
Public Sector Internal Audit

An investment in assurance and business improvement

Better Practice Guide September 2007


ISBN No. 0 642 809882 8

© Commonwealth of Australia 2007

COPYRIGHT INFORMATION

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be
reproduced by any process without prior written permission from the Commonwealth.

Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth
Copyright Administration, Attorney-General’s Department, Robert Garran Offices, National Circuit,
Canberra ACT 2600 http://www.ag.gov.au/cca

Questions or comments on the Guide may be referred to the ANAO at the address below.

The Publications Manager


Australian National Audit Office
GPO Box 707
Canberra ACT 2601

Email: webmaster@anao.gov.au

Website: http://www.anao.gov.au
Foreword
The responsibilities of internal audit vary considerably across public sector entities, as do
internal audit organisational arrangements and the way internal audit services are delivered.
This is to be expected, given the nature, size and complexity of the public sector.

It is our experience that better practice entities consider an appropriate level of investment in
internal audit to be an essential business decision. These entities recognise a well resourced
and effective internal audit function can play a key role in its governance arrangements.
By providing assurance on the effectiveness of an entity’s internal control environment and
identifying opportunities for performance improvement, internal audit can make a valuable
contribution to achieving an entity’s objectives.

This Guide updates and replaces the Guide issued by the ANAO in 1998. While many of
the principles remain the same, the role of internal audit has continued to evolve over time,
and this Guide incorporates practices and considerations of a better practice internal audit
function in a contemporary public sector environment. Consistent with other elements of
public sector administration, the roles and responsibilities of internal audit, together with
the skills and qualifications of internal audit staff, should be determined within the context
of each entity’s governance and risk profile.

The aim of the Guide is to provide guidance relevant to public sector entities operating
under both the Financial Management and Accountability and the Commonwealth
Authorities and Companies Acts. As with all the ANAO’s Better Practice Guides, each
entity is encouraged to use the Guide to identify, and apply, better practice principles and
practices that are tailored to its particular circumstances.

The Guide complements the ANAO’s Better Practice Guide Public Sector Audit Committees
issued in February 2005, and is intended as a reference document for Chief Executives,
Boards, members of Audit Committees, managers with responsibility for internal audit
activities, and internal audit staff.

Ian McPhee
Auditor-General

Contents

Foreword

Part 1

1. Introduction
1.1 Coverage
1.2 Common terminology
1.3 Key characteristics of a better practice internal audit function
1.4 Structure of the Guide
1.5 Acknowledgements
Key characteristics of a better practice internal audit function

2. Roles and responsibilities of internal audit activities
2.1 Introduction
2.2 The purpose of internal audit
2.3 Internal audit independence
2.4 Internal audit standards and values
2.5 Determining the role of internal audit
2.6 The internal audit charter
2.7 Contents of a better practice internal audit charter

3. Planning internal audit activities
3.1 Introduction
3.2 Internal audit strategic business plan
3.3 Purpose of an internal audit strategic business plan
3.4 Developing a strategic business plan
3.5 Contents of a better practice internal audit strategic business plan
3.6 Internal audit annual work plan
3.7 Developing a better practice internal audit annual work plan
3.8 Contents of an internal audit annual work plan
3.9 Costing of individual audits
3.10 Amendments to the annual work plan
3.11 Timing of audit planning

4. Relationships with key stakeholders
4.1 Introduction
4.2 Internal Audit and the Chief Executive
4.3 Internal audit and the Board
4.4 Internal Audit and the Audit Committee
4.5 Internal audit and management
4.6 Internal audit and the external auditor
4.7 Internal audit and other review activities and external bodies
4.8 Internal audit and professional bodies

5. Resourcing the internal audit function
5.1 Introduction
5.2 Internal audit budget
5.3 Service delivery models
5.4 Issues to consider in deciding the appropriate delivery model
5.5 Service provider panel arrangements
5.6 Management of a co-sourced or outsourced function
5.7 Head of Internal Audit
5.8 Resourcing the internal audit unit

6. Efficient and effective work practices
6.1 Introduction
6.2 Internal audit manual
6.3 Managing the internal audit process
6.4 Audit reporting
6.5 Audit report recommendations
6.6 Monitoring recommendations

7. Performance assessment and quality assurance
7.1 Introduction
7.2 Measuring internal audit performance
7.3 Measurement techniques
7.4 Internal audit annual performance report
7.5 Quality assurance

Part 2

Model Internal Audit Charter

Part 3

Example internal audit strategic business plan and annual work plan
Example list of contents – internal audit manual
Example internal audit protocol
Pro-forma internal audit annual work plan progress report
Pro-forma Implementation of recommendations progress report
Example key performance indicators
Example client survey questionnaire
Example audit committee internal audit questionnaire
Example internal audit self-review questionnaire
References
Index

Internal Audit
in the Public Sector
Better Practice Guide

Part 1
1  Introduction
Public sector managers operate in an increasingly complex and challenging environment. This, in
part, reflects the increasing demands and expectations of the community, government and the
Parliament. Public sector managers have a range of resources and mechanisms available to assist
them to meet their responsibilities within this environment.

In both the public and private sectors, internal audit has long been recognised by better practice entities as a valuable resource and entities have given the internal audit function a key role in their governance arrangements. In doing this, organisations recognise that internal audit is one of a number of internal assurance and business review type activities that should operate in a coordinated and complementary manner to the benefit of the organisation. These other activities include management monitoring, evaluations, quality assurance and control self-assessment arrangements, that are all designed to provide confidence and assurance to Chief Executives and/or Boards that management is meeting its responsibilities and the entity is achieving its objectives.

Better practice entities also recognise that internal audit should:

• be operationally independent: that is, internal audit is independent from the activities subject to audit
• have the visible and active support of the Chief Executive and/or Board, the Audit Committee and senior management
• have well defined roles, responsibilities and audit plans that are aligned with the entity’s risk profile
• have effective relationships with all stakeholders
• be properly resourced to enable it to meet its responsibilities
• adhere to specified professional standards
• have efficient and effective work practices
• be fully accountable for its performance, and
• be subject to periodic review.

1.1  Coverage

The principles and considerations outlined in this Guide are generally applicable to all public sector internal audit functions, irrespective of the particular delivery model adopted by the entity to provide internal audit services.

1.2  Common terminology


For ease of reference and presentation, the following terms are used in this Guide.

‘Chief Executive’ is used for the majority of entities subject to the Financial Management and
Accountability Act 1997 (FMA Act) where responsibility and accountability rests with the head of
the entity.

The term ‘Board’ is used for entities where a Board is appointed as the governing body of the entity,
as is generally the case with entities subject to the Commonwealth Authorities and Companies
Act 1997 (CAC Act).

Under the Financial Management and Accountability Act 1997 the Chief Executive is responsible for managing the affairs of the entity in a way that promotes the efficient, effective and ethical use of Commonwealth resources for which the Chief Executive is responsible. Under their enabling legislation, the Boards of Commonwealth authorities and companies subject to the Commonwealth Authorities and Companies Act 1997 are generally similarly responsible for the efficient and effective use of Commonwealth resources.

These are discussed in Chapter 5.

‘Head of Internal Audit’ is used to describe the person responsible for the management of the internal
audit function. Depending on the circumstances, the Head of Internal Audit can be an employee of
the entity, a partner, director or senior employee of an external service provider.

‘Audit activities’ consist of:

• internal audits: including reviews of entity policies, programmes, operations, internal controls, management information, governance frameworks and IT systems, and
• advisory services: including advice to management regarding existing, new or revised processes, procedures and IT systems, risk management and fraud control facilitation, coordination and training, observer status on management committees and the provision of other formal or informal advice. In conducting these services, internal audit does not assume management responsibilities.

‘Internal audit support activities’ are activities associated with internal audit or managing the internal
audit function including: developing the internal audit strategic business plan and internal audit annual
work plan; providing support services to the Audit Committee; monitoring the implementation of
agreed internal and external audit report recommendations and those of Parliamentary Committees
and other bodies; internal audit staff management and training and liaison with the external auditor.

‘Non-audit activities’ are activities where internal audit undertakes management responsibilities including: membership of management committees; the formulation of risk management and fraud control plans; and the conduct of fraud investigations.

‘Type of audit’ is a means of classifying the primary focus or orientation of an internal audit. The two types of audit referred to in this Guide are:

• compliance: that the operations under review are complying with legislative requirements, government or entity policy and procedures, and systems of internal control, and
• performance improvement: aimed at improving the efficiency and effectiveness of the programme or operations under review.

1.3  Key characteristics of a better practice internal audit function


Characteristics of a better practice internal audit function are outlined on the following page.

1.4  Structure of the Guide


The Guide is divided into the following three parts:

Part 1  Better practice principles and considerations.
Part 2  Model internal audit charter.
Part 3  Internal audit toolkit.

1.5  Acknowledgements
The ANAO appreciates the assistance provided by MKL Consulting in preparing the Guide. In
addition, many entities and individuals contributed to the development of the Guide. These included
Chief Executives, chairs and members of a number of public sector audit committees, Heads of
Internal Audit as well as a number of people in the internal auditing and accounting professions, and
private sector organisations.

Where the Head of Internal Audit is not an employee of the entity, arrangements need to be put in place to ensure relevant public sector financial and other legal requirements are met.

Also known as ‘systems under development’ audits.

These include the Management Advisory Committee, the Ombudsman and the Australian Public Service Commission.

In practice, audits will often have more than one focus and there are a number of other terms in use to classify audits. For example,
‘compliance’ audits can be called ‘assurance’ audits, and ‘performance improvement’ audits called ‘performance’ audits.

Key characteristics of a better practice
internal audit function
A better practice internal audit function is distinguished by the following key characteristics:

1. Is operationally independent: that is, internal audit is independent from the activities
subject to audit.

2. Is appropriately positioned in the entity’s governance framework to ensure the work
of internal audit complements the work of other internal and external assurance and
review providers.

3. Has a well developed business strategy that clearly articulates internal audit’s future role
and responsibilities.

4. Is business focused and has audit plans that are comprehensive and balanced, and are
linked to the risks in the entity.

5. Has the confidence of key stakeholders including the Chief Executive, the Board
(if applicable), the Audit Committee and senior management.

6. Undertakes all audits in accordance with specified auditing standards.

7. Has sufficient financial resources and access to internal audit staff with the necessary
skills, experience and personal attributes to achieve what is expected of internal audit.

8. Provides internal audit reports and other services, based on efficient and effective work
practices, that are valued by stakeholders.

9. Provides an annual assessment, based on internal audit work undertaken, of the effectiveness of the entity’s system of internal controls.

10. Advises the Audit Committee and entity management of patterns, trends or systemic issues arising from internal audit work.

11. Facilitates communication between external audit and entity management.

12. Disseminates lessons learnt arising out of its work to relevant areas of the entity.

13. Regularly informs the Audit Committee of progress in the implementation of agreed
internal and external audit and other relevant report recommendations.

14. Actively manages any external service providers, and

15. Is subject to periodic assessment and review as part of a continuous improvement process.

2  Roles and responsibilities of internal
audit activities
2.1  Introduction

Internal audit is an integral part of the broad corporate governance framework that entities establish
to manage risks and achieve corporate objectives.

It is important that the position internal audit occupies in the governance framework and the role it plays is determined by the particular assurance needs of the entity and its preferred governance framework, now and in the foreseeable future.

2.2  The purpose of internal audit

Internal audit[10] provides an independent and objective review and advisory service to:

• provide assurance to the Chief Executive and/or Board that the entity’s financial and operational controls designed to manage the organisation’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner, and
• assist management in improving the entity’s business performance.

2.3  Internal audit independence


A distinguishing feature of internal audit is its independence. Internal audit is independent in the sense
that it is independent of the activities it audits. This independence, best described as ‘operational
independence’, assists in ensuring that internal audit acts in an objective, impartial manner free from
any conflict of interest or inherent bias or undue external influence.

However, internal audit is not independent of the organisation in the same way as the external audit
function. It provides a service to management, reports to the Audit Committee and is accountable to
the Chief Executive or the Board for the achievement of its objectives and the use of its resources.

A number of practical measures can be taken to reinforce internal audit operational independence. These include:

• internal audit reporting functionally to the Audit Committee and being accountable to the Chief Executive of an FMA Act entity, or to the Board of a CAC Act entity
• the Head of Internal Audit having direct access to the Chief Executive and/or the Chair of the Board, and the Chair and other members of the Audit Committee
• periodic ‘in camera’ meetings between the Head of Internal Audit and the Audit Committee
• any change to the position of the Head of Internal Audit, or an external service provider, being approved by the Chief Executive (or the Board, in the case of a CAC Act entity) in consultation with the Audit Committee, and
• ensuring that internal audit has no management responsibilities[11] that conflict with its primary role.

[10] The Institute of Internal Auditors defines internal audit as:
‘an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’
The Institute of Internal Auditors, Professional Practices Framework (The International Standards for the Professional Practice of Internal Auditing), July 2006 p.1.

[11] Where internal audit is allocated executive or line management responsibilities, appropriate safeguards should be in place to ensure such responsibilities can be reviewed objectively.

Internal audit independence is reinforced by specifying these arrangements in an internal audit charter.

Reporting lines

As noted above, independence is enhanced where internal audit reports functionally to the Audit Committee[12]. In the case of an FMA Act entity, it is better practice for the Head of Internal Audit to be accountable to the Chief Executive. Similarly, in the case of a CAC Act entity, the Head of Internal Audit would be expected to be accountable to the Board[13] or a delegate of the Board, such as the Chair of the Audit Committee[14].

These reporting lines are illustrated below.

Figure 1:  Reporting lines for FMA and CAC entities

[Figure: two reporting-line diagrams. FMA Act agency: Chief Executive Officer (Note), Administrative Delegate, Audit Committee, Head of Internal Audit. CAC Act Entity: Board, Administrative Delegate, Audit Committee, Head of Internal Audit.]

Note: Many entities have established an executive board or committee to assist the Chief Executive
in managing the entity.

The extent to which the Chief Executive or Board may wish to delegate some or all of their administrative responsibilities to a senior executive in the entity is a matter to be determined by each Chief Executive or Board. When administrative responsibility for internal audit is delegated, it should be to a senior manager who demonstrates a commitment to the internal audit function and has, to the extent possible, no actual or perceived conflict of interest. It is generally recognised that, because the audit of financial systems and controls will generally feature prominently in internal audit coverage and the Chief Financial Officer (CFO) commonly has a prominent role in determining budget allocations, assigning responsibility of the internal audit function to the CFO creates an actual or perceived conflict of interest. In any case, the reporting arrangements should always provide for the Head of Internal Audit to have direct access to the Chief Executive or Board.

[12] However, there may be occasions when the Chief Executive or Board needs to be alerted quickly if there is an urgent major issue. This can be done directly or through the Chair of the Audit Committee.

[13] In cases where the entity is headed by an individual, it would be expected that the Head of Internal Audit would be accountable to that person.

[14] With direct access to the Chair of the Board, as necessary.



2.4  Internal audit standards and values

Standards

While there is no legislative or policy requirement for internal audit in the Australian Government to comply with any particular professional standard, it is important that internal audit work is conducted in accordance with recognised professional standards. Such standards assist in:

• providing confidence in the quality and consistency of the work that has been conducted
• guiding the work of auditors
• delivering auditing services in an effective and efficient way, and
• establishing standards and benchmarks against which to measure the performance of internal audit.

There are a number of standards that can guide the work of the internal audit function. The most recognised standard is the Professional Practices Framework of the Institute of Internal Auditors (IIA).[15] Other standards that may have application are the Australian Auditing Standards (ASAs), Auditing and Assurance Standards (AUSs), standards issued by the Information Systems Audit and Control Association (ISACA), Standards Australia and the International Standards Organisation (ISO).

Values
Australian Public Service and supporting entity values can also be relevant to the work of internal
audit and the conduct of internal audit staff, and should be specified in the internal audit charter,
where relevant.

Entities should determine which standard(s) and values must be complied with and specify them in the internal audit charter[16].

2.5  Determining the role of internal audit

“We will make an impact when we understand and anticipate stakeholder needs, use our core competencies to highlight weaknesses in a timely manner and provide meaningful recommendations that solve the ‘big problems’.”
Public Sector Head of Internal Audit

An important decision for each entity to make is deciding what role internal audit should play as part of its governance framework[17]. Generally, this should be considered in the context of:

• organisational and environmental factors, and
• specific internal audit considerations.

[15] The Institute of Internal Auditors, Professional Practices Framework (The International Standards for the Professional Practice of Internal Auditing), July 2006. Many internal auditors working in the Australian Government or for private sector service providers are members of the IIA. They are required by their membership to comply with standards issued by the IIA, to the extent that they are not inconsistent with the law.

[16] To encourage compliance with the adopted standards, consideration should be given to a form of certification on completion of each audit report, that the audit has been conducted in accordance with the specified standards. Reference to the standard(s) to be complied with should also be included in the internal audit charter, any contract with a third party provider, and details included in an internal audit manual.

[17] Some entities, for instance, see merit in combining the internal audit function with other activities such as risk management and fraud control. This can result in work areas being known by such titles as Risk Management and Assurance, Audit and Investigations, Governance and Assurance, and Assurance and Risk.

Organisational and environmental factors
Internal audit is one of a number of assurance and review functions or activities in many entities. Other
internal assurance and review elements of this framework can include management monitoring,
evaluations, business improvement reviews, risk management processes, quality assurance
arrangements and management control self-assessment arrangements.

This framework is illustrated below.

Figure 2:  Internal assurance and review framework

[Figure: diagram with the labels Comprehensive Assurance, Management monitoring, Internal Audit, Risk Management, Evaluations, Quality Assurance, Management Control Self-Assessment, and Business Improvement Reviews.]

To maximise the effectiveness of internal audit, it is important that its role is considered in the context
of other assurance and business review functions so that internal audit complements, rather than
duplicates, the responsibilities of others. It is equally important to ensure that the role of internal audit
is not displaced by these other functions or that, to the extent possible, there are no significant gaps
in the entity’s assurance and review framework.

One of the factors that will influence the role allocated to internal audit compared to those allocated to other assurance and review functions, is the importance the entity places on assurance and review generally and independent assurance activities specifically. This is likely to be influenced to some extent by the maturity of the other assurance and review functions and also by the culture of the entity.

