This section provides a summary of our audit process. 

The review process in brief :

Who is audited?

On an annual basis, Internal Audit uses a standard methodology to identify and perform a risk analysis of all areas within the University so as to prioritise areas, processes and projects for audit. Extensive management input is sought at this stage so as to focus the audit plan on the appropriate risk areas. The annual audit plan is tabled for approval by the Vice-Chancellor’s Risk and Compliance Committee and the Senate Risk Committee. The annual audit plan is reevaluated during the year as priorities and risk profiles change. The auditable areas or entities are assigned to lead assurance officers during the year to manage the individual audit processes.

What happens during an audit?

Notification of Management

The lead Assurance Officer will contact management in advance of the proposed audit date to agree on the timing of commencement, to explain our process and to give them the opportunity of providing input into the audit planning process.

Preliminary Planning

The Assurance Officer gains an understanding of the nature, size and structure of the area, how the area/system operates, what governs it, what rules and policies apply and any other information which affects the audit area. An engagement memorandum is drafted, finalised and sent to management. This sets out the expected timing of the audit, scope and deliverables, including expected distribution list for the final report.

Development of Audit Program

With the information gathered to date, the Assurance Officer develops an audit program which includes the objectives, scope and program steps. This is subject to approval by the Associate Director, Internal Audit prior to commencement of the audit and is subject to change as additional information becomes available during the audit. This audit program is an internal document and is not supplied to management.


The Assurance Officer evaluates the existing processes and controls and tests to assess the degree to which the controls are operating effectively. The Assurance Officer is also able to assess whether or not the procedures in place are efficient and compliant with relevant governance standards and Policies.


Where the Assurance Officer identifies areas for improvement, these are discussed with the relevant staff and the accuracy of the information gathered is confirmed. This consultative process forms the basis for agreement being reached as to any remedial action to be implemented.

Quality Review

Each audit is subject to quality review by the Associate Director, Internal Audit who ensures that audit conclusions are supported by appropriate evidence, that the working papers have been properly maintained and that the report is fair and balanced.


The Assurance Officer drafts a report for review by the Associate Director, Internal Audit before it is discussed with the OU head. The report includes a description of the audit approach and scope, conclusions on the issues identified, an overall rating, Internal Audit recommendations and comments by Management, including actions agreed and due dates. There should be no surprises about the information included in the report when it is issued as final, as the issues will have been discussed previously with Management. All reports issued by Internal Audit are addressed to the OU Head and are copied to an approved distribution list, including members of the University Senior Management Group as appropriate. Significant issues identified in individual audit reports are reported to the Vice-Chancellor’s Risk and Compliance Committee and the Senate Risk Committee.


At a later date, generally 3 - 6 months after the report has been issued, a follow-up is required to ensure that the agreed actions have been implemented and are workable and beneficial.

To whom does Internal Audit report?

Internal Audit is an advisory service having an independent status within the University. As an advisory service, Internal Audit has no direct responsibilities for or authority over, any of the activities which it audits. The Associate Director, Internal Audit reports to the Director, Corporate Operations on matters of administration and to the Chief Operating Officer on operational matters. To provide for the independence of the Internal Audit function, the Associate Director, Internal Audit has direct access to the Chair of the Vice-Chancellor’s Risk and Compliance Committee, Vice-Chancellor, Chair of the Senate Risk Committee and Chancellor.

Why do we have both internal and external audit?

The University of Queensland is audited externally by Deloitte, under contract to the Queensland Audit Office. The objective of Internal Audit differs from that of external audit which is to provide an opinion to the Queensland Parliament on whether the annual financial statements present fairly and accurately the University’s operating results and financial position. However, to achieve cost-effective and efficient coverage, internal audit liaises regularly with the external auditors to co-ordinate work and to minimise duplication of effort. Internal audit will also consider the work performed by other assurance functions when planning for each review.

Who audits Internal Audit?

Internal Audit is considered to be an integral part of internal management control of the University. Following liaison during the audit planning process and having access to Internal Audit's working papers, the external auditors assess the effectiveness of Internal Audit annually. They assess our work in order to place reliance on our coverage where appropriate. In addition, the Institute of Internal Auditors’ standards recommend an External Quality Review of the Internal Audit function every five years. The results of these reviews are reported to the Vice-Chancellors’ Risk and Compliance Committee and the Senate Risk Committee.

What types of services can Internal Audit provide?

By having systems subject to your responsibility reviewed by an independent function, areas requiring improvement or areas of non-compliance or risk can be highlighted for remedial action, therefore helping your operations function more efficiently and effectively and ensuring acceptable governance standards are achieved and risks are adequately managed. In addition, if you are considering changes to systems or business processes, Internal Audit can assist to ensure that those changes have the necessary controls built in from the start and that the project governance is effective and achieves compliance with policies.

Our services include the following types of reviews:

  • Operational Audits

These are audits scheduled in accordance with the Internal Audit planning methodology on an annual basis to achieve coverage across the University over time and to address higher risk areas. These audits involve examination of controls, processes and systems used to manage an area’s resources, assets and information. They assess the efficiency and effectiveness of operations including finance and controls over business risk as well as compliance with policies and procedures.

  • Information Systems audits

These involve internal control reviews of existing applications and information system environments scheduled in accordance with the Internal Audit planning methodology on an annual basis to achieve coverage across the University over time and to address higher risk areas. • Pre-and post-implementation reviews These provide advice on and monitor new information system developments.

  • Grant certifications

We provide a number of financial audit opinions on grant financial statements to granting bodies.

  • Limited scope reviews

Special requests for internal audit reviews of limited scope areas are prioritised based on risk in relation to the established annual audit plan.

  • Consultation and Advice

Internal Audit offers a consultation service particularly in relation to projects and new system implementations. Assurance Officers are available to provide (or obtain) advice on University policy, procedure and practice.


Investigations may result from disclosures made under the Public Interest Disclosures Act, from requests by management or as a result of findings arising from internal audits. The Integrity and Investigations Unit will assess and undertake investigations in to such matters and the Associate Director, Integrity and Investigations can be contacted in this regard.