CSU Internal Audit Manual

CSU’s Internal Audit Framework considers six separate areas of internal audit activity: governance,
operational practice, communications, risk management, fraud control and internal control.
The Internal Audit Manual provides web-based links to key policies and documents under each of
these areas. Quality management principles operate within each element of the internal audit framework.
[Acknowledgement: This manual utilises guidance materials and articles published by the Institute of Internal
Auditors - Australia.]
Internal Audit Manual

Governance
- Audit and Risk Committee Terms of Reference (1)
- Internal Audit Charter (2)
- IIA Code of Ethics (3)
- IIA Standards (4)

Operational Practice
- Risk-based Audit Planning (5)
- Engagement Process (6)
- Proficiency & Due Professional Care (7)
- Quality Assurance (8)
- Periodic Self Assessment

Communications
- Audit Reports (9)
- General advice (10)

Risk Management
- Policy (11)
- Risk Framework (12)
- Facilitation (13)
- Training (14)

Fraud Control
- Disclosures Co-ordination (15)
- Record Keeping (16)
- Fraud Awareness Training (17)

Internal Control
- Control self assessment (18)

1. Audit and Risk Committee Terms of Reference
http://www.csu.edu.au/adminman/gov/Governance_Audit_and_Risk_Committee_Rule_2006_No1.pdf
2. Internal Audit Charter
http://www.csu.edu.au/adminman/fin/internal-Audit-Charter.pdf
3. Code of Ethics (Reference Institute of Internal Auditors)
http://www.iia.org.au/technicalResources/codeOfEthics.aspx
4. Standards (Reference Institute of Internal Auditors)
http://www.iia.org.au/technicalResources/standards.aspx
5. Risk Based Planning
Internal Audit’s program of activities is guided by an assessment of risk to the University and the capacity
of Internal Audit to help clarify and manage these risks. The audit program is informed by an annual
assessment of strategic and operational risks. The Vice-Chancellor or other senior executives may request
an audit review to support an operational requirement or in response to an emerging risk area.
Internal Audit activity is one component of CSU’s risk management framework. Internal Audit reviews do
not aim to provide coverage of every element of the audit universe as assurance is provided by other
elements of CSU’s risk management framework. Internal Audit coverage is also informed by:
- Periodic meta-level review of key quality assurance processes;
- Reliance on control self assessment processes to provide an assurance of administrative compliance
  within budget centres; and
- Risk assessment processes.
6. Audit Engagement Process
Audit activities are approved by the Audit and Risk Committee and are scheduled on a plan prepared by the
University Auditor. The Internal Audit engagement process contains the following key elements:
a) Prior to the commencement of an audit the University Auditor will notify the responsible budget
centre manager of the planned commencement of fieldwork.
b) The responsible budget centre manager will normally be the primary line of contact with the audit team and
will be responsible for coordinating the University’s response to audit findings and recommendations.
c) Prior to the commencement of audit fieldwork, the University Auditor and the senior line manager will
agree the audit commencement date and discuss audit coverage.
d) The responsible budget centre manager and the University Auditor will negotiate and agree timeframes for
the completion of each audit component. Under normal circumstances the University will adhere to the
agreed timeline. However, should an extension of time be required this can be negotiated and agreed
between the senior line manager and the University Auditor.
e) Following initial consultations with the budget centre manager, the University Auditor will prepare
Terms of Reference for the audit assignment. The Terms of Reference will communicate:
- why the audit has been commissioned;
- what the audit is to cover (the audit’s objectives and scope);
- key issues to be assessed by the auditor under each area of coverage;
- consultation requirements including a requirement for the auditor to convene formal entry and
  exit interviews with nominated senior managers and staff;
- the audit team’s responsibility to prepare a draft audit report for initial review and acceptance by
  the University Auditor;
- the audit team’s responsibility to forward the draft audit report to nominated senior managers for
  consideration and response;
- management’s responsibility to consult with the audit team to remove any apparent errors of fact
  from the draft audit report;
- management’s responsibility to respond fully to the substance of all recommendations;
- the agreed time frame for the completion of important audit milestones including preparation of
  a draft report, receipt of management responses and preparation of a final audit report; and
- the University Auditor’s responsibility to monitor and where necessary assist the strategic
  progress of each audit.
7. Proficiency, Due Care and Quality Assurance
Quality assurance of the internal audit process is guided by applicable benchmarks of the Institute of
Internal Auditors. There is an expectation that internal auditors, as a team, will have the competence to
complete assigned tasks. Members of the internal audit team are encouraged to pursue ongoing professional
development to ensure competence and proficiency. Internal Audit resources and skills are supplemented,
as required, through the engagement of contract auditors.
Audit findings and recommendations are required to be evidence based and documented in working papers.
Working papers are reviewed by the University Auditor and filed electronically.
8. Annual Self Assessment
Annual self-assessments of the Internal Audit Function should focus on evaluating:
- Conformance with the Internal Audit Charter, the IIA Definition of Internal Auditing, the Code of
  Ethics and the Standards
- The quality of the audit work, including adherence to the internal audit methodology
- The quality of supervision