Another factor to consider in determining the role of internal audit is the role other specialist assurance functions and business improvement advisors play in an entity. For example, there may be a need for a specialist risk management unit and/or a unit responsible for fraud control and investigation. This will be influenced, in part, by the nature of the business and its risks, including, for example, the degree of external regulation, industry standards and norms, the risk of internal or external fraud and the scale and nature of entity operations. Entities will, therefore, need to consider how well equipped internal audit is to meet entity requirements for specialist assurance and advice.

2 Roles and responsibilities of internal audit activities 


Whatever role is decided for internal audit, entities should ensure that the operational independence
of the internal audit function is not compromised by allocating it management responsibilities
that conflict with its primary roles. In situations where internal audit undertakes management
responsibilities, appropriate safeguards should be put in place to address any resultant conflict of
interest. Internal audit’s effectiveness should also be safeguarded by ensuring that its resourcing is
commensurate with its responsibilities.

Specific internal audit considerations

In deciding on the activities internal audit will undertake, it is better practice to consider the
following factors:

 the types of audits it will conduct
 the advisory services it will provide
 internal audit support activities
 any non-audit activities, and
 internal and external audit responsibilities.

These matters are discussed in more detail below.


Types of audits

The classification of audits based on identifying the primary orientation or focus of an audit is a useful
way for the Audit Committee to assess the balance of the proposed internal audit plan. Within the
broad framework of the provision of assurance services, internal audits are classified in this Guide as
either audits with a compliance orientation, or a performance improvement orientation.

In classifying audits, it is recognised that individual audits will often have multiple objectives that
are designed to provide, for example, assurance regarding compliance, as well as to identify
business improvement opportunities. In addition, whatever the particular focus or objective of
individual audits, internal audit should always be alert to opportunities to optimise controls, identify
non-compliance, and improve business performance in the conduct of its work. The two types of
audits referred to above are discussed below.

Compliance audits

Under public sector governance arrangements management is responsible for:

 complying with relevant legislation and government and entity policy requirements
 designing, operating, and monitoring business processes to achieve the organisation’s
objectives, and
 identifying risks that might prevent the entity from achieving its objectives, and developing,
implementing and monitoring controls to manage those risks.

It is generally accepted that a key role of internal audit is to review an entity’s systems of internal
control and provide independent assurance to the Chief Executive or Board, through the Audit
Committee, that an entity’s internal controls[18] are adequate and effective. This can include activities
such as providing assurance over compliance with legislative requirements, government and entity
policies, assessing the accuracy and integrity of management information, reviewing compliance
with procurement and contracting requirements and adherence to ethical standards.

[18] Particularly financial system controls.

Given that most entities depend heavily on IT systems to support the delivery of programmes or
assist public service administration, internal audit could also be expected to provide assurance that
the controls over such systems are both well designed and are operating effectively.

Examples of audits that fall under the broad category of ‘compliance audits’ are discussed below.

Certificate of Compliance

Commencing from 2006-2007, Chief Executives and Boards of entities subject to the FMA Act and
the CAC Act report annually on the financial management and sustainability of the entity, including
compliance with the FMA Act or CAC Act by providing a completed Certificate of Compliance to the
responsible portfolio minister each year[19].

It is expected that Chief Executives and Boards will have processes and controls in place to
provide reasonable confidence that the entity is complying with the requirements of the financial
management framework. Normally these processes and controls are likely to be an extension of
existing governance processes that provide assurance to Chief Executives and Boards that financial
and other controls are operating effectively.

Internal audit could usefully play a number of roles in relation to the Certificate of Compliance. For
example, internal audit could conduct a series of compliance reviews on key elements of the control
framework such as specific financial controls, management control self-assessment processes, if
applicable, or programme controls. Alternatively, or in addition, the Chief Executive/Board may prefer
regular, say, quarterly, or annual confirmation that the overall compliance framework can be relied on
to provide the required certification.

Periodic assessment of the effectiveness of systems of internal control

Another role that internal audit can play is the preparation of a periodic, say annual, assessment of
the effectiveness of an entity’s systems of internal controls based on the results of the internal audit
work conducted during the period. Internal audit usually conducts a number of audits each year
that assess the effectiveness of the internal controls operating in a range of individual financial or
business processes - such as payroll, grant acquittals, procurement or IT applications. The results of
individual audits are reported to the Audit Committee at the conclusion of each internal audit. Better
practice internal audit functions are, however, increasingly being tasked with providing the Audit
Committee with an annual overall assessment, based on the internal audit coverage undertaken,
of the adequacy and effectiveness of an entity’s internal controls and any systemic issues that may
have arisen from the internal audit activity completed. Such an assessment can be used by the Chief
Executive and/or Board and the Audit Committee in forming a view about how much confidence
they can have in the entity’s control environment and any systemic issues that need management
attention. As a minimum, internal audit should be collating the results of individual audit assignments
and providing a periodic summary report to the Audit Committee on audit findings and identifying
any systemic issues.

Internal audit can also be well placed to undertake an analysis of the results of reviews conducted
by other internal and external assurance providers. This might include reports on the results of
reviews such as compliance with its service charter, the results of control self-assessment reviews,
the findings from quality assurance reviews, and the results of IT system control monitoring or
occupational health and safety reviews. Providing a report in this way can assist the entity to address
any “silo effect” arising out of the work of different assurance providers and assist in identifying
systemic issues arising out of the range of assurance work that is commonly conducted in entities.
This whole-of-entity perspective on the assurance risks facing the organisation and how well they
are being managed could be used to further help inform risk identification and any necessary
management action.

[19] See Finance Circular 2006/8 for FMA Act agencies and Finance Circular 2006/11 for CAC Act bodies.

Such periodic reports are not a substitute for regular management reporting and the cost-effectiveness
of preparing such reports should be taken into account as part of any decision to task internal audit
with their preparation.

Continuous auditing

The widespread use of major IT systems for processing payments and receipts, and a desire by
internal audit to be increasingly pro-active, is leading a number of better practice entities to consider
opportunities of moving towards a process of continuous auditing. Under such an approach major
IT systems are interrogated on a regular and frequent basis, even daily, with the aim of identifying
anomalies or transactions that are outside pre-determined parameters that justify further examination.
The opportunity exists for such systems to be established by internal audit and over time, transferred
to management with internal audit being responsible for reviewing management’s actions in response
to any anomalies identified.

In deciding if a continuous auditing approach is appropriate for an individual entity, consideration
should be given to the costs and benefits involved and the capabilities required.

Performance improvement audits

It is generally accepted that internal audit not only provides assurance on compliance with procedures
and systems of internal control, but it is also well placed to assist management to improve business
performance. The objective of such assistance could include suggestions to improve the economy,
efficiency and/or effectiveness of an entity’s programmes and operations in areas such as improving
service delivery, better contract and project management, eliminating waste, reducing costs or
increasing revenue. The scope could cover all of the operations of the entity or be targeted to a
narrower set of activities associated with internal audit’s assurance role, such as matters related to
governance, controls or risk management.

Advisory services
Internal audit can also provide valuable advice to entity management and staff to assist them in
managing the entity’s risks in respect of programmes, systems, and processes, risk management
processes and fraud control. Such advisory activities can take a variety of forms, including advice on
systems of internal control, processes, procedures and policies, attending management meetings
as an observer, training managers and staff or providing informal advice in response to ad hoc
management requests.

In providing advice to management, care should be taken to maintain the operational independence of
internal audit. Internal audit can offer suggestions and recommendations but it is up to management
to accept or not accept that advice. If management accepts the advice it is then the responsibility of
management, not internal audit, to implement the advice and be accountable for its implementation.
Internal audit’s objectivity and impartiality could potentially be put at risk if internal audit takes on
management’s role. In this situation internal audit’s independence can be reinforced by reference in
an internal audit charter that distinguishes internal audit’s role from that of management.

New programmes, systems and processes

Another area where internal audit can be of particular assistance to entities is in the implementation
of new government programmes, systems or processes. The introduction of new programmes,
systems or processes, often involving substantial expenditure and tight timeframes, can present
additional risks for entities that need to be identified from the start and well managed early in the
process. The introduction of new IT systems can also be a particularly high risk activity and the
early involvement of internal audit can generate significant benefits by bringing internal audit’s specific
control expertise to bear on the task, including lessons learnt from previous similar projects in the
entity or from elsewhere.

Internal audit can offer advice and other assistance throughout a project lifecycle from the concept,
design and implementation stages, through to the post-implementation stage of a project. Guidance
can include: advice on the design of financial and other controls or, where outsourcing or other
contracts may be involved, issues concerning the appropriate procurement method; tender
evaluation; and probity issues[20].

To maximise the benefits of such assistance it is important that internal audit is responsive to the
needs of management for timely advice and has suitable arrangements in place to report on a real
time basis[21].

Risk management

Risk management is a key component of public sector corporate governance. The responsibilities of
many Audit Committees include oversighting the effectiveness of the entity’s risk management
framework.

It is management’s responsibility to identify and assess risks and to implement and monitor risk
mitigation strategies. However, given its expertise in risk and control assessment generally, together
with its experience in reviewing activities across the organisation, internal audit is well placed to assist
the entity to develop and monitor its risk management framework. Internal audit’s role can include:

 providing formal training and risk management advice to managers
 reviewing management’s risk assessments and associated risk mitigation controls and actions
 providing independent assurance over risk management processes, in particular, reporting
against the achievement of control strategies
 providing an opinion on the overall effectiveness of the entity’s risk management framework, and
 facilitating or co-ordinating risk management processes in the entity.

The role that internal audit can play in developing and maintaining an entity’s risk management
framework will be influenced by the maturity of the framework and the extent that risk management
is embedded in day to day operations. This is likely to change and evolve over time as the maturity
of the risk management framework changes. For example, entities that have some way to go with
the introduction of their risk management framework may give internal audit a key role in assisting
management to identify risks and develop appropriate strategies and monitoring and reporting
arrangements. On the other hand, where entities have in place a robust and mature risk management
framework that operates throughout the organisation and where practical mitigation strategies are
monitored at senior levels, internal audit’s role might be more focused on providing independent
assurance on the effectiveness of the mitigation strategies and/or an assessment of the overall
effectiveness of the framework.

Whatever role internal audit plays in risk management, appropriate arrangements should be in place
to maintain the operational independence of internal audit.

Fraud control

Responsibility for managing the risk of fraud, like responsibility for managing all risks, rests with
management as part of its ongoing responsibilities. However, internal audit can assist an entity to
manage fraud control by providing advice on the risk of fraud and/or by advising on the design or
adequacy of internal controls to minimise the risk of fraud occurring. It can assist in detecting fraud
by considering fraud risks as part of its audit planning and being alert to indicators that fraud may
have occurred. Fraud investigation is a matter that requires specialist knowledge and skills.

[20] Because internal audit may act as probity auditor it is better practice that internal audit is not the initial probity advisor.
[21] Such arrangements will also usually involve periodically reporting on a summary basis to the Audit Committee.

Any decision to allocate management responsibility to internal audit for the investigation of fraud
should be taken in the full knowledge of the special risks involved and skills required in collecting and
collating evidence that may be used in any legal proceedings.

The role of internal audit in relation to fraud control should be considered as part of the organisation’s
overall fraud risk assessment and fraud policy[22].

Internal audit support activities

It is important that as much internal audit time as possible is spent on audit or advisory work.
Nevertheless, time spent on internal audit support activities such as business and audit planning,
monitoring the implementation of agreed internal and external audit and other report recommendations,
assisting the Audit Committee to meet its legal obligations and servicing the Audit Committee, internal
and external liaison, recruitment and staff development is an essential pre-requisite for an effective
internal audit function.

The relative balance of resources devoted to internal audit support activities compared with audit and
advisory activities, is a matter for consideration by the Audit Committee when considering internal
audit plans and budgets.

Non-audit activities
Internal audit operational independence is maintained when internal audit has no management
responsibilities other than for the internal audit function itself. Nevertheless, in limited circumstances,
it is recognised that internal audit may be called upon to perform activities that are management
responsibilities. These could include such activities as membership of management committees (as
distinct from having observer status), formulating fraud or risk management plans, or conducting
fraud investigations. The line between being an advisor to management and taking on management
responsibility for a task can sometimes be blurred. Consequently, it is important that professional
judgement is applied and appropriate safeguards put in place to maintain operational independence,
to the extent possible.

Where internal audit is to have responsibility for non-audit activities, these should also be specified
in the internal audit charter.

Internal audit and external audit responsibilities

Under the Auditor-General Act 1997, the Auditor-General is responsible for auditing the financial
statements of Australian Government entities[23]. Responsibility for keeping accounts and records[24]
and for preparing the financial statements rests with entities[25]. Under section 49 of the FMA Act,
Chief Executives must state whether, in their opinion, the financial statements give a true and fair
view of the matters required by the FMA Orders. In CAC Act entities, the Board is responsible for
certifying that entities’ financial statements comply with the CAC Act Finance Minister’s Orders.

[22] Under the Commonwealth Fraud Control Guidelines, agency heads are required to certify in their annual reports that
their agency has prepared fraud risk assessments and fraud control plans and has in place appropriate fraud prevention,
detection, investigation, reporting and data collection procedures and processes that meet the specific needs of the agency
and comply with the Commonwealth Fraud Control Guidelines. The Attorney-General’s Department, Commonwealth Fraud
Control Guidelines, May 2002 and the ANAO Better Practice Guide, Fraud Control in Australian Government Agencies,
August 2004 provide guidance on the risk assessment and control of fraud in the APS.
[23] Auditor-General Act Part 4 Division 1.
[24] FMA Act s 48 and CAC Act s 20.
[25] FMA Act s 49 and CAC Act Schedule 1, Part 1, Clause 2.

In this context, the responsibilities of the Audit Committees of FMA agencies as specified by section
2.1 of the FMA Orders include:

 as far as practicable, the coordination of audit programmes conducted by internal auditors and
those conducted by the Auditor-General, and
 the provision of advice to the Chief Executive on the preparation and review of financial
statements of the Agency.

Professional standards also encourage co-operation between internal and external audit in the
context of the audit of an entity’s financial statements and to increase audit efficiency by minimising
duplication. There are mutual benefits for entities and the external auditor in internal audit conducting
work that can be relied on by the external auditor, particularly in the areas of legal compliance and
financial system controls.

It is important, therefore, for entities to fully explore with external audit what review role internal audit
can play in the preparation of the entity’s financial statements and in coordinating its plans with those
of the external auditor. For example, internal audit can usefully review the adequacy of the quality
assurance arrangements put in place by the Chief Financial Officer.

There is also an opportunity for internal audit to act as a liaison point with the external auditor. This
can assist not only in improving the efficiency of the overall audit process but also in developing a
good working relationship between internal and external audit.

2.6  The internal audit charter


To formalise the position of internal audit in the governance framework, the roles and responsibilities
of internal audit should be articulated in an internal audit charter. An internal audit charter is
a document that formally outlines internal audit’s role, responsibilities, authority[26], standards
and accountabilities.

The charter should be developed by the Head of Internal Audit. Consultation with stakeholders,
particularly the Chief Executive and the Audit Committee, as part of developing the charter is an
important means of understanding stakeholder needs and expectations. Any expectation gaps can
be identified and addressed as part of the development process. The charter should be consistent
with the Audit Committee’s responsibilities for oversighting the internal audit function as outlined in
the Committee’s charter[27].

The charter should be approved by the Chief Executive, or the Board in the case of a CAC Act
entity, on the advice of the Audit Committee. Because the charter is a means of communicating
the role, responsibilities and authority of internal audit it is important that, once approved, it is made
widely available throughout the entity. Many entities also make the charter publicly available via
their website.

As governance requirements change in response to changing risks and the business environment,
the role of internal audit is also likely to change. The charter should, therefore, be reviewed at
least annually to have confidence that the role of internal audit continues to meet the needs of
the organisation.

[26] Internal audit is different from most other parts of the organisation in that it operates outside of its own boundaries across the
whole of the organisation. Because of internal audit’s broad mandate, it needs formal authority to access people and records
outside its own area to meet its responsibilities. Some entities also see benefit in reinforcing the role of internal audit in their
Chief Executive’s Instructions or equivalent policy documents.
[27] The role of Audit Committees in respect of internal audit is outlined in the Australian National Audit Office, Public Sector
Audit Committees, Better Practice Guide, February 2005.

2.7  Contents of a better practice internal audit charter
Better practice suggests that, as a minimum, an internal audit charter should include the following:

Introduction

 specifies that the internal audit function has been established by the Chief Executive/Board and
the charter has been approved by the Chief Executive/Board

Purpose of internal audit

 defines the purpose of internal audit

Independence

 specifies the organisational independence of internal audit
 defines the reporting arrangements and lines of accountability between the Head of Internal
Audit, the Chief Executive or Board, and the Audit Committee
 provides for unrestricted access to the Chief Executive, the Board (if applicable) and the Audit
Committee Chair and members
 provides for periodic ‘in camera’ meetings with the Audit Committee

Authority and confidentiality

 details internal audit’s authority to access all records, assets, personnel and premises and its
authority to obtain such information as it considers necessary to fulfil its responsibilities
 specifies information accessed in the course of internal audits will only be used for
auditing purposes.

Role and responsibilities

 details the role and responsibilities of internal audit including its role in undertaking:
 audit activities
 audit support activities
 non-audit activities (if any)

Scope of internal audit activity

 defines the scope of internal audit, that is, the programmes, activities, processes, systems and
organisations that are (and are not) subject to internal audit review

Standards

 specifies the professional and other standards that will be followed when conducting internal
audit assignments

Relationship with external audit

 defines the relationship between internal audit and external audit

Planning

 specifies the requirement for an internal audit strategic business plan and an internal audit
annual work plan

Reporting

 specifies the reporting arrangements required including the provision of an annual assessment
of the entity’s system of internal controls and advice to the Audit Committee and entity
management of patterns, trends or systemic issues arising from internal audit work

Administrative arrangements

 specifies adherence to the internal audit manual and protocols
 specifies internal audit performance will be assessed annually, based on key performance
indicators approved by the Audit Committee
 specifies that any change to the position of the Head of Internal Audit, if provided in-house or an
external service provider if outsourced, will be approved by the Chief Executive, or the Board in
the case of a CAC Act entity, in consultation with the Audit Committee
 provides for an independent periodic review of the internal audit function, and

Review of charter

 provides for the periodic review of the Charter by the Audit Committee and approval of any
substantive changes by the Chief Executive, or the Board in the case of a CAC Act entity, on the
advice of the Audit Committee.

