James Cook University. Internal Audit Protocol

Transcription

1 James Cook University Internal Audit Protocol Table of Contents A. Introduction 2 B. Management Consultation during the Annual Internal Audit Planning Process 2 C. Support Provided to QAO/External Auditor for their annual audit of JCU financial statements 4 D. Engagement Level Audit Process Separately Programmed Audit 5 1. Planning - Notification and Planning Consultation Planning - Audit Engagement Letter Planning - Commencement Meeting Fieldwork - Audit Information Requests Fieldwork Preliminary Findings and Recommendations Reporting -1st Draft Report for Formal Management Comment by DVC and Exit Meetings Reporting - 2nd Draft Report for DVC Acceptance Reporting - 3rd Draft Report for the Vice Chancellor s Comment Reporting Final Report to the Audit, Risk and Compliance Committee of the University Council... 8 E. Grant Audit 8 F. Audit Recommendation Follow Up 8 G. Advisory/Consultancy Service 9 H. Stakeholder Feedback and Issue Resolution 9 I. Version Control 10 Page 1 of 10

2 A. Introduction This inaugural Internal Audit Protocol outlines the respective roles and responsibilities of Internal Audit and Management in the course of common internal audit activities. It is intended to serve as a general reference for both Internal Audit and Management with a view to improving stakeholder communication and enhancing the efficiency and effectiveness of the Internal Audit processes. This Protocol will be reviewed on an annual basis by the Manager, Internal Audit in consultation with stakeholders to ensure that it continues to meet the requirements of the University and adds value to the governance, risk management, and control processes of the University. This Internal Audit Protocol: is a part of the action plan undertaken in response to the PricewaterhouseCoopers External Assessment Report of the former Audit and Assurance Office; forms a key part of the Internal Audit Manual, which is a requirement under Performance Standard 2040, International Standards for the Professional Practice of Internal Auditing (Standards); reflects the Better Practice Internal Audit Protocol promulgated by the Australian National Audit Office (ANAO); and aligns with the purpose, responsibilities and authority of the Internal Audit function as set out in the Internal Audit Charter approved by the Audit, Risk and Compliance Committee of the University Council. Key terminology: Internal Audit means the independent internal audit function within Legal and Assurance, Office of the Chief of Staff, which has a direct functional reporting line to the Vice Chancellor and the Audit, Risk and Compliance Committee of the University Council. Internal Auditor means the in-house and contracted internal auditors of the co-sourcing service suppliers engaged by Internal Audit through a co-sourcing supplier panel arrangement. Management is the general term used within the Standards and means the operational and senior management of a process/activity under audit. Within the University context, management means any University management outside of the independent Internal Audit function. Audit refers to an assurance engagement conducted by Internal Audit which can include audit, review or agreed upon procedures depending on the assurance level required. B. Management Consultation during the Annual Internal Audit Planning Process The Manager, Internal Audit, as the nominated person for the University as Head of the Internal Audit under section 78, Queensland Financial Accountability Act 2009, and the Chief Audit Executive under the Standards, is responsible for the preparation of an Internal Audit Strategic Plan and an Internal Audit Annual Work Plan, in consultation with the University Executive members, other internal assurance providers, and the Queensland Audit Office (QAO) or the contracted external auditor. The Vice Chancellor provides preliminary approval, prior to formal approval being obtained from the Audit, Risk and Compliance Committee, which generally occurs in its meeting in November. The Internal Audit Strategic Plan provides the context for internal audit activity. It articulates the links to: The University s business objectives; The University s key business risks; Assurance provided by other key internal assurance providers; Relationship with the external auditor QAO or the contracted external auditor; Internal Audit Charter; Internal Audit Planning Process; Internal Audit Strategies; Internal Audit Operational Risks; and Performance measures of Internal Audit. Page 2 of 10

