Internal Audit and Risk Management Charter

This charter is established under the authority of the Senate.

The charter establishes the purposes, authorities and responsibilities of the internal audit function (called Office of Internal Audit and Risk Management) so that it can provide an effective service to the university. An effective service is required by Section 34(1) of the Murdoch University Act, 1973-1985 and Section 55(f) of the Financial Administration and Audit Act, 1985.

Definition

Internal Audit and Risk Manangement is an independent appraisal activity within the university for the review of our operations as a service to the university. It is  a managerial control that functions by examining and evaluating the adequacy and effectiveness of other controls.

Function

The function of Internal Audit and Risk Management is to conduct, for the Senate, the Audit Committee and Vice Chancellor, audits and reviews of the operations of:

• The accounting and financial management information and control systems and control systems and activities.

• Such other operational and management information, control systems and activities as directed by the Senate and Vice Chancellor to provide:
  

  1. regular advice as to whether or not key controls are in place and are being observed and that public and other properties, moneys and resources are being safeguarded;
  2. advice on the reliability or otherwise of management information;
  3. management oriented appraisals of operations and activities;
  4. independent advice to the Senate, Executive Deans and the Senior Executive Advisory Committee on action to improve operational efficiency and effectiveness; and
  5. periodical reports on follow up action taken on previously reported audit recommendations.
     

Independence

The internal audit function has independent status within the university and for that purpose:

• Shall be directly responsible to the Senate Audit and Risk Management Committee and the Vice-Chancellor for authority and the Deputy Vice-Chancellor for administrative purposes. The Office of Internal Audit and Risk Manangement will be independent of any other Division, School or Office or employee or official of the university. Further, the dismissal or a transfer of the Director, Office of Internal Audit and Risk Management shall require the written approval of the Chair of the Audit and Risk Management Committee.

• Has a duty to bring directly to the attention of the Chair of the Audit and Risk Manangement Committee and/or the Chancellor any concerns about audit matters or other significant risks not being adequately dealt with by the University.
  

   

• The Director, Office of Internal Audit and Risk Management shall draw to the attention of the Vice-Chancellor and the Senate Audit and Risk Management Committee all matters that, in his or her opinion, warrant reporting in this manner; and
  

  1. Shall have no executive or managerial powers, authorities, functions or duties except those relating to the management of the internal audit function.
     
  2. Shall not be involved in the daily operation of the accounting and financial management and control systems of the university nor in the internal checking of the university.
     
  3. Shall not be responsible for the detailed development or the implementation of new systems and procedures. The Office of Internal Audit and Risk Management should furnish advice on incorporating adequate controls in new systems and procedures. The Office should also provide assurance to management that the new systems and procedures will contribute to the achievement of the university's objectives.
     

Authorities

The Vice Chancellor provides the authority for the conduct of internal audits and reviews.

The Office of Internal Audit and Risk Management has no direct responsibility for, or authority over, any of the activities that it reviews. Therefore, audits do not in any way relieve other persons in the university of the responsibilities assigned to them.

The Office of Internal Audit and Risk Management shall:

• Undertake audits in accord with plans approved by the Senate Audit and Risk Management Committee.
• At all reasonable times, have full and free access to all relevant information and property of the university.
• At all reasonable times, have discussions with relevant personnel and require them to provide information, advice, explanations, and any assistance necessary for audit purposes; and
• Conduct such further audits and reviews as the Senate, Vice-Chancellor or the Deputy Vice-Chancellor may, from time to time direct, and - subject to their approval - decide the nature and scope of such audits and reviews.
  

Where the Office of Internal Audit and Risk Management does not possess all the necessary skills or experience, additional internal or external resources may be used for approved areas of review, subject to the Vice-Chancellor's or the Deputy Vice-Chancellor's approval.

Planning

The Director, Office of Internal Audit and Risk Management will consult with the members of the Senior Executive Advisory Committee to establish long and short term plans to execute the responsibilities of the internal audit function.

Internal Audit planning shall have the following elements:

The Strategic Review Plan (SRP).

This identifies the internal audit coverage to be achieved over a three - five year period. The SRP is to be reviewed annually and altered to reflect changes in priorities. It will identify and rank all areas that the Office of Internal Audit and Risk Management will cover. The Director, Office of Internal Audit and Risk Management will prepare the SRP for the Audit Committee's approval.

