Attachment 3: Co Ntents
Attachment 3: Co Ntents
Attachment 3: Co Ntents
Purpose of protocols and structure
Objectives and scope of internal audit
Audit planning
Audit delivery
Audit reporting and follow up
Link to risk management framework
Performance monitoring
This document sets out the structure, planning, delivery, performance and reporting
practices to be adopted by the internal audit function of Uniting Care Queensland (UCQ). It
applies to all internal audit activities, whether performed by in-house resources, or
professional services providers who may be employed to support UCQ’s internal audit
activities from time to time.
The Audit, Risk and Compliance Committee of UCQ (ARCC) has approved an Internal
Audit Charter that sets out the purpose and scope of work to be undertaken by the internal
audit function. To avoid unnecessary duplication here, the Internal Audit Charter should be
read in conjunction with this document.
In summary however, the internal audit function is to provide the Board, ARCC and Senior
Management with independent and objective assurance and consulting services in relation
to the adequacy of design and effectiveness of implementation of governance, risk
management, internal control and compliance systems put in place by UCQ to manage its
business risks. Consequently, all areas of the business, including key business processes
and functions, are within the scope of internal audit.
In evaluating such business processes the focus of internal audit activities will generally be
to report on whether:
• Risks which may impact UCQ’s objectives have been recognised and are being
appropriately managed within acceptable risk levels;
• Assets are being safeguarded against loss, theft, destruction or other reduction in value.
To report on such objectives, internal audit will generally consider whether controls have
been designed adequately to manage risks to acceptable risk levels, and that they are
functioning or operating as intended.
UCQ is operating in a changing environment and must therefore structure and resource its
internal audit function in a flexible manner that allows appropriate responses to both current
and emerging risks and challenges. Consequently internal audit should have the ability to
use external service providers who understand UCQ’s operations and who can support its
internal resources through the use of specialist skills or additional resources as required
from time to time.
The structure also reflects the importance placed on the independence of the internal audit,
which supports its ability to provide objective assurance to the Board, ARCC and senior
Page 2 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
Group Internal Audit Manager (GIAM)
This role reports to the Group Manager Finance & Strategic Initiatives (GMFSI). The GIAM
will be responsible for both annual and engagement level audit planning, and the delivery of
all internal audit activities in accordance with appropriate auditing standards, including
engagement planning, audit delivery, maintenance of appropriate documentation and the
preparation and delivery of reports.
The allocation of internal audit services within UCQ will be based upon the relative needs
and risk profiles of activities and the necessity to provide assurance to the ARCC that
UCQ’s governance, risk management, internal control and compliance systems are
adequately designed and operating as intended across all activities. It is the responsibility
of the GIAM to ensure that the activities of internal audit are co-ordinated fully with the risk
management framework.
It is also the responsibility of the GIAM to co-ordinate preparation of the internal audit plan
and reports in consultation with Agency Executive Directors and Senior Managers. Draft
audit plans and reports shall be provided to Agency Senior Managers prior to their
finalisation and provision to the ARCC. Significant matters may be escalated to the
Director Uniting Care, Queensland where standard escalation processes and times have
not resulted in an adequate response.
Any changes to the annual internal audit plan for matters as one off projects identified as
necessary during the year will be initially proposed by the GIAM in conjunction with Agency
Senior Managers for approval by the GMFSI.
The Director, Uniting Care Queensland has the responsibility to provide assurance to the
ARCC that the internal audit program is consistent with their assessment of needs and
risks across UCQ and to reinforce the status and responsibility of the internal audit function
with Agency Executive Directors.
Agency Executive Directors (or their equivalent) play a vital role to ensure that the Internal
Audit Plan, as related to their Agency, provides adequate coverage of existing and planned
governance, risk management, internal control and compliance systems and that planned
and actual internal audit activities take into consideration the risk profile and nature of
operational activities and issues for each Agency.