Model internal audit charter


Part 2 of the Guide includes a model internal audit charter.

Roles and responsibilities checklist


Have the following factors been considered in determining the roles and responsibilities of
internal audit?

 other assurance and business review functions
 the role other specialist advisors play in the entity e.g. in relation to risk and fraud control
 the types of audits to be undertaken
 the advisory, support or non-audit activities to be undertaken
 the extent to which internal audit can assist external audit in meeting its responsibilities.


3 Planning internal audit activities
3.1  Introduction
It is important that the work of internal audit is focussed on the risks that might prevent an entity’s
business objectives being achieved. The key principle, therefore, in planning the activities that internal
audit will undertake is that there is an alignment between the entity’s objectives and risks, including
those ongoing and recurring risks, on the one hand, and the strategic direction and plans of internal
audit on the other.

Better practice internal audit planning consists of a strategic business plan that is supported by a
more detailed annual work plan[28]. Together, these plans serve the purpose of setting out in strategic
and operational terms the broad roles and responsibilities that are articulated in the internal audit
charter and identifying key issues relating to managing the internal audit function. Given their close
interrelationship, these plans would normally be developed at the same time and could either be
consolidated into one document or be separately presented.

“By focussing our planning efforts on the things that matter to the business and asking the right
questions, we make sure internal audit is seen as part of the business and contributes to its success.”
Public Sector Head of Internal Audit

3.2  Internal audit strategic business plan


Similar to other key business activities, the work of internal audit should be considered at both a
strategic and operational level. An internal audit strategic business plan outlines the broad strategic
direction of internal audit over the medium term and provides an important link between the internal
audit charter and the detailed internal audit annual work plan. It should articulate the primary focus
and direction of the internal audit function over the period covered by the plan; outline the objectives
to be achieved in the period; and identify the key management strategies and actions that will be
needed to achieve these objectives. It should also set out broad details of the audit, audit support
and non-audit activities that internal audit will undertake and the proportion of resources that
will be devoted to the different types of activities that will be undertaken. For example, the plan
should indicate the relative proportion of resources to be devoted to audits, advisory services and
audit support activities.

The period covered by the strategic business plan can vary, but would normally cover a three year
rolling period29 and be updated at least annually at the same time the internal audit annual work
plan is prepared.

3.3  Purpose of an internal audit strategic business plan
An internal audit strategic business plan helps in:

  focusing internal audit effort where it is most useful and effective
  communicating the medium-term direction of internal audit and how it supports the
organisation’s objectives and addresses the entity’s risks
  ensuring there are no unintended gaps in internal audit coverage over time
  identifying the resources, skills and experience required to deliver an effective internal audit service
  setting the direction for a continuous improvement culture and identifying priorities in the
management of the internal audit function
  identifying initiatives to mitigate the risks associated specifically with the internal audit function, and
  providing a framework against which to measure the performance of internal audit.

28 The internal audit annual work plan is, in turn, supported by specific plans for individual audit assignments. Better practice
on planning individual audit assignments is described in Chapter 6 of the Guide.
29 Where an entity has a formal strategic planning cycle it is better practice to align the internal audit strategic plan with that cycle.

3.4  Developing a strategic business plan


The Head of Internal Audit would be expected to be responsible for developing a draft strategic
business plan for approval by the Audit Committee30 in consultation with the Chief Executive as
required. Once approved, the plan should be made available to entity staff through the entity’s
normal communication channels such as an entity intranet. Any significant changes should be
approved by the Audit Committee.

The time and resources involved in developing the plan should be commensurate with the size and
complexity of each entity, as well as the entity’s risk profile, and the extent of the entity’s investment
in the internal audit function. For example, entities would not be expected to undertake detailed
planning for audits proposed in the two out-years. The process would also be expected to be
consistent with the entity’s usual business planning processes.

In developing the plan, consideration should be given to the following factors:

The entity’s goals and objectives


To align the strategic business plan with the entity’s strategic direction, internal audit should have
a good understanding of the goals, objectives and priorities of the entity as they are articulated in
corporate and business plans, and similar documents. At a more detailed level, business goals
and objectives can also be outlined in other strategic documents such as workforce planning and
information technology strategies and asset management plans.

Consultation with the Chief Executive, members of the Audit Committee, and senior managers is
important in assisting internal audit in understanding existing and emerging business strategies
and risks.

Better Practice Tip: Discussing audit plans


Discussing audit plans with senior managers concurrently with the entity-wide risk
management and business planning processes provides an opportunity for internal audit
to encourage managers to see internal audit as a service to help them better manage
their business.

The entity’s risks

“Without an adequate risk analysis internal audit cannot proceed with its strategy.”
HM Treasury Audit Strategy Good Practice Guide

The entity’s risk profile and how it may change over time will also be an important determinant of the
size and nature of the internal audit programme and the types of audits that are undertaken. Provided
the entity’s risk identification process and risk management framework is mature, the entity’s risk
management plans will be a key source of information in developing the strategic business plan.

In situations where the entity does not have a mature risk management framework, it would be
expected that internal audit would develop its own entity risk profile that should be subject to
confirmation with the Audit Committee and the senior management of the entity.

30 The FMA Orders for FMA agencies provide for the Audit Committee to approve the strategic audit plan of the agency.


Entities also see benefit in conducting a series of compliance audits across the entity on a cyclical
basis to provide assurance that key governance policies, procedures and controls are in place and
operating effectively.

External environment risks


External sources, including reports from Parliamentary Committees, public sector management
advisory groups31, central agencies, regulators and the ANAO, can also illustrate potential sources of
risk. Trends in accounting and governance matters can also point to areas that might impact on the
achievement of the entity’s objectives and may require internal audit review.

The work of other review activities or functions

“Internal Audit should be seamlessly integrated within the overall governance framework.”
Public Sector Chief Executive

Consideration also needs to be given to the responsibilities and proposed coverage of other
internal or external review activities or functions. Internal review functions, as noted earlier, include
management monitoring and committees, evaluations, business improvement reviews, risk
management processes, quality assurance arrangements and management control self-assessment
arrangements. In addition, there are a number of external assurance and review bodies including
Parliamentary Committees, external audit, regulators, and the Ombudsman.

This is illustrated in figure 3 below.

Figure 3:  Internal and external assurance and review framework

[Figure 3 shows Comprehensive Assurance as the combination of:
Internal Assurance: Management Control Self-Assessment; Management Reviews and Committees; Internal Audit;
Risk Management; Business Improvement Reviews; Evaluations; Quality Assurance
External Assurance: Parliamentary Committees; External Audit; Ombudsman; Regulators]

31 For example, the Management Advisory Committee established under the Public Service Act 1999.

It is important that the planned internal audit coverage complements, rather than duplicates, the
work of other internal and external assurance and review activities.

To assist in determining the appropriate internal audit coverage entities increasingly see a benefit of
conducting an assurance mapping exercise. This consists of an analysis of the risks facing the entity
and the extent to which each of the various assurance and business review elements address these
risks. Such an exercise can be a very useful way of obtaining a broad entity-wide perspective of the
‘assurance landscape’ and assist in identifying any gaps or duplication.32

Stakeholder expectations

In consultation with key stakeholders, it is also important for internal audit to obtain the views
of stakeholders about their expectations of internal audit. In this regard, it can be expected that
stakeholders could have differing views about their expectations of internal audit and its focus and
priorities. In these circumstances it is important for internal audit to ‘work through’ the different
perspectives and have follow-up discussions, as required, to ensure that the draft strategic business
plan fully takes into account the views of all stakeholders. In its consideration of the draft plan, the
Audit Committee should be made aware, at least in broad terms, of the views of key stakeholders
particularly if they are not reflected in the final draft of the plan.

Budget considerations
As a matter of principle, the internal audit strategic business plan should first address all the activities
that internal audit, the Audit Committee and other stakeholders consider should be included, before
reflecting on the possible budget available.

The size of the investment the entity wishes to make in internal audit would normally be determined
by the Chief Executive/Board on the advice of the Audit Committee33. Factors that influence the level
of this investment are outlined in Chapter 5, Resourcing the internal audit function.

Internal audit business objectives and management strategies


Developing a statement of business objectives for the internal audit function by the Head of Internal
Audit, in consultation with the Audit Committee, communicates the direction internal audit intends to
pursue over the life of the plan. Such a statement also provides a focus to develop and prioritise a
set of management strategies and tasks designed to achieve those objectives. The most appropriate
business objectives will vary between entities according to their particular circumstances and may
change over time. Business objectives can vary considerably, but often include matters relating to
the quality, cost-effectiveness and nature of the audit and other services provided by internal audit
designed to meet the entity’s needs.

The business objectives decided on for the internal audit function will, in turn, affect the management
strategies required to achieve those objectives. Such strategies will also vary considerably but can often
involve plans affecting staff training and development, clarifying stakeholder expectations, improving
audit and other processes, introducing new technologies or enhancing performance measurement.
For example, one of internal audit’s business objectives could be to increase internal audit’s
capability and capacity to undertake audits of systems under development. This will require strategies
to have staff and/or contract resources with the necessary skills to undertake these audits.

32 An example of an assurance map is shown as part of the Example of an internal audit strategic business plan and audit
work plan in Part 3 of the Guide.
33 See Australian National Audit Office, Public Sector Audit Committees, Better Practice Guide, February 2005, p.13.


The service delivery model in place, and any proposed changes, will also influence the management
strategies adopted. For example, an in-house service delivery model will require the development
of strategies designed to ensure that the staff have the appropriate level of skills and experience to
undertake the proposed audit coverage. The use of a co-sourced or outsourced model will require
strategies and plans to help ensure appropriate quality and accountability is maintained.

3.5  Contents of a better practice internal audit strategic business plan

The precise format and content of the strategic business plan will vary depending on the preferences
of stakeholders and the size and nature of the internal audit function itself. However, it would be
expected that better practice plans will contain all or a majority of the following matters:

  the key business objectives and direction of internal audit over the period of the plan that are
consistent with the internal audit charter
  a brief outline of the methodology used in developing the plan and key stakeholders consulted
  a summary of the key objectives and strategic direction of the entity and a description of any
planned major initiatives
  an outline of the entity’s key business risks
  a description of emerging external issues and trends that may impact on the entity
  an outline of the entity’s identified business risks mapped to the various internal and external
assurance and review providers
  a description of the audit strategies and priorities for internal audit over the life of the plan
  a summary of the proposed internal audit coverage over the period of the plan showing by year, the
    • relevant audit theme34
    • audit title
    • area responsible
    • type of audit
    • priority
  a summary of the proposed internal audit coverage over the period of the plan against a
background of the previous two years’ coverage
  the relative allocation of internal audit resources between
    • audit, advisory services and audit support activities
    • the different types of audits, and
    • different business and/or programme and/or geographical locations.

The plan should also outline details in relation to the management of the internal audit function
itself such as:

  details of the financial and human resource budgets for internal audit activities over the life
of the plan
  the management strategies and approaches to help ensure that internal audit has access to the
necessary level of skilled and experienced staff, and that its methodologies and work practices
reflect contemporary better practice
  identification of the risks and actions proposed to manage the risks of not achieving internal
audit’s objectives
  details of the performance measures to be used to measure the performance of internal
audit, and
  arrangements for the review and update of the plan.

34 These themes should be aligned with the entity’s main business risks.

Alignment with the entity’s risk management plan
To assist in demonstrating an alignment between the entity’s risks and the proposed internal audit
coverage and to highlight entity risks that are not being addressed by internal audit, better practice
entities see benefit in grouping proposed internal audits under a series of ‘audit risk themes’ that
mirror the risk categories identified in the entity’s risk profile. Examples of possible internal audit risk
themes include governance, policy and strategic planning, programme and project management,
client relationships, financial, human resources and IT systems.

As noted earlier, where entities do not have a mature risk management framework, it would be
expected that internal audit would develop its own risk profile.

Better Practice Tip: Knowledge Champions


Appointing each audit team member as a knowledge champion to develop special expertise in
a relevant specialist area such as government procurement and probity, emerging technology,
eCommerce, contract law, intellectual property and auditing trends and techniques can
increase the specialist knowledge available to internal audit while providing increased job
satisfaction for staff.

Previous internal audit coverage


The benefit of developing a medium term internal audit plan against a background of the last
two years is to enable the Audit Committee and management to assess whether the full range of
risks, especially compliance risks, are covered over an appropriate period (some may need to be
undertaken every year and others less frequently).

3.6  Internal audit annual work plan


A detailed internal audit annual audit work plan should be prepared that specifies the proposed
internal audit coverage for the next 12 months. The considerations in developing an annual audit
work plan are similar to those for the internal audit strategic business plan, albeit at a more detailed
level. Audit Committees of FMA entities are required to approve the annual audit plan. Depending on
their charter, Audit Committees of CAC Act entities may also approve these plans. Alternatively, they
should be approved by the Board on a recommendation of the Audit Committee.

3.7  Developing a better practice internal audit annual work plan

In developing the annual audit work plan, it is appropriate to also consider the following matters.

Prioritising internal audit topics


Once the broad strategic direction for audit coverage has been determined, a choice needs to be
made about the number and scope of specific audit topics to be included in an internal audit annual
work plan. The final selection of internal audit topics is ultimately a matter for the Chief Executive/Board
and the Audit Committee, and a structured approach assists in the decision-making process.

To assist in prioritising audit topics it is helpful to develop a set of criteria that can be used to assess
and rank potential topics35. Criteria can vary but would normally include:

 the strategic and operational risks identified in the entity’s risk management plan or business unit
plans or in the absence of a mature risk management framework, as identified by internal audit
 materiality and risks arising from the external environment
  the potential or expected benefits of an audit
  any specific requests from the Chief Executive, the Board, the Audit Committee or management
  the degree of alignment with the audit strategies identified in the internal audit
strategic business plan
  the importance of the programme or activity
  the significance of the findings from any previous internal or external audit or review, particularly
relevant reports and recommendations from Parliamentary Committees
  any coverage required to support the preparation of the financial statements, and
  the length of time since any previous internal or external audit as part of a cyclical
review process.

35 It can be helpful to maintain a list of potential audit topics as part of an ‘audit universe’ or a listing of auditable areas
or topics.

Some entities see benefit in allocating numerical “scores” to each of the criteria and aggregating the
scores to arrive at an overall audit ranking. Although audit “scores” can help to rank audit topics it should
be recognised that such a process still involves judgement in the allocation of individual scores.

Comprehensive annual work plan

A comprehensive internal audit annual work plan will generally include all or a majority of the following
activities:

  advice on new systems and processes – these are referred to as ‘systems under development’ audits36
  audits of major IT systems focussing, in particular, on security and access matters, and audits
of major projects
  a number of annual audits to review key areas of financial, human resource or governance
matters across different business units and geographical locations or a series of audits that are
conducted each year, for example, to provide assurance over the quality of the preparation of
the financial statements
  audits that review particular topics across the whole entity, such as procurement practices,
recordkeeping and ethical conduct and compliance with APS and entity values, that are aimed
at addressing potential systemic risks
  audits of areas where the risk is judged to be high but the controls are considered to be effective
in managing the risk. These audits can provide assurance that the controls are in fact operating
as intended
  follow-up audits of areas audited previously where shortcomings have been identified
  an allowance to undertake ad hoc or special request audits, particularly from the Chief Executive
and the Audit Committee, and
  a number of reserve audit topics that could be substituted if planned audits do not proceed.

36 It is important that internal audit advice is communicated to management in a timely manner to enable the advice to be
considered before the system is implemented.

Better Practice Tip: Plan for contingencies
Retaining 10%-15% of the internal audit annual work plan as a contingency for unforeseen
audits helps internal audit to accommodate requests for special or urgent audits.

Objectives and scope of audits

Part of the process of selecting audit topics is consideration of the objectives and scope of individual
audits. These factors can have a significant effect on the cost of the internal audit annual work
plan or the number of audits included in the plan. In particular, consideration should be given to
whether it is better to have fewer, more in-depth audits, more audits with a narrower focus, or a
combination of both.

The views of the external auditor

In developing the plan, it is important to consult with the external auditor to gain an understanding of
their perspective on the business risks facing the entity and the external auditor’s proposed financial
statement and performance audit coverage. This information is necessary to help ensure that
potential duplication and gaps in overall audit coverage are identified, and to identify opportunities
for the external auditor to rely on the work of internal audit. Any significant areas that are not covered
or are duplicated should be drawn to the attention of the Audit Committee.

Size and nature of the internal audit annual work plan


Factors that would be expected to affect the size and nature of the internal audit annual work
plan include:

 the risk tolerance37 and the risk profile38 of the entity: an entity with a low risk tolerance and a
substantial number of risks and, by extension, controls designed to assist in managing the risks,
could be expected to have a larger internal audit programme than an entity with a higher risk
tolerance and a smaller risk profile
 the size and complexity of the entity’s business: the larger the number of separate business
activities and programmes, the more audits that could be expected to be required
 the stability of the entity: internal audit might be required to do more in times of significant change.

As with the internal audit strategic business plan, the size of the internal audit annual work plan will
also be influenced by the level of investment in internal audit an entity wishes to make.

37 The concept of risk tolerance embraces the level of exposure which is considered tolerable and justifiable should it be
realised. Depending on the maturity of the entity’s risk management framework, the tolerance level can be formally stated or
may reflect more the culture of the entity.
38 This term refers to the extent and nature of the risks facing an entity.

Internal audit support activities

In preparing the plan, sufficient time and resources should also be included to:

  manage the internal audit function
  monitor and report to the Audit Committee the implementation of agreed recommendations in
internal and external audit reports and from Parliamentary Committees and other review bodies
  analyse the risk, control and governance issues arising from internal audit work, or the work of
other assurance providers, with a view to providing periodic reports to the Audit Committee on
systemic issues and trends
  support the Audit Committee in discharging its legal obligations
  provide secretarial support to the Audit Committee (assuming this is a responsibility of
internal audit)
  develop and periodically review the internal audit strategic business plan and the internal audit
annual work plan
  provide appropriate professional development to internal audit staff, and
  liaise with the external auditor and other relevant external bodies.

Where some or all services are provided by an external party, sufficient time should also be provided
to enable the contract, or contracts, to be properly managed.

