Internal Audit Office

Self Assessment

All staff have the responsibility to identify, assess and manage risks to the achievement of their objectives.  Controls are processes that exist to minimize negative risks or enhance opportunities.  Self assessment is an approach to evaluating those controls. 

Risk and Internal Control            

Definitions

Risk is the chance of something uncertain happening which has an impact upon objectives   of the unit or organization.   The University defines risk in terms of:

• An uncertain or unanticipated future potential event or circumstances;
• Any impact or consequences arising from this event; and
• The likelihood (including possibility or probability) of this event occurring with that perceived consequence.

Internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Compliance with applicable laws, regulations and policies
• Reliability of financial reporting
• Safeguarding of assets

Types of controls

There are three kinds of controls:

• Preventative Controls - directed at limiting the likelihood of a risk event (e.g segregation of duties and authorisations)
• Detective Controls - directed at detecting an event and reducing its impact (e.g reconciliations)
• Directive Controls - designed to cause a desirable event (e.g policies and procedures)

Balancing Risk and Internal Control

In order to achieve goals and objectives, management needs to effectively balance risks and controls.  Therefore, control procedures need to be developed so that they decrease risk to a level where management can accept the exposure to that risk. <Return to top>

Minimising the Risk of Fraud

A primary category of risk to the University is fraud.

There are generally three requirements for fraud to occur - opportunity, pressure, and rationalization .  

• Opportunity is generally provided through weaknesses in the internal controls, e.g a lack of supervision or no separation of duties
• Pressure/motivation can be imposed due to individual's personal financial problems
• Rationalization occurs when the individual(s) develops a justification or willingness for their fraudulent activities, e.g “I really need this money and I'll put it back when I get my pay” or “everyone else is doing it”.

Opportunity is the easiest and most effective requirement to address to reduce the probability of fraud.  By developing effective systems of internal control, opportunities to commit fraud can be removed. <Return to top>

Self Assessment

The “Guide to the Use of AS 4360 Risk Management within the Internal Audit Process” suggests using self assessment as an approach to evaluating controls.   The Internal Audit Office has developed a self assessment questionnaire - Control and Fraud Self Assessment (CFSA) - to provide a framework and tool for unit managers and their staff to evaluate the system of internal control.  The aim of the CFSA is to:

• assess of the effectiveness of the system of internal control operating in a budget unit
• assess and mange at risk area
• assess compliance with policies and procedures of the University
• help  detect and prevent fraudulent or corrupt activities
• highlight potential areas of concern, in order to direct Internal Audit assistance with remediation of non-compliance and to minimise risk
• improve the understanding of internal controls across the University, including education on policies of the University; and
• promote fraud and corruption awareness and prevention across the University.  <Return to top>

About the Control and Fraud Self Assessment Questionnaire

The Control and Fraud Self Assessment specifies the internal control objectives for a number of activities and identifies the risks that threaten these objectives and gives examples of potential fraud.  Each activity has a series of control questions designed to test for the existence of key controls. 

The questions are based on La Trobe University policies and procedures and standard business practice.  Where applicable specific LTU references are shown.  The CFSA is not intended to cover all activities of a unit.

Budget unit managers, in conjunction with appropriate staff, should complete the Self Assessment.  Answers should contain honest, fair and objective assessments.

If, as a result of completing the questionnaire, a manager suspects that corrupt or fraudulent activity or practices has occurred, or is occurring, they should immediately notify the Risk Management Unit.

The responses to the self assessment will be analysed by the Risk Management Unit to

• assist in prioritising risk; and
• assess areas and activities that may require improvement to mitigate risk. <Return to top>

When to Complete the Self Assessment Questionnaire

1.   University wide assessment.

The Corporate Governance and Audit Committee has approved the conduct of a control and fraud self assessment across all budget units of the University every 3 years.  Assessments will be evaluated with the aim of:

• identifying budget units which are non-compliant with policies and procedures of the University;
• identifying University wide activities/issues of concern or requiring improvement; and
• assisting in the development of the Annual Internal Audit Plan.

2.   Budget unit reviews.

The Annual Internal Audit plan includes financial compliance audits of selected budget units. Units subject to audit will be issued with a Self Assessment questionnaire to be completed prior to the internal audit.

The aim of the questionnaire is to enable the Internal Audit Office to gain an overall understanding of the unit's financial activities and to assist in the immediate identification of any weaknesses in internal control, issues of non-compliance and the identification of potential fraud exposures. 

The accuracy of completion of the Self Assessment forms part of the audit.

3.   Emerging areas of risk

Use of the full questionnaire or components thereof will be advocated in intervening years (at any time) for specified areas in circumstances where significant new risks are introduced into the business; this would include (but not be limited to):

• New management  is introduced into the budget unit;
• Significant staff turnover occurs within the budget unit;
• Significant restructuring or reassignment of responsibilities occurs within the budget unit occurs;
• Significant unplanned resourcing constraints are applied to the unit.
• Other audits indicate the potential for significant control weakness.
• emerging areas of risk and
• areas of concern to management or Council (for example identified fraud, protection of confidential information, etc). 

4.   Voluntary completion

In addition to the compulsory completion of the questionnaire, manager's are encouraged to use the CFSA to assess their ongoing compliance with policies and procedures and the assessment of the units resistance to potential fraud.  Manager's may wish to use the CFSA to help ‘educate' new staff to key policies and procedures of the University.  Questionnaires voluntarily completed do not have to be returned to Internal Audit.  <Return to top>