Manual of Policies and Procedures

A/1.5 QUT Assurance and Risk Management Services Charter

Contact Officer: Director, Assurance and Risk Management Services

Approval Date: 03/10/2014

Approval Authority: Audit and Risk Management Committee

Date of Next Review: 01/10/2017

1.5.1 Policy principles
1.5.2 Role of Assurance and Risk Management Services
1.5.3 Authority
1.5.4 Independence
1.5.5 Responsibilities
1.5.6 Professional practices including standards
1.5.7 Audit
1.5.8 University-wide risk management
1.5.9 Quality assurance program
1.5.10 Reporting
1.5.11 Liaison with external auditors
Related Documents
Modification History

1.5.1 Policy principles

The Assurance and Risk Management Services Charter has been developed to provide a broad framework, professional standards and guidelines for the conduct of assurance, audit and coordination of University-wide risk management activities.

The Charter is subject to an annual review to ensure it is relevant, aligned with organisational changes and good practices, and an appropriate level of cost-effective value-added services is achieved.

The Assurance and Risk Management Services Charter is approved by the Audit and Risk Management Committee on delegated authority from QUT Council.

1.5.2 Role of Assurance and Risk Management Services

The primary purpose of Assurance and Risk Management Services is to add value to the University's operations and assist the University to achieve its corporate goals by providing independent and objective analysis, appraisals, recommendations, counsel and information on the University's systems of internal control, effectiveness of risk management and the quality of performance. This is achieved by examining and evaluating the adequacy, economy, effectiveness and efficiency of risk management, systems of internal control, and the quality of management in a systematic, disciplined and professional manner.

Assurance and Risk Management Services should not be involved in setting the risk appetite or taking decisions on risk responses and implementing these responses on behalf of management. Management remain responsible and accountable for the identification, assessment and treatment of risk. In addition, Assurance and Risk Management Services should not develop or implement procedures or systems, prepare records, or be engaged in operational or processing functions. This does not exclude Assurance and Risk Management professionals from suggesting system development projects or being consulted on proposed and/or existing systems, policies and procedures.

A review or appraisal by Assurance and Risk Management Services does not in any way relieve officers of the University of their individual responsibilities and accountabilities.

1.5.3 Authority

The Director, Assurance and Risk Management Services, is authorised to direct a broad, comprehensive program of assurance, audit and co-ordination of risk management activities across the University. The Director, Assurance and Risk Management Services, and staff are authorised to have full, free and unrestricted access to all functions, property, personnel, records, accounts, files and other documentation. Information accessed in the course of audits is to be used strictly for audit purposes.

The Director, Assurance and Risk Management Services, will have unfettered access to the Vice-Chancellor and to the Audit and Risk Management Committee and is responsible for the management of Assurance and Risk Management Services.

1.5.4 Independence

Independence is essential to the effectiveness of the delivery of assurance, audit and co-ordination of risk management services. This independence is obtained primarily through organisational status and objectivity.

The Director, Assurance and Risk Management Services is responsible to the Audit and Risk Management Committee for ensuring not only the broadest range of assurance, audit and risk coverage but also adequate consideration of audit reports and appropriate action on audit recommendations.

Assurance and Risk Management Services operates within Chancellery directly reporting, for administrative purposes, to the Vice-Chancellor. The Director, Assurance and Risk Management Services is responsible to the Vice-Chancellor for the performance of the assurance, audit and co-ordination of the risk management function and the performance of staff in Assurance and Risk Management Services in accordance with the University's relevant human resources policies and procedures. The Vice-Chancellor is responsible for ensuring resourcing support in respect of the assurance and co-ordination of risk management function within the context and constraints of the University's planning and resourcing framework and principles. Resources may be provided by Assurance and Risk Management Services staff who are employees of the University, or by external contractors and consultants.

Assurance and Risk Management Services staff must be independent of the activities they audit and will report to the Director, Assurance and Risk Management Services any situations in which a conflict of interest or bias is present or may be reasonably inferred. Assurance and Risk Management Services staff must not assume operating responsibilities and must be objective in performing their work.

1.5.5 Responsibilities

Director, Assurance and Risk Management Services

The Director, Assurance and Risk Management Services is responsible to the Audit and Risk Management Committee in relation to all assurance, audit and co-ordination of risk management services, including:

  • the provision of objective assurance to the Audit and Risk Management Committee on the adequacy and effectiveness of the University's risk management and internal control activities
  • performance of assurance services (including training, facilitation and advisory) beyond audit services to assist management with achieving University goals
  • assisting in investigation of suspected corruption and fraudulent activities within the University and reporting to the Registrar, management and Audit and Risk Management Committee accordingly
  • keeping the Audit and Risk Management Committee informed of emerging trends and successful practices in assurance, audit and risk management, and
  • reporting to the Audit and Risk Management Committee on the performance of Assurance and Risk Management Services against the key performance indicators agreed with the Audit and Risk Management Committee.

Audit and Risk Management Committee

Audit and Risk Management Committee (A/3.3) advises both Council and the Vice-Chancellor, as accountable officer, on the performance or discharge of functions and duties under the Financial Accountability Act 2009 (Qld), Financial and Performance Management Standard 2009 (Qld) and the QUT Assurance and Risk Management Services Charter.

1.5.6 Professional practices including standards

Assurance and Risk Management Services shall comply with the following:

  • The Institute of Internal Auditors, International Professional Practices Framework (IPPF)
  • Standards on Information Systems Auditing Standards issued by the Information Systems Audit and Control Association
  • Auditing and Assurance Standards Board (AUASB Auditing Standards) as appropriate to internal auditing, and
  • Standard relevant to Risk Management being AS/NZS ISO 31000:2009.

