Better Practice Guide September 2007
Public Sector Internal Audit
An Investment in Assurance and Business Improvement
ISBN No 0 642 809882 8
© Commonwealth of Australia 2007
COPYRIGHT INFORMATION
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Commonwealth.
Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth Copyright Administration, Attorney-General’s Department, Robert Garran Offices, National Circuit, Canberra ACT 2600, http://www.ag.gov.au/cca
Questions or comments on the Guide may be referred to the ANAO at the address below.
The Publications Manager
Australian National Audit Office
GPO Box 707
Canberra ACT 2601
Email: webmaster@anao.gov.au
Website: http://www.anao.gov.au
The responsibilities of internal audit vary considerably across public sector entities, as do internal audit organisational arrangements and the way internal audit services are delivered. This is to be expected, given the nature, size and complexity of the public sector.
It is our experience that better practice entities consider an appropriate level of investment in internal audit to be an essential business decision. These entities recognise a well resourced and effective internal audit function can play a key role in its governance arrangements. By providing assurance on the effectiveness of an entity’s internal control environment and identifying opportunities for performance improvement, internal audit can make a valuable contribution to achieving an entity’s objectives.
This Guide updates and replaces the Guide issued by the ANAO in 1998. While many of the principles remain the same, the role of internal audit has continued to evolve over time, and this Guide incorporates practices and considerations of a better practice internal audit function in a contemporary public sector environment. Consistent with other elements of public sector administration, the roles and responsibilities of internal audit, together with the skills and qualifications of internal audit staff, should be determined within the context of each entity’s governance and risk profile.
The aim of the Guide is to provide guidance relevant to public sector entities operating under both the Financial Management and Accountability and the Commonwealth Authorities and Companies Acts. As with all the ANAO’s Better Practice Guides, each entity is encouraged to use the Guide to identify, and apply, better practice principles and practices that are tailored to its particular circumstances.
The Guide complements the ANAO’s Better Practice Guide Public Sector Audit Committees issued in February 2005, and is intended as a reference document for Chief Executives, Boards, members of Audit Committees, managers with responsibility for internal audit activities, and internal audit staff.
Ian McPhee
Auditor-General
Foreword
Part 1
1 Introduction
1.1 Coverage
1.2 Common terminology
1.3 Key characteristics of a better practice internal audit function
1.4 Structure of the Guide
1.5 Acknowledgements
Key characteristics of a better practice internal audit function
2 Roles and responsibilities of internal audit activities
2.1 Introduction
2.2 The purpose of internal audit
2.3 Internal audit independence
2.4 Internal audit standards and values
2.5 Determining the role of internal audit
2.6 The internal audit charter
2.7 Contents of a better practice internal audit charter
3 Planning internal audit activities
3.1 Introduction
3.2 Internal audit strategic business plan
3.3 Purpose of an internal audit strategic business plan
3.4 Developing a strategic business plan
3.5 Contents of a better practice internal audit strategic business plan
3.6 Internal audit annual work plan
3.7 Developing a better practice internal audit annual work plan
3.8 Contents of an internal audit annual work plan
3.9 Costing of individual audits
3.10 Amendments to the annual work plan
3.11 Timing of audit planning
4 Relationships with key stakeholders
4.1 Introduction
4.2 Internal Audit and the Chief Executive
4.3 Internal audit and the Board
4.4 Internal Audit and the Audit Committee
4.5 Internal audit and management
4.6 Internal audit and the external auditor
4.7 Internal audit and other review activities and external bodies
4.8 Internal audit and professional bodies
5 Resourcing the internal audit function
5.1 Introduction
5.2 Internal audit budget
5.3 Service delivery models
5.4 Issues to consider in deciding the appropriate delivery model
5.5 Service provider panel arrangements
5.6 Management of a co-sourced or outsourced function
5.7 Head of Internal Audit
5.8 Resourcing the internal audit unit
6 Efficient and effective work practices
6.1 Introduction
6.2 Internal audit manual
6.3 Managing the internal audit process
6.4 Audit reporting
6.5 Audit report recommendations
6.6 Monitoring recommendations
7 Performance assessment and quality assurance
7.1 Introduction
7.2 Measuring internal audit performance
7.3 Measurement techniques
7.4 Internal audit annual performance report
7.5 Quality assurance
Part 2 Model Internal Audit Charter
Part 3 Example internal audit strategic business plan and annual work plan
Example list of contents – internal audit manual
Example internal audit protocol
Pro-forma internal audit annual work plan progress report
Pro-forma Implementation of recommendations progress report
Example key performance indicators
Example client survey questionnaire
Example audit committee internal audit questionnaire
Example internal audit self-review questionnaire
References
Index
Internal Audit in the Public Sector
Better Practice Guide
Part 1
1 Introduction
Public sector managers operate in an increasingly complex and challenging environment. This, in part, reflects the increasing demands and expectations of the community, government and the Parliament. Public sector managers have a range of resources and mechanisms available to assist
In both the public and private sectors, internal audit has long been recognised by better practice entities as a valuable resource and entities have given the internal audit function a key role in their governance arrangements. In doing this, organisations recognise that internal audit is one of a number of internal assurance and business review type activities that should operate in a coordinated and complementary manner to the benefit of the organisation. These other activities include management monitoring, evaluations, quality assurance and control self-assessment arrangements, that are all designed to provide confidence and assurance to Chief Executives and/or Boards that management is meeting its responsibilities and the entity is achieving its objectives.
Better practice entities also recognise that internal audit should:
be operationally independent: that is, internal audit is independent from the activities subject to audit
have the visible and active support of the Chief Executive and/or Board, the Audit Committee and senior management
have well defined roles, responsibilities and audit plans that are aligned with the entity’s risk profile
have effective relationships with all stakeholders
be properly resourced to enable it to meet its responsibilities
adhere to specified professional standards
have efficient and effective work practices
be fully accountable for its performance, and
be subject to periodic review.
1.1 Coverage
The principles and considerations outlined in this Guide are generally applicable to all public sector internal audit services.
1.2 Common terminology
For ease of reference and presentation, the following terms are used in this Guide.
‘Chief Executive’ is used for the majority of entities subject to the Financial Management and Accountability Act 1997 (FMA Act) where responsibility and accountability rests with the head of the entity.
The term ‘Board’ is used for entities where a Board is appointed as the governing body of the entity, as is generally the case with entities subject to the Commonwealth Authorities and Companies Act 1997 (CAC Act).
4 Under the Financial Management and Accountability Act 1997 the Chief Executive is responsible for managing the affairs of the entity in a way that promotes the efficient, effective and ethical use of Commonwealth resources for which the Chief Executive is responsible. Under their enabling legislation, the Boards of Commonwealth authorities and companies subject to the Commonwealth Authorities and Companies Act 1997 are generally similarly responsible for the efficient and effective use of Commonwealth resources.
5 These are discussed in Chapter 5.
of the particular delivery model.
‘Head of Internal Audit’ is used to describe the person responsible for the management of the internal audit function. Depending on the circumstances, the Head of Internal Audit can be an employee of
‘Audit activities’ consist of:
internal audits: including reviews of entity policies, programmes, operations, internal controls, management information, governance frameworks and IT systems, and
advisory services: including advice to management regarding existing, new or revised
coordination and training, observer status on management committees and the provision of other formal or informal advice. In conducting these services, internal audit does not assume management responsibilities.
‘Internal audit support activities’ are activities associated with internal audit or managing the internal audit function including: developing the internal audit strategic business plan and internal audit annual work plan; providing support services to the Audit Committee; monitoring the implementation of agreed internal and external audit report recommendations and those of Parliamentary Committees
‘Non-audit activities’ are activities where internal audit undertakes management responsibilities including: membership of management committees; the formulation of risk management and fraud control plans; and the conduct of fraud investigations.
types of audit referred to in this Guide are:
compliance: that the operations under review are complying with legislative requirements, government or entity policy and procedures, and systems of internal control, and
performance improvement: aimed at improving the efficiency and effectiveness of the programme or operations under review.
1.3 Key characteristics of a better practice internal audit function
Characteristics of a better practice internal audit function are outlined on the following page.
1.4 Structure of the Guide
The Guide is divided into the following three parts:
Part 1 Better practice principles and considerations.
Part 2 Model internal audit charter.
