Protocols

  • December 2019
ATTACHMENT 3

INTERNAL AUDIT PROTOCOLS

Contents

• Purpose of protocols and structure
• Objectives and scope of internal audit
• Structure
• Audit planning
• Audit delivery
• Audit reporting and follow up
• Link to risk management framework
• Performance monitoring

Purpose of Protocols and Structure

This document sets out the structure, planning, delivery, performance and reporting practices to be adopted by the internal audit function of Uniting Care Queensland (UCQ). It applies to all internal audit activities, whether performed by in-house resources, or professional services providers who may be employed to support UCQ’s internal audit activities from time to time.

Objectives and Scope of Internal Audit

The Audit, Risk and Compliance Committee of UCQ (ARCC) has approved an Internal Audit Charter that sets out the purpose and scope of work to be undertaken by the internal audit function. To avoid unnecessary duplication here, the Internal Audit Charter should be read in conjunction with this document.

In summary however, the internal audit function is to provide the Board, ARCC and Senior Management with independent and objective assurance and consulting services in relation to the adequacy of design and effectiveness of implementation of governance, risk management, internal control and compliance systems put in place by UCQ to manage its business risks. Consequently, all areas of the business, including key business processes and functions, are within the scope of internal audit. In evaluating such business processes the focus of internal audit activities will generally be to report on whether:

• Risks which may impact UCQ’s objectives have been recognised and are being appropriately managed within acceptable risk levels;
• Resources are being used economically and efficiently;
• Performance information (financial and operational) is complete, accurate and timely;
• Policies, plans, procedures, laws, regulations, funding requirements, ethical standards and fiduciary responsibilities are being complied with; and
• Assets are being safeguarded against loss, theft, destruction or other reduction in value.

To report on such objectives, internal audit will generally consider whether controls have been designed adequately to manage risks to acceptable risk levels, and that they are functioning or operating as intended.

Structure

UCQ is operating in a changing environment and must therefore structure and resource its internal audit function in a flexible manner that allows appropriate responses to both current and emerging risks and challenges. Consequently internal audit should have the ability to use external service providers who understand UCQ’s operations and who can support its internal resources through the use of specialist skills or additional resources as required from time to time. The structure also reflects the importance placed on the independence of the internal audit, which supports its ability to provide objective assurance to the Board, ARCC and senior management. The structure is set out below:

[Organisation chart. Labels: Uniting Care Queensland Board; Audit, Risk and Compliance Committee; Uniting Care Queensland Director; Agency Executive Directors; Agency Senior Managers; Group Manager, Finance & Strategic Initiatives; Planning and Reporting Responsibility; Group Internal Audit Manager; Internal Audit Resources]

The roles implicit in the above structure, to be undertaken by appropriately qualified personnel, include:

Page 2 of 10 Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc

Group Internal Audit Manager (GIAM)

This role reports to the Group Manager Finance & Strategic Initiatives (GMFSI). The GIAM will be responsible for both annual and engagement level audit planning, and the delivery of all internal audit activities in accordance with appropriate auditing standards, including engagement planning, audit delivery, maintenance of appropriate documentation and the preparation and delivery of reports.

The allocation of internal audit services within UCQ will be based upon the relative needs and risk profiles of activities and the necessity to provide assurance to the ARCC that UCQ’s governance, risk management, internal control and compliance systems are adequately designed and operating as intended across all activities.

It is the responsibility of the GIAM to ensure that the activities of internal audit are co-ordinated fully with the risk management framework. It is also the responsibility of the GIAM to co-ordinate preparation of the internal audit plan and reports in consultation with Agency Executive Directors and Senior Managers. Draft audit plans and reports shall be provided to Agency Senior Managers prior to their finalisation and provision to the ARCC. Significant matters may be escalated to the Director, Uniting Care Queensland where standard escalation processes and times have not resulted in an adequate response.

Any changes to the annual internal audit plan for matters such as one-off projects identified as necessary during the year will be initially proposed by the GIAM in conjunction with Agency Senior Managers for approval by the GMFSI.

