Internal Audit Charter
TABLE OF CONTENTS
1. Purpose
2. Scope
4. Policy statement
5. Abbreviations/Definitions
12. Exclusions from the mandate of the Internal Audit Function
ARMC 39/22
1. Purpose
The Internal Audit Charter embodies the general authorisation and mandate from the Audit,
IT and Risk Committee of the University of Pretoria (UP) Council (AITRC) for the Internal
Audit Function to conduct a certain scope of work. It outlines the key principles associated
with the provision of various internal audit and related services at the University and its
entities, including the corresponding responsibilities of management and other relevant
stakeholder groups.
2. Scope
The Internal Audit Charter applies to all areas of the University of Pretoria, including the
faculties, professional service departments, centres, bureaus, units, campus companies
and other entities controlled by the University.
3. Consequences of non-compliance
Non-compliance with the Internal Audit Charter may result in reputational, as well as
potential financial damage and/or inability of the University to comply with applicable
legislative, contractual and corporate governance requirements.
In addition, non-compliance may result in relevant corrective action, including, but not
limited to, disciplinary action.
4. Policy statement
It is the policy of the University to maintain an independent, objective and effective
co-sourced Internal Audit Function that is adequately resourced to assist management in the
effective discharge of their responsibilities, by:
• Providing reasonable assurance on whether management processes are adequate
to identify, manage and monitor significant risks;
remedial actions and improvements until the full implementation thereof has been
achieved.
5. Abbreviations/Definitions
IA: Internal Audit
Internal Audit Function: The collective consisting of the Department of Internal Audit and
Compliance Services (UP professional service department), inclusive of the providers of
co-sourced internal audit and related services, as well as (where and to the extent
applicable) ad hoc external service providers and experts engaged by the Department of
Internal Audit and Compliance Services.
The Internal Audit Function helps UP to accomplish its strategic and operational objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness
of various aspects of UP’s organisational governance.
The purpose of the University of Pretoria’s Internal Audit Function is to provide independent,
objective assurance and consulting services designed to add value and improve the
University of Pretoria’s operations and corporate governance.
The mission of the Internal Audit Function is to enhance and protect UP’s organisational
value, including the UP’s reputation, by providing risk-based and objective assurance
services. This includes effective consulting services, advice and insight, inclusive of
effective recommendations for improvement, formulation of appropriate remedial actions
and provision of modern corporate governance insight.
The University’s approach to internal auditing is embedded in its philosophy that internal
auditing is an essential part of good corporate governance and one of the mechanisms for
providing the necessary checks and balances within the University.
The strategy of the University is to maintain a risk-based, independent co-sourced Internal
Audit Function consisting of the in-house component (the Department of Internal Audit and
Compliance Services) and a primary co-sourced internal audit and related services
provider(s) from the private sector, depending on capacity and the need for additional
expertise.
In addition, the strategy of the Internal Audit Function includes supplementary appointments
of ad hoc specialised audit and specific relevant subject matter service providers.
The appointment of the service providers is done in line with prevailing UP procurement
policies, procedures and related requirements.
The Internal Audit Function governs itself by adherence to the mandatory elements of the
Institute of Internal Auditors' International Professional Practices Framework, including the
Core Principles for the Professional Practice of Internal Auditing, the IIA Code of Ethics, the
International Standards for the Professional Practice of Internal Auditing, and the Definition
of Internal Auditing (collectively referred to as “the Standards”).
The Director: IA and CS reports periodically to Executive management and the AITRC
regarding the Internal Audit Function’s conformance to the IIA Code of Ethics and the
Standards, as well as relevant UP policies.
The AITRC has established the Internal Audit Function on a co-sourced model, and is,
inter alia, responsible for ensuring that the Internal Audit Function has sufficient authority,
resources and co-operation from management to fulfil its duties, by means of the following:
9.1 AITRC approves the appointment and dismissal of the primary co-sourced service
provider (except for circumstances where the contract has naturally come to an end
due to the completion of the contractual period for which the co-sourced service
provider was appointed).
9.2 AITRC approves the Internal Audit Charter of the Internal Audit Function, and its
amendments, from time to time.
9.3 AITRC approves the risk-based Internal Audit Plan on an annual basis.
9.4 AITRC evaluates all material issues on which the Internal Audit Function reports.
9.5 AITRC evaluates management’s reports and comments, as well as the steps taken
by management to rectify situations.
9.6 AITRC ensures proper co-ordination between external auditors and the Internal
Audit Function.
9.7 AITRC monitors the performance of the Internal Audit Function (in-house and
co-sourced), assessing the adequacy and effectiveness of the manner in which internal
audits are performed, and ensuring adequate resources are made available to the
Internal Audit Function.