Part 3 Internal audit toolkit.
1.5 Acknowledgements
The ANAO appreciates the assistance provided by MKL Consulting in preparing the Guide. In addition, many entities and individuals contributed to the development of the Guide. These included Chief Executives, chairs and members of a number of public sector audit committees, Heads of Internal Audit as well as a number of people in the internal auditing and accounting professions, and private sector organisations.
6 Where the Head of Internal Audit is not an employee of the entity, arrangements need to be put in place to ensure relevant public sector financial and other legal requirements are met.
7 Also known as ‘systems under development’ audits.
8 These include the Management Advisory Committee, the Ombudsman and the Australian Public Service Commission
Key characteristics of a better practice internal audit function
A better practice internal audit function is distinguished by the following key characteristics:
subject to audit.
of internal audit complements the work of other internal and external assurance and review providers
and responsibilities.
linked to the risks in the entity.
(if applicable), the Audit Committee and senior management.
skills, experience and personal attributes to achieve what is expected of internal audit.
practices, that are valued by stakeholders.
the effectiveness of the entity’s system of internal controls.
issues arising from internal audit work
internal and external audit and other relevant report recommendations
improvement process.
2 Roles and responsibilities of internal audit activities
2.1 Introduction
Internal audit is an integral part of the broad corporate governance framework that entities establish to manage risks and achieve corporate objectives.
It is important that the position internal audit occupies in the governance framework and the role it plays is determined by the particular assurance needs of the entity and its preferred governance framework, now and in the foreseeable future.
2.2 The purpose of internal audit
provide assurance to the Chief Executive and/or Board that the entity’s financial and operational controls designed to manage the organisation’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner, and
assist management in improving the entity’s business performance
A number of practical measures can be taken to reinforce internal audit operational independence
its primary role
10 The Institute of Internal Auditors defines internal audit as:
‘an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.’
The Institute of Internal Auditors, Professional Practices Framework (The International Standards for the Professional Practice of Internal Auditing), July 2006 p.1.
11 Where internal audit is allocated executive or line management responsibilities, appropriate safeguards should be in place to
A distinguishing feature of internal audit is its operational independence.
Internal audit independence is reinforced by specifying these arrangements in an internal audit charter.
Reporting lines
As noted above, independence is enhanced where internal audit reports functionally to the Audit
be accountable to the Chief Executive. Similarly, in the case of a CAC Act entity, the Head of Internal
These reporting lines are illustrated below.
Figure 1: Reporting lines for FMA and CAC entities
Note: Many entities have established an executive board or committee to assist the Chief Executive in managing the entity.
The extent to which the Chief Executive or Board may wish to delegate some or all of their administrative responsibilities to a senior executive in the entity is a matter to be determined by each Chief Executive or Board. When administrative responsibility for internal audit is delegated, it should be to a senior manager who demonstrates a commitment to the internal audit function and has, to the extent possible, no actual or perceived conflict of interest. It is generally recognised that, because the audit of financial systems and controls will generally feature prominently in internal audit coverage and the Chief Financial Officer (CFO) commonly has a prominent role in determining budget allocations, assigning responsibility of the internal audit function to the CFO creates an actual or perceived conflict of interest. In any case, the reporting arrangements should always provide for the Head of Internal Audit to have direct access to the Chief Executive or Board.
12 However, there may be occasions when the Chief Executive or Board needs to be alerted quickly if there is an urgent major issue. This can be done directly or through the Chair of the Audit Committee.
13 In cases where the entity is headed by an individual, it would be expected that the Head of Internal Audit would be accountable to that person.
14 With direct access to the Chair of the Board, as necessary.
[Figure 1 diagram labels: Chief Executive; Audit Committee; Administrative Delegate; Head of Internal Audit]
Independence is enhanced where internal audit reports functionally to the Audit Committee.
2.4 Internal audit standards and values
Standards
While there is no legislative or policy requirement for internal audit in the Australian Government to comply with any particular professional standard, it is important that internal audit work is conducted in accordance with recognised professional standards. Such standards assist in:
providing confidence in the quality and consistency of the work that has been conducted
guiding the work of auditors
delivering auditing services in an effective and efficient way, and
establishing standards and benchmarks against which to measure the performance of internal audit.
There are a number of standards that can guide the work of the internal audit function. The most
Other standards that may have application are the Australian Auditing Standards (ASAs), Auditing and Assurance Standards (AUSs), standards issued by the Information Systems Audit and Control Association (ISACA), Standards Australia and the International Standards Organisation (ISO).
Values
Australian Public Service and supporting entity values can also be relevant to the work of internal audit and the conduct of internal audit staff, and should be specified in the internal audit charter, where relevant.
Entities should determine which standard(s) and values that must be complied with and specify them
2.5 Determining the role of internal audit
“We will make an impact when we understand and anticipate stakeholder needs, use our core competencies to highlight weaknesses in a timely manner and provide meaningful recommendations that solve the ‘big problems’.” Public Sector Head of Internal Audit
An important decision for each entity to make is deciding what role internal audit should play as part
organisational and environmental factors, and
specific internal audit considerations
15 The Institute of Internal Auditors, Professional Practices Framework (The International Standards for the Professional Practice of Internal Auditing), July 2006. Many internal auditors working in the Australian Government or for private sector service providers are members of the IIA. They are required by their membership to comply with standards issued by the IIA, to the extent that they are not inconsistent with the law.
16 To encourage compliance with the adopted standards, consideration should be given to a form of certification on completion of each audit report, that the audit has been conducted in accordance with the specified standards. Reference to the standard(s) to be complied with should also be included in the internal audit charter, any contract with a third party provider, and details included in an internal audit manual.
17 Some entities, for instance, see merit in combining the internal audit function with other activities such as risk management and fraud control. This can result in work areas being known by such titles as Risk Management and Assurance, Audit and Investigations, Governance and Assurance, and Assurance and Risk
professional standards. The most recognised standard is the Professional Practices Framework of the Institute of Internal Auditors.
An important decision for each entity to make is deciding what role internal audit should play as part of its governance framework.
This framework is illustrated below.
Figure 2: Internal assurance and review framework
To maximise the effectiveness of internal audit, it is important that its role is considered in the context of other assurance and business review functions so that internal audit complements, rather than duplicates, the responsibilities of others. It is equally important to ensure that the role of internal audit is not displaced by these other functions or that, to the extent possible, there are no significant gaps in the entity’s assurance and review framework.
One of the factors that will influence the role allocated to internal audit compared to those allocated to other assurance and review functions, is the importance the entity places on assurance and review generally and independent assurance activities specifically. This is likely to be influenced to some extent by the maturity of the other assurance and review functions and also by the culture of the entity.
Another factor to consider in determining the role of internal audit is the role other specialist assurance functions and business improvement advisors play in an entity. For example, there may be a need for a specialist risk management unit and/or a unit responsible for fraud control and investigation.
This will be influenced, in part, by the nature of the business and its risks, including, for example, the degree of external regulation, industry standards and norms, the risk of internal or external fraud and the scale and nature of entity operations. Entities will, therefore, need to consider how well equipped internal audit is to meet entity requirements for specialist assurance and advice.
[Figure 2 diagram labels: Comprehensive Assurance; Management Control Self-Assessment; Business Improvement Reviews; Internal Audit; Management monitoring; Risk Management]
Whatever role is decided for internal audit, entities should ensure that the operational independence of the internal audit function is not compromised by allocating it management responsibilities that conflict with its primary roles. In situations where internal audit undertakes management responsibilities, appropriate safeguards should be put in place to address any resultant conflict of interest. Internal audit’s effectiveness should also be safeguarded by ensuring that its resourcing is commensurate with its responsibilities.
Specific internal audit considerations
In deciding on the activities internal audit will undertake, it is better practice to consider the following factors:
the types of audits it will conduct
the advisory services it will provide
internal audit support activities
any non-audit activities, and
internal and external audit responsibilities
These matters are discussed in more detail below.
Types of audits
The classification of audits based on identifying the primary orientation or focus of an audit is a useful way for the Audit Committee to assess the balance of the proposed internal audit plan. Within the broad framework of the provision of assurance services, internal audits are classified in this Guide as either audits with a compliance orientation, or a performance improvement orientation.
