Internal Audit

We provide independent advice and assurance on the effectiveness of governance, management processes and internal controls.

Contact Internal Audit Team

Our role and responsibilities

What is internal auditing?

Internal auditing is defined as “an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

Why does UQ have an Internal Audit Function?

As a Queensland Statutory Body, UQ is obliged to observe the requirements of the Financial Accountability Act 2009 (the Act), and Financial and Performance Management Standard 2009 (the Standard) both of which contain certain mandatory requirements applicable to the internal audit function being:

  • Development of an internal audit charter
  • Planning the audit program
  • Reporting of audit issues, and;
  • The relationship with external audit

Internal Audit Charter

Internally, the Internal Audit function is governed by the Internal Audit Charter (PDF, 164KB) which sets out the responsibilities, organisation, authority, membership and operation of UQ’s Internal Audit function. It is approved by the Senate Risk and Audit Committee (SRAC) in consultation with the Vice-Chancellor’s Risk and Compliance Committee (VCRCC).

Responsibilities for monitoring and review

According to our Governance Framework and under the oversight and direction of the Senate and Executive Leadership, monitoring and reviews are undertaken at different levels of the University to provide assurance on performance, governance, risk management and compliance. The following figure illustrates these levels and relevant assurance responsibilities.


Diagram of responsibilities for internal auditing - description below

Our independence

The Internal Audit function is unique within UQ in that it is independent of management. While Internal Audit plans and programs of work will be developed in consultation with management, they are approved by the Senate Risk and Audit Committee. In addition, Internal Audit reports functionally to the Senate Risk and Audit Committee and administratively to the Director Governance and Risk. This allows Internal Audit to maintain an impartial, unbiased attitude and act with objectivity and independence in all that it does. Internal Audit cannot have any direct responsibilities for or authority over, any of the activities which it audits.

Our accountability

While Internal Audit is independent, it has an obligation to ensure it provides value adding and high quality services to management and the Senate by evaluating and improving the effectiveness of UQ’s risk management, control, and governance processes.

Internal Audit also has a responsibility to not only justify its selection of areas to audit including audit objectives and scope, it also has to ensure its audit processes (from planning to reporting) meet professional auditing standards, its findings and conclusions are evidence based and any recommendations are sensible and practicable. 

Internal audit value proposition

Internal Audit provides assurance, insight and objectivity to help management and governing bodies meet their goals.


Above diagram adopted from
The Institute of Internal Auditors (Global) - Value Proposition

Internal Audit provides assurance on the University’s governance, risk management and control processes to help the University achieve its strategic, operational, financial, and compliance objectives. We provide assurance that the University is operating as management intends and in compliance with Senate policies and directives.

Internal Audit is a catalyst for improving the University’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business processes. We provide insight for improving controls, processes, procedures, performance, and risk management; and for reducing expenses, enhancing revenues, and improving profits.

With commitment to integrity and accountability, Internal Audit provides value to governing bodies and senior management as an independent source of objective advice and assessment. This objectivity is a foundation for any assurance or insight work that is conducted.

Scope of work

The scope of work of Internal Audit is to assess and provide assurance on whether:

  • UQ has an adequate and effective system of internal control including governance, risk management and compliance frameworks.
  • Risks are appropriately identified and managed.
  • Interaction between the various governance groups occurs as needed.
  • Significant financial, managerial, and operating information is accurate, reliable, and timely.
  • Employees act in compliance with policies, standards, procedures, and applicable laws and regulations.
  • Resources are acquired economically, used efficiently, and adequately managed.
  • Quality and continuous improvement are fostered in the University’s control processes

Our services

Who is audited?

An annual risk-based planning process is undertaken in consultation with management and the Annual Internal Audit Plan is approved by the Senate Risk and Audit Committee. The Annual Internal Audit Plan is a dynamic document which must respond to the changing needs of UQ and the environment in which it operates. As such the Audit Plan is reviewed regularly to ensure audits remain relevant to the operational and strategic needs of UQ. Any changes to the plan will be approved by the Vice-Chancellors Risk and Compliance Committee and Senate Risk and Audit Committee.

What is our current strategy?

