COPYRIGHT INFORMATION
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be
reproduced by any process without prior written permission from the Commonwealth.
Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth
Copyright Administration, Attorney-General’s Department, Robert Garran Offices, National Circuit,
Canberra ACT 2600 http://www.ag.gov.au/cca
Questions or comments on the Guide may be referred to the ANAO at the address below.
Email: webmaster@anao.gov.au
Website: http://www.anao.gov.au
Foreword
The responsibilities of internal audit vary considerably across public sector entities, as do
internal audit organisational arrangements and the way internal audit services are delivered.
This is to be expected, given the nature, size and complexity of the public sector.
It is our experience that better practice entities consider an appropriate level of investment in
internal audit to be an essential business decision. These entities recognise a well resourced
and effective internal audit function can play a key role in its governance arrangements.
By providing assurance on the effectiveness of an entity’s internal control environment and
identifying opportunities for performance improvement, internal audit can make a valuable
contribution to achieving an entity’s objectives.
This Guide updates and replaces the Guide issued by the ANAO in 1998. While many of
the principles remain the same, the role of internal audit has continued to evolve over time,
and this Guide incorporates practices and considerations of a better practice internal audit
function in a contemporary public sector environment. Consistent with other elements of
public sector administration, the roles and responsibilities of internal audit, together with
the skills and qualifications of internal audit staff, should be determined within the context
of each entity’s governance and risk profile.
The aim of the Guide is to provide guidance relevant to public sector entities operating
under both the Financial Management and Accountability and the Commonwealth
Authorities and Companies Acts. As with all the ANAO’s Better Practice Guides, each
entity is encouraged to use the Guide to identify, and apply, better practice principles and
practices that are tailored to its particular circumstances.
The Guide complements the ANAO’s Better Practice Guide Public Sector Audit Committees
issued in February 2005, and is intended as a reference document for Chief Executives,
Boards, members of Audit Committees, managers with responsibility for internal audit
activities, and internal audit staff.
Ian McPhee
Auditor-General
Contents
Foreword
Part 1
1. Introduction
1.1 Coverage
1.2 Common terminology
1.3 Key characteristics of a better practice internal audit function
1.4 Structure of the Guide
1.5 Acknowledgements
Key characteristics of a better practice internal audit function
Part 2
Part 3
Example internal audit strategic business plan and annual work plan
References
Index
Internal Audit in the Public Sector: Better Practice Guide
Part 1
1 Introduction
Public sector managers operate in an increasingly complex and challenging environment. This, in
part, reflects the increasing demands and expectations of the community, government and the
Parliament. Public sector managers have a range of resources and mechanisms available to assist
them to meet their responsibilities within this environment.
In both the public and private sectors, internal audit has long been recognised by better practice entities as a valuable resource and entities have given the internal audit function a key role in their governance arrangements. In doing this, organisations recognise that internal audit is one of a number of internal assurance and business review type activities that should operate in a coordinated and complementary manner to the benefit of the organisation. These other activities include management monitoring, evaluations, quality assurance and control self-assessment arrangements, that are all designed to provide confidence and assurance to Chief Executives and/or Boards that management is meeting its responsibilities and the entity is achieving its objectives.
Better practice entities also recognise that internal audit should:
- be operationally independent: that is, internal audit is independent from the activities subject to audit
- have the visible and active support of the Chief Executive and/or Board, the Audit Committee and senior management
- have well defined roles, responsibilities and audit plans that are aligned with the entity’s risk profile
- have effective relationships with all stakeholders
- be properly resourced to enable it to meet its responsibilities
- adhere to specified professional standards
- have efficient and effective work practices
- be fully accountable for its performance, and
- be subject to periodic review.
1.1 Coverage
The principles and considerations outlined in this Guide are generally applicable to all public sector internal audit functions, irrespective of the particular delivery model adopted by the entity to provide internal audit services.
‘Chief Executive’ is used for the majority of entities subject to the Financial Management and
Accountability Act 1997 (FMA Act) where responsibility and accountability rests with the head of
the entity.
The term ‘Board’ is used for entities where a Board is appointed as the governing body of the entity,
as is generally the case with entities subject to the Commonwealth Authorities and Companies
Act 1997 (CAC Act).
Under the Financial Management and Accountability Act 1997 the Chief Executive is responsible for managing the affairs
of the entity in a way that promotes the efficient, effective and ethical use of Commonwealth resources for which the Chief
Executive is responsible. Under their enabling legislation, the Boards of Commonwealth authorities and companies subject
to the Commonwealth Authorities and Companies Act 1997 are generally similarly responsible for the efficient and effective
use of Commonwealth resources.
These are discussed in Chapter 5.
‘Head of Internal Audit’ is used to describe the person responsible for the management of the internal
audit function. Depending on the circumstances, the Head of Internal Audit can be an employee of
the entity, a partner, director or senior employee of an external service provider.
‘Internal audit support activities’ are activities associated with internal audit or managing the internal
audit function including: developing the internal audit strategic business plan and internal audit annual
work plan; providing support services to the Audit Committee; monitoring the implementation of
agreed internal and external audit report recommendations and those of Parliamentary Committees
and other bodies; internal audit staff management and training and liaison with the external auditor.
‘Type of audit’ is a means of classifying the primary focus or orientation of an internal audit. The two types of audit referred to in this Guide are:
- compliance: that the operations under review are complying with legislative requirements, government or entity policy and procedures, and systems of internal control, and
- performance improvement: aimed at improving the efficiency and effectiveness of the programme or operations under review.
1.5 Acknowledgements
The ANAO appreciates the assistance provided by MKL Consulting in preparing the Guide. In
addition, many entities and individuals contributed to the development of the Guide. These included
Chief Executives, chairs and members of a number of public sector audit committees, Heads of
Internal Audit as well as a number of people in the internal auditing and accounting professions, and
private sector organisations.
Where the Head of Internal Audit is not an employee of the entity, arrangements need to be put in place to ensure relevant public sector financial and other legal requirements are met.
Also known as ‘systems under development’ audits.
These include the Management Advisory Committee, the Ombudsman and the Australian Public Service Commission.
In practice, audits will often have more than one focus and there are a number of other terms in use to classify audits. For example,
‘compliance’ audits can be called ‘assurance’ audits, and ‘performance improvement’ audits called ‘performance’ audits.
1. Is operationally independent: that is, internal audit is independent from the activities
subject to audit.
2. Is appropriately positioned in the entity’s governance framework to ensure the work
of internal audit complements the work of other internal and external assurance and
review providers.
3. Has a well developed business strategy that clearly articulates internal audit’s future role
and responsibilities.
4. Is business focused and has audit plans that are comprehensive and balanced, and are
linked to the risks in the entity.
5. Has the confidence of key stakeholders including the Chief Executive, the Board
(if applicable), the Audit Committee and senior management.
7. Has sufficient financial resources and access to internal audit staff with the necessary
skills, experience and personal attributes to achieve what is expected of internal audit.
8. Provides internal audit reports and other services, based on efficient and effective work
practices, that are valued by stakeholders.
10. Advises the Audit Committee and entity management of patterns, trends or systemic issues arising from internal audit work.
12. Disseminates lessons learnt arising out of its work to relevant areas of the entity.
13. Regularly informs the Audit Committee of progress in the implementation of agreed
internal and external audit and other relevant report recommendations.
2 Roles and responsibilities of internal audit activities
2.1 Introduction
Internal audit is an integral part of the broad corporate governance framework that entities establish
to manage risks and achieve corporate objectives.
It is important that the position internal audit occupies in the governance framework and the role it plays is determined by the particular assurance needs of the entity and its preferred governance framework, now and in the foreseeable future.
2.2 The purpose of internal audit
Internal audit10 provides an independent and objective review and advisory service to:
- provide assurance to the Chief Executive and/or Board that the entity’s financial and operational controls designed to manage the organisation’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner, and
- assist management in improving the entity’s business performance.
However, internal audit is not independent of the organisation in the same way as the external audit
function. It provides a service to management, reports to the Audit Committee and is accountable to
the Chief Executive or the Board for the achievement of its objectives and the use of its resources.
A number of practical measures can be taken to reinforce internal audit operational independence.
These include:
- internal audit reporting functionally to the Audit Committee and being accountable to the Chief Executive of an FMA Act entity, or to the Board of a CAC Act entity
- the Head of Internal Audit having direct access to the Chief Executive and/or the Chair of the Board, and the Chair and other members of the Audit Committee
- periodic ‘in camera’ meetings between the Head of Internal Audit and the Audit Committee
- any change to the position of the Head of Internal Audit, or an external service provider, being approved by the Chief Executive (or the Board, in the case of a CAC Act entity) in consultation with the Audit Committee, and
- ensuring that internal audit has no management responsibilities11 that conflict with its primary role.
‘an independent, objective assurance and consulting activity designed to add value and improve an organization’s
operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control, and governance processes.’
The Institute of Internal Auditors, Professional Practices Framework (The International Standards for the Professional Practice
of Internal Auditing), July 2006 p.1.
11 Where internal audit is allocated executive or line management responsibilities, appropriate safeguards should be in place to
[Figure: organisational chart showing the reporting lines of the Head of Internal Audit]
Note: Many entities have established an executive board or committee to assist the Chief Executive
in managing the entity.
The extent to which the Chief Executive or Board may wish to delegate some or all of their administrative responsibilities to a senior executive in the entity is a matter to be determined by each Chief Executive or Board. When administrative responsibility for internal audit is delegated, it should be to a senior manager who demonstrates a commitment to the internal audit function and has, to the extent possible, no actual or perceived conflict of interest. It is generally recognised that, because the audit of financial systems and controls will generally feature prominently in internal audit coverage and the Chief Financial Officer (CFO) commonly has a prominent role in determining budget allocations, assigning responsibility of the internal audit function to the CFO creates an actual or perceived conflict of interest. In any case, the reporting arrangements should always provide for the Head of Internal Audit to have direct access to the Chief Executive or Board.
12 However, there may be occasions when the Chief Executive or Board needs to be alerted quickly if there is an urgent major issue. This can be done directly or through the Chair of the Audit Committee.
13 In cases where the entity is headed by an individual, it would be expected that the Head of Internal Audit would be accountable to that person.
14 With direct access to the Chair of the Board, as necessary.
Standards
While there is no legislative or policy requirement for internal audit in the Australian Government to comply with any particular professional standard, it is important that internal audit work is conducted in accordance with recognised professional standards. Such standards assist in:
- providing confidence in the quality and consistency of the work that has been conducted
- guiding the work of auditors
- delivering auditing services in an effective and efficient way, and
- establishing standards and benchmarks against which to measure the performance of internal audit.
There are a number of standards that can guide the work of the internal audit function. The most
recognised standard is the Professional Practices Framework of the Institute of Internal Auditors (IIA).15
Other standards that may have application are the Australian Auditing Standards (ASAs), Auditing and Assurance Standards (AUSs), standards issued by the Information Systems Audit and Control Association (ISACA), Standards Australia and the International Standards Organisation (ISO).
Values
Australian Public Service and supporting entity values can also be relevant to the work of internal
audit and the conduct of internal audit staff, and should be specified in the internal audit charter,
where relevant.
Entities should determine which standard(s) and values must be complied with and specify them in the internal audit charter16.
“We will make an impact when we understand and anticipate stakeholder needs, use our core
competencies to highlight weaknesses in a timely manner and provide meaningful recommendations that
solve the ‘big problems’.” Public Sector Head of Internal Audit
