Frequently Asked Questions
Here are the answers to some of the questions we're asked most often.
- What is the difference between internal and external audit?
- How do you decide what areas to audit?
- Can I request a review?
- How long will the audit take?
- How much of my time will be required?
- How might I be involved and what will I have to do?
- What will the benefits be?
- What do I need to do to prepare?
- I'm worried we've got some serious issues to address, what should I do?
- What are you actually looking for?
- How disruptive will the audit be?
- What happens if you find any really serious issues?
- How confidential is the process?
- Who gets to see the results?
- Who audits audit?
What authority does Assurance Services have?
The Internal Audit team is part of the Assurance Services unit. Assurance Services is an independent function set up under the authority of the Vice-Chancellor. Internal audits are performed on behalf of the Council and approved by the Risk Committee.
What is the difference between internal and external audit?
External audit focuses on an organisation’s financial statements and considers, for example:
- the risk of material misstatements within the financial statements;
- the appropriateness and reasonableness of accounting policies and estimates used; and
- evaluation of the presentation, structure and content of the financial reports.
The Audit Office of New South Wales, as the appointed external auditor, undertakes the audit of the University’s financial statements.
Internal Audit on the other hand, may review any area which is of importance to the University and helps to achieve the University objectives by evaluating and improving the effectiveness of risk management, internal controls, and governance processes.
How do you decide what areas to audit?
Areas for audits are set out in the Internal Audit Plan which is approved on an annual basis through Risk Committee. It aims to provide a program of audits which focus on areas aligned to the University’s current strategy, risk appetite and risk profile.
The Plan is developed based on Internal Audit’s understanding and assessment of risks University-wide, as well as the priorities at the Faculty and Divisional levels. Senior leaders, including all Pro Vice-Chancellors, Senior Deputy Vice-Chancellor, Deputy Vice-Chancellors, Chief Operating Officer, Chief Finance Officer and a number of Directors are consulted to inform this process.
Can I request a review?
We can receive requests for reviews from areas which may not have been included in the Internal Audit Plan. These requests are discussed and considered taking into account the risks, the skills and expertise needed, resources and the impact on the University’s Strategic risks.
Please contact one of the Internal Audit team members and we can talk through what your needs are and how we can support you.
How long will the audit take?
The length of an audit is dependent on the scale, nature and complexity of the systems, processes and controls in place. An audit can vary in length from a week or so through to a few months and involves planning, fieldwork, and reporting stages. We can provide a firmer indication of timing during our formal engagement, planning and scoping process. This is where we sit down with key people involved to define the scope and requirements of the audit.
How much of my time will be required?
This depends on your role in the audit and is impacted by various factors, for example the nature of the review, the complexity of the area’s operations, ease of access to information and documentation. Some people may be required throughout the audit while other staff may be involved at the planning or the completion phases. We would identify the key resources during our planning meeting and agree these with you at that time.
How might I be involved and what will I have to do?
There are key steps in the audit process and each stage requires slightly different input. We might request information in the lead up to meeting with you to help us better understand your risks and policies. Following on from this, we might need to meet with you for a discussion on the key processes and identification of controls. We may ask you for some further information or details supporting the current procedures or to support the transactions we are testing. We will also meet with you to discuss or explain findings and recommendations from the audit prior to issuing any report.
What will the benefits be?
Depending on the audit requirements and area of review, we can help you:
- offer another perspective—looking from the outside in;
- assist you to manage risks through identification of design effective internal controls and processes;
- highlight areas of non-compliance with regulation or policy and suggest improvements in your controls;
- review of operational procedures and potential irregularities;
- establish effective controls from the outset in relation to new systems, processes or projects; and
- promote effective internal controls that benefit your area.
What do I need to do to prepare?
Working together to agree on the audit scoping and timing, is important to ensure that the internal audit provides benefits to you. During the planning meeting, we will discuss our information needs and the proposed timing for receiving this data.
I'm worried we've got some serious issues to address, what should I do?
If you would like to talk to one of the team we will be more than happy to help. Contact us by phone or email and we can assist you in understanding the extent of your concerns and provide guidance on how to prepare an action plan or to improve controls to address your risks.
What are you actually looking for?
This will depend on the scope of the audit. We could be reviewing compliance against external legislation or regulations, or internal policy, or we would be reviewing the design and operation of processes and controls to support effectiveness and efficiency. Ultimately, the aim is to identify opportunities to improve business processes to support local areas.
How disruptive will the audit be?
We try our best to keep any disruption to a minimum by organising any meetings at a mutually convenient time and spending plenty of time explaining the process up front so we can all prepare and work through any key timing or operational challenges.
What happens if you find any really serious issues?
We have a no surprises audit approach. We will discuss issues with you as they are identified. We can provide guidance on actions to remediate the identified risks and assist you in developing appropriate time frames to address findings.
Reports are provided to the Executive Committee and the Risk Committee and these reports will include the agreed actions and time frames to improve the internal controls.
How confidential is the process?
Any records, document or information we obtain during the course of our activities are used solely for the audit or review. All documents are securely filed with access controlled. Any access to Internal Audit’s engagement records must be approved by the Director Assurance Services and access requests from any external parties must be approved by senior management and/or Legal Counsel.
Who gets to see the results?
Reports are provided to you and your Executive. The final reports are presented to the Executive Committee and the Risk Committee.
The External Auditor may also review the report as far as it impacts on their audit process.
Who audits audit?
Internal Audit team members remain independent of schools, faculties, business units or divisions subject to audit processes and maintain an impartial, unbiased attitude and avoid conflicts of interest. We provide an annual independence declaration to the Risk Committee. Assurance Services reports functionally to the Risk Committee and the Director Assurance Services is accountable to the Vice-Chancellor for the efficient and effective management of the Internal Audit function.
At least once every three years, an external assessment of the Internal Audit function is completed by a qualified and independent assessor. The frequency and form of this review is approved by the Risk Committee.
All Internal Audit team members uphold the principles of integrity, objectivity, confidentiality and competency. Read our full Code of Ethics.