3 The Internal Audit Annual Work Plan is based on the assessment of the risks facing the University and the business improvement opportunities available. To ensure that sufficient input is obtained from internal stakeholders, a formal management consultation process is conducted which includes the following steps: 1. Early September: Internal Audit performs an analysis of: o the University risks in particular those of High risk rating as registered in the University Level Risk Assessment ; o its own risk assessment of the auditable areas in consideration of: results of recent internal and external audit activities; previous audit coverage of auditable areas; the latest University Performance Report; the latest University Annual Report; material changes to the external compliance frameworks; request(s) from the Audit, Risk and Compliance Committee and the University Council; and request(s) from the Vice Chancellor. 2. Mid-September: Internal Audit offers and conducts confidential consultation meetings with the following key stakeholders in governance and management: The Chair of the Audit, Risk and Compliance Committee; The Vice Chancellor and President; University Executives; Queensland Audit Office; Other internal assurance providers: o Chief of Staff; o University General Counsel and Head, Legal and Assurance; o Director, Quality, Planning and Analytics; and o Divisional Executive Officer, Division of Services & Resources. Internal Audit encourages other staff members to provide their input either through the Head of their respective Divisions or functions or directly via to the Manager, Internal Audit. To ensure that all input is well considered in selecting potential areas for audit, it is Management s responsibility to ensure that appropriate staff members are available for consultation meetings. The consultation meetings generally take hours and will provide opportunities for Management to: o o provide feedback on the Internal Audit Protocol; provide input into selecting areas for audit within the next year, with particular consideration and information provided on the following aspects: organisational areas/processes/activities that should be audited; assessment of the risk level; risk categories cause(s) of the risk, if known; impact on business operations and objectives; preferred timing for audit; audit objectives (intended audit accomplishment); and audit scope (year, study period etc.). 3. Early October: Internal Audit submits to the Vice Chancellor a list of prioritised auditable areas to discuss the following aspects of each potential audit: o the type of engagement (financial, compliance, performance improvement (operational), information system, advisory, agreed upon procedures); o broad objective(s), to the extent possible; o the level of assurance desired (reasonable assurance requires an audit whilst limited assurance requires a review); and o estimated timing. 4. Mid-October: Internal Audit submits a draft Internal Audit Strategic Plan and a draft Internal Audit Annual Work Plan to the Vice Chancellor for preliminary approval. 5. Late October: Internal Audit submits a draft Internal Audit Strategic Plan and a draft Internal Audit Annual Work Plan for formal approval by the Audit, Risk and Compliance Committee in its meeting in November. Page 3 of 10

4 6. December: The approved Internal Audit Strategic Plan and the approved Internal Audit Annual Work Plan will be circulated. It is the responsibility of each DVC to keep relevant staff informed of the upcoming audit(s). 7. June: Manager, Internal Audit reviews the Internal Audit Annual Work Plan based on the aspects outlined below; with the preliminary approval of any significant changes to the Internal Audit Annual Work Plan being obtained from the Vice Chancellor and formal approval being obtained from the Audit, Risk and Compliance Committee in its next meeting: o the outcome of the discussion with QAO/the contracted external auditor regarding the areas of audit work undertaken by Internal Audit upon which QAO (external auditor) intends to place reliance; o any significant changes to the University s risk profile in particular the emerging compliance risks; and o the Internal Audit resources available. C. Support Provided to QAO/External Auditor for their annual audit of JCU financial statements The Manager, Internal Audit is responsible for communicating with QAO or the contracted external auditor, regarding the approved Internal Audit budgeted time allocation to conduct work on behalf of the external auditor. Once agreement has been reached between Internal Audit and the external auditor regarding the area of audit work to be undertaken by Internal Audit upon which the external auditor intends to place reliance, the Manager, Internal Audit informs the DVC, Services & Resources (DVCSR) of the outcome in order to inform the external audit fee negotiation. The Director, Financial and Business Services who is responsible for the overall coordination of the external audit visits and audit information requests, should ensure that the Manager, Internal Audit is informed of any potential external audit visits that may require interview time with the Internal Audit staff, such as the interim visits by the external Information System Auditors. The Manager, Internal Audit will communicate directly with the external auditor about the work that Internal Audit conducts on behalf of the external auditor. Any resource restraints impacting on the capacity of Internal Audit to complete the scheduled work for the external auditor will be discussed with the University General Counsel and/or the Chief of Staff initially, communicated with the DVCSR, and reported to the Vice Chancellor and the Audit, Risk and Compliance Committee. The Manager, Internal Audit is responsible for updating the external auditor on the progress achieved towards implementing any outstanding audit recommendations made by the external auditors in prior years. To avoid delay and miscommunication, the following process should be followed: The Chief of Staff ensures that any engagement communication issued to the Vice Chancellor by the external auditor is forwarded in a timely manner to the Manager, Internal Audit, including: o audit plan; o interim management report; and o final management report. The Manager, Internal Audit ensures that any finalised recommendations made by the external auditor are imported into the TeamCentral system and system generated notification s are sent to action owners to inform them of future follow-up and reporting requirements. Where there is a lack of information or clarity within the interim and final management reports issued by the external auditor, Internal Audit will exercise professional judgement to determine the initial information required to enable the importation of the data into the TeamCentral system. Once the individual audit recommendations are imported, clarifying s are triggered to the individual action owners to ensure that specific elements relating to an individual action is accurate and appropriate. As Internal Audit is not involved in the finalisation of the management reports issued by the external auditor, it is Management s responsibility to notify Internal Audit of any revision/clarification required regarding: o action owner (orphaned actions will be referred to DVCSR initially to clarify ownership); Page 4 of 10