An important decision for each entity to make is deciding what role internal audit should play as part
of its governance framework17. Generally, this should be considered in the context of:
[Figure: internal audit alongside the entity’s other assurance and review functions: Evaluations, Comprehensive Assurance, Quality Assurance, Management Control Self-Assessment, Business Improvement Reviews]
To maximise the effectiveness of internal audit, it is important that its role is considered in the context
of other assurance and business review functions so that internal audit complements, rather than
duplicates, the responsibilities of others. It is equally important to ensure that the role of internal audit
is not displaced by these other functions or that, to the extent possible, there are no significant gaps
in the entity’s assurance and review framework.
One of the factors that will influence the role allocated to internal audit compared to those allocated to other assurance and review functions, is the importance the entity places on assurance and review generally and independent assurance activities specifically. This is likely to be influenced to some extent by the maturity of the other assurance and review functions and also by the culture of the entity.
Another factor to consider in determining the role of internal audit is the role other specialist assurance functions and business improvement advisors play in an entity. For example, there may be a need for a specialist risk management unit and/or a unit responsible for fraud control and investigation. This will be influenced, in part, by the nature of the business and its risks, including, for example, the degree of external regulation, industry standards and norms, the risk of internal or external fraud and the scale and nature of entity operations. Entities will, therefore, need to consider how well equipped internal audit is to meet entity requirements for specialist assurance and advice.
In deciding on the activities internal audit will undertake, it is better practice to consider the
following factors:
In classifying audits, it is recognised that individual audits will often have multiple objectives that
are designed to provide, for example, assurance regarding compliance, as well as to identify
business improvement opportunities. In addition, whatever the particular focus or objective of
individual audits, internal audit should always be alert to opportunities to optimise controls, identify
non-compliance, and improve business performance in the conduct of its work. The two types of
audits referred to above are discussed below.
Compliance audits
- complying with relevant legislation and government and entity policy requirements
- designing, operating, and monitoring business processes to achieve the organisation’s objectives, and
- identifying risks that might prevent the entity from achieving its objectives, and developing, implementing and monitoring controls to manage those risks.
It is generally accepted that a key role of internal audit is to review an entity’s systems of internal control and provide independent assurance to the Chief Executive or Board, through the Audit Committee, that an entity’s internal controls18 are adequate and effective. This can include activities such as providing assurance over compliance with legislative requirements, government and entity policies, assessing the accuracy and integrity of management information, reviewing compliance with procurement and contracting requirements and adherence to ethical standards.
Examples of audits that fall under the broad category of ‘compliance audits’ are discussed below.
Internal audit could usefully play a number of roles in relation to the Certificate of Compliance. For
example, internal audit could conduct a series of compliance reviews on key elements of the control
framework such as specific financial controls, management control self-assessment processes, if
applicable, or programme controls. Alternatively, or in addition, the Chief Executive/Board may prefer
regular, say, quarterly, or annual confirmation that the overall compliance framework can be relied on
to provide the required certification.
Another role that internal audit can play is the preparation of a periodic, say annual, assessment of
the effectiveness of an entity’s systems of internal controls based on the results of the internal audit
work conducted during the period. Internal audit usually conducts a number of audits each year
that assess the effectiveness of the internal controls operating in a range of individual financial or
business processes - such as payroll, grant acquittals, procurement or IT applications. The results of
individual audits are reported to the Audit Committee at the conclusion of each internal audit. Better
practice internal audit functions, are, however, increasingly being tasked with providing the Audit
Committee with an annual overall assessment, based on the internal audit coverage undertaken,
of the adequacy and effectiveness of an entity’s internal controls and any systemic issues that may
have arisen from the internal audit activity completed. Such an assessment can be used by the Chief
Executive and/or Board and the Audit Committee in forming a view about how much confidence
they can have in the entity’s control environment and any systemic issues that need management attention. As a minimum, internal audit should be collating the results of individual audit assignments and providing a periodic summary report to the Audit Committee on audit findings and identifying any systemic issues.
Internal audit can also be well placed to undertake an analysis of the results of reviews conducted by other internal and external assurance providers. This might include reports on the results of
review such as compliance with its service charter, the results of control self-assessment reviews,
the findings from quality assurance reviews, and the results of IT system control monitoring or
occupational health and safety reviews. Providing a report in this way can assist the entity to address
any “silo effect” arising out of the work of different assurance providers and assist in identifying
systemic issues arising out of the range of assurance work that is commonly conducted in entities.
This whole-of-entity perspective on the assurance risks facing the organisation and how well they
are being managed could be used to further help inform risk identification and any necessary
management action.
19 See Finance Circular 2006/8 for FMA Act agencies and Finance Circular 2006/11 for CAC Act bodies.
Continuous auditing
The widespread use of major IT systems for processing payments and receipts, and a desire by
internal audit to be increasingly pro-active, is leading a number of better practice entities to consider
opportunities of moving towards a process of continuous auditing. Under such an approach major
IT systems are interrogated on a regular and frequent basis, even daily, with the aim of identifying
anomalies or transactions that are outside pre-determined parameters that justify further examination. The opportunity exists for such systems to be established by internal audit and over time, transferred to management with internal audit being responsible for reviewing management’s actions in response to any anomalies identified.
In deciding if a continuous auditing approach is appropriate for an individual entity, consideration should be given to the costs and benefits involved and the capabilities required.
Performance improvement audits
It is generally accepted that internal audit not only provides assurance on compliance with procedures
and systems of internal control, but it is also well placed to assist management to improve business
performance. The objective of such assistance could include suggestions to improve the economy,
efficiency and/or effectiveness of an entity’s programmes and operations in areas such as improving
service delivery, better contract and project management, eliminating waste, reducing costs or
increasing revenue. The scope could cover all of the operations of the entity or be targeted to a
narrower set of activities associated with internal audit’s assurance role, such as matters related to
governance, controls or risk management.
Advisory services
Internal audit can also provide valuable advice to entity management and staff to assist them in
managing the entity’s risks in respect of programmes, systems, and processes, risk management
processes and fraud control. Such advisory activities can take a variety of forms including, advice on
systems of internal control, processes, procedures and policies, attending management meetings
as an observer, training managers and staff or providing informal advice in response to ad hoc
management requests.
In providing advice to management, care should be taken to maintain the operational independence of
internal audit. Internal audit can offer suggestions and recommendations but it is up to management
to accept or not accept that advice. If management accepts the advice it is then the responsibility of
management, not internal audit, to implement the advice and be accountable for its implementation.
Internal audit’s objectivity and impartiality could potentially be put at risk if internal audit takes on management’s role. In this situation internal audit’s independence can be reinforced by reference in an internal audit charter that distinguishes internal audit’s role from that of management.
New programmes, systems and processes
Another area where internal audit can be of particular assistance to entities is in the implementation of new government programmes, systems or processes. The introduction of new programmes, systems or processes, often involving substantial expenditure and tight timeframes, can present
additional risks for entities that need to be identified from the start and well managed early in the
process. The introduction of new IT systems can also be a particularly high risk activity and the
early involvement of internal audit can generate significant benefits by bringing internal audit’s specific
control expertise to bear on the task, including lessons learnt from previous similar projects in the
entity or from elsewhere.
It is management’s responsibility to identify and assess risks and to implement and monitor risk
mitigation strategies. However, given its expertise in risk and control assessment generally, together
with its experience in reviewing activities across the organisation, internal audit is well placed to assist
the entity to develop and monitor its risk management framework. Internal audit’s role can include:
The role that internal audit can play in developing and maintaining an entity’s risk management
framework will be influenced by the maturity of the framework and the extent that risk management
is embedded in day to day operations. This is likely to change and evolve over time as the maturity
of the risk management framework changes. For example, entities that have some way to go with
the introduction of their risk management framework may give internal audit a key role in assisting
management to identify risks and develop appropriate strategies and monitoring and reporting
arrangements. On the other hand, where entities have in place a robust and mature risk management
framework that operates throughout the organisation and where practical mitigation strategies are
monitored at senior levels, internal audit’s role might be more focused on providing independent
assurance on the effectiveness of the mitigation strategies and/or an assessment of the overall effectiveness of the framework.
Whatever role internal audit plays in risk management, appropriate arrangements should be in place to maintain the operational independence of internal audit.
Fraud control
Responsibility for managing the risk of fraud, like responsibility for managing all risks, rests with
management as part of its ongoing responsibilities. However, internal audit can assist an entity to
manage fraud control by providing advice on the risk of fraud and/or by advising on the design or
adequacy of internal controls to minimise the risk of fraud occurring. It can assist in detecting fraud
by considering fraud risks as part of its audit planning and being alert to indicators that fraud may
have occurred. Fraud investigation is a matter that requires specialist knowledge and skills.
20 Because internal audit may act as probity auditor it is better practice that internal audit is not the initial probity advisor.
21 Such arrangements will also usually involve periodically reporting on a summary basis to the Audit Committee.
The role of internal audit in relation to fraud control should be considered as part of the organisation’s
overall fraud risk assessment and fraud policy22.
The relative balance of resources devoted to internal audit support activities compared with audit and
advisory activities is a matter for consideration by the Audit Committee when considering internal
audit plans and budgets.
Non-audit activities
Internal audit operational independence is maintained when internal audit has no management
responsibilities other than for the internal audit function itself. Nevertheless, in limited circumstances,
it is recognised that internal audit may be called upon to perform activities that are management
responsibilities. These could include such activities as membership of management committees (as
distinct from having observer status), formulating fraud or risk management plans, or conducting
fraud investigations. The line between being an advisor to management and taking on management
responsibility for a task can sometimes be blurred. Consequently, it is important that professional
judgement is applied and appropriate safeguards put in place to maintain operational independence,
to the extent possible.
Where internal audit is to have responsibility for non-audit activities, these should also be specified
in the internal audit charter.
22 Under the Commonwealth Fraud Control Guidelines, agency heads are required to certify in their annual reports that
their agency has prepared fraud risk assessments and fraud control plans and has in place appropriate fraud prevention,
detection, investigation, reporting and data collection procedures and processes that meet the specific needs of the agency
and comply with the Commonwealth Fraud Control Guidelines. The Attorney-General’s Department, Commonwealth Fraud
Control Guidelines, May 2002 and the ANAO Better Practice Guide, Fraud Control in Australian Government Agencies,
August 2004 provide guidance on the risk assessment and control of fraud in the APS.
23 Auditor-General Act Part 4 Division 1.
24 FMA Act s 48 and CAC Act s 20.
25 FMA Act s 49 and CAC Act Schedule 1, Part 1, Clause 2.
- as far as practicable, the coordination of audit programmes conducted by internal auditors and
those conducted by the Auditor-General, and
- the provision of advice to the Chief Executive on the preparation and review of financial
statements of the Agency.
Professional standards also encourage co-operation between internal and external audit in the
context of the audit of an entity’s financial statements and to increase audit efficiency by minimising
duplication. There are mutual benefits for entities and the external auditor in internal audit conducting
work that can be relied on by the external auditor, particularly in the areas of legal compliance and
financial system controls.