In classifying audits, it is recognised that individual audits will often have multiple objectives that are designed to provide, for example, assurance regarding compliance, as well as to identify business improvement opportunities. In addition, whatever the particular focus or objective of individual audits, internal audit should always be alert to opportunities to optimise controls, identify non-compliance, and improve business performance in the conduct of its work. The two types of audits referred to above are discussed below.
Compliance audits
Under public sector governance arrangements management is responsible for:
complying with relevant legislation and government and entity policy requirements
designing, operating, and monitoring business processes to achieve the organisation’s objectives, and
identifying risks that might prevent the entity from achieving its objectives, and developing, implementing and monitoring controls to manage those risks.
It is generally accepted that a key role of internal audit is to review an entity’s systems of internal control and provide independent assurance to the Chief Executive or Board, through the Audit
such as providing assurance over compliance with legislative requirements, government and entity policies, assessing the accuracy and integrity of management information, reviewing compliance with procurement and contracting requirements and adherence to ethical standards.
18 Particularly financial system controls.
A key role of internal audit is to review an entity’s systems of internal control and provide independent assurance to the Chief Executive or Board, through the Audit Committee, that an entity’s internal controls are adequate and effective.
Given that most entities depend heavily on IT systems to support the delivery of programmes or assist public service administration, internal audit could also be expected to provide assurance that the controls over such systems are both well designed and are operating effectively.
Examples of audits that fall under the broad category of ‘compliance audits’ are discussed below.
Certificate of Compliance
Commencing from 2006-2007, Chief Executives and Boards of entities subject to the FMA Act and the CAC Act report annually on the financial management and sustainability of the entity, including compliance with the FMA Act or CAC Act by providing a completed Certificate of Compliance to the
It is expected that Chief Executives and Boards will have processes and controls in place to provide reasonable confidence that the entity is complying with the requirements of the financial management framework. Normally these processes and controls are likely to be an extension of existing governance processes that provide assurance to Chief Executives and Boards that financial and other controls are operating effectively.
Internal audit could usefully play a number of roles in relation to the Certificate of Compliance. For example, internal audit could conduct a series of compliance reviews on key elements of the control framework such as specific financial controls, management control self-assessment processes, if applicable, or programme controls. Alternatively, or in addition, the Chief Executive/Board may prefer regular, say, quarterly, or annual confirmation that the overall compliance framework can be relied on to provide the required certification.
Periodic assessment of the effectiveness of systems of internal control
Another role that internal audit can play is the preparation of a periodic, say annual, assessment of the effectiveness of an entity’s systems of internal controls based on the results of the internal audit work conducted during the period. Internal audit usually conducts a number of audits each year that assess the effectiveness of the internal controls operating in a range of individual financial or business processes - such as payroll, grant acquittals, procurement or IT applications. The results of individual audits are reported to the Audit Committee at the conclusion of each internal audit. Better practice internal audit functions are, however, increasingly being tasked with providing the Audit Committee with an annual overall assessment, based on the internal audit coverage undertaken, of the adequacy and effectiveness of an entity’s internal controls and any systemic issues that may have arisen from the internal audit activity completed. Such an assessment can be used by the Chief Executive and/or Board and the Audit Committee in forming a view about how much confidence they can have in the entity’s control environment and any systemic issues that need management attention. As a minimum, internal audit should be collating the results of individual audit assignments and providing a periodic summary report to the Audit Committee on audit findings and identifying any systemic issues.
Internal audit can also be well placed to undertake an analysis of the results of reviews conducted by other internal and external assurance providers. This might include reports on the results of review such as compliance with its service charter, the results of control self-assessment reviews, the findings from quality assurance reviews, and the results of IT system control monitoring or occupational health and safety reviews. Providing a report in this way can assist the entity to address any “silo effect” arising out of the work of different assurance providers and assist in identifying systemic issues arising out of the range of assurance work that is commonly conducted in entities.
This whole-of-entity perspective on the assurance risks facing the organisation and how well they are being managed could be used to further help inform risk identification and any necessary management action.
19 See Finance Circular 2006/8 for FMA Act agencies and Finance Circular 2006/11 for CAC Act bodies.
Such periodic reports are not a substitute for regular management reporting and the cost-effectiveness of preparing such reports should be taken into account as part of any decision to task internal audit with their preparation.
Continuous auditing
The widespread use of major IT systems for processing payments and receipts, and a desire by internal audit to be increasingly pro-active, is leading a number of better practice entities to consider opportunities of moving towards a process of continuous auditing. Under such an approach major IT systems are interrogated on a regular and frequent basis, even daily, with the aim of identifying anomalies or transactions that are outside pre-determined parameters that justify further examination.
The opportunity exists for such systems to be established by internal audit and, over time, transferred to management with internal audit being responsible for reviewing management’s actions in response to any anomalies identified.
In deciding if a continuous auditing approach is appropriate for an individual entity, consideration should be given to the costs and benefits involved and the capabilities required.
Performance improvement audits
It is generally accepted that internal audit not only provides assurance on compliance with procedures and systems of internal control, but it is also well placed to assist management to improve business performance. The objective of such assistance could include suggestions to improve the economy, efficiency and/or effectiveness of an entity’s programmes and operations in areas such as improving service delivery, better contract and project management, eliminating waste, reducing costs or increasing revenue. The scope could cover all of the operations of the entity or be targeted to a narrower set of activities associated with internal audit’s assurance role, such as matters related to governance, controls or risk management.
Advisory services
Internal audit can also provide valuable advice to entity management and staff to assist them in managing the entity’s risks in respect of programmes, systems, and processes, risk management processes and fraud control. Such advisory activities can take a variety of forms including advice on systems of internal control, processes, procedures and policies, attending management meetings as an observer, training managers and staff or providing informal advice in response to ad hoc management requests.
In providing advice to management, care should be taken to maintain the operational independence of internal audit. Internal audit can offer suggestions and recommendations but it is up to management to accept or not accept that advice. If management accepts the advice it is then the responsibility of management, not internal audit, to implement the advice and be accountable for its implementation.
Internal audit’s objectivity and impartiality could potentially be put at risk if internal audit takes on management’s role. In this situation internal audit’s independence can be reinforced by reference in an internal audit charter that distinguishes internal audit’s role from that of management.
New programmes, systems and processes
Another area where internal audit can be of particular assistance to entities is in the implementation of new government programmes, systems or processes. The introduction of new programmes, systems or processes, often involving substantial expenditure and tight timeframes, can present additional risks for entities that need to be identified from the start and well managed early in the process. The introduction of new IT systems can also be a particularly high risk activity and the early involvement of internal audit can generate significant benefits by bringing internal audit’s specific control expertise to bear on the task, including lessons learnt from previous similar projects in the entity or from elsewhere.
Internal audit can offer advice and other assistance throughout a project lifecycle from the concept, design and implementation stages, through to the post-implementation stage of a project. Guidance can include: advice on the design of financial and other controls or, where outsourcing or other contracts may be involved, issues concerning the appropriate procurement method; tender
To maximise the benefits of such assistance it is important that internal audit is responsive to the needs of management for timely advice and has suitable arrangements in place to report on a real
Risk management
Risk management is a key component of public sector corporate governance. The responsibilities of many Audit Committees include oversighting the effectiveness of the entity’s risk management framework.
It is management’s responsibility to identify and assess risks and to implement and monitor risk mitigation strategies. However, given its expertise in risk and control assessment generally, together with its experience in reviewing activities across the organisation, internal audit is well placed to assist the entity to develop and monitor its risk management framework. Internal audit’s role can include:
providing formal training and risk management advice to managers
reviewing management’s risk assessments and associated risk mitigation controls and actions
providing independent assurance over risk management processes, in particular, reporting against the achievement of control strategies
providing an opinion on the overall effectiveness of the entity’s risk management framework, and
facilitating or co-ordinating risk management processes in the entity
The role that internal audit can play in developing and maintaining an entity’s risk management framework will be influenced by the maturity of the framework and the extent that risk management is embedded in day to day operations. This is likely to change and evolve over time as the maturity of the risk management framework changes. For example, entities that have some way to go with the introduction of their risk management framework may give internal audit a key role in assisting management to identify risks and develop appropriate strategies and monitoring and reporting arrangements. On the other hand, where entities have in place a robust and mature risk management framework that operates throughout the organisation and where practical mitigation strategies are monitored at senior levels, internal audit’s role might be more focused on providing independent assurance on the effectiveness of the mitigation strategies and/or an assessment of the overall effectiveness of the framework.
