INTERNAL AUDIT POLICY

Version control information
Document Name: INTERNAL AUDIT POLICY
Prepared by: D Davis
Version: V 1.0
Date: 08/06/2016

health.wa.gov.au
MP 0008-16
Effective: 1/7/2016
Title: INTERNAL AUDIT POLICY

1. Background

The Financial Management Act 2006 (FMA) [1] regulates the financial administration, audit and reporting of statutory authorities and applies to Health Service Providers and their operations.

Health Service Providers must comply with this policy to ensure the internal audit function, the position of Chief Audit Executive (CAE) and the Audit and Risk Management Committee are established and maintained in a manner to ensure their independence from operational management and to further facilitate an ongoing objective review of the entity's activities.

2. Scope

This policy applies to Health Service Providers under the Health Services Act 2016 [2], including:
- North Metropolitan Health Service and its Board
- South Metropolitan Health Service and its Board
- East Metropolitan Health Service and its Board
- Child & Adolescent Health Service and its Board
- WA Country Health Service and its Board
- Health Support Services
- Quadriplegic Centre and its Board

3. Policy statement

WA Health is committed to maintaining efficient and effective internal audit functions as required by the FMA through the provision of independent and objective assurance and consulting activities. This will assist WA Health to accomplish its objectives by bringing a systematic and disciplined approach to evaluate and contribute to the improvement of risk management, control and governance processes.

Principles of the Policy:
- ensure the internal audit function provides independent, objective, timely and useful information to management in regard to:
  - the adequacy of, and compliance with, the system of internal control
  - the consistency of organisational results with established objectives
  - whether operations or programs are being carried out as planned, and
- ensuring the accountable authority receives relevant and timely advice on the entity's governance, risk and control frameworks and its external accountability obligations from an independent Audit and Risk Committee with appropriate expertise.

The Principles are supported by Core Policy Requirements such as:
- the internal audit function has been established and maintained
- the internal audit function is independent and internal auditors are objective in performing their work.
- the operation of the internal audit function is consistent with the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing [3]
- there is an Internal Audit Charter consistent with the content of the Model Internal Audit Charter
- an independent Audit and Risk Committee with appropriate expertise has been established
- the Audit and Risk Committee is an advisory committee providing advice, independent assurance and assistance to the accountable authority on the agency's governance processes, risk management and control frameworks and its external accountability obligations, and
- the Audit and Risk Committee has approved Audit and Risk Committee Terms of Reference.

4. Definitions

Internal Audit function: Means either an in-house internal audit service delivery model, co-sourced or an out-sourced internal audit service delivery model. The service delivery model selected will provide assurance, independent from operational management, risk management, control and governance processes.

Charter: Is a formal document that defines purpose, authority and responsibility. In this instance the Internal Audit Charter

Chief Audit Executive (CAE): Refers to the head of the audit function (International Standards for the Professional Practice of Internal Auditing (IIA)).

5. Roles and responsibilities

The Accountable Authority:
- is required to develop and maintain an effective internal audit function (FMA s53(1)). Part XII of the FMA provides the basic requirements for an effective internal audit function as prescribed by the IIA International Professional Practices Framework
- must determine the appropriate service delivery model for the internal audit function based on the Accountable Authority's needs and ensure the service delivery model selected will provide assurance, independent from operational management, risk management, control and governance processes.
  In order to promote organisational independence, the internal audit function is to be directly answerable to the Accountable Authority through the head of internal audit/Chief Audit Executive (CAE)
- will submit to the Department CEO an annual attestation statement of compliance with the Core Policy Requirements by 30 June each year stating the health entity complies with WA Health's internal audit policy.

The Audit and Risk Committee:
- is responsible to the accountable authority for the review and oversight of the internal audit function by reviewing and endorsing the internal audit plan and reports. This will include oversight of internal controls, risk management, corruption and fraud prevention, applicable laws and regulations, government
  directives and Department CEO Policy Directives, external accountability and external audit, and
- operates under an Audit and Risk Committee Terms of Reference.

The Chief Audit Executive (CAE) must:
- develop the internal audit charter consistent with this policy directive and Model Internal Audit Charter and ensure it is approved by the accountable authority on the advice of the Audit and Risk Committee
- establish and maintain a risk-based internal audit plan to determine the priorities of the internal audit resource and ensure they are consistent with the organisation's goals
- ensure the internal audit function adheres to the IIA's mandatory guidance including the Definition of Internal Auditing, Core Principles, Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing
- ensure audit findings are categorised and prioritised according to the risk represented to the organisation using a risk-based audit methodology consistent with the current WA Health risk methodology
- recommend a course of action for every audit finding and ensure these are referred to operational management for formal response
- report internal audit findings and related recommendations and management responses to the Audit and Risk Committee
- monitor progress in implementing agreed action plans, by maintaining a register of audit findings and progress and undertaking follow-up audits based on the risks posed to the organisation and report on progress to the Audit and Risk Committee
- develop key performance indicators by which the internal audit function's performance may be measured and report on progress and performance relative to internal audit plan, authority, responsibility and other key operational and strategic matters affecting the function and its purpose, and
- communicate to the accountable authority and the Audit and Risk Committee on the internal audit activity's quality assurance and improvement program, including results of ongoing internal
  assessments and external assessments conducted at least every five years.

All staff members within the health entity must:
- on a timely basis, furnish internal audit with information, advice or explanation on such matters as may be requested, and shall render any assistance necessary for audit purposes.

6. Compliance

Failure to comply with this policy may result in disciplinary action and, in serious cases, termination of employment or engagement.

7. Evaluation

The Department CEO will, on a periodic basis, review the operation of the Policy to assess the efficiency and effectiveness of the arrangements, as well as to assess the sector's compliance with the requirements outlined in the Policy.

The Auditor-General may undertake an assurance role in monitoring the sector's compliance with the core requirements outlined in the Policy. The Auditor-General may conduct a review of department and statutory body compliance with the Policy by
conducting a compliance engagement on a sample of departments and statutory bodies.

8. References

[1] Financial Management Act 2006 (FMA)
[2] Health Services Act 2016
[3] Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing
- WA Health Risk Management Guidelines
- Australian Standards AS/NZS 31000:2009 Risk Management Principles and Guidelines and PD2009_039

9. Relevant legislation

- Health Services Act 2016
- Financial Management Act 2006

10. Related documents

- Audit and Risk Committee Terms of Reference
- Internal Audit Tool Box
- Internal Audit Charter

11. Authority

The Department CEO may issue policy frameworks to ensure consistent approaches - Health Services Act 2016, Division 2, Policy frameworks (section 26).

Internal Audit's authority is derived from Part XII of the FMA (Internal Audit), which defines:
- The structure of the internal audit function (Treasurer's Instruction (TI) 1201)
- The conduct of audits and consultancy (TI 1202) and
- The management of the internal audit function (TI 1203).

Title: Internal Audit Policy
Contact: Steve Jensen, Tel: 9222 4281, Email: Steve.Jensen@health.wa.gov.au
         Dale Davis, Tel: 9222 6868, Email: Dale.A.Davis@health.wa.gov.au
Directorate: Corporate Governance
Version: V1.0
Date Published: 01/7/2016
Date of Last Review: 08/06/2016
Date Next Review: 01/07/2019

This document can be made available in alternative formats on request for a person with a disability.

Department of Health 2016

Copyright to this material is vested in the State of Western Australia unless otherwise indicated. Apart from any fair dealing for the purposes of private study, research, criticism or review, as permitted under the provisions of the Copyright Act 1968, no part may be reproduced or re-used for any purposes whatsoever without written permission of the State of Western Australia.