Internal Audit (policy & procedure)

Transcription

1 Internal Audit (policy & procedure) Objective (purpose) The purpose of this document is to ensure the Crime and Corruption Commission s (CCC) internal audit function operates efficiently and effectively in accordance with sections of the Financial and Performance Management Standard Policy & procedure statement Internal audit is an integral part of the CCC corporate governance framework. The Commission recognises that by providing assurance on the effectiveness of the agency s internal control environment and identifying opportunities for performance improvement, internal audit can make a valuable contribution to achieving the CCC s corporate objectives. The Internal Audit Policy and Procedure documents the process and methodology for conducting audits and for managing the Internal Audit function. It is reviewed biennially in conjunction with the Internal Audit Charter. The Internal Audit Charter outlines the role, authority and responsibility conferred by the Commission on the internal audit function within the CCC. Definitions For the purpose of this policy and procedure, the following definitions apply: Term Charter Governance Definition The internal audit charter is a formal document that defines the Internal Audit purpose, authority and responsibility. It establishes the Internal Audit function within the CCC; authorises access to records, personnel, and physical properties relevant to the performance of audit assignments; and defines the scope of internal audit activities. The combination of processes and controls implemented by the CCC to inform, direct, manage, and monitor the activities of the organisation toward the achievement of its objectives. Internal Control The policies, procedures and activities that are part of a control framework, designed to ensure that risks are contained within the risk tolerances established by the CCC. Ver 2 - October 2015 PUBLIC Page 1 of 7

2 Application This policy and procedure is applicable to all CCC employees. Specifically the Internal Auditor undertakes audits and reviews in accordance with approved plans and conducts management initiated reviews as directed by the Chief Executive Officer. Procedure 1. Audit Planning 1.1 Whole of Universe Strategic Audit Plan (WUSAP) The WUSAP identifies the broad goals to be achieved and strategies to be adopted over a five year period. The Internal Auditor must prepare the WUSAP based upon the CCC s Strategic Plan and focuses on the areas of high risk and those where internal controls are weak. The WUSAP is reviewed and, if acceptable, endorsed by the Audit and Risk Management Committee (ARMC). It is forwarded to the Commission for approval. The WUSAP is reviewed annually by both the Internal Auditor and the ARMC and is referred to the Commission for approval. The WUSAP forms the basis for the preparation of the Annual Internal Audit Plan (AIAP). 1.2 Annual Internal Audit Plan (AIAP) The AIAP is prepared by having discussions with senior management and identifying areas of most risk. The areas of most risk should correlate with the Corporate Risk Register and relevant business unit risk registers. The AIAP is prepared by the Internal Auditor, endorsed by the ARMC and approved by the Commission. It contains details of audits to be completed for the ensuing year and a time budget for the completion of each audit assignment. The progress of the AIAP is monitored quarterly by the ARMC. The identification and prioritisation of individual audit tasks is based on a risk assessment of: materiality; significance of the auditable area in terms of its organisational impact; importance in terms of sensitivity and public accountability; and in consultation with senior management and QAO. Management s views are sought for any special considerations. 1.3 Individual Audit Plans The Internal Auditor prepares audit plans (briefs) for all proposed audits and submits them to the C h a i r m a n a n d Chief Executive Officer for approval. The audit plans will include the following as a minimum: Project title; Objectives; Methodology Scope; Areas of inherent risk; Ver 2 - October 2015 PUBLIC Page 2 of 7

3 Expected starting date; and Audit resources. The Internal Auditor also prepares an audit test program that demonstrates the audit tests to be completed from which audit findings and recommendations will be derived. The audit plan and test program are prepared as a result of: Preliminary discussions with management and employees of the area under review; Applying risk management strategies; i.e testing in areas at most risk and on materiality; Stating the audit samples to be chosen and the sampling technique Prior audit results; Policy and procedure manuals relevant to the area; and Other reference sources including business plans, service level agreements, and better practice guides etc. The Internal Auditor will establish individual audit files for each audit project. The individual audit plans (brief) would usually be the first document on these files. 2. Conduct of Audit Work 2.1 Overall Audit Approach The internal audit function will use contemporary auditing methodologies and practices in the performance of audits. The methodology used and approach to an audit is dependent on the nature of the area or system under review and the objectives set for the audit. The approach adopted remains the responsibility of the Internal Auditor. 2.2 Preliminary meeting Prior to the commencement of all audit projects, the Internal Auditor must conduct a preliminary meeting with the person(s) responsible for the activity under review, to discuss the audit objectives, scope and approach and any areas of concern or other risk areas they would like to include in the review. The agreed audit objective(s) and scope will be documented and a copy provided to the relevant manager. 2.3 Audit Fieldwork All audit fieldwork/testing must be performed in conjunction with the test program prepared during the planning stage and in accordance with the Institute of Internal Auditors Standards. (The test program may be amended if during the testing phase of the audit it becomes apparent that further testing is required or that a different approach is warranted.) All audit work must be documented and retained on the audit file as evidence to support audit findings and conclusions. 2.4 Exit interview For all audit projects, once audit testing is complete the Internal Auditor must discuss the findings and proposed recommendations at an exit interview with the person responsible for the activity under review. The results of the exit meeting must be documented as it forms the basis for preparation of the draft audit report. Ver 2 - October 2015 PUBLIC Page 3 of 7

