Ethics.Subject to any overriding legislative restrictions on information.Internal Audit CharterEffective 6 September 20214
10. PlanningInternal Audit reviews will be determined through the planning process of a three-year Internal AuditPlan (the “Plan”) that will align the focus of internal audit activity with UNSW’s strategic initiatives andUNSW’s Risk Management Framework; and will include input from the members of the AuditCommittee, management, Risk management, as well as the Audit Office of NSW.The Director, Internal Audit will prepare a risk-based, three-year rolling work plan updated bi-annuallyin a form and in accordance with a timetable agreed with the Audit Committee.The Plan will be prepared using a risk-based methodology so as to focus internal audit effort on areasof higher risk to UNSW. The Plan will align to UNSW’s Risk Management framework and will refer tothe Risk Profiles of UNSW.The Plan will be reviewed and approved by the Audit Committee after it has been reviewed by the VCand Management Board and with input from Management Board, the Audit Committee and the RiskManagement function of the university. The Plan will also be presented to the Risk Committee.Input and update to the scheduled Internal Audit reviews occur continuously as circumstances dictateand will not be restricted by the aforementioned planning cycle. Any significant deviation from anapproved Internal Audit Plan and any impact of resource limitations will be communicated to the AuditCommittee and the VC.A rolling Project Assurance Plan is maintained for UNSW’s Portfolio of Projects. Project Assurance isreliant on the quality assurance activities under the University Portfolio Office’s (UPO) QualityAssurance Framework, therefore Internal Audit will reassess the rolling Project Assurance Plan forpresentation at each Audit Committee to ensure the focus of Project Assurance activity is still relevant.11. Reporting and monitoringThe Director, Internal Audit will report to each meeting of the Audit Committee on: audits completed during the reporting periodprogress in implementing the bi-annual audit work plan,any significant matters concerning risk, internal control, compliance culture and internalgovernancethe implementation status of agreed internal and external audit recommendations, andany other matters needed or requested by the Committee.A report on Project Assurance reviews completed during the period will also be presented at each meeting ofthe Audit Committee.A written report will be issued by the Director, Internal Audit following the conclusion of each Internal Auditreview to the Management Board member who has management responsibility for the entity or activity beingaudited.Other recipients will include:a) President and Vice-Chancellor (Executive Summary/One Page Summary)b) Audit Committee (Executive Summary/One Page Summary and a Full Report for those reviews ratedRequires Immediate Attention)c) The Audit Office of New South Wales (Full Report)d) Vice-President Operations (Full Report)e) Deputy Vice-President Planning & Assurance (Full Report)f) Provost (Full Report)g) Managers and staff relevant to the activities covered by the review and the responsible action partiesfor the agreed management actions (Full Report).The Internal Audit report will include specific findings, management's agreed actions and targetcompletion dates of these actions. A full report will be made available to the VC and the members ofthe Audit Committee on request. The Internal Audit report will also reference UNSW’s RiskManagement framework.An Annual Report of Themes and Insights will be prepared that provides a summary of the key themesInternal Audit CharterEffective 6 September 20215
and insights from work that has been performed over that year.Internal Audit will be responsible for following up the progress and completion of management agreedactions and the results will be analysed and reported to the Audit Committee. Internal Audit will reviewand test on a selective basis the implemented agreed management actions.The Director, Internal Audit attends the meetings of the Audit Committee and may assist with thedeliberations of the Committee.The Internal Audit function will also report to the Audit Committee at least annually on the overall stateof internal controls at UNSW and any systemic issues requiring management attention based on thework of the internal audit function (and other assurance providers).12. ResourcingInternal Audit organises Internal Audit activities so that they are performed by adequate andprofessionally competent resources. The adopted model of resourcing to this end will be determinedby Internal Audit in consultation with the Audit Committee.Where an outsourcing or co-sourcing model is adopted, the external service provider will be selectedon the basis of their competence, skills and knowledge against a set of criteria that are critical to meetUNSW’s internal audit requirements. The selection process will follow normally accepted probityprinciples. The independence and objectivity of a potential provider will also be considered to ensurethere is no existence of relationships that may prevent the provider from discharging its services toUNSW in a manner which is impartial and unbiased.In the event of adopting an outsourcing or co-sourcing model, the Director, Internal Audit is fullyaccountable for Internal Audit activity at UNSW. The Director, Internal Audit must maintain oversight ofthe work performed by the provider, including but not limited to the adequacy of the scope andobjectives of the reviews, the basis on which conclusions are drawn in the reviews, as well as beingsatisfied with the provider’s internal compliance and quality control processes.The Director, Internal Audit will not engage the Internal Audit/ Risk service unit (IA/ Risk Unit) of theco-source partner(s) to provide any -internal audit services to Internal Audit without the prior approvalof the Audit Committee if there is a risk of self-review or a lack of actual or perceived independence.The co-source partner(s) will advise the Director, Internal Audit of any potential engagement of the firmby UNSW (other than by Internal Audit). The Director, Internal Audit will refer such engagement to thePresiding Member of the Audit Committee for review.The Director, Internal Audit will confirm to the Audit Committee annually the organisationalindependence of Internal Audit activity, including that of any external firms which execute the auditplan. This annual confirmation will include any other services that these firms might have provided inthe First and Second Line activities, and the quantum of these fees as percentage of Internal auditfees.13. Relationship with External AuditInternal and External audit activities will be coordinated to help ensure the adequacy of overall auditcoverage and to minimise duplication of effort.Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutualinterest and facilitate coordination.External audit will have full and free access to all Internal Audit plans, working papers and reports.14. Assessment and Quality ImprovementThe Director, Internal Audit will arrange for a periodic independent review, at least every five (5) years, ofthe efficiency and effectiveness of the operations of the internal audit function. The results of the reviewswill be reported to the Audit Committee.Internal Audit CharterEffective 6 September 20216
15. Review of the CharterThis charter will be reviewed every two years by the Audit Committee. Any substantive changes will beformally approved by the VC on the recommendation of the Audit Committee.ENDSources1. IIA Model Charter, The Institute of Internal Auditors (Revised March 2018)2. Model Internal Audit Charter, Internal Audit and Risk Management Policy for the NSW PublicSector, Policy and Guideline Paper TPP 15-03 (July 2015), NSW TreasuryInternal Audit CharterEffective 6 September 20217
This Charter supersedes the 2019 Charter. (For the purpose of this Charter, UNSW means the legal entity The University of New South Wales and its controlled entities). This charter provides the framework for the conduct of the internal audit function at UNSW and has been approved by the President and Vice-Chancellor (VC) and the Audit Committee. 2.
