INTERNAL AUDIT PROCEDURE
Policy ID 00029/1
February 2024
Internal Audit Procedure
This procedure must be read in conjunction with the Audit Committee Charter, the Internal Audit
Charter and the Internal Audit Policy.
Table of Contents
1. Overview
2. Rationale
3. Procedures
4. Complaints
5. Contact
6. References
1. Overview
1.1. The procedure provides guidance on how the internal audit function operates within
the Education Directorate (the Directorate).
2. Rationale
2.1. This procedure is established to guide the internal audit activity within the Directorate,
in accordance with Standard 2040 (Policies and Procedures) of the International
Standards for the Professional Practice of Internal Auditing.
3. Procedures
Annual Audit and Assurance Program
3.1. The Chief Internal Auditor prepares an Annual Audit & Assurance Program to be
presented to the Director-General for approval and to the Audit Committee for
endorsement.
3.2. The Annual Audit & Assurance Program will be reviewed and may be adjusted on a six-
monthly basis to ensure continual alignment to the Directorate’s strategic goals in
consideration of changes to the risk profile and management priorities. Any outcomes
of this review are subject to the Director-General’s approval and Audit Committee Chair
endorsement.
3.3. In accordance with the Public Sector Internal Audit Better Practice Guide (Australian
National Audit Office (2021)) and Effective Internal Auditing in the Public Sector – a
Good Practice Guide (issued by the Institute of Internal Auditors (March 2020)), the
following approach will be used to help guide the development of the plan:
• Consultation with all members of CORPEX, the Executive Governance Committee
  (EGC), the Director-General and Audit Committee to identify areas of risk or concern;
• Reviewing the Directorate’s Strategic Risk Register and associated controls to
  identify areas of importance and risk to the Directorate and/or where the potential
  for loss or failure is greatest;
• Reviewing the Directorate’s Strategic Plan to ensure the Audit and Assurance
  Program aligns with and responds to the Directorate’s strategic directions and
  objectives;
• Mapping the Directorate’s assurance coverage by reviewing internal and external
  audit activities over three years and the Directorate’s Assurance Map to identify and
  respond to gaps in assurance coverage; and
• Reviewing the ACT Audit Office’s Performance Audit Program and Potential Audits
  and other relevant publications (such as the ACT Audit Office Insights Publications),
  to ensure that potential duplication and gaps in overall audit coverage are known,
  and to identify potential opportunities for the ACT Audit Office to rely on the work of
  the internal audit function.
Resourcing, Conflict of Interest and Confidentiality
3.4. Internal audit activities are predominately undertaken by outsourced internal audit
service providers.
3.5. Based on the audit scope, focus and objectives, the skill set necessary to complete the
internal audit and the budget available for the audit, a suitable Internal Audit Service
Provider is selected from the Whole of Government panel arrangements – Professional
and Consulting Services Panel, Risk & Audit in accordance with the relevant
procurement guidelines. A multi-year agreement with one service provider will be
considered as an option ahead of the commencement of the 2024-25 Audit and
Assurance Program.
3.6. Prior to each audit starting, the Chief Internal Auditor will agree budgeted hours and a
price. Any proposed variations to the budgeted hours or price must be requested in
writing and negotiated with the Chief Internal Auditor as soon as possible and before
the budgeted hours are exceeded. The Chief Internal Auditor may authorise or reject
any variation at their discretion.
3.7. Outsourced service providers must demonstrate their professional competence through
relevant professional experience and appropriate professional certifications and
qualifications (such as, but not limited to, the Certified Internal Auditor designation
and/or other designations offered by the Institute of Internal Auditors and other
appropriate professional organisations). The providers are responsible for the provision
of suitably qualified audit staff and their professional conduct. Before the
commencement of the engagement, the providers must detail all proposed staff for
approval by the Chief Internal Auditor.
3.8. The outsourced service provider is to provide an undertaking at the commencement of
the contractual period that no actual or perceived conflict of interest exists, or is likely
to occur, in relation to the audit services to be provided. If at a later stage, audit staff
from the outsourced service provider become aware of a situation in which a conflict of
interest or bias is present or may reasonably be inferred, they must immediately advise
the Chief Internal Auditor, and apply mitigation strategies in consultation with the Chief
Internal Auditor.
3.9. The outsourced service provider is to provide a deed of confidentiality at the
commencement of the contractual period that they are responsible and accountable for
maintaining the confidentiality of the information they access during the course of their
work.
3.10. Internal auditors and outsourced service providers must suitably safeguard all
Directorate records, documentation and information from access by unauthorised
persons.
3.11. No audit documentation will be released to any external parties without the written
approval of the Director-General (or nominated delegate) and where necessary the
Directorate’s legal counsel.