It is important, therefore, for entities to fully explore with external audit what review role internal audit
can play in the preparation of the entity’s financial statements and in coordinating its plans with those
of the external auditor. For example, internal audit can usefully review the adequacy of the quality
assurance arrangements put in place by the Chief Financial Officer.
There is also an opportunity for internal audit to act as a liaison point with the external auditor. This
can assist not only in improving the efficiency of the overall audit process but also in developing a
good working relationship between internal and external audit.
The charter should be developed by the Head of Internal Audit. Consultation with stakeholders,
particularly the Chief Executive and the Audit Committee, as part of developing the charter is an
important means of understanding stakeholder needs and expectations. Any expectation gaps can
be identified and addressed as part of the development process. The charter should be consistent
with the Audit Committee’s responsibilities for oversighting the internal audit function as outlined in
the Committee’s charter.27
The charter should be approved by the Chief Executive, or the Board in the case of a CAC Act
entity, on the advice of the Audit Committee. Because the charter is a means of communicating
the role, responsibilities and authority of internal audit it is important that, once approved, it is made
widely available throughout the entity. Many entities also make the charter publicly available via
their website.

As governance requirements change in response to changing risks and the business environment,
the role of internal audit is also likely to change. The charter should, therefore, be reviewed at
least annually to have confidence that the role of internal audit continues to meet the needs of
the organisation.
26 Internal audit is different from most other parts of the organisation in that it operates outside of its own boundaries across the
whole of the organisation. Because of internal audit’s broad mandate, it needs formal authority to access people and records
outside its own area to meet its responsibilities. Some entities also see benefit in reinforcing the role of internal audit in their
Chief Executive’s Instructions or equivalent policy documents.
27 The role of Audit Committees in respect of internal audit is outlined in the Australian National Audit Office, Public Sector
Audit Committees, Better Practice Guide, February 2005.
Independence
- details internal audit’s authority to access all records, assets, personnel and premises and its
authority to obtain such information as it considers necessary to fulfil its responsibilities
- specifies information accessed in the course of internal audits will only be used for
auditing purposes.
- details the role and responsibilities of internal audit including its role in undertaking:
  - audit activities
  - audit support activities
  - non-audit activities (if any)
- defines the scope of internal audit, that is, the programmes, activities, processes, systems and
organisations that are (and are not) subject to internal audit review

Standards
- specifies the professional and other standards that will be followed when conducting internal
audit assignments

Relationship with external audit
- defines the relationship between internal audit and external audit

Planning
- specifies the requirement for an internal audit strategic business plan and an internal audit
annual work plan
- specifies the reporting arrangements required including the provision of an annual assessment
of the entity’s system of internal controls and advice to the Audit Committee and entity
management of patterns, trends or systemic issues arising from internal audit work

Administrative arrangements

Review of charter
- provides for the periodic review of the Charter by the Audit Committee and approval of any
substantive changes by the Chief Executive, or the Board in the case of a CAC Act entity, on the
advice of the Audit Committee.
“By focussing our planning efforts on the things that matter to the business and asking the right
questions, we make sure internal audit is seen as part of the business and contributes to its success.”
Public Sector Head of Internal Audit
The period covered by the strategic business plan can vary, but would normally cover a three year
rolling period29 and be updated at least annually at the same time the internal audit annual work
plan is prepared.

3.3 Purpose of an internal audit strategic business plan

An internal audit strategic business plan helps in focusing internal audit effort where it is most
useful and effective.

An internal audit strategic business plan helps in:

28 The internal audit annual work plan is, in turn, supported by specific plans for individual audit assignments. Better practice
on planning individual audit assignments is described in Chapter 6 of the Guide.
29 Where an entity has a formal strategic planning cycle it is better practice to align the internal audit strategic plan with that cycle.
Consultation with the Chief Executive, members of the Audit Committee, and senior managers is
important in assisting internal audit in understanding existing and emerging business strategies
and risks.
The entity’s risk profile and how it may change over time will also be an important determinant of the
size and nature of the internal audit programme and the types of audits that are undertaken. Provided
the entity’s risk identification process and risk management framework is mature, the entity’s risk
management plans will be a key source of information in developing the strategic business plan.
In situations where the entity does not have a mature risk management framework, it would be
expected that internal audit would develop its own entity risk profile that should be subject to
confirmation with the Audit Committee and the senior management of the entity.
30 The FMA Orders for FMA agencies provide for the Audit Committee to approve the strategic audit plan of the agency.
Consideration also needs to be given to the responsibilities and proposed coverage of other
internal or external review activities or functions. Internal review functions, as noted earlier, include
management monitoring and committees, evaluations, business improvement reviews, risk
management processes, quality assurance arrangements and management control self-assessment
arrangements. In addition, there are a number of external assurance and review bodies including
Parliamentary Committees, external audit, regulators, and the Ombudsman.
[Diagram: external assurance and review bodies: Parliamentary Committees, External Audit, Ombudsman, Regulators]

31 For example, the Management Advisory Committee established under the Public Service Act 1999.
To assist in determining the appropriate internal audit coverage entities increasingly see a benefit of
conducting an assurance mapping exercise. This consists of an analysis of the risks facing the entity
and the extent to which each of the various assurance and business review elements address these
risks. Such an exercise can be a very useful way of obtaining a broad entity-wide perspective of the
‘assurance landscape’ and assist in identifying any gaps or duplication.32
Stakeholder expectations

In consultation with key stakeholders, it is also important for internal audit to obtain the views
of stakeholders about their expectations of internal audit. In this regard, it can be expected that
stakeholders could have differing views about their expectations of internal audit and its focus and
priorities. In these circumstances it is important for internal audit to ‘work through’ the different
perspectives and have follow-up discussions, as required, to ensure that the draft strategic business
plan fully takes into account the views of all stakeholders. In its consideration of the draft plan, the
Audit Committee should be made aware, at least in broad terms, of the views of key stakeholders
particularly if they are not reflected in the final draft of the plan.
Budget considerations
As a matter of principle, the internal audit strategic business plan should first address all the activities
that internal audit, the Audit Committee and other stakeholders consider should be included, before
reflecting on the possible budget available.
The size of the investment the entity wishes to make in internal audit would normally be determined
by the Chief Executive/Board on the advice of the Audit Committee33. Factors that influence the level
of this investment are outlined in Chapter 5, Resourcing the internal audit function.
32 An example of an assurance map is shown as part of the Example of an internal audit strategic business plan and audit
work plan in Part 3 of the Guide.
33 See Australian National Audit Office, Public Sector Audit Committees, Better Practice Guide, February 2005, p.13.
- details of the financial and human resource budgets for internal audit activities over the life
of the plan
- the management strategies and approaches to help ensure that internal audit has access to the
necessary level of skilled and experienced staff, and that its methodologies and work practices
reflect contemporary better practice
- identification of the risks and actions proposed to manage the risks of not achieving internal
audit’s objectives
- details of the performance measures to be used to measure the performance of internal
audit, and
- arrangements for the review and update of the plan.

34 These themes should be aligned with the entity’s main business risks.
To assist in prioritising audit topics it is helpful to develop a set of criteria that can be used to assess
and rank potential topics35. Criteria can vary but would normally include:
- the strategic and operational risks identified in the entity’s risk management plan or business unit
plans or, in the absence of a mature risk management framework, as identified by internal audit
- materiality and risks arising from the external environment
- the potential or expected benefits of an audit

35 It can be helpful to maintain a list of potential audit topics as part of an ‘audit universe’ or a listing of auditable areas
or topics.
Some entities see benefit in allocating numerical “scores” to each of the criteria and aggregating the
scores to arrive at an overall audit ranking. Although audit “scores” can help to rank audit topics it should
be recognised that such a process still involves judgement in the allocation of individual scores.
Comprehensive annual work plan

A comprehensive internal audit annual work plan will generally include all or a majority of the following
activities:
- advice on new systems and processes – these are referred to as ‘systems under development’ audits36
- audits of major IT systems focussing, in particular, on security and access matters, and audits
of major projects
- a number of annual audits to review key areas of financial, human resource or governance
matters across different business units and geographical locations or a series of audits that are
conducted each year, for example, to provide assurance over the quality of the preparation of
the financial statements
- audits that review particular topics across the whole entity, such as procurement practices,
recordkeeping and ethical conduct and compliance with APS and entity values, that are aimed
at addressing potential systemic risks
- audits of areas where the risk is judged to be high but the controls are considered to be effective
in managing the risk. These audits can provide assurance that the controls are in fact operating
as intended
- follow-up audits of areas audited previously where shortcomings have been identified
- an allowance to undertake ad hoc or special request audits, particularly from the Chief Executive
and the Audit Committee, and
- a number of reserve audit topics that could be substituted if planned audits do not proceed.
36 It is important that internal audit advice is communicated to management in a timely manner to enable the advice to be
considered before the system is implemented.
- the risk tolerance37 and the risk profile38 of the entity: an entity with a low risk tolerance and a
substantial number of risks and, by extension, controls designed to assist in managing the risks,
could be expected to have a larger internal audit programme than an entity with a higher risk
tolerance and a smaller risk profile
- the size and complexity of the entity’s business: the larger the number of separate business
activities and programmes, the more audits that could be expected to be required
- the stability of the entity: internal audit might be required to do more in times of significant change.
As with the internal audit strategic business plan, the size of the internal audit annual work plan will
also be influenced by the level of investment in internal audit an entity wishes to make.
Where some or all services are provided by an external party, sufficient time should also be provided
to enable the contract, or contracts, to be properly managed.