• facilitate ready access by the GIAM and the Internal Audit Team to the operations,
information, key personnel and management forums of Agencies;
• support the status and responsibility of the internal audit function within Agencies.
Page 3 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
Group Manager Finance & Strategic Initiatives (GMFSI)
The internal audit function reports to the GMFSI. This means the GMFSI will approve the
budget of the internal audit function and will support the status and responsibility of the
internal audit function within UCQ. Internal audit services (including cost recovery) will be
agreed with each of UCQ’s Agencies on an annual basis through GMFSI and GIAM.
The GIAM will report to the GMFSI in respect of day to day management matters, including
general staffing and any external service providers used from time to time, travel, IT
support, and general administration.
The GMFSI is responsible for reviewing the draft internal audit programs, plans and reports
prior to submission to the ARCC. The GMFSI is also responsible for evaluating the
performance of the GIAM, including obtaining feedback from the ARCC, the Director,
Uniting Care Queensland and Agency Executive Directors.
Internal Auditors
These roles will report to the GIAM and will assist in the delivery of audit engagements in
accordance with appropriate auditing standards.
The internal audit activities of the UCQ will need to be flexible in terms of the breadth and
depth of coverage of the activities of UCQ. It is possible therefore that the internal audit
activities of the Group may have to be supplemented from time to time with resources
contracted from outside of UCQ. Such resources may be required to undertake audit work
in respect of specialist areas, or where demand for work is such that additional general
audit resources are required.
The internal audit function reports to the ARCC in relation to Internal Audit Planning and
Reporting, and as such the ARCC will be responsible for endorsing, for submission to the
Board, the following items:
• changes to the annual audit plans during the course of the year;
The ARCC shall also be available to meet independently with the GIAM, as required.
Page 4 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
In addition, the ARCC will be involved in decisions on the appointment and termination of
the Group Internal Audit Manager and provide input into the annual performance review of
Internal Audit and the GIAM.
Audit Planning
Scope of Work
The audit work to be completed in any given year will focus on the general requirement that
the ARCC will expect the Group Internal Audit Manager to provide a report, on an annual
basis, in relation to the overall governance, risk management, internal control and
compliance systems.
The Group Internal Audit Manager will therefore plan the work of the internal audit function
so as to obtain sufficient evidence throughout the course of the year, regarding the
adequacy of design, and effectiveness of implementation, of the controls and processes
adopted by UCQ and its Agencies to manage their key risks.
To ensure this occurs, it would generally be expected that the audit plan will include the
following major segments:
Page 5 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
The methods used to plan audit work should be in accordance with appropriate auditing
It would be expected that, due to the size of UCQ, all risks will not be able to be covered
within any one year, and so a cyclical basis of auditing will be required to ensure adequate
coverage of risks over a period of time. It is expected that the ARCC would be made aware
of, and approval would be sought for, any long term or strategic audit plans.
On an annual basis an audit plan, covering the work to be performed over the next financial
year, is to be presented to the ARCC for approval. Such a plan will set out the approximate
timing of audit work, the high level scope of each audit, and the resources required to
complete the work over the course of the year. Changes to the plan can be suggested
throughout the year, but will be subject to approval by the ARCC.
Audit Delivery
All audits should be planned, delivered and reported upon in accordance with the
International Standards for the Professional Practice of Internal Auditing, issued by the
Institute of Internal Auditors.
In undertaking audits within UCQ however, it will be expected that certain behaviours and
communication protocols will be adhered to, as set out in the following table:
Page 6 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
Audit Area Protocol
when working at service unit locations
Findings and • The more important issues that arise during the course of an
Recommendations audit should be progressively discussed with the appropriate
levels of management concerned.
• Findings are to be discussed with local management prior to
leaving the site, and wherever practical the rating of findings,
management comments and actions should be agreed at this
Audit Follow Up • It will be expected that management will take ownership of all
agreed actions and the timing allocated for their completion
• The internal audit function will follow up on progress in
completing actions in order to provide a summary progress
report on a quarterly basis to the ARCC meeting.