With the redevelopment in 2017 of UQ’s Top Risks and Risk Appetite Statements and the recent approval of a new Enterprise Risk Management Framework, the Annual Internal Audit Plan is now better able to focus in these areas. Our strategy is clear:

  • To provide assurance on the UQ Top Risks
  • To add value to the University through quality assurance and advisory services that create impact
  • To work effectively with other Governance functions as they develop so that synergies are achieved and that efficiency is maximised
  • To promote and support a One-UQ culture

Why do we have both Internal and External Audit?

The University of Queensland is audited externally by Deloitte, under contract to the Queensland Audit Office. The objective of Internal Audit differs from that of external audit which is to provide an opinion to the Queensland Parliament on whether the annual financial statements present fairly and accurately the University’s operating results and financial position. However, to achieve cost-effective and efficient coverage, internal audit liaises regularly with the external auditors to co-ordinate work and to minimise duplication of effort. Internal audit will also consider the work performed by any other assurance functions when planning for each review.

Who audits Internal Audit?

Internal Audit is considered to be an integral part of internal management control of the University. Following liaison during the audit planning process and having access to Internal Audit's working papers, the external auditors may assess the effectiveness of Internal Audit in order to place reliance on our coverage where appropriate. In addition, the Institute of Internal Auditors’ standards recommend an External Quality Assurance Review of the Internal Audit function every five years. The results of these reviews are reported to the Vice-Chancellors’ Risk and Compliance Committee and the Senate Risk and Audit Committee.

What types of services can Internal Audit provide?

The UQ Internal Audit function offers two distinct categories of services i.e. Assurance and Insight as follows:


  1. UQ-wide or business process focused Operational Reviews are a risk-based review of systems and business processes in order to evaluate the level of inherent and managed risk as well as the effectiveness and efficiency of mitigating controls.
  2. Information Systems audits are the examination of the controls within information technology (IT) infrastructure, applications and processes that safeguard assets, maintain data integrity, and ensure the objectives of the system owners are effectively and efficiently achieved;
  3. Business Assurance audits are the systematic verification (usually on a risk-based rotation basis) that business unit internal controls in place are aligned with UQ policies and procedures, are efficient and cost effective and operating to adequately reduce risk;
  4. Follow-up reviews are limited to a follow up status review of previously reported Internal Audit findings, usually in instances where there has been an adverse report rating or a large number of significant audit issues reported;
  5. Project reviews are conducted at various stages in the lifecycles of operational or IT related projects. These reviews are scoped individually at the time of commencement of the review process to best address the project related risk. The size, complexity and risk profile of the project will drive the audit scope, extent of work and nature of reporting. These reviews are conducted in accordance with our approved Internal Audit Project Review Framework;
  6. Grant certifications are financial audit opinions on the acquittal of grant funding. The annual number of these audits is determined by contractual obligations of grant funding and reporting requirements of granting bodies.


  1. Advisory reviews are limited in scope and are conducted at the request of management or are opportunities to add value determined through the audit planning process. The findings of advisory reviews are provided in a memorandum format to senior management and are not reported in detail to the VCRCC or SRAC. The objective of advisory reviews is to provide insight for improving controls, processes, procedures, performance, and risk management;
  2. Other Activities include any other activities not included above but which have been authorised by the Internal Audit Charter.

What Does the Assurance Process Entail?

Notification of Management

Members of the University Senior Management Group are advised at the beginning of the year which areas have been selected for assurance or advisory assignments for the year.  The assigned Internal Audit lead will contact management in advance of the proposed audit date to agree on the timing of commencement, to explain our process and to give them the opportunity of providing input into the audit planning process.

Preliminary Planning

The Internal Audit team gains an understanding of the nature, size and structure of the area, how the area/system operates, what governs it, what rules and policies apply, risks and any other information which affects the audit area. An Engagement Memorandum is drafted with local management input, approved and formally issued. This sets out the expected timing of the audit, scope and deliverables, including expected distribution list for the final report.

Development of Audit Test Program

With the information gathered to date, the Internal Audit team develops an audit test program which includes the objectives, scope, identified risks and expected controls for testing. This is subject to approval by the Associate Director, Internal Audit prior to commencement of the audit and is subject to change as additional information becomes available during the audit. This audit test program is an internal document and is not supplied to management.