An Internal Audit Process – Overview
3.12. An internal audit is conducted as follows:
1. Planning and scope
   • Internal Audits can be selected from the annual Audit and Assurance program, or they
     may be management-initiated reviews.
   • Research is undertaken to define the audit objective, scope and criteria to inform the
     Terms of Reference.
   • Key stakeholders are identified and timeframes are estimated.
   • Terms of Reference submitted for approval to the Audit Sponsor, usually the Executive
     Branch or Group manager for the area to be audited.
2. Entry meeting
   • An entry meeting is held with key stakeholders including, but not limited to, the Audit
     Sponsor, the business unit subjected to the audit, the internal audit service provider, the
     Chief Internal Auditor and members of the Audit and Assurance section.
3. Fieldwork and Documentation
   • Information and data gathering and analysis phase (including sampling, data analytics
     and/or observations) to assess the effectiveness of controls and accuracy of information.
   • Interviews with key personnel take place.
   • Audit working papers prepared and completed (test plans) to verify findings and
     evidence base.
4. Evaluation
   • Assessment of the effectiveness of the internal controls in place to mitigate risks.
   • Identify any gaps in controls.
5. Reporting
   • Draft report is prepared for sharing with the Audit Sponsor and key stakeholders, and
     includes an executive summary, details of the audit procedures performed, identifies
     any issues and recommendations for improvement.
   • Comments on the draft report will be considered by the auditors.
6. Debriefing / Exit Meeting
   • Exit meeting held with the Audit Sponsor, the business unit subjected to the audit, the
     internal audit service provider, the Chief Internal Auditor and members of the Audit and
     Assurance section.
   • Discussion of key findings and proposed audit recommendations.
7. Management comments
   • Management comments are requested on the draft audit report.
   • Management comments are required to be drafted in two weeks, and the Audit Sponsor
     is required to clear those comments within one week. Failure to meet this deadline will
     require an explanation to the Chair of the Audit Committee.
8. Endorsement
   • The Audit Committee discusses and endorses the draft audit report at a quarterly
     meeting or out of session.
   • Following endorsement, the report is made final.
9. Follow-up / Monitoring and Reporting
   • The final audit report is provided to the Director-General and Executive Governance
     Committee for information.
   • Audit recommendations are added to and tracked through a register – quarterly updates
     are required.
   • Monitoring of recommendations is reported to the Audit Committee and to the
     Executive Governance Committee.
Planning and scope
3.13. In planning each audit activity, the internal auditors will consider:
• the objectives of the activity being reviewed and the means by which the activity
  controls its performance and achievement of those objectives;
• the significant risks to the activity, its objectives, resources, and operations and the
  means by which the potential impact and/or likelihood of risk is kept to an
  acceptable level;
• the adequacy and effectiveness of the activity’s risk management and control
  systems compared to a relevant control framework or model;
• whether the scope is relevant to the risks identified when developing the internal
  audit plan; and
• the opportunities for making significant improvements to the activity’s risk
  management and control systems.
3.14. Preliminary scoping will be undertaken to ascertain and map business units’ current
practice/s, and determine if the process is compliant with policy, or if it is better practice in
terms of controls than what is prescribed in legislation or policy.
3.15. For each internal audit activity, the internal auditors will determine the risks to be
included in the scope of the internal audit. The internal audit fieldwork will be aimed at
determining the presence and effectiveness of controls in place to mitigate these
potential risks.
• Scoping/planning meeting: to determine the objectives and scope of each internal
  audit activity, the internal auditors will conduct a planning meeting with the
  management of the business unit being audited/reviewed.
• Audit criteria: the internal auditors should clarify the specific explicit and implicit
  criteria against which evidence collected will be evaluated. Criteria are explicit when
  they are clearly set out in policies, manuals, standard operating procedures,
  standards, laws and/or regulations.
3.16. The internal auditors will prepare an audit Terms of Reference that will normally include
the:
• Overview of the area to be audited/reviewed;
• Background on why the audit is taking place;
• Objectives of the audit;
• Scope of the audit i.e. the processes the audit will include and exclude;
• Audit standards that will be followed including the type of engagement;
• Audit methodology/approach to be taken;
• Key deliverables of the project;
• Professional standards that will be followed;
• Resources that will be used on the audit and the cost; and
• Timing for the commencement of field work, draft report for discussion and final
  report for tabling.
3.17. The draft audit Terms of Reference is sent to the Chief Internal Auditor for approval and
then to the Audit Sponsor for approval. Upon receiving the draft audit Terms of
Reference, the Audit Sponsor is required to provide comments and approval within one
week.
Entry Meeting
3.18. The purpose of an entry meeting is to:
• ensure all relevant staff of the audited area are aware that the audit is taking place
  and know who the internal auditors are;
• confirm the audit timeframes; and
• signal the commencement of audit fieldwork.
