ANU ICT Governance Framework

Published 2013

ANU ICT governance processes include policies and audits that assist in the management of IT security and the use of the University's Information Infrastructure and Services (IIS), including risk; business continuity; data protection and security; infrastructure security; and the procurement and disposal of data and equipment.

Our policies and procedures set out the responsibilities of managers, supervisors and users of IIS across the University, and refer to relevant government legislation and Acts. IT policies and procedures are mandatory across the University.


Regular audits are conducted through the University Risk Management and Audit Office (RMAO) ensuring that risk around our processes is continually assessed, and concurrently managed and mitigated. For more detailed information on any of the audit functions, or specific questions relating to any ongoing internal audits, please contact

How does an audit work?

Once an audit plan is in place, Terms of Reference are agreed on for each specific audit. A report on each audit is provided to the Corporate Governance and Risk Office (CGRO) and the lead area being audited by the internal auditor. The report includes an executive summary, detailed findings, and matters of note.

Detailed findings are given a risk rating and include observations on the item audited, a risk and impact assessment, and one or more recommendations for action. ITS circulates this document to previously interviewed individuals as per the audit schedule to confirm the accuracy of their comments and to record comments against recommendations. The audit report is then reviewed, and ITS responds formally to the auditor with management comments and outlines actions in response to the audit recommendation. Once finalised, the Audit and Risk Management Committee (ARMC) considers actions and, once accepted, agrees on a timeline for the action to be completed.

Each month an audit meeting is held between the ITS Policy and Audit Officer and a representative from the CGRO, to review progress and activity. A monthly report is submitted to the ARMC through CGRO detailing activity against each recommendation until the item is closed.

Internal audits

An internal audit plan is developed by the ARMC, in consultation with members of the University Executive, College Deans, Heads of Service Divisions, and external stakeholders such as the Australian National Audit Office (ANAO).

External audits

External audits are conducted on behalf of the Australian National Audit Office. Each year ITS participates in audits of the annual financial statements. Other audits are to ensure compliance, and give a true and fair view of the University's financial position; this may also impact on other areas of the University including Colleges and Service Divisions.