5 o o estimated implementation time (the next audit recommendation follow up reporting date will be set as the default date if an estimated implementation time is not specified); and disagreement with audit recommendation and/or acceptance of risks of not implementing a recommendation (an action owner is to specify Management s position when providing the next status update which must be approved by the respective DVC/delegate). If the Manager, Internal Audit is expected to play a role in supporting the annual external audit of JCU financial statements, this will need to be communicated and agreed in a timely manner between the Chief of Staff and DVCSR, and within the remit of the Internal Audit activities as per the Internal Audit Charter. D. Engagement Level Audit Process Separately Programmed Audit Internal Audit designs appropriate audit procedures for each individual audit based on its risk assessment. As a result, the audit process may vary slightly for different audits in order to maximise audit efficiency and minimise audit impact on business operations. However, the following distinctive stages of the audit process should generally be followed for each audit unless the circumstances warrant departure. 1. Planning - Notification and Planning Consultation As soon as practical, Internal Audit sends a Notification to the DVC of a Division that an approved audit will be scheduled by Internal Audit soon and that Internal Audit will in the near future: contact relevant staff members to obtain high level and current risk and control information relating to the processes and activities which may be relevant to the activities expected to be tested within an audit; and contact relevant DVCs to offer a formal planning meeting to obtain management input into the proposed objective, scope and timing etc. of the audit and to afford Management the opportunity to raise any queries or highlight any concerns. Please note that under some circumstances, input from the Vice Chancellor, the Chair of the Audit, Risk and Compliance Committee and/or the Chancellor may also be obtained with respect to audits with a High risk rating. 2. Planning - Audit Engagement Letter Following the preliminary risk assessment and planning consultation with Management, an audit engagement letter will be issued by the Manager, Internal Audit to the relevant University Executive members and copied to other Management members. An audit engagement letter will confirm the following aspects: standards adopted; objectives; scope; audit assessment criteria; and planned timing for fieldwork and reporting. It is Management s responsibility to notify Internal Audit if there are any queries regarding the scope of the audit which need to be clarified. Internal Audit is obligated under the Standards to ensure that the scope is sufficient to achieve the audit objective(s): scope limitations, including restrictions on access to records, personnel, and properties, and resource limitations, such as funding, will be reported to the Chief of Staff or Vice Chancellor for resolution; other significant changes in scope which results from ongoing risk assessment will be discussed with the auditees (DVCs) and the Vice Chancellor if appropriate, and formally clarified in writing with all stakeholders. If no clear assessment criteria are available, Internal Audit will use the Committee of Sponsoring Organizations (COSO) model as the assessment criteria in forming an audit opinion. The COSO model is recognised as a better practice model for providing guidance on critical aspects of organisational governance, business ethics, internal control, enterprise risk management, fraud and Page 5 of 10

