Manual of Policies and Procedures

A/1.5 QUT Assurance, Risk and Integrity Services charter

Contact Officer: Director, Assurance, Risk and Integrity Services

Approval Date: 21/02/2020

Approval Authority: Risk and Audit Committee

Date of Next Review: 28/02/2023

1.5.1 Purpose
1.5.2 Application
1.5.3 Roles and responsibilities
1.5.4 Assurance, Risk and Integrity Services objectives and approach
1.5.5 Authority
1.5.6 Independence
1.5.7 Professional practices including standards
1.5.8 Audit
1.5.9 Enterprise risk management
1.5.10 Quality assurance program
1.5.11 Reporting and review
1.5.12 Liaison with external auditors
Related Documents
Modification History

1.5.1 Purpose

The Assurance, Risk and Integrity Services charter provides a broad framework, professional standards and guidance for the conduct of assurance, audit and coordination of enterprise risk management activities.

1.5.2 Application

This charter applies to all activities undertaken by Assurance, Risk and Integrity Services.

1.5.3 Roles and responsibilities

Position
Responsibility

Risk and Audit Committee

  • approves the Assurance, Risk and Integrity Services charter (A/3.3)
  • advises Council and the Vice-Chancellor and President on the performance of functions under the Financial Accountability Act 2009 (Qld), Financial and Performance Management Standard 2019 (Qld) and the QUT Assurance, Risk and Integrity Services charter

Director, Assurance, Risk and Integrity Services

  • provides objective assurance to the Risk and Audit Committee on the adequacy and effectiveness of the University's risk management and internal control activities
  • provides assurance services (including training, facilitation and advisory) beyond audit services to assist management with achieving University priorities
  • assists in investigation of suspected corruption and fraudulent activities within the University, reporting to the Vice-President (Administration) and University Registrar, management and Risk and Audit Committee accordingly
  • informs Risk and Audit Committee of emerging trends and good practices in assurance, audit and risk
  • reports on the performance of Assurance, Risk and Integrity Services against key performance indicators agreed with the Risk and Audit Committee

1.5.4 Assurance, Risk and Integrity Services objectives and approach

The primary objective of Assurance, Risk and Integrity Services is to add value to the University's operations and assist the University to achieve its corporate goals by providing independent and objective analysis, appraisals, recommendations, counsel and information on the University's systems of internal control, effectiveness of risk management and the quality of performance. This is achieved by examining and evaluating the adequacy, economy, effectiveness and efficiency of risk management, systems of internal control, and the quality of management in a systematic, disciplined and professional manner.

Assurance, Risk and Integrity Services does not set the risk appetite, take decisions on risk responses, or implement these responses on behalf of management. Management remains responsible and accountable for the identification, assessment and treatment of risk. In addition, Assurance, Risk and Integrity Services does not develop or implement procedures or systems, and is not engaged in operational or processing functions. This does not exclude Assurance, Risk and Integrity Services professionals from suggesting system development projects or being consulted on proposed and/or existing systems, policies and procedures. Assurance, Risk and Integrity Services may evaluate and assess significant projects or change initiatives and activities, including structural changes, or changes to processes, systems, services and controls.

A review or appraisal by Assurance, Risk and Integrity Services does not in any way relieve officers of the University of their individual responsibilities and accountabilities.

1.5.5 Authority

The Director, Assurance, Risk and Integrity Services, is authorised to direct a broad, comprehensive program of assurance, audit and co-ordination of risk management activities across the University. The Director, Assurance, Risk and Integrity Services, and staff are authorised to have full, free and unrestricted access to all functions, property, personnel, records, accounts, files and other documentation. Information accessed in the course of audits must be used strictly for audit purposes.

The Director, Assurance, Risk and Integrity Services is responsible for the management of assurance, risk and integrity services for the University.

1.5.6 Independence

Independence is essential to the effectiveness of the delivery of assurance, audit and co-ordination of risk management services. This independence is obtained primarily through organisational status and objectivity.

The Director, Assurance, Risk and Integrity Services is functionally responsible to the Risk and Audit Committee for ensuring not only the broadest range of assurance, audit and risk coverage but also adequate consideration of audit reports and appropriate action on audit recommendations.

