Internal Audit
Annual Work Plan 2015
Table of Contents
A. Introduction
B. Internal Audit Activities Overview
C. Methodology
D. Internal Audit Coverage Prioritisation
E. Objectives and Scope at Engagement/Audit Level
F. Proposed Internal Audit Annual Work Schedule 2015
G. Quality Assurance and Improvement Program and Outstanding Actions in Response to the 2013 External Assessment of the Internal Audit Function
H. Identified Auditable Areas to be covered within a Three Year Cycle
Prepared by: Maria Mu, CPA, CMIIA, CISA, Manager, Internal Audit
Date: 30/10/2014
A. Introduction
The Internal Audit Charter requires that Internal Audit align its focus and activities to the University's
key risks. The proposed Internal Audit functional planning framework consists of two key documents:
• an Internal Audit Strategic Plan with a three year outlook that relates the role of internal audit to the requirements of the University by outlining the broad direction of internal audit over the medium term, in the context of all the University's assurance activities; and
• an Internal Audit Annual Work Plan supported by a schedule of potential audits.
Together, these documents serve the purpose of setting out, in strategic and operational terms, the
broad roles and responsibilities of Internal Audit that are included in the Internal Audit Charter and
identify key issues relating to internal audit capability, such as the required skills.
This Annual Work Plan covers a calendar year in line with the University's annual budgeting and
planning cycle and specifies the proposed internal audit coverage within the calendar year. It is
reviewed by the Manager, Internal Audit four times a year in line with the Audit Committee meeting
dates, with the preliminary approval provided by the Vice Chancellor, and the formal approval
provided by the Audit Committee of the University Council. Any significant deviation from the formally
approved Internal Audit Annual Work Plan and any impact of resource limitations are communicated
to the Vice Chancellor who provides preliminary approval, and to the Audit Committee for formal
approval.
B. Internal Audit Activities Overview
It is important that internal audit has a predominant focus on the conduct of assurance and advisory
activities. Nevertheless, audit support activities are also important activities generally undertaken by
internal audit. The relative proportion of resources devoted to internal audit support activities,
compared with audit and advisory activities, is an important matter for consideration by the Audit
Committee when considering Internal Audit plans and budgets. It is important to note that the smaller
the size of the in-house Internal Audit team, the greater the proportion of the audit support activities
will be.
Internal Audit conducts the following audit support activities which are generally non-discretionary:
• Internal Audit strategic and operational planning;
• Internal Audit functional and administrative reporting;
• monitoring the implementation of audit recommendations made by Internal Audit and the External Auditor;
• liaison with the External Auditor;
• Internal Audit Quality Assurance and Improvement Program;
• assisting the Audit Committee to discharge its responsibilities, including facilitating the Audit Committee report(s) to the University Council;
• managing the contracts with and assessing the performance of the co-sourced service partners;
• performing any appropriate special tasks or projects requested by the Vice Chancellor, the Audit Committee, and the Chancellor; and
• disseminating better practice and lessons learnt arising from the internal audit activities across the University.
The Internal Audit assurance activities include engagements with the following orientation:
• Financial
o auditing the financial statements of externally funded grants including research, capital and other special purpose grants/programs; and
o auditing the special purpose financial statements of discrete business operations such as University Halls of Residence, on behalf of QAO.
In performing financial statement audits, the Manager, Internal Audit or the co-sourced service partner(s) typically provides an audit opinion and a reasonable level of assurance to parties outside the University, depending on the purpose for which the financial statements are prepared.
Engagements of this nature shall be conducted in accordance with the Australian Auditing Standards, as appropriate.
• Compliance
o Compliance has traditionally been a focus area for Internal Audit activities. The objective of a compliance engagement is to enable the Manager, Internal Audit to express an opinion on whether the University or an organisational area has complied in all material aspects, with requirements as measured by the suitable criteria which include:
  - Federal and State legislation and regulatory requirements;
  - Federal and State Governments' policies and administrative reporting guidelines;
  - University policies, procedures and Code of Conduct;
  - contracts to which the University is a party;
  - strategic plans, or operational programs;
  - ethics related objectives and programs;
  - information technology governance standards; and
  - other standards and good practice control models.