3.8  Contents of an internal audit annual work plan

The plan should be sufficiently detailed to enable the Audit Committee and, as necessary, the Chief
Executive, to be satisfied that the proposed coverage is adequate. It would be expected that, as a
minimum, the plan should outline for each proposed audit the:

  audit risk theme being addressed
  audit title
  area responsible and sponsor
  type of audit
  summary description of the audit
  expected benefit to be added by the audit or the rationale for the audit
  priority and resources to be used to conduct the audit – in-house, contractors or a
combination of both
  estimated duration and cost
  proposed timing of the audit including the month it is expected to be completed, and
the Audit Committee meeting at which the audit will be considered.

Some entities also see benefit in including a list of topics that rank just below those selected for
inclusion in the plan. This assists the Audit Committee to assess the proposed plan in the context of
risks that will not be addressed.

The presentation of the annual work plan to the Audit Committee will generally be enhanced through
the use of summaries, graphs and charts which can be used, for example, to indicate the mix of
audit types to be undertaken, the spread of audit activity across the entity by work group or by
geographical location.

3.9  Costing of individual audits

It is generally accepted that for resource management and accountability purposes, internal audit
units should have a formal time recording system to record the time auditors spend on audit and
related tasks. Each entity also needs to decide if there are benefits in implementing and maintaining
a cost recording system that captures the cost of each individual audit. In making such a decision,
care should be exercised in specifying the degree of precision required from such a system and in
ensuring that the benefits are balanced against the degree of administrative effort and financial cost
involved in establishing and maintaining the system.



4  Relationships with key stakeholders
4.1  Introduction
To be effective, internal audit must have the confidence and trust of the key stakeholders it works with.
This confidence should not be assumed to be ‘a given’. It can only be established and maintained
by having effective working relationships, delivering high quality and timely advice and internal audit
reports, that are seen to be contributing directly to assisting the entity to meet its responsibilities.

The key stakeholders of internal audit are:

  the Chief Executive, in the case of FMA Act entities
  the Board and Chief Executive in the case of CAC Act entities
 the Audit Committee
 senior management
 the external auditor
 other review activities and external bodies, and
 professional bodies.

While it is important that details of these relationships are formalised in documents such as the
internal audit charter, the Audit Committee charter and management protocols, good relationships
also need to exist at a practical working level to be effective.

4.2  Internal Audit and the Chief Executive


Better practice FMA Act entities recognise the advantages in having the Head of Internal Audit being
directly accountable to the Chief Executive. This not only sends a clear signal about the importance
of the internal audit function, it also facilitates regular contact between the Chief Executive and
internal audit. This contact should be used as an opportunity for internal audit to gain insights into
new and emerging risks and issues facing the entity and to discuss the role the Chief Executive
wishes internal audit to fulfil in the entity.

In situations where the Head of Internal Audit is accountable to someone other than the Chief
Executive, it is important that the Head of Internal Audit has direct access, on an as required basis,
to the Chief Executive.

4.3  Internal audit and the Board


In CAC Act entities, internal audit generally formally reports to the Board on the effectiveness of
the internal audit function. As the Audit Committee is usually a sub-committee of the Board, this
responsibility is often delegated to the Audit Committee. Although the Head of Internal Audit will meet
regularly with the Chair and members of the Audit Committee, some Boards periodically meet with
the Head of Internal Audit to exchange views and ideas. As a minimum, it is important that the Head
of Internal Audit has direct access to the Chair of the Board and the Chief Executive as required.

4.4  Internal Audit and the Audit Committee
The relationship between internal audit and the Audit Committee is also a crucial one and is likely to
have a number of dimensions. These involve:

  internal audit assisting the Audit Committee to comply with its obligations under the FMA
or CAC Acts
  internal audit being functionally responsible to the committee, for the conduct of the internal
audit programme; this places the committee in the role of being internal audit’s primary client and
requires internal audit to have a close professional relationship with the committee as a whole
and each of its members
  internal audit through its reports and its general interaction with the committee, being a key
source of information on the effectiveness of controls and the performance of the entity
 internal audit providing secretariat support to the committee in many entities
 the Audit Committee being responsible for either reviewing and approving internal audit plans, or
recommending their approval by the Chief Executive/Board, and
 the Audit Committee being involved in assessing the performance of internal audit and in any
change of the Head of Internal Audit and/or any external service provider(s).

Given this relationship, it is important that both formal and informal lines of communication be
established between internal audit and the audit committee and with individual committee members,
particularly the Chair. Audit Committee members should be in a position to be able to openly discuss
matters of interest with the Head of Internal Audit. In doing this, committee members must be
confident that such discussions will be treated in confidence by internal audit.

It is generally accepted that the Head of Internal Audit, and any external service providers, will attend
Audit Committee meetings unless there are exceptional circumstances why they should be excluded
for a whole meeting or a particular agenda item, or items. It is also good practice for the Audit
Committee to meet privately with the Head of Internal Audit and any external service providers, from
time to time. This provides the Committee the opportunity to ask questions and to seek feedback
from internal audit without management being present. This practice also supports the independent
role of internal audit.

To meet the Audit Committee’s monitoring responsibilities, internal audit should report to the
Committee on a regular basis on the status of the internal audit annual work plan. This report
should provide details of audit activity against planned audits, together with explanations of any
significant variations.

Internal audit should also report regularly on the status of management’s actions to implement
agreed internal and external audit report recommendations and agreed Parliamentary Committee
and other review body recommendations, providing details of who is responsible for implementing
the recommendations and an assessment of progress achieved.

As discussed earlier, better practice internal audit functions increasingly are providing Audit
Committees and Chief Executives with periodic reports on the patterns, trends and systemic issues
identified as a result of internal audit activities undertaken.

Better practice Audit Committees will formally review the performance of internal audit on at least an
annual basis. To assist the Committee in doing this, internal audit should provide an annual report in
an agreed format to the Committee on its achievements and on the use of its resources.

3.10  Amendments to the annual work plan
The plan should be kept under periodic review and any substantive amendments should be approved
by the audit committee. Many audit committees find it appropriate to authorise the Chair of the
committee to approve changes to the plan out of session, where this is required.

3.11  Timing of audit planning


It is better practice for internal audit plans to be prepared and submitted to the Audit Committee,
and the Chief Executive where appropriate, to enable them to be considered and approved prior
to the commencement of the next financial year. (The same imperative exists for plans that are
prepared on a calendar year basis.) This would generally require planning to commence in time to
allow consideration of a draft plan by the Audit Committee to take place at the penultimate Audit
Committee meeting before the end of the year (often this is in March/April).

Better Practice Tip: Timing of audit planning

Aligning the timing of the internal audit planning process with that of the entity’s business
planning processes can assist in internal audit planning being aligned with the objectives and
priorities of the entity.

In circumstances where the full internal audit work plan is not approved, an interim work plan
for the first three or six months should be approved prior to the commencement of the year to
which the plan relates.

Example internal audit strategic business plan and internal audit annual work plan.

Part 3 of the Guide includes an example internal audit strategic business plan and internal audit
annual work plan.

Planning internal audit activities checklist


Have the following factors been considered in planning internal audit activities?

• the entity’s overall goals and objectives
• the entity’s risk profile
• the work of other review functions or activities
• the expectations of key stakeholders
• the level of investment in the internal audit function
• the actual and proposed financial and performance audit coverage by external audit
• the types, mix and location of proposed audits and advisory services
• the extent of audit support activities to be undertaken
• the business strategies and priorities of the internal audit function.

4.5  Internal audit and management
To be able to effectively fulfil its responsibilities, internal audit needs to have a professional and
constructive relationship with senior management, in particular, and with the management cadre of
the entity in general.

Better practice internal audit functions will interact on a regular basis with members of the senior
management team, and through the delivery of practical, business focussed and useful reports and
advice, will build a relationship that is based on cooperation, collaboration and mutual respect.

Meetings with entity managers should be used as an opportunity to be briefed on key business
developments and the impact they have on the risks facing the entity. These meetings should also be
used to obtain informal feedback about the performance of internal audit and to assist in identifying
ways that internal audit can best assist entity management. In this context, better practice internal
audit units will encourage managers to seek their advice and assistance on either an informal or
formal basis as the need arises. One measure of the effectiveness of internal audit is the extent to
which managers seek out internal audit to assist them in managing their business.

In interacting with management, internal audit will be privy to information which can impact on
professional and, at times, personal reputations. It is important that internal audit respect the
confidentiality of such information and its communication to others be on a strictly need to know
basis. In situations where managers consider that such information is being used inappropriately, the
reputation and credibility of internal audit is likely to be adversely impacted.

Better Practice Tip: Audit Liaison Officer


Some larger entities have found the use of Audit Liaison Officers in business areas or regions a
useful way to facilitate audit planning, the conduct of audits and the implementation of agreed
audit recommendations.

4.6  Internal audit and the external auditor


Establishing a professional working relationship between internal audit and the external auditor
should deliver benefits to both parties. It is important that internal audit seek input from the external
auditor in developing the internal audit strategic business plan and internal audit annual work plan.
It is also important that internal audit consult with the external auditor during the planning phase of
individual audits that address key financial and business systems that underpin the entity’s financial
statements or relevant areas of proposed performance audit coverage. By engaging external audit
in this way, potential overlaps and gaps in overall audit coverage can be identified and addressed,
and it will assist in maximising the extent to which external audit is able to rely on the work of internal
audit in undertaking its work.

Internal audit often will be responsible for liaising with external audit on behalf of the entity and be
tasked with coordinating external audit activity in an entity. This role can be a useful way for internal
audit to be aware of planned and actual external audit coverage, while at the same time being
cognisant of external auditors’ need for access to individuals and records to enable them to meet
their own audit responsibilities.

4.7  Internal audit and other review activities and external bodies
As noted earlier, internal audit is one of a number of internal and external review-type activities that
exist as part of entities’ governance arrangements. It is critical that all these activities operate in a
coordinated and complementary manner. This requires regular formal and informal contact between
them to help ensure that duplication and overlap are kept to a minimum, or preferably eliminated.
Some organisations see benefit in protocols being formalised between such activities, which provide,
for example, for the regular exchange of views and information and for the reporting of the results of
work undertaken in a coordinated manner.

Such arrangements can be particularly important in situations where internal audit needs to
work closely with programme or internal audit units of other entities as a result of inter-agency or
other agreements.

4.8  Internal audit and professional bodies


It is generally expected that individual internal audit staff will be members of the Institute of Internal
Auditors and/or other relevant professional bodies such as the Australian Society of Certified
Practising Accountants, the Institute of Chartered Accountants in Australia and, for IT auditors, the
Information Systems Audit & Control Association. It is important that internal audit staff use their
membership of such bodies to keep abreast of professional and industry developments and use
networking opportunities to assist in their ongoing professional development. In doing this, and in
accordance with applicable ethical codes of behaviour, care needs to be exercised to ensure that
appropriate confidentiality relating to entity activities and audit findings is maintained.

5  Resourcing the internal audit function
5.1  Introduction
To be able to provide the entity with the services expected of it, it is important that the internal audit
function has an adequate budget and access to sufficient resources with the necessary skills and
experience. The quantum and mix of resources required will be influenced by a number of factors,
especially the particular service delivery model chosen.

5.2  Internal audit budget
To provide an effective internal audit function it is important that the budget is sufficient to implement
the role expected of internal audit and, in particular, the internal audit strategic business plan and
internal audit annual work plan. It is the Chief Executive or the Board who would normally approve
the budget, on advice from the Audit Committee.

The factors that will influence the quantum and mix of the internal audit budget include the:

• number and types of audits included in the annual work plan: an annual work plan with more
business improvement audits is likely to cost more than one that has a more compliance focus
• complexity of the annual work plan: the weight given to audits requiring specialist skills such as
expertise in information technology, could add to the cost of the annual work plan
• geographic spread of audit work: the more travel that is required the greater the required budget
is likely to be
• extent of audit support activities: the inclusion of a large number of audit support activities is
likely to require increased resources
• other non-audit services required of the internal audit function: it could be expected that the
broader the role expected of internal audit the greater the internal audit budget
• cost of the service delivery model chosen to provide internal audit services: the difference in cost
between the service delivery model chosen by the entity and the cost of alternatives will affect
the budget needed, and
• cost of implementing the management strategies outlined in the internal audit strategic
business plan: the internal audit budget will need to take into account the cost of agreed
management strategies.

The ANAO is aware that studies are undertaken from time to time that benchmark expenditure on
internal audit against a number of variables. Generally, they relate to private sector organisations but
they may be of assistance in reviewing internal audit budgets in the public sector. Opportunities also
exist for internal audit to benchmark their budgets against similar public sector auditees as part of a
planned management strategy.

It is important that, in presenting the internal audit strategic business plan and internal audit annual
work plan to the Audit Committee, the Head of Internal Audit draws the committee’s attention to the
impact that any budget shortfall might have on the ability of internal audit to meet the expectations
of stakeholders and the exposure this might represent to the entity.

The Audit Committee will then be in a position to make an informed judgement on the adequacy or
otherwise of the budget. If the audit committee considers the internal audit budget to be insufficient,
compared to the risks facing the entity, it should draw this to the attention of the Chief Executive/Board.

5.3  Service delivery models

“If co-sourcing or outsourcing internal audit service delivery, you need to be an informed purchaser.”
Chair Public Sector Audit Committee

As noted earlier in the Guide, within the Australian Government sector, internal audit is performed
in a range of entities that vary considerably in purpose, size, structure, and complexity. As a result,
there is a range of models used to deliver internal audit services. These are illustrated in the following
diagram.

Figure 4:  Service delivery models

Model 1 (In-house): Internal audit function exclusively or predominately provided by in-house
resources. Managed in-house.

Model 2 (Co-sourced): Internal audit function provided by a combination of in-house and contract
resources. Managed in-house.

Model 3 (Outsourced with in-house management): Internal audit services provided by contract
resources, with in-house management of the internal audit function.

Model 4 (Outsourced): All internal audit services provided by contract resources. Project
management of contract(s) undertaken in-house.

Each model has its benefits and its risks. The most appropriate model will depend on the entity’s
particular needs that could well change over time as circumstances change. It is important, therefore,
to periodically consider which service delivery model will best suit the entity’s needs as part of the
Audit Committee’s consideration of the internal audit strategic business plan.

5.4  Issues to consider in deciding the appropriate delivery model
The following factors should be taken into account when considering the appropriate service
delivery model.

Ability to attract and retain suitable staff


For a variety of reasons it may be difficult to attract and retain suitably skilled in-house audit staff. As
a consequence, co-sourcing or outsourcing the internal audit function to an external service provider,
who assumes some or all of the responsibility for recruiting and managing the required staff, may be
an effective means of overcoming staff shortages.

Alternatively, the development and implementation of a comprehensive staffing strategy as part of
the internal audit strategic business plan may be successful in obtaining sufficient staff with the
necessary skills and experience.

The skills and experience required


Generally, in-house staff could be expected to have a greater knowledge of the entity’s business
objectives, systems, risks and culture. They can be seen as ‘part of the team’ and can be more easily
approached for informal and ad hoc advice. There are no issues over possible conflicts of interest
and there is more direct control over the quality of work undertaken. Corporate knowledge may also
be more readily retained by in-house staff and in-house internal audit units are in a position to offer a
good training ground for future senior managers.

On the other hand, service providers may have access to leading practices and expertise from the
public and private sectors in Australia and overseas that may be helpful to the entity.

Cost
The cost of in-house provision compared with the alternatives is a key consideration. It is important
when comparing costs to take into account the full costs of the different options including the
salaries of in-house staff plus overheads such as training, leave, superannuation, staff management,
accommodation and facilities. In the case of co-sourcing or outsourcing, the costs of contract
management as well as of the contract itself should also be taken into account.

Flexibility
Many internal audits require access to special technical audit skills that are either not available
or not cost-effective to maintain in-house. The ability to respond quickly to new requests for audits
without disrupting the planned programme or the need to resource workload peaks can also be
important. Co-sourced or outsourced arrangements may be able to provide the required flexibility in
such circumstances.

Viability
For some small entities there may not be the critical mass to make an in-house internal audit function
viable and sustainable. Small internal audit units may find it difficult to supply sufficient staff with
the full range of skills necessary to undertake a comprehensive internal audit plan. In this situation,
there is a risk the audit plan will be determined more by the skills of the staff available rather than
the needs of the entity. Limited career progression and development opportunities can also act as a
disincentive for the recruitment and retention of staff.

5.5  Service provider panel arrangements
Where a decision is made to co-source or outsource the internal audit function, a decision on
the number of external service providers to engage also needs to be made. This decision will be
influenced by the extent and nature of the services required. In many circumstances one service
provider will be the most appropriate choice. In situations where there is an extensive audit plan and
a broad range of skills are required, it may be appropriate to establish a panel of service providers.
Such an arrangement can provide access to extra skill sets and provide additional flexibility compared
to a single provider. There are a number of different panel arrangements that can be established.
For example, the panel could consist of a number of pre-qualified providers who tender for specific
internal audits. Alternatively, it could involve two or more providers who each have a contract to
provide a specified number of work days over a particular period and the work is allocated to the
provider best suited to the particular audit.

If a panel arrangement is adopted, consideration needs to be given to striking a balance between the
number of providers required to provide sufficient flexibility and access to skilled staff and the need
to avoid spreading work too thinly. Where an external provider is contracted to only perform a small
parcel of work there is limited opportunity for the provider to develop the required understanding
of the entity and its business needs. The arrangement also has to be commercially viable from the
provider’s perspective.

5.6  Management of a co-sourced or outsourced function
The key to success in managing external providers, like the management of any outsourced
service, involves:

• choosing the right provider with the right experience, on the basis of a value for
money assessment
• establishing clear expectations with the service provider, and
• actively monitoring the performance of the provider and managing the relationship throughout
the life of the contract.

For better practice guidance on developing contracts and managing service providers see the
Australian National Audit Office and Department of Finance and Administration, Developing and
Managing Contracts, Better Practice Guide, February 2007.

Choosing the right provider


Issues to consider in choosing an external provider include:

• the provider’s experience in providing internal audit services
• knowledge of the entity’s objectives, governance arrangements, values and culture
• the knowledge, skills and availability of the personnel involved in conducting and
supervising the work
• knowledge of the public sector generally, including accountability requirements
• quality assurance arrangements, and
• cost.

