Internal Audit
The University of Queensland’s Internal Audit team provides independent advice and assurance on the effectiveness of governance, risk management, compliance management and internal controls at UQ.
Roles and responsibilities
What is internal auditing?
Internal auditing is an independent and objective assurance and advisory service designed to improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
Why does UQ have an internal audit function?
As a Queensland statutory body, UQ must observe the requirements of the Financial Accountability Act 2009 (the Act), the Financial and Performance Management Standard 2009 (the Standard), and the Tertiary Education Quality and Standards Agency Act 2011 (TEQSA Act).
UQ has a responsibility to adopt sound practices for the stewardship of the public monies under its control. The Financial and Performance Management Standard 2009 provides a framework for UQ, as a statutory body, to develop and implement systems, practices and controls for efficient, effective and economic financial and performance management. This includes the establishment of an internal audit function.
Governance and management of Internal Audit
Internally, UQ’s Internal Audit function is governed by the Internal Audit Charter, which sets out the responsibilities, organisation, authority, membership and operation of UQ’s Internal Audit function. The Charter is approved by the Senate Risk and Audit Committee (SRAC) in consultation with the University Senior Executive Team.
The Internal Audit Charter refers to the Three Lines Model, which helps organisations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. This model illustrates the interrelationship between management, the governing body (Senate) and Internal Audit, and the roles and responsibilities of each in supporting good governance.
In managing and undertaking our internal audit activities, UQ Internal Audit adheres to the mandatory elements of the International Professional Practices Framework (IPPF) (updated in 2024), which are the Global Internal Audit Standards and Topical Requirements.
Find out more about UQ's internal auditing process.
Our vision and strategy
UQ Internal Audit aims to be a trusted advisor and strategic enabler, recognised for its role in achieving UQ's objectives. We strive to enhance value through expert advice, embrace innovation with data-driven insights, and foster collaboration for a unified One-UQ approach. Our commitment to excellence positions us as a sector leader in the Australian University Sector.
UQ Internal Audit is dedicated to creating, protecting, and sustaining organisational value by delivering risk-based, objective assurance, advice, insight and foresight.
Our scope of work
Internal Audit’s scope of work is to assess and provide assurance on whether:
- UQ has an effective system of internal control, including governance, risk management and compliance frameworks;
- risks are appropriately identified and managed;
- interaction between the various governance groups occurs as needed;
- significant financial, managerial and operating information is accurate and timely;
- employees act in compliance with policies, standards, procedures, and applicable laws and regulations;
- resources are acquired economically, used efficiently, and adequately managed; and
- quality and continuous improvement are fostered in the University’s control process.
The scope of Internal Audit includes the whole of UQ including its controlled entities.
Our independence
The Internal Audit function is unique within UQ in that it is independent of management.
While Internal Audit plans and programs of work will be developed in consultation with management, they are approved by the Senate Risk and Audit Committee. In addition, Internal Audit reports functionally to the Senate Risk and Audit Committee and administratively to the Chief Operating Officer. This allows Internal Audit to maintain an impartial, unbiased attitude and act with objectivity and independence in all that it does. Internal Audit cannot have any direct responsibilities for, or authority over, any of the activities which it audits.
Although it is necessary to support the independence of Internal Audit through the formal reporting structures, independence is a state of mind founded in strong principles of objectivity and moral fibre. Our primary responsibility is to always act in the best interests of the University. A strong working relationship with management assists in supporting our common objectives and allows us to function effectively and add value in the best way possible. For this reason, our audit plans (consisting of both assurance and advisory services) are developed in consultation with management, with input from the University Senior Executive Team, and are adequately flexible to respond to the changing needs and risks of the University.
Our accountability
While Internal Audit is independent, we have an obligation to provide high-quality services to management and the Senate. Internal Audit also has a responsibility not only to justify our selection of areas to audit, including audit objectives and scope, but also to ensure that our audit processes (from planning to reporting) meet professional auditing standards, our findings and conclusions are evidence-based, and any recommendations are sensible and practicable.
An External Quality Assurance Review of the Internal Audit function takes place every five years.
How are Internal and External Audit different?
The Internal Audit team performs a different function to that of the University’s external auditors.
UQ is audited externally by the Queensland Audit Office. The purpose of the External Audit is to report to the Queensland Parliament on the fair representation of the University’s annual financial statements. Internal Audit liaises regularly with the external auditors to coordinate work and minimise duplication of effort.
UQ may also be audited by a number of other external parties including accreditation bodies.
Services
Our current focus areas
Our Annual Internal Audit Plan focuses on providing assurance or advisory services in the following focus areas:
- UQ's Strategic Objectives and Top Risks
- Key enterprise change initiatives
- Cyclical assurance on key operational or IT processes and controls
Who gets audited?
Each year, in order to decide which areas are to be audited, the Internal Audit team undertakes a detailed risk-based planning process, which involves engagement across multiple key stakeholders and utilises multiple information sources. An Annual Internal Audit Plan is then endorsed internally by the University Senior Executive Team and is approved by the Senate Risk and Audit Committee in November each year. The approved plan is communicated to the relevant responsible areas in preparation for scheduling and commencement of the audits in the new year.
The Audit Plan is reviewed regularly to ensure scheduled audits remain relevant and up-to-date with the operational and strategic needs of UQ.
Services
The UQ Internal Audit function offers three distinct categories of service.
Assurance
Assurance engagements focus on whether risks are being adequately managed through sound governance processes and whether existing internal controls are adequate to mitigate risks. This is achieved through:
- operational and information system audits - commonly focused on UQ Top Risks or areas of significant impact or higher risk;
- cyclical assurance;
- project reviews (can be assurance or advisory); and
- grant certifications.
Find out more information about the assurance process.
Advisory
Advisory engagements are limited in scope and are conducted at the request of management or are opportunities to add value determined through the audit planning process. This is achieved through:
- business process advisory;
- health checks;
- risk and control improvement facilitation; and
- control self-assessment (CSA).
Continuous Controls Monitoring (CCM) Facilitation
Continuous Controls Monitoring is the process and technology used to detect compliance and risk issues associated with an organisation's financial and operational environment. Internal Audit facilitates and supports the implementation of automated CCM by management. Management are responsible for implementation, day-to-day management, operation, monitoring and reporting. At UQ, Internal Audit acts as the facilitator for implementation of CCM in a business area through the use of an outsourced service provider.
Governance, Risk and Compliance (GRC) System
The GRC system aims to improve UQ's risk management approach by providing increased visibility, accessibility and a consistent approach to internal audit, risk, compliance and insurance. For Internal Audit, the GRC system went live in July 2024 and Internal Audit management actions are now recorded, tracked, monitored and reported in this system.
Training for the users of the GRC system Internal Audit module was completed in July and August 2024. You can find the materials delivered in those sessions on the Systems Training Hub - Internal Audit training.
Please contact internal-audit@uq.edu.au (Internal Audit Team) if you have questions about the Internal Audit training or require further training.