Engagements of this nature shall be conducted in accordance with the Australian Standard on Assurance Engagement ASAE 3100 Compliance Engagements, as appropriate.
• Performance (improvement)
o Also known as operational engagement, performance (improvement) engagement is designed to assess the economy, efficiency and effectiveness of the University's business systems and processes.
Engagements of this nature shall be conducted in accordance with the Australian Standard on Assurance Engagement ASAE 3500 Performance Engagements, as appropriate.
A compliance or performance (improvement) engagement is conducted either as an audit, which
provides reasonable assurance, or as a review, which provides limited assurance.
For all assurance activities, Internal Audit observes the International Standards for the Professional
Practice of Internal Auditing (the Standards), the Definition of Internal Auditing, and the Code of Ethics
promulgated by the Institute of Internal Auditors. Where applicable, the professional practice
guidelines or statements issued by other relevant professional bodies are also followed, including (but
not limited to):
• CPA Australia;
• Chartered Accountants Australia and New Zealand;
• the Information Systems Audit and Control Association; and
• the Association of Certified Fraud Examiners.
The Internal Audit advisory activities are to provide objective and relevant consulting services or ad
hoc advice to management without assuming management responsibility. The Manager, Internal
Audit considers accepting proposed consulting engagements based on the engagement's potential to
improve management of risks, add value, and improve the University's operations. Accepted
consulting engagements must be included in the Internal Audit Annual Work Plan. Internal auditors
must establish an understanding with consulting engagement clients about objectives, scope,
respective responsibilities, and other client expectations. For a significant engagement, this
understanding must be documented.
Internal Audit applies the principle that issue prevention activities are more beneficial and could be
more cost-effective than issue detection activities. Accordingly, Internal Audit acts proactively, using
its control and risk evaluation skills to help prevent control weaknesses and breakdowns by providing
ad hoc advice to the University management on a range of matters, including:
o development of new programs and processes;
o risk management; and
o fraud control.
The percentages of Internal Audit effort to conduct audit support, assurance and advisory activities
will fluctuate over the years depending on the University's assurance needs and Internal Audit's
operational needs and priorities such as system, process, and staff professional development
requirements. This is monitored by the Audit Committee.
C. Methodology
Internal Audit adopts a risk based methodology. The planning at both the functional and
engagement levels is based on the risk assessment performed by Manager, Internal Audit to ensure
that it is appropriate to the size, functions and risk profile of the University. In order to provide optimal
audit coverage to the University and minimise duplication of assurance effort, due consideration is
given to the following aspects:
• key University business risks;
• any key risks or control concerns identified by management;
• assurance gaps and emerging needs; and
• scope of work of other assurance providers, internal and external.
Internal Audit maintains an open relationship with the external auditor and other assurance providers.
The planning process includes formal consultation with the following key stakeholders:
• The Vice Chancellor;
• The Chair of the Audit Committee;
• University Executives;
• Queensland Audit Office (QAO);
• Other internal assurance providers:
o Chief of Staff;
o University General Counsel and Head Legal and Assurance;
o Director, Quality, Planning and Analytics; and
o Associate Director, Workplace Health and Safety.
D. Internal Audit Coverage Prioritisation
During each calendar year, the Internal Audit coverage will have a different focus depending on the
University's current risk profile. The Internal Audit coverage is categorised into the following broad
groups. The order in which these are listed is in line with the current priority given to each group
based on the risk assessment.