Assurance, Risk and Integrity Services operates within the Chancellery directly reporting, for administrative purposes, to the Vice-Chancellor and President. The Director, Assurance, Risk and Integrity Services is responsible to the Vice-Chancellor and President for the performance of the assurance, audit and co-ordination of the risk management function and the performance of staff in Assurance, Risk and Integrity Services in accordance with the University's relevant human resources policies and procedures.

The Vice-Chancellor and President is responsible for ensuring resourcing support in respect of the assurance and co-ordination of the risk management function within the context and constraints of the University's planning and resourcing framework and principles. Resources may be provided by Assurance, Risk and Integrity Services staff who are employees of the University, or by external contractors and consultants.

The Director, Assurance, Risk and Integrity Services:

  • has unrestricted access to the Risk and Audit Committee
  • can meet separately and privately with the Risk and Audit Committee chair and/or members as required; and
  • will establish regular meetings with the Vice-Chancellor and President.

Assurance, Risk and Integrity Services staff must be independent of the activities they audit and will report to the Director, Assurance, Risk and Integrity Services any situations in which a conflict of interest (whether actual, potential or perceived) may arise. Assurance, Risk and Integrity Services staff must not assume operating responsibilities and must be objective in performing their work.

1.5.7 Professional practices including standards

Assurance, Risk and Integrity Services complies with the following:

  • The Institute of Internal Auditors, International Professional Practices Framework (IPPF)
  • Standards on Information Systems Auditing Standards issued by the Information Systems Audit and Control Association
  • Auditing and Assurance Standards Board (AUASB Auditing Standards) as appropriate to internal auditing, and
  • Standard relevant to Risk Management being AS/NZS ISO 31000:2018.

Assurance, Risk and Integrity Services professionals are required to:

  • comply with professional standards of conduct
  • possess the knowledge, skills, and technical proficiency essential to the performance of assurance, audits and co-ordination of risk management activities
  • be skilled in dealing with people and in communicating audit and risk issues effectively
  • maintain their technical competence through a program of continuing education, and
  • exercise due professional care in performing assurance, audits and the co-ordination of risk management activities.

1.5.8 Audit

Audit Plans
An Annual Assurance, Risk and Integrity Services Plan (Annual Plan) must be prepared by the Director, Assurance, Risk and Integrity Services for approval by the Risk and Audit Committee. The Annual Plan is based on an assessment of the University's business risks pertaining to the achievement of the University's priorities outlined in the QUT Blueprint. The Plans require agreement from the Vice-Chancellor and President prior to obtaining approval from the Risk and Audit Committee.

The actual audit performance shall be regularly reviewed against the Annual Plan by the Risk and Audit Committee. Any necessary amendments to the Annual Plan shall be submitted to the Risk and Audit Committee for endorsement.

Scope and frequency of audit
The scope of Assurance, Risk and Integrity Services encompasses the examination and evaluation of the adequacy, effectiveness and efficiency of governance, risk management and the systems of internal control and management performance, as well as all activities of the University and its controlled entities. It involves the review of all financial and non-financial operations, including information systems and business processes. The frequency of audits shall be assessed based on the risk exposure.

Audit technique
Assurance, Risk and Integrity Services uses the most appropriate auditing methodology for each audit depending on the nature of the audit, the risk exposure and the predetermined parameters.

Audit Report
On conclusion of the audit, a copy of the report on the audit outcome shall be issued to the relevant organisational head and to the Vice-Chancellor and President and shall be circulated to Risk and Audit Committee members.

The report shall present the overall risk assigned, audit objectives, scope, the conclusion based on the outcome of the audit, and an agreed implementation timeframe for audit recommendations.

Assurance, Risk and Integrity Services must establish and maintain a system to monitor the University response to recommendations communicated to management.

Coordination of Assurance Activities
Assurance, Risk and Integrity Services will consider the scope of work of other assurance providers, internal and external, as appropriate, for the purpose of providing optimal audit coverage to the University in an efficient and effective manner.

