University Audit and Assurance - Governing Policy | UniSC | University of the Sunshine Coast, Queensland, Australia

University Audit and Assurance - Governing Policy

Approval authority: Council
Responsible Executive member: Vice-Chancellor and President
Designated officer: Director, Governance and Risk Management
First approved: 6 December 2005
Last amended: 23 January 2026
Review date: 31 December 2026
Status: Active
Related documents
Related legislation / standards
  • University of the Sunshine Coast Act 1998 (Qld)
  • Financial Accountability Act 2009 (Qld)
  • Work Health & Safety Act 2011 (Qld)
  • Auditor-General Act 2009 (Qld)
  • Queensland Treasury Audit Committee Guidelines – Improving Accountability and Performance (2020)
  • International Standards for the Professional Practice of Internal Auditing (2017)
  • Financial and Performance Management Standard 2019 (Qld)

1. Purpose

1.1 This policy and the associated Internal Audit Charter (Charter) provide a broad overview for the conduct of audit and assurance services at the University.

2. Scope and application

2.1 This policy applies to all staff, students, contractors and members of decision-making and advisory bodies of the University.

2.2 Under the University of the Sunshine Coast Act 1998 (Qld) and the Financial Accountability Act 2009 (Qld), Council is required to efficiently, effectively and economically manage and control the University’s operations and must act in the way that promotes the University’s interests, including to:

(a) establish and maintain appropriate systems of internal control and risk management

(b) establish and keep funds and accounts in compliance with prescribed requirements

(c) ensure annual financial statements are prepared, certified and tabled in Parliament in accordance with prescribed requirements

(d) undertake planning and budgeting for the University that is appropriate to its size; and

(e) perform other functions conferred by legislation on the University or under a financial and performance management standard.

2.3 Assurance elements at the University which are covered by this policy include the following three key legislative components:

(a) Internal Audit – established by the University in accordance with the requirements of the Financial and Performance Management Standard 2019 (Qld)

(b) Audit and Risk Management Committee (ARMC) – established by the University in accordance with the requirements of the Financial and Performance Management Standard 2019 (Qld), including the development of terms of reference which have regard to the Queensland Treasury publication ‘Audit Committee Guidelines – Improving Accountability and Performance’ (July 2020); and

(c) External Audit – the University is required under Section 62 of the Financial Accountability Act 2009 (Qld) to prepare annual financial statements, certify whether these statements comply with prescribed requirements, have the statements audited as required under the Auditor-General Act 2009 (Qld) and include these statements in the University’s annual report.

3. Definitions

3.1 Refer to the University’s Glossary of Terms for definitions as they specifically relate to policy documents.

4. Policy Statement

4.1 This policy outlines the University's audit and assurance approach, designed to support the effective fulfillment of its stewardship and leadership responsibilities. It aims to enhance the University's control environment, including the management of institutional resources, in alignment with relevant legislative obligations.

4.2 The Council and management of the University are committed to an open and accountable system of governance. The implementation of an effective audit and assurance approach, and the integration of continuous improvement processes throughout the University to help achieve strategic and operational goals, is fundamental to these principles.

5. Principles

5.1 Audit and Assurance

5.1.1 The University’s Audit and Assurance approach is structured around a three lines of defence model, as per the University Risk and Compliance Management – Governing Policy. This model clarifies and organises roles, responsibilities, relationships and accountabilities related to decision-making, risk management and internal controls. It supports effective governance and assurance by progressively increasing levels of independence and objectivity across each line, thereby delivering greater assurance to key stakeholders.

5.1.1.1 The first line of defence includes all staff and management directly involved in day-to-day academic, corporate, and research activities. Risk Owners, Compliance Owners and Control Owners are responsible for the identification and effective management and mitigation of risks as well as the identification, recording, escalation and management of issues to ensure compliance obligations are met.

5.1.1.2 The second line of defence undertakes oversight of the risk and compliance activities undertaken by the first line and includes certain corporate functions which, in addition to their first line responsibilities as risk, compliance or control owners, have specialist governance, risk and compliance expertise in their respective domains to provide specific guidance, support, tools, and advice regarding the management of risks and compliance obligations (e.g. Governance and Risk Management (GRM), Finance, People & Culture (including Workplace Health & Safety), Data Governance and Privacy, and Cyber Security).

5.1.1.3 The third line of defence (Internal Audit) is responsible for independently evaluating the effectiveness of first line and second line controls, and reporting audit findings to the University Executive and the Audit and Risk Management Committee.

5.2 Internal Audit

5.2.1 The University is committed to maintaining an efficient, effective and economical internal audit function as required by the Financial and Performance Management Standard 2019 (Qld). The University must ensure that all internal audit activities remain free of influence by any organisational elements.

5.2.2 Internal Audit’s roles and responsibilities are defined by Council, on advice of the ARMC, and outlined in the Internal Audit Charter. Its primary purpose is to add value to the University’s operations by providing independent assurance and advisory services.

5.2.3 Internal Audit’s responsibilities include, but are not limited to, evaluating the adequacy and effectiveness of the University’s:

(a) risk management processes

(b) internal controls

(c) operational efficiency and effectiveness

(d) governance practices

(e) performance metrics; and

(f) compliance with applicable laws and regulations.