- The infrastructure, including the policies and procedures, supporting the internal audit activity
- The ways in which the internal audit activity adds value to the organisation
- The achievement of performance standards / indicators.
Periodic self-assessments are conducted through:
- Working paper reviews, for conformance with the Standards and internal audit policies and
  procedures, by staff not involved in the respective audits
- Self-assessments of the internal audit activity with objectives / criteria established as part of the
  QAIP (i.e. specific criteria are developed for each element under the three areas – governance,
  professional practice and reporting)
- Identification of systemic issues
- Benchmarking of best practices
- Review of internal audit performance metrics and performance reporting.
Annual Self Assessment surveys are generally forwarded to the University Auditor by the NSW Audit
Office. The University’s response to these surveys is forwarded to the NSW Audit Office through the Chair
of the Audit and Risk Committee. The Audit and Risk Committee will flag any required follow-up action,
by the University, in relation to the self assessment result.
9. External Assessment
The Internal Audit function is periodically assessed by the NSW Audit Office. External Assessment of the
Internal Audit Function may also be commissioned periodically by the Audit and Risk Committee.
10. Audit Communication
There is an expectation the internal audit teams will ensure that responsible line managers and budget centre
managers are informed of audit fieldwork requirements in a timely manner. Responsible line managers and
budget centre managers should be provided with updates on any key audit findings during the course of
audit fieldwork.
At the conclusion of Audit fieldwork, the audit team will convene an Exit Discussion with the responsible
budget centre manager and other staff members as required. The purpose of the exit interview is to discuss
audit findings and recommendations. The Exit Discussions should be used by the responsible auditor as a
basis for preparing a draft audit report. A draft audit report should be submitted to the responsible budget
centre manager within 2 weeks of the completion of audit fieldwork.
11. Audit Reports
CSU audit reports should include a Memo to the responsible Primary Budget Centre Manager. The Memo
should generally include the following elements:
- background;
- scope and objectives;
- methodology; and
- the auditor’s concluding opinion on the broad state of wellbeing of the area of audit coverage.
Findings and recommendations are (generally) presented in a tabular form and in order of risk assessed
importance. The table will include columns for:
- Audit Observation
- Risk
- Recommendation
- Management Response.
Responsible Primary Budget Centre managers are responsible for responding to Internal Audit
recommendations in a timely manner. Responses should indicate whether management agrees, disagrees or
agrees in principle to each recommendation, what follow-up actions are planned to be taken and when those
actions will be completed.
Finalised audit reports are submitted under the University Auditor’s quarterly report to the Vice-Chancellor
for tabling at the Audit and Risk Committee.
10. General Advice to line management and to Council.
Internal Audit may provide ad hoc advice reports on the operation of the University and emerging risks to
the Vice Chancellor or responsible line managers. Opinions and advice provided by Internal Audit will
include a disclosure on the quality of supporting evidence.
It is operationally desirable that general advice be minuted and/or confirmed through an email
communication.
11. Risk Management Policy
The University Auditor is responsible for maintaining the University’s Risk Management Policy. The Policy is
reviewed periodically and approved by University Council.
http://www.csu.edu.au/adminman/gov/policy-risk-management.pdf
12. Risk Management Framework.
The framework describes the University’s governance arrangements, key management responsibilities,
policies, procedures, and protocols. The document aims to give Audit and Risk Committee some assurance
that the complex area of risk management is being approached in an effective manner by the University.
(Annexure 5 Refers)
13. Facilitation of Risk Assessments
Ownership of University risk assessments resides with the Vice-Chancellor and responsible line managers.
Internal Audit may provide a service to line management by helping to facilitate certain risk assessment
processes including the University’s Strategic Risk Assessment.
14. Risk Management Training
Internal Audit periodically performs risk management training across the University. An online risk
management training presentation is also available providing guidance to University Staff.
There is an expectation that risk management training will be provided to staff in response to the adoption
of new risk management methodologies and the acquisition of any new risk management tools.
http://www.csu.edu.au/division/plandev/internal_audit/resources.htm
15. Disclosures Co-ordination
The University Auditor is the nominated disclosures Coordinator for CSU. The University Auditor is
responsible for maintaining the University’s Disclosures Policy and Reporting Procedure in concurrence with
NSW Government requirements.
(Annexure 6 refers)
16. Disclosure Records
The University Auditor is responsible for maintaining a disclosures database and records in accordance with
requirements outlined by the NSW Government. Nominated Disclosure officers will also comply with the
record keeping requirements of the NSW Government.
17. Fraud Awareness training
CSU staff are required to complete an on-line fraud awareness training module which is maintained by the
University Auditor. Additional Fraud Awareness training may be provided through the Internal Audit Unit.
18. Control Self Assessment
Internal Audit prepares control self assessments that aim to help line managers both checklist
compliance requirements and flag any emerging risk areas.