Whatever role internal audit plays in risk management, appropriate arrangements should be in place to maintain the operational independence of internal audit.
Fraud control
Responsibility for managing the risk of fraud, like responsibility for managing all risks, rests with management as part of its ongoing responsibilities. However, internal audit can assist an entity to manage fraud control by providing advice on the risk of fraud and/or by advising on the design or adequacy of internal controls to minimise the risk of fraud occurring. It can assist in detecting fraud by considering fraud risks as part of its audit planning and being alert to indicators that fraud may have occurred. Fraud investigation is a matter that requires specialist knowledge and skills.
20 Because internal audit may act as probity auditor it is better practice that internal audit is not the initial probity advisor.
21 Such arrangements will also usually involve periodically reporting on a summary basis to the Audit Committee.
Any decision to allocate management responsibility to internal audit for the investigation of fraud should be taken in the full knowledge of the special risks involved and skills required in collecting and collating evidence that may be used in any legal proceedings.
The role of internal audit in relation to fraud control should be considered as part of the organisation’s
Internal audit support activities
It is important that as much internal audit time as possible is spent on audit or advisory work. Nevertheless, time spent on internal audit support activities such as business and audit planning, monitoring the implementation of agreed internal and external audit and other report recommendations, assisting the Audit Committee to meet its legal obligations and servicing the Audit Committee, internal and external liaison, recruitment and staff development is an essential pre-requisite for an effective internal audit function.
The relative balance of resources devoted to internal audit support activities compared with audit and advisory activities is a matter for consideration by the Audit Committee when considering internal audit plans and budgets.
Non-audit activities
Internal audit operational independence is maintained when internal audit has no management responsibilities other than for the internal audit function itself. Nevertheless, in limited circumstances, it is recognised that internal audit may be called upon to perform activities that are management responsibilities. These could include such activities as membership of management committees (as distinct from having observer status), formulating fraud or risk management plans, or conducting fraud investigations. The line between being an advisor to management and taking on management responsibility for a task can sometimes be blurred. Consequently, it is important that professional judgement is applied and appropriate safeguards put in place to maintain operational independence, to the extent possible.
Where internal audit is to have responsibility for non-audit activities, these should also be specified in the internal audit charter.
Internal audit and external audit responsibilities
Under the Auditor-General Act 1997, the Auditor-General is responsible for auditing the financial
Chief Executives must state whether, in their opinion, the financial statements give a true and fair view of the matters required by the FMA Orders. In CAC Act entities, the Board is responsible for certifying that entities’ financial statements comply with the CAC Act Finance Minister’s Orders.
22 Under the Commonwealth Fraud Control Guidelines, agency heads are required to certify in their annual reports that their agency has prepared fraud risk assessments and fraud control plans and has in place appropriate fraud prevention, detection, investigation, reporting and data collection procedures and processes that meet the specific needs of the agency and comply with the Commonwealth Fraud Control Guidelines. The Attorney-General’s Department, Commonwealth Fraud Control Guidelines, May 2002 and the ANAO Better Practice Guide, Fraud Control in Australian Government Agencies, August 2004 provide guidance on the risk assessment and control of fraud in the APS.
23 Auditor-General Act Part 4 Division 1.
24 FMA Act s 48 and CAC Act s 20.
25 FMA Act s 49 and CAC Act Schedule 1, Part 1, Clause 2.
The role of internal audit in relation to fraud control should be considered as part of the organisation’s overall fraud risk assessment and fraud
It is important, therefore, for entities to fully explore with external audit what review role internal audit can play in the preparation of the entity’s financial statements and in coordinating its plans with those of the external auditor. For example, internal audit can usefully review the adequacy of the quality assurance arrangements put in place by the Chief Financial Officer.
There is also an opportunity for internal audit to act as a liaison point with the external auditor. This can assist not only in improving the efficiency of the overall audit process but also in developing a good working relationship between internal and external audit.
2.6 The internal audit charter
To formalise the position of internal audit in the governance framework, the roles and responsibilities of internal audit should be articulated in an internal audit charter. An internal audit charter is
and accountabilities
The charter should be developed by the Head of Internal Audit. Consultation with stakeholders, particularly the Chief Executive and the Audit Committee, as part of developing the charter is an important means of understanding stakeholder needs and expectations. Any expectation gaps can be identified and addressed as part of the development process. The charter should be consistent with the Audit Committee’s responsibilities for oversighting the internal audit function as outlined in
The charter should be approved by the Chief Executive, or the Board in the case of a CAC Act entity, on the advice of the Audit Committee. Because the charter is a means of communicating the role, responsibilities and authority of internal audit it is important that, once approved, it is made widely available throughout the entity. Many entities also make the charter publicly available via their website.
As governance requirements change in response to changing risks and the business environment, the role of internal audit is also likely to change. The charter should, therefore, be reviewed at least annually to have confidence that the role of internal audit continues to meet the needs of the organisation.
26 Internal audit is different from most other parts of the organisation in that it operates outside of its own boundaries across the whole of the organisation. Because of internal audit’s broad mandate, it needs formal authority to access people and records outside its own area to meet its responsibilities. Some entities also see benefit in reinforcing the role of internal audit in their Chief Executive’s Instructions or equivalent policy documents.
27 The role of Audit Committees in respect of internal audit is outlined in the Australian National Audit Office, Public Sector Audit Committees, Better Practice Guide, February 2005.
Professional standards encourage co-operation between internal and external audit in the context of the audit of an entity’s financial statements.
2.7 Contents of a better practice internal audit charter
Better practice suggests that, as a minimum, an internal audit charter should include the following:
Introduction
specifies that the internal audit function has been established by the Chief Executive/Board and the charter has been approved by the Chief Executive/Board
Purpose of internal audit
defines the purpose of internal audit
Independence
specifies the organisational independence of internal audit
defines the reporting arrangements and lines of accountability between the Head of Internal Audit, the Chief Executive or Board, and the Audit Committee
provides for unrestricted access to the Chief Executive, the Board (if applicable) and the Audit Committee Chair and members
provides for periodic ‘in camera’ meetings with the Audit Committee
Authority and confidentiality
details internal audit’s authority to access all records, assets, personnel and premises and its authority to obtain such information as it considers necessary to fulfil its responsibilities
specifies information accessed in the course of internal audits will only be used for auditing purposes
Role and responsibilities
details the role and responsibilities of internal audit including its role in undertaking:
audit activities
audit support activities
non-audit activities (if any)
Scope of internal audit activity
defines the scope of internal audit, that is, the programmes, activities, processes, systems and organisations that are (and are not) subject to internal audit review
Standards
specifies the professional and other standards that will be followed when conducting internal audit assignments
Relationship with external audit
defines the relationship between internal audit and external audit
The charter should also specify the requirement for an internal audit strategic business plan and annual work plan
Reporting
specifies the reporting arrangements required including the provision of an annual assessment of the entity’s system of internal controls and advice to the Audit Committee and entity management of patterns, trends or systemic issues arising from internal audit work
provides for an independent periodic review of the internal audit function, and
Review of charter
provides for the periodic review of the Charter by the Audit Committee and approval of any substantive changes by the Chief Executive, or the Board in the case of a CAC Act entity, on the advice of the Audit Committee
Model internal audit charter
Part 2 of the Guide includes a model internal audit charter.
internal audit?
other assurance and business review functions
the role other specialist advisors play in the entity e.g. in relation to risk and fraud control
the types of audits to be undertaken
the advisory, support or non-audit activities to be undertaken
the extent to which internal audit can assist external audit in meeting its responsibilities
3 Planning internal audit activities
3.1 Introduction
It is important that the work of internal audit is focussed on the risks that might prevent an entity’s business objectives being achieved. The key principle, therefore, in planning the activities that internal audit will undertake is that there is an alignment between the entity’s objectives and risks, including those ongoing and recurring risks, on the one hand, and the strategic direction and plans of internal audit on the other.
Better practice internal audit planning consists of a strategic business plan that is supported by a
and operational terms the broad roles and responsibilities that are articulated in the internal audit charter and identifying key issues relating to managing the internal audit function. Given their close interrelationship, these plans would normally be developed at the same time and could either be consolidated into one document or be separately presented.