3.8 Contents of an internal audit annual work plan

The plan should be sufficiently detailed to enable the Audit Committee and, as necessary, the Chief
Executive, to be satisfied that the proposed coverage is adequate. It would be expected that, as a
minimum, the plan should outline for each proposed audit the:
Some entities also see benefit in including a list of topics that rank just below those selected for
inclusion in the plan. This assists the Audit Committee to assess the proposed plan in the context of
risks that will not be addressed.
The presentation of the annual work plan to the Audit Committee will generally be enhanced through
the use of summaries, graphs and charts which can be used, for example, to indicate the mix of
audit types to be undertaken, the spread of audit activity across the entity by work group or by
geographical location.

3.9 Costing of individual audits

It is generally accepted that for resource management and accountability purposes, internal audit
units should have a formal time recording system to record the time auditors spend on audit and
related tasks. Each entity also needs to decide if there are benefits in implementing and maintaining
a cost recording system that captures the cost of each individual audit. In making such a decision,
care should be exercised in specifying the degree of precision required from such a system and in
ensuring that the benefits are balanced against the degree of administrative effort and financial cost
involved in establishing and maintaining the system.
While it is important that details of these relationships are formalised in documents such as the
internal audit charter, the Audit Committee charter and management protocols, good relationships
also need to exist at a practical working level to be effective.
In situations where the Head of Internal Audit is accountable to someone other than the Chief
Executive, it is important that the Head of Internal Audit has direct access, on an as required basis,
to the Chief Executive.
- internal audit assisting the Audit Committee to comply with its obligations under the FMA
or CAC Acts
- internal audit being functionally responsible to the committee, for the conduct of the internal
audit programme; this places the committee in the role of being internal audit’s primary client and
requires internal audit to have a close professional relationship with the committee as a whole
and each of its members
- internal audit through its reports and its general interaction with the committee, being a key
source of information on the effectiveness of controls and the performance of the entity
- internal audit providing secretariat support to the committee in many entities
- the Audit Committee being responsible for either reviewing and approving internal audit plans, or
recommending their approval by the Chief Executive/Board, and
- the Audit Committee being involved in assessing the performance of internal audit and in any
change of the Head of Internal Audit and/or any external service provider(s).
Given this relationship, it is important that both formal and informal lines of communication be
established between internal audit and the audit committee and with individual committee members,
particularly the Chair. Audit Committee members should be in a position to be able to openly discuss
matters of interest with the Head of Internal Audit. In doing this, committee members must be
confident that such discussions will be treated in confidence by internal audit.
It is generally accepted that the Head of Internal Audit, and any external service providers, will attend
Audit Committee meetings unless there are exceptional circumstances why they should be excluded
for a whole meeting or a particular agenda item, or items. It is also good practice for the Audit
Committee to meet privately with the Head of Internal Audit and any external service providers, from
time to time. This provides the Committee the opportunity to ask questions and to seek feedback
from internal audit without management being present. This practice also supports the independent
role of internal audit.
To meet the Audit Committee’s monitoring responsibilities, internal audit should report to the
Committee on a regular basis on the status of the internal audit annual work plan. This report
should provide details of audit activity against planned audits, together with explanations of any
significant variations.

Internal audit should also report regularly on the status of management’s actions to implement
agreed internal and external audit report recommendations and agreed Parliamentary Committee
and other review body recommendations, providing details of who is responsible for implementing
the recommendations and an assessment of progress achieved.
As discussed earlier, better practice internal audit functions increasingly are providing Audit
Committees and Chief Executives with periodic reports on the patterns, trends and systemic issues
identified as a result of internal audit activities undertaken.
Better practice Audit Committees will formally review the performance of internal audit on at least an
annual basis. To assist the Committee in doing this, internal audit should provide an annual report in
an agreed format to the Committee on its achievements and on the use of its resources.
Better practice internal audit functions will interact on a regular basis with members of the senior
management team, and through the delivery of practical, business focussed and useful reports and
advice, will build a relationship that is based on cooperation, collaboration and mutual respect.

Meetings with entity managers should be used as an opportunity to be briefed on key business
developments and the impact they have on the risks facing the entity. These meetings should also be
used to obtain informal feedback about the performance of internal audit and to assist in identifying
ways that internal audit can best assist entity management. In this context, better practice internal
audit units will encourage managers to seek their advice and assistance on either an informal or
formal basis as the need arises. One measure of the effectiveness of internal audit is the extent to
which managers seek out internal audit to assist them in managing their business.
In interacting with management, internal audit will be privy to information which can impact on
professional and, at times, personal reputations. It is important that internal audit respect the
confidentiality of such information and its communication to others be on a strictly need-to-know
basis. In situations where managers consider that such information is being used inappropriately, the
reputation and credibility of internal audit is likely to be adversely impacted.
Internal audit often will be responsible for liaising with external audit on behalf of the entity and be
tasked with coordinating external audit activity in an entity. This role can be a useful way for internal
audit to be aware of planned and actual external audit coverage, while at the same time being
cognisant of external auditors’ need for access to individuals and records to enable them to meet
their own audit responsibilities.
Such arrangements can be particularly important in situations where internal audit needs to
work closely with programme or internal audit units of other entities as a result of inter-agency or
other agreements.
The factors that will influence the quantum and mix of the internal audit budget include the:
- number and types of audits included in the annual work plan: an annual work plan with more
business improvement audits is likely to cost more than one that has a more compliance focus
- complexity of the annual work plan: the weight given to audits requiring specialist skills such as
expertise in information technology, could add to the cost of the annual work plan
- geographic spread of audit work: the more travel that is required the greater the required budget
is likely to be
- extent of audit support activities: the inclusion of a large number of audit support activities is
likely to require increased resources
- other non-audit services required of the internal audit function: it could be expected that the
broader the role expected of internal audit the greater the internal audit budget
- cost of the service delivery model chosen to provide internal audit services: the difference in cost
between the service delivery model chosen by the entity and the cost of alternatives will affect
the budget needed, and
- cost of implementing the management strategies outlined in the internal audit strategic
business plan: the internal audit budget will need to take into account the cost of agreed
management strategies.

The ANAO is aware that studies are undertaken from time to time that benchmark expenditure on
internal audit against a number of variables. Generally, they relate to private sector organisations but
they may be of assistance in reviewing internal audit budgets in the public sector. Opportunities also
exist for internal audit to benchmark their budgets against similar public sector auditees as part of a
planned management strategy.
It is important that, in presenting the internal audit strategic business plan and internal audit annual
work plan to the Audit Committee, the Head of Internal Audit draws the committee’s attention to the
impact that any budget shortfall might have on the ability of internal audit to meet the expectations
of stakeholders and the exposure this might represent to the entity.
The Audit Committee will then be in a position to make an informed judgement on the adequacy or
otherwise of the budget. If the Audit Committee considers the internal audit budget to be insufficient,
compared to the risks facing the entity, it should draw this to the attention of the Chief Executive/Board.
“If co-sourcing or outsourcing internal audit service delivery, you need to be an informed purchaser.”
Chair Public Sector Audit Committee
As noted earlier in the Guide, within the Australian Government sector, internal audit is performed
in a range of entities that vary considerably in purpose, size, structure, and complexity. As a result,
there is a range of models used to deliver internal audit services. These are illustrated in the following
diagram.
Each model has its benefits and its risks. The most appropriate model will depend on the entity’s
particular needs that could well change over time as circumstances change. It is important, therefore,
to periodically consider which service delivery model will best suit the entity’s needs as part of the
Audit Committee’s consideration of the internal audit strategic business plan.
Cost
The cost of in-house provision compared with the alternatives is a key consideration. It is important
when comparing costs to take into account the full costs of the different options including the
salaries of in-house staff plus overheads such as training, leave, superannuation, staff management,
accommodation and facilities. In the case of co-sourcing or outsourcing, the costs of contract
management as well as of the contract itself should also be taken into account.
Flexibility
Many internal audits require access to special technical audit skills that are either not available
or not cost-effective to maintain in-house. The ability to respond quickly to new requests for audits
without disrupting the planned programme or the need to resource workload peaks can also be
important. Co-sourced or outsourced arrangements may be able to provide the required flexibility in
such circumstances.

Viability

For some small entities there may not be the critical mass to make an in-house internal audit function
the full range of skills necessary to undertake a comprehensive internal audit plan. In this situation,
there is a risk the audit plan will be determined more by the skills of the staff available rather than
the needs of the entity. Limited career progression and development opportunities can also act as a
disincentive for the recruitment and retention of staff.
If a panel arrangement is adopted, consideration needs to be given to striking a balance between the
number of providers required to provide sufficient flexibility and access to skilled staff and the need
to avoid spreading work too thinly. Where an external provider is contracted to only perform a small
parcel of work there is limited opportunity for the provider to develop the required understanding
of the entity and its business needs. The arrangement also has to be commercially viable from the
provider’s perspective.

5.6 Management of a co-sourced or outsourced function

The key to success in managing external providers, like the management of any outsourced
service, involves:
- choosing the right provider with the right experience, on the basis of a value for
money assessment
- the services to be provided, including specific deliverables such as progress reports; the
provision of draft and final audit reports; other services such as the development of internal audit
strategies and plans; advice and assistance to management, including disseminating examples
of better practice and lessons learnt throughout the entity; the provision of secretariat and other
services to the Audit Committee and attendance at Audit Committee meetings
- the standards and procedures to be followed, including quality assurance arrangements
- expected timeframes for audits
- the authority to access relevant records, personnel and property
- ownership and custody of working papers
- confidentiality of information, and
- remuneration arrangements.

