Manual of Policies and Procedures

A/2.6 Internal control

Contact Officer

Director, Assurance, Risk and Integrity Services

Approval Date


Approval Authority


Date of Next Review


2.6.1 Purpose
2.6.2 Application
2.6.3 Roles and responsibilities
2.6.4 External audit
2.6.5 Internal control components
2.6.6 Limitations of internal control
2.6.7 Definitions
Related Documents
Modification History

2.6.1 Purpose

This policy establishes a cost-effective internal control structure so that QUT Council can be reasonably assured that:

  • the University's plans (QUT Blueprint, Academic and enabling plans, faculty / division / institute plans, functional plans), and the priorities, strategies and targets contained therein, are achieved
  • the University's resources (including its people, systems, data / information bases and customer goodwill) are acquired economically, applied efficiently and adequately protected
  • quality business processes and continuous improvement are emphasised
  • the actions of all University officers (including members of QUT Council, senior management and staff) are in compliance with the University's policies, standards, plans and procedures, and all relevant laws and regulations; and
  • data and information published either internally or externally is accurate, reliable and timely.


2.6.2 Application

This policy applies to all QUT operations as an integral and embedded part of all University activities.


2.6.3 Roles and responsibilities

Position Responsibility
Vice-Chancellor and President
  • ensures that cost-effective internal control structures for the University are established in line with the requirements of the Financial and Performance Management Standard 2009 (Qld)
Management/heads of divisions, portfolios, faculties, schools, departments and sections
  • develop cost-effective internal controls as an integral component of the overall process of managing the operations of the University by:
    • identifying and evaluating the risk exposures which relate to their particular sphere of operations
    • specifying and establishing policies, plans, operating procedures, systems and other disciplines to minimise, mitigate and/or limit the risks associated with the exposures identified
    • establishing practical cost-effective control processes that require and encourage all University officers to carry out their duties and responsibilities in a manner that achieves the above objectives
  • maintain the effectiveness of the control processes that have been established and foster continuous improvement of the processes
Risk and Audit Committee (A/3.3)
  • monitors, reviews, evaluates and oversees the following responsibilities:
    • risk
    • internal audit function
    • external audit
    • financial reporting, and
    • internal control
Director, Assurance, Risk and Integrity Services
  • ascertains the control processes throughout the University to ensure they are operating in an effective manner
  • reports to University management and Risk and Audit Committee on the adequacy and effectiveness of the University's systems of internal control, together with recommendations to improve the control processes
All staff
  • comply with legislative requirements, internal control activities and assist with the satisfactory conduct of audits as necessary


2.6.4 External audit

The external audit process provides assurances to Parliament on the stewardship (integrity, propriety, economy, efficiency and operations) of the University. The Auditor-General, as Parliament's external auditor, discharges these responsibilities principally through certification of the University's financial statements. The University's accounts are audited by the Auditor-General of Queensland in accordance with Section 30 of the Auditor-General Act 2009 (Qld). Section 46 of the Auditor-General Act 2009 (Qld) empowers the authorised auditor to have, at all reasonable times, full and free access to all documents and property belonging to the University.


2.6.5 Internal control components

There are five primary components of internal control:

Control environment

QUT’s control environment is established by setting standards of integrity, ethical values and diligence through the QUT Staff Code of Conduct (B/8.1) and other related policies.

Risk assessment

QUT's Enterprise Risk Management Framework and Procedures including Risk Management policy (A/2.5) provide detailed guidance on the application of risk assessment and management processes to maximise efficiency while providing an adequate level of security and control over University operations.

Control activities

Within QUT, control activities are embedded into University plans, policies, procedures, systems and business processes, and training is provided to ensure effective compliance by management and staff.

Information and communication

To facilitate proper decision making, relevant internal and external information should be identified, captured, and communicated in a timely manner and in appropriate forms, both internally and externally. This includes appropriate dissemination of strategic goals, financial and non-financial data, policies and procedures, management initiatives and responses to internal and external changes.


Monitoring

QUT has a range of ongoing mechanisms to monitor control processes, performance and risks, which aim to highlight any problem areas and allow early intervention and review to meet changing circumstances. These include monitoring and reporting of management, monitoring by Risk and Audit Committee, and Assurance, Risk and Integrity Services, and external audits. QUT aims to have systems which are viewed as dynamic, responsive to changes and are open to improvement and refinement.


2.6.6 Limitations of internal control

QUT acknowledges the inherent limitations of internal control, as it is designed and operated to provide only reasonable assurance that the University’s objectives and goals will be achieved, and this is managed through the Corruption and fraud control policy (B/8.6).


2.6.7 Definitions

'Control' or control activity is any action taken by QUT Council, management, and other parties or officers to protect assets and manage risk, and thus to increase the likelihood that established objectives and goals will be achieved. This includes appropriate approvals, checks on accuracy and security of data, adequate segregation of incompatible duties such that no one person has complete control over all aspects of a transaction, and IT security related control activities. It also includes planning, organising and directing the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved. Controls may be preventive (to deter undesirable events from occurring), detective (to detect and correct undesirable events that have occurred), or directive (to cause or encourage a desirable event to occur). The concept of a system of control is the integrated collection of control components and activities that are used by an organisation to achieve its objectives and goals.


Related Documents

MOPP A/1.1 QUT Governance Framework

MOPP A/1.3 Compliance

MOPP A/1.5 QUT Assurance, Risk and Integrity Services Charter

MOPP A/2.5 Risk management

MOPP A/3.3 Risk and Audit Committee charter

MOPP B/8.1 QUT Staff Code of Conduct

MOPP B/8.6 Corruption and fraud control

Business continuity management framework (QUT staff access only)

Corruption and Fraud Control Plan (QUT staff access only)

Finance Manual (QUT staff access only)

COSO – Internal Control - Integrated Framework

QUT Blueprint

QUT’s Enterprise Risk Management (QUT staff access only)

Auditor-General Act 2009 (Qld)

Financial Accountability Act 2009 (Qld)

Financial and Performance Management Standard 2019 (Qld)


Modification History





11.03.20 All Director, Assurance and Risk Management Services Periodic review – minor revisions and modernised policy
09.06.15 All Director, Assurance and Risk Management Services Periodic review - minor revisions only
09.07.12 All Director, Assurance and Risk Management Services Revised policy (minor editorial changes only, endorsed by Chair, ARMC)



Director, Assurance and Risk Management Services

Revised policy (minor editorial changes only)




New policy (endorsed by Audit and Risk Management Committee 02.11.05); replaces former policies G/9.2, G/9.3 and G/9.4