“By focussing our planning efforts on the things that matter to the business and asking the right questions, we make sure internal audit is seen as part of the business and contributes to its success.”
Public Sector Head of Internal Audit
3.2 Internal audit strategic business plan
Similar to other key business activities, the work of internal audit should be considered at both a strategic and operational level. An internal audit strategic business plan outlines the broad strategic direction of internal audit over the medium term and provides an important link between the internal audit charter and the detailed internal audit annual work plan. It should articulate the primary focus and direction of the internal audit function over the period covered by the plan; outline the objectives to be achieved in the period; and identify the key management strategies and actions that will be needed to achieve these objectives. It should also set out broad details of the audit, audit support and non-audit activities that internal audit will undertake and the proportion of resources that will be devoted to the different types of activities that will be undertaken. For example, the plan should indicate the relative proportion of resources to be devoted to audits, advisory services and audit support activities.
The period covered by the strategic business plan can vary, but would normally cover a three year
plan is prepared
3.3 Purpose of an internal audit strategic business plan
An internal audit strategic business plan helps in:
focusing internal audit effort where it is most useful and effective
communicating the medium-term direction of internal audit and how it supports the organisation’s objectives and addresses the entity’s risks
ensuring there are no unintended gaps in internal audit coverage over time
identifying the resources, skills and experience required to deliver an effective internal audit service
28 The internal audit annual work plan is, in turn, supported by specific plans for individual audit assignments. Better practice on planning individual audit assignments is described in Chapter 6 of the Guide.
29 Where an entity has a formal strategic planning cycle it is better practice to align the internal audit strategic plan with that cycle.
Better practice internal audit planning consists of a strategic business plan that is supported by a more detailed annual work plan.
required. Once approved, the plan should be made available to entity staff through the entity’s normal communication channels such as an entity intranet. Any significant changes should be approved by the Audit Committee.
The time and resources involved in developing the plan should be commensurate with the size and complexity of each entity, as well as the entity’s risk profile, and the extent of the entity’s investment in the internal audit function. For example, entities would not be expected to undertake detailed planning for audits proposed in the two out-years. The process would also be expected to be consistent with the entity’s usual business planning processes.
In developing the plan, consideration should be given to the following factors:
The entity’s goals and objectives
To align the strategic business plan with the entity’s strategic direction, internal audit should have a good understanding of the goals, objectives and priorities of the entity as they are articulated in corporate and business plans, and similar documents. At a more detailed level, business goals and objectives can also be outlined in other strategic documents such as workforce planning and information technology strategies and asset management plans.
Consultation with the Chief Executive, members of the Audit Committee, and senior managers is important in assisting internal audit in understanding existing and emerging business strategies and risks.
Better Practice Tip: Discussing audit plans
Discussing audit plans with senior managers concurrently with the entity-wide risk management and business planning processes provides an opportunity for internal audit to encourage managers to see internal audit as a service to help them better manage their business.
The entity’s risks
“Without an adequate risk analysis internal audit cannot proceed with its strategy.”
HM Treasury Audit Strategy Good Practice Guide
The entity’s risk profile and how it may change over time will also be an important determinant of the size and nature of the internal audit programme and the types of audits that are undertaken. Provided the entity’s risk identification process and risk management framework is mature, the entity’s risk management plans will be a key source of information in developing the strategic business plan.
In situations where the entity does not have a mature risk management framework, it would be expected that internal audit would develop its own entity risk profile that should be subject to confirmation with the Audit Committee and the senior management of the entity.
30 The FMA Orders for FMA agencies provide for the Audit Committee to approve the strategic audit plan of the agency.
Entities also see benefit in conducting a series of compliance audits across the entity on a cyclical basis to provide assurance that key governance policies, procedures and controls are in place and operating effectively.
External environment risks
External sources, including reports from Parliamentary Committees, public sector management
risk. Trends in accounting and governance matters can also point to areas that might impact on the achievement of the entity’s objectives and may require internal audit review.
The work of other review activities or functions
“Internal Audit should be seamlessly integrated within the overall governance framework.”
Public Sector Chief Executive
Consideration also needs to be given to the responsibilities and proposed coverage of other internal or external review activities or functions. Internal review functions, as noted earlier, include management monitoring and committees, evaluations, business improvement reviews, risk management processes, quality assurance arrangements and management control self-assessment arrangements. In addition, there are a number of external assurance and review bodies including Parliamentary Committees, external audit, regulators, and the Ombudsman.
This is illustrated in figure 3 below.
Figure 3: Internal and external assurance and review framework
31 For example, the Management Advisory Committee established under the Public Service Act 1999.
External sources, including reports from Parliamentary Committees, public sector management advisory groups, central agencies, regulators and the ANAO, can also illustrate potential sources of risk.
[Figure 3 labels: Comprehensive Assurance; External Audit, Ombudsman, Parliamentary; Internal Audit; Management Reviews and Committees; Risk Management; Business Improvement Reviews; Management Control Self-Assessment]
Stakeholder expectations
In consultation with key stakeholders, it is also important for internal audit to obtain the views of stakeholders about their expectations of internal audit. In this regard, it can be expected that stakeholders could have differing views about their expectations of internal audit and its focus and priorities. In these circumstances it is important for internal audit to ‘work through’ the different perspectives and have follow-up discussions, as required, to ensure that the draft strategic business plan fully takes into account the views of all stakeholders. In its consideration of the draft plan, the Audit Committee should be made aware, at least in broad terms, of the views of key stakeholders particularly if they are not reflected in the final draft of the plan.
Budget considerations
As a matter of principle, the internal audit strategic business plan should first address all the activities that internal audit, the Audit Committee and other stakeholders consider should be included, before reflecting on the possible budget available.
The size of the investment the entity wishes to make in internal audit would normally be determined
of this investment are outlined in Chapter 5, Resourcing the internal audit function.
Internal audit business objectives and management strategies
Developing a statement of business objectives for the internal audit function by the Head of Internal Audit, in consultation with the Audit Committee, communicates the direction internal audit intends to pursue over the life of the plan. Such a statement also provides a focus to develop and prioritise a set of management strategies and tasks designed to achieve those objectives. The most appropriate business objectives will vary between entities according to their particular circumstances and may change over time. Business objectives can vary considerably, but often include matters relating to the quality, cost-effectiveness and nature of the audit and other services provided by internal audit designed to meet the entity’s needs.
The business objectives decided on for the internal audit function will, in turn, affect the management strategies required to achieve those objectives. Such strategies will also vary considerably but can often involve plans affecting staff training and development, clarifying stakeholder expectations, improving audit and other processes, introducing new technologies or enhancing performance measurement.
For example, one of the internal audit’s business objectives could be to increase internal audit’s capability and capacity to undertake audits of systems under development. This will require strategies to have staff and/or contract resources with the necessary skills to undertake these audits.
32 An example of an assurance map is shown as part of the Example of an internal audit strategic business plan and audit work plan in Part 3 of the Guide.
33 See Australian National Audit Office, Public Sector Audit Committees, Better Practice Guide, February 2005, p.13.
To assist in determining the appropriate internal audit coverage entities increasingly see a benefit of conducting an assurance mapping exercise.
The size of the investment the entity wishes to make in internal audit would normally be determined by the Chief Executive/Board on the advice of the Audit Committee.
The service delivery model in place, and any proposed changes, will also influence the management strategies adopted. For example, an in-house service delivery model will require the development of strategies designed to ensure that the staff have the appropriate level of skills and experience to undertake the proposed audit coverage. The use of a co-sourced or outsourced model will require strategies and plans to help ensure appropriate quality and accountability is maintained.