9.8 AITRC approves the Internal Audit Function’s budget and resource plan as
administratively allocated by the relevant UP Executive authority.
9.9 AITRC ensures that the Internal Audit Function is an integral part of UP’s corporate
governance processes and that it functions independently of management.
9.10 AITRC receives communications from the Director: IA and CS on the Internal Audit
Function’s performance relative to its plan and other matters.
9.11 AITRC, as the functional line manager, approves decisions regarding the
appointment, performance management, discipline management, any significant
HR management matters including remuneration upon the appointment thereof, and
dismissal of the Director: IA and CS.
9.12 AITRC makes periodic inquiries of management and the Director: IA and CS to
determine whether there are inappropriate scope, resource or process limitations.
9.13 AITRC ensures that the Director: IA and CS has unrestricted access to and
communicates and interacts directly with the members and the Chairperson of the
AITRC, including in private meetings without management present.
9.14 AITRC approves that the Director: IA and CS and the director of the primary
co-sourced service provider, and one (1) member of each of their senior management
teams, are invited to attend all of the ordinary and any relevant special meetings of
the AITRC.
9.15 AITRC ensures that the Internal Audit Function has full, free, and unrestricted
access to all functions, records, property, data, assets, and UP personnel (both staff
and management) pertinent to carrying out any engagement at the time they are
relevant to the performance of the specific internal audit engagement(s), subject to
accountability and due care for the confidentiality and safeguarding of records and
information.
9.16 AITRC authorises the Director: IA and CS to allocate resources, set frequencies,
select subjects, determine scopes of work, apply techniques required to accomplish
assurance and non-assurance objectives per the Internal Audit Function’s mandate,
to constructively liaise with various stakeholders, to obtain management comment
where applicable, and to issue draft and final reports, as well as other
communications and activities incidental to the discharge of the Internal Audit
Function’s mandate.
9.17 AITRC authorises the Director: IA and CS to obtain assistance from the necessary
UP personnel, as well as other specialised services from within or outside of UP, in
order to complete any of its engagements and reviews, which technical subject
matter assistance or external independence thereof is deemed necessary in the
professional discretion of the Director: IA and CS.
Internal auditors have no direct operational responsibility or authority over any of the
activities audited. Accordingly, internal auditors do not implement internal controls, develop
procedures (other than those relevant to its functioning), install systems, prepare records,
or engage in any other activity that may impair their judgement.
Where the Director: IA and CS has or is expected to have roles and/or responsibilities that
fall outside of internal auditing, safeguards will be established to limit impairments to
independence or objectivity.
Internal auditors (both in-house and co-sourced) will, in their individual professional
capacity as part of the Internal Audit Function:
The scope of work of the Internal Audit Function consists of two (2) broad categories, as
indicated below:
Category 1:
Assurance activities (internal audits): Reviews based on a systematic, disciplined and risk-
based approach, performed in accordance with the IIA Standards, aimed at evaluating and
improving the adequacy and effectiveness of internal controls, corporate governance, risk
management and other organisational processes. Internal audits encompass, but are not
limited to, objective examinations of evidence for the purpose of providing independent
assessments to the AITRC and management on the adequacy and effectiveness of
governance, risk management, and control processes at the University of Pretoria.
Internal audits may include, but are not limited to, the following reviews:
• Established processes and systems enable compliance with the policies,
procedures, laws, and regulations that could significantly impact UP.
• Information and the means used to identify, measure, analyse, classify, and report
such information are reliable and have integrity.
• Resources, assets and consumable goods and services are acquired economically,
managed, consumed and applied efficiently and responsibly, and protected
adequately.
Category 2:
Non-assurance activities: Consulting activities, advisory services, investigations, internal
training and related services and participation in UP and UP-related projects, excluding
assurance activities (internal audits).
The Internal Audit Function plays a role as consultants/advisors in various strategic
processes of UP and UP-related entities, such as (but not limited to) Business Continuity
Management, Risk and Compliance Management, Policies and Procedures Management,
etc.
Non-assurance activities are subject to the consideration of appropriate safeguards with
regard to the independence of the Internal Audit Function and its mandate.