1. Annual audits to review key areas of financial, operational, and human resources across the
whole University. This group of engagements is treated as first priority audits to meet the
external reporting and compliance obligation of the University, which can include:
a. Grant Audits;
b. Direct assistance to external audit by performing audit or review procedures under
the direction of the external auditor; such activities customarily include the following
engagements:
i. University Bookshops Financial Statements Audit (final audit will be 2014);
ii. University Halls of Residence Financial Statements Audit;
iii. Salaries Audit;
iv. Expenditure Audit;
v. Revenue Audit; and
vi. Follow up on audit recommendations made by the external auditor;
2. Audits of high risk areas/systems where the controls are considered to be effective,
however, independent assurance is required to ensure that the controls are in fact operating
as intended due to the importance to the University objectives, such as the Audit of Subject
Outlines (Third Party Delivery);
3. Audits that review particular topics across the whole University such as procurement,
casual staff appointment, record management, WHS management, and risk management. This
group of engagements is aimed at addressing systemic risks;
4. Audits that review particular processes/activities owned by a particular
Directorate/Colleges or Divisions such as Audit of Fleet and Fuel Cards; and
5. Consultancy/ad hoc advice on new systems, processes and initiatives.
A small contingent time budget can be set aside to accommodate ad hoc or special management
requests, particularly those from the Vice Chancellor and the Audit Committee.
E. Objectives and Scope at Engagement/Audit Level
Engagement objectives are broad statements developed by internal auditors that define intended
engagement accomplishments. This is largely informed by the identified risks and assurance needs of
the University. Internal Audit provides opportunities for auditees to have input in formulating audit
objective(s). For high risk audits, Internal Audit will also seek the Vice Chancellor's endorsement of
the audit objective(s).
Engagement scope is driven by:
• the determined objectives; the broader the objectives, the wider the audit scope; and
• the level of assurance required; an audit provides a reasonable level of assurance and requires wider scope than that for a review which provides limited level of assurance.
Although not common, a change in scope might be necessary to ensure that engagement objectives
are achieved in accordance with:
• 2220 Engagement Scope (the Standards) which states that the established scope must be sufficient to achieve the objectives of the engagement; and
• 1130 Impairment to Independence or Objectivity (the Standards) which states that if independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment, which includes scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.
Any significant change in scope required will be discussed with the auditees (DVCs) and the Vice
Chancellor if necessary, and formally clarified in writing with all stakeholders.
Part of the process of selecting audit topics is consideration of the objectives and scope of individual
audits. These factors can have a significant effect on the cost of the Internal Audit Annual Work Plan
or the number of audits included in the plan. In the past few years, Internal Audit had some in-depth
audits with broad objectives which were greatly valued by the key stakeholders. In light of the new
structure and a small number of in-house auditors (2 staff members), a change is warranted to be
practical; this change would involve steering away from in-depth audits with broad objectives and
undertaking more audits with more focused objectives and a narrower scope. In-depth audits with broad
objectives and a wide scope will be largely outsourced which is reflected in the Proposed Internal
Audit Annual Work Schedule 2015.
F. Proposed Internal Audit Annual Work Schedule 2015
2015 will be a transitional year during which the University is going to fully implement the new
structure, in particular the Academy. To minimise the disruption that the Internal Audit activities have
on business operations which are expected to transition to new models, approaches and processes,
Manager, Internal Audit will take the opportunity to take a combination of long service, annual and
staff study (Certified Fraud Examiner exam) leave.
During the four months while Manager, Internal Audit is on leave (April to July), a panel of co-sourcing
service partners will be engaged to ensure that the scheduled audit activities will continue and the
Internal Auditor receives sufficient supervisory support and mentoring. This is to ensure that audit
independence and quality assurance are achieved through independent, external professional service
providers. The external service provider(s) will be specifically requested to liaise with Crowe Horwath,
the External Auditor contracted by QAO for JCU for the three year period from 2015-2017, and to
prepare reports to the Audit Committee on audit matters.
To ensure effective internal stakeholder engagement, communication, and financial management,
Manager, Internal Audit proposes that the Chief of Staff and/or Head, Legal & Assurance, play a
caretaker role regarding Internal Audit administrative matters while Manager, Internal Audit is on
leave, which includes coordinating the Audit Committee reporting and approving the financial
transactions of Internal Audit. It is also expected that the Internal Auditor will perform some higher
duties.
The proposed Work Program for 2015 is tabulated in Table 1 (Proposed Internal Audit Annual Work
Schedule 2015), which is developed based on the in-house Internal Audit staff time budget available.