Assurance and Risk Management Services professionals are required to:

  • comply with professional standards of conduct
  • possess the knowledge, skills, and technical proficiency essential to the performance of assurance, audits and co-ordination of risk management activities
  • be skilled in dealing with people and in communicating audit and risk issues effectively
  • maintain their technical competence through a program of continuing education, and
  • exercise due professional care in performing assurance, audits and the co-ordination of risk management activities.

1.5.7 Audit

Audit Plans

An Assurance and Risk Management Services Strategic Plan (Strategic Plan) covering three years and an Annual Assurance and Risk Management Services Plan (Annual Plan) must be prepared by the Director, Assurance and Risk Management Services for approval by the Audit and Risk Management Committee. The Plans must be based on an assessment of the University's business risks pertaining to the achievement of the University's corporate goals and key priorities outlined in the QUT Blueprint. The Plans require agreement from the Vice-Chancellor prior to obtaining approval from the Audit and Risk Management Committee.

The actual audit performance shall be regularly reviewed against the Annual Plan by the Audit and Risk Management Committee. Any necessary amendments to the Annual Plan shall be submitted to the Audit and Risk Management Committee for endorsement.

Scope and frequency of audit

The scope of Assurance and Risk Management Services encompasses the examination and evaluation of the adequacy, effectiveness and efficiency of governance, risk management and the systems of internal control and management performance, as well as all activities of the University and its controlled entities. It involves the review of all financial and non-financial operations, either manual or computerised, including management information systems. The frequency of audits shall be assessed based on the risk exposure.

Audit technique

Assurance and Risk Management Services shall use the most appropriate auditing methodology for each audit depending on the nature of the audit, the risk exposure and the predetermined parameters.

Audit Report

On conclusion of the audit, a copy of the report on the audit outcome shall be issued to the relevant organisational head and to the Vice-Chancellor and shall be circulated to Audit and Risk Management Committee members.

The report shall present the overall risk assigned, audit objectives, scope, the conclusion based on the outcome of the audit, and an agreed implementation timeframe for audit recommendations.

Assurance and Risk Management Services must establish and maintain a system to monitor the disposition of results communicated to management.

1.5.8 University-wide risk management

University-wide risk management is a structured, consistent and continuous process across the whole University which increases the likelihood of achieving corporate goals by ensuring that a realistic analysis of possible outcomes informs QUT's decision making, planning and management processes. Assurance and Risk Management Services is responsible for assisting management with embedding and coordinating risk management activities within the University. A Risk Management Plan will be developed in conjunction with the Annual Plan (A/1.5.7).

1.5.9 Quality assurance program

The Director, Assurance and Risk Management Services, must establish and maintain a quality assurance program to evaluate the operations of Assurance and Risk Management Services. The program will incorporate benchmarking and review of the function in accordance with the requirement of The Institute of Internal Auditors.

The purpose of this program is to provide assurance that audit work conforms with The Institute of Internal Auditors, International Professional Practices Framework (IPPF) and the Assurance and Risk Management Services Charter, and is both cost effective and efficient.

The Director, Assurance and Risk Management Services must communicate the results of the quality assurance and improvement program to senior management and the Audit and Risk Management Committee.

1.5.10 Reporting

In accordance with the Audit and Risk Management Committee meeting schedule, the Director, Assurance and Risk Management Services, shall submit to the Audit and Risk Management Committee a report summarising all assurance, audit and risk co-ordination activities undertaken during the reporting period. An annual report on the performance of Assurance and Risk Management Services against the agreed key performance indicators shall be submitted by the Director, Assurance and Risk Management Services.

1.5.11 Liaison with external auditors

Internal and external audit activities should be coordinated to ensure adequate audit coverage and to minimise duplication of effort.

Periodic meetings between Assurance and Risk Management Services and external auditors shall be held to discuss matters of mutual interest.

Access to audit programs, working papers and reports shall be made available for review by external auditors.

Related Documents

MOPP A/1.3 Compliance

MOPP A/2.5 Risk management

MOPP A/2.6 Internal control

MOPP A/3.3 Audit and Risk Management Committee

MOPP B/8.1 QUT Staff Code of Conduct

MOPP B/8.6 Corruption and fraud control

MOPP B/8.7 Conflict of interest

Assurance and Risk Management Services Manual

Auditing and Assurance Standards Board (AUASB), Auditing Standards

Financial Accountability Act 2009 (Qld)

Financial and Performance Management Standard 2009 (Qld)

QUT Corruption and Fraud Control Plan (QUT staff access only)

QUT Risk Management Framework

Risk Management Standard (AS/NZS ISO 31000:2009)

The Institute of Internal Auditors, International Professional Practices Framework (IPPF)

Modification History

Date | Sections | Source | Details
03.10.14 | All | Director, Assurance and Risk Management Services | Revised policy - minor editorial changes only
30.05.13 | All | Audit and Risk Management Committee | Revised policy
23.03.11 | All | Audit and Risk Management Committee | Periodic review - minor revisions only
31.07.09 | All | Governance Services | Editorial amendments consistent with financial legislation and QUT Assurance and Risk Management Services Charter
08.11.06 | All | Audit and Risk Management Committee | Revised Charter to incorporate risk management function; renamed to Assurance and Risk Management Charter (formerly QUT Internal Audit Charter)
18.05.05 | All | Secretariat | Editorial (relocated and renumbered to A/1.5 - formerly MOPP Appendix 60)
01.09.04 | All | Audit and Risk Management Committee | Revised Internal Audit Charter to reflect current reporting arrangements
02.07.03 | All | Audit Committee | Revised Internal Audit Charter
29.11.02 | All | Audit Committee | Revised Internal Audit Charter
06.07.98 | All | Audit Committee | Revised Internal Audit Charter