The following are excluded from the mandate of the Internal Audit Function:
• The evaluation of academic performance falls within the mandate of Senate and is
undertaken through a process of independent external peer and/or relevant
third-party review, accreditation assessment by professional boards, reviews by external
auditors or by the Auditor-General of South Africa;
• The management and/or implementation of the combined assurance model and the
co-ordination of the process with other parties (which forms part of the Executive
management’s mandate);
• Any directives, additional duties or reviews that do not form part of its mandate;
• Any references made to “Internal Audit/Internal Auditors/Department of Internal
Audit and Compliance Services” in UP policies or external documents, which were
not part of prior consultation and agreement with the Director: IA and CS;
• The Internal Audit Function may not be compelled to accept an ad hoc request from
management or third parties to perform any specific review or activity;
• Where UP policy documents or external party requirements refer to “audit” and “UP
auditors”, the assumption is that these reference(s) refer to the external auditors of
UP (registered auditors who are members of the Independent Regulatory Board for
Auditors (IRBA)); and
• Review of compliance of donor funding with donor-specific requirements, review of
financial information for purposes of agreed upon procedures or for purposes of
providing an opinion on the fair presentation thereof, or any other review which is
not expressly included in the mandate of the Internal Audit Function per the present
Internal Audit Charter and associated documents.
The Director: IA and CS will report to Executive management for noting and at the AITRC,
for approval, respectively, at the following key intervals:
The Interim Consolidated Summary Internal Audit Report will serve at the first
meeting of the AITRC annually (approximately in May of every year), indicating
to-date progress on the Internal Audit Plan, any changes thereto requested by either
management or the Internal Audit Function, summary outcomes of final reports
issued since the previous reporting cycle and any other significant matters.
The Final Consolidated Summary Internal Audit Report will serve at the third
meeting of the AITRC annually (approximately in October of every year), indicating
to-date progress on the Internal Audit Plan, any changes thereto requested by either
management or the Internal Audit Function, summary outcomes of final reports
issued since the previous reporting cycle and any other significant matters.
This report also includes, but is not limited to, the following:
o A proposed risk-based Internal Audit Plan for the upcoming academic and
financial year, for consideration and approval by the AITRC;
o Results of client satisfaction surveys, as may be conducted from time to
time;
o Confirmation of the Internal Audit Function’s independence for the
reporting period;
o The Internal Audit Function’s assessment of the UP internal financial
controls; and
o Other significant matters arising, as the case may be.
In addition, the Director: IA and CS will report to relevant members of Executive and Senior
management on the outcomes of individual internal audit engagements, and where
applicable, investigations and consulting and advisory activities.
Where applicable, findings, observations and recommendations for improvement of
governance, risk management, and control processes and remedial actions are discussed
and agreed with the relevant members of management.
In addition, the Internal Audit Function contributes to other reporting processes, as may
arise from specific policy requirements and organisational processes, including but not
limited to, the provision of inputs towards:
• UP Annual Report;
• Summary Quarterly and Annual Whistle-Blowing and Anti-Fraud Reports;
• Quarterly reports to the Vice-Chancellor and Principal; and
• Other reports as may be deemed applicable to the functioning and the mandate of
the Internal Audit Function.
The detailed arrangements for internal audit and related services are outlined in the Service
Level Agreement (SLA), which is entered into between the Director: IA and CS on behalf of
the Internal Audit Function and by the Vice-Chancellor and Principal of the University, on
behalf of UP management, in the Vice-Chancellor and Principal’s capacity as the Chief
Executive Officer of UP.
The Director: IA and CS is required to apply reasonable professional judgement and due
care in ensuring, facilitating, directing and monitoring the following:
• Ensuring compliance of the Internal Audit Function with the Internal Audit Charter.
• Ensuring that assurance and non-assurance engagements are planned, performed
and reported with due care and diligence. Detailed arrangements and
methodologies in this regard may be documented in the standard operating
procedures of the Internal Audit Function, as deemed relevant.
• Ensuring that the principles of integrity, objectivity, confidentiality, quality and
competency are applied and upheld by the Internal Audit Function.
• Ensuring that all personnel of the Internal Audit Function, including of the
co-sourced service provider(s), as well as any subject matter experts temporarily
engaged by the Internal Audit Function for ad hoc reviews and projects, collectively
possess or obtain the knowledge, skills, and other competencies needed to meet
the requirements of the Internal Audit Charter.
• Ensuring that trends and emerging issues that could impact the University of Pretoria
are considered and communicated to Executive management and the AITRC as
appropriate.
• Ensuring adherence of the Internal Audit Function to the relevant policies and
procedures, unless such policies and procedures conflict with the Internal Audit
Charter or applicable professional body requirements. Any such conflicts will be
resolved or otherwise communicated to Executive management and the AITRC.
• Ensuring an appropriate level of co-ordination of its activities with other assurance
providers.