4 3. Audit Reporting 3.1 Draft Audit Report The Internal Auditor must prepare a structured draft audit report so that it states: the objective/s of the audit; scope of the audit; the audit methodology used; summary of audit findings and recommendations that highlight areas of risk; audit conclusion detailed audit findings and recommendations recommendations for further action and/or improvement. An executive summary must be prepared which will identify issues, provide recommendations and actions planned or completed and any continuing risk exposures. The Internal Auditor must keep managers fully briefed throughout the course of the audit and distribute the draft reports to the relevant manager(s) for comment 3.2 Management Comments The Internal Auditor will provide a copy of the draft audit report to management of the area under review and invite management to provide comments on each of the audit findings and recommendations. Management comments should identify the person responsible for implementing actions required and provide an action date for each audit recommendation. The Internal Auditor must include management comments in the Final Audit Report. After inviting comments from management on the contents of the draft audit report, Internal Audit must prepare and issue a final audit report. The final audit report contains all the information in the draft audit report and with any agreed amendments and management comments. The Internal Auditor must address all final audit reports to the Chairman via the Chief Executive Officer for approval and issue copies to all Executive Directors, directors and relevant managers. The ARMC will be provided with a full report of each audit on a timely basis. The Internal Auditor must follow up on agreed management actions to audit findings and recommendations. The ARMC must be provided with a list of outstanding management actions at quarterly meetings and record reasons for any undue delays. The Commission should be informed of delays greater than 6 months, where the audit finding has been rated as high risk. The Internal Auditor will make all audit reports available for review by Queensland Audit Office (QAO) staff. The Internal Auditor will ensure sensitive information is treated in accordance with the CCC s requirements. 3.3 Reporting to the Commission The Commission will be notified of all internal audit reports tabled at ARMC meetings. Ver 2 - October 2015 PUBLIC Page 4 of 7

5 3.4 Annual Report At the end of each financial year the Internal Auditor is required to summarise the audit activity and work performed during the year, in a form that is appropriate for publishing in the Agency s Annual Report. The report shall include (as a minimum): A review of performance against the annual audit plan; Any initiatives introduced; and Compliance with regulatory and legislative requirements 4. Engaging Contractors 4.1 Specific Audit Requirements Where external contractors are engaged for audit work, specific requirements for their engagement must include: a description of the services to be supplied including audit coverage; budget approval; the reporting requirements; the term of the contract; resourcing arrangements; security clearances; intellectual property considerations; conflict of interest; and confidentiality obligations. Responsibilities and Authorities The Internal Auditor prepares the Strategic Audit Plan and ensures completion of the audit activities outlined within it. Prepares the Annual Audit Plans and individual audit plans for proposed audits and submits them to the Chairman via the Chief Executive Officer for approval. Prepares audit test programs and establishes audit files for each audit project. Conducts preliminary meeting with t h e person responsible for t h e activity under audit review and documents it as a note to file. Prepares the Internal Audit Brief that includes the audit objectives and scope. Conducts audit testing in conjunction with the test program. Documents all audit work undertaken and records on file. Retains sufficient evidence on file to support any audit findings and conclusions. Documents audit issues identified in an audit and issues them to management for their review and comment. Keeps managers fully briefed throughout the course of the audit. Discusses audit findings with the appropriate executive directors, directors or managers Ver 2 - October 2015 PUBLIC Page 5 of 7

6 Reviews the draft report with the appropriate person as a preliminary to finalising the report and circulates the report for comment. Requests and incorporates management comments on observations or recommendations into the final audit report. Follows up on internal audit recommendations agreed by management to ensure they have been implemented within a reasonable time. Prepares and issues a final audit report addressed to the Chairman and copied to the Chief Executive Officer, ARMC, Commission Members, all executive directors and relevant managers. Liaises with QAO staff as required, particularly during audit of financial statements and provides internal audit reports and documentation as required. ARMC Reviews and endorses the WUSAP and AIAP. Assesses the performance of the internal audit function. Ensures the audit activity is adequate for the Commission s objectives and risks. Chief Executive Officer Reviews individual audit plans. Assesses the Internal Auditor s Achievement and Capability Plan (ACP) Approves the Auditor s leave and budget expenses. Documents and Records Audit Plan Template (audit brief) Audit Test Program Template Audit Questionnaire Template Draft Audit Report Template Final Audit Report Template Strategic Audit Plan Annual Audit Plan Individual Audit Plans Summary of Audit Observations and Recommendations Template Legislative reference Financial Accountability Act 2009 Finance Accountability Regulation 2009 Financial and Performance Management Standard 2009 Other references CCC Internal Audit Charter CCC ARMC Charter International Standards for the Professional Practice of Internal Auditing, Institute of Internal Auditors Auditing Standards and Practice Statements, issued by CPA Australia, the Institute of Chartered Accountants in Australia and the Information Systems Audit and Control Association. Ver 2 - October 2015 PUBLIC Page 6 of 7

7 Review triggers This policy will be reviewed biennially. The following stakeholders should be consulted in any review of this policy: Chief Executive Officer Metadata Policy & Procedure Owner/Point of Contact: Author position: Approver s position: Brendan Clarke Internal Auditor Chief Executive Officer Date Approved: October 2015 Policy & Procedure Review Date: December 2016 Document reference No: Key Words: TRIM: 15/ (Internal Audit) TRIM: 13/ (Corp Gov) Audit, Accountability, Internal Control Ver 2 - October 2015 PUBLIC Page 7 of 7