Guide to Internal Audit Frequently Asked Questions About Developing and Maintaining an Effective Internal Audit Function in Australia Second Edition
Index

Introduction
Overview of the Requirement for an Internal Audit Function
1. What is internal auditing?
2. How does CLERP 9 relate to the ASX Principles?
3. Does CLERP 9 have any specific requirements in relation to internal audit?
4. What do the ASX Principles require?
5. How does a company demonstrate compliance with the ASX Principles?
6. Does the ASX provide listed companies with any instructions or guidance beyond the Principles?
7. Do the ASX Principles apply to private companies?
8. What other issues should management consider in ensuring compliance with Principle 7?
9. Do the ASX Principles require a company to hire new internal audit employees?
10. What is required if a company already has an internal audit function?
11. Are part-time internal auditors sufficient?
12. Is a written internal audit charter required?
13. What should be in a charter? Is there a model charter?
14. Do the ASX Principles require that the IIA Standards be followed?
15. Is there any minimum amount of expenditure or effort required under the ASX Principles?
16. What additional guidance is available for specific industry sectors?
17. What are the specific requirements for the public sector?
18. Is there a preferred internal control / enterprise risk management framework to be utilised by the internal audit function?
The Internal Audit Profession
19. How is the internal audit profession regulated?
20. Is continuing professional education (CPE) required for internal auditors?
21. Are internal auditors required to be certified?
22. Are there professional standards that govern the practice of internal auditing?
23. Are internal audit functions required to follow the IIA Standards?
24. What are the IIA Practice Advisories?
25. Are Australian Auditing Standards relevant to internal auditors?
26. What jurisdiction do the ASX and ASIC have over internal auditors?
27. Can existing employees become internal auditors?
28. What personal qualities, knowledge and skills should internal auditors possess?
29. How much should a company spend on internal auditors?
30. Are there industry groups for internal auditors?
31. Isn't internal auditing a duplication of what external auditors do?
32. How is independence achieved if internal auditors are appointed by management?
33. What role and responsibility do internal auditors have for fraud?
34. Are there university programs in internal auditing?
35. How do we start an internal audit function?
36. How should an internal audit function be staffed?
37. To whom should the head of internal audit report?
38. Can employees in the company participate in internal audits?
39. What are the pros and cons of outsourcing/co-sourcing internal audit?
40. Where do I get more information on internal auditing?
The Process of Internal Auditing
41. How is internal audit work actually performed?
42. Should an internal audit function consider information technology risks?
43. What types of IT audit skills should be included in an internal audit department?
44. Should an internal audit report provide a rating?
45. What is control self-assessment (CSA)?
46. Is there a standard definition for internal controls?
47. Are internal auditors required to follow COSO?
48. Are there specific performance measures for internal auditing?
Management and Audit Committee Considerations
49. How can management utilise internal audit most effectively?
50. What is an audit committee's role with respect to an internal audit function?
51. Should executive sessions (without management present) be held with the internal auditors as part of an audit committee meeting?
52. What should internal audit report to the audit committee?
53. How should the audit committee evaluate the effectiveness of the internal audit function?
54. Should internal audit functions receive a quality assurance review (QAR) periodically?
External Auditor Considerations
55. Can we use our external auditors to perform internal audit work?
56. Can external auditors rely on the work of internal auditors in connection with their financial statement audit?
57. Do all internal audit reports need to be reviewed by the external auditor?
About Protiviti Pty. Ltd.
About The Institute of Internal Auditors
Internal Audit-Related Organisations and Links
Glossary of Commonly Used Acronyms and Terms
Appendix A
Appendix B
Introduction

Internal audit is a key pillar of good governance. It is concerned with the adequacy of risk management and internal control systems, the efficiency and effectiveness of operations, the safeguarding of assets and regulatory compliance. It provides an organisation's audit committee and executive management with an independent view on whether the organisation has an appropriate risk and internal control environment, while also acting as a catalyst for a strong risk and compliance culture within the organisation.

Overview of the Requirement for an Internal Audit Function

1. What is internal auditing?

The IIA provides the following internationally recognised definition: "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes." This definition is part of the IIA's International Professional Practices Framework (IPPF); conformance with the IIA Standards necessarily includes adherence to it. There are few regulatory requirements on how an organisation should define its internal audit activity. However, given the authoritative and widespread nature of the IIA's definition, it is reasonable to expect that regulatory bodies would adopt it.

