A/1.5 QUT Assurance, Risk and Integrity Services charter
Policy Owner | Director, Assurance, Risk and Integrity Services |
Approval Date | 21/02/2020 |
Approval Authority | Risk and Audit Committee |
Date of Next Review | 28/02/2023 |
1.5.1 Purpose
The Assurance, Risk and Integrity Services charter provides a broad framework, professional standards and guidance for the conduct of assurance, audit and coordination of enterprise risk management activities.
1.5.2 Application
This charter applies to all activities undertaken by Assurance, Risk and Integrity Services.
1.5.3 Roles and responsibilities
Position | Responsibility |
---|---|
Risk and Audit Committee | |
Director, Assurance, Risk and Integrity Services | |
1.5.4 Assurance, Risk and Integrity Services objectives and approach
The primary objective of Assurance, Risk and Integrity Services is to add value to the University's operations and assist the University to achieve its corporate goals by providing independent and objective analysis, appraisals, recommendations, counsel and information on the University's systems of internal control, effectiveness of risk management and the quality of performance. This is achieved by examining and evaluating the adequacy, economy, effectiveness and efficiency of risk management, systems of internal control, and the quality of management in a systematic, disciplined and professional manner.
Assurance, Risk and Integrity Services does not set the risk appetite nor take decisions on risk responses and implement these responses on behalf of management. Management remain responsible and accountable for the identification, assessment and treatment of risk. In addition, Assurance, Risk and Integrity Services does not develop or implement procedures or systems, and is not engaged in operational or processing functions. This does not exclude Assurance, Risk and Integrity Services professionals from suggesting system development projects or being consulted on proposed and/or existing systems, policies and procedures. Assurance, Risk and Integrity Services may evaluate and assess significant projects or change initiatives and activities, including structural changes, or changes to processes, systems, services and controls.
A review or appraisal by Assurance, Risk and Integrity Services does not in any way relieve officers of the University of their individual responsibilities and accountabilities.
1.5.5 Authority
The Director, Assurance, Risk and Integrity Services, is authorised to direct a broad, comprehensive program of assurance, audit and co-ordination of risk management activities across the University. The Director, Assurance, Risk and Integrity Services, and staff are authorised to have full, free and unrestricted access to all functions, property, personnel, records, accounts, files and other documentation. Information accessed in the course of audits must be used strictly for audit purposes.
The Director, Assurance, Risk and Integrity Services is responsible for the management of assurance, risk and integrity services for the University.
1.5.6 Independence
Independence is essential to the effectiveness of the delivery of assurance, audit and co-ordination of risk management services. This independence is obtained primarily through organisational status and objectivity.
The Director, Assurance, Risk and Integrity Services is functionally responsible to the Risk and Audit Committee for ensuring not only the broadest range of assurance, audit and risk coverage but also adequate consideration of audit reports and appropriate action on audit recommendations.
Assurance, Risk and Integrity Services operates within the Chancellery directly reporting, for administrative purposes, to the Vice-Chancellor and President. The Director, Assurance, Risk and Integrity Services is responsible to the Vice-Chancellor and President for the performance of the assurance, audit and co-ordination of the risk management function and the performance of staff in Assurance, Risk and Integrity Services in accordance with the University's relevant human resources policies and procedures.
The Vice-Chancellor and President is responsible for ensuring resourcing support in respect of the assurance and co-ordination of the risk management function within the context and constraints of the University's planning and resourcing framework and principles. Resources may be provided by Assurance, Risk and Integrity Services staff who are employees of the University, or by external contractors and consultants.
The Director, Assurance, Risk and Integrity Services:
- has unrestricted access to the Risk and Audit Committee
- can meet separately and privately with the Risk and Audit Committee chair and/or members as required; and
- will establish regular meetings with the Vice-Chancellor and President.
Assurance, Risk and Integrity Services staff must be independent of the activities they audit and will report to the Director, Assurance, Risk and Integrity Services any situations in which a conflict of interest (whether actual, potential or perceived) may arise. Assurance, Risk and Integrity Services staff must not assume operating responsibilities and must be objective in performing their work.
1.5.7 Professional practices including standards
Assurance, Risk and Integrity Services complies with the following:
- The Institute of Internal Auditors, International Professional Practices Framework (IPPF)
- Standards on Information Systems Auditing Standards issued by the Information Systems Audit and Control Association
- Auditing and Assurance Standards Board (AUASB Auditing Standards) as appropriate to internal auditing, and
- Standard relevant to Risk Management being AS/NZS ISO 31000:2018.
Assurance, Risk and Integrity Services professionals are required to:
- comply with professional standards of conduct
- possess the knowledge, skills, and technical proficiency essential to the performance of assurance, audits and co-ordination of risk management activities
- be skilled in dealing with people and in communicating audit and risk issues effectively
- maintain their technical competence through a program of continuing education, and
- exercise due professional care in performing assurance, audits and the co-ordination of risk management activities.
1.5.8 Audit
Audit Plans
An Annual Assurance, Risk and Integrity Services Plan (Annual Plan) must be prepared by the Director, Assurance, Risk and Integrity Services for approval by the Risk and Audit Committee. The Annual Plan is based on an assessment of the University's business risks pertaining to the achievement of the University's priorities outlined in the QUT Blueprint. The Plans require agreement from the Vice-Chancellor and President prior to obtaining approval from the Risk and Audit Committee.
The actual audit performance shall be regularly reviewed against the Annual Plan by the Risk and Audit Committee. Any necessary amendments to the Annual Plan shall be submitted to the Risk and Audit Committee for endorsement.