• Ensuring conformance of the Internal Audit Function with the IIA Standards, subject
to the following:
o If the Internal Audit Function is prohibited by law or regulation from
conformance to certain parts of the Standards, the Director: IA and CS will
ensure appropriate disclosures and will ensure conformance to all other
parts of the Standards.
o If the IIA Standards are used in conjunction with requirements issued by
other relevant professional and regulatory bodies, the Director: IA and CS
will ensure that the Internal Audit Function conforms to the Standards, even
if the Internal Audit Function also conforms to the more restrictive
requirements of such other relevant professional and regulatory bodies.
Co-operation and support from management is essential to the ability of the Internal Audit
Function to execute its mandate.
Any attempt to interfere with, prevent, obstruct, harass or in any way intimidate the Internal
Audit Function in performance of its mandated duties, including accessing information,
which is required to perform the duties, shall be escalated to the relevant member of the
Executive and thereafter, as may be applicable, to the Vice-Chancellor and Principal for
resolution.
If the concerns are not resolved in a timely manner through this escalation, the Director: IA
and CS shall escalate the matter to the Chairperson of the AITRC.
The internal audit review processes, and/or the consulting activities of the Internal Audit
Function, do not relieve other persons in the UP structures (staff and management) from
the responsibilities assigned to them per UP policies and related activities.
16. Responsibility with regard to fraud
Management and those charged with governance have the primary responsibility for the
design and implementation of the internal control environment at UP. This includes
mechanisms to deter, prevent, detect and remediate fraud and irregularities.
The Internal Audit Function, through its mandate, is responsible for the examination and
evaluation of the adequacy and effectiveness of the internal controls implemented by
management.
In terms of, inter alia, IIA Standard 1210.A2, internal auditors are required to have
sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by
the organisation, but are not expected to have the expertise of a person whose primary
responsibility is the detection and investigation of fraud. Per IIA Standard 2120.A2, the
Internal Audit Function must evaluate the potential for the occurrence of fraud and how the
organisation manages fraud risk.
Per IIA Standard 2210.A2, the Internal Audit Function is required to consider the probability
of significant errors, fraud, non-compliance and other irregularities when developing its
internal audit engagement objectives.
It should be noted that there are inherent limitations in any system of internal control,
including error and circumventions through collusion. In addition, internal audit procedures
cannot guarantee that fraud will be detected.
The Executive management, through its budgetary and financial processes, allocates
annual operational funding to the Internal Audit Function. The funding is used for defraying
the costs associated with the primary co-sourced and ad hoc externally sourced, related
services, and separately, the administrative running costs of the Internal Audit Function.
The decisions relating to the use of the allocated operational funding are subject to the
prevailing UP policies, with the necessary independence associated with the organisational
status of the Internal Audit Function.
In order to preserve the organisational independence of the Internal Audit Function, the
annual operational funding allocated to the Internal Audit Function, once allocated, is
ring-fenced and cannot be re-allocated to other cost centres of the University, without express
written consent of the Director: IA and CS. This also applies to the reserve funds of the
Internal Audit Function.
The operational funding of the Internal Audit Function is applied primarily towards the
co-sourced costs associated with the execution of the Internal Audit Plan, the investigations
allocated to the co-sourced and ad hoc outsourced service providers, and advisory
services, to the extent deemed necessary at the discretion of the Director: IA and CS,
subject to the prevailing UP procurement and related policies.
Where relevant, the Director: IA and CS consults administratively with the Registrar in this
regard.
The human resources costs of the in-house component of the Internal Audit Function,
namely the personnel of the Department of Internal Audit and Compliance Services, are
covered from the central HR budget of the University per prevailing UP policies.
The Internal Audit Function is required to maintain a quality assurance and improvement
program that covers the assurance-related (i.e. internal auditing) aspects of the Internal
Audit Function’s mandate.
The program is required to include an evaluation of the Internal Audit Function’s
conformance to the IIA Standards and an evaluation of whether internal auditors apply the
IIA’s Code of Ethics.
The program is required to assess the efficiency and effectiveness of the Internal Audit
Function’s assurance-related services and identify opportunities for improvement.
The Director: IA and CS will communicate to Executive management and the AITRC, the
Internal Audit Function’s quality assurance and improvement program, including results of
internal self-assessments and external assessments conducted per the schedule approved
by the AITRC or at least every five years, by a qualified, independent assessor or
assessment team from outside the University of Pretoria, duly accredited by the IIA.
This document, including amendments thereto, is consulted with and presented to the
Executive management for consideration, as well as to the AITRC for consideration and
approval.
The Director: IA and CS, as the policy owner, reviews the Internal Audit Charter in
consultation with the AITRC on a periodic basis, but at least every five (5) years to ensure
its continued effectiveness and relevance.
21. Approval
This Charter was approved by the AITRC and signed on its behalf by the Chairperson.