2. How does CLERP 9 relate to the ASX Principles?

One of the outcomes of the Australian Federal Government's Corporate Law Economic Reform Program (CLERP) was the establishment of the ASX Corporate Governance Council. The Council was established on 1 August 2002 and subsequently produced both the Principles of Good Corporate Governance and Best Practice Recommendations (March 2003) and the Corporate Governance Principles and Recommendations (August 2007).

3. Does CLERP 9 have any specific requirements in relation to internal audit?
There are no specific provisions relating to internal audit. However, there is an implied impact on internal audit, as discussed below. The ASX Corporate Governance Council issued a revised Principle 7 in the Corporate Governance Principles and Recommendations (August 2007). The revised Principle 7 requires the board to disclose whether it has received assurance from management that material business risks are being managed effectively. It also requires the board to disclose whether it has received assurance from the CEO and the CFO (or equivalents) that the declaration provided in accordance with section 295A of the Corporations Act is founded on a sound system of risk management and internal control, and that the system is operating effectively in all material respects in relation to financial reporting risks.
In order for the CEO and CFO to attest to the integrity of the financial statements and to provide such assurance on the effective management of material business risks, there would by implication generally be an evaluation of the company's risk management, internal control and compliance framework. Many companies now use internal audit functions to assist with this attestation process.

4. What do the ASX Principles require?

ASX Principle 7, Recognise and Manage Risk, states that listed companies should establish a sound system of risk oversight, risk management and internal control. Further guidance contained within the Principle states:

"Companies should require management to design and implement a risk management and internal control system to manage the company's material business risks and report to the board on whether those risks are being managed effectively. An internal audit function will generally carry out the analysis and independent appraisal of the adequacy and effectiveness of the company's risk management and internal control system. A company should therefore consider having an internal audit function. An alternative mechanism may be used to achieve the same outcome depending on the company's size and complexity and the types of risk involved ... The audit committee should recommend to the board the appointment, and if necessary the dismissal, of the head of internal audit ... the internal audit function should be independent of the external auditor. The internal audit function and the audit committee should have direct access to each other and should have all necessary access to management and the right to seek information and explanations ... The audit committee should oversee the scope of the internal audit and should have access to the head of internal audit without management present."
ASX Principle 4, Safeguard Integrity in Financial Reporting, also states that listed companies should have a structure to independently verify and safeguard the integrity of their financial reporting. The Principle recommends that the board establish an audit committee. Added commentary states that, in accordance with ASX Listing Rule 12.7, an entity included in the S&P All Ordinaries Index at the beginning of its financial year is required to have an audit committee during that year, and that all entities in the top 300 of the Index must comply with all recommendations under Principle 4 regarding the composition, operation and responsibilities of the audit committee. Principle 4 provides further recommendations and guidance on the structure of the audit committee and the formal charter that the audit committee should have. The ASX Principles and Recommendations are not mandatory and are intended only to provide a reference point. Under ASX Listing Rule 4.10, companies are required to provide a statement in their annual report disclosing the extent to which they have followed the good practice recommendations in the reporting period. Where companies have not followed all the recommendations, they must identify the recommendations that have not been followed and give reasons for not following them.

5. How does a company demonstrate compliance with the ASX Principles?

The recommendations contained in the ASX Principles are not mandatory; however, any departures must be explained and justified (full disclosure) in the company's annual report. Recommendation 7.4 states that companies should provide the information indicated in the Guide to Reporting on Principle 7, which requires any departures from Principle 7 to be included in the corporate governance section of the annual report.
ASX Listing Rule 4.10.3 requires listed companies to disclose any departures from the Principles and Recommendations during the reporting period and to explain those departures.
6. Does the ASX provide listed companies with any instructions or guidance beyond the Principles?

The ASX has issued its own Frequently Asked Questions document, which addresses interpretative issues, general issues and usability queries relating to the Principles. The ASX Corporate Governance Council has also provided a supplementary guidance document specifically on the interpretation of Principle 7.

7. Do the ASX Principles apply to private companies?

No, the Principles and Recommendations currently apply only to ASX-listed companies. However, private companies may find that developing an effective internal audit function will assist them in maintaining, validating and improving internal controls; identifying opportunities to reduce costs and improve processes; and enhancing their corporate governance. Many large Australian private companies have recognised the benefits an effective internal audit function can bring to their operations and compliance efforts, and have created such functions with positive and measurable results.

