Internal Audit

Internal Audit (IA) provides independent and objective advice and assurance on the effectiveness of risk management, control, and governance processes within the University of Adelaide.

Internal audits are designed to provide assurance and confirm compliance to the University Council and its Standing Committees and are separate from those conducted annually by the State Auditor General’s Office.

The University’s IA services are outsourced providing independence and impartiality. Since 2021 Ernst & Young (EY) has been the University’s internal auditor.

EY, in consultation with Risk Services and Chief Operating Officer, develops a yearly internal audit plan, following a risk assessment and consultation across the University. The internal audit plan is endorsed by Risk Committee in Q4 and identifies projects and compliance reviews that will be conducted throughout the year. Reviews will be advised as soon as possible, after the audit plan has been approved.

Each year around 6 audits are scheduled. Timings are generally agreed in Q4 with the relevant branches to avoid conflicts as much as possible. Each audit has a set number of days allocated and a fixed date for reporting to Risk Committee through its annual calendar of meetings.

Internal audits are concluded with a formal internal audit report. The internal audit report generally includes recommendations and improvement opportunities that are referred to University management for action. Senior management are invited to respond to draft recommendations and once recommendations are accepted/agreed to, actions and timeframes are assigned. Actions will then be recorded in EYVIA to facilitate implementation tracking. EY has developed an action owner user manual to assist in navigating the EYVIA system.

The progress on implementing agreed actions is reported to the Risk Committee quarterly. This process is facilitated by EY and supported by the platform EYVIA. A procedure has been developed to provide guidance to University management on closing internal audit recommendations.

Risk Services’ role

Risk Services manages the relationship with the outsourced Internal Audit provider to ensure effective annual planning and timely completion of audit assignments. The IA services are supported internally by the Manager, Audit and Compliance and the Chief Risk Officer. If you require any assistance with communicating to the Internal Audit Team or have any questions or concerns around internal audit, Risk Services can assist. 

EY’s role

  • Report to Risk Committee not to University Management.
  • Scope the project, conduct fieldwork, and write up findings and recommendations.
  • Conduct reviews in conjunction with nominated personnel.
  • Seek access to senior managers and identified staff, to confirm activities, verify processes, source additional information and clarify concerns.
  • Approach University personnel at any stage of the audit project, as appropriate/notified.
  • Submit the final audit report, and subsequent status updates, to Risk Committee.

EY has key personnel assigned to the services to work with the University; the key team comprises Catherine Friday (Lead Partner), Amelia Grace and Laura Ford. Other auditors and specialists are involved as needed; their names and roles will be notified as appropriate.

Your role

  • Help refine the scope of a proposed audit and identify key people to participate in, and respond to, requests for access to data or responses to queries.
  • Use the time of all involved as efficiently and effectively as possible; so you are asked to:
    • approach the audit co-operatively and collaboratively; and
    • advise any concerns you have as soon as possible, about being able to accommodate the audit in the scheduled timeframe, and/or your ability to respond to requests or access to data from within existing resources.
  • Ask questions, query findings or seek advice at any of stage of the audit from EY, your manager, or Risk Services.
  • Follow the procedure on closing internal audit recommendations and advise EY and Risk Services if you are unable to meet a previously agreed target date.
  • Flag concerns early to Risk Services about any aspect of the audit, the auditor’s authority or approach, or any other issues, so that we can help resolve the concerns.
  • Closing open Internal Audit actions procedure

    1. Introduction

    The Institute of Internal Auditors defines internal audit as “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

    Standard 2500 of the International Standards for the Professional Practice of Internal Auditing (‘the Standards’), requires that “The chief audit executive [EY] must establish and maintain a system to monitor the disposition of results communicated to management.” Standard 2500.A1 requires “The chief audit executive [EY] must establish a follow-up process to monitor and ensure that internal audit actions have been effectively implemented or that senior management has accepted the risk of not taking action.”

    The University’s internal audit services are outsourced providing independence and impartiality. Ernst & Young (EY) is contracted until December 2024 and uses the “EYVIA” platform to record, monitor and report on outstanding internal audit actions.

    In addition, Standard 2600 requires that “When the chief audit executive [EY] concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive [EY] must discuss the matter with senior management. If the chief audit executive [EY] determines that the matter has not been resolved, the chief audit executive [EY] must communicate the matter to the board [Risk Committee].