Establishing clear deliverables
Service delivery requirements should be outlined in a contract with the internal service provider
following a procurement process, such as a Request for Tender, and negotiations with the successful
tenderer. Matters that should be incorporated in a contract include:

• the services to be provided, including specific deliverables such as progress reports; the
provision of draft and final audit reports; other services such as the development of internal audit
strategies and plans; advice and assistance to management, including disseminating examples
of better practice and lessons learnt throughout the entity; the provision of secretariat and other
services to the Audit Committee and attendance at Audit Committee meetings
• the standards and procedures to be followed, including quality assurance arrangements
• expected timeframes for audits
• the authority to access relevant records, personnel and property
• ownership and custody of working papers
• confidentiality of information, and
• remuneration arrangements.

A key safeguard in helping to ensure that an external provider delivers a quality internal audit service
is to be satisfied that the provider allocates staff with appropriate skills and experience to audit
assignments and has in place effective supervision arrangements including sufficient oversight/
review by a partner or experienced senior auditor. To this end, it is generally appropriate to include
a clause in the contract nominating the personnel who will provide the audit services and to require
the entity to be consulted before other staff are used. This will also facilitate obtaining any necessary
security clearances.

Managing an outsourced service provider


Even though the internal audit function may be completely outsourced, responsibility for the overall
efficiency and effectiveness of the internal audit function remains with the entity. It is therefore
important for the entity to retain control of the internal audit strategic direction and to actively monitor
the performance of the provider.

This can be achieved through the Audit Committee’s review or approval of the internal audit
strategic business plan, internal audit annual work plan and the periodic assessment of the
provider’s performance.

The effectiveness of an outsourced provider when the function is fully outsourced, will be enhanced
by appointing a staff member as an in-house liaison officer for the provider. Such a person has
specific responsibility for the overall effectiveness of the internal audit function including monitoring
the provider’s performance, managing the contract and the relationship, and acting as a day-to-day
‘sounding board’ for the external provider. This latter role can be of great assistance to the provider
as it can act as a reality check on internal audit findings and recommendations, help the provider to
understand particular organisational nuances and provide advice on sensitive matters.

Careful judgement should be exercised in the choice of the individual to play this role. The operational
independence of the person should be considered, as should their experience, skills and personal
attributes. It would be expected that the type of experience and skills needed for such a role would
be similar to those found in a Head of Internal Audit at a senior executive level.

5.7  Head of Internal Audit

“The Head of Internal Audit should live and breathe the business - not live and breathe auditing.”
Chair, Public Sector Audit Committee

Role
The Head of Internal Audit39 is the most senior position within the entity responsible for internal audit
and is vital to the success of the function40. The person should play both a strategic leadership role
and ensure that the internal audit programme is delivered efficiently and effectively.

Responsibilities
The Head of Internal Audit is normally responsible for:

• the efficient and effective operation of the internal audit function
• establishing appropriate policies and procedures, and implementing audit plans and
management strategies to achieve internal audit’s objectives
• developing strong relationships with key stakeholders including the Chief Executive, the Board,
the Audit Committee, senior managers and the external auditor
• providing effective and timely advice to senior management
• developing the internal audit strategic business plan and annual work plan that outline the
objectives, priorities and proposed internal audit coverage
• liaising with other internal and external assurance providers and business improvement advisors
in the development of internal audit plans
• formulating staffing and budget requirements to help ensure that internal audit resources are
effectively deployed
• ensuring the timely completion of internal audit assignments and the prompt presentation of high
quality reports to the Audit Committee
• monitoring the implementation of internal audit plans and management strategies
• maintaining an appropriate process for monitoring and reporting the status of previous
agreed internal or external audit recommendations or agreed recommendations
from Parliamentary Committees or other review bodies
• the overall performance of the internal audit function
• recruiting and managing staff with appropriate experience and skills
• providing opportunities for training and development to increase internal audit staff knowledge of
the entity and its risks and maintain their internal auditing skills, and
• oversighting external providers where entities have co-sourced or outsourced
internal audit arrangements.

39 The position of Head of Internal Audit is given a variety of titles such as chief internal auditor,
chief audit executive or head of assurance and risk management.
40 In situations where the internal audit function is outsourced, this person could be a partner,
director or senior employee of the service provider.

Skills
To operate effectively, the Head of Internal Audit requires a broad range of skills, together with a
number of specific personal qualities. The skills and personal qualities displayed by the Head of
Internal Audit are critical to the credibility and acceptance of the internal audit function they lead.
In addition to the skills expected of a senior executive in the public sector, the particular skills and
qualities that the Head of Internal Audit could be expected to possess include:

• a clear understanding of the contribution internal audit can make to effective governance, and
the ability to develop strategies and plans to ensure internal audit maximises its contribution to
helping the entity achieve its objectives
• having strong business acumen and the ability to anticipate and assess business risks
and opportunities
• being able to build strong networks, relationships and credibility with the Chief Executive, the
Board, the Audit Committee and senior management, and
• the ability to stand firm when necessary.

Status
The Head of Internal Audit needs to be sufficiently senior to be able to discuss and negotiate internal
audit results with senior management colleagues on a reasonably equal footing.

The position is one that can have a significant impact on the entity’s risk management, financial
and operational controls and its performance. The position should therefore be classified and
remunerated accordingly.

Appointment
Given the importance of the position, the ANAO Better Practice Guide on Public Sector
Audit Committees41 suggests that the Audit Committee advise the Chief Executive/Board on
the appointment of the Head of Internal Audit. This implies the active involvement of the Audit
Committee, or at least the Chair, in appointing the Head of Internal Audit or an external service
provider. This involvement will help to ensure there is a good working relationship with the Committee
and a clear understanding of the expectations of the Committee. Including a management
member of the Audit Committee on the selection panel is also an option that involves the Committee
in the selection process42.

41 Australian National Audit Office, Public Sector Audit Committees, Better Practice Guide, February 2005.
42 Similarly the Audit Committee should be actively involved in the appointment of an external service provider and any
changes in the position of the Head of Internal Audit or an external service provider.

5.8  Resourcing the internal audit unit
The need to establish and maintain an internal audit unit that is staffed with people who have the
necessary skills and experience is an ongoing issue for most, if not all, entities. The secondment of
staff to internal audit can be a useful way of supplementing internal audit resources.

A number of secondment options are available, including the following:

• internal secondments to internal audit for a fixed period of time. This benefits the organisation and the individuals involved by developing officers who have a good understanding of the entity’s governance and accountability arrangements and a good overview of the different parts of the entity. Some entities see merit in rotating potential senior managers through internal audit for set periods as part of their career development43. Internal secondments also benefit internal audit by having auditors with operational experience in the organisation who can provide a reality check on audit findings and conclusions. However, to ensure such staff remain objective and to avoid any perception there may be a conflict of interest, effective training and supervision are important.
• using subject matter experts from within the organisation for particular audits. This can provide additional resources for internal audit for a specified period and can also avoid the learning curve often involved with complex audits. Such experts can also add credibility to the audit findings and conclusions. Like other internal secondments, adequate training and supervision are necessary to help ensure objectivity.
• secondments of staff from other APS agencies. This arrangement provides an opportunity for internal audit to gain specialist expertise and/or extra resources from outside the entity and for the individual to gain experience in a different organisation and/or work area.

Many entities also have graduate recruitment programmes. Rotating graduates through internal audit
as part of their development offers them an opportunity to quickly gain a practical understanding of
the entity, its governance arrangements and of the importance of systems of internal controls.

43 The effectiveness of such strategies is enhanced when supported by senior management, particularly the Chief Executive.



6  Efficient and effective work practices
6.1  Introduction
It is important that internal audit processes are as efficient and effective as possible. Protracted or
inefficient processes can result in a loss of confidence by key stakeholders in the results of internal
audits or in the internal audit function itself.

There are a number of measures and actions that can be put in place, or taken, aimed at
ensuring an efficient and effective internal audit function. These include the measures and actions
outlined below.

6.2  Internal audit manual


Documenting the policies and procedures for conducting audits and managing the internal audit
function in an internal audit manual is important to:

• encourage a consistent approach that achieves a quality result
• assist new starters to understand the internal audit process
• demonstrate an objective, systematic and fair approach to the conduct of internal audits, and
• provide a basis for review and improvement.

The internal audit manual should be tailored to the needs of the internal audit unit. It would generally
include policies and procedures for:

• internal audit strategic business and annual audit planning
• planning individual audit assignments
• internal audit fieldwork and supervision including the standards, methodologies and protocols to be followed
• reporting audit results and categorising overall audit findings and audit recommendations
• servicing the audit committee
• assessing internal audit performance, including conducting client surveys
• records management and security procedures, and
• reviewing the internal audit manual.

The internal audit manual should distinguish between mandatory requirements and supporting
guidance. Using diagrams, flowcharts and checklists can help to generate a better understanding of
the processes involved, while including references to templates and any planning and auditing tools
assists in promoting the support available to audit teams. Maintaining an electronic version of the
manual enables it to be updated easily, and including links to the location of stored electronic copies
of key documents allows audit staff to readily access such documents.

Example internal audit manual list of contents


Part 3 of the Guide includes an example list of contents for an internal audit manual.

6.3  Managing the internal audit process
There are a number of characteristics that lead to a successful audit including:

• a detailed audit assignment plan
• an appropriate audit approach and methodology
• effective communication with stakeholders
• effective supervision
• continuous monitoring, and
• the application of due care.

These characteristics are outlined in more detail below.

Audit planning
A detailed plan should be prepared for each audit assignment specifying the:

• objectives and scope of the audit
• audit approach and methodology to be followed
• audit deliverables, such as draft and final reports, and related target dates, and
• resource requirements.

To provide a timely report to management and the Audit Committee, a key aim in planning an audit
should be to complete the audit in the minimum time necessary. It is therefore important that in planning
and scoping audits, audit effort and resources are directed to the key issues that matter most.

Before commencing an audit, it is good practice to review with line management if the issues identified
during the annual planning phase remain relevant. This can avoid conducting work that could prove
to be unnecessary and free up audit resources for other reviews where internal audit can add greater
value; alternatively, a change in scope may be required. In either case, approval should be sought
from the Audit Committee to maintain the integrity of the process.

Where internal audits involve areas of interest to other business partners such as purchasing
departments or to external service delivery providers, it is important to get their perspective on the
issues to be addressed.

It is also important that the plan is sufficiently flexible that it can be adjusted if circumstances require it.

Audit approach
There are a number of different audit approaches and techniques that can be adopted in an
audit. These include interviews, document reviews, sampling, testing of controls and analysis of
transactions, processes and management information.44 Generally, an audit will involve a combination
of such approaches. The audit approach selected should be the most time and cost-effective given
the objectives and scope of the audit. It should aim to collect sufficient appropriate evidence that
enables the auditor to come to well-founded conclusions about the programme or activity under
review and to make appropriate recommendations.

Decisions will have to be made at each stage of the audit about the need for specific testing, data
collection and analysis by internal audit and the extent that reliance can be placed on work of other
internal or external reviewers.

44 There are a number of model control frameworks that can assist internal audit in developing an appropriate audit approach.
These include:
•  various publications of the Committee of Sponsoring Organisations of the Treadway Commission (COSO)
•  the Canadian Institute of Chartered Accountants – Guidance on Assessing Control – The CoCo Principles, and
•  ISACA, Control Objectives for Information and Related Technology (Cobit).



Effective communication
Effective communication with stakeholders throughout the audit process is essential for a successful
audit outcome. The aim should be to ensure that there are no surprises for the management and
staff of the area under review.

Communication starts at the initial planning phase and continues right through to the implementation
of audit recommendations.

Internal audit units commonly produce an internal audit protocol to aid in the communication process
that sets out agreed arrangements for the conduct of audits. The protocol usually sets out the
sequence of events in an audit and the opportunities for consultation during the process. It is good
practice, as part of the protocol, to identify a “sponsor” for each audit. This will normally be the
senior manager with overall responsibility for the business area being reviewed. This person will be
the primary senior point of contact for the audit and be responsible for responding to the audit report
and for oversighting or implementing agreed recommendations.

In addition to the formal stages of contact outlined in the internal audit protocol, it is also important
that the auditors communicate regularly with the area under review both in terms of ‘testing’ emerging
findings, conclusions and recommendations as well as keeping them informed about the progress
of the audit.

Example internal audit protocol.


Part 3 of the Guide includes an example internal audit protocol.

Effective supervision

To assist in maintaining high quality standards, including impartiality and objectivity, it is important
that audit teams are properly supervised. Supervision needs will vary according to the skill and
experience of the team but will generally involve:

• providing suitable directions or guidance at the start of an audit
• regularly monitoring audit progress
• ensuring compliance with standards and the internal audit manual
• ensuring that audit findings, conclusions and recommendations are adequately supported by the evidence, and
• ensuring that reports are accurate, objective, clear and concise.

Audit quality is further strengthened where the management of the audit and the emerging findings
are reviewed periodically by someone at a distance from the detail of the audit. This could be the Head
of Internal Audit, a senior audit manager, or the engagement partner if the audit is outsourced.

Monitor audit progress


The progress of the audit and the findings and conclusions emerging from the audit should also be
continually monitored. In this way:

• any issues requiring immediate action by management can be brought to their attention and, if necessary, to the attention of the Chief Executive and the Audit Committee
• if unexpected issues emerge from the audit, an informed decision can be made to:
  - examine the issues and accept the impact on the timeliness and cost of the audit, or
  - defer examination of the issue to another time, or
  - not examine the issue, and
• prompt action can be taken in response to any delays in the audit timetable.

Accordingly, systems and processes need to be in place to monitor emerging issues and the progress
of audits against the audit assignment plan and to alert stakeholders when action is required. In
particular, a time recording system which identifies costs and elapsed time against various audit
milestones, audit support activities and any non-audit tasks is an important means of planning
audits, allocating resources and recording data for accountability and benchmarking purposes.

A formal mid-point review, and other progress discussions as necessary, involving the Head of
Internal Audit, the audit team and the sponsor is seen as a useful means of keeping all parties
informed of audit progress and any emerging issues.

Pro-forma internal audit annual work plan progress report.

Part 3 includes a pro-forma of a report detailing progress in implementing the annual
audit work plan.

Due care
Good audit processes are a necessary, but not sufficient, part of delivering an effective internal audit
function. Such processes need to be supported by internal audit staff exercising due care in their
work. Due care, in the case of internal audit, means auditors working diligently and applying impartial
judgement based on integrity, skill and experience.

It also requires auditors to:

• be fair and not allow prejudice or bias to override impartiality
• declare any potential or actual conflict of interest
• not accept any gifts or other benefits from third parties unless allowed by the entity’s policy on hospitality
• use all reasonable care in obtaining sufficient, relevant and reliable evidence, and
• treat information obtained in the course of their work as confidential and not use any such information for personal benefit.



6.4  Audit reporting

“A good audit report communicates the author’s conclusions effectively and makes recommendations
persuasively so that management understands the issues, accepts the conclusions and acts appropriately.”
HM Treasury Government Internal Audit Standards Good Practice Guidance: Reporting

The audit report is the major means of communicating the findings, conclusions and recommendations
of an audit and much of the work of internal audit is judged on the quality of the final audit report,
including its analysis, findings, conclusions and recommendations. The recommendations, in
particular, provide the basis for:

• improving internal controls and/or improving business performance, and
• identifying better practice and/or lessons learnt.

To provide confidence that the audit findings and conclusions are accurate and valid and to maximise
the value derived from the review, the Head of Internal Audit should develop policies and procedures
for the reporting phase of the audit. These would normally cover the:

• quality standards and presentation requirements for the report itself
• review of draft reports to ensure quality
• consultation with sponsors on the draft report, particularly regarding draft audit conclusions and recommendations
• review of the final report
• dissemination of better practice and lessons learnt that may have broader application or relevance, and
• requirements for safeguarding the confidentiality of audit material.

Such policies and procedures should be included in the internal audit manual and/or in the service
contract where the internal audit function is co-sourced or outsourced.

Reporting standards
To help ensure audit reports are timely and of the required quality, appropriate standards should be
developed. Such standards could include:

• a requirement for an overall audit conclusion and rating related to the audit objective(s)
• the style and format of reports, including the use of any report template
• expected timeframes for preparing draft reports and finalising reports
• the length of reports
• a requirement to include comments from the sponsor
• a requirement to include an action plan, including the individual responsible and the timeframe, to implement agreed recommendations, and
• a requirement for certification that the audit has been conducted in accordance with specified professional and other standards.

The allocation of an overall report rating that reflects the risk to the entity from any current risk
exposure assists the Audit Committee and senior management to quickly grasp the overall impact
of the report’s findings on the entity. There are various options for categorising overall ratings but
essentially they all reflect a range of risk exposures. Some describe overall performance in alpha
or numeric grades or in terms ranging from extreme, high, medium and low. Others use colours
either in the form of a ‘heat map’ for example, red, orange, yellow and green or ‘traffic lights’,
red, orange or green.

Where multiple audit providers are used it is important that a common rating system is used.

Review of draft reports
To provide confidence in the quality of the audit reports it is important that a draft of the report
is reviewed by the Head of Internal Audit, a senior manager or the engagement partner, in the
case of outsourced audits, prior to the draft report being discussed with the sponsor. This helps to
ensure that the:

• report covers the objectives and scope of the audit
• report demonstrates a good understanding of the area under review
• audit findings are placed in context and the report is balanced
• audit findings and conclusions can be supported by the evidence and analysis
• report is logically structured and the final report can be understood by a reader who may not have a detailed understanding of the topic or area subject to review, and
• proposed recommendations are action-orientated, practical and cost-effective to implement.

Consultation with sponsors


Once the draft report has been reviewed it should be discussed with the sponsor to seek their view
on the audit findings, conclusions and recommendations. This is an opportunity to ensure that the
auditors have fully understood the area under review, and to test with the sponsor the practicalities
of proposed recommendations. Feedback and comments from the sponsor should be weighed
carefully and the draft report amended if necessary before being finalised.

This does not mean that all audit conclusions and/or recommendations need to be agreed, although
it would be expected that, in the majority of instances, agreement should be able to be reached
with the sponsor. In situations where agreement is not reached, the audit report should outline the
reason for this, including, if necessary, an additional comment from internal audit to assist the Audit
Committee and the Chief Executive to form a judgement on the issue(s).

