ATTACHMENT 3

INTERNAL AUDIT PROTOCOLS

Contents
Purpose of protocols and structure
Objectives and scope of internal audit
Structure
Audit planning
Audit delivery
Audit reporting and follow up
Link to risk management framework
Performance monitoring

Purpose of Protocols and Structure

This document sets out the structure, planning, delivery, performance and reporting
practices to be adopted by the internal audit function of Uniting Care Queensland (UCQ). It
applies to all internal audit activities, whether performed by in-house resources, or
professional services providers who may be employed to support UCQ’s internal audit
activities from time to time.

Objectives and Scope of Internal Audit

The Audit, Risk and Compliance Committee of UCQ (ARCC) has approved an Internal
Audit Charter that sets out the purpose and scope of work to be undertaken by the internal
audit function. To avoid unnecessary duplication here, the Internal Audit Charter should be
read in conjunction with this document.

In summary, however, the internal audit function is to provide the Board, ARCC and Senior
Management with independent and objective assurance and consulting services in relation
to the adequacy of design and effectiveness of implementation of governance, risk
management, internal control and compliance systems put in place by UCQ to manage its
business risks. Consequently, all areas of the business, including key business processes
and functions, are within the scope of internal audit.

In evaluating such business processes the focus of internal audit activities will generally be
to report on whether:

• Risks which may impact UCQ’s objectives have been recognised and are being
appropriately managed within acceptable risk levels;

• Resources are being used economically and efficiently;

• Performance information (financial and operational) is complete, accurate and timely;


• Policies, plans, procedures, laws, regulations, funding requirements, ethical standards
and fiduciary responsibilities are being complied with; and

• Assets are being safeguarded against loss, theft, destruction or other reduction in value.

To report on such objectives, internal audit will generally consider whether controls have
been designed adequately to manage risks to acceptable risk levels, and that they are
functioning or operating as intended.

Structure

UCQ is operating in a changing environment and must therefore structure and resource its
internal audit function in a flexible manner that allows appropriate responses to both current
and emerging risks and challenges. Consequently internal audit should have the ability to
use external service providers who understand UCQ’s operations and who can support its
internal resources through the use of specialist skills or additional resources as required
from time to time.

The structure also reflects the importance placed on the independence of internal audit,
which supports its ability to provide objective assurance to the Board, ARCC and senior
management.

The structure is set out below:

[Organisation chart. The boxes shown are:]

• Uniting Care Queensland Board
• Audit, Risk and Compliance Committee
• Uniting Care Queensland Director
• Agency Executive Directors
• Group Manager, Finance & Strategic Initiatives
• Group Internal Audit Manager
• Agency Senior Managers
• Internal Audit Resources

[Chart label: Planning and Reporting Responsibility]

The roles implicit in the above structure, to be undertaken by appropriately qualified
personnel, include:

Page 2 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
Group Internal Audit Manager (GIAM)

This role reports to the Group Manager Finance & Strategic Initiatives (GMFSI). The GIAM
will be responsible for both annual and engagement level audit planning, and the delivery of
all internal audit activities in accordance with appropriate auditing standards, including
engagement planning, audit delivery, maintenance of appropriate documentation and the
preparation and delivery of reports.

The allocation of internal audit services within UCQ will be based upon the relative needs
and risk profiles of activities and the necessity to provide assurance to the ARCC that
UCQ’s governance, risk management, internal control and compliance systems are
adequately designed and operating as intended across all activities. It is the responsibility
of the GIAM to ensure that the activities of internal audit are co-ordinated fully with the risk
management framework.

It is also the responsibility of the GIAM to co-ordinate preparation of the internal audit plan
and reports in consultation with Agency Executive Directors and Senior Managers. Draft
audit plans and reports shall be provided to Agency Senior Managers prior to their
finalisation and provision to the ARCC. Significant matters may be escalated to the
Director, Uniting Care Queensland where standard escalation processes and times have
not resulted in an adequate response.

Any changes to the annual internal audit plan, for matters such as one-off projects identified
as necessary during the year, will be initially proposed by the GIAM in conjunction with
Agency Senior Managers for approval by the GMFSI.

