Director, Assurance, Risk and Integrity Services
Date of Next Review
2.6.3 Roles and responsibilities
2.6.4 External audit
2.6.5 Internal control components
2.6.6 Limitations of internal control
This policy establishes a cost-effective internal control structure so that QUT Council can be reasonably assured that:
- the University's plans (QUT Blueprint, Academic and enabling plans, faculty / division / institute plans, functional plans), and the priorities, strategies and targets contained therein, are achieved
- the University's resources (including its people, systems, data / information bases and customer goodwill) are acquired economically, applied efficiently and adequately protected
- quality business processes and continuous improvement are emphasised
- the actions of all University officers (including members of QUT Council, senior management and staff) are in compliance with the University's policies, standards, plans and procedures, and all relevant laws and regulations; and
- data and information published either internally or externally is accurate, reliable and timely.
This policy applies to all QUT operations as an integral and embedded part of all University activities.
|Vice-Chancellor and President||
|Management/heads of divisions, faculties, schools, institutes, departments and sections||
|Risk and Audit Committee (A/3.3)||
|Director, Assurance, Risk and Integrity Services||
The external audit process provides assurances to Parliament on the stewardship (integrity, propriety, economy, efficiency and operations) of the University. The Auditor-General, as Parliament's external auditor, discharges these responsibilities principally through certification of the University's financial statements. The University's accounts are audited by the Auditor-General of Queensland in accordance with Section 30 of the Auditor-General Act 2009 (Qld). Section 46 of the Auditor-General Act 2009 (Qld) empowers the authorised auditor to have, at all reasonable times, full and free access to all documents and property belonging to the University.
There are five primary components of internal control:
QUT’s control environment is established by setting standards of integrity, ethical values and diligence through the QUT Staff Code of Conduct (B/8.1) and other related policies.
QUT's Enterprise Risk Management Framework and Procedures including Risk Management policy (A/2.5) provide detailed guidance on the application of risk assessment and management processes to maximise efficiency while providing an adequate level of security and control over University operations.
Within QUT, control activities are embedded into University plans, policies, procedures, systems and business processes, and training is provided to ensure effective compliance by management and staff.
Information and communication
To facilitate proper decision making, relevant internal and external information should be identified, captured, and communicated in a timely manner and in appropriate forms, both internally and externally. This includes appropriate dissemination of strategic goals, financial and non-financial data, policies and procedures, management initiatives and responses to internal and external changes.
QUT has a range of ongoing mechanisms to monitor control processes, performance and risks, which aim to highlight any problem areas and allow early intervention and review to meet changing circumstances. These include monitoring and reporting of management, monitoring by the Risk and Audit Committee and by Assurance, Risk and Integrity Services, and external audits. QUT aims to have systems which are viewed as dynamic, responsive to changes and open to improvement and refinement.
QUT acknowledges the inherent limitations of internal control, as it is designed and operated to provide only reasonable assurance that the University’s objectives and goals will be achieved, and this is managed through the Corruption and fraud control policy (B/8.6).
'Control' or control activity is any action taken by QUT Council, management, and other parties or officers to protect assets and manage risk, and thus to increase the likelihood that established objectives and goals will be achieved. This includes appropriate approvals, checks on accuracy and security of data, adequate segregation of incompatible duties such that no one person has complete control over all aspects of a transaction, and IT security-related control activities. It also includes planning, organising and directing the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events that have occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organisation to achieve its objectives and goals.
MOPP A/1.1 QUT Governance Framework
MOPP A/1.3 Compliance
MOPP A/1.5 QUT Assurance, Risk and Integrity Services Charter
MOPP A/2.5 Risk management
MOPP A/3.3 Risk and Audit Committee charter
MOPP B/8.1 QUT Staff Code of Conduct
MOPP B/8.6 Corruption and fraud control
Business continuity management framework (QUT staff access only)
Corruption and Fraud Control Plan (QUT staff access only)
Finance Manual (QUT staff access only)
COSO – Internal Control - Integrated Framework
QUT’s Enterprise Risk Management (QUT staff access only)
Auditor-General Act 2009 (Qld)
Financial Accountability Act 2009 (Qld)
Financial and Performance Management Standard 2009 (Qld)
|11.03.20||All||Director, Assurance and Risk Management Services||Periodic review – minor revisions and modernised policy|
|09.06.15||All||Director, Assurance and Risk Management Services||Periodic review - minor revisions only|
|09.07.12||All||Director, Assurance and Risk Management Services||Revised policy (minor editorial changes only, endorsed by Chair, ARMC)|
Director, Assurance and Risk Management Services
Revised policy (minor editorial changes only)
New policy (endorsed by Audit and Risk Management Committee 02.11.05); replaces former policies G/9.2, G/9.3 and G/9.4