Review of final reports


Prior to the release of the final report it should be reviewed and signed off by the sponsor, the Head of
Internal Audit and, in the case of outsourced audits, the engagement partner. This signifies all parties
are satisfied with the content of the report and the sponsor agrees, where applicable, to the action
plan and timetable to address the agreed recommendations.

Better Practice Tip: Project Completion Advice
To assist future planning and to assist in demonstrating the value added by the audit some internal
audit functions require the lead auditor to complete a Project Completion Advice that provides:

• a reconciliation to the audit plan and comments on any variance (for example, budget vs actual cost; planned duration vs actual duration; planned audit objectives and scope vs actual audit objectives and scope)
• comments on the value added to the business by the audit
• lessons learnt, and
• ideas on future internal audit work arising from the audit.



Disseminating better practice and lessons learnt
Internal audit has a distinctive vantage point within the entity to identify better practice and lessons
learnt that could have broader application or relevance throughout the entity. Such better practice or
lessons learnt could arise out of its own work or from audits and better practice guides produced by
Australian Government or other bodies45.

Arrangements should be developed to transfer relevant examples of better practice and
lessons learnt to other parts of the entity. This may require disseminating the lessons learnt in a
suitably edited version.

The intranet and organisational newsletters can be effective means of reaching a wide audience
throughout the organisation.

Confidentiality requirements
There should be a clear understanding of what information arising out of audits will be shared with
other parties. This is particularly important where responsibility for programme or service delivery is
shared between different organisations.

In the draft report phase, information should, as far as possible, be kept confidential between internal
audit and the sponsor46. However, once finalised the report should be distributed to those with a
legitimate interest in the report such as the Chief Executive, the Audit Committee, the sponsor’s
supervisor and the external auditor.

Where appropriate, the report should be classified in line with government and entity security policies47.

Internal audit reports can be requested under Freedom of Information (FOI) legislation. Such requests
should be dealt with in accordance with the entity’s normal procedures for handling FOI requests.

6.5  Audit report recommendations


The implementation of audit report recommendations is the most visible way for the internal
audit process to add value to the entity. To encourage management buy-in and commitment, it is
important that recommendations are developed in consultation with management. Better practice
recommendations exhibit a number of characteristics including that they are:

• clear, practicable, workable solutions that address the issue(s) at hand
• action-orientated and capable of standing alone, and
• cost-effective to implement.

Recommendations should be categorised or prioritised according to the risk the audit findings
represent to the entity if the recommendations are not implemented. This helps to determine their
relative importance and the timeframe in which the recommendations should be implemented48.
Where multiple internal audit providers are used it is important that a common categorisation
system is used.

45 The FMA Orders for FMA agencies require the Audit Committee to review all audit reports involving matters of concern to
senior management of the agency, including the identification and dissemination of good practices.
46 A clear exception would be if there were indications of a serious control matter that required immediate notification to the
Chief Executive and/or the Audit Committee.
47 Guidance on the classification of documents can be found in the Protective Security Manual (2005) issued by the
Attorney-General’s Department.
48 These can also be described in terms of a ‘heat map’ or ‘traffic lights’, in categories such as high, medium or low risk or in
numeric terms such as category one, two or three.

To assist in achieving timely remedial action, audit reports should also include an action plan and
a realistic timeframe, agreed with management, for the implementation of the recommendation(s).
As a general rule it would be expected that recommendations designed to address the highest
category of risk exposure would be acted on immediately and implemented within one to three
months; medium risk exposures would be implemented within three to six months and low level risk
exposures within six to 12 months. Where recommendations involve a long lead time to address fully,
for example where changes to policy, purchases of new equipment or services are involved, better
practice suggests the action plan and timeframe is broken up into stages.

The audit report should also identify who has responsibility for implementing the recommendation
as agreed by the sponsor. Assigning individual responsibility creates a personal commitment and
accountability that enhances the chances of a successful outcome.

6.6  Monitoring recommendations
The benefits of internal audit report recommendations are reduced, and risks remain, if
recommendations are not implemented within the agreed timeframe. It is management’s responsibility
to implement agreed recommendations but internal audit is in a good position to monitor the
progress in implementing recommendations.49 A rigorous process of follow-up of audit report
recommendations and reporting to the Audit Committee can send a strong signal that the timely
implementation of recommendations is important.

A self-assessment by line management and/or a follow-up audit by internal audit is likely to be the
most efficient and effective approach to monitor progress. The scope and timing of any follow-
up audit should be determined by the risks posed to the entity if the recommendations are not
implemented in an effective and timely manner.

Intranet-based technology offers the opportunity for internal audit to record recommendations and
implementation plans and monitor management’s progress in implementing the plans.

If internal audit is not satisfied with progress there should be a process to escalate its concerns to
senior management so management fully understands the risks involved. This would normally be
through the Audit Committee50.

Pro-forma Implementation of recommendations progress report

Part 3 of the Guide includes a pro-forma of a report to the Audit Committee detailing progress
in implementing agreed recommendations of internal and external audit reports, Parliamentary
Committees and other review bodies.

49 In addition to monitoring the implementation of internal audit recommendations, internal audit is often tasked with monitoring
the implementation of agreed recommendations of the external auditor, Parliamentary Committees and other review bodies.
50 One of the responsibilities for an Audit Committee identified in the ANAO’s Better Practice Guide on Public Sector Audit
Committees is monitoring management’s implementation of internal audit recommendations.



Characteristics of a better practice audit report
The content of a better practice audit report will:

• contain an executive summary
• include an overall audit conclusion that addresses the audit objective(s) and an overall rating that reflects the risk to the entity from the exposure(s) identified
• state the professional or other standards followed in conducting the audit
• address the planned objectives and scope of the audit
• be based on the information needs of the readers and communicate the key information that readers of the report need to know
• be concise, but contain sufficient explanation and evidence to be convincing, but not too much that it obscures the key issues, nor too little that it leaves unanswered questions
• be accurate, realistic and objective and written in a constructive tone
• be even-handed, acknowledging strengths as well as aspects requiring improvement in the area audited
• include recommendations that are practical and cost-effective to implement
• include the sponsor’s response to the recommendations indicating who will be responsible for implementing the action plan for agreed recommendations and a realistic date when the implementation of the action plan will be completed, and
• include the cost of the audit to assist stakeholders measure the value of money provided by the audit.

7  Performance assessment and quality assurance
7.1  Introduction
Periodically assessing performance and addressing opportunities for improvement can help maximise
the efficiency and effectiveness of the internal audit function. Measuring performance is also the
means whereby internal audit’s own performance is judged and internal audit is held accountable for
its use of resources.

By adopting meaningful indicators, implementing a rigorous performance measurement regime and
acting on the results, internal audit can demonstrate it ‘practices what it preaches’ and so encourage
acceptance of its role within the entity.

Given the Audit Committee is often responsible for periodically reviewing the performance of internal
audit, the Committee would normally approve the performance indicators used.

7.2  Measuring internal audit performance


The key performance indicators (KPIs) used to measure performance are of central importance
because those features that are measured are the matters that tend to receive the highest priority. It is
important, therefore, that the KPIs for internal audit are aligned with the internal audit strategic business
plan and annual work plan and help to drive the behaviour the entity expects from internal audit.

It is also important that performance is measured over time in order to identify trends, and that
performance is measured against both qualitative and quantitative targets. Such targets should be
challenging but realistic.

The most suitable KPIs will vary from entity to entity depending on their internal audit strategic
business plan. It would be expected that KPIs would be limited in number but as a minimum would
measure the timeliness, cost and quality of both audit work and any other services provided by
internal audit. Better practice KPIs include measurement of the:

 timeliness and cost of audits
 quality of audits, advisory services and audit support activities, including stakeholder satisfaction
 internal audit staff satisfaction, and
 overall contribution made by the internal audit function.

It is relatively straightforward to measure the cost and timeliness of internal audit reports. It is more
difficult to measure, in an objective way, the quality of internal audit services or the contribution
internal audit makes to the entity. Consequently, the effectiveness or the value
added by individual reports and the internal audit function itself is generally best measured by seeking
the views of key stakeholders51.

Example key performance indicators


Part 3 of the Guide includes example key performance indicators.

51 In any event, internal audit should keep track of where it has significantly influenced change in the entity.


7.3  Measurement techniques
Management information systems and processes should be established to record and report the
required performance data in a cost-effective way.

Client satisfaction surveys at the end of an audit are a useful and well accepted way of measuring the
level of satisfaction with internal audit services. Short surveys that can be completed electronically
are an efficient means of collecting data. Any significant issues identified from such surveys should
be followed up in an interview, where possible.

Key issues to address in such audit surveys include the:

 auditors’ understanding of the area under review
 quality of the analysis undertaken
 usefulness of the recommendations
 efficiency of the process
 level of collaboration with management, and
 overall value of the report to management.

As a key stakeholder, the Audit Committee should also be involved in providing regular feedback on
the quality and cost-effectiveness of the audit reports and other services provided by internal audit.
It would also be expected that the views of the Chief Executive and the external auditor52 would be
sought periodically, but at least once annually.

Example client survey questionnaire


Part 3 of the Guide includes an example client survey questionnaire.

Example Audit Committee questionnaire


Part 3 of the Guide includes an example Audit Committee questionnaire.

7.4  Internal audit annual performance report


To assist the Audit Committee in reviewing the performance of internal audit it is helpful if the Head
of Internal Audit prepares a report for the Committee, at least annually, on progress in implementing
the internal audit strategic business plan and annual work plan.

The content of the report, which should be agreed by the Audit Committee, could be expected to:

 comment on the internal audit activities and any variances from approved plans
 report on progress in implementing the internal audit strategic business plan and completing the
annual work plan
 discuss highlights and challenges during the period
 report on internal audit’s overall contribution to managing the entity’s risks and improving
performance, and
 identify issues that may require attention in relation to the internal audit function.
A summary from the report could be included in the entity’s annual report53.

52 It is acknowledged that the external auditor may not have a complete picture of all of the activities of the internal audit
function, nevertheless, as part of its planning processes the external auditor considers the effectiveness of the internal audit
function and the reliance that can be placed on its work.

53 The Department of Prime Minister and Cabinet Requirements for Annual Reports for Departments, Executive agencies
and FMA Act bodies, June 2006 suggests entities include a statement of their internal audit arrangements, including the
approach adopted to identifying areas of significant operational or financial risk, and arrangements in place to manage
those risks.

7.5  Quality assurance
Being able to demonstrate that internal audit has a strong commitment to the quality of its work
and improving its processes is important in gaining the confidence of the Chief Executive/Board, the
Audit Committee and senior managers in the work of internal audit.

Although primary responsibility for the quality of internal audit work rests with individual auditors
supported by a system of appropriate supervision, there is also benefit in the Head of Internal Audit
developing a separate quality assurance programme consisting of periodic internal and external
reviews. The focus of these reviews should be on the quality of the internal audit work and the
efficiency of internal audit processes.

Internal quality assurance review
The internal review should be conducted every two to three years by an experienced member of
the internal audit team, by an auditor from another internal audit unit or a consultant. Whatever the
arrangement, it is important that the review is undertaken in an objective and unbiased manner.

The reviews should be commissioned by the Head of Internal Audit who would present the results
to the Audit Committee. The timing and cost of such reviews should be included in the strategic
business plan and internal audit budget.

Internal audit better practice self-review questionnaire


Part 3 of the Guide includes a self-review questionnaire to assess if the key elements of a better
practice internal audit function are in place.

External quality assurance review


An external quality assurance review is also an important tool in demonstrating internal audit’s
commitment to quality and external scrutiny and can provide valuable input into the internal audit
strategic business plan. As well as providing assurance over the quality of internal audit work, the
external review should assess the effectiveness and efficiency of the internal audit unit and identify
areas where processes and outcomes can be improved. This could include benchmarking the
performance of the internal audit against similar organisations.

Such a review should be conducted at least every 5 years and include as a minimum the:

 compliance with the requirements of the internal audit charter
 efficiency and effectiveness of the planning processes
 timeliness, quality, costs and benefits of audits
 efficiency and effectiveness of the reporting arrangements, and
 compliance with specified professional or other standards and internal audit manuals.

The review should be commissioned by the Head of Internal Audit and/or the Chair of the Audit
Committee and conducted by a consultant or by peers from another internal audit unit. The results
of the review should be reported to the Audit Committee. The timing and cost of such reviews should
also be factored into the internal audit strategic business plan and the internal audit budget.

Part 2
Model Internal Audit Charter
Heads of Internal Audit, and external audit service providers where relevant, are encouraged to
review, in consultation with the Chief Executive/Board and the Audit Committee, their existing
charters against this model. In doing so it is important that each entity carefully consider
its particular circumstances, especially the range of responsibilities outlined in Chapter 2
of this guide.

Introduction
The [Chief Executive/Board] has established the [name of internal audit unit] as a key component
of [entity’s] governance framework.

This charter provides the framework for the conduct of the internal audit function in the [entity]
and has been approved by the [Chief Executive/Board] on the advice of the Audit Committee.

Purpose of internal audit


Internal audit provides an independent and objective review and advisory service to:

 provide assurance to the [Chief Executive/Board] that [the entity’s] financial and operational
controls designed to manage the organisation’s risks and achieve the entity’s objectives are
operating in an efficient, effective and ethical manner, and
 assist management in improving the entity’s business performance.

Independence
Independence is essential to the effectiveness of the internal audit function.

Internal audit has no direct authority or responsibility for the activities it reviews. The internal
audit function has no responsibility for developing or implementing procedures or systems and
does not prepare records or engage in original line processing functions or activities [except as
noted below1].

Internal Audit reports functionally to the Audit Committee. The Head of Internal Audit is accountable to
the [Chief Executive2 or Board3] for the efficient and effective operation of the internal audit function.

The Head of Internal Audit has direct access to the [Chief Executive/Chair of the Board], and the Chair
and other members of the Audit Committee. Periodic ‘in camera’ meetings will be held between the
Head of Internal Audit and the Audit Committee.

Authority and confidentiality


Subject to compliance with [entity] security policies, internal auditors are authorised to have full,
free and unrestricted access to all functions, premises, assets, personnel, records, and other
documentation and information that the Head of Internal Audit considers necessary to enable internal
audit to meet its responsibilities.

All records, documentation and information accessed in the course of undertaking internal audit
activities are to be used solely for the conduct of these activities. The Head of Internal Audit and
individual internal audit staff are responsible and accountable for maintaining the confidentiality of the
information they receive during the course of their work.

1 Delete if not applicable.
2 For FMA Act entities.
3 For CAC Act entities.


Under its legislation, the Australian National Audit Office has access to all relevant [entity] documents
including internal audit reports.

Inter-agency arrangements with other entities also provide for consultation and disclosure of audit
matters affecting other entity programmes and other circumstances.

Roles and responsibilities


Internal audit’s responsibilities will be influenced by the governance arrangements established
by the entity and the existence of other separate functions with specific responsibility for some
of these matters. For example, many entities have separate organisational units responsible for
risk management and/or fraud control.

In the conduct of its activities, internal audit will play an active role in:

 developing and maintaining a culture of accountability and integrity
 facilitating the integration of risk management into day-to-day business activities and processes, and
 promoting a culture of cost-consciousness, self-assessment and adherence to high
ethical standards.

Internal audit activities will encompass the following areas:

Audit activities including audits with the following orientation:


Compliance

 compliance with legislative requirements, Australian Government and [entity] policies and
procedures including assurance in respect of the Certificate of Compliance
 the adequacy and effectiveness of internal financial and operational controls including IT
system controls
 the recording, control and use of entity assets, and

Performance improvement

 the efficiency, effectiveness, and ethical conduct of the entity’s business systems and processes.

Advisory services
Internal audit can advise [entity] management on a range of matters including:

New programmes, systems and processes

 providing advice on the development of new programmes and processes and/or significant
changes to existing programmes and processes including the design of appropriate controls.


Amend as applicable.

Internal audit’s responsibilities will be influenced by the governance arrangements established by the entity and the existence
of other separate functions with specific responsibility for some of these matters. For example, many entities have separate
organisational units responsible for risk management and/or fraud control. As a consequence, the roles and responsibilities
listed are illustrative only.

In providing advisory services, internal audit needs to maintain operational independence. It is the responsibility of entity
management to accept or reject advice provided by internal audit, to implement the advice where considered appropriate
and be accountable for decisions taken.



Risk management

 assisting management to identify risks and develop risk mitigation and monitoring strategies
as part of the risk management framework
 co-ordinating the annual [entity] Risk Management Plan
 monitoring and reporting on the implementation of risk mitigation strategies

Fraud control

 assisting management to identify the risks of fraud and develop fraud prevention and
monitoring strategies
 co-ordinating the [entity] Fraud Control Plan

Audit support activities


Internal audit is also responsible for:

 assisting the Audit Committee to discharge its responsibilities
 providing secretarial support to the Audit Committee
 monitoring the implementation of agreed recommendations
 disseminating across the entity better practice and lessons learnt arising from
its audit activities, and
 managing the audit function.

Non-audit activities
Internal audit has management responsibility for the following areas:

[insert non-audit responsibilities if any]

Scope of internal audit activity


Internal audit reviews cover all programmes and activities of the [entity] together with associated
entities as provided for in relevant business agreements, memorandum of understanding or
contracts. Internal audit activity encompasses the review of all financial and non-financial policies
and operations.

Standards
Internal audit activities will be conducted in accordance with the Australian Public Service and
supporting [entity] values, policies and procedures.

Arising from internal and external audit reports, Parliamentary Committee reports and other external bodies such as the
Management Advisory Committee, the Australian Public Service Commission and the Ombudsman.

Delete if not applicable.


Audit activities will also be conducted in accordance with relevant professional standards including9:

 Standards for the Professional Practice of Internal Auditing issued by the Institute of
Internal Auditors
 Standards relevant to internal audit issued by the Australian Society of Certified Practising
Accountants and the Institute of Chartered Accountants in Australia
 The Statement on Information Systems Auditing Standards issued by the Information Systems
and Control Association, and
 Standards issued by Standards Australia and the International Standards Organisation.

In the conduct of internal audit work, internal audit staff will:

 comply with relevant professional standards of conduct
 possess the knowledge, skills and technical proficiency relevant to the performance of their duties
 be skilled in dealing with people and communicating audit, risk management and related
issues effectively
 maintain their technical competence through a programme of professional development, and
 exercise due professional care in performing their duties.