Director, Uniting Care Queensland

The Director, Uniting Care Queensland has the responsibility to provide assurance to the
ARCC that the internal audit program is consistent with their assessment of needs and
risks across UCQ and to reinforce the status and responsibility of the internal audit function
with Agency Executive Directors.

Agency Executive Directors

Agency Executive Directors (or their equivalent) play a vital role to ensure that the Internal
Audit Plan, as related to their Agency, provides adequate coverage of existing and planned
governance, risk management, internal control and compliance systems and that planned
and actual internal audit activities take into consideration the risk profile and nature of
operational activities and issues for each Agency.

It is the responsibility of Agency Executive Directors to:

• facilitate ready access by the GIAM and the Internal Audit Team to the operations,
information, key personnel and management forums of Agencies;

• support the effective conduct of the internal audit program; and

• support the status and responsibility of the internal audit function within Agencies.

Group Manager Finance & Strategic Initiatives (GMFSI)

The internal audit function reports to the GMFSI. This means the GMFSI will approve the
budget of the internal audit function and will support the status and responsibility of the
internal audit function within UCQ. Internal audit services (including cost recovery) will be
agreed with each of UCQ’s Agencies on an annual basis through GMFSI and GIAM.

The GIAM will report to the GMFSI in respect of day to day management matters, including
general staffing and any external service providers used from time to time, travel, IT
support, and general administration.

The GMFSI is responsible for reviewing the draft internal audit programs, plans and reports
prior to submission to the ARCC. The GMFSI is also responsible for evaluating the
performance of the GIAM, including obtaining feedback from the ARCC, the Director,
Uniting Care Queensland and Agency Executive Directors.

Internal Auditors

These roles will report to the GIAM and will assist in the delivery of audit engagements in
accordance with appropriate auditing standards.

External Service Provider

The internal audit activities of UCQ will need to be flexible in terms of the breadth and
depth of coverage of the activities of UCQ. It is possible therefore that the internal audit
activities of the Group may have to be supplemented from time to time with resources
contracted from outside of UCQ. Such resources may be required to undertake audit work
in respect of specialist areas, or where demand for work is such that additional general
audit resources are required.

Audit Risk and Compliance Committee

The internal audit function reports to the ARCC in relation to Internal Audit Planning and
Reporting, and as such the ARCC will be responsible for endorsing, for submission to the
Board, the following items:

• annual audit plans;

• changes to the annual audit plans during the course of the year;

• reports from the GIAM; and

• understanding the status of actions required as a result of audit findings.

The ARCC shall also be available to meet independently with the GIAM, as required.

In addition, the ARCC will be involved in decisions on the appointment and termination of
the Group Internal Audit Manager and provide input into the annual performance review of
Internal Audit and the GIAM.

Audit Planning

Scope of Work

The audit work to be completed in any given year will focus on the general requirement that
the ARCC will expect the Group Internal Audit Manager to provide a report, on an annual
basis, in relation to the overall governance, risk management, internal control and
compliance systems.

The Group Internal Audit Manager will therefore plan the work of the internal audit function
so as to obtain sufficient evidence throughout the course of the year, regarding the
adequacy of design, and effectiveness of implementation, of the controls and processes
adopted by UCQ and its Agencies to manage their key risks.

To ensure this occurs, it would generally be expected that the audit plan will include the
following major segments:

Focus Area: Business-As-Usual Processes
Description: Review of all major business processes across the Group. Such reviews will be
based on an overall risk analysis of such processes, across each service unit. Processes can
be audited as a single process across the entire UCQ group, or restricted to specific
activities, whether due to the relative size or importance of that activity, or for practical
reasons such as when a range of processes are audited at one physical location to maximise
the efficiency of an audit visit to a geographically separate location.

Focus Area: Change Projects
Description: As the risk profile of Agencies, activities or processes generally increases
during a period of change, such change projects should be included in the work of internal
audit, as appropriate given the size of the project.

Focus Area: Financial Processes
Description: Although these can be included as part of “business as usual” processes, the
importance of external reporting requires that financial processes are given special
consideration when planning audit work. Such work should be planned and coordinated with the
external auditors to avoid unnecessary duplication.

