Frequently Asked Questions
Here are the answers to some of the questions we're asked most often.
- What is the difference between internal and external audit?
- How do you decide what areas to audit?
- Can I request a review?
- How long will the audit take?
- How much of my time will be required?
- How might I be involved and what will I have to do?
- What will the benefits be?
- What do I need to do to prepare?
- I'm worried we've got some serious issues to address, what should I do?
- What are you actually looking for?
- How disruptive will the audit be?
- What happens if you find any really serious issues?
- How confidential is the process?
- Who gets to see the results?
- Who audits Audit?
What authority does Internal Audit have?
Internal Audits are undertaken by an external provider, EY. The Risk Services team, which is part of the Governance and Assurance Services unit, assist in the management of the auditors. Internal audits are performed on behalf of the Council and approved by the Risk Committee.
Internal Audit’s authority is outlined in the Internal Audit Charter.
What is the difference between internal and external audit?
External audit focuses on an organisation’s financial statements and considers, for example:
- the risk of material misstatements within the financial statements;
- the appropriateness and reasonableness of accounting policies and estimates used; and
- evaluation of the presentation, structure and content of the financial reports.
The Audit Office of New South Wales, as the appointed external auditor, undertakes the audit of the University’s financial statements.
Internal Audit on the other hand, may review any area which is of importance to the University and helps to achieve the University objectives by evaluating and improving the effectiveness of risk management, internal controls, and governance processes.
How do you decide what areas to audit?
Areas for audits are set out in the Internal Audit Plan which is approved on an annual basis through Risk Committee. It aims to provide a program of audits which focus on areas aligned to the University’s current strategy, risk appetite and risk profile.
The Plan is developed based on Internal Audit’s understanding and assessment of risks University-wide, as well as the priorities at the College and Divisional levels. Senior leaders are consulted to inform this process.
Can I request a review?
We can receive requests for reviews from areas which may not have been included in the Internal Audit Plan. These requests are discussed and considered taking into account the risks, the skills and expertise needed, resources and the impact on the University’s Strategic risks.
Please contact the Internal Audit and Risk Services team at internalauditor@newcastle.edu.au and we can talk through what your needs are and how we can support you.
How long will the audit take?
The length of an audit is dependent on the scale, nature and complexity of the systems, processes and controls in place. An audit can vary in length from approximately one to four weeks and involves planning, fieldwork, and reporting stages. We can provide a firmer indication of timing during our formal engagement, planning and scoping process. This is where we sit down with key people involved to define the scope and requirements of the audit.
How much of my time will be required?
This depends on your role in the audit and is impacted by various factors, for example the nature of the review, the complexity of the area’s operations, ease of access to information and documentation. Some people may be required throughout the audit while other staff may be involved at the planning or the completion phases. We would identify the key resources during our planning meeting and agree these with you at that time.
Council and Risk Committee set clear expectations on when internal audits are required to be completed. The audit team will work with you to minimise disruption; however, full cooperation and priority from stakeholders are required to successfully complete the audits on time.
How might I be involved and what will I have to do?
There are key steps in the audit process and each stage requires slightly different input. When carrying out an internal audit we will work closely with the audit sponsor to define information requirements and a single point of contact. As part of our work we will carry out interviews with you to understand key processes and controls, and request documentation to carry out analytics and sample testing to see evidence of controls. On conclusion of the audit, the team will meet with you to discuss or explain findings and recommendations from the audit prior to issuing a report.
What will the benefits be?
Depending on the audit requirements and area of review, we can help you:
- offer another perspective—looking from the outside in;
- assist you to manage risks through identification of design effective internal controls and processes;
- highlight areas of non-compliance with regulation or policy and suggest improvements in your controls;
- review of operational procedures and potential irregularities;
- establish effective controls from the outset in relation to new systems, processes or projects; and
- promote effective internal controls that benefit your area.
What do I need to do to prepare?
Working together to agree on the audit scoping and timing, is important to ensure that the internal audit provides benefits to you. During the planning meeting, we will discuss our information needs and the proposed timing for receiving this data.
I'm worried we've got some serious issues to address, what should I do?
If you would like to talk to one of our team members we will be more than happy to help. Contact Internal Audit by email (internalauditor@newcastle.edu.au) and we can assist you in understanding the extent of your concerns and provide guidance on how to prepare an action plan or to improve controls to address your risks.
What are you actually looking for?
This will depend on the scope of the audit. We could be reviewing compliance against external legislation or regulations, or internal policy, or we would be reviewing the design and operation of processes and controls to support effectiveness and efficiency. Ultimately, the aim is to identify opportunities to improve business processes to support local areas.
How disruptive will the audit be?
We try our best to keep any disruption to a minimum by organising any meetings at a mutually convenient time and spending plenty of time explaining the process up front so we can all prepare and work through any key timing or operational challenges.
What happens if you find any really serious issues?
We have a no surprises audit approach. We will discuss issues with you as they are identified. We can provide guidance on actions to remediate the identified risks and assist you in developing appropriate timeframes to address findings.
Reports are provided to the Executive Committee and the Risk Committee and these reports will include the agreed actions and timeframes to improve the internal controls.
How confidential is the process?
Any records, document or information we obtain during the course of our activities are used solely for the audit or review. All documents are securely filed with access controlled. Any access to Internal Audit’s engagement records must be approved by the University Secretary and access requests from any external parties must be approved by senior management and/or Legal Counsel.
Who gets to see the results?
Reports are provided to you and your Executive. The final reports are presented to the Executive Committee and the Risk Committee.
The External Auditor may also review the report as far as it impacts on their audit process.
Who audits audit?
The Internal Audit provider remains independent of Schools, Colleges, Business units or Divisions subject to audit processes and maintain an impartial, unbiased attitude and avoid conflicts of interest. Internal Audit reports functionally to the Risk Committee and the University Secretary is accountable to the Vice-Chancellor for the efficient and effective management of the Internal Audit function and outsourced provider.
At least once every five years, an external assessment of the Internal Audit function is completed by a qualified and independent assessor. The frequency and form of this review is approved by the Risk Committee.
All Internal Audit team members uphold the principles of integrity, objectivity, confidentiality and competency. Read our full Code of Ethics.
The University of Newcastle acknowledges the traditional custodians of the lands within our footprint areas: Awabakal, Darkinjung, Biripai, Worimi, Wonnarua, and Eora Nations. We also pay respect to the wisdom of our Elders past and present.