Director, Uniting Care Queensland

The Director, Uniting Care Queensland has the responsibility to provide assurance to the ARCC that the internal audit program is consistent with their assessment of needs and risks across UCQ and to reinforce the status and responsibility of the internal audit function with Agency Executive Directors.

Agency Executive Directors

Agency Executive Directors (or their equivalent) play a vital role to ensure that the Internal Audit Plan, as related to their Agency, provides adequate coverage of existing and planned governance, risk management, internal control and compliance systems and that planned and actual internal audit activities take into consideration the risk profile and nature of operational activities and issues for each Agency. It is the responsibility of Agency Executive Directors to:

• facilitate ready access by the GIAM and the Internal Audit Team to the operations, information, key personnel and management forums of Agencies;
• support the effective conduct of the internal audit program; and
• support the status and responsibility of the internal audit function within Agencies.


Group Manager Finance & Strategic Initiatives (GMFSI)

The internal audit function reports to the GMFSI. This means the GMFSI will approve the budget of the internal audit function and will support the status and responsibility of the internal audit function within UCQ. Internal audit services (including cost recovery) will be agreed with each of UCQ’s Agencies on an annual basis through GMFSI and GIAM.

The GIAM will report to the GMFSI in respect of day to day management matters, including general staffing and any external service providers used from time to time, travel, IT support, and general administration. The GMFSI is responsible for reviewing the draft internal audit programs, plans and reports prior to submission to the ARCC. The GMFSI is also responsible for evaluating the performance of the GIAM, including obtaining feedback from the ARCC, the Director, Uniting Care Queensland and Agency Executive Directors.

Internal Auditors

These roles will report to the GIAM and will assist in the delivery of audit engagements in accordance with appropriate auditing standards.

External Service Provider

The internal audit activities of the UCQ will need to be flexible in terms of the breadth and depth of coverage of the activities of UCQ. It is possible therefore that the internal audit activities of the Group may have to be supplemented from time to time with resources contracted from outside of UCQ. Such resources may be required to undertake audit work in respect of specialist areas, or where demand for work is such that additional general audit resources are required.

Audit Risk and Compliance Committee

The internal audit function reports to the ARCC in relation to Internal Audit Planning and Reporting, and as such the ARCC will be responsible for endorsing, for submission to the Board, the following items:

• annual audit plans;
• changes to the annual audit plans during the course of the year;
• reports from the GIAM; and
• understanding the status of actions required as a result of audit findings.

The ARCC shall also be available to meet independently with the GIAM, as required.


In addition, the ARCC will be involved in decisions on the appointment and termination of the Group Internal Audit Manager and provide input into the annual performance review of Internal Audit and the GIAM.

Audit Planning

Scope of Work

The audit work to be completed in any given year will focus on the general requirement that the ARCC will expect the Group Internal Audit Manager to provide a report, on an annual basis, in relation to the overall governance, risk management, internal control and compliance systems. The Group Internal Audit Manager will therefore plan the work of the internal audit function so as to obtain sufficient evidence throughout the course of the year, regarding the adequacy of design, and effectiveness of implementation, of the controls and processes adopted by UCQ and its Agencies to manage their key risks. To ensure this occurs, it would generally be expected that the audit plan will include the following major segments:

Focus Area: Business-As-Usual Processes
Description: Review of all major business processes across the Group. Such reviews will be based on an overall risk analysis of such processes, across each service unit. Processes can be audited as a single process across the entire UCQ group, or restricted to specific activities, whether due to the relative size or importance of that activity, or for practical reasons such as when a range of processes are audited at one physical location to maximise the efficiency of an audit visit to a geographically separate location.

Focus Area: Change Projects
Description: As the risk profile of Agencies, activities or processes generally increases during a period of change, such change projects should be included in the work of internal audit, as appropriate given the size of the project.

Focus Area: Financial Processes
Description: Although these can be included as part of “business as usual” processes, the importance of external reporting requires that financial processes are given special consideration when planning audit work. Such work should be planned and coordinated with the external auditors to avoid unnecessary duplication.