8. What other issues should management consider in ensuring compliance with Principle 7?

Based on the second edition of the Corporate Governance Principles and Recommendations and the guidance in the Group of 100 publication Guide to Compliance with ASX Principle 7: Recognise and Manage Risk, management should ensure that the following issues are considered:

- Each company should establish risk management policies outlining all elements of the risk management and internal control system and any internal audit function. A summary of these policies should be disclosed.
- The roles, responsibilities and accountability of the board, management, audit committees and/or other committees should be clearly defined in the risk management policy.
- The board should require management to implement the risk management and internal control system to manage material business risks, and should require management to report on the effectiveness of risk management and internal controls in addressing material business risks.
- Management should design and implement a sound risk management and internal control model to identify, assess, monitor and manage financial and non-financial risk. Management should review the appropriateness of the risk management system.
- The board assumes ultimate responsibility for risk oversight and management, and should meet its responsibility for assessing the effectiveness of the company's system by reviewing the effectiveness of the system periodically (at least annually).
- A reasonable level of assurance should be obtained from testing. The testing processes adopted are a matter of professional judgement and will vary from company to company.
- Analysis and assessment of the effectiveness of the risk management and control system are generally performed by internal audit; a company may use an alternative approach based on its size, complexity and the nature of the risks involved.
- All subsidiaries must be included, and all material associates and joint ventures should be included, within the scope of Principle 7 compliance activities. Where material associates and joint ventures are not included within the scope, this should be disclosed in the compliance statement in the annual report.

The internal audit function of an organisation will provide valuable advice in relation to the above issues, including determining what is considered a reasonable level of testing and conducting the testing.
9. Do the ASX Principles require a company to hire new internal audit employees?

No, the ASX Principles do not require new internal audit employees to be hired. To the extent that the company already employs qualified professionals who can serve effectively in the capacity of internal auditors, those individuals could be transferred to the internal audit function. Existing functions should be examined for risk-based audit planning, technical competency, and independence in areas such as reporting lines and scope coverage. The Institute of Internal Auditors (IIA) Policy Agenda issued in February 2010 suggests that all internal auditors should, at a minimum, hold IIA certification. Outsourcing and co-sourcing are attractive options for many companies that find they need to establish an internal audit function quickly or have had difficulty maintaining a high-quality function. Companies that do not have the appropriate level of resources and talent internally, and that do not want to spend time on a long search process, may find that outsourcing allows for an accelerated start-up. There is also potential for greater independence and objectivity, access to substantially greater skills than a full in-house function, and more flexibility to increase or decrease internal audit activities to meet changing risks and conditions. Additionally, outsourcing allows a company to curtail or halt internal audit work at certain times of the year when there may be conflicting priorities, such as plant closings, mandatory vacations, year-end reporting, annual planning and budgeting. Many companies find that some form of rotation in and out of an internal audit function can be beneficial to both the employee and the organisation. Under this approach, a company utilises full-time professionals with important knowledge and understanding of the company's business and operations.
These individuals gain valuable experience in seeing, understanding, evaluating and helping to improve many areas within the organisation. Also, once their rotation is completed, these employees are better prepared to identify, understand and deal with internal control and risk management-related issues. This type of program, in a sense, seeds the organisation with professionals who have practical knowledge and background regarding internal controls and business risks. The IIA provides useful guidance on resourcing through its position paper, IIA Position Paper on Resourcing Alternatives for the Internal Audit Function, which is available at www.theiia.org.

10. What is required if a company already has an internal audit function?

Whilst there are no mandatory requirements for internal audit in the ASX Principles, a company with an existing internal audit function should determine its adequacy. We recommend that companies with existing internal audit functions review their appropriateness and adequacy by asking themselves the following questions:

- Do we have an adequately resourced internal audit function?
- Do we have appropriate reporting lines for the head of internal audit?
- How does our function compare to other companies in our industry?
- Does our internal audit function meet the IIA Standards?
- Has our internal audit function undergone a quality assurance or peer review recently?
- Do the board, management, audit committee and key process owners believe internal audit is a value-added activity for the organisation? If not, how should the function change to be more effective?

The Institute of Internal Auditors Policy Agenda (February 2010) suggests that internal audit be required in all sectors where there is a separation of ownership/stewardship from management.
11. Are part-time internal auditors sufficient?