Even though the internal audit function may be completely outsourced, responsibility for the overall
efficiency and effectiveness of the internal audit function remains with the entity.
A key safeguard in helping to ensure that an external provider delivers a quality internal audit service
is to be satisfied that the provider allocates staff with appropriate skills and experience to audit
assignments and has in place effective supervision arrangements including sufficient oversight/
review by a partner or experienced senior auditor. To this end, it is generally appropriate to include
a clause in the contract nominating the personnel who will provide the audit services and to require
the entity to be consulted before other staff are used. This will also facilitate obtaining any necessary
security clearances.
Careful judgement should be exercised in the choice of the individual to play this role. The operational
independence of the person should be considered, as should their experience, skills and personal
attributes. It would be expected that the type of experience and skills needed for such a role would
be similar to those found in a Head of Internal Audit at a senior executive level.
“The Head of Internal Audit should live and breathe the business - not live and breathe auditing.”
Chair, Public Sector Audit Committee
Role
The Head of Internal Audit39 is the most senior position within the entity responsible for internal audit
and is vital to the success of the function40. The person should play both a strategic leadership role
and ensure that the internal audit programme is delivered efficiently and effectively.
Responsibilities
The Head of Internal Audit is normally responsible for:
• the efficient and effective operation of the internal audit function
• establishing appropriate policies and procedures, and implementing audit plans and
management strategies to achieve internal audit’s objectives
• developing strong relationships with key stakeholders including the Chief Executive, the Board,
the Audit Committee, senior managers and the external auditor
• providing effective and timely advice to senior management
• developing the internal audit strategic business plan and annual work plan that outline the
objectives, priorities and proposed internal audit coverage
• liaising with other internal and external assurance providers and business improvement advisors
in the development of internal audit plans
• formulating staffing and budget requirements to help ensure that internal audit resources are
effectively deployed
• ensuring the timely completion of internal audit assignments and the prompt presentation of high
quality reports to the Audit Committee
• monitoring the implementation of internal audit plans and management strategies
• maintaining an appropriate process for monitoring and reporting the status of previously
agreed internal or external audit recommendations or agreed recommendations
from Parliamentary Committees or other review bodies
• the overall performance of the internal audit function
• recruiting and managing staff with appropriate experience and skills
• providing opportunities for training and development to increase internal audit staff knowledge of
the entity and its risks and maintain their internal auditing skills, and
• oversighting external providers where entities have co-sourced or outsourced
internal audit arrangements.
39 The position of Head of Internal Audit is given a variety of titles such as chief internal auditor, chief audit executive or head of
assurance and risk management.
40 In situations where the internal audit function is outsourced, this person could be a partner, director or senior employee of
the service provider.
Status
The Head of Internal Audit needs to be sufficiently senior to be able to discuss and negotiate internal
audit results with senior management colleagues on a reasonably equal footing.
The position is one that can have a significant impact on the entity’s risk management, financial
and operational controls and its performance. The position should therefore be classified and
remunerated accordingly.
Appointment
Given the importance of the position, the ANAO Better Practice Guide on Public Sector
Audit Committees41 suggests that the Audit Committee advise the Chief Executive/Board on
the appointment of the Head of Internal Audit. This implies the active involvement of the Audit
Committee, or at least the Chair, in appointing the Head of Internal Audit or an external service
provider. This involvement will help to ensure there is a good working relationship with the Committee
and a clear understanding of the expectations of the Committee. Including a management
member of the Audit Committee on the selection panel is also an option that involves the Committee
in the selection process42.
The need to establish and maintain an internal audit unit that is staffed with people who have
the necessary skills and experience is an ongoing issue for most, if not all, entities.
41 Australian National Audit Office, Public Sector Audit Committees, Better Practice Guide, February 2005.
42 Similarly the Audit Committee should be actively involved in the appointment of an external service provider and any
changes in the position of the Head of Internal Audit or an external service provider.
• internal secondments to internal audit for a fixed period of time. This benefits the organisation
and the individuals involved by developing officers who have a good understanding of the
entity’s governance and accountability arrangements and a good overview of the different parts
of the entity. Some entities see merit in rotating potential senior managers through internal
audit for set periods as part of their career development43. Internal secondments also benefit
internal audit by having auditors with operational experience in the organisation who can
provide a reality check on audit findings and conclusions. However, to ensure such staff remain
objective and to avoid any perception there may be a conflict of interest, effective training and
supervision are important.
• using subject matter experts from within the organisation for particular audits. This can provide
additional resources for internal audit for a specified period and can also avoid the learning
curve often involved with complex audits. Such experts can also add credibility to the audit
findings and conclusions. Like other internal secondments, adequate training and supervision are
necessary to help ensure objectivity.
• secondments of staff from other APS agencies. This arrangement provides an opportunity for
internal audit to gain specialist expertise and/or extra resources from outside the entity and for
the individual to gain experience in a different organisation and/or work area.
Many entities also have graduate recruitment programmes. Rotating graduates through internal audit
as part of their development offers them an opportunity to quickly gain a practical understanding of
the entity, its governance arrangements and of the importance of systems of internal controls.
43 The effectiveness of such strategies is enhanced when supported by senior management, particularly the Chief Executive.
The internal audit manual should distinguish between mandatory requirements and supporting
guidance. Using diagrams, flowcharts and checklists can help to generate a better understanding of
the processes involved, while including references to templates and any planning and auditing tools
assists in promoting the support available to audit teams. Maintaining an electronic version of the
manual enables it to be updated easily, and including links to the location of stored electronic copies
of key documents allows audit staff to readily access such documents.
Audit planning
A detailed plan should be prepared for each audit assignment specifying the:
To provide a timely report to management and the Audit Committee, a key aim in planning an audit
should be to complete the audit in the minimum time necessary. It is therefore important that in planning
and scoping audits, audit effort and resources are directed to the key issues that matter most.
Before commencing an audit, it is good practice to review with line management if the issues identified
during the annual planning phase remain relevant. This can avoid conducting work that could prove
to be unnecessary and free up audit resources for other reviews where internal audit can add greater
value; alternatively, a change in scope may be required. In either case, approval should be sought
from the Audit Committee to maintain the integrity of the process.
Where internal audits involve areas of interest to other business partners such as purchasing
departments or to external service delivery providers, it is important to get their perspective on the
issues to be addressed.
It is also important that the plan is sufficiently flexible that it can be adjusted if circumstances require it.
Audit approach
There are a number of different audit approaches and techniques that can be adopted in an
audit. These include interviews, document reviews, sampling, testing of controls and analysis of
transactions, processes and management information.44 Generally, an audit will involve a combination
of such approaches. The audit approach selected should be the most time and cost-effective given
the objectives and scope of the audit. It should aim to collect sufficient appropriate evidence that
enables the auditor to come to well-founded conclusions about the programme or activity under
review and to make appropriate recommendations.
Decisions will have to be made at each stage of the audit about the need for specific testing, data
collection and analysis by internal audit and the extent that reliance can be placed on work of other
internal or external reviewers.
44 There are a number of model control frameworks that can assist internal audit in developing an appropriate audit approach.
These include:
• various publications of the Committee of Sponsoring Organisations of the Treadway Commission (COSO)
• the Canadian Institute of Chartered Accountants – Guidance on Assessing Control – The CoCo Principles, and
• ISACA, Control Objectives for Information and Related Technology (Cobit).
Communication starts at the initial planning phase and continues right through to the implementation
of audit recommendations.
Effective communication with stakeholders throughout the audit process is essential for a
successful audit outcome.
Internal audit units commonly produce an internal audit protocol to aid in the communication process
that sets out agreed arrangements for the conduct of audits. The protocol usually sets out the
sequence of events in an audit and the opportunities for consultation during the process. It is good
practice, as part of the protocol, to identify a “sponsor” for each audit. This will normally be the
senior manager with overall responsibility for the business area being reviewed. This person will be
the primary senior point of contact for the audit and be responsible for responding to the audit report
and for oversighting or implementing agreed recommendations.
In addition to the formal stages of contact outlined in the internal audit protocol, it is also important
that the auditors communicate regularly with the area under review both in terms of ‘testing’ emerging
findings, conclusions and recommendations as well as keeping them informed about the progress
of the audit.
Effective supervision
To assist in maintaining high quality standards, including impartiality and objectivity, it is important
that audit teams are properly supervised. Supervision needs will vary according to the skill and
experience of the team but will generally involve:
• providing suitable directions or guidance at the start of an audit
• regularly monitoring audit progress
• ensuring compliance with standards and the internal audit manual
• ensuring that audit findings, conclusions and recommendations are adequately supported by the
evidence, and
• ensuring that reports are accurate, objective, clear and concise.
Audit quality is further strengthened where the management of the audit and the emerging findings
are reviewed periodically by someone at a distance from the detail of the audit. This could be the Head
of Internal Audit, a senior audit manager, or the engagement partner if the audit is outsourced.
• any issues requiring immediate action by management can be brought to their attention and, if
necessary, to the attention of the Chief Executive and the Audit Committee
Accordingly, systems and processes need to be in place to monitor emerging issues and the progress
of audits against the audit assignment plan and to alert stakeholders when action is required. In
particular, a time recording system which identifies costs and elapsed time against various audit
milestones, audit support activities and any non-audit tasks is an important means of planning
audits, allocating resources and recording data for accountability and benchmarking purposes.
A formal mid-point review, and other progress discussions as necessary, involving the Head of
Internal Audit, the audit team and the sponsor is seen as a useful means of keeping all parties
informed of audit progress and any emerging issues.
Pro-forma internal audit annual work plan progress report
Part 3 includes a pro-forma of a report detailing progress in implementing the annual
audit work plan.
Due care
Good audit processes are a necessary, but not sufficient, part of delivering an effective internal audit
function. Such processes need to be supported by internal audit staff exercising due care in their
work. Due care, in the case of internal audit, means auditors working diligently and applying impartial
judgement based on integrity, skill and experience.
“A good audit report communicates the author’s conclusions effectively and makes recommendations
persuasively so that management understands the issues, accepts the conclusions and acts appropriately.”
HM Treasury Government Internal Audit Standards Good Practice Guidance: Reporting
The audit report is the major means of communicating the findings, conclusions and recommendations
of an audit and much of the work of internal audit is judged on the quality of the final audit report,
including its analysis, findings, conclusions and recommendations. The recommendations, in
particular, provide the basis for:
• improving internal controls and/or improving business performance, and
• identifying better practice and/or lessons learnt.
To provide confidence that the audit findings and conclusions are accurate and valid and to maximise
the value derived from the review, the Head of Internal Audit should develop policies and procedures
for the reporting phase of the audit. These would normally cover the:
Such policies and procedures should be included in the internal audit manual and/or in the service
contract where the internal audit function is co-sourced or outsourced.
Reporting standards
To help ensure audit reports are timely and of the required quality, appropriate standards should be
developed. Such standards could include:
• a requirement for an overall audit conclusion and rating related to the audit objective(s)
• the style and format of reports, including the use of any report template
• expected timeframes for preparing draft reports and finalising reports
• the length of reports
• a requirement to include comments from the sponsor
• a requirement to include an action plan, including the individual responsible and the timeframe,
to implement agreed recommendations, and
• a requirement for certification that the audit has been conducted in accordance with specified
professional and other standards.
The allocation of an overall report rating that reflects the risk to the entity from any current risk
exposure assists the Audit Committee and senior management to quickly grasp the overall impact
of the report’s findings on the entity. There are various options for categorising overall ratings but
essentially they all reflect a range of risk exposures. Some describe overall performance in alpha
or numeric grades or in terms ranging from extreme, high, medium and low. Others use colours
either in the form of a ‘heat map’ for example, red, orange, yellow and green or ‘traffic lights’,
red, orange or green.
Where multiple audit providers are used it is important that a common rating system is used.
This does not mean that all audit conclusions and/or recommendations need to be agreed, although
it would be expected that, in the majority of instances, agreement should be able to be reached
with the sponsor. In situations where agreement is not reached, the audit report should outline the
reason for this, including, if necessary, an additional comment from internal audit to assist the Audit
Committee and the Chief Executive to form a judgement on the issue(s).
• a reconciliation to the audit plan and comments on any variance (for example, budget vs
actual cost; planned duration vs actual duration; planned audit objectives and scope vs
actual audit objectives and scope)
• comments on the value added to the business by the audit
• lessons learnt, and
• ideas on future internal audit work arising from the audit.
In the draft report phase, information should, as far as possible, be kept confidential between internal
audit and the sponsor46. However, once finalised the report should be distributed to those with a
legitimate interest in the report such as the Chief Executive, the Audit Committee, the sponsor’s
supervisor and the external auditor.
Where appropriate, the report should be classified in line with government and entity security policies47.
Internal audit reports can be requested under Freedom of Information (FOI) legislation. Such requests
should be dealt with in accordance with the entity’s normal procedures for handling FOI requests.
45 The FMA Orders for FMA agencies require the Audit Committee to review all audit reports involving matters of concern to
senior management of the agency, including the identification and dissemination of good practices.
46 A clear exception would be if there were indications of a serious control matter that required immediate notification to the
Chief Executive and/or the Audit Committee.
47 Guidance on the classification of documents can be found in the Protective Security Manual (2005) issued by the
Attorney-General’s Department.
48 These can also be described in terms of a ‘heat map’ or ‘traffic lights’, in categories such as high, medium or low risk or in
numeric terms such as category one, two or three.
A self-assessment by line management and/or a follow-up audit by internal audit is likely to be the
most efficient and effective approach to monitor progress. The scope and timing of any follow-
up audit should be determined by the risks posed to the entity if the recommendations are not
implemented in an effective and timely manner.
Intranet-based technology offers the opportunity for internal audit to record recommendations and
implementation plans and monitor management’s progress in implementing the plans.
If internal audit is not satisfied with progress there should be a process to escalate its concerns to
senior management so management fully understands the risks involved. This would normally be
through the Audit Committee50.
Pro-forma Implementation of recommendations progress report
Part 3 of the Guide includes a pro-forma of a report to the Audit Committee detailing progress
in implementing agreed recommendations of internal and external audit reports, Parliamentary
Committees and other review bodies.
49 In addition to monitoring the implementation of internal audit recommendations, internal audit is often tasked with monitoring
the implementation of agreed recommendations of the external auditor, Parliamentary Committees and other review bodies.
50 One of the responsibilities for an Audit Committee identified in the ANAO’s Better Practice Guide on Public Sector Audit