A full report will be prepared following the completion of each individual internal audit
assignment. The report will set out, as a minimum, the following key pieces of information:
Page 7 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
• The purpose of the audit work;
• A summary of any best practices identified which should be shared with other activities
within UCQ;
• A summary of the key themes arising from the audit and any major or moderate
category findings;
All findings should be graded in terms of their level of importance. The grading system to
be used for findings should be the same as that used in the risk management framework.
In addition to providing the report to the manager of the area reviewed, a copy is to be
provided to GMFSI and the relevant Agency Executive Director.
A report is to be prepared for each ARCC meeting that summarises the audit activities
which have taken place since the last meeting, any themes or emerging risks which the
work highlights, all risks identified with more than a moderate potential impact, a summary
of above moderate category findings and the status of work compared to the annual audit
On a quarterly basis, a summary report of audit engagements and outstanding (more than
minor category) audit findings will be provided.
On an annual basis a performance report will also form part of the ARCC summary report.
This is to provide the ARCC with a summary of how the internal audit function has
performed against agreed goals.
On an annual basis, the Group Internal Audit Manager is responsible for submitting to the
ARCC a report which sets out a summary of the audit activities for the year, and an overall
assessment on the design adequacy and effectiveness of implementation of UCQ’s
governance, risk management, internal controls and compliance processes, as evidenced
by the work undertaken.
Page 8 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
Link to Risk Management Framework
The activities of the internal audit function need to be fully co-ordinated with the overall risk
management framework of UCQ. This will be achieved by ensuring the following basic
processes occur:
• The annual audit plan will be developed based to a large extent on the risk profile of
UCQ and each Agency;
• Each audit assignment will be planned in such a manner as to ensure fieldwork seeks to
obtain evidence of control effectiveness in respect of key risks, as summarised in the
relevant risk profile;
• Audit findings shall be graded in a manner consistent with the risk framework;
• Agency Executive Directors should refer to audit activity and findings, when reporting
upon their risk profile to the Director Uniting Care Queensland; and
• Facilitating the updating of risk registers (risks, causes, treatments, action items) so that
a consistent approach is applied across UCQ.
Performance Monitoring
The performance of the internal audit function of UCQ will be monitored in two ways, as
Quality Review
On a periodic basis, at least every five years, a person or organisation independent of the
function will review the internal audit function. This would normally be expected to be an
outside consultant with the appropriate level of expertise in internal audit best practice.
The internal audit function will establish goals and present these to the ARCC for approval
on an annual basis, at the beginning of the financial year. The GMFSI and GIAM will then
report on performance against these goals at the end of that financial year.
Page 9 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc
Financial and Management Service Provision
• Annual audit plan delivered within • Senior Managers believe that internal
budget, concentrated on high risks audit provides an objective value
and areas of sensitivity, and carried added service to the business
out with appropriate resources. • ARCC believe that the level of
• Cost savings or revenue reliance they can place on the
opportunities identified as part of governance, risk management,
the outcomes of the audit process internal control and compliance
• Expertise from outside internal audit systems of the Group has improved
group used where appropriate and as a result of internal audit activities
as planned (e.g. IT).
Process People
• Protocols in relation to timing, • The skills of line managers and staff
communications and reporting have have improved as a result of the
been adhered to throughout the internal audit work which has occurred
year • Internal audit staff are appropriately
• All approved audits have occurred skilled and trained to undertake the
as intended or alternative suitable range of audit work required to meet
arrangements have been put in the objectives of the internal audit
place function within the context of UCQ’s
• Actions in respect of audit findings operations
have been followed up and reported • Staff turnover level for the most
upon as appropriate current year is in accordance with
The GIAM will conduct a performance review and career planning interview with each
member of the internal audit team at least once per annum.
Page 10 of 10
Q:\UCare\Office of Director\Marketing & Communication\Marketing\Lea\Misc\9 6(d) Internal Audit Protocols.doc