As long as the individuals can maintain objectivity, part-time internal auditors could meet the recommendations of the ASX Principles. At smaller organisations, the extent of key business risks, and therefore the amount of time and effort required to address those risks, may not justify full-time resources. The independence and objectivity of the resources should be strongly considered, as should the capability of the individuals. A number of qualifications are available for internal audit, such as the Certified Internal Auditor (CIA). It is recommended that internal auditors at a minimum be IIA members and that they be encouraged to obtain further certifications. Care should be taken to ensure that part-time internal auditors do not audit areas that they themselves supervise, or in which they initiate, complete, approve, record or reconcile transactions. Also, if part-time internal audit employees with other organisational duties are required to audit areas for which their own supervisors are responsible, their objectivity could be impaired in fact or in appearance, calling into question the value or veracity of their audit findings. In most cases, part-time resources would not fulfil the spirit of the internal audit requirements, and would not be in the best interests of management, the audit committee or the shareholders.

12. Is a written internal audit charter required?

Attribute Standard 1000 of the Standards requires the following: "The purpose, authority and responsibility of the internal audit activity must be formally defined in an internal audit charter, consistent with the Definition of Internal Auditing, the Code of Ethics, and the Standards. The chief audit executive must periodically review the internal audit charter and present it to senior management and the board for approval."
(For additional information refer to www.theiia.org/guidance/standards-and-guidance/ippf/standards/standards-items.) There is no specific requirement in the ASX CGC Principles or the Listing Rules to disclose the internal audit charter (or whether such a charter exists). However, the commentary to Recommendation 7.2 in the ASX CGC Principles provides that an internal audit activity will generally carry out the analysis and independent appraisal of the adequacy and effectiveness of the company's risk management and internal control system. Irrespective of whether there is a regulatory requirement, a charter greatly assists in driving the internal audit activity and is therefore, in most cases, a useful investment of time and effort.

13. What should be in a charter? Is there a model charter?

The internal audit charter is a formal document that defines the internal audit activity's purpose, authority and responsibility. The charter establishes the internal audit activity's position within the organisation; authorises access to records, personnel and physical properties relevant to the performance of engagements; and defines the scope of internal audit activities. Final approval of the internal audit charter resides with the board. Attribute Standards 1000.A1 and 1000.C1 also provide that the nature of the assurance and consulting services must be defined in the internal audit charter. For a sample internal audit charter refer to www.theiia.org/guidance/standards-and-guidance/auditcommittees-board-of-directors/internal-audit-department-charter.
14. Do the ASX Principles require that the IIA Standards be followed?

The ASX CGC Principles do not explicitly require companies to adhere to the IIA's Standards. However, the commentary to Principle 7 notes that guidance on the internal audit function is found in the Technical Information and Guidance section of the IIA's website. Internal auditing is conducted in diverse legal and cultural environments; within organisations that vary in purpose, size, complexity and structure; and by persons within or outside the organisation. While these differences may affect the practice of internal auditing in each environment, conformance with the IIA's Standards is essential in meeting the responsibilities of internal auditors and the internal audit activity. The Standards also establish the basis for evaluating internal audit performance, and facilitate coordination with the external auditor by ensuring consistency and thus the maximum reliance that can be placed on the results of internal audit procedures. In addition, the IIA's By-Law 104 states that: "All members are bound by the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics, as published. This binding is given authority by the Articles of Agreement for National Institutes, the Constitution, and by applicants for membership signing the membership application form."

15. Is there any minimum amount of expenditure or effort required under the ASX Principles?

No, there is no minimum specified. However, it is prudent for boards, management and audit committees to consider the following factors when allocating resources to an internal audit function:

- Evaluate the results of the entity-level risk assessment. What key risks have been identified, and how should internal audit be involved in those areas? What level of effort does the risk assessment seem to indicate?
- Understand the internal audit investment made by comparable companies. What is the level of expenditure and effort of similarly sized companies in your industry? Are there obvious differences that would support spending less or more (for example, significant differences in business model, organisation, degree of centralisation or decentralisation, regulation, scope of services, etc.)?
- The board's and management's preferences. What role and scope have management and the audit committee established for the internal audit function?
- Past, present and future. Have there been, are there, or will there be events, issues, risks or major changes that would warrant more or less investment in internal audit?
- Other complementary functions. Are there other functions within the company that serve to evaluate key areas and risks objectively, such as quality control and loss prevention; regulatory and legal compliance; risk management and insurance; or operational and financial control units? If so, are these risk mitigation and control efforts already performed to a degree that a professional internal audit function might otherwise perform? Is there an inherent conflict of interest in performance feedback for existing functions?