6 financial reporting. This typically happens when an audit is conducted in an area where there is no well-established strategies and control framework. The planned timing for each audit milestone is tabulated in an audit engagement letter. The progress and actual timing of each milestone may vary depending on: the availability of key staff; the time taken by key staff to satisfy audit information requests; and other conflicting work priorities of Internal Audit and business areas. 3. Planning - Commencement Meeting Commencement meeting(s) will be offered in the audit engagement letter with the Management of the area under audit. The purpose of the commencement meeting is to: enable the audit team to meet key staff of the area under audit; clarify the objectives, scope and timing of the audit; provide an opportunity for staff of the area being audited to present their views and perspectives on the subject matters under audit; discuss the audit timing, duration, staff involvement required; and arrange access to buildings, personnel, files, systems and data. Commencement meetings are typically conducted with the operational Management which may not be necessary where Management is familiar with the Internal Audit process. Effective planning is crucial to maximise audit efficiency and effectiveness, and Internal Audit is committed to minimise the audit impact on normal business operations. It is Management s responsibility to ensure that relevant staff members are available to provide information and answer audit queries within a reasonable period, and to encourage staff members to ask Internal Audit about the internal audit process to help diminish unnecessary stress or concerns. 4. Fieldwork - Audit Information Requests Audit by its nature is based on continuous risk assessment, which means that it is common for planned audit procedures to change depending on the continuous risk assessment and the nature of the preliminary findings. As a result, Internal Audit may request more or less information as the fieldwork progresses. It is inherently difficult for Internal Audit to precisely predict the information that Internal Audit will require at the commencement of the audit fieldwork, with the exception of financial audits. Generally, two to three rounds of information requests are common to fulfil Internal Audit s professional responsibilities in ensuring that the audit objectives are achieved and that the audit opinion is based on sufficient and reliable evidence: 1 st round usually overall information on processes, systems and controls; 2nd round supporting information for selected samples for testing of details and analytical review; 3rd further information request resulting from the preliminary findings and audit supervisory review points which may include an expansion of samples and clarification of the information provided previously. It is Management s responsibility to ensure that the audit information required is made available to the Internal Auditors within a reasonable period of time. Internal Auditors will escalate unreasonable blockage and defensive behaviours to the Manager, Internal Audit, and Directors /Deans in the first instance. Any unresolved issues will be escalated to the Chief of Staff and the respective DVC(s). If information is still unavailable to enable Internal Audit to meet the reporting deadline required by the Vice Chancellor, scope limitations which may lead to Internal Audit not being able to draw an audit conclusion will be reported. 5. Fieldwork Preliminary Findings and Recommendations Internal Audit is committed to a no surprises approach and ongoing discussions will be held with process owners/operational Management (Team Leaders, Managers, Directors, etc.) as findings emerge and conclusions are developed. The Internal Auditor who conducts the audit fieldwork is Page 6 of 10