Scope and frequency of audit
The scope of Assurance, Risk and Integrity Services encompasses the examination and evaluation of the adequacy, effectiveness and efficiency of governance, risk management and the systems of internal control and management performance, as well as all activities of the University and its controlled entities. It involves the review of all financial and non-financial operations, including information systems and business processes. The frequency of audits shall be assessed based on the risk exposure.
Audit technique
Assurance, Risk and Integrity Services uses the most appropriate auditing methodology for each audit depending on the nature of the audit, the risk exposure and the predetermined parameters.
Audit Report
On conclusion of the audit, a copy of the report on the audit outcome shall be issued to the relevant organisational head and to the Vice-Chancellor and President and shall be circulated to Risk and Audit Committee members.
The report shall present the overall risk assigned, audit objectives, scope, the conclusion based on the outcome of the audit, and an agreed implementation timeframe for audit recommendations.
Assurance, Risk and Integrity Services must establish and maintain a system to monitor the University response to recommendations communicated to management.
Coordination of Assurance Activities
Assurance, Risk and Integrity Services will consider the scope of work of other assurance providers, internal and external, as appropriate, for the purpose of providing optimal audit coverage to the University in an efficient and effective manner.
1.5.9 Enterprise risk management
Enterprise risk management is a structured, consistent and continuous process across the whole University which increases the likelihood of achieving corporate priorities by ensuring that a realistic analysis of possible outcomes informs QUT's decision making, planning and management processes. Assurance, Risk and Integrity Services is responsible for assisting management with embedding and coordinating risk management activities within the University. A Risk Management Plan will be developed in conjunction with the Annual Plan (A/1.5.8).
1.5.10 Quality assurance program
The Director, Assurance, Risk and Integrity Services, must establish and maintain a quality assurance program to evaluate the operations of Assurance, Risk and Integrity Services. The program will incorporate benchmarking and review of the function in accordance with the requirement of The Institute of Internal Auditors.
The purpose of this program is to provide assurance that audit work conforms with The Institute of Internal Auditors, International Professional Practices Framework (IPPF) and the Assurance, Risk and Integrity Services charter, and is both cost effective and efficient.
The Director, Assurance, Risk and Integrity Services must communicate the results of the quality assurance and improvement program to senior management and the Risk and Audit Committee.
Where a function is under the control of the Director, Assurance, Risk and Integrity Services (for example, second line of defence functions, such as risk management), the function is to be reviewed by an externally sourced team reporting directly to the Risk and Audit Committee.
1.5.11 Reporting and review
In accordance with the Risk and Audit Committee meeting schedule, the Director, Assurance, Risk and Integrity Services, shall submit to the Risk and Audit Committee a report summarising all assurance, audit and risk co-ordination activities undertaken during the reporting period. An annual report on the performance of Assurance, Risk and Integrity Services against the agreed key performance indicators shall be submitted by the Director, Assurance, Risk and Integrity Services, to the committee.
This charter is reviewed periodically to ensure it is relevant, aligned with organisational changes and good practices, and an appropriate level of cost-effective value-added services is achieved.
1.5.12 Liaison with external auditors
Internal and external audit activities should be coordinated to ensure adequate audit coverage and to minimise duplication of effort.
Periodic meetings between Assurance, Risk and Integrity Services and external auditors shall be held to discuss matters of mutual interest.
Audit programs, working papers and reports shall be made available for review by external auditors.
Related Documents
MOPP A/1.3 Compliance
MOPP A/2.5 Risk management
MOPP A/2.6 Internal control
MOPP A/3.3 Risk and Audit Committee charter
MOPP B/8.1 QUT Staff Code of Conduct
MOPP B/8.6 Corruption and fraud control
MOPP B/8.7 Conflict of interest
Assurance, Risk and Integrity Services Manual
Auditing and Assurance Standards Board (AUASB), Auditing Standards
Financial Accountability Act 2009 (Qld)
Financial and Performance Management Standard 2019 (Qld)
QUT Corruption and Fraud Control Plan (QUT staff access only)
QUT Risk Management Framework
Risk Management Standard (AS/NZS ISO 31000:2018)
The Institute of Internal Auditors, International Professional Practices Framework (IPPF)
Modification History
Date | Sections | Source | Details |
---|---|---|---|
03.06.20 | A/1.5.6 | Director, Assurance and Risk Management Services | Administrative changes to update reporting line to Chancellery - effective 01.07.20 |
21.02.20 | All | Risk and Audit Committee | Revised and modernised policy - effective 01.07.20 |
03.10.14 | All | Director, Assurance and Risk Management Services | Revised policy - minor editorial changes only |
30.05.13 | All | Audit and Risk Management Committee | Revised policy |
23.03.11 | All | Audit and Risk Management Committee | Periodic review - minor revisions only |
31.07.09 | All | Governance Services | Editorial amendments consistent with financial legislation and QUT Assurance and Risk Management Services Charter |
08.11.06 | All | Audit and Risk Management Committee | Revised Charter to incorporate risk management function; renamed to Assurance and Risk Management Charter (formerly QUT Internal Audit Charter) |
18.05.05 | All | Secretariat | Editorial (relocated and renumbered to A/1.5 - formerly MOPP Appendix 60) |
01.09.04 | All | Audit and Risk Management Committee | Revised Internal Audit Charter to reflect current reporting arrangements |
02.07.03 | All | Audit Committee | Revised Internal Audit Charter |
29.11.02 | All | Audit Committee | Revised Internal Audit Charter |
06.07.98 | All | Audit Committee | Revised Internal Audit Charter |