The Internal Audit team evaluates the existing processes and controls and tests to assess the degree to which the controls are operating effectively. The Internal Audit team is also able to assess whether or not the procedures in place are efficient and compliant with relevant governance standards and Policies.


Where the Internal Audit team identifies areas for improvement, these are discussed with the relevant staff and the accuracy of the information gathered is confirmed. This consultative process forms the basis for agreement being reached as to any remedial action to be implemented.

Quality Review

Each audit is subject to quality review by the Associate Director, Internal Audit who ensures that audit conclusions are supported by appropriate evidence and that the report is fair and balanced.


The audit lead drafts a report for review by the Associate Director, Internal Audit before it is discussed with the head of the organisational unit or process owner. The report includes a description of the audit approach and scope, conclusions on the issues identified, an overall rating, Internal Audit recommendations and responses by management, including actions agreed and due dates. There should be no surprises about the information included in the report when it is issued as final, as the issues will have been discussed previously with management. All reports issued by Internal Audit are addressed to the organisational unit head, process owner or project sponsor and are copied to an approved distribution list, including members of the University Senior Management Group as appropriate. The more significant issues identified in individual audit reports are reported on a quarterly basis to the Vice-Chancellor’s Risk and Compliance Committee and the Senate Risk and Audit Committee.

Action Tracking and Closure of Audit Findings

Once a report has been issued as final it is input into our automated audit action tracking system “Vision”. As agreed management actions reach their due dates, notifications are sent out to the action owners for feedback to Internal Audit regarding progress and status. As evidence is provided to Internal Audit regarding resolution or completion of actions, outstanding audit actions are able to be formally closed. This system also enables our reporting to management and the Vice-Chancellor’s Risk and Compliance Committee and the Senate Risk and Audit Committee regarding any long outstanding unresolved audit actions for follow-up.

Customer Satisfaction

We aim to provide a high quality service and to add value to the University in all that we do. After each audit we will elicit feedback from local management regarding their experience of the audit process. 

Our professional affiliations

Our team members are affiliated to one or more of the following professional bodies


Australian & New Zealand University Internal Audit Group (ANZUIAG) is a discussion group open to Internal Audit staff from Australian and New Zealand tertiary education providers.


Membership is available to those involved in audit or risk management in a university, TAFE, or higher education college in Australia and New Zealand.


The ANZUIAG LinkedIn site has been set up to provide an area for questions and discussion amongst members.

How to apply for membership in LinkedIn.

Mailing list

The ANZUIAG mailing list is a useful way for members to post a question, raise issues and share best practices and resources with other ANZUIAG members.

To join the mailing list, you may either send an email to and insert 'subscribe' (without the quotation marks) in the subject of the email, or go to and subscribe. 

Conference Programs and Presentations

Year Presentations
2012-Present View (link to AURIMS site)
Year Program Presentations
2011 Download

Leverage Technology to Empower Internal Audit - Bryan Burnhart
Research - David Cookson

Fraud & Forensic Accounting - Dean Newlan
Open Forum

Higher Education and the Power of Choice - Ernst & Young

Integrity Matters - Holly Lindsay
Academic Risk - Phill Draber
TEQSA - Pip Pattison
Pushing the Boundaires Seema Patel
Education Sector and Public Sector Issues - Tim Loughnan

2010 Download

ANZUIAG: Past, Present and future - Armanas, Draber, Procopis
Assurance Mapping - Peter Beaton
Computer Assisted Audit Tools and Techniques - Bennison, Webster, Park
Internal Audit Engagement Protocols - Lee Ward
Lion Tamers and Horse Whisperers, Shaping Workplace CulturesPaul Collins
Recent Fraud Examples in Australian and New Zealand Organisations -Kevin Hannan Devine
Internal Audit Planning - Blunt, Brown, McGrath
Cross sectoral collaboration future directions in Australia Neville Moo and Craig Setter
Sustainability and Environmental Risk Management at UQ and QUT -Brian Fenn and Stuart Green
Delegations of Authority - Andrew Cooke
Improving the Health of your University Risk ProgramsToni Casey and Harry Rosenthall