3.19. The entry meeting will be attended by the internal auditors and key stakeholders from
the area to be audited. It will be chaired by the Chief Internal Auditor and the Audit
Sponsor will be invited.
Audit Fieldwork and Documentation
3.20. A risk assessment is conducted at the activity level to identify and evaluate risk exposures
and determine audit objectives. It involves considering business process risks, quality of
management and/or individual performance. The risks that threaten the objectives of
each process to be audited should be identified and classified. The audit will concentrate
on those processes which are assessed as moderate or higher risk.
3.21. The internal auditors must obtain an understanding of the internal control system to
make a preliminary assessment as to whether those controls are effective in mitigating
risks. This can occur through the gathering, testing and analysis of information using
various auditing techniques. Audit techniques can include (but are not limited to)
conducting interviews, reviewing documents, analysing data, requesting questionnaires
and observations in walk-throughs.
3.22. To test the existence and/or effectiveness of controls in place to treat identified risks, the
internal auditors follow a documented audit testing program. The program involves
reviewing and documenting current processes and conducting sample testing where
appropriate.
3.23. The structure of the audit testing program should be made up of the following:
• Audit objective;
• Audit scope;
• Risk and control analysis;
• Audit criteria; and
• Previous audit recommendations – in cases where previous audits are relevant. The
  internal auditors and/or outsourced service providers will then verify that the
  matters have been addressed or are being addressed.
3.24. Internal Audit sampling will be conducted in line with sampling methodologies.
3.25. During the audit fieldwork, the internal auditors will communicate matters of significance
with the Chief Internal Auditor and Audit Sponsor to minimise the possibility of
"surprises" at the end of the audit. This may be done informally (e.g. emails, discussions)
or via formal meetings.
3.26. Audit evidence refers to all the information used by the internal auditors in arriving at the
findings and recommendations. Evidence needs to support the basis of the findings; it
should be relevant and appropriate to the internal audit testing program. Sample sizes
should be representative and sufficient to ensure that conclusions derived from the data may be
statistically valid.
3.27. Working papers document the audit work that was completed from the preliminary
scoping stages through to the final report. Audit working papers show whether due
professional care was exercised and illustrate compliance with professional auditing
standards.
3.28. Fieldwork and testing will be documented in the internal auditors’ standard format for
working papers.
3.29. All working papers will be subject to a quality assurance and technical review by a more
senior staff member of the internal auditors and/or outsourced service providers than
the staff member who completed the working papers. The Audit and Assurance team will
request and retain all audit working papers at the conclusion of each internal audit
activity.
3.30. All internal audit documentation is to remain the property of, and to be able to be
accessed by the Directorate, including where the internal audit services are performed by
an outsourced service provider.
3.31. Audit documentation must be retained in accordance with the Territory Records Act 2002,
including the audit documentation retained by outsourced service providers.
Evaluation
3.32. The analysis and evaluation of evidence obtained should give rise to issues (positive or
constructive), which the internal auditors and/or outsourced service providers may
report to management. Conclusions should be specified, free from personal biases or
prejudices, and be objective.
Reporting
3.33. After the Fieldwork and Evaluation, a draft internal audit report (marked “draft”) will be
issued to the key stakeholders and Audit Sponsor of the business unit being audited, for
initial feedback and to confirm findings and observations.
3.34. This preliminary draft internal audit report is not for the purposes of receiving
management comments; but can be used during Debriefing / Exit meeting to ensure
clarification of information is sought.
Debriefing / Exit Meeting
3.35. An Exit Meeting will be held to discuss the findings from the audit field work to confirm
facts or clarify information.
3.36. The Exit Meeting will be attended by the Chief Internal Auditor, internal auditors and/or
outsourced service providers, key stakeholders and the Audit Sponsor.
Management Comments
3.37. After the Debriefing / Exit Meeting a formal draft internal audit report (marked “draft”)
will be issued to the senior management of the area being audited, for management
comments.
3.38. The draft report will specifically:
• include an Executive Summary which will describe the objective, scope, background,
  key controls and positive observations and key findings/opportunities for
  improvement;
• state the objective(s), scope, methodology and conclusion of the audit;
• detail any risks identified that were not effectively treated and suggestions for
  improvement;
• prioritise the risks identified through the use of the Directorate’s Risk Matrix;
• propose recommendations to further treat the identified risks; and
• seek management’s comments in response to the recommendations and
  implementation timeframes.
3.39. Audit recommendations made in the draft report should be based on the issues raised in
the findings, implementable within a foreseeable period and be reasonable in
consideration of the risk rating.
3.40. If the Audit and Assurance section is made aware of an issue of material concern, there
is a professional obligation to report on the issue, even if it is outside the confines of the
original scope of the internal audit.
3.41. If issues are identified with the operation of external controls, relevant directorates or
agencies need to be informed. This may include issues with legislation, policy and/or
procedures which could adversely impact the Directorate.
3.42. Upon receipt of the draft internal audit report, the management of the business unit
being audited is required to provide management comments within two weeks.
3.43. All management responses which appear in the audit reports must fall within three
categories: Agreed, Disagreed or Partially Agreed.
3.44. The response should then concisely detail the action management intends to take in
response to the recommendation, stating who will take the action and when it will be
completed. If the recommendation is Partially Agreed or Disagreed, the response must
have a reason. When considering the implementation date of the recommendation,
management should weigh the risk rating against available resources, to arrive at a
reasonable timeframe.
Endorsement
3.45. Following the completion of management comments, the internal audit report will be
submitted to the Audit Sponsor for approval. Upon receipt of the report, the Audit
Sponsor is required to provide comments or approval within one week.
3.46. Once the report is approved by the Audit Sponsor, it can then be included in the papers
for the next Audit Committee meeting for endorsement. The internal auditors, Chief
Internal Auditor and Audit Sponsor will attend the Audit Committee meeting to answer
any questions that the Audit Committee may have.
3.47. Following endorsement, the internal audit report can be distributed to the Executive
Governance Committee for information, and to the Director-General.
Follow up / Monitoring and Reporting
3.48. The Chief Internal Auditor provides audit recommendation progress reports to the Audit
Committee and Executive Governance Committee on a quarterly basis.
3.49. The Chief Internal Auditor maintains an Audit Recommendations Register which records
recommendations, responsible officers, progress updates, expected completion dates
and implementation status for each audit.
3.50. The Chief Internal Auditor provides updates to the Audit Committee on internal and
external audit recommendations to assist the Committee with monitoring progress or
accepting the closure of recommendations, as required.
3.51. Recommendations arising from the Auditor-General Office’s financial and computer
information system audit management reports are subject to verification by the Audit
Office as part of the annual review process.
3.52. Recommendations arising from Auditor-General’s Office performance audits are subject
to reporting through the annual review process; however, they can be considered for
closure by the Audit Committee, when fully implemented.
Audit Committee Reporting
3.53. Audit Committee reporting occurs on a quarterly basis and includes:
• progress updates of the Annual Audit and Assurance Program;
• presentation of internal audit reports with management comments, for
  endorsement;
• implementation status of open audit recommendations and recommended actions
  from the Chief Internal Auditor;
• standing agenda items; and,
• any special agenda items that are of interest to the Committee.
3.54. The Chief Internal Auditor is required to distribute Audit Committee meeting agenda and
papers at least one week before the meeting. The Executive Branch Managers of the
relevant areas within the Directorate are required to submit Audit Committee meeting
papers and audit recommendation updates (cleared by the Executive Group Managers or
Deputy Director-General) to the Chief Internal Auditor at least two weeks before the
meeting.
3.55. This procedure will be reviewed on an ongoing basis with a formal review conducted at
least once every three years. Any substantive changes will be formally approved by the
Director-General and endorsed by the Audit Committee.
4. Contact
4.1 The Chief Internal Auditor is responsible for this procedure.
4.2 For support, contact the Chief Internal Auditor on (02) 6207 4386.
5. Complaints
5.1. Any concerns about the application of this procedure or the procedure itself should be
raised with:
• the Policy Owner, the Chief Internal Auditor;
• the Directorate’s Feedback and Complaints team on (02) 6205 5429; or
• online at www.education.act.gov.au/about-us/contact_us;
• see also the Complaints Management Policy on the Directorate’s website.
6. References
6.1. Definitions
• Conflict of Interest: any relationship that is, or appears to be, not in the best interest
  of the organisation. A conflict of interest would prejudice an individual’s ability to
  perform his or her duties and responsibilities objectively.
• Control: any action taken by management, the board, and other parties to manage
  risk and increase the likelihood that established objectives and goals will be
  achieved. Management plans, organises, and directs the performance of sufficient
  actions to provide reasonable assurance that objectives and goals will be achieved.
• Independence: the freedom from conditions that threaten the ability of the internal
  audit activity to carry out internal audit responsibilities in an unbiased manner.
• Internal Audit: an independent, objective assurance activity designed to add value
  and improve an organisation’s operations. It helps an organisation accomplish its
  objectives by bringing a systematic, disciplined approach to evaluate and improve
  the effectiveness of risk management, control and governance processes.
• Risk: the possibility of an event occurring that will have an impact on the
  achievement of objectives. Risk is measured in terms of impact and likelihood.
6.2. Related Policies and Documents
• Internal Audit Policy, Policy Identifier 00029/1
• Internal Audit Fact Sheet, Policy Identifier 00029/2
• Internal Audit Charter, Policy Identifier 00029/3
• Audit Committee Charter, Policy Identifier 00029/4
• Framework for Internal Audit Committee and Function (CMTEDD)