1.5.9 Enterprise risk management

Enterprise risk management is a structured, consistent and continuous process across the whole University which increases the likelihood of achieving corporate priorities by ensuring that a realistic analysis of possible outcomes informs QUT's decision making, planning and management processes. Assurance, Risk and Integrity Services is responsible for assisting management with embedding and coordinating risk management activities within the University. A Risk Management Plan will be developed in conjunction with the Annual Plan (A/1.5.8).

1.5.10 Quality assurance program

The Director, Assurance, Risk and Integrity Services, must establish and maintain a quality assurance program to evaluate the operations of Assurance, Risk and Integrity Services. The program will incorporate benchmarking and review of the function in accordance with the requirement of The Institute of Internal Auditors.

The purpose of this program is to provide assurance that audit work conforms with The Institute of Internal Auditors, International Professional Practices Framework (IPPF) and the Assurance, Risk and Integrity Services charter, and is both cost effective and efficient.

The Director, Assurance, Risk and Integrity Services must communicate the results of the quality assurance and improvement program to senior management and the Risk and Audit Committee.

Where a function is under the control of the Director, Assurance, Risk and Integrity Services (for example, second line of defence functions, such as risk management), the function is to be reviewed by an externally sourced team reporting directly to the Risk and Audit Committee.

1.5.11 Reporting and review

In accordance with the Risk and Audit Committee meeting schedule, the Director, Assurance, Risk and Integrity Services, shall submit to the Risk and Audit Committee a report summarising all assurance, audit and risk co-ordination activities undertaken during the reporting period. An annual report on the performance of Assurance, Risk and Integrity Services against the agreed key performance indicators shall be submitted by the Director, Assurance, Risk and Integrity Services, to the committee.

This charter is reviewed periodically to ensure it is relevant, aligned with organisational changes and good practices, and an appropriate level of cost-effective value-added services is achieved.

1.5.12 Liaison with external auditors

Internal and external audit activities should be coordinated to ensure adequate audit coverage and to minimise duplication of effort.

Periodic meetings between Assurance, Risk and Integrity Services and external auditors shall be held to discuss matters of mutual interest.

Audit programs, working papers and reports shall be made available for review by external auditors.

Related Documents

MOPP A/1.3 Compliance

MOPP A/2.5 Risk management

MOPP A/2.6 Internal control

MOPP A/3.3 Risk and Audit Committee charter

MOPP B/8.1 QUT Staff Code of Conduct

MOPP B/8.6 Corruption and fraud control

MOPP B/8.7 Conflict of interest

Assurance, Risk and Integrity Services Manual

Auditing and Assurance Standards Board (AUASB), Auditing Standards

Financial Accountability Act 2009 (Qld)

Financial and Performance Management Standard 2019 (Qld)

QUT Corruption and Fraud Control Plan (QUT staff access only)

QUT Risk Management Framework

Risk Management Standard (AS/NZS ISO 31000:2018)

The Institute of Internal Auditors, International Professional Practices Framework (IPPF)

Modification History

Date | Sections | Source | Details
03.06.20 | A/1.5.6 | Director, Assurance and Risk Management Services | Administrative changes to update reporting line to Chancellery - effective 01.07.20
21.02.20 | All | Risk and Audit Committee | Revised and modernised policy - effective 01.07.20
03.10.14 | All | Director, Assurance and Risk Management Services | Revised policy - minor editorial changes only
30.05.13 | All | Audit and Risk Management Committee | Revised policy
23.03.11 | All | Audit and Risk Management Committee | Periodic review - minor revisions only
31.07.09 | All | Governance Services | Editorial amendments consistent with financial legislation and QUT Assurance and Risk Management Services Charter
08.11.06 | All | Audit and Risk Management Committee | Revised Charter to incorporate risk management function; renamed to Assurance and Risk Management Charter (formerly QUT Internal Audit Charter)
18.05.05 | All | Secretariat | Editorial (relocated and renumbered to A/1.5 - formerly MOPP Appendix 60)
01.09.04 | All | Audit and Risk Management Committee | Revised Internal Audit Charter to reflect current reporting arrangements
02.07.03 | All | Audit Committee | Revised Internal Audit Charter
29.11.02 | All | Audit Committee | Revised Internal Audit Charter
06.07.98 | All | Audit Committee | Revised Internal Audit Charter