5.2.4 These responsibilities are discharged through the creation and execution of a risk-based rolling three-year Strategic Internal Audit Plan and an annual Operational Internal Audit Plan. The Strategic Internal Audit Plan identifies the broad goals to be achieved and strategies to be adopted over the three-year period, and the Annual Operational Internal Audit Plan details the audit engagements for the forthcoming year.

5.2.5 A review or provision of reasonable assurance by Internal Audit does not in any way relieve officers of the University of their individual responsibilities and accountabilities. Nor does it in any way diminish the Vice-Chancellor and President’s, members of the University’s Executive, or management’s responsibilities for the implementation and maintenance of effective systems of internal control, and prevention and detection of fraud.

5.2.6 The Senior Internal Auditor and representatives from the co-source Internal Audit Service Provider are invited to attend each ARMC meeting.

5.3 Audit and Risk Management Committee (ARMC)

5.3.1 The University is committed to maintaining an ARMC in accordance with the Financial and Performance Management Standard 2019 (Qld).

5.3.2 As it relates to Internal Audit, the primary functions of the ARMC are to:

(a) oversee and evaluate the design adequacy and operating effectiveness of the control environment to provide reasonable assurance that the systems of internal control are of a high standard and functioning as intended; and

(b) oversee and evaluate the quality of the internal audit function, particularly in the areas of planning, monitoring and reporting.

5.3.3 As it relates to External Audit, the primary functions of the ARMC are to:

(a) review and appraise the financial statements to ensure the integrity and transparency of the financial reporting process; and

(b) engage with external audit and assess the adequacy of management response to issues identified by audit.

5.3.4 The ARMC responsibilities are defined by Council as part of their oversight role. Detailed roles, responsibilities, composition and operating guidelines for the ARMC are outlined in its Terms of Reference.

5.4 External Audit

5.4.1 The University and its consolidated entities are required to have an external audit of statutory compliance in accordance with the Financial Accountability Act 2009 (Qld) and the Auditor-General Act 2009 (Qld). This is conducted by the Queensland Audit Office or its authorised subcontractors.

5.4.2 External Audit must be given full, free and unrestricted access to any and all records, physical properties, personnel and other documentation belonging to, in the custody of, or under the control of, the University. All employees are to assist External Audit in fulfilling its role and responsibilities.

5.4.3 The University’s external audit program is comprised of the following:

(a) on an annual basis an external audit plan is set by External Audit which outlines key areas of audit focus, scope and related costs and is provided to the ARMC for review. Final audited financial statements and reports are provided in sufficient time for the University to meet its financial and legislative reporting requirements; and

(b) as part of a comprehensive program of audit activities across entities at a state level, the Queensland Audit Office also runs a program of performance audits. The University is a willing participant in such audits.

5.4.4 It is the responsibility of External Audit to audit the annual financial statements and prepare an auditor’s report in accordance with legislative requirements, prescribed accounting standards and government guidelines. The Auditor-General presents its annual report, audit certification and management letter to both the University and in its annual report to state parliament.

5.4.5 External Audit representatives are invited to attend each ARMC meeting.

5.5 Review

5.5.1 This policy and the Internal Audit Charter are reviewed by the ARMC annually. All amendments to the policy and Charter require ARMC’s endorsement, prior to submission to Council for discussion and approval.

6. Authorities and responsibilities

6.1 As the Approval Authority, Council approves this policy in accordance with the University of the Sunshine Coast Act 1998 (Qld).

6.2 As the Responsible Executive Member, the Vice-Chancellor and President can approve procedures and guidelines to operationalise this policy. All procedures and guidelines must be compatible with the provisions of this policy.

6.3 As the Designated Officer, the Director, Governance and Risk Management can approve associated documents to support the application of this policy. All associated documents must be compatible with the provisions of the policy.

6.4 This policy operates from the last amended date, with all previous iterations of policy on University audit and assurance replaced and no longer operating from this date.

6.5 All records relating to University audit and assurance must be stored and managed in accordance with the Records Management - Procedures.

6.6 This policy must be maintained in accordance with the University Policy Documents – Procedures and reviewed on an annual policy review cycle.

6.7 Any exception to this policy to enable a more appropriate result must be approved in accordance with the University Policy Documents – Procedures prior to deviation from the policy.

6.8 Refer to University Delegations – Governing Policy in relation to the approved delegations detailed within this policy.

6.9 The following authorities and responsibilities are delegated under this policy:

| University Officer/Committee | Activity |
|---|---|
| Council | Overarching accountability for maintaining audit and assurance function in accordance with legislative requirements. |
| ARMC | Oversight and evaluation of the University’s audit and assurance activities. |
| Vice-Chancellor and President | Responsible for ensuring that audit and assurance activities are carried out effectively within the University and for promoting a culture that encourages strong governance, risk management and control. |
| Executive Committee Members | Responsible for supporting the audit process, facilitating access and engagement, and ensuring timely implementation of agreed audit actions within their area of accountability. |
| Director, Governance and Risk Management | Responsible for oversight of administrative aspects of the Internal Audit function. |
| Senior Internal Audit Manager | Responsible and accountable to the ARMC to operate the Internal Audit function in accordance with the Audit and Assurance approach and the University’s Internal Audit Charter. |

7. Appendices and supporting documents

Appendix 015: Internal Audit Charter