Committees is monitoring management’s implementation of internal audit recommendations.
Given the Audit Committee is often responsible for periodically reviewing the performance of internal
audit, the Committee would normally approve the performance indicators used.
It is also important that performance is measured over time in order to identify trends, and that
performance is measured against both qualitative and quantitative targets. Such targets should be
challenging but realistic.
The most suitable KPIs will vary from entity to entity depending on their internal audit strategic
business plan. It would be expected that KPIs would be limited in number but as a minimum would
measure the timeliness, cost and quality of both audit work and any other services provided by
internal audit. Better practice KPIs include measurement of the:
• timeliness and cost of audits
• quality of audits, advisory services and audit support activities, including stakeholder satisfaction
• internal audit staff satisfaction, and
• overall contribution made by the internal audit function.
It is relatively straightforward to measure the cost and timeliness of internal audit reports. It is more
difficult to measure, in an objective way, the quality of internal audit services or the contribution
internal audit makes to the entity. Consequently, measurement of the effectiveness or the value
added by individual reports and the internal audit function itself is generally best measured by seeking
the views of key stakeholders51.
51 In any event, internal audit should keep track of where it has significantly influenced change in the entity.
Client satisfaction surveys at the end of an audit are a useful and well accepted way of measuring the
level of satisfaction with internal audit services. Short surveys that can be completed electronically
are an efficient means of collecting data. Any significant issues identified from such surveys should
be followed up in an interview, where possible.
Key issues to address in such audit surveys include the:
• auditors’ understanding of the area under review
• quality of the analysis undertaken
• usefulness of the recommendations
• efficiency of the process
• level of collaboration with management, and
• overall value of the report to management.
As a key stakeholder, the Audit Committee should also be involved in providing regular feedback on
the quality and cost-effectiveness of the audit reports and other services provided by internal audit.
It would also be expected that the views of the Chief Executive and the external auditor52 would be
sought periodically, but at least once annually.
52 It is acknowledged that the external auditor may not have a complete picture of all of the activities of the internal audit
function; nevertheless, as part of its planning processes the external auditor considers the effectiveness of the internal audit
function and the reliance that can be placed on its work.
53 The Department of Prime Minister and Cabinet Requirements for Annual Reports for Departments, Executive agencies
and FMA Act bodies, June 2006 suggests entities include a statement of their internal audit arrangements, including the
approach adopted to identifying areas of significant operational or financial risk, and arrangements in place to manage
those risks.
Although primary responsibility for the quality of internal audit work rests with individual auditors
supported by a system of appropriate supervision, there is also benefit in the Head of Internal Audit
developing a separate quality assurance programme consisting of periodic internal and external
reviews. The focus of these reviews should be on the quality of the internal audit work and the
efficiency of internal audit processes.
Internal quality assurance review
The internal review should be conducted every two to three years by an experienced member of
the internal audit team, by an auditor from another internal audit unit or a consultant. Whatever the
arrangement, it is important that the review is undertaken in an objective and unbiased manner.
The reviews should be commissioned by the Head of Internal Audit who would present the results
to the Audit Committee. The timing and cost of such reviews should be included in the strategic
business plan and internal audit budget.
The review should be commissioned by the Head of Internal Audit and/or the Chair of the Audit
Committee and conducted by a consultant or by peers from another internal audit unit. The results
of the review should be reported to the Audit Committee. The timing and cost of such reviews should
also be factored into the internal audit strategic business plan and the internal audit budget.
Part 2
Model Internal Audit Charter
Heads of Internal Audit, and external audit service providers where relevant, are encouraged to
review, in consultation with the Chief Executive/Board and the Audit Committee, their existing
charters against this model. In doing so it is important that each entity carefully consider
its particular circumstances, especially the range of responsibilities outlined in Chapter 2
of this guide.
Introduction
The [Chief Executive/Board] has established the [name of internal audit unit] as a key component
of [entity’s] governance framework.
This charter provides the framework for the conduct of the internal audit function in the [entity]
and has been approved by the [Chief Executive/Board] on the advice of the Audit Committee.
• provide assurance to the [Chief Executive/Board] that [the entity’s] financial and operational
controls designed to manage the organisation’s risks and achieve the entity’s objectives are
operating in an efficient, effective and ethical manner, and
• assist management in improving the entity’s business performance.
Independence
Independence is essential to the effectiveness of the internal audit function.
Internal audit has no direct authority or responsibility for the activities it reviews. The internal
audit function has no responsibility for developing or implementing procedures or systems and
does not prepare records or engage in original line processing functions or activities [except as
noted below1].
Internal Audit reports functionally to the Audit Committee. The Head of Internal Audit is accountable to
the [Chief Executive2 or Board3] for the efficient and effective operation of the internal audit function.
The Head of Internal Audit has direct access to the [Chief Executive/Chair of the Board], and the Chair
and other members of the Audit Committee. Periodic ‘in camera’ meetings will be held between the
Head of Internal Audit and the Audit Committee.
All records, documentation and information accessed in the course of undertaking internal audit
activities are to be used solely for the conduct of these activities. The Head of Internal Audit and
individual internal audit staff are responsible and accountable for maintaining the confidentiality of the
information they receive during the course of their work.
1 Delete if not applicable.
2 For FMA Act entities.
3 For CAC Act entities.
Inter-agency arrangements with other entities also provide for consultation and disclosure of audit
matters affecting other entity programmes and other circumstances.
In the conduct of its activities, internal audit will play an active role in:
• compliance with legislative requirements, Australian Government and [entity] policies and
procedures including assurance in respect of the Certificate of Compliance
• the adequacy and effectiveness of internal financial and operational controls including IT
system controls
• the recording, control and use of entity assets, and
Performance improvement
• the efficiency, effectiveness, and ethical conduct of the entity’s business systems and processes.
Advisory services
Internal audit can advise [entity] management on a range of matters including:
• providing advice on the development of new programmes and processes and/or significant
changes to existing programmes and processes including the design of appropriate controls.
Amend as applicable.
Internal audit’s responsibilities will be influenced by the governance arrangements established by the entity and the existence
of other separate functions with specific responsibility for some of these matters. For example, many entities have separate
organisational units responsible for risk management and/or fraud control. As a consequence, the roles and responsibilities
listed are illustrative only.
In providing advisory services, internal audit needs to maintain operational independence. It is the responsibility of entity
management to accept or reject advice provided by internal audit, to implement the advice where considered appropriate
and be accountable for decisions taken.
• assisting management to identify risks and develop risk mitigation and monitoring strategies
as part of the risk management framework
• co-ordinating the annual [entity] Risk Management Plan
• monitoring and reporting on the implementation of risk mitigation strategies
Fraud control
• assisting management to identify the risks of fraud and develop fraud prevention and
monitoring strategies
• co-ordinating the [entity] Fraud Control Plan
Non-audit activities
Internal audit has management responsibility for the following areas:
Standards
Internal audit activities will be conducted in accordance with the Australian Public Service and
supporting [entity] values, policies and procedures.
Arising from internal and external audit reports, Parliamentary Committee reports and other external bodies such as the
Management Advisory Committee, the Australian Public Service Commission and the Ombudsman.
• Standards for the Professional Practice of Internal Auditing issued by the Institute of
Internal Auditors
• Standards relevant to internal audit issued by the Australian Society of Certified Practising
Accountants and the Institute of Chartered Accountants in Australia
• The Statement on Information Systems Auditing Standards issued by the Information Systems
and Control Association, and
• Standards issued by Standards Australia and the International Standards Organisation.
Periodic meetings and contact between internal and external audit shall be held to discuss matters
of mutual interest.
External audit will have full and free access to all internal audit plans, working papers and reports.
Planning
The Head of Internal Audit will prepare, for the Audit Committee’s consideration, an internal
audit strategic business plan and an internal audit annual audit work plan in a form agreed with
the Committee.
Reporting
The Head of Internal Audit will report to each meeting of the Audit Committee on:
audits completed
progress in implementing the strategic business plan and audit work plan, and
the status of the implementation of agreed internal and external audit, Parliamentary Committee
and other relevant external body recommendations.
Internal audit will also report to the Audit Committee at least once annually on the overall state
of internal controls in the [entity] and any systemic issues requiring management attention based on
the work of internal audit [and other assurance providers10].
9 Specify applicable Standards.
10 Amend as appropriate.
The Head of Internal Audit will arrange for a periodic, independent review of the efficiency and
effectiveness of the operations of the internal audit function at least every five years.
Review of the charter
This charter will be reviewed at least annually by the Audit Committee. Any substantive changes will be
formally approved by the [Chief Executive or Board12] on the recommendation of the Audit Committee.
11 Amend as applicable.
12 Amend as applicable.
Part 3
Toolkit
Contents
Example internal audit strategic business plan and annual work plan 58
Example internal audit strategic business plan and annual work plan
Introduction
Part A of this business plan outlines the strategic direction of [Entity’s] internal audit function over a
three year period [insert date] to [insert date].
It describes in broad terms the operations, programmes and business units that will be given priority
for audit coverage and the types of audits that will be conducted in those areas.
Part A also describes the management strategies that will be implemented over the period covered
by the plan, aimed at enabling internal audit to achieve its objectives.
Part B contains the [Entity] internal audit annual work plan for [insert date] and details the specific
audit activity that will be undertaken in [insert date].
This strategic business plan is available on the [Entity’s] intranet at [insert intranet address].
Methodology
This section will briefly outline the approach followed in developing the plan and the key
stakeholders consulted.
The aim of this section is to demonstrate that internal audit has a good understanding of the entity’s
business, what is planned for the future and how the work undertaken by internal audit assists the
entity to achieve its objectives.
The aim of this section is to identify those risks that arise out of the entity’s environment and future direction that may be addressed by internal audit and to provide a link between the proposed direction and priorities of internal audit and the risks of the entity, for example:
being unable to deliver core services and maintain key financial and operational controls in a period of rapid change
an inability to generate sufficient revenue
difficulties in recruiting and retaining sufficient numbers of skilled staff to deliver entity programmes in a time of strong labour market conditions
a lack of co-ordination of service delivery with other government entities at the Australian, state and local government levels and non-government organisations
delays and cost blow-outs in major projects, and
security and business continuity.
For ease of presentation the risks could be consolidated into strategic audit themes and audits
that address the theme grouped together.
External environment
This section will identify issues and trends relevant to the entity that arise from the external environment
that may impact on the achievement of the entity’s objectives. Such issues could come from a
number of sources including:
Details can be provided of the specific coverage provided by each of the assurance and review
providers against the relevant business risk.
what audit topics will be undertaken over the period of the plan and how they address the risks facing the entity, including risks that might otherwise remain undetected
any rebalancing of the proportion of the different types of audit, or
the proposed introduction of any new audit advisory or audit support activities.
For ease of presentation, the proposed audit coverage could be summarised as shown in the following example. For each audit proposed over a three year period it shows the:
audit theme
audit title
area responsible
type of audit
priority.
Audit theme* | Year | Audit title | Area responsible | Priority | Type of audit
--- | --- | --- | --- | --- | ---
Cyclical1 | Year 1 | Annual compliance review | Business Unit 1 | High | Compliance
Cyclical1 | Year 2 | Annual compliance review | Business Unit 2 | High | Compliance
Cyclical1 | Year 3 | Annual compliance review | Business Unit 3 | High | Compliance
Cyclical1 | Year 1 | Certificate of Compliance | Across entity | High | Compliance
Cyclical1 | Year 2 | Certificate of Compliance | Across entity | High | Compliance
Cyclical1 | Year 3 | Certificate of Compliance | Across entity | Medium | Compliance
Governance | Year 1 | Governance of programme delivery partners | Programme X | High | Compliance
Governance | Year 2 | Budgeting and reporting framework | Business Unit 1 | Medium | Advisory
Governance | Year 3 | Procurement | Programme Z | High | Performance improvement
 | Year 1 | IT security environment | Business Unit 2 | Medium | Performance improvement
 | Year 2 | Physical security | Business Unit 4 | Medium | Advisory
Programme performance | Year 1 | Programme grants to client organisations | Programme Y | High | Performance improvement
Programme performance | Year 2 | International programmes | Business Unit 3 | High | Performance improvement
1 Cyclical audits are reviews that are primarily of a compliance nature and are conducted as part of a regular annual cycle to examine key risks such as financial, human resource, legal, contractual, and project management risks.
* These themes should be aligned with the entity’s main business risks.
Example internal audit strategic business plan and annual work plan
Previous audits and planned audits
To assist the Audit Committee and other stakeholders to place the planned audit coverage in context,
this section lists the audits completed over, for example, the last two years as well as those planned
over the life of the plan. An example of how this might be presented is illustrated below.
Allocation of resources
This section details the relative allocation of internal audit resources between audit, including advisory,
audit support and any non-audit activities. Other options include showing the allocation of resources
between the different types of audit, business units and/or geographical locations. Details can be
provided in tabular or graphic form. The following examples illustrate graphic representations of the
allocation of resources.
Audit resources
This section details the financial and human resource budgets for audit activities over the life of the plan including the previous year for comparative purposes.
[Budget table; the row labels that survive on the page are Staff recruitment/training and Total.]
2 If specified in the internal audit charter.
changes in work practices and enhancement of audit methodologies to assist in ensuring that internal audit meets the needs of stakeholders and delivers value for money
review of the internal audit professional development programme
introduction of new audit technology
benchmarking exercises or external reviews, and
the introduction of secondment programmes aimed at ensuring internal audit has the necessary skilled and experienced staffing resources to deliver the internal audit annual work plan.
Risk | Potential impact | Management strategy
--- | --- | ---
The expiration of the external provider contract in 15 months time | This has the potential to result in delays in the audit programme if there is a change in audit service provider. There is also the risk of increased costs, in line with market changes over the last three years. | Immediate review of service delivery options followed by early commencement of the tendering process.
Increase in staff turnover | Turnover of in-house audit staff is a significant risk over the next 12-18 months as senior staff approach retirement age. | Allowance has been made for managing staff retention and recruitment activities and the introduction of a secondment programme.
Management requests additional audits | Internal audit unable to respond in a timely way to requests for additional audits that have not been included in the audit work programme. | Programme includes allowance for urgent and unforeseen tasks subject to approval by Chief Executive/Board or Audit Committee.
Performance measures
This section will list the performance measures that will be used to measure the performance of
internal audit and any changes in measures or targets over time.
Review of plan
This section will describe the timeframe and arrangements to be made for the review and update
of the plan. It would normally cover a three year rolling period and be reviewed at least annually.
It would be developed by the Head of Internal Audit for approval by either the Chief Executive/Board
or the Audit Committee.
Part B: Internal audit annual work plan for [year]
Columns: Audit theme* | Audit title | Area responsible | Audit orientation | Audit description | Potential benefit/rationale | Priority | Estimated duration | Estimated start date