Subject to approval by the Audit Committee of this Annual Work Plan, a monetary budget request will
be submitted for approval through the administrative reporting line (Head, Legal and Assurance, and
Chief of Staff). It is expected that any co-sourcing costs will be fully funded and quarantined from the
Internal Audit profile salaries and general operating budgets.
Any budget and resources limitations and subsequent deletion of scheduled jobs will be
communicated to and agreed with the Audit Committee and the Vice Chancellor, in the usual manner.
G. Quality Assurance and Improvement Program and Outstanding Actions in
Response to the 2013 External Assessment of the Internal Audit Function
Manager, Internal Audit is progressively developing a new Quality Assurance and Improvement
Program which will be embedded through the further customisation of the TeamMate Audit
Management System. A review of the progress achieved against the Action Plan resulting from the
2013 External Assessment of the Internal Audit function has been performed and the outcome is
reported through a separate agenda (Item 10) as per the request of the Audit Committee. From 2016,
any outstanding actions will be detailed within this plan under this section for streamlined planning
and follow up purposes.
Table 1: Proposed Internal Audit Annual Work Schedule 2015

| Code | Project Title | Type | Sourcing | Time Budget in Days |
|---|---|---|---|---|
| F-15-01 | JCU Bookshops Financial Statements (2014) | 1 Assurance - Financial | Co-sourcing | |
| F-15-02 | JCU Halls of Residence Financial Statements (2014) | 1 Assurance - Financial | Co-sourcing | |
| F-15-03 | AusAID Program Audit | 1 Assurance - Financial | Co-sourcing | |
| G-15 | Grant Audits | 1 Assurance - Financial | Co-sourcing | 12 |
| C-15-01 | Work on behalf of QAO | 2 Assurance - Compliance | In-house | 30 |
| C-15-02 | Subject Outlines (Third Party Delivery) | 2 Assurance - Compliance | In-house | 30 |
| C-15-03 | Fleet and Fuel Cards | 2 Assurance - Compliance | Co-sourcing | 25 |
| C-15-04 | Supplier Selection | 2 Assurance - Compliance | Co-sourcing | |
| C-15-05 | Casual Staff Appointment & remuneration | 2 Assurance - Compliance | Co-sourcing | |
| C-15-06 | WHS Management Framework | 2 Assurance - Compliance | Co-sourcing | 10 |
| NA-15-01 | Support for Financial Misconduct Investigation | 4 Productive Non-audit Activities | Co-sourcing | 15 |
| A-15-01 | Ongoing Staff Queries & Miscellaneous Management Referrals | 5 Advisory | In-house | 14 |
| A-15-02 | Student Fees & Charges Integrity Checking | 6 Advisory | In-house | 25 |
| AS-15-01 | Internal Audit Strategic & Operational Planning & Review of Charter | 6 Audit Support | In-house | 17 |
| AS-15-02 | Internal Audit Process Improvement & Quality Assurance & Improvement Activities | 6 Audit Support | In-house | 21 |
| AS-15-03 | Internal Audit Administration & Team Activities incl. PMP, Website, Budgeting | 6 Audit Support | In-house | 27 |
| AS-15-04 | Internal Audit Professional Development Incl. Staff Study Leave, Training & Conference | 6 Audit Support | In-house | 30 |
| AS-15-05 | University Administrative & Engagement Activities | 6 Audit Support | In-house | 16 |
| AS-15-06 | Audit Committee Reporting & Supporting Activities | 6 Audit Support | In-house | 23 |
| AS-15-07 | QAO Engagement Activities | 6 Audit Support | In-house | 14 |
| AS-15-08 | Audit Recommendations Follow-up & TeamCentral Administration | 6 Audit Support | In-house | 25 |
| AS-15-09 | Co-sourcing Partners Relationship Management | 7 Audit Support | In-house | 10 |
| NW-15-01 | Public Holidays | 7 Non-work | N/A | 20 |
| NW-15-02 | Sick & Carers Leave | 7 Non-work | N/A | 17 |
| NW-15-03 | Annual Leave | 7 Non-work | N/A | 56 |
| NW-15-04 | JCU Special Holidays | 7 Non-work | N/A | |
| NW-15-05 | Cultural Leave | 7 Non-work | N/A | |
| NW-15-06 | Long Service Leave | 7 Non-work | N/A | 47 |
| | Contingency | | | 11 |
| | Total | | | 522 |
H. Identified Auditable Areas to be covered within a Three Year Cycle
Other auditable areas identified in the audit planning process have been tabulated below in Table 2.
