Internal Audit - OPBD Procedure

To be read in conjunction with

READ IN CONJUNCTION WITH (lick on the hyperlink below to access)

Te Pūkenga Risk Management Framework



Approval Date
17 March 2022
Approved By
Otago Polytechnic Limited Board Chair
Next Review
17 March 2024
Deputy Chief Executive: Corporate Services
Baldrige Criteria

To detail the nature, role, responsibility, status, scope, and authority of Internal Audit work within Otago Polytechnic Limited.


The role of Internal Audit at Otago Polytechnic Limited is to assist the organisation to meet its objectives and to facilitate the leadership team and the board carrying out their responsibilities in relation to these matters.


The key objectives of the Internal Audit process are to:

  • Provide an independent appraisal of the adequacy and effectiveness of the controls in place.
  • Identify and recommend measures to achieve greater effectiveness, efficiency, and
  • Remedy practices that expose Otago Polytechnic Limited to risk and vulnerability.
  • Bring a systematic and disciplined approach to evaluating and improving the effectiveness of Otago Polytechnic Limited risk management, and internal control processes.

External Auditor refers to the organisation appointed by the Office of the Auditor General to conduct the statutory annual audit of Otago Polytechnic Limited and to provide an opinion on its annual financial statements and statement of service performance.

Internal Auditor refers to the person or organisation appointed to conduct internal audits for Otago Polytechnic Limited. This person or organisation may be internal to Otago Polytechnic Limited or a contracted external party (or both).

Internal Audit refers to an instance of (or function of) auditing within Otago Polytechnic Limited itself with respect to its internal processes and controls.



  1. The Internal Auditor reports to the Audit and Risk Committee of the Board and liaises primarily with the Deputy Chief Executive: Corporate Services but also with any Deputy Chief Executive depending on the function being audited.

 Responsibilities of the Audit and Risk Committee

  1. The Audit and Risk Committee is responsible for the development, review, and monitoring of Internal Audit functions, policies, and procedures. This includes:
    1. oversight of the Internal Audit function; and
    2. setting the budget for Internal Audit; and
    3. setting the Internal Audit work plan
    4. recommending the appointment of the Internal Auditor and/or the use of internal resources to carry out internal audit work; and
    5. receiving reports arising from Internal Audit activities; and
    6. meeting with the Internal Auditor independently of management on an annual basis.

 Responsibilities of Management

  1. The Deputy Chief Executive: Corporate Services is responsible for ensuring that those carrying out the Internal Audit function have:
    1. operational cooperation from staff throughout the organisation
    2. access to staff and systems requested by internal audit
    3. direct access and freedom to report to the Chief Executive
    4. unrestricted and independent access to the Audit and Risk Committee.

 Management is responsible for maintaining internal controls, including setting appropriate policies and monitoring compliance with these, and maintaining proper accounting records and other appropriate management information that ensures effective stewardship of government funds as required by the Education and Training Act 2020 and with reference to Tertiary Funding Information.

 Procedures – Planning and Reporting

The Deputy Chief Executive: Corporate Services, and the Audit and Risk Committee will agree on a three (3) year (reviewed annually) Internal Audit work plan setting out the recommended scope of its work in the period. The work plan should have due regard to the key areas identified within the risk assessment framework in regard to internal control and include monitoring compliance with policies and procedures associated with the Fraud Prevention and Response Policy and Standard Operating Procedures and Fraud Control Plan,

 5. and an appropriate level of forensic audit.

 6. The work plan will set the scope for each review, but will include:

a. Reviewing systems established by management to ensure that major risks to the achievement of the organisation’s objectives are being appropriately addressed by the controls inherent in these systems.

b. Reviewing the reliability and integrity of financial and operating information and the means used to identify measure, classify, and report such information.

c. Review of cyber security with reference to the Use and Security of Information Systems Policy.

d.. Review of health and safety policies, procedures, and compliance.

e. Assessing compliance with policies, plans, procedures, laws, and regulations that could have a significant impact on operations and reports.

f. Reviewing the means of safeguarding assets and, as appropriate, verifying the existence of assets.

g. Appraising the economy and efficiency with which resources are employed.

h. Investigating and reporting on alleged violations of policies and procedures, errors, fraud, or misuse of Otago Polytechnic Limited assets.

i.Assessing internal control risks to Otago Polytechnic Limited.

j. Performing and reporting on follow-up reviews to determine the status of recommendations contained in reports.

 7. The Internal Auditor will complete the reviews identified and agreed in the annual Internal Audit work plan and,

a. Report in writing to the Audit and Risk Committee and Deputy Chief Executive: Corporate Services setting out the processes followed, the findings and key concerns and

b. Raise any serious concerns about unresolved issues relating to projects or the Executive Leadership Team itself directly with the Audit and Risk Committee Chair.

c. Meet with the Audit and Risk Committee without the Executive Leadership Team present, at least annually.

d. Formally update the organisational internal control risk assessment annually. The update will be informed by the outcomes of the Internal Audit plan projects and will focus on the risks identified to the organisation and strategies to mitigate these risks and improve operational effectiveness.




Approved by:

Adam La Hood

Otago Polytechnic Limited Board Chair

17 March 2022

Adam La Hood Signature