View Current

Internal Audit Charter

This is the current version of this document. To view historic versions, click the link in the document's navigation bar.

Section 1 - Establishment

(1) This charter establishes the purpose, scope, authorities and responsibilities, organisational relationships and independence conferred by the University of Newcastle’s Council on Governance and Assurance Services with respect to carrying out internal audit duties.

(2) An effective internal audit service is required by Section 11 of the Government Sector Audit Act 1983 and supported by Section 17(A) of the University of Newcastle Act 1989 No 68.

(3) The Internal Audit function, within the context of the University's operations, comprises those resources directly associated with the provision of internal audit services, whether they be resources internal or external to the University.

(4) The role of Internal Audit, the Core Principles for the Professional Practice of Internal Auditing, the application of the Internal Audit Code of Ethics and the Internal Audit Standards, as stipulated in the International Professional Practices Framework (IPPF), are discussed regularly between the University Secretary (the Chief Audit Executive under the Standards), the Vice-Chancellor and the Risk Committee.

(5) Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve the University's operations. It helps the University accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Top of Page

Section 2 - Purpose

(6) The Internal Audit Function assists the Council and Committees in the effective execution of its responsibilities by providing independent analysis, advice and recommendations concerning the operations and processes of the University. As such, Internal Audit programs should be developed to provide in-depth and quality analysis to identify improvements to meet strategic objectives.

(7) Internal Audit assists the University in achieving its objectives by adding value and identifying areas for improvement with the aim being to promote efficiency, economy and effectiveness of management processes as well as reliability and accuracy of operations.

Top of Page

Section 3 - Internal Audit Model

(8) Internal audit activity is outsourced to an external provider.

(9) The outsourced Internal Audit provider reports for administrative purposes to the University Secretary; however, retains unrestricted access to the Risk Committee to discuss any matters relating to the finances or operations of the University.

Top of Page

Section 4 - Independence 

(10) The Internal Audit function has independent status within the University to ensure its effectiveness. To achieve this, Internal Audit is:-

  1. functionally responsible to the Council via the Risk Committee;
  2. administratively responsible to the Vice-Chancellor;
  3. independent of any other organisational unit, employee or official of the University.

(11) The University Secretary has unrestricted access to the Chair of the Risk Committee and/or the Vice-Chancellor to raise any concerns about audit matters or other significant risks that in their opinion are not being adequately dealt with by the University.

(12) All Internal Audit activities must be free of influence from any element in the organisation, including matters related to audit selection, scope, procedures, frequency, timing, or report content.

(13) Internal Audit is independent of the activities that it audits to ensure unbiased judgements, proper conduct and impartial advice to management and the Council. Internal Audit has no direct operational responsibility or authority over any of the activities it reviews. The Internal Audit Function has no responsibility for developing or implementing procedures or systems and does not prepare records or engage in first or second line processing functions or activities, including the implementation of risk mitigates or controls.

(14) The work of Internal Audit does not in any way relieve managers of their responsibilities for the development, implementation, and maintenance of management control systems in their areas.

(15) Where the University Secretary is responsible for a non-audit activity, safeguards are implemented to maintain independence. Reviews of non-audit activities are managed and performed independently of the University Secretary and reported directly to the Risk Committee.

(16) Potential impairments to independence or objectivity relating to other management reviews must be disclosed to the key stakeholders of the engagement prior to acceptance of the engagement.

(17) To further preserve independence, staff working within Internal Audit, including the outsourced Internal Audit provider will not undertake secondary employment within the University unless approved by the Risk Committee on the recommendation of the University Secretary.

Top of Page

Section 5 - Authority

(18) Under the authority of the Council:

  1. Internal Audit will undertake audits in accordance with plans approved by the Risk Committee on behalf of Council.
  2. Internal Audit may undertake further audits and reviews as the Council, Council Committee, Vice-Chancellor, or members of the Executive Leadership Team may request from time to time.
  3. For the duration of the audit and in carrying out its duties and responsibilities, Internal Audit is entitled to full, free and unrestricted access to all of the University's activities, records, premises, property, personnel and any other documentation or information which the University Secretary considers necessary to properly fulfil its functions as specified in the Internal Audit Plan, scope of individual audits or other special tasks or investigations.
  4. University staff (including those employed by a University controlled entity) are required to fully cooperate with Internal Audit activities and to facilitate the progress of audit work by providing input and assistance in an appropriate manner.
  5. The University Secretary, in undertaking the Internal Audit Plan or other tasks as directed under b is authorised to allocate resources, set frequencies, select subjects, determine scopes of work, apply techniques required to accomplish audit objectives and approve the final audit report in consultation with key stakeholders in the individual audit.
  6. Subject to the availability of approved budget, the University Secretary is authorised to engage an external service provider to conduct the audit, specific task or investigation, or if additional resources are required. The University Secretary will decline the consulting engagement if Internal Audit has a conflict of interest which cannot be effectively managed, are unable to obtain or lack the requisite knowledge, skills, or other competencies needed to perform all or part of the engagement.
  7. The existence of Internal Audit does not reduce the financial and operational responsibilities of management for the proper execution and control of activities, including responsibilities for the periodic conduct of system appraisals, internal controls and risk management.
Top of Page

Section 6 - Confidentiality

(19) All records, documentation and information accessed in the course of Internal Audit activities are to be used solely for the conduct of these activities. All Internal Audit staff are responsible and accountable for maintaining the confidentiality of information they receive in the course of their work.