Audit theme*: Governance
Audit title: Cyclical compliance
Area responsible: Business
Audit orientation: Compliance
Audit description: An assessment of the
Potential benefit/rationale: Provide assurance that
Priority: High
Estimated duration: [ ] days
Estimated start date: Start: [Month]

Audit theme*: Governance
Audit title: Certificate of Compliance
Area responsible: Across entity
Audit orientation: Compliance
Audit description: An assessment of the validity of a sample of management reports regarding the Certificate of Compliance
Potential benefit/rationale: Provide assurance on the confidence that can be placed on management reporting in respect of the Certificate of Compliance.
Priority: High
Estimated duration: [ ] days
Estimated start date: Start: [Month]; To AC: [Month]
Sponsor: [sponsor]
Conducted by: Contractor

* These themes should be aligned with the entity’s main business risks.
The plan could also include the cost of individual audits.
Audit title: IT security environment
Area responsible: Business Unit 2
Audit orientation: Performance improvement
Audit description: To review the IT security environment including governance, architecture, intrusion detection and network encryption
Potential benefit/rationale: Assurance that key IT controls are operating effectively and that projects to improve security have been completed.
Priority: Medium
Estimated duration: [ ] days
Estimated start date: Start: [Month]; To AC: [Month]
Sponsor: [sponsor]
Conducted by: Contractor

* These themes should be aligned with the entity’s main business risks.
The plan could also include the cost of individual audits.
Audit theme*: Programme performance
Audit title: Programme grants to
Area responsible: Programme Y
Audit orientation: Performance
Audit description: To assess if the
Potential benefit/rationale: Provides an opportunity
Priority: High
Estimated duration: [ ] days
Estimated start date: Start: [Month]

Audit theme*: Strategy/planning
Audit title: Implementation of strategic changes and organisational restructure
Area responsible: Across entity
Audit orientation: Performance improvement
Audit description: To assess the effectiveness of the implementation of recent strategic changes including organisational restructure
Potential benefit/rationale: Provides assurance and opportunities for improvement in the achievement of strategic objectives.
Priority: High
Estimated duration: [ ] days
Estimated start date: Start: [Month]; To AC: [Month]
Sponsor: [sponsor]
Conducted by: Contractor

* These themes should be aligned with the entity’s main business risks.
The plan could also include the cost of individual audits.
Audit theme*: Human resources
Audit title: Personnel security clearances
Area responsible: Across entity
Audit orientation: Compliance
Audit description: A review of the security clearance and vetting policies and practices to assess whether the entity is managing these processes in accordance with Australian Government policy as outlined in the Protective Security Manual. A sample of clearances will be selected for examination.
Potential benefit/rationale: A number of issues regarding security clearances have been raised in most recent staff survey.
Priority: Medium
Estimated duration: [ ] days
Estimated start date: Start: [Month]; To AC: [Month]
Sponsor: [sponsor]
Conducted by: In-house

* These themes should be aligned with the entity’s main business risks.
The plan could also include the cost of individual audits.
Audit title: Asset management
Area responsible: Business Unit 4
Audit orientation: Compliance
Audit description: A review of asset management to assess whether the overall management of the function is being performed in accordance with applicable legislation, government policy and internal control requirements
Potential benefit/rationale: Findings from an earlier audit of IT assets indicated there may be more systemic issues.
Priority: High
Estimated duration: [ ] days
Estimated start date: Start: [Month]; To AC: [Month]
Sponsor: [sponsor]
Conducted by: In-house

* These themes should be aligned with the entity’s main business risks.
The plan could also include the cost of individual audits.
Reserve topics
Columns: Audit theme* | Audit title | Area responsible | Audit orientation | Audit description | Potential benefit/rationale | Estimated duration

Audit theme*: Programme performance
Area responsible: Programme A
Audit orientation: Performance improvement
Audit description: Review of the selection of projects to be funded under Programme A
Potential benefit/rationale: Better targeting of assistance offers the potential to better achieve
Estimated duration: [ ] days

Audit theme*: Strategy/planning
Audit title: IT project planning
Area responsible: IT Business Unit
Audit orientation: Compliance
Audit description: Review of planning of a selection of IT projects
Potential benefit/rationale: Assurance that entity policy and procedures for planning IT projects are complied with.
Estimated duration: [ ] days