Focus Area: Compliance Processes
Description: The processes adopted by UCQ to ensure that compliance with policies, plans, ethical standards and fiduciary responsibilities, laws, regulations, applicable contracts and funding requirements takes place. These should form an essential part of the overall audit work.


The methods used to plan audit work should be in accordance with appropriate auditing standards.

Strategic and Annual Audit Plans

It would be expected that, due to the size of UCQ, all risks will not be able to be covered within any one year, and so a cyclical basis of auditing will be required to ensure adequate coverage of risks over a period of time. It is expected that the ARCC would be made aware of, and approval would be sought for, any long term or strategic audit plans.

On an annual basis an audit plan, covering the work to be performed over the next financial year, is to be presented to the ARCC for approval. Such a plan will set out the approximate timing of audit work, the high level scope of each audit, and the resources required to complete the work over the course of the year. Changes to the plan can be suggested throughout the year, but will be subject to approval by the ARCC.

Audit Delivery

All audits should be planned, delivered and reported upon in accordance with the International Standards for the Professional Practice of Internal Auditing, issued by the Institute of Internal Auditors. In undertaking audits within UCQ however, it will be expected that certain behaviours and communication protocols will be adhered to, as set out in the following table:

Audit Area: Audit Planning
Protocol:
• Appropriate levels of management will be involved with the overall audit planning process.
• Internal audit services will be agreed with and contracted to each of the Agency Executive Directors at the beginning of each financial year. The contract will include scope of work, timetable and anticipated cost recovery.

Audit Area: Assignment Planning
Protocol:
• Assignment scope document (ASD) to be prepared setting out the purpose, high level risks, scope, agreed timing, resources to be used and assistance required from the service unit to be audited.
• ASD to be provided to audit sponsor and other interested parties at least two weeks prior to the commencement of the audit.

Audit Area: Audit Work
Protocol:
• Internal audit is to be provided with access to whatever people, records or systems it deems necessary to perform the required level of audit work.
• All work is to be appropriately documented and documentation is to be retained for 7 years.
• Audit staff will be expected to maintain appropriate levels of confidentiality throughout the audit process, but in particular when working at service unit locations.

Audit Area: Findings and Recommendations
Protocol:
• The more important issues that arise during the course of an audit should be progressively discussed with the appropriate levels of management concerned.
• Findings are to be discussed with local management prior to leaving the site, and wherever practical the rating of findings, management comments and actions should be agreed at this time.

Audit Area: Reporting
Protocol:
• Formal audit reports should be issued in draft, to local management for comment, no later than two weeks following the completion of the fieldwork.
• Reports should be finalised, including the provision of comments on findings by management (including to Agency Executive Directors), within two weeks of the report being issued in draft.
• Any issues identified to be of great significance and requiring urgent attention should be immediately reported by the GIAM to the GMFSI, Director Uniting Care Queensland and ARCC and Board Chairs.

Audit Area: Audit Follow Up
Protocol:
• It will be expected that management will take ownership of all agreed actions and the timing allocated for their completion.
• The internal audit function will follow up on progress in completing actions in order to provide a summary progress report on a quarterly basis to the ARCC meeting.

Audit Area: Continuous Improvement
Protocol:
• The views of the Director, Uniting Care Queensland and Agency Executive Directors will be sought, on an annual basis, in respect of the performance of internal audit in their experience. This may be supplemented with the views of project managers and functional management where appropriate.
• The GMFSI will summarise the findings from this process and include any actions deemed necessary for improvement in the report to the ARCC at which the annual audit plan is to be approved.

Audit Reporting and Follow Up

Individual Assignment Reports

A full report will be prepared following the completion of each individual internal audit assignment. The report will set out, as a minimum, the following key pieces of information:

• The purpose of the audit work;
• A summary of the scope of the audit work;
• An overall conclusion in regards to whether controls have been designed and implemented which effectively manage the identified risks;
• A summary of any best practices identified which should be shared with other activities within UCQ;
• A summary of the key themes arising from the audit and any major or moderate category findings;
• Detailed findings and recommended actions; and
• Management’s comments and agreed actions.