3.5 Contents of a better practice internal audit strategic business plan
The precise format and content of the strategic business plan will vary depending on the preferences of stakeholders and the size and nature of the internal audit function itself. However, it would be expected that better practice plans will contain all or a majority of the following matters:
the key business objectives and direction of internal audit over the period of the plan that are consistent with the internal audit charter
a brief outline of the methodology used in developing the plan and key stakeholders consulted
a summary of the key objectives and strategic direction of the entity and a description of any planned major initiatives
an outline of the entity’s key business risks
a description of emerging external issues and trends that may impact on the entity
an outline of the entity’s identified business risks mapped to the various internal and external assurance and review providers
a description of the audit strategies and priorities for internal audit over the life of the plan
a summary of the proposed internal audit coverage over the period of the plan showing by year, the
audit title
area responsible
type of audit
priority
a summary of the proposed internal audit coverage over the period of the plan against a background of the previous two years’ coverage
the relative allocation of internal audit resources between audit, advisory services and audit support activities
the different types of audits, and
different business and/or programme and/or geographical locations
The plan should also outline details in relation to the management of the internal audit function itself such as:
details of the financial and human resource budgets for internal audit activities over the life of the plan
the management strategies and approaches to help ensure that internal audit has access to the necessary level of skilled and experienced staff, and that its methodologies and work practices reflect contemporary better practice
identification of the risks and actions proposed to manage the risks of not achieving internal audit’s objectives
details of the performance measures to be used to measure the performance of internal audit, and
arrangements for the review and update of the plan
34 These themes should be aligned with the entity’s main business risks.
Alignment with the entity’s risk management plan
To assist in demonstrating an alignment between the entity’s risks and the proposed internal audit coverage and to highlight entity risks that are not being addressed by internal audit, better practice entities see benefit in grouping proposed internal audits under a series of ‘audit risk themes’ that mirror the risk categories identified in the entity’s risk profile. Examples of possible internal audit risk themes include governance, policy and strategic planning, programme and project management, client relationships, financial, human resources and IT systems.
As noted earlier, where entities do not have a mature risk management framework, it would be expected that internal audit would develop its own risk profile.
Better Practice Tip: Knowledge Champions
Appointing each audit team member as a knowledge champion to develop special expertise in a relevant specialist area such as government procurement and probity, emerging technology, eCommerce, contract law, intellectual property and auditing trends and techniques can increase the specialist knowledge available to internal audit while providing increased job satisfaction for staff.
Previous internal audit coverage
The benefit of developing a medium term internal audit plan against a background of the last two years is to enable the Audit Committee and management to assess whether the full range of risks, especially compliance risks, are covered over an appropriate period (some may need to be undertaken every year and others less frequently).
3.6 Internal audit annual work plan
A detailed internal audit annual audit work plan should be prepared that specifies the proposed internal audit coverage for the next 12 months. The considerations in developing an annual audit work plan are similar to those for the internal audit strategic business plan, albeit at a more detailed level. Audit Committees of FMA entities are required to approve the annual audit plan. Depending on their charter, Audit Committees of CAC Act entities may also approve these plans. Alternatively, they should be approved by the Board on a recommendation of the Audit Committee.
3.7 Developing a better practice internal audit annual work plan
In developing the annual audit work plan, it is appropriate to also consider the following matters.
Prioritising internal audit topics
Once the broad strategic direction for audit coverage has been determined, a choice needs to be made about the number and scope of specific audit topics to be included in an internal audit annual work plan. The final selection of internal audit topics is ultimately a matter for the Chief Executive/Board and the Audit Committee, and a structured approach assists in the decision-making process.
To assist in prioritising audit topics it is helpful to develop a set of criteria that can be used to assess
the strategic and operational risks identified in the entity’s risk management plan or business unit plans or in the absence of a mature risk management framework, as identified by internal audit
materiality and risks arising from the external environment
the potential or expected benefits of an audit
35 It can be helpful to maintain a list of potential audit topics as part of an ‘audit universe’ or a listing of auditable areas.
any specific requests from the Chief Executive, the Board, the Audit Committee or management
the degree of alignment with the audit strategies identified in the internal audit strategic business plan
the importance of the programme or activity
the significance of the findings from any previous internal or external audit or review, particularly relevant reports and recommendations from Parliamentary Committees
any coverage required to support the preparation of the financial statements, and
the length of time since any previous internal or external audit as part of a cyclical review process
Some entities see benefit in allocating numerical “scores” to each of the criteria and aggregating the scores to arrive at an overall audit ranking. Although audit “scores” can help to rank audit topics it should be recognised that such a process still involves judgement in the allocation of individual scores.
Comprehensive annual work plan
A comprehensive internal audit annual work plan will generally include all or a majority of the following activities:
audits of major IT systems focussing, in particular, on security and access matters, and audits of major projects
a number of annual audits to review key areas of financial, human resource or governance matters across different business units and geographical locations or a series of audits that are conducted each year, for example, to provide assurance over the quality of the preparation of the financial statements
audits that review particular topics across the whole entity, such as procurement practices, recordkeeping and ethical conduct and compliance with APS and entity values, that are aimed at addressing potential systemic risks
audits of areas where the risk is judged to be high but the controls are considered to be effective in managing the risk. These audits can provide assurance that the controls are in fact operating as intended
follow-up audits of areas audited previously where shortcomings have been identified
an allowance to undertake ad hoc or special request audits, particularly from the Chief Executive and the Audit Committee, and
a number of reserve audit topics that could be substituted if planned audits do not proceed
36 It is important that internal audit advice is communicated to management in a timely manner to enable the advice to be considered before the system is implemented.
Better Practice Tip: Plan for contingencies
Retaining 10%-15% of the internal audit annual work plan as a contingency for unforeseen audits helps internal audit to accommodate requests for special or urgent audits.
Objectives and scope of audits
Part of the process of selecting audit topics is consideration of the objectives and scope of individual audits. These factors can have a significant effect on the cost of the internal audit annual work plan or the number of audits included in the plan. In particular, consideration should be given to whether it is better to have fewer, more in-depth audits, more audits with a narrower focus, or a combination of both.
The views of the external auditor
In developing the plan, it is important to consult with the external auditor to gain an understanding of their perspective on the business risks facing the entity and the external auditor’s proposed financial statement and performance audit coverage. This information is necessary to help ensure that potential duplication and gaps in overall audit coverage are identified, and to identify opportunities for the external auditor to rely on the work of internal audit. Any significant areas that are not covered or are duplicated should be drawn to the attention of the Audit Committee.
Size and nature of the internal audit annual work plan
Factors that would be expected to affect the size and nature of the internal audit annual work plan include:
substantial number of risks and, by extension, controls designed to assist in managing the risks, could be expected to have a larger internal audit programme than an entity with a higher risk tolerance and a smaller risk profile
the size and complexity of the entity’s business: the larger the number of separate business activities and programmes, the more audits that could be expected to be required
the stability of the entity: internal audit might be required to do more in times of significant change.
As with the internal audit strategic business plan, the size of the internal audit annual work plan will also be influenced by the level of investment in internal audit an entity wishes to make.
Internal audit support activities
In preparing the plan, sufficient time and resources should also be included to:
manage the internal audit function
monitor and report to the Audit Committee the implementation of agreed recommendations in internal and external audit reports and from Parliamentary Committees and other review bodies
analyse the risk, control and governance issues arising from internal audit work, or the work of other assurance providers, with a view to providing periodic reports to the Audit Committee on systemic issues and trends
support the Audit Committee in discharging its legal obligations
37 The concept of risk tolerance embraces the level of exposure which is considered tolerable and justifiable should it be realised. Depending on the maturity of the entity’s risk management framework, the tolerance level can be formally stated or may reflect more the culture of the entity.
38 This term refers to the extent and nature of the risks facing an entity.
provide secretarial support to the Audit Committee (assuming this is a responsibility of internal audit)
develop and periodically review the internal audit strategic business plan and the internal audit annual work plan
provide appropriate professional development to internal audit staff, and
liaise with the external auditor and other relevant external bodies.
Where some or all services are provided by an external party, sufficient time should also be provided to enable the contract, or contracts, to be properly managed.
3.8 Contents of an internal audit annual work plan
The plan should be sufficiently detailed to enable the Audit Committee and, as necessary, the Chief Executive, to be satisfied that the proposed coverage is adequate. It would be expected that, as a minimum, the plan should outline for each proposed audit the:
audit risk theme being addressed
audit title
area responsible and sponsor
type of audit
summary description of the audit
expected benefit to be added by the audit or the rationale for the audit priority and resources to be used to conduct the audit – in-house, contractors or a combination of both
estimated duration and cost
proposed timing of the audit including the month it is expected to be completed, and the Audit Committee meeting at which the audit will be considered.
Some entities also see benefit in including a list of topics that rank just below those selected for inclusion in the plan. This assists the Audit Committee to assess the proposed plan in the context of risks that will not be addressed.