* These themes should be aligned with the entity’s main business risks.
Resource allocation
There are a number of options that can be used to illustrate the allocation of internal audit resources in the internal audit annual work plan. Some of these are illustrated below.
[Charts of resource allocation by: audit orientation (Compliance orientation, Performance improvement orientation); area responsible (Business Unit 1, Business Unit 2, Business Unit 3, Programme X, Across entity); audit theme (Governance, Programme performance, Strategy/planning, Human resources, Financial); and activity (Audits, Advisory services, Audit support activities).]
Example list of contents - internal audit manual
Introduction
Purpose of internal audit
Purpose of the manual
Application to in-house staff and external providers
Review of audit manual
Strategic planning
Major tasks in developing the internal audit strategic business plan
Timing of tasks
Responsibilities for tasks
Reporting
First draft report
Exit interview
Final draft report
Obtaining management response
Completing the final audit report
Audit findings and recommendations rating system
Report format
Document styles/templates
Post-audit events
Audit evaluation by sponsor
Evaluation and debrief of auditor/external provider
Disseminating better practice and lessons learnt
Quality assurance review
Appendices
Internal audit protocols
Records management
Registry files
Audit working papers
Audit records retention and disposal rules
Security procedures
Confidentiality
Data and document security
Asset security
Example internal audit protocol
The format and content of the internal audit protocol is a matter for the Head of Internal Audit
in consultation with entity management. This example includes the key points found in a better
practice internal audit protocol.
Entities are encouraged to review their existing protocol against this better practice example.
Introduction
This protocol outlines the respective roles and responsibilities of internal audit and management in
the course of an audit and the opportunities for consultation during the audit process.
provide assurance to the Chief Executive [and/or Board] that [the entity’s] financial and operational controls designed to manage the organisation’s risks and achieve the organisation’s objectives are operating in an efficient, effective and ethical manner, and
assist management in improving the entity’s business performance.
Independence
Internal audit has no direct authority or responsibility for the activities it reviews. Internal audit has no
responsibility for developing or implementing procedures or systems and does not prepare records
or engage in original line processing functions or activities.
Internal Audit reports functionally to the Audit Committee. The Head of Internal Audit is accountable
to the Chief Executive [or Board].
All records, documentation and information accessed in the course of audits are used solely for
auditing purposes. Under its legislation, the Australian National Audit Office has access to all relevant
[entity] documents including internal audit reports.
Agreements with purchasing departments also provide for consultation and disclosure of audit
matters affecting purchasing department programmes and other circumstances2.
Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors
1 For more information on the roles and responsibilities of internal audit see the internal audit charter available on the [entity’s] intranet.
2 Include where applicable.
3 Specify applicable standards.
Internal audit activities are conducted in accordance with the Australian Public Service and [entity]
values, policies and procedures.
The strategic business plan and the audit annual work plan are approved by the Chief Executive/
Board/Audit Committee. The audit work plan is available on the [entity] intranet.
In addition, audits not on the audit work plan can be commissioned by the Chief Executive, the Audit
Committee or management.
Audit process
The various stages in the audit process are outlined below.
Preliminary consultation
Prior to commencing the audit, internal audit will consult with the relevant senior manager on the:
Opening interview
An opening interview will be conducted shortly before the start of the audit with management of the
area to be reviewed. The purpose of the opening interview is to:
enable the audit team to meet key staff of the area being reviewed
clarify the objectives, scope and timing of the audit
provide an opportunity for staff of the area being reviewed to present their views and perspectives on the matters subject to audit
finalise the plan for conducting the audit in terms of timing, duration, staff involvement, and
arrange access to buildings, personnel, files, systems and data in order to commence fieldwork.
Fieldwork
Internal audit is committed to a ‘no surprises’ approach and on-going discussions will be held with management as findings emerge and conclusions are developed. At the mid-point of the audit, a formal meeting will be sought with the sponsor to discuss the audit programme and any emerging issues.
If necessary, internal audit will communicate significant matters of concern to the Chief Executive
and/or the Audit Committee prior to the completion of the final report.
Amend as applicable.
Audits commissioned by management and not included in the audit work plan require the agreement of the Audit Committee.
Exit interview
At the conclusion of the fieldwork, internal audit will prepare a first draft report to be used as the basis
for discussion at an exit interview.
Draft report
Internal audit will issue a final draft audit report promptly following the exit interview, generally within
10 working days.
Management comments
On receipt of the final draft report, the sponsor and management of the work area under review should:
Management comments are required within 10 working days of the receipt of the draft report.
Final report
Within 5 working days of the receipt of management comments, internal audit will issue a final report to:
Where appropriate, lessons learnt and examples of better practice will be disseminated to a wider
audience in [entity].
A client satisfaction questionnaire will be sent with the final report. The sponsor should complete the
client satisfaction questionnaire and return it to the Head of Internal Audit. The Head of Internal Audit
will follow up any feedback indicating possible shortcomings in internal audit performance.
Pro-forma internal audit annual work plan progress report
Columns: Audit title | Progress status1 | Original date for consideration by Audit Committee | Revised date for consideration by Audit Committee | Percentage of estimated days used | Last milestone achieved2 | Status comment3
Progress status legend
R Red: Significant delays
O Orange: Some delays
G Green: On track
Milestones
Assignment planning commenced
Entry interview
Fieldwork commenced
Fieldwork completed
Exit interview completed
Draft report issued
Management comments received
Report considered by Audit Committee
1 Internal audit’s assessment of audit progress represented by ‘traffic lights’.
2 Selected from list of milestones.
3 Internal audit’s commentary on audit progress. An opportunity also exists to advise the Audit Committee of the significance of any findings that are emerging from audits in progress.
Pro-forma Implementation of recommendations progress report
Status of the implementation of internal audit and other report1 recommendations as at [date]
Columns: Report title and date2 | Recommendation/issue3 | Progress4 | Category/priority of | Manager | Original | Revised | Comment5
1 Including external audit and recommendations of Parliamentary Committees and other relevant bodies.
2 Or date issued, if not considered by the Audit Committee.
3 Summary of recommendation or issue.
4 Internal audit’s assessment of progress represented by appropriate coloured ‘traffic lights’.
5 Internal audit’s commentary on the adequacy of progress, as required.
Example key performance indicators
Measuring performance over time using a number of key performance indicators (KPIs) linked to internal audit objectives, and acting on the results, is important for an effective internal audit function.
The most appropriate KPIs will vary according to the objectives and structure of the internal audit function, but entities are encouraged to review their existing key performance indicators against the following example indicators.
Performance indicator | Target | Actual | Percentage variation
--- | --- | --- | ---
% staff turnover | | |
Example client survey questionnaire
Rating scale
Importance: 1 = Low importance 2 = Medium importance 3 = High importance
Performance: 1 = Strongly Disagree 2 = Disagree 3 = Agree 4 = Strongly Agree
Each statement is rated for Importance and for Performance.
Please use the space below to explain any specific ratings, to provide additional comments, or to offer suggestions to improve future internal audits.
Comments:
Example Audit Committee internal audit questionnaire
Rating scale
Importance: 1 = Low importance 2 = Medium importance 3 = High importance
Performance: 1 = Strongly Disagree 2 = Disagree 3 = Agree 4 = Strongly Agree
Each statement is rated for Importance (1 2 3) and for Performance (1 2 3 4).
Meetings
The internal audit strategic business plan and annual audit plan was developed in consultation with the Chief Executive, the Audit Committee and senior management.
The internal audit strategic business plan and annual audit plan takes into account the work of other sources of assurance and review.
Audit reports
Overall contribution
Please use the space below to explain any specific ratings, to provide additional comments, or to offer suggestions for improvement.
Comments:
Example internal audit self-review questionnaire
Rating scale
Ratings: 1 = Strongly Disagree 2 = Disagree 3 = Agree 4 = Strongly Agree
Each statement is rated 1 2 3 4.
· line management.
You have direct access to the Chief Executive/Chair of the Board and the Chair of the Audit Committee.
Internal audit is part of an integrated governance framework.
The internal audit charter is up to date and clearly articulates the roles, responsibilities and accountability lines of the internal audit function.
Your role is clear and well understood by management and staff in the entity.
You have access to all entity records, information and staff in the conduct of your work.
You and your staff know the entity’s business and the risks it faces.
There is a strategic internal audit business plan and internal audit annual work plan that is aligned with the entity’s business objectives, risks and major business systems and processes.
You have access to sufficient skilled and experienced staff and financial resources to meet your responsibilities and the expectations of key stakeholders.
Internal audit’s working practices are efficient and effective and are supported by an up to date Internal Audit Manual.
Relevant professional standards are adhered to.
Index
Continuous auditing, 10
Corporate objectives, achieving, 4
Information Systems Audit & Control Association, 29
Management
  control self-assessment arrangements, 1, 7
  internal audit and, 28
  monitoring, 1, 7
  strategies, 19
Measurement techniques, 48
MKL Consulting, 2
Model internal audit charter, 15, 51–5
N
New programs, 10
  advice on, 22
  ‘systems under development’ audits, 22
Non-audit activities
  definition, 2
  overview, 12
O
Other review activities
  internal audit and, 29
  strategic business plan, 18
Outsourcing
  choosing service provider, 33
  clear deliverables, establishing, 34
  management of, 33, 34
  service delivery model, 31
  service provider panel arrangements, 33
P
Performance assessment, 47–9
  annual performance report, 48
  measurement techniques, 48
Performance improvement audit, 2, 10
Plans
  annual work plan see Annual work plan
  audit planning, 39
Q
Quality assurance, 1, 7, 47–9
  external reviews, 49
  internal reviews, 49
Questionnaires
  Audit Committee, 83
  client survey, 82
  self-review, 85
R
Recommendations
  audit report, arising from, 42, 44–5
  implementation progress report, 80
Report see Audit report
Reporting lines, 5
Risk
  risk profile of entity, 17
  sources of, 18
  strategic business plan, 17
Risk management, 4, 7, 11
  strategic business plan, alignment of, 21
S
Self-review questionnaire, 49, 85
Service delivery models, 31–2
Staff
  attracting and retaining, 32
Stakeholders
  confidence and trust of, 26
  effective communication with, 40
  expectations of, 19
  key, relationships with, 26
  who are, 26
Standards, 6
Strategic business plan
  annual work plan supporting, 16
  budget considerations, 19
  business objectives, 19
  checklist, 25
  contents, 20–1
  developing, 17–20
  example, 25, 58–73
  external environment risks, 18
  goals and objectives of entity, 17
  management strategies, 19
  other review activities or functions, 18
  period covered by, 16
  previous internal audit coverage, 21
  purpose, 16–17
  risk management plan, alignment with, 21
  risk profile of entity, 17
  stakeholder expectations, 19
  timing of planning, 25
Supervision, effective, 40
Systems, new, 10
T
Terminology, 1–2
V
Values, 6
W
Whole-of-entity perspective, 9
Work practices
  efficient and effective, 38–46