All findings should be graded in terms of their level of importance. The grading system to be used for findings should be the same as that used in the risk management framework. In addition to providing the report to the manager of the area reviewed, a copy is to be provided to GMFSI and the relevant Agency Executive Director.

Audit Risk and Compliance Committee Reports

A report is to be prepared for each ARCC meeting that summarises the audit activities which have taken place since the last meeting, any themes or emerging risks which the work highlights, all risks identified with more than a moderate potential impact, a summary of above moderate category findings and the status of work compared to the annual audit plan.

On a quarterly basis, a summary report of audit engagements and outstanding (more than minor category) audit findings will be provided. On an annual basis a performance report will also form part of the ARCC summary report. This is to provide the ARCC with a summary of how the internal audit function has performed against agreed goals.

Annual Report to the Audit Risk and Compliance Committee

On an annual basis, the Group Internal Audit Manager is responsible for submitting to the ARCC a report which sets out a summary of the audit activities for the year, and an overall assessment on the design adequacy and effectiveness of implementation of UCQ’s governance, risk management, internal controls and compliance processes, as evidenced by the work undertaken.


Link to Risk Management Framework

The activities of the internal audit function need to be fully co-ordinated with the overall risk management framework of UCQ. This will be achieved by ensuring the following basic processes occur:

• The annual audit plan will be developed based to a large extent on the risk profile of UCQ and each Agency;
• Each audit assignment will be planned in such a manner as to ensure fieldwork seeks to obtain evidence of control effectiveness in respect of key risks, as summarised in the relevant risk profile;
• Audit findings shall be graded in a manner consistent with the risk framework;
• When discussing findings, it is a requirement that consideration is given to whether the findings indicate any changes are required to the risk profile, for example whether they indicate that management has not correctly assessed the importance of risks, or have overstated the effectiveness of controls, when determining their residual risk profile;
• Agency Executive Directors should refer to audit activity and findings, when reporting upon their risk profile to the Director Uniting Care Queensland; and
• Facilitating the updating of risk registers (risks, causes, treatments, action items) so that a consistent approach is applied across UCQ.

Performance Monitoring

The performance of the internal audit function of UCQ will be monitored in two ways, as follows:

Quality Review

On a periodic basis, at least every five years, a person or organisation independent of the function will review the internal audit function. This would normally be expected to be an outside consultant with the appropriate level of expertise in internal audit best practice.

Annual Performance Assessment

The internal audit function will establish goals and present these to the ARCC for approval on an annual basis, at the beginning of the financial year. The GMFSI and GIAM will then report on performance against these goals at the end of that financial year. The assessment of performance will be based on a range of performance indicators, across a broad spectrum of focus areas. The measures to be used are summarised in the following table:


Financial and Management

• Annual audit plan delivered within budget, concentrated on high risks and areas of sensitivity, and carried out with appropriate resources.
• Cost savings or revenue opportunities identified as part of the outcomes of the audit process
• Expertise from outside internal audit group used where appropriate and as planned (e.g. IT).

Process

• Protocols in relation to timing, communications and reporting have been adhered to throughout the year
• All approved audits have occurred as intended or alternative suitable arrangements have been put in place
• Actions in respect of audit findings have been followed up and reported upon as appropriate

Service Provision

• Senior Managers believe that internal audit provides an objective value added service to the business
• ARCC believe that the level of reliance they can place on the governance, risk management, internal control and compliance systems of the Group has improved as a result of internal audit activities

People

• The skills of line managers and staff have improved as a result of the internal audit work which has occurred
• Internal audit staff are appropriately skilled and trained to undertake the range of audit work required to meet the objectives of the internal audit function within the context of UCQ’s operations
• Staff turnover level for the most current year is in accordance with expectations.

The GIAM will conduct a performance review and career planning interview with each member of the internal audit team at least once per annum.