Relationship with external audit


Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit
coverage and to minimise duplication of effort.

Periodic meetings and contact between internal and external audit shall be held to discuss matters
of mutual interest.

External audit will have full and free access to all internal audit plans, working papers and reports.

Planning
The Head of Internal Audit will prepare, for the Audit Committee’s consideration, an internal
audit strategic business plan and an internal audit annual audit work plan in a form agreed with
the Committee.

Reporting
The Head of Internal Audit will report to each meeting of the Audit Committee on:

 audits completed
 progress in implementing the strategic business plan and audit work plan, and
 the status of the implementation of agreed internal and external audit, Parliamentary Committee
and other relevant external body recommendations.

Internal audit will also report to the Audit Committee at least once annually on the overall state
of internal controls in the [entity] and any systemic issues requiring management attention based on
the work of internal audit [and other assurance providers10].

9 Specify applicable Standards.
10 Amend as appropriate.


Administrative arrangements
Any change to the position of the Head of Internal Audit, or an external service provider, will
be approved by the [Chief Executive or Board11]. The Audit Committee will be consulted as part
of the process.

The Head of Internal Audit will arrange for a periodic, independent review of the efficiency and
effectiveness of the operations of the internal audit function at least every five years.

Review of the charter
This charter will be reviewed at least annually by the Audit Committee. Any substantive changes will be
formally approved by the [Chief Executive or Board12] on the recommendation of the Audit Committee.

11 Amend as applicable.
12 Amend as applicable.

Part 3
Toolkit

Contents

Example internal audit strategic business plan and annual work plan
Example list of contents – internal audit manual
Example internal audit protocol
Pro-forma internal audit annual work plan progress report
Pro-forma Implementation of recommendations progress report
Example key performance indicators
Example client survey questionnaire
Example Audit Committee internal audit questionnaire
Example internal audit self-review questionnaire

Example internal audit strategic business plan and annual work plan
The format and content of internal audit’s strategic business plan and annual work plan are a
matter for agreement between the Audit Committee and the Head of Internal Audit. This example
contains the major elements that could be expected in a comprehensive strategic business plan
and audit work plan.
It is intended as a guide only and entities should consider their own circumstances in developing
the strategic business plan and annual work plan that best suit their own environment and
governance arrangements.

Introduction
Part A of this business plan outlines the strategic direction of [Entity’s] internal audit function over a
three year period [insert date] to [insert date].

It describes in broad terms the operations, programmes and business units that will be given priority
for audit coverage and the types of audits that will be conducted in those areas.

Part A also describes the management strategies that will be implemented over the period covered
by the plan, aimed at enabling internal audit to achieve its objectives.

Part B contains the [Entity] internal audit annual work plan for [insert date] and details the specific
audit activity that will be undertaken in [insert date].

This strategic business plan is available on the [Entity’s] intranet at [insert intranet address].

PART A: Strategic Directions

Internal audit objectives


This section will provide a statement of the broad business objectives and directions for internal audit
over the period of the plan. It will focus on both audit and management goals and be consistent with
the internal audit charter.

Methodology
This section will briefly outline the approach followed in developing the plan and the key
stakeholders consulted.

Entity strategic environment


This section will summarise the goals, objectives and major initiatives of the entity. This will be
derived from a review of key strategic and other planning documents and discussions with the Chief
Executive, members of the Audit Committee and senior managers.

The aim of this section is to demonstrate that internal audit has a good understanding of the entity’s
business, what is planned for the future and how the work undertaken by internal audit assists the
entity to achieve its objectives.

Entity key business risks
This section will describe the major high level risks identified as part of the entity’s risk management
framework and discussions with key stakeholders. Where there is a less than mature risk management
framework, it will be necessary for internal audit to conduct its own risk analysis.

The aim of this section is to identify those risks that arise out of the entity’s environment and future
direction that may be addressed by internal audit and to provide a link between the proposed
direction and priorities of internal audit and the risks of the entity.

Examples of risks could include:

 being unable to deliver core services and maintain key financial and operational controls in
a period of rapid change
 an inability to generate sufficient revenue
 difficulties in recruiting and retaining sufficient numbers of skilled staff to deliver entity
programmes in a time of strong labour market conditions
 a lack of co-ordination of service delivery with other government entities at the Australian,
state and local government levels and non-government organisations
 delays and cost blow-outs in major projects, and
 security and business continuity.

For ease of presentation the risks could be consolidated into strategic audit themes and audits
that address the theme grouped together.

External environment
This section will identify issues and trends relevant to the entity that arise from the external environment
that may impact on the achievement of the entity’s objectives. Such issues could come from a
number of sources including:

 parliamentary and government accountability requirements


 regulatory changes
 governance trends, and
 professional internal and external audit and accounting trends.

Other assurance and review providers


This section maps the identified business risks to the various assurance processes and providers
such as management monitoring, internal quality assurance, regulators, external audit as well
as internal audit. The aim of this mapping is to identify, for the benefit of the Chief Executive and
the Audit Committee, any risks that are not being addressed by either internal audit or other
assurance or review activities or functions, or risks where assurance is being provided by one or more
such activities.


The following example illustrates one version of an assurance map.

Business Assurance and review activities


Risk
Management Quality External Evaluations/ Regulators Internal
Monitoring Assurance audit reviews Audit
programme

A   

B   

C  

D   

F   

Key:  indicates adequate coverage of risk

Details can be provided of the specific coverage provided by each of the assurance and review
providers against the relevant business risk.

Internal audit work strategies and priorities


This section will describe the major focus of audit activities including advisory services, audit support
and any non-audit activity over the life of the plan and any changes that are required to help ensure
that the audit plan and other activities remain relevant to the strategic direction of the entity. The
purpose of the section is to broadly demonstrate how the proposed work of internal audit will assist
the entity to manage its current and emerging strategic, operational and financial risks.

The section could usefully discuss issues such as:

 what audit topics will be undertaken over the period of the plan and how they address the risks
facing the entity, including risks that might otherwise remain undetected
 any rebalancing of the proportion of the different types of audit, or
 the proposed introduction of any new audit advisory or audit support activities.



Audit Coverage
This section will describe where the major audit effort will be concentrated and the areas that will receive little, or no, audit attention. It could describe not only the subject matter
that will be addressed but also the types of audits and the business units and/or geographical location of audit coverage. The aim of the section is to be able to demonstrate
that the planned audit programme is relevant to the identified risks, and to identify where gaps exist. In the light of this information the Audit Committee is then in a position to
make an informed decision on the proposed audit coverage.

For ease of presentation, the proposed audit coverage could be summarised as shown in the following example. It shows which audits are proposed to be conducted over
a three year period:

 audit theme
 audit title
 area responsible
 type of audit
 priority.

Year 1 Year 2 Year 3

Audit theme* Audit Title Area Priority Audit Title Area Priority Audit Title Area Priority
Responsible Responsible Responsible
Type of audit Type of audit Type of audit
Cyclical1 Annual Business Unit 1 High Annual Business Unit 2 High Annual Business Unit 3 High
compliance compliance compliance
review Compliance review Compliance review Compliance
Certificate of Across entity High Certificate of Across entity High Certificate of Across entity Medium
Compliance Compliance Compliance Compliance Compliance Compliance
Governance Governance Programme X High Budgeting Business Unit 1 Medium Procurement Programme Z High
of programme and reporting
delivery partners framework Performance
Compliance Advisory improvement
IT security Business Unit 2 Medium Physical security Business Unit 4 Medium
environment Performance
improvement Advisory

1 Cyclical audits are reviews that are primarily of a compliance nature and are conducted as part of a regular annual cycle to examine key risks such as financial, human resource, legal, contractual, and project
management risks.
* These themes should be aligned with the entity’s main business risks.
Year 1 Year 2 Year 3
Audit theme* Audit Title Area Priority Audit Title Area Priority Audit Title Area Priority
Responsible Responsible Responsible
Type of audit Type of audit Type of audit
Programme Programme Programme Y High International Business Unit 3 High
performance grants to client programmes
Performance Performance
organisations improvement improvement



Strategy/ Implementation Across entity High IT project Business Unit 2 High Policy Business Unit 3 Medium
planning of strategic management development
changes and
organisational Performance Performance
restructure Compliance improvement improvement
Selection of a Business Unit 2 High
new financial
management
system Advisory
Human Personnel Across entity Medium Recruitment Across entity High
resources security
Performance
clearances Compliance improvement
Learning and Business Unit 1 Medium
development
Performance
improvement
Financial Asset Business Unit 4 High Accounts payable Business Unit 1 Medium Salary processing Business Unit 4 High
management Compliance Compliance Compliance
Corporate Across entity Medium Revenue Business Unit 2 High
taxation Compliance Compliance

* These themes should be aligned with the entity’s main business risks.
Previous audits and planned audits
To assist the Audit Committee and other stakeholders to place the planned audit coverage in context,
this section lists the audits completed over, for example, the last two years as well as those planned
over the life of the plan. An example of how this might be presented is illustrated below.

Audit Title Year -2 Year -1 Year 1 Year 2 Year 3

A   

B  

C 

D     

E  

F  

G  

Key:  indicates extent of internal audit coverage

Allocation of resources
This section details the relative allocation of internal audit resources between audit, including advisory,
audit support and any non-audit activities. Other options include showing the allocation of resources
between the different types of audit, business units and/or geographical locations. Details can be
provided in tabular or graphic form. The following examples illustrate graphic representations of the
allocation of resources.

[Figure: Allocation of resources by Activity (Compliance audits; Performance improvements audits; Advisory; Audit support activities)]
[Figure: Resources allocation by Area Responsible (Business Unit 1; Business Unit 2; Business Unit 3; Programme X)]

Audit resources
This section details the financial and human resource budgets for audit activities over the life of the
plan including the previous year for comparative purposes.

Budget                                            Year -1    Year 1    Year 2    Year 3
                                                  $          $         $         $
Staff (including overheads)
Travel & Accommodation
External Service Provider
Total

Human resources                                   Year -1    Year 1    Year 2    Year 3
                                                  Days       Days      Days      Days
Available days:
  In-house staff
  External service provider(s)
Total available days
Less days applied to non‑audit activities2
Total available internal audit days
Internal audit support activities
  Development of the internal audit strategic business plan and annual work plan
  Monitor audit and other report recommendations
  Prepare annual assessment report
  Service the Audit Committee
  Manage audit programme
  Staff recruitment/training
  External auditor liaison
  Other internal audit support activities
Total internal audit support activity days
Total available for annual work plan

2
If specified in the internal audit charter.

Internal audit management strategies
This section will describe the management strategies that will be adopted to achieve the internal
audit goals and deliver the broad audit programme described earlier.

Examples of management strategies might include:

• changes in work practices and enhancement of audit methodologies to assist in ensuring that
internal audit meets the needs of stakeholders and delivers value for money
• review of the internal audit professional development programme
• introduction of new audit technology
• benchmarking exercises or external reviews, and
• the introduction of secondment programmes aimed at ensuring internal audit has the necessary
skilled and experienced staffing resources to deliver the internal audit annual work plan.

Risks to the Internal Audit Strategy


This section will describe the major risks that may prevent internal audit from achieving its objectives
and the strategies that will be implemented to mitigate such risks.

The following example illustrates possible risks and mitigation strategies.

Risk event: The expiration of the external provider contract in 15 months' time
Description of risk: This has the potential to result in delays in the audit programme if there is a
change in audit service provider. There is also the risk of increased costs, in line with market
changes over the last three years.
Mitigation strategy: Immediate review of service delivery options followed by early commencement
of the tendering process.

Risk event: Increase in staff turnover
Description of risk: Turnover of in-house audit staff is a significant risk over the next 12-18 months
as senior staff approach retirement age.
Mitigation strategy: Allowance has been made for managing staff retention and recruitment activities
and the introduction of a secondment programme.

Risk event: Management requests additional audits
Description of risk: Internal audit unable to respond in a timely way to requests for additional audits
that have not been included in the audit work programme.
Mitigation strategy: Programme includes allowance for urgent and unforeseen tasks subject to
approval by Chief Executive/Board or Audit Committee.

Performance measures
This section will list the performance measures that will be used to measure the performance of
internal audit and any changes in measures or targets over time.

Review of plan
This section will describe the timeframe and arrangements to be made for the review and update
of the plan. It would normally cover a three year rolling period and be reviewed at least annually.
It would be developed by the Head of Internal Audit for approval by either the Chief Executive/Board
or the Audit Committee.

Part B: Internal audit annual work plan for [year]
Audit theme*: Governance

Audit title: Cyclical compliance check
Area responsible: Business Unit 1; Regional Office A
Sponsor: [sponsor] (for each area)
Audit orientation: Compliance
Provider: In-house
Audit description: An assessment of the following key areas:
• Financial management
• Human resource management
• Management Reporting and monitoring
• Asset management, and
• Commercial, legal & project management
Potential benefit/rationale: Provide assurance that an adequate control framework is in place to
manage financial and operational risks. Identify systemic issues that may require action across
the entity.
Priority: High
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit title: Certificate of Compliance
Area responsible: Across entity
Sponsor: [sponsor]
Audit orientation: Compliance
Provider: Contractor
Audit description: An assessment of the validity of a sample of management reports regarding the
Certificate of Compliance
Potential benefit/rationale: Provide assurance on the confidence that can be placed on management
reporting in respect of the Certificate of Compliance.
Priority: High
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit title: Governance and reporting of related business partners
Area responsible: Programme X
Sponsor: [sponsor]
Audit orientation: Compliance
Provider: In-house
Audit description: To ensure that an appropriate framework is in place to establish, monitor and
govern programme delivery partners and that adequate arrangements are in place to manage
associated risks
Potential benefit/rationale: Provide assurance that the risks from partnering are adequately
identified and managed. Identify and quantify extent of exposures. Identify improvement
opportunities in management framework.
Priority: High
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit title: IT security environment
Area responsible: Business Unit 2
Sponsor: [sponsor]
Audit orientation: Performance improvement
Provider: Contractor
Audit description: To review the IT security environment including governance, architecture,
intrusion detection and network encryption
Potential benefit/rationale: Assurance that key IT controls are operating effectively and that
projects to improve security have been completed.
Priority: Medium
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit theme*: Programme performance

Audit title: Programme grants to client organisations
Area responsible: Programme Y
Sponsor: [sponsor]
Audit orientation: Performance improvement
Provider: Contractor
Audit description: To assess if the programme is achieving its intended objectives and if there are
opportunities to improve the management of the programme
Potential benefit/rationale: Provides an opportunity to improve the efficiency and effectiveness of
the programme with possible cost savings.
Priority: High
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit theme*: Strategy/planning

Audit title: Implementation of strategic changes and organisational restructure
Area responsible: Across entity
Sponsor: [sponsor]
Audit orientation: Performance improvement
Provider: Contractor
Audit description: To assess the effectiveness of the implementation of recent strategic changes
including organisational restructure
Potential benefit/rationale: Provides assurance and opportunities for improvement in the
achievement of strategic objectives.
Priority: High
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit title: Selection of a new financial management system
Area responsible: Business Unit 3
Sponsor: [sponsor]
Audit orientation: Advisory
Provider: In-house
Audit description: To provide advice on the selection of a new financial management information
system for the entity
Potential benefit/rationale: Management has sought input from internal audit in the selection of a
new financial management system.
Priority: High
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit theme*: Human resources

Audit title: Personnel security clearances
Area responsible: Across entity
Sponsor: [sponsor]
Audit orientation: Compliance
Provider: In-house
Audit description: A review of the security clearance and vetting policies and practices to assess
whether the entity is managing these processes in accordance with Australian Government policy as
outlined in the Protective Security Manual. A sample of clearances will be selected for examination
Potential benefit/rationale: A number of issues regarding security clearances have been raised in
most recent staff survey.
Priority: Medium
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit theme*: Financial

Audit title: Asset management
Area responsible: Business Unit 4
Sponsor: [sponsor]
Audit orientation: Compliance
Provider: In-house
Audit description: A review of asset management to assess whether the overall management of the
function is being performed in accordance with applicable legislation, government policy and
internal control requirements
Potential benefit/rationale: Findings from an earlier audit of IT assets indicated there may be more
systemic issues.
Priority: High
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Audit title: Corporate Taxation
Area responsible: Across entity
Sponsor: [sponsor]
Audit orientation: Compliance
Provider: Contractor
Audit description: A review to ensure the entity is meeting its corporate taxation obligations in the
areas of GST, FBT and PAYG
Potential benefit/rationale: These areas have not been reviewed recently.
Priority: Medium
Estimated duration: [ ] days
Estimated start date: [Month]
Date of consideration by Audit Committee: [Month]

Contingency for unforeseen audits: [ ] days
Total: [ ] days

* These themes should be aligned with the entity’s main business risks.
> The plan could also include the cost of individual audits.

Reserve topics
>

Audit theme*: Programme performance
Audit title: Achievement of funding objectives
Area responsible: Programme A
Audit orientation: Performance improvement
Audit description: Review of the selection of projects to be funded under Programme A
Potential benefit/rationale: Better targeting of assistance offers the potential to better achieve
the objectives of the programme.
Estimated duration: [ ] days

Audit theme*: Strategy/planning
Audit title: IT project planning
Area responsible: IT Business Unit
Audit orientation: Compliance
Audit description: Review of planning of a selection of IT projects
Potential benefit/rationale: Assurance that entity policy and procedures for planning IT projects are
complied with.
Estimated duration: [ ] days

High ranking topics not included in annual work plan

Audit title | Area responsible | Audit orientation | Audit description
Environmental management | Programme Z | Performance improvement | Review of environmental data collection
Insurance arrangements | Business Unit 2 | Compliance | Insurance risk analysis

* These themes should be aligned with the entity’s main business risks.
Resource allocation
There are a number of options that can be used to illustrate the allocation of internal audit resources
in the internal audit annual work plan. Some of these are illustrated below.