The presentation of the annual work plan to the Audit Committee will generally be enhanced through the use of summaries, graphs and charts which can be used, for example, to indicate the mix of audit types to be undertaken, the spread of audit activity across the entity by work group or by geographical location.
3.9 Costing of individual audits
It is generally accepted that for resource management and accountability purposes, internal audit units should have a formal time recording system to record the time auditors spend on audit and related tasks. Each entity also needs to decide if there are benefits in implementing and maintaining a cost recording system that captures the cost of each individual audit. In making such a decision, care should be exercised in specifying the degree of precision required from such a system and in ensuring that the benefits are balanced against the degree of administrative effort and financial cost involved in establishing and maintaining the system.
4 Relationships with key stakeholders
4.1 Introduction
To be effective, internal audit must have the confidence and trust of the key stakeholders it works with. This confidence should not be assumed to be ‘a given’. It can only be established and maintained by having effective working relationships, delivering high quality and timely advice and internal audit reports, that are seen to be contributing directly to assisting the entity to meet its responsibilities.
The key stakeholders of internal audit are:
the Chief Executive, in the case of FMA Act entities, the Board and Chief Executive in the case of CAC Act entities
the Audit Committee
senior management
the external auditor
other review activities and external bodies, and
professional bodies.
While it is important that details of these relationships are formalised in documents such as the internal audit charter, the Audit Committee charter and management protocols, good relationships also need to exist at a practical working level to be effective.
4.2 Internal Audit and the Chief Executive
Better practice FMA Act entities recognise the advantages in having the Head of Internal Audit being directly accountable to the Chief Executive. This not only sends a clear signal about the importance of the internal audit function, it also facilitates regular contact between the Chief Executive and internal audit. This contact should be used as an opportunity for internal audit to gain insights into new and emerging risks and issues facing the entity and to discuss the role the Chief Executive wishes internal audit to fulfil in the entity.
In situations where the Head of Internal Audit is accountable to someone other than the Chief Executive, it is important that the Head of Internal Audit has direct access, on an as required basis, to the Chief Executive.
4.3 Internal audit and the Board
In CAC Act entities, internal audit generally formally reports to the Board on the effectiveness of the internal audit function. As the Audit Committee is usually a sub-committee of the Board, this responsibility is often delegated to the Audit Committee. Although the Head of Internal Audit will meet regularly with the Chair and members of the Audit Committee, some Boards periodically meet with the Head of Internal Audit to exchange views and ideas. As a minimum, it is important that the Head of Internal Audit has direct access to the Chair of the Board and the Chief Executive as required.
4.4 Internal Audit and the Audit Committee
The relationship between internal audit and the Audit Committee is also a crucial one and is likely to have a number of dimensions. These involve:
internal audit assisting the Audit Committee to comply with its obligations under the FMA or CAC Acts
internal audit being functionally responsible to the committee, for the conduct of the internal audit programme; this places the committee in the role of being internal audit’s primary client and requires internal audit to have a close professional relationship with the committee as a whole and each of its members
internal audit through its reports and its general interaction with the committee, being a key source of information on the effectiveness of controls and the performance of the entity
internal audit providing secretariat support to the committee in many entities
the Audit Committee being responsible for either reviewing and approving internal audit plans, or recommending their approval by the Chief Executive/Board, and
the Audit Committee being involved in assessing the performance of internal audit and in any change of the Head of Internal Audit and/or any external service provider(s).
Given this relationship, it is important that both formal and informal lines of communication be established between internal audit and the audit committee and with individual committee members, particularly the Chair. Audit Committee members should be in a position to be able to openly discuss matters of interest with the Head of Internal Audit. In doing this, committee members must be confident that such discussions will be treated in confidence by internal audit.
It is generally accepted that the Head of Internal Audit, and any external service providers, will attend Audit Committee meetings unless there are exceptional circumstances why they should be excluded for a whole meeting or a particular agenda item, or items. It is also good practice for the Audit Committee to meet privately with the Head of Internal Audit and any external service providers, from time to time. This provides the Committee the opportunity to ask questions and to seek feedback from internal audit without management being present. This practice also supports the independent role of internal audit.
To meet the Audit Committee’s monitoring responsibilities, internal audit should report to the Committee on a regular basis on the status of the internal audit annual work plan. This report should provide details of audit activity against planned audits, together with explanations of any significant variations.
Internal audit should also report regularly on the status of management’s actions to implement agreed internal and external audit report recommendations and agreed Parliamentary Committee and other review body recommendations, providing details of who is responsible for implementing the recommendations and an assessment of progress achieved.
As discussed earlier, better practice internal audit functions increasingly are providing Audit Committees and Chief Executives with periodic reports on the patterns, trends and systemic issues identified as a result of internal audit activities undertaken.
Better practice Audit Committees will formally review the performance of internal audit on at least an annual basis. To assist the Committee in doing this, internal audit should provide an annual report in an agreed format to the Committee on its achievements and on the use of its resources.
It is better practice for internal audit plans to be prepared and submitted to the Audit Committee, and the Chief Executive where appropriate, to enable them to be considered and approved prior to the commencement of the next financial year.
3.10 Amendments to the annual work plan
The plan should be kept under periodic review and any substantive amendments should be approved by the audit committee. Many audit committees find it appropriate to authorise the Chair of the committee to approve changes to the plan out of session, where this is required.
Better Practice Tip: Timing of audit planning
Aligning the timing of the internal audit planning process with that of the entity’s business planning processes can assist in internal audit planning being aligned with the objectives and priorities of the entity.
In circumstances where the full internal audit work plan is not approved, an interim work plan for the first three or six months should be approved prior to the commencement of the year to which the plan relates.
Example internal audit strategic business plan and internal audit annual work plan.
Part 3 of the Guide includes an example internal audit strategic business plan and internal audit annual work plan.
Planning internal audit activities checklist
Have the following factors been considered in planning internal audit activities?
the entity’s overall goals and objectives
the entity’s risk profile
the work of other review functions or activities
the expectations of key stakeholders
the level of investment in the internal audit function
the actual and proposed financial and performance audit coverage by external audit
the types, mix and location of proposed audits and advisory services
the extent of audit support activities to be undertaken
the business strategies and priorities of the internal audit function
4.5 Internal audit and management
To be able to effectively fulfil its responsibilities, internal audit needs to have a professional and constructive relationship with senior management, in particular, and with the management cadre of the entity in general.
Better practice internal audit functions will interact on a regular basis with members of the senior management team, and through the delivery of practical, business focussed and useful reports and advice, will build a relationship that is based on cooperation, collaboration and mutual respect.
Meetings with entity managers should be used as an opportunity to be briefed on key business developments and the impact they have on the risks facing the entity. These meetings should also be used to obtain informal feedback about the performance of internal audit and to assist in identifying ways that internal audit can best assist entity management. In this context, better practice internal audit units will encourage managers to seek their advice and assistance on either an informal or formal basis as the need arises. One measure of the effectiveness of internal audit is the extent to which managers seek out internal audit to assist them in managing their business.
In interacting with management, internal audit will be privy to information which can impact on professional and, at times, personal reputations. It is important that internal audit respect the confidentiality of such information and its communication to others be on a strictly need to know basis. In situations where managers consider that such information is being used inappropriately, the reputation and credibility of internal audit is likely to be adversely impacted.
Better Practice Tip: Audit Liaison Officer
Some larger entities have found the use of Audit Liaison Officers in business areas or regions a useful way to facilitate audit planning, the conduct of audits and the implementation of agreed audit recommendations.
4.6 Internal audit and the external auditor
Establishing a professional working relationship between internal audit and the external auditor should deliver benefits to both parties. It is important that internal audit seek input from the external auditor in developing the internal audit strategic business plan and internal audit annual work plan.
It is also important that internal audit consult with the external auditor during the planning phase of individual audits that address key financial and business systems that underpin the entity’s financial statements or relevant areas of proposed performance audit coverage. By engaging external audit in this way, potential overlaps and gaps in overall audit coverage can be identified and addressed, and it will assist in maximising the extent to which external audit is able to rely on the work of internal audit in undertaking its work.
Internal audit often will be responsible for liaising with external audit on behalf of the entity and be tasked with coordinating external audit activity in an entity. This role can be a useful way for internal audit to be aware of planned and actual external audit coverage, while at the same time being cognisant of external auditors’ need for access to individuals and records to enable them to meet their own audit responsibilities.
