Internal Control Policy

This is the current version of this document.

Section 1 - Purpose

(1) This Policy establishes a cost-effective internal control structure so that QUT Council can be reasonably assured that:

  1. the University's plans (Connections - the QUT Strategy 2023 to 2027, Academic and enabling plans, faculty/division/institute plans, functional plans), and the priorities, strategies and targets contained therein, are achieved;
  2. the University's resources (including its people, systems, data / information bases and customer goodwill) are acquired economically, applied efficiently and adequately protected;
  3. quality business processes and continuous improvement are emphasised;
  4. the actions of all University officers (including members of QUT Council, senior management and staff) are in compliance with the University's policies, standards, plans and procedures, and all relevant laws and regulations; and
  5. data and information published either internally or externally is accurate, reliable and timely.

Section 2 - Application

(2) This Policy applies to all QUT operations as an integral and embedded part of all University activities.

Section 3 - Roles and Responsibilities

Position: Vice-Chancellor and President
Responsibility: Ensures that cost-effective internal control structures for the University are established in line with the requirements of the Financial and Performance Management Standard 2009 (Qld).

Position: Management/Heads of Divisions, Portfolios, Faculties, Schools, Departments and Sections
Responsibility: Develop cost-effective internal controls as an integral component of the overall process of managing the operations of the University by:
  1. identifying and evaluating the risk exposures which relate to their particular sphere of operations;
  2. specifying and establishing policies, plans, operating procedures, systems and other disciplines to minimise, mitigate and/or limit the risks associated with the exposures identified; and
  3. establishing practical cost-effective control processes that require and encourage all University officers to carry out their duties and responsibilities in a manner that achieves the above objectives.
Maintain the effectiveness of the control processes that have been established and foster continuous improvement of the processes.

Position: Risk and Audit Committee
Responsibility: Monitors, reviews, evaluates and oversees the following responsibilities:
  1. risk;
  2. internal audit function;
  3. external audit;
  4. financial reporting; and
  5. internal control.

Position: Director, Assurance and Audit
Responsibility: Ascertains the control processes throughout the University to ensure they are operating in an effective manner.
Reports to University management and Risk and Audit Committee on the adequacy and effectiveness of the University's systems of internal control, together with recommendations to improve the control processes.

Position: All staff
Responsibility: Comply with legislative requirements, internal control activities and assist with the satisfactory conduct of audits as necessary.

Section 4 - External Audit

(3) The External Audit process provides assurances to Parliament on the stewardship (integrity, propriety, economy, efficiency and operations) of the University. The Auditor-General, as Parliament's external auditor, discharges these responsibilities principally through certification of the University's financial statements.

(4) The University's accounts are audited by the Auditor-General of Queensland in accordance with Section 30 of the Auditor-General Act 2009 (Qld). Section 46 of the Auditor-General Act 2009 (Qld) empowers the authorised auditor to have, at all reasonable times, full and free access to all documents and property belonging to the University.

Section 5 - Internal Control Components

(5) There are five primary components of internal control:

Control Environment

(6) QUT’s control environment is established by setting standards of integrity, ethical values and diligence through the Code of Conduct - Staff and other related policies.

Risk Assessment

(7) QUT's Enterprise Risk Management Framework and Procedures including Risk Management Policy provide detailed guidance on the application of risk assessment and management processes to maximise efficiency while providing an adequate level of security and control over University operations.

Control Activities

(8) Within QUT, control activities are embedded into University plans, policies, procedures, systems and business processes, and training is provided to ensure effective compliance by management and staff.

Information and Communication

(9) To facilitate proper decision making, relevant internal and external information should be identified, captured, and communicated in a timely manner and in appropriate forms, both internally and externally. This includes appropriate dissemination of strategic goals, financial and non-financial data, policies and procedures, management initiatives and responses to internal and external changes.

Monitoring

(10) QUT has a range of ongoing mechanisms to monitor control processes, performance and risks, which aim to highlight any problem areas and allow early intervention and review to meet changing circumstances. These include monitoring and reporting by management, monitoring by Risk and Audit Committee, and Assurance and Audit, and external audits. QUT aims to have systems which are viewed as dynamic, responsive to changes and are open to improvement and refinement.

Section 6 - Limitations of Internal Control

(11) QUT acknowledges the inherent limitations of internal control as it is designed and operated to provide only reasonable assurance that the University’s objectives and goals will be achieved and this is managed through the Corruption and Fraud Control Policy.

Section 7 - Definitions

Term: 'Control' or Control Activity
Definition: Is any action taken by QUT Council, management, and other parties or officers to protect assets and manage risk, and thus to increase the likelihood that established objectives and goals will be achieved. This includes appropriate approvals, checks on accuracy and security of data, adequate segregation of incompatible duties such that no one person has complete control over all aspects of a transaction and IT security related control activities. It also includes planning, organising and directing the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events that have occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organisation to achieve its objectives and goals.