[Chart: Allocation of Resources by Audit Orientation. Legend: Compliance orientation; Performance improvement orientation]

[Chart: Allocation of Resources by Area Responsible. Legend: Business Unit 1; Business Unit 2; Business Unit 3; Programme X; Across entity]

[Chart: Allocation of Resources by Audit Theme. Legend: Governance; Programme performance; Strategy/planning; Human resources; Financial]

[Chart: Allocation of Resources by Activity. Legend: Audits; Advisory services; Audit support activities]


Example list of contents - internal audit manual


An internal audit manual documents the policies and procedures for conducting audits and for
managing the internal audit function. It is an important aid in assisting internal audit to produce
high quality audit reports that meet the expectations of stakeholders.
The audit manual should be tailored to the individual needs of entities but Heads of Internal Audit
are encouraged to review their audit manuals against this example list of contents.

Introduction
Purpose of internal audit
Purpose of the manual
Application to in-house staff and external providers
Review of audit manual

Overview of entity internal audit


Internal audit charter
Audit Committee charter
Structure of entity internal audit
Roles and responsibilities of in-house and external provider positions
Internal audit protocol(s):
• entity management
• external auditor
• business partners
Internal audit professional standards
Auditing frameworks

Strategic planning
Major tasks in developing the internal audit strategic business plan
Timing of tasks
Responsibilities for tasks

Development of the annual work plan


Major tasks in developing the annual work plan
Timing of tasks
Responsibilities for tasks

Overview of the audit process


Preliminary research
Audit proposal

Audit assignment planning


Preliminary research
Preparing the assignment plan
• Objectives
• Scope
• Methodology/test programme
• Timing
• Resources
Entry interview

Fieldwork
Undertaking fieldwork
Techniques for collecting evidence and testing controls
Mid-point review
Support tools available
Supervision arrangement

Reporting
First draft report
Exit interview
Final draft report
Obtaining management response
Completing the final audit report
Audit findings and recommendations rating system
Report format
Document styles/templates

Post-audit events
Audit evaluation by sponsor
Evaluation and debrief of auditor/external provider
Disseminating better practice and lessons learnt
Quality assurance review

Recommendation monitoring and reporting


Monitoring implementation of audit and other report recommendations
Reporting progress to the Audit Committee

Appendices
Internal audit protocols

Managing external service providers


Policy and guidance

Servicing the Audit Committee


Committee papers
Internal audit management reports

Assessing internal audit performance

Key performance indicators

Records management
Registry files
Audit working papers
Audit records retention and disposal rules

Security procedures
Confidentiality
Data and document security
Asset security

Example internal audit protocol

The format and content of the internal audit protocol is a matter for the Head of Internal Audit
in consultation with entity management. This example includes the key points found in a better
practice internal audit protocol.
Entities are encouraged to review their existing protocol against this better practice example.

Introduction
This protocol outlines the respective roles and responsibilities of internal audit and management in
the course of an audit and the opportunities for consultation during the audit process.

Purpose of internal audit¹


Internal audit provides an independent and objective review and advisory service to:

• provide assurance to the Chief Executive [and/or Board] that [the entity’s] financial and
operational controls designed to manage the organisation’s risks and achieve the organisation’s
objectives are operating in an efficient, effective and ethical manner, and
• assist management in improving the entity’s business performance.

Independence
Internal audit has no direct authority or responsibility for the activities it reviews. Internal audit has no
responsibility for developing or implementing procedures or systems and does not prepare records
or engage in original line processing functions or activities.

Internal Audit reports functionally to the Audit Committee. The Head of Internal Audit is accountable
to the Chief Executive [or Board].

Authority and confidentiality


Subject to compliance with [entity] security policies, internal auditors are authorised to have full,
free and unrestricted access to all functions, premises, assets, personnel, records, and other
documentation and information that the Head of Internal Audit considers necessary to enable internal
audit to meet its responsibilities.

All records, documentation and information accessed in the course of audits are used solely for
auditing purposes. Under its legislation, the Australian National Audit Office has access to all relevant
[entity] documents including internal audit reports.

Agreements with purchasing departments also provide for consultation and disclosure of audit
matters affecting purchasing department programmes and other circumstances².

Standards³ and values


Audit activities are also conducted in accordance with relevant professional standards including:

• Standards for the Professional Practice of Internal Auditing issued by the Institute of
Internal Auditors
• Standards relevant to internal audit issued by the Australian Society of Certified Practising
Accountants and the Institute of Chartered Accountants in Australia, and
• The Statement on Information Systems Auditing Standards issued by the Information Systems
and Control Association.

¹ For more information on the roles and responsibilities of internal audit see the internal audit charter available on the
[entity’s] intranet.
² Include where applicable.
³ Specify applicable standards.

Internal audit activities are conducted in accordance with the Australian Public Service and [entity]
values, policies and procedures.

Planning and consultation


Internal audit prepares a strategic business plan and annual work plan in consultation with the Chief
Executive, [the Board,] the Audit Committee and senior management. The business plan and audit
work plan are based on the risks facing [entity] and the business improvement opportunities available
to [entity].

The strategic business plan and the audit annual work plan are approved by the Chief Executive/
Board/Audit Committee. The audit work plan is available on the [entity] intranet.

In addition, audits not on the audit work plan can be commissioned by the Chief Executive, the Audit
Committee or management.

Audit process
The various stages in the audit process are outlined below.

Preliminary consultation
Prior to commencing the audit, internal audit will consult with the relevant senior manager on the:

• objectives and scope of the audit
• likely commencement date and duration
• locations to be visited, and
• nomination of an audit sponsor.

Opening interview
An opening interview will be conducted shortly before the start of the audit with management of the
area to be reviewed. The purpose of the opening interview is to:

• enable the audit team to meet key staff of the area being reviewed
• clarify the objectives, scope and timing of the audit
• provide an opportunity for staff of the area being reviewed to present their views and
perspectives on the matters subject to audit
• finalise the plan for conducting the audit in terms of timing, duration, staff involvement, and
• arrange access to buildings, personnel, files, systems and data in order to
commence fieldwork.

Fieldwork
Internal audit is committed to a ‘no surprises’ approach and on-going discussions will be held with
management as findings emerge and conclusions are developed. At the mid point of the audit, a formal
meeting will be sought with the sponsor to discuss the audit programme and any emerging issues.

If necessary, internal audit will communicate significant matters of concern to the Chief Executive
and/or the Audit Committee prior to the completion of the final report.


Amend as applicable.

Audits commissioned by management and not included in the audit work plan require the agreement of the Audit Committee.


Exit interview
At the conclusion of the fieldwork, internal audit will prepare a first draft report to be used as the basis
for discussion at an exit interview.

The purpose of the exit interview is to:

• advise management about the provisional findings, conclusions and recommendations
• afford management the opportunity to correct any misunderstandings or misinterpretations
• discuss findings and conclusions and obtain management’s views, and
• discuss the practicality of recommendations and timeframes for any remedial action.

Draft report
Internal audit will issue a final draft audit report promptly following the exit interview, generally within
10 working days.

Management comments

On receipt of the final draft report, the sponsor and management of the work area under review should:

• consider the findings and recommendations in the draft report
• formally advise internal audit whether management agrees or disagrees with the
recommendations in the draft report
• where management agrees with a recommendation, management should prepare an action plan
to address the recommendation, set a timeframe for implementing the action plan and nominate
the individual responsible for implementation, and
• where management disagrees with a recommendation, the reason for the disagreement should
be provided⁶.

Management comments are required within 10 working days of the receipt of the draft report.

Final report
Within 5 working days of the receipt of management comments, internal audit will issue a final report to:

• the Chief Executive
• the Chair and members of the audit committee
• the sponsor, and
• the sponsor’s supervisor.

Where appropriate, lessons learnt and examples of better practice will be disseminated to a wider
audience in [entity].

A client satisfaction questionnaire will be sent with the final report. The sponsor should complete the
client satisfaction questionnaire and return it to the Head of Internal Audit. The Head of Internal Audit
will follow up any feedback indicating possible shortcomings in internal audit performance.

Monitoring the implementation of agreed recommendations


The Audit Committee is responsible for examining all internal audit reports. Internal audit assists
the Audit Committee in monitoring progress in implementing agreed recommendations. Internal
audit will, therefore, periodically seek advice from management regarding progress in implementing
agreed recommendations.

⁶ While management agreement is not always necessary, it would be expected that discussions would be held with the
sponsor with the aim of reaching agreement. The reasons for any disagreement will be included in the final audit report
together with any internal audit response.



Pro-forma internal audit annual work plan progress report
Status of [year] internal audit plan as at [date]

Audit title | Progress status¹ | Original date for consideration by Audit Committee | Revised date for consideration by Audit Committee | Percentage of estimated days used | Last milestone achieved² | Status comment³

Progress status legend
R  Red: Significant delays
O  Orange: Some delays
G  Green: On track

Milestones
• Assignment planning commenced
• Entry interview
• Fieldwork commenced
• Fieldwork completed
• Exit interview completed
• Draft report issued
• Management comments received
• Report considered by Audit Committee

¹ Internal audit’s assessment of audit progress represented by ‘traffic lights’.
² Selected from list of milestones.
³ Internal audit’s commentary on audit progress. An opportunity also exists to advise the Audit Committee of the significance of any findings that are emerging from audits in progress.

Pro-forma Implementation of recommendations progress report
Status of the implementation of internal audit and other report¹ recommendations as at [date]

Report title and date considered by audit committee² | Recommendation/issue³ | Progress status⁴ | Category/priority of recommendation | Manager responsible for implementation | Original completion date | Revised completion date | Comment⁵

Progress status legend
R  Red: Significant delays
O  Orange: Some delays
G  Green: On track

¹ Including external audit and recommendations of Parliamentary Committees and other relevant bodies.
² Or date issued, if not considered by the Audit Committee.
³ Summary of recommendation or issue.
⁴ Internal audit’s assessment of progress represented by appropriate coloured ‘traffic lights’.
⁵ Internal audit’s commentary on the adequacy of progress, as required.

Example key performance indicators
Measuring performance over time using a number of key performance indicators (KPIs) linked
to internal audit objectives, and acting on the results, is important for an effective internal
audit function.
The most appropriate KPIs will vary according to the objectives and structure of the internal
audit function, but entities are encouraged to review their existing key performance indicators
against the following example indicators.

Columns: Performance indicator | Target | Actual | Percentage variation

Performance
• Number of audits completed against plan
• Number of audits delivered by due date
• Cost of audit plan

Stakeholders
• Audit Committee assessment of overall contribution of internal audit (from committee survey
questionnaire)
• Client assessment of overall satisfaction (from client survey questionnaire)
• Number of requests for ad-hoc advice/assistance from management (Not applicable; Not applicable)

Staff
• Staff satisfaction (from staff survey)
• Training days per staff member
• % staff turnover

Overall contribution
• Audit Committee assessment of the extent audits identified key issues (from committee survey
questionnaire)
• Audit Committee assessment of the contribution internal audits made to greater assurance and/or
improvements in performance (from Audit Committee survey questionnaire)
• Clients’ assessment of benefits resulting from internal audits (from client survey questionnaire)


Example client survey questionnaire


To assist in maintaining the efficiency of the audit process and the quality of the audit report it is
important to seek the views of management immediately after an audit has been finalised.
This example client survey questionnaire is designed to assist the Head of Internal Audit to collect
the views of management regarding the audit. Where there are significant areas of disagreement
the Head of Internal Audit should explore the matters further.
Entities are encouraged to review their existing client survey questionnaire against this example.

Rating scale
Importance: 1 = Low importance 2 = Medium importance 3 = High importance
Performance: 1 = Strongly Disagree 2 = Disagree 3 = Agree 4 = Strongly Agree

Statement | Importance | Performance
The timing of the audit was appropriate. | 1 2 3 | 1 2 3 4
My staff and I were given the opportunity to provide input, including any concerns and our perspectives, to the planning process. | 1 2 3 | 1 2 3 4
The audit focused on issues that were important. | 1 2 3 | 1 2 3 4
The internal auditor(s) kept me informed throughout the process on a timely basis and there were ‘no surprises’. | 1 2 3 | 1 2 3 4
The internal auditor(s) demonstrated a good knowledge of the subject matter. | 1 2 3 | 1 2 3 4
The internal auditor(s) demonstrated professionalism and an objective approach. | 1 2 3 | 1 2 3 4
There was no undue disruption to my workplace during the audit and our work environment was respected, e.g. safeguarding of documents and access to facilities. | 1 2 3 | 1 2 3 4
I was given the opportunity to provide input on the findings and conclusions, and on the recommendations made to address them. | 1 2 3 | 1 2 3 4
Conclusions reached were adequately supported by relevant facts and thorough analysis. | 1 2 3 | 1 2 3 4
The audit was completed on a timely basis. | 1 2 3 | 1 2 3 4
The audit report was balanced and constructive. | 1 2 3 | 1 2 3 4
Recommendations were useful, realistic, and cost-effective. | 1 2 3 | 1 2 3 4
The audit was of benefit in providing me with assurance that there were no major weaknesses and/or helped me to manage my business better. | 1 2 3 | 1 2 3 4
Overall, I was satisfied with the audit. | 1 2 3 | 1 2 3 4

Please use the space below to explain any specific ratings, to provide additional comments, or to
offer suggestions to improve future internal audits.

Comments:

Example Audit Committee internal audit questionnaire
The views of the Audit Committee on the performance of internal audit should be sought
periodically, but at least annually.
This example questionnaire is designed for use by the Audit Committee to provide feedback to the
Head of Internal Audit on the performance of the internal audit function. The questionnaire would
generally be completed by each member of the committee. Alternatively it can be completed by
the committee as a whole.
Entities are encouraged to review their existing Audit Committee internal audit survey questionnaire
against this better practice example.

Rating scale
Importance: 1 = Low importance 2 = Medium importance 3 = High importance
Performance: 1 = Strongly Disagree 2 = Disagree 3 = Agree 4 = Strongly Agree

Statement | Importance | Performance

Audit Committee Papers

Audit Committee papers were distributed in sufficient time prior to the meetings. | 1 2 3 | 1 2 3 4
Audit papers provided adequate pre-meeting information. | 1 2 3 | 1 2 3 4
Audit papers were presented in a professional, well-ordered, clear and concise manner. | 1 2 3 | 1 2 3 4
The information provided in the audit papers assisted the Audit Committee to fulfil its responsibilities under its charter. | 1 2 3 | 1 2 3 4
Any changes suggested to the audit papers were implemented in a timely manner. | 1 2 3 | 1 2 3 4

Meetings

Internal audit actively participates in meetings. | 1 2 3 | 1 2 3 4
Internal audit offers suggestions and solutions to issues during discussions. | 1 2 3 | 1 2 3 4
Minutes from meetings are accurate, concise and distributed in a timely manner. | 1 2 3 | 1 2 3 4

Internal audit strategic business plan and internal audit annual work plan

The strategic business plan and annual work plan were appropriately aligned with the entity’s business and operating environment (including key issues and business risks), its strategy and its key priorities. | 1 2 3 | 1 2 3 4
The internal audit strategic business plan and annual audit plan was developed in consultation with the Chief Executive, the Audit Committee and senior management. | 1 2 3 | 1 2 3 4
The internal audit strategic business plan and annual audit plan takes into account the work of other sources of assurance and review. | 1 2 3 | 1 2 3 4

Audit reports

The issues addressed by each audit assignment were appropriate to the business needs of the entity. | 1 2 3 | 1 2 3 4
Audit assignments were completed in a timely manner. | 1 2 3 | 1 2 3 4
Reports were well structured and concise. | 1 2 3 | 1 2 3 4
Reports reflected a realistic understanding of the area under review. | 1 2 3 | 1 2 3 4
Recommendations were practical and cost-effective to implement. | 1 2 3 | 1 2 3 4
Better practice suggestions and lessons learnt were disseminated to relevant areas of the entity. | 1 2 3 | 1 2 3 4
Audits represented good value for money. | 1 2 3 | 1 2 3 4
Audits identified key issues. | 1 2 3 | 1 2 3 4
Audits contributed to greater assurance and/or improvements in performance. | 1 2 3 | 1 2 3 4

Overall contribution

Overall, internal audit has made a valuable contribution to the achievement of the entity’s objectives. | 1 2 3 | 1 2 3 4

Please use the space below to explain any specific ratings, to provide additional comments, or to
offer suggestions for improvement.

Comments:



Example internal audit self-review questionnaire
This self-review questionnaire is designed to assist the Head of Internal Audit to assess if the key
elements of a better practice internal audit function are in place.

Rating scale
Ratings: 1 = Strongly Disagree 2 = Disagree 3 = Agree 4 = Strongly Agree

Rating

You have the confidence and support of:


· the Chief Executive 1 2 3 4

· the Board (where applicable) 1 2 3 4

· the Audit Committee 1 2 3 4

· senior management, and 1 2 3 4

· line management. 1 2 3 4

You have direct access to the Chief Executive/Chair of the Board and the Chair of the Audit Committee. 1 2 3 4

Internal audit is part of an integrated governance framework. 1 2 3 4

The internal audit charter is up to date and clearly articulates the roles, responsibilities and accountability lines of the internal audit function. 1 2 3 4

Your role is clear and well understood by management and staff in the entity. 1 2 3 4

You have access to all entity records, information and staff in the conduct of your work. 1 2 3 4

You and your staff know the entity’s business and the risks it faces. 1 2 3 4

There is a strategic internal audit business plan and internal audit annual work plan that is aligned with the entity’s business objectives, risks and major business systems and processes. 1 2 3 4

You have access to sufficient skilled and experienced staff and financial resources to meet your responsibilities and the expectations of key stakeholders. 1 2 3 4

Internal audit’s working practices are efficient and effective and are supported by an up to date Internal Audit Manual. 1 2 3 4

Relevant professional standards are adhered to. 1 2 3 4

There is adequate supervision of audit work and review of audit reports. 1 2 3 4

Audit reports rate the risk exposure of findings to the entity. 1 2 3 4

All audit recommendations are practical, cost-effective to implement and are risk-rated. 1 2 3 4


Outstanding agreed internal and external audit, Parliamentary Committee recommendations and those of other relevant bodies, are monitored effectively, and progress in implementing recommendations reported periodically to the Audit Committee. 1 2 3 4

Examples of better practice and lessons learnt are disseminated to relevant areas of the entity. 1 2 3 4

An annual report that assesses the effectiveness of the entity’s internal controls and identifies systemic issues is provided to the Audit Committee. 1 2 3 4

The key performance indicators provide effective accountability and drive performance improvement. 1 2 3 4

The internal audit function is reviewed periodically. 1 2 3 4