4.7 Internal audit and other review activities and external bodies
As noted earlier, internal audit is one of a number of internal and external review-type activities that exist as part of entities’ governance arrangements. It is critical that all these activities operate in a coordinated and complementary manner. This requires regular formal and informal contact between them to help ensure that duplication and overlap are kept to a minimum, or preferably eliminated.
Some organisations see benefit in protocols being formalised between such activities, which provide, for example, for the regular exchange of views and information and for the reporting of the results of work undertaken in a coordinated manner.
Such arrangements can be particularly important in situations where internal audit needs to work closely with programme or internal audit units of other entities as a result of inter-agency or other agreements.
4.8 Internal audit and professional bodies
It is generally expected that individual internal audit staff will be members of the Institute of Internal Auditors and/or other relevant professional bodies such as the Australian Society of Certified Practising Accountants, the Institute of Chartered Accountants in Australia and, for IT auditors, the Information Systems Audit & Control Association. It is important that internal audit staff use their membership of such bodies to keep abreast of professional and industry developments and use networking opportunities to assist in their ongoing professional development. In doing this, and in accordance with applicable ethical codes of behaviour, care needs to be exercised to ensure that appropriate confidentiality relating to entity activities and audit findings is maintained.
5 Resourcing the internal audit function
5.1 Introduction
To be able to provide the entity with the services expected of it, it is important that the internal audit function has an adequate budget and access to sufficient resources with the necessary skills and experience. The quantum and mix of resources required will be influenced by a number of factors, especially the particular service delivery model chosen.
The factors that will influence the quantum and mix of the internal audit budget include the:
number and types of audits included in the annual work plan: an annual work plan with more business improvement audits is likely to cost more than one that has a more compliance focus
complexity of the annual work plan: the weight given to audits requiring specialist skills such as expertise in information technology, could add to the cost of the annual work plan
geographic spread of audit work: the more travel that is required the greater the required budget is likely to be
extent of audit support activities: the inclusion of a large number of audit support activities is likely to require increased resources
other non-audit services required of the internal audit function: it could be expected that the broader the role expected of internal audit the greater the internal audit budget
cost of the service delivery model chosen to provide internal audit services: the difference in cost between the service delivery model chosen by the entity and the cost of alternatives will affect the budget needed, and
cost of implementing the management strategies outlined in the internal audit strategic business plan: the internal audit budget will need to take into account the cost of agreed management strategies.
The ANAO is aware that studies are undertaken from time to time that benchmark expenditure on internal audit against a number of variables. Generally, they relate to private sector organisations but they may be of assistance in reviewing internal audit budgets in the public sector. Opportunities also exist for internal audit to benchmark their budgets against similar public sector auditees as part of a planned management strategy.
It is important that, in presenting the internal audit strategic business plan and internal audit annual work plan to the Audit Committee, the Head of Internal Audit draws the committee’s attention to the impact that any budget shortfall might have on the ability of internal audit to meet the expectations of stakeholders and the exposure this might represent to the entity.
The Audit Committee will then be in a position to make an informed judgement on the adequacy or otherwise of the budget. If the audit committee considers the internal audit budget to be insufficient, compared to the risks facing the entity, it should draw this to the attention of the Chief Executive/Board.
internal audit function it is
important that the budget
is sufficient to implement
the role expected of
internal audit.
5.3 Service delivery models
“If co-sourcing or outsourcing internal audit service delivery, you need to be an informed purchaser.”
Chair Public Sector Audit Committee
As noted earlier in the Guide, within the Australian Government sector, internal audit is performed in a range of entities that vary considerably in purpose, size, structure, and complexity. As a result, there is a range of models used to deliver internal audit services. These are illustrated in the following diagram.
Each model has its benefits and its risks. The most appropriate model will depend on the entity’s particular needs that could well change over time as circumstances change. It is important, therefore, to periodically consider which service delivery model will best suit the entity’s needs as part of the Audit Committee’s consideration of the internal audit strategic business plan.
Model 3 Outsourced with in-house management: Internal audit services provided by contract resources, with in-house management of the internal audit function
Model 4 Outsourced: All internal audit services provided by contract resources. Project management of contract(s) undertaken in-house
5.4 Issues to consider in deciding the appropriate delivery model
The following factors should be taken into account when considering the appropriate service delivery model.
Ability to attract and retain suitable staff
For a variety of reasons it may be difficult to attract and retain suitably skilled in-house audit staff. As a consequence, co-sourcing or outsourcing the internal audit function to an external service provider, who assumes some or all of the responsibility for recruiting and managing the required staff, may be an effective means of overcoming staff shortages.
Alternatively, the development and implementation of a comprehensive staffing strategy as part of the internal audit strategic business plan may be successful in obtaining sufficient staff with the necessary skills and experience.
The skills and experience required
Generally, in-house staff could be expected to have a greater knowledge of the entity’s business objectives, systems, risks and culture. They can be seen as ‘part of the team’ and can be more easily approached for informal and ad hoc advice. There are no issues over possible conflicts of interest and there is more direct control over the quality of work undertaken. Corporate knowledge may also be more readily retained by in-house staff and in-house internal audit units are in a position to offer a good training ground for future senior managers.
On the other hand, service providers may have access to leading practices and expertise from the public and private sectors in Australia and overseas that may be helpful to the entity.
Cost
The cost of in-house provision compared with the alternatives is a key consideration. It is important when comparing costs to take into account the full costs of the different options including the salaries of in-house staff plus overheads such as training, leave, superannuation, staff management, accommodation and facilities. In the case of co-sourcing or outsourcing, the costs of contract management as well as of the contract itself should also be taken into account.
Flexibility
Many internal audits require access to special technical audit skills that are either not available or not cost-effective to maintain in-house. The ability to respond quickly to new requests for audits without disrupting the planned programme or the need to resource workload peaks can also be important. Co-sourced or outsourced arrangements may be able to provide the required flexibility in such circumstances.
Viability
For some small entities there may not be the critical mass to make an in-house internal audit function viable and sustainable. Small internal audit units may find it difficult to supply sufficient staff with the full range of skills necessary to undertake a comprehensive internal audit plan. In this situation, there is a risk the audit plan will be determined more by the skills of the staff available rather than the needs of the entity. Limited career progression and development opportunities can also act as a disincentive for the recruitment and retention of staff.
5.5 Service provider panel arrangements
Where a decision is made to co-source or outsource the internal audit function, a decision on the number of external service providers to engage also needs to be made. This decision will be influenced by the extent and nature of the services required. In many circumstances one service provider will be the most appropriate choice. In situations where there is an extensive audit plan and a broad range of skills are required, it may be appropriate to establish a panel of service providers.
Such an arrangement can provide access to extra skill sets and provide additional flexibility compared to a single provider. There are a number of different panel arrangements that can be established.
For example, the panel could consist of a number of pre-qualified providers who tender for specific internal audits. Alternatively, it could involve two or more providers who each have a contract to provide a specified number of work days over a particular period and the work is allocated to the provider best suited to the particular audit.
If a panel arrangement is adopted, consideration needs to be given to striking a balance between the number of providers required to provide sufficient flexibility and access to skilled staff and the need to avoid spreading work too thinly. Where an external provider is contracted to only perform a small parcel of work there is limited opportunity for the provider to develop the required understanding of the entity and its business needs. The arrangement also has to be commercially viable from the provider’s perspective.
5.6 Management of a co-sourced or outsourced function
The key to success in managing external providers, like the management of any outsourced service, involves:
choosing the right provider with the right experience, on the basis of a value for money assessment
establishing clear expectations with the service provider, and
actively monitoring the performance of the provider and managing the relationship throughout the life of the contract.
For better practice guidance on developing contracts and managing service providers see the Australian National Audit Office and Department of Finance and Administration, Developing and Managing Contracts, Better Practice Guide, February 2007.
Choosing the right provider
Issues to consider in choosing an external provider include:
the provider’s experience in providing internal audit services
knowledge of the entity’s objectives, governance arrangements, values and culture
the knowledge, skills and availability of the personnel involved in conducting and supervising the work
knowledge of the public sector generally, including accountability requirements
quality assurance arrangements, and