    These standards form the basis for the procedure used by the University of Adelaide to close open internal audit actions.

    2. Recording and tracking internal audit actions

    A significant amount of time is committed to an internal audit engagement, and a clear and actionable audit observation is critical to communicate issues noted during the engagement. Audit observations provide management, the Risk Committee, and stakeholders with an objective summary of the University’s operations, risks, and controls, as well as a summary of the audit work performed. Audit observations are how internal audit communicates audit results. When gaps are identified, the internal audit suggests appropriate actions to improve the organization’s processes.

    Audit actions describe a desirable change required to address a key risk. These actions are provided to assist management address weaknesses or deficiencies within internal controls to mitigate key risks. Management can and should challenge both the gap and the action, based on evidence and analysis. The auditor will respond to such challenges and the final audit report should have a high degree of support from both management and auditors. The final audit report will include management comments that highlight management’s commitment to action, assign accountabilities and set target completion dates.

    Accountabilities and timeframes assigned to audit actions should be clearly communicated before the finalization of the Internal audit report to ensure timeframe and assignment are understood by all parties.

    Each audit finding has a risk rating as per the University Risk Matrix. Risk ratings are based on likelihood and consequence assessments, the criteria for which have been agreed with management. The risk rating indicates the potential risk impact on the category of risk and describes the management action required as defined by the University’s Risk Management Framework. The purpose of the risk ratings is to highlight the seriousness of the finding and to help management with prioritisation.

    Tracking audit actions holds management accountable for following through on the commitments made. Being mindful that systems and operating contexts constantly evolve, the aim is to ensure that the underlying risk and deficiency are corrected. As such, management has the discretion to address the risk and deficiency in ways different from the auditor’s action.

    1. Improvement opportunities

    As part of the internal audit engagement, improvement opportunities may be identified. Such opportunities will be included in the internal audit report and can be considered as valuable feedback to the business. While efforts should be made to take these into consideration, management comments, accountability and target completion dates will not be set in the audit report, nor will they be tracked in EYVIA.

    1. Standard and exceptional closing process

    The following table illustrates the difference between what internal audit would consider standard reasons for closing open actions versus what would be considered non-standard or exceptional reasons for closing actions. Closing requests for exceptional reasons will need to be appropriately justified and escalated to the Chief Risk Officer and Risk Committee.

    Standard reasons

    Exceptional reasons

    The original issue is resolved (to stakeholder satisfaction) and no longer warrants any action.

    The original issue is not resolved to reasonable stakeholder satisfaction, but management no longer wishes to be accountable for the implementation of the action.

    Examples include:

    1. The issue is addressed following the recommendations in the audit, with the intended benefit.
    2. The issue is addressed through alternative courses of action, with the intended benefit.
    3. The original finding and/or risk has become immaterial or irrelevant due to a change in circumstances.
    4. Other actions taken have already addressed the underlying risk.
    5. The original audit finding was found not to be accurate or reasonable as a basis for the proposed actions.

    Examples include:

    1. A fundamental change in organisational priorities.
    2. Costs of implementing the action are now disproportionate to the benefits.
    3. Management wishes to accept the risk, for any other reasons, without taking any further action.

    Requests for closing open internal audit actions for reasons other than the above are not considered sufficient grounds for closing open actions. Examples include but are not limited to:

    • Too much time has passed. Management is still expected to demonstrate that the finding no longer has any rationale or that the underlying risk has been addressed.
    • Commitment to a future change that will address the issue. This can be a valid reason to postpone the target completion date of the action but requires evidence of strong progress towards implementation of the change.
    • Change of responsible manager or a broader restructure. This does not in itself result in the issue being resolved and as such is not sufficient grounds for closing the open action.
    • Inadequate resources, funding, or management support for implementation. Such factors can be legitimate, however, escalation of decision-making regarding action closure will be required.

    4.1. Standard process

    The standard closing process is commonly applied where the evidence supports that the risk highlighted in the original finding has been satisfactorily addressed or where circumstances have changed to the extent that the original risk or action is no longer relevant. This process is managed by the internal audit team, in accordance with the internal protocols and processes outlined below.