The Annual Review Plan (ARP).

This shows the internal audit program for the first year of the SRP and indicates the planned time for each review. The Director, Office of Internal Audit and Risk Management will prepare the ARP and the Audit and Risk Management Committee will approve it. The ARP will be consistent with the SRP. The Director, Office of Internal Audit and Risk Management will conduct a mid year review of the ARP that will modify it as necessary. The Chair of the Audit and Risk Management Committee will approve the modified ARP on behalf of the Audit and Risk Management Committee. This modified plan will be presented for consideration at the subsequent Audit and Risk Management Committee meeting.

Field Plans.

These are the working plans for each review. The auditor performing the review will prepare these plans. The Director, Office of Internal Audit and Risk Management will approve each field plan. These plans will be presented to the relevant Division, School or Office head for their endorsement.

Timings.

The Audit and Risk Management Committee will approve the following year's SRP and ARP at its November meeting. Mid year ARP reviews will be presented to the Audit and Risk Management Committee at the August meeting. Field plans will be approved before the testing phase of each review.

The Director, Office of Internal Audit and Risk Manangement will prepare for the Deputy-Vice Chancellor a comparison of actual work performed against the ARP at the end of each month or as often as necessary. A progress report comparing actual to planned work will be presented at each Audit and Risk Management Committee meeting.

Activities

The Office of Internal Audit and Risk Management shall, as necessary, in the performance of its function:

• undertake regular periodic compliance testing of key controls over accounting and financial management information and control systems;
• determine whether the systems of internal control are adequate and functioning effectively and efficiently;
• ascertain the extent to which public and other property, money and resources under the control of the university are accounted for, used and safeguarded from losses of all kinds;
• assess the relevance, reliability and adequacy of management data;
• promote effective control at reasonable cost;
• assess the value obtained for moneys expended and evaluate alternative future expenditure;
• recommend changes in procedures and systems to improve efficiency and prevent waste and extravagance;
• ascertain the extent of compliance with established policies, plans and procedures and determine whether they are effective in securing their intended purpose;
• advise on appropriate systems of control and other operational matters;
• carry out any special investigations, appraisals, inspections and examinations in areas having financial, operational or management impact;
• review management systems and operations to assess the extent to which university objectives and the adequacy of controls over activities leading to such achievement;
• draw attention to any failure to take prompt action in regard to reported recommendations; and
• Assess the effectiveness of risk management processes within Divisions, Schools and Offices.
  

Internal Audit Practice

Internal auditing will be conducted in a manner consistent with the Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors, except that:

• External audit activities remain the prerogative of the Office of the Auditor General, or their agents.
• Office of Internal Audit and Risk Management activities shall not extend to the coordination of external and internal audit. However, the Office of Internal Audit and Risk Management will consult with our external auditors to reduce duplication of audit activity.

Where applicable, the Office of Internal Audit and Risk Management will have regard for the standards and practice statements and professional code of ethics issued by Australian and International accounting and auditing organisations.

Specific standards to be followed include:

• The Office of Internal Audit and Risk Management must be independent of the activities they audit and must maintain an independent outlook.
• Reporting must be timely, honest and objective.
• Reviews must be performed with proficiency and due professional care.
• Evidence supporting audit observations must be sufficient, reliable, competent and appropriate to the review topic.
• Information that auditors gain in the course of their work is confidential and must not be used or conveyed for purposes outside the scope of approved responsibilities.
• The Director, Office of Internal Audit and Risk Management shall maintain a quality assurance program to review the Office of Internal Audit and Risk Management operations to ensure that internal audit's work complies with this charter.
  

8. Relationships

The Office of Internal Audit and Risk Management will:

• relate to professional organisations and bodies to keep abreast of advances in internal audit practices;
• maintain contact with other specialist parties within the university that are set up to assist line management; and
• liaise with the university's external auditors to reduce duplication of audit effort.
  

INTERNAL AUDIT CHARTER APPROVED BY SENATE RESOLUTION 106/96 AMENDED BY SENATE RESOLUTIONS S/108/2001 AND S54b/2002