7 responsible for clarifying and confirming the preliminary audit findings with the operational Management to ensure that these are factually correct and that operational Management has an opportunity to provide input into developing practical audit recommendations. This typically takes place towards the end of the fieldwork. If deemed necessary, Internal Audit is obligated to communicate significant matters of concern with High risk ratings to the respective DVC(s) and the Vice Chancellor prior to the completion of the audit fieldwork. 6. Reporting -1st Draft Report for Formal Management Comment by DVC and Exit Meetings The Manager, Internal Audit, after the review of audit work papers, issues the first draft report to the respective DVC(s) for formal Management comment. The draft report will be copied to the relevant operational Management and exit meeting(s) will be offered to: afford Management the opportunity to correct any factual errors, misunderstandings or misinterpretations that may exist in draft findings; discuss the practicality of recommendations and ownership and timeframe for remedial Management action; discuss Management feedback on audit conclusions in the executive summary section; and provide feedback on the audit approach. Under some circumstances where the draft findings reported are relevant to more than one Division, and it is appropriate to restrict access to certain issues, Internal Audit may issue extracts of the draft report to some individuals. An exit meeting may not be necessary in cases where the draft audit findings and recommendations are largely agreeable to the DVCs. Under these circumstances, an acceptance from the DVC may be sufficient. For complex operational audits, multiple exit meetings with Management at various levels may be necessary. The Manager, Internal Audit will determine an appropriate exit process in consultation with the relevant DVC(s). DVCs are usually required to provide Management comments within ten (10) working days. When providing Management comments, DVCs are required to clearly advise Internal Audit on the following: any factual errors or misinterpretations that may exist within the draft findings and conclusions; where Management agrees with a recommendation, Management should: o prepare an action plan in response to the draft recommendation; o o provide an estimation time for implementation; and nominate an implementation owner (generally Manager, Director, Dean levels or above); where Management disagrees with a draft recommendation, clearly state so, and provide the reason(s) for the disagreement, for discussion with Internal Audit about alternative actions; where Management decides to accept the risk of not implementing an audit recommendation due to cost or other considerations, this should be clearly stated with a supporting explanation. The Manager, Internal Audit is obligated to evaluate if the acceptance of the risks is acceptable to the University, and discuss this with the DVCs, the Chief of Staff, the Vice Chancellor and the Audit, Risk and Compliance Committee, as appropriate. 7. Reporting - 2nd Draft Report for DVC Acceptance If necessary, Internal Audit will issue the 2nd draft report, generally within five (5) working days, to incorporate Management s feedback received following the exit meeting(s), for DVC acceptance. DVCs are generally required to provide feedback on the 2nd draft report within five (5) working days. 8. Reporting - 3rd Draft Report for the Vice Chancellor s Comment Upon receiving formal Management comments on the 1 st or 2 nd draft report as applicable, the 2 nd or 3 rd draft report with Management s comments approved by the DVCs is submitted to the Vice Chancellor for review and comment. In the rare circumstance of residual disagreement in opinion or the corrective actions required, this will be highlighted in a covering letter to the Vice Chancellor for consideration and a final Management Page 7 of 10

8 decision. Should the Vice Chancellor have any queries, further information may be sought from Management through her office or Internal Audit. 9. Reporting Final Report to the Audit, Risk and Compliance Committee of the University Council Generally, within two (2) working days of receiving the Vice Chancellor s comments, Internal Audit distributes a copy/section of the final report with the Vice Chancellor s comments to respective DVC(s) and any operational Management who has agreed to undertake any management action(s) in response to the audit recommendation(s). A full copy of the final report is submitted to the Audit, Risk and Compliance Committee at its next meeting for consideration. Occasionally, the Audit, Risk and Compliance Committee may make specific comment or request about a particular audit finding and recommendation. This is generally addressed through the audit recommendation follow up process. Any audit recommendations made or alternative agreed Management actions are added to TeamCentral, the web-based system used by Internal Audit to manage the audit recommendation follow up process. Internal Audit will follow up on subsequent actions taken in accordance with the timeframe as indicated in the agreed management action plan. Please refer to Section F for procedures on audit recommendation follow up. E. Grant Audit Internal Audit is committed to provide audit certification within 7-12 working days. Depending on the size, complexity and time required for Management to provide supporting information, the turnaround time may be up to 17 working days. Grant auditing is currently co-sourced. The Manager, Internal Audit is responsible for the quality assurance of the internal audit activities provided by third parties under the co-sourcing arrangement. As part of the quality assurance program, the Manager, Internal Audit will on a sample basis undertake a review of: the quality of financial statements and management certification submitted for audit; and the quality of the audit work undertaken by the co-source audit service providers. Upon receiving grant audit notification from Financial and Business Services, Internal Audit will assess its time and budget and decide if grant audit fieldwork is to be conducted internally and/or externally. This is an ongoing, dynamic and risk based process. Under no circumstances should a grant file be forwarded to the co-sourcing audit service provider directly without the knowledge of Internal Audit. It is Management s responsibility to: Ensure that any audit fees allowed in the funding agreement are accrued in the accounts. Inform Internal Audit via to internal.audit@jcu.edu.au of any urgent or large grant audits in advance. Internal Audit will negotiate with the co-source audit service provider to enable shorter turnaround time if possible with no guarantee that the service provider will meet the requirement. Ensure that the Internal Audit Grant Checklist is completed and submitted to Internal Audit with each grant audit request. Respond to audit queries which include providing supporting information for audit sample testing within a reasonable period of time. Should there be a long delay in responding to these audit queries, there will be a risk of the auditors not meeting the audit reporting deadline. More detailed information on Grant Audit Procedures and Grant Audit Checklist is published on the Internal Audit website. F. Audit Recommendation Follow Up The Manager, Internal Audit must establish and maintain an audit recommendation follow-up process to monitor Management s implementation of the audit recommendations made by Internal Audit and QAO. When the Manager, Internal Audit believes that Management has accepted a level of risk that may be unacceptable to the University, the Manager, Internal Audit must discuss the matter with the Chief of Staff, respective DVC(s) and/or Vice Chancellor, as appropriate. If the Manager, Internal Audit determines that the matter has not been resolved, this must be communicated to the Audit, Risk and Compliance Committee. Page 8 of 10