    • Action owners are allocated to each individual action within EYVIA and will be prompted by internal audit or Risk Services to provide feedback and evidence regarding the implementation of the agreed action.
    • Requests to close open actions must always be supported by evidence, explanations, and documentation. Internal audit is responsible for assessing the information and documentation provided before closing the action in EYVIA.
    • Decisions regarding closing more significant actions may be escalated to Risk Services for discussion and approval.
    • Internal audit together with Risk Services monitor open actions on a quarterly basis and report accordingly to the Risk Committee.

    EY has prepared an action owner user manual to assist in navigating the EYVIA system.

    4.2. Exceptional process

    In unusual and exceptional cases, management may approach internal audit to request closing open actions, despite them not having been resolved. The Area Manager responsible (i.e., meaning Deputy Vice-Chancellors and Vice Presidents; Pro Vice-Chancellors; Executive Deans; Executive Director, Human Resources; Chief Executive, External Relations (and a person acting in these positions); and Institute Directors, as defined in the University of Adelaide Enterprise Agreement 2023 - 2025 is required to confirm in writing to internal audit and Risk Services that they are supportive of accepting the underlying risk and proposing closing the open action. In assessing the appropriateness of a request to close an unresolved action, the Area Manager should consider if the argumentation is genuine and valid and whether key University stakeholders (including the Risk Committee) would be satisfied with the decision to continue with the deficiency leading to the action.

    Internal audit and Risk Services will consider the proposal, in the context of the following:

    • Other actions already completed relating to the same audit finding and risk,
    • Changes in circumstances,
    • The cost of addressing an audit finding in relation to the benefits,
    • Whether the open action relates to a key control[1] or has University-wide implications (e.g., a systemic issue),
    • The risk rating of the finding that the open action relates to, and
    • How the open action relates to the University’s Risk Appetite.

    Exceptional closing requests where risks are not considered unacceptable should be supported by the Chief Risk Officer, and reported to the Risk Committee. If the Chief Risk Officer assesses that closing the open action will result in the acceptance of a level of risk that may be unacceptable to the University, the request will be presented for decision at the Risk Committee by the Area Manager. Closing actions must always be properly supported and justified, including evidence of management’s acceptance of the underlying risk.

    1. Requests for a revision of the target completion date

    If management is unable to meet a previously agreed target completion date, only the Risk Committee may approve a revision of the agreed target completion date. A justification and plan of action highlighting the commitment by management to implement the action needs to be provided. Internal audit together with Risk Services will facilitate the request for extension to be reported to the Risk Committee. The implementation of internal audit actions is an integral part of the internal audit process and allows management to address weaknesses or deficiencies within internal controls to mitigate key risks. As such, revisions of target completion dates should only be used in exceptional cases. If a revision of the target completion date is requested more than twice for the same action, the Area Manager will need to present it to the Risk Committee to obtain approval for such a request.

    1. Other strategies to improve the closing process

    6.1. Improvement plan

    In exceptional cases where the nature of the observations made in the Internal audit report is predominantly strategic, with internal assessments ongoing and several recommended actions in response to both the findings and improvement opportunities noted, the internal audit may decide to not seek individual management responses to each action. In such cases, an overarching recommendation may be made to management to translate the actions into a combined ‘Improvement Plan’ that brings together the internal audit actions with those from the internal assessment.

    This will support the University with a more considered response plan that more systematically uplifts maturity, reduces compliance risk, and enhances clarity for everyone involved. Usually, it will be recommended for the Improvement Plan to be overseen by an appropriate governance structure within the University, with Executive ownership, and that resourcing requirements to support the Improvement Plan are determined. Once developed, the Improvement Plan should be presented to the University’s Risk Committee by the Internal audit sponsor for visibility and the actions from the internal audit report will be monitored as per usual procedures.

    We note, that this is not a standard approach and will only be utilized in specific situations.

    6.2. Setting reasonable timeframes

    The internal audit aims to work with the business to set reasonable timeframes for the completion of actions arising from internal audits. Management is encouraged to carefully consider the reasonability and feasibility of the timeframes proposed at the time of finalization of the report.

    6.3. Resources

    A common barrier to closing open audit actions is funding and resourcing. Management is therefore recommended to carefully consider staffing and budget implications to assess the realism of proposed internal audit actions and timeframes. Management should actively consider agreed commitments regarding open audit actions when establishing annual budgets.

     

    [1] For this document a key control is (1) a control that an appropriate risk analysis determines is critically important for effective system safeguards, (2) the only control that covers a risk; and/or (3) a control that covers more than one risk or supports a whole process execution.