Focus Area: Compliance processes
Description: The processes adopted by UCQ to ensure compliance with policies, plans, ethical
standards and fiduciary responsibilities, laws, regulation, applicable contracts and funding
requirements takes place. These should form an essential part of the overall audit work.

The methods used to plan audit work should be in accordance with appropriate auditing
standards.

Strategic and Annual Audit Plans

It would be expected that, due to the size of UCQ, all risks will not be able to be covered
within any one year, and so a cyclical basis of auditing will be required to ensure adequate
coverage of risks over a period of time. It is expected that the ARCC would be made aware
of, and approval would be sought for, any long term or strategic audit plans.

On an annual basis an audit plan, covering the work to be performed over the next financial
year, is to be presented to the ARCC for approval. Such a plan will set out the approximate
timing of audit work, the high level scope of each audit, and the resources required to
complete the work over the course of the year. Changes to the plan can be suggested
throughout the year, but will be subject to approval by the ARCC.

Audit Delivery

All audits should be planned, delivered and reported upon in accordance with the
International Standards for the Professional Practice of Internal Auditing, issued by the
Institute of Internal Auditors.

In undertaking audits within UCQ however, it will be expected that certain behaviours and
communication protocols will be adhered to, as set out in the following table:

Audit Area: Audit Planning
Protocol:
• Appropriate levels of management will be involved with the overall audit planning process
• Internal audit services will be agreed with and contracted to each of the Agency Executive
Directors at the beginning of each financial year. The contract will include scope of work,
timetable and anticipated cost recovery.

Audit Area: Assignment Planning
Protocol:
• Assignment scope document (ASD) to be prepared setting out the purpose, high level risks,
scope, agreed timing, resources to be used and assistance required from the service unit to
be audited
• ASD to be provided to audit sponsor and other interested parties at least two weeks prior
to the commencement of the audit

Audit Area: Audit Work
Protocol:
• Internal audit is to be provided with access to whatever people, records or systems it
deems necessary to perform the required level of audit work
• All work is to be appropriately documented and documentation is to be retained for 7 years
• Audit staff will be expected to maintain appropriate levels of confidentiality throughout
the audit process, but in particular when working at service unit locations

Audit Area: Findings and Recommendations
Protocol:
• The more important issues that arise during the course of an audit should be progressively
discussed with the appropriate levels of management concerned.
• Findings are to be discussed with local management prior to leaving the site, and wherever
practical the rating of findings, management comments and actions should be agreed at this
time

Audit Area: Reporting
Protocol:
• Formal audit reports should be issued in draft, to local management for comment, no later
than two weeks following the completion of the fieldwork
• Reports should be finalised, including the provision of comments on findings by management
(including to Agency Executive Directors), within two weeks of the report being issued in
draft
• Any issues identified to be of great significance and requiring urgent attention should be
immediately reported by the GIAM to the GMFSI, Director Uniting Care Queensland and ARCC and
Board Chairs.

Audit Area: Audit Follow Up
Protocol:
• It will be expected that management will take ownership of all agreed actions and the
timing allocated for their completion
• The internal audit function will follow up on progress in completing actions in order to
provide a summary progress report on a quarterly basis to the ARCC meeting.

Audit Area: Continuous Improvement
Protocol:
• The views of the Director, Uniting Care Queensland and Agency Executive Directors will be
sought, on an annual basis, in respect of the performance of internal audit in their
experience. This may be supplemented with the views of project managers and functional
management where appropriate.
• The GMFSI will summarise the findings from this process and include any actions deemed
necessary for improvement in the report to the ARCC at which the annual audit plan is to be
approved.

Audit Reporting and Follow Up

Individual Assignment Reports

A full report will be prepared following the completion of each individual internal audit
assignment. The report will set out, as a minimum, the following key pieces of information:

• The purpose of the audit work;

• A summary of the scope of the audit work;

• An overall conclusion in regards to whether controls have been designed and
implemented which effectively manage the identified risks;

• A summary of any best practices identified which should be shared with other activities
within UCQ;

• A summary of the key themes arising from the audit and any major or moderate
category findings;

• Detailed findings and recommended actions; and

• Management’s comments and agreed actions.