9 Internal Audit reviews the audit recommendation follow-up process at least annually in consultation with key stakeholders to ensure that the outcomes achieved meets key stakeholder expectations. It is important to note that QAO assesses the following key control factors as a part of its assessment of the University s Entity Controls : the independence and competence of the Internal Audit function; and issues identified by Internal Audit and QAO are actioned in a timely manner. The effectiveness of the audit recommendation follow up process and outcome is monitored by the Chief of Staff and the Audit, Risk and Compliance Committee. It is Management s responsibility to ensure that management status update and evidence of implementation are provided to Internal Audit as per the approved deadlines in the Audit Recommendation Follow-up Process Overview document, which is published on the Internal Audit website. G. Advisory/Consultancy Service For significant advisory services that constitute a formal consultancy under the Standards, the Manager, Internal Audit must obtain pre-approval from the Audit, Risk and Compliance Committee. The understanding of the objectives, scope, respective responsibilities, resourcing and client expectations must be documented for any significant consultancy, which is currently defined as the advisory activities that could take more than ten (10) working days to complete. When performing consulting engagements, Internal Audit must ensure that the scope of the engagement is sufficient to address the agreed-upon objectives. If Internal Audit develops reservations about the scope during the engagement, these reservations must be discussed with the client to determine whether or not to continue with the engagement. Work programs and reporting of the results of consulting engagements may vary in form and content, and these will be agreed with Management requesting the engagement. Each year, a small time budget is allocated to answer ad-hoc advisory requests from Management at various levels, which includes the following areas: risk evaluation; control assessment; system changes; policy review. Internal Audit encourages Management to seek the opinion of Internal Audit through advisory services where there is any doubt if any proposed changes to systems, processes or controls would be acceptable from an audit perspective. On the basis of audit independence not being impaired, Internal Audit provides advice to Management who has the discretion and sole responsibility to decide on the adoption, rejection or implementation of a recommended course of action. H. Stakeholder Feedback and Issue Resolution In keeping with the University s planning and performance management framework, Internal Audit s performance will be gauged by performance indicators including percentage of completion of the programmed audits and results of any University wide survey of the Internal Audit services; feedback from the Vice Chancellor, the Audit, Risk and Compliance Committee and QAO; as well as the results of any external assessment. Ongoing feedback on the Internal Audit process and/or the conduct of the Internal Auditors may be provided to: Manager, Internal Audit; University General Counsel; Chief of Staff. Internal Auditors are bound by the Internal Audit Charter, the code of professional ethics and the University s Code of Conduct to maintain independence, objectivity and ethical standards. Internal Auditors are committed to professional workplace behaviour and expect to be treated in a professional and responsible manner. Page 9 of 10

10 Any unreasonable blockage and unprofessional behaviours are to be escalated to the Manager, Internal Audit, Directors or Deans in the first instance. Any unresolved issues are to be escalated to the Chief of Staff, DVCs, and/or HR for resolution. I. Version Control Version History updated to reflect minor changes to practice updated to reflect changes to the Audit, Risk & Compliance Committee and other University governance, risk and control processes 14/12/2015 updated for ARFU timeline /03/2015 Approved by the Vice Chancellor Sponsor Vanessa Cannon, Chief of Staff Author: Consultation: Maria Mu, Manager, Internal Audit University General Counsel Chief of Staff University Executive Group Members: QAO Director, Financial and Business Services Approval Authority Professor Sandra Harding, Vice Chancellor Approval date: 20/03/2015 Review: At least annually from the approval date Page 10 of 10