Queensland University of Technology Brisbane Australia Skip bannerSkip to content A university for the real world - Manual of Policies and Procedures
QUT Home
Contact us
MOPP Home Protocol for MOPP Policy Recent Updates

A/2.6 Internal control policy
Chapters
A - Governance/Organisation
B - Human Resources
C - Teaching/Learning
D - Research/Development
E - Student Administration
F - Information Management
G - Financial Management
H - Physical Facilities
I - International/Community
MOPP Appendices
- - - - -
MOPP Protocol
MOPP Updates

[Print-friendly version]

Contact Officer

Director, Assurance and Risk Management Services

Approval Date

14/12/2005

Approval Authority

Council

Date of Next Review

01/01/2009

2.6.1 Policy
2.6.2 Definitions
2.6.3 Components of internal control
2.6.4 Role of Audit and Risk Management Committee
2.6.5 Internal Audit
2.6.6 External Audit
2.6.7 Limitations of internal control
Related Documents
Modification History

2.6.1 Policy

QUT is committed to establishing a cost-effective internal control structure with the objective of managing the operations of the University in a manner which provides the QUT Council reasonable assurance that:

  • the University's plans (QUT Blueprint, top level plans, faculty / division plans, functional plans) and the objectives and goals contained therein are achieved;
  • resources are acquired economically and employed efficiently, quality business processes and continuous improvement are emphasised;
  • the University's resources (including its people, systems, data / information bases and customer goodwill) are adequately protected;
  • the actions of all University officers (including Council members, senior management and staff) are in compliance with the University's policies, standards, plans and procedures, and all relevant laws and regulations; and
  • data and information published either internally or externally is accurate, reliable and timely.

The Vice-Chancellor is ultimately responsible for the establishment of a cost-effective internal control structure for the University in line with the requirements of the Financial Management Standard 1997. However, developing and maintaining cost-effective internal controls is a management responsibility and an integral component of the overall process of managing operations of the University. As such, it is the responsibility of all managers at all levels of the University to:

  • identify and evaluate the risk exposures which relate to their particular sphere of operations;
  • specify and establish policies, plans and operating procedures, systems and other disciplines to be used to minimise, mitigate and/or limit the risks associated with the exposures identified;
  • establish practical cost-effective control processes that require and encourage all University officers to carry out their duties and responsibilities in a manner that achieves the above objectives; and
  • maintain the effectiveness of the control processes that have been established and foster continuous improvement of these processes.

Top

2.6.2 Definitions

' Control' is any action taken by management to enhance the likelihood that established objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events that have occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organisation to achieve its objectives and goals.

Top

2.6.3 Components of internal control

There are five primary components of internal control:

  • Control environment
  • Risk assessment
  • Control activities
  • Information and communication
  • Monitoring

Control environment

The level of awareness of University officers and their attitude towards the significance of control within the University affects the way in which people conduct their activities, assess risk, carry out their control activities, and capture and communicate relevant information. Establishing an appropriate control environment involves setting standards for, and displaying human qualities such as integrity and ethical values as stated in the QUT Code of Conduct ( B/8.1 ) and other related policies.

Risk assessment

This represents the balance of the control environment with the risks and potential consequences associated with business operations. An optimum level of control commensurate with risk is the objective resulting in cost-effective internal control. This maximises efficiency while providing an adequate level of security and control over business operations. QUT's risk management policy ( A/2.5 ) and the detailed guidelines embodied in the Risk Management Framework provide guidance on the application of risk management processes.

Control activities

Control activities include the actions taken by QUT Council and management to protect assets and address business risks. These include appropriate approvals, checks on accuracy of data and adequate segregation of incompatible duties such that no one person has complete control over all aspects of a transaction. Within QUT these are embedded into University plans, policies, procedures, systems and business processes. Their effectiveness relies on the level of compliance by management and staff.

Information and communication

The effective and timely communication of management information to key officers of the University in a timely manner is essential for proper decision making. The dissemination of strategic goals, financial and non-financial data, policies and procedures, management initiatives and responses to external changes ensures effective performance. Therefore relevant internal and external information should be identified, captured, and communicated in a timely manner and in appropriate forms.

Monitoring

Monitoring the control processes maintains quality systems by providing data on performance. This will highlight any problem areas and allow early intervention and review to meet changing circumstances or needs. Business systems need to be viewed as dynamic, responding to changes and open to improvement and refinement. Within QUT a range of mechanisms are used to monitor control processes, performance and business risks, and examples include Audit and Risk Management Committee, Internal and External Audits.

Top

2.6.4 Role of Audit and Risk Management Committee

Audit and Risk Management Committee of Council is responsible for monitoring and overseeing the responsibilities of management, Internal Audit and External Audit, as these responsibilities relate to the University's processes for controlling its operations and managing business risks.

Top

2.6.5 Internal Audit

Assurance and Risk Management Services, in accordance with the University's Assurance and Risk Management Services Charter ( A/1.5 ), has responsibility for ascertaining that the control processes throughout the University are operating in an effective manner. Assurance and Risk Management Services is also responsible for reporting to University management and Audit and Risk Management Committee on the adequacy and effectiveness of the University's systems of internal control, together with recommendations to improve the control processes.

Top

2.6.6 External Audit

The responsibility of external audit is to provide assurances to Parliament as to the stewardship (integrity, propriety, economy, efficiency and operations) of the University. The Auditor-General, as Parliament's external auditor, discharges these responsibilities principally through the certification of the University's financial statements. The University's accounts are audited by the Auditor-General of Queensland in accordance with Section 73 of the Financial Administration and Audit Act 1977 . Section 85 of the Act empowers the authorised auditor to have, at all reasonable times, full and free access to all documents and property belonging to the University. Members of the University community are responsible for assisting with the satisfactory conduct of the audit as necessary and for complying with the legislative requirements.

Top

2.6.7 Limitations of internal control

It is acknowledged that because of its inherent limitations, internal control can be designed and operated to provide only reasonable assurance that the University objectives and goals will be achieved. The examples of inherent limitations include human judgement and errors, manual and automated controls that can be circumvented by collusion, and management may inappropriately override internal control.

Top

Related Documents

MOPP A/1.1 QUT Corporate Governance Framework

MOPP A/1.5 QUT Assurance and Risk Management Services Charter

MOPPA/2.5 Risk Management

MOPP A/3.2.7 Audit and Risk Management Committee

MOPP B/8.1 QUT Code of Conduct

MOPP B/8.6 Corruption and Fraud Control policy

QUT's Risk Management Framework

Financial Administration and Audit Act 1977

Financial Management Standard 1997

Internal Control - Integrated Framework (known as "COSO" model)

Top

Modification History

Date

Sections

Source

Details

14.12.05

All

Council

New policy (endorsed by Audit and Risk Management Committee 02.11.05); replaces former policies G/9.2, G/9.3 and G/9.4

Top
Chapter A | Chapter B | Chapter C | Chapter D | Chapter E | Chapter F | Chapter G | Chapter H | Chapter I | Appendices | Protocol for MOPP Policy | Recent Updates
QUT Home | MOPP Home
CRICOS No. 00213J
Privacy | Copyright | Accessibility
Last modified 25-May-2007
Contact us | Feedback | Disclaimer