All findings should be graded in terms of their level of importance. The grading system to
be used for findings should be the same as that used in the risk management framework.

In addition to providing the report to the manager of the area reviewed, a copy is to be
provided to GMFSI and the relevant Agency Executive Director.

Audit Risk and Compliance Committee Reports

A report is to be prepared for each ARCC meeting that summarises the audit activities
which have taken place since the last meeting, any themes or emerging risks which the
work highlights, all risks identified with more than a moderate potential impact, a summary
of above moderate category findings and the status of work compared to the annual audit
plan.

On a quarterly basis, a summary report of audit engagements and outstanding (more than
minor category) audit findings will be provided.

On an annual basis a performance report will also form part of the ARCC summary report.
This is to provide the ARCC with a summary of how the internal audit function has
performed against agreed goals.

Annual Report to the Audit Risk and Compliance Committee

On an annual basis, the Group Internal Audit Manager is responsible for submitting to the
ARCC a report which sets out a summary of the audit activities for the year, and an overall
assessment on the design adequacy and effectiveness of implementation of UCQ’s
governance, risk management, internal controls and compliance processes, as evidenced
by the work undertaken.

Link to Risk Management Framework

The activities of the internal audit function need to be fully co-ordinated with the overall risk
management framework of UCQ. This will be achieved by ensuring the following basic
processes occur:

• The annual audit plan will be developed based to a large extent on the risk profile of
UCQ and each Agency;

• Each audit assignment will be planned in such a manner as to ensure fieldwork seeks to
obtain evidence of control effectiveness in respect of key risks, as summarised in the
relevant risk profile;

• Audit findings shall be graded in a manner consistent with the risk framework;

• When discussing findings, it is a requirement that consideration is given to whether the
findings indicate any changes are required to the risk profile, for example whether they
indicate that management has not correctly assessed the importance of risks, or have
overstated the effectiveness of controls, when determining their residual risk profile;

• Agency Executive Directors should refer to audit activity and findings, when reporting
upon their risk profile to the Director Uniting Care Queensland; and

• Facilitating the updating of risk registers (risks, causes, treatments, action items) so that
a consistent approach is applied across UCQ.

Performance Monitoring

The performance of the internal audit function of UCQ will be monitored in two ways, as
follows:

Quality Review

On a periodic basis, at least every five years, a person or organisation independent of the
function will review the internal audit function. This would normally be expected to be an
outside consultant with the appropriate level of expertise in internal audit best practice.

Annual Performance Assessment

The internal audit function will establish goals and present these to the ARCC for approval
on an annual basis, at the beginning of the financial year. The GMFSI and GIAM will then
report on performance against these goals at the end of that financial year.

The assessment of performance will be based on a range of performance indicators,
across a broad spectrum of focus areas. The measures to be used are summarised in the
following table:

Financial and Management
• Annual audit plan delivered within budget, concentrated on high risks and areas of
sensitivity, and carried out with appropriate resources.
• Cost savings or revenue opportunities identified as part of the outcomes of the audit
process
• Expertise from outside internal audit group used where appropriate and as planned
(e.g. IT).

Service Provision
• Senior Managers believe that internal audit provides an objective value added service to
the business
• ARCC believe that the level of reliance they can place on the governance, risk management,
internal control and compliance systems of the Group has improved as a result of internal
audit activities

Process
• Protocols in relation to timing, communications and reporting have been adhered to
throughout the year
• All approved audits have occurred as intended or alternative suitable arrangements have
been put in place
• Actions in respect of audit findings have been followed up and reported upon as
appropriate

People
• The skills of line managers and staff have improved as a result of the internal audit work
which has occurred
• Internal audit staff are appropriately skilled and trained to undertake the range of audit
work required to meet the objectives of the internal audit function within the context of
UCQ’s operations
• Staff turnover level for the most current year is in accordance with expectations.

The GIAM will conduct a performance review and career planning interview with each
member of the internal audit team at least once per annum.