These can be brought forward should extra resources be available, or substituted if scheduled audits
do not proceed for any reason. Please note that, to focus on the risk areas, non-discretionary annual
audits to review key areas of financial, operational, and human resources across the whole University
in order to meet the external reporting and compliance obligation of the University are not included
in this table. Those may include:
a. Grant Audits;
b. Direct assistance to external audit by performing audit or review procedures under
the direction of the external auditor; such activities customarily include the following
engagements:
i. University Halls of Residence Financial Statements Audit;
ii. Salaries Audit;
iii. Expenditure Audit;
iv. Revenue Audit; and
v. Follow up on audit recommendations made by the external auditor.
Table 2: Identified Auditable Areas to be covered within a Three Year Cycle
University Key Business Risk
2015
1. Decline in student numbers (Domestic vs. International, coursework vs. research)
2. Ineffective oversight of the third party academic quality
3. Poor student experience & retention
4. Non-compliance with legislative and regulatory requirements
5. Non-compliance with contractual obligations
6. Uneconomic and non-complying asset management
7. Ineffective project management
8. Ineffective information and security management
No Internal Audit coverage
due to management
assurance activities such as
the development of a
marketing strategy and the
planned review of the
Student and Academic
Services Directorate
2016
Marketing
International Student
Application Processing
Indigenous Participation
(Students)
Subject Outline Audit (Third
Party Delivery)
Potential depending on
new risk assessment
Student Fees Integrity
Checking Consultancy
Student Enquiries
Facility Maintenance
WHS Management
A new Compliance
Framework is currently
being proposed.
Rolling Legislative
compliance audit
schedule
Recurring Grant, AusAID
audits
Record Management
Management assurance
activities in plan
ICT Project Office has
relocated to ICT Directorate
in July 2014
a large number of projects
associated with the Future
Task force may finish
within 2015
General and application
controls of the key
corporate systems are
covered by Internal and
2017
Course
Rationalisation
Process
Rolling
Legislative
compliance
audit
schedule
Portable and Attractive
Assets
Project Management
(Excl. Capital)
Key and ID
Management
Course
Approval
Process
Domestic
Student
Application
and
admission
Process
Strategic
Asset
Management
ICT Disaster
Recovery
9. Ineffective risk management and business continuity management
10. Ineffective human resource management (appointment & performance management)
external audits regularly.
A significant number of
management actions are
followed by Internal Audit
within the audit
recommendations follow up
process
A new Risk and Insurance
Advisor role is under
recruitment; this role will
perform a review of the risk
management process and
register
Casual Staff Appointment &
Remuneration
Risk Management
Framework
Staff Ethics Framework
Business
Continuity
Planning
Performance
Management
Version: 2014-10-29 Draft for Approval by the Vice Chancellor and the Audit Committee
Prepared by: Maria Mu, Internal Audit Manager
Consultation:
Prof. Sandra Harding, Vice Chancellor and President
Mr Graham Kirkwood, Chair of the Audit Committee
Ms Tricia Brand, DVC, Services and Resources
Prof. Ian Wronski AO, DVC, Tropical Health and Medicine
Prof. Sally Kift, DVC, Academic
Prof. Dale Anderson, DVC, JCUS
Prof. Paul Gadek, Chair of Academic Board
Ms. Vanessa Cannon, Chief of Staff
Ms. Fiona Macdonald, University General Counsel and Head, Legal and Assurance
Ms Vicki Hamilton, Director, Quality, Planning and Analytics
Mr Blaise Allen, Associate Director, Workplace Health & Safety
Queensland Audit Office
Date Preliminary Approval provided by the Vice Chancellor: 31/10/2014
Date Formal Approval provided by the Audit Committee: 13/11/2014