(20) Internal Audit reports are deemed to be confidential reports of the Council and will be provided to the University's appointed external auditors and/or any other government agency in accordance with legislative requirements. Access to Internal Audit records will be managed by the Vice-Chancellor or the University Secretary after consideration and approval from relevant senior management.

Top of Page

Section 7 - Scope of Responsibilities 

(21) The University Secretary is responsible for supervising the performance of the outsourced Internal Audit provider and ensuring internal audits and agreed engagements are conducted in accordance with this Charter, University Policies and the IPPF.

(22) Internal Audit shall, in the performance of its function, consider the following:

  1. compliance, with internal and external legislation and instruments;
  2. the adequacy, reliability, integrity and effectiveness of the financial and operational controls, including IT system controls ;
  3. whether the information technology governance supports the University's strategies and objectives;
  4. the recording, control and use of the University's assets;
  5. the efficiency, effectiveness, design, implementation and ethical conduct of the University's systems and processes with an aim to contribute to the improvement in internal controls and risk management processes; and
  6. the extent to which public and other property, money and resources under the control of the University are accounted for, used and safeguarded from loss, including misuse.

(23) Internal Audit shall, where appropriate and requested, provide advice to management, including on new projects and programs, with particular emphasis on the matters identified in clause 18.

(24) Internal Audit activities may also cover any controlled entities of the University.

(25) By request from the Council or the Vice-Chancellor, Internal Audit may be asked to engage with associated/related bodies that are part of, attached to or otherwise partially controlled by the University.

(26) Should consulting opportunities arise during an internal audit engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached between the parties with the results of the consulting engagement communicated to stakeholders.

(27) Internal Audit activities does not, in any instance, extend to:-

  1. exercising executive or managerial authority functions except those related to the Internal Audit function;
  2. performing any operational duties for the University or its controlled entities;
  3. initiating or approving accounting transactions outside the Internal Audit area; or
  4. involvement in any day-to-day operations or internal control functions of the University except those related to the Internal Audit function.
Top of Page

Section 8 - Planning 

(28) Following consultation with the Vice-Chancellor, members of the Executive Leadership Team and other relevant parties a risk based Internal Audit Plan will be prepared annually by the University Secretary for approval of the Risk Committee on behalf of Council.

(29) Amendments to the approved Internal Audit Plan shall be submitted to the Risk Committee for consideration and approval on the recommendation of the University Secretary.

Top of Page

Section 9 - Professional Standards and Quality Assurance

(30) Internal Audit will conduct activities consistent with this Charter and the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors (IIA), noting that:

  1. external audit activities remain the prerogative of the NSW Audit Office, or their agents;
  2. Internal Audit activities do not extend to the coordination of external audit on behalf of the NSW Audit Office although Internal Audit will consult with the University's external auditors to reduce duplication of audit activity; 
  3. where applicable, Internal Audit will have regard for the standards and practice statements and professional code of ethics issued by Australian and International accounting and auditing organisations, including the Institute of Internal Auditors and the Accounting Professional and Ethical Standards Board.

(31) The University Secretary will arrange an independent review of the efficiency and effectiveness of the operations of the Internal Audit function as part of a quality assurance program at least every five years, with additional self-assessments every three years.

Top of Page

Section 10 - Reporting 

(32) The University Secretary will provide the results of internal audits and quality assurance reviews to the Vice-Chancellor and as a general rule, to the Executive Leadership Team and the relevant members of University management.

(33) The University Secretary will report to the Risk Committee on:

  1. audits completed;
  2. progress in implementing the Internal Audit Plan including any issues impacting on the approved plan;
  3. progress in implementing agreed audit recommendations including any issues impacting on implementation;
  4. matters arising from previous meetings; and
  5. any other information requested by the Risk Committee.

(34) The University Secretary will communicate to the Vice-Chancellor and the Risk Committee any instances where management assumes a level of risk that may be outside the risk appetite and is unacceptable to the University.

(35) Annually the University Secretary will provide to the Risk Committee an attestation to support the independence of the internal audit services provided and an attestation to support compliance with the International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors.

Top of Page

Section 11 - Audit Recommendations and Actions 

(36) The University Secretary is responsible for working with relevant management to ensure that a system is in place which supports the implementation of agreed audit recommendations and actions within required time-frames.

(37) It is the responsibility of management to ensure the agreed audit recommendations are actioned within the required time-frame.

Top of Page

Section 12 - Review of Charter

(38) The University Secretary is responsible for review of this Charter every two years.

(39) Amendments to this Charter require the approval of the Council on the recommendation of the Risk Committee.