16. What additional guidance is available for specific industry sectors?

In Australia there are various industry-specific regulators that have made pronouncements relating to internal audit. The majority of such pronouncements have been made in the financial services sector by the Australian Prudential Regulation Authority (APRA). Examples of these pronouncements are provided in Appendix A. It is recommended to check the latest requirements, as these are subject to frequent change.

17. What are the specific requirements for the public sector?

The internal audit requirements in the public sector in Australia are generally more comprehensive and prescriptive than those of the private sector. Key governance requirements are contained in legislation at the Federal, State/Territory and local government levels. These requirements are detailed in Appendix B. It is recommended to check the latest requirements, as these are subject to frequent change.

18. Is there a preferred internal control / enterprise risk management framework to be utilised by the internal audit function?

While responsibility for the risk management framework within an organisation rests with management, the internal audit activity performs an important role in the internal control and risk management framework of an organisation.
The Definition of Internal Auditing and Performance Standard 2120 in the IPPF require the internal audit activity to evaluate the effectiveness of, and contribute to the improvement of, risk management processes. Released in November 2009, ISO 31000 is the first international standard on risk management. Intended for use by the widest range of organisations and practitioners, ISO 31000 is expected over time to acquire subordinate standards and to become universally accepted as the authoritative standard on risk management, replacing existing diverse national or industry-specific standards. The standard is supported by ISO Guide 73, which provides definitions of risk management terms, and ISO/IEC 31010, which provides guidance on the selection and application of risk assessment techniques. Two widely used internal control frameworks are the COSO Integrated Framework and the CoCo Control Framework. Further guidance on internal controls and risk management is available from the following resources:

- IIA (2007): Guidance on implementing Principle 7: Recognise and Manage Risk of the 2007 Edition of the ASX Corporate Governance Principles and Recommendations
- Standards Australia (2006): HB 158-2006 Delivering assurance based on AS/NZS 4360:2004 Risk Management (soon to be replaced with an equivalent handbook based on ISO 31000)
- Group of 100 (2008): Recognise and Manage Risk: A Guide to Compliance with ASX Principle 7
The Internal Audit Profession

19. How is the internal audit profession regulated?

The internal audit profession is not presently regulated by the Australian Federal Government. The IIA is the self-governing professional body; it includes the Internal Auditing Standards Board (IASB), which is charged with evaluating and developing practice standards that are issued in draft form and subject to a public comment period, much like other professional standards and accounting pronouncements. The IIA promulgates internal audit standards and practice advisories. Effective January 2004, the IASB is responsible for revising and updating the International Standards for the Professional Practice of Internal Auditing (the Standards). The Standards are updated to reflect current risk management and governance requirements. Ongoing updates incorporate the numerous comments received through a worldwide solicitation and public exposure process, after which the IASB approves the Standards for implementation. It is worth noting that in some jurisdictions around the world there is a move toward regulation of internal audit. For example, the governments of both Canada and South Africa have introduced regulation relating to the internal audit profession in the government sector. The IIA Standards include a Code of Ethics that members must follow or face disciplinary action, including expulsion.

[Diagram: the profession is self-regulated; role of IIA HQ (IPPF, Standards); role of IIA-Australia (By-Laws)]

20. Is continuing professional education (CPE) required for internal auditors?

All members are required to undertake Continuing Professional Education (CPE) of a minimum of 60 hours every two years, with a minimum of 15 hours in any one year. The requirement differs for certified members (80 hours every two years) and for retired members.
The types of activities that qualify include attendance at technical sessions, seminars and conferences; college or university courses; formal correspondence programs; and reading books, articles and research papers. Full details of the CPE requirement can be found in section 209 of the IIA's Constitution. Attribute Standard 1230 of the Standards also states that internal auditors must enhance their knowledge, skills and other competencies through continuing professional development.
21. Are internal auditors required to be certified?

No. However, the IIA Standards require technical competence and training, which can be demonstrated by various certifications depending on expertise and professional experience. The IIA also sponsors several certifications beyond the CIA, such as:

- CFSA: Certified Financial Services Auditor
- CCSA: Certification in Control Self-Assessment
- CGAP: Certified Government Auditing Professional

Additional internal audit-related certifications supported by other independent professional organisations include:

- CISA: Certified Information Systems Auditor
- CFE: Certified Fraud Examiner

Effective internal audit functions require most existing professionals and new hires to obtain and then maintain at least one certification, including but not limited to the CIA, CPA, CA, CISA and CFE. All certifications require annual CPE training. Skill sets, experience and industry familiarity are crucial in order to exhibit competence, identify and address risks appropriately, and perform in a manner that provides value to the organisation. Strong internal auditors bring together a range of skills, from specialised industry and technical knowledge to seasoned business acumen, and may hold advanced degrees in business administration, finance or even law. It is not uncommon for internal auditors to possess professional designations from disciplines beyond accounting; after all, internal audit functions examine all aspects of a business entity, especially in today's complex business climate. Therefore, while not specifically required or mandated, it is considered best practice for internal auditors to possess and maintain professional certifications applicable to their focus and responsibilities.

