Home

Menu
About us Mission & Strategic Plan Internal Audit Charter Contact Us Audit Staff Protocol for Implemetation of Agreed Actions to Internal Audit Findings Audit Services Divisional Audit Financial Audit Information Technology (IT) Other Audits Audit Process Why and when will I be audited — Audit Resource Management System (ARMS) Audit Methodology Reporting Procedures Benchmarking Exercise Advice to University Staff What is Fraud? Creating a low fraud environment Faculty Advice Who does Internal Audit report to? Senior Vice Principal Audit and Risk Committee (including Terms of Reference) External Audit Useful Links

Protocol for the Implementation of Management Agreed Actions to Internal Audit Findings

Purpose

To provide a protocol by which Management Agreed Actions to audit findings are to be implemented and/or outstanding actions plans followed-up.

Background

The Audit Committee requested at its meeting 4/2001 held on 27 November 2001, that a protocol on reporting and follow-up of outstanding Management Agreed Actions to audit findings be implemented. The Committee stated that it was not general practice within outside organisations to allow audit recommendations to be outstanding, especially in relation to high risk findings, for lengthy periods of time.

Responsibility

Heads of Budgetary Divisions and Heads of Departments are responsible for ensuring Management Agreed Actions to Internal Audit findings are actioned within agreed time frames.

Communication

The Protocol is communicated to Heads of Budgetary Divisions and Heads of Departments responsible for ensuring Management Agreed Actions are implemented as follows:

on the Internal Audit web site;
at the time they are advised of the impending audit; and
at the time the Preliminary and Final audit reports are issued.

Protocol

With the introduction of Risk Management methodology to Internal Audit procedures, a risk rating is assigned to all audit findings. The following protocol (see below) should govern management action in implementing and reporting outcomes to agreed actions remedying the audit finding.

Risk Rating	Management Actions	Audit Actions
H HIGH RISK	Immediate action required. Senior manager responsible must be designated and a detailed action plan and timetable agreed with the Director, Internal Audit. Implement proposed solution/action. Report completion/progress to Director, Internal Audit in accordance with the terms of the agreed action plan.	Dealt with within two weeks or earlier as required.
S SIGNIFICANT RISK	Action required within one month or within agreed time frame. Senior manager responsible must be designated and a detailed action plan and timetable agreed with the Director, Internal Audit. Implement proposed solution/action. Report completion/progress to Director, Internal Audit in accordance with the terms of the agreed action plan.	Dealt with within one month
M MODERATE RISK	Action required within three months or within agreed time frame. Manager responsible must be designated and action plan and timetable agreed with the Director, Internal Audit. Implement proposed solution/action. Report completion/progress to Director, Internal Audit in accordance with the terms of the agreed action plan.	Dealt with within three months
L LOW RISK	Action required within six months or within agreed time frame. Manager responsible must be specified and action plan and timetable agreed with the Director, Internal Audit. Implement proposed solution/action. Report completion/progress to Director, Internal Audit in accordance with the terms of the agreed action plan.	Dealt with before next audit

Notes:

Required "Update" reports are to be made via emails to the Director, Internal Audit at internal-audit@unimelb.edu.au. These reports should include brief details of action completed and/or progress made. Where agreed time frames are not likely to be met, this must be highlighted together with the reasons for the delay and the remedial action that is to be taken.
Where management actions fall outside these guidelines or beyond agreed time frames, the Director, Internal Audit will advise the Head of the Budgetary Division and copy to the Head of Department/Unit and to the Senior Vice-Principal. Audit and Risk Committee will also be advised of all outstanding actions not met within the required timeframe.
In the event that, despite these guidelines, it is necessary to advise Audit and Risk Committee of any management actions that remain outstanding, the Senior Vice-Principal will, on behalf of the Audit and Risk Committee, write to the auditee requesting an explanation for their inaction either in writing or in person.

Ian Marshman Senior Vice~Principal

Senior Vice-Principal's Management Group Internal Audit

Menu