22. Are there professional standards that govern the practice of internal auditing?

Internal auditors follow professional standards that advise them how best to perform their work.
The International Professional Practices Framework (IPPF) is a set of authoritative guidance produced by IIA Global which applies to 160,000 internal auditors worldwide. The IPPF includes both mandatory and strongly recommended guidance. The mandatory guidance consists of the Definition of Internal Auditing, the International Standards and the Code of Ethics.
23. Are internal audit functions required to follow the IIA Standards?
All IIA members and Certified Internal Auditors (CIAs) agree to abide by the Code of Ethics, which requires internal auditors to perform internal auditing services in accordance with the Standards. Therefore, the Standards are mandatory for all internal auditors who are CIAs or members of the IIA. This requirement also applies to entities that provide internal auditing services. Many internal audit activities are required by their charters to provide services in accordance with the Standards, and compliance with the Standards is also written into legislation or regulation in some jurisdictions. All internal auditors, whether or not they are members of the IIA, are strongly encouraged to adopt the Standards and the Code of Ethics. Practising professionals usually look to the Practice Advisories for the IIA's recommendations on situations that are not covered directly in the Standards. Concepts of due professional care permeate all practice activity, and apparent violations are investigated by the IIA.
24. What are the IIA Practice Advisories?
Practice Advisories assist internal auditors in applying the Definition of Internal Auditing, the Code of Ethics and the Standards, and in promoting good practices. Practice Advisories address internal auditing's approach, methodologies and considerations, but not detailed processes or procedures. They include practices relating to international, country or industry-specific issues; specific types of engagements; and legal or regulatory issues.
25. Are Australian Auditing Standards relevant to internal auditors?
The primary purpose of Standards issued by the AUASB is to provide guidance to auditors who are professional accountants in public practice. They are not designed to meet the needs of either the internal audit profession or an organisation's internal audit function. Accordingly, while AUASB Standards may provide guidance on generic audit matters, they should not be used as the basis for operating an internal audit function and conducting internal audit activity. The IPPF promulgated by the IIA provides such a basis and is specifically designed to meet the needs of the internal audit profession.
26. What jurisdiction do the ASX and ASIC have over internal auditors?
The ASX and ASIC have no direct jurisdiction over internal auditors. The internal audit profession, like the legal profession, continues to be self-regulated.
27. Can existing employees become internal auditors?
Yes, provided protocols are put in place to ensure independence and objectivity are not compromised. These aspects are covered in the Standards. Transferring employees would be expected to comply with all IPPF requirements, including the Definition of Internal Auditing, the Code of Ethics and the Standards.
28. What personal qualities, knowledge and skills should internal auditors possess?
Internal auditors should possess, and demonstrate through their work, actions and communication, a number of traits, including but not limited to:
- A commitment to, and demonstrated competence in, the field of internal auditing
- A strong financial and operational background in accounting, IT, regulatory compliance or the industry in which the company operates
- Honesty and integrity
- A strong work ethic and attention to detail
In general, internal auditors should develop and maintain a healthy level of professional scepticism, objectivity and independence to assist in evaluating information and making judgements. Additionally, internal audit professionals should possess excellent verbal and written communication skills, and be proficient in negotiating and reasoning with a variety of departments and groups over which internal audit has no formal authority. Finally, personal integrity, professional due diligence and curiosity are important traits for individuals tasked with conducting internal audit work.
29. How much should a company spend on an internal audit function?
The amount invested should depend on the level and complexity of the risks a company faces and the responsibilities given to the internal audit function. IIA Global has identified a general range of between 0.02 percent and 0.14 percent of revenues for an internal audit budget. The percentage is higher for companies with less than $1 billion in annual revenues. This covers a very broad range of companies in many different industries and of varying sizes. However, the cost should be driven by the risk and complexity of the overall business environment, including potential exposures to business failure. General guidance from The IIA Global Audit Information Network (GAIN) Report is illustrated below.
There are well-established practices and benchmarks tracked by The IIA that provide average internal audit costs based upon revenue, although these often vary by industry (e.g., banking versus manufacturing or high-tech). Although these are estimates, they provide a general guideline for expenditure and number of auditors. Keep in mind that these figures represent average internal audit costs of in-house resources; depending on the strategy, risks and scope of the internal audit work, it is not uncommon for costs to fluctuate based upon significant events or changes that expose an organisation to additional risks. Again, the costs, focus and size of an internal audit function should be tailored to each company's individual needs.
Average Audit Costs by Company Revenue Size ($USD)
Revenue Range | Average Audit Staff Count | Average Revenue (Millions) | Average Internal Audit Cost (Thousands) | Average Internal Audit Cost as % of Revenue
under $500M   | 8.89   | 274    | 948    | 0.41%
$500M - $1B   | 6.96   | 736    | 929    | 0.13%
$1B - $5B     | 14.35  | 2,446  | 2,123  | 0.09%
$5B - $15B    | 39.29  | 8,550  | 5,310  | 0.06%
$15B - $25B   | 41.67  | 18,507 | 6,960  | 0.04%
over $25B     | 107.34 | 69,099 | 19,519 | 0.03%
Source: IIA Global Auditing Information Network (GAIN) 2006 survey; includes the results of 662 companies. For more information, visit www.gain2.org.
30. Are there industry groups for internal auditors?
The IIA is the professional body for all internal auditors. There are also a number of self-organised interest groups in areas including:
- Financial services
- Universities
- Local government
- State government
- Credit unions and mutuals
Their size and degree of formality vary widely.
31. Isn't internal auditing a duplication of what external auditors do?
No, not at all. Internal auditors are often confused with external auditors, but there are significant differences between the two groups. Internal auditors look at all the risks facing an organisation and what is being done to manage those risks. External auditors, on the other hand, look at financial risks and the financial accounts.
32. How is independence achieved if internal auditors are appointed by management?
Internal audit must be structurally independent and free from coercion by management to be effective in its role. Accordingly, appropriate reporting lines for the activity and the CAE must be in place to achieve independence. Functional reporting to an appropriately constituted audit committee on key issues ensures that the CAE is able to report objectively, without fear or favour, knowing that action will be taken by the governing body if required. In particular, the IIA recommends that where an effective and appropriately structured audit committee is in place:
- Hiring and firing of the CAE should be a decision reserved by the governing body on recommendation of the audit committee
- Remuneration of the CAE should be a decision reserved by the audit committee
- The scope and budget of internal audit should be a decision reserved by the audit committee on recommendation of the CAE
- All internal audit work should be required to be reported to the audit committee, and the audit committee should periodically request confirmation that all required reports have been tabled
- The audit committee should meet privately during the year with the CAE, and should also meet at least annually with the CAE without management present
33. What role and responsibility do internal auditors have for fraud?
Performance Standard 2120.A2 in the Standards requires the internal audit activity to evaluate the potential for the occurrence of fraud and how the organisation manages fraud risk, while Performance Standard 2210.A2 requires consideration of the probability of fraud when developing engagement objectives. In addition, Attribute Standard 1210.A2 provides the following: Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud. There is also a Practice Guide, Internal Auditing and Fraud, published by IIA Global in December 2009, that outlines typical roles and responsibilities for fraud management and detection.
34. Are there university programs in internal auditing?
Internal auditors are in high demand, as companies are rapidly addressing financial and other business risks. Internal auditing concepts may be incorporated into general accounting, auditing and corporate governance subjects in Australian universities, although a career in internal auditing is possible through a broad range of educational backgrounds. Deakin University commenced a Graduate Certificate of Internal Audit (GCIA) in 2010, which is available off-campus and on a part-time basis.
The GCIA is a professionally oriented course, aligned with the IIA's professional development program. The overall aim of the course is to give graduates a solid understanding of internal audit and risk. It will enable graduates to enter the profession and undertake the CIA examinations. At present, the GCIA is the only award program in Australia specifically provided for graduates who wish to undertake the CIA professional qualification and develop a career in the highly regarded global profession of internal audit.
35. How do we start an internal audit function?
A suggested set of guidelines for starting an internal audit function includes:
- Clarify expectations with senior management, the board and the audit committee, including required ASX Listing Rules and best practice Principles. Non-ASX-listed organisations should consider voluntary compliance
- Develop an audit charter, with audit committee input and approval
- Consider the appropriate budget and staffing model (e.g., in-house, co-sourced or outsourced). As part of this process, research actions taken by similar companies in your industry
- Formulate the reporting responsibilities of the internal audit function
- Identify the universe of auditable entities within the organisation
- Complete an initial risk assessment with company management and audit committee involvement. Consider using recognised approaches and frameworks for this effort, such as the COSO Internal Control and COSO Enterprise Risk Management frameworks
- Develop an internal audit plan, responsive to the risk assessment
- Plan and execute the audit work called for in the audit plan, including a system to monitor and follow up on audit recommendations
- Update the risk assessment for changing circumstances during the year
- Continuously enhance and modify the internal audit function to meet the changing needs of management and the audit committee
Refer to www.theiia.org/guidance/additional-resources/establishing-an-audit-shop for a listing of 16 steps, developed by The IIA, for creating an internal audit function.
36. How should an internal audit function be staffed?
Internal audit functions must be resourced adequately to ensure an effective evaluation of internal controls and associated risks, and execution of the internal audit plan, to provide the assurance desired by the company's directors. The annual audit plan is based upon a risk assessment at both the entity and process levels, and should be approved by the audit committee and board. Companies should look to their individual risk profiles to drive staffing decisions. A business facing a significant number of risks, or particularly complex risks, will require a range of specialists and expertise. Most internal audit departments are headed by a chief audit executive and include layers of staff such as managers, senior auditors and auditors. Yet many companies also rely on other in-house professionals or tap into the specialised skill sets of outside providers.
37. To whom should the head of internal audit report?
The IIA Policy Agenda lists five policies developed by the IIA that are applicable to all organisations, irrespective of industry sector. The third principle states that reporting lines for the head of internal audit should be appropriate. Furthermore:
- Principle 3.4 states that all internal audit work should be required to be reported to the audit committee, and the audit committee should periodically request confirmation that all required reports have been tabled.
- Principle 3.5 states that the audit committee chair should meet privately during the year with the head of internal audit, and the audit committee should also meet at least annually with the head of internal audit without management present.
Unlike the company's external audit firm, which is effectively hired by and reports to shareholders, internal audit has a broader role to play, serving as a resource for both the audit committee and company management. Though this dual reporting is a somewhat sensitive arrangement and can be tricky in practice, it nevertheless provides important benefits to the company as a whole, including helping to achieve its overall corporate governance objectives as well as management's objectives for reliable financial reporting, compliance with applicable laws and regulations, and efficiency and effectiveness of operations (the COSO objectives of internal control).
38. Can employees in the company participate in internal audits?
Yes, as long as the employee is able to maintain objectivity. Many companies use management-training programs, employees with specific experience or guest internal auditor programs as part of resource planning. Some organisations have established two- to four-year rotation programs to help management better understand the internal control environment and other operational areas, and to provide individuals with management-training experience and career progression. We believe this type of flexibility and training enhances organisational understanding of risk management and internal control systems, and motivates program candidates to strive for excellence.
Conversely, internal audit management should be aware, in every instance, of the conflicts of interest that arise naturally from such relationships when considering these candidates for potential positions in operations. For example, individuals who join the internal audit department from an existing corporate function may have a conflict of interest that precludes them from auditing their former colleagues. Another situation is the natural tendency of a rotating internal auditor to hold a favourable bias when evaluating a business unit or function in which he or she may be seeking a full-time position.
39. What are the pros and cons of outsourcing/co-sourcing internal audit?
Throughout the 1980s, most company internal audit functions were staffed primarily in-house with full-time, dedicated employees. This structure worked adequately and can still be effective today, but only if the full-time internal auditors possess all of the skills needed to address the key business risks faced by the organisation. If this is not the case, then the internal audit function places its employer at risk by not being able to adequately address the key risks it has been asked to audit. During the 1980s, the concept of core competency gained more attention. Companies evaluated many of their business functions and the potential for outsourcing them. Payroll, benefits, real estate, printing, information systems operation and maintenance, and even aspects of design or manufacturing, among other functions, were considered. Many companies found clear and tangible benefits, a positive return on investment (ROI) and improved service levels as a result of outsourcing. In some cases, capital expenditure was reduced and the cost of these functions became variable rather than fixed.
Internal audit functions were a part of this analysis, and several new internal audit outsourcing and co-sourcing organisations, including the large accounting firms, created new structures to provide such services. Today, all businesses, government and not-for-profit organisations face a myriad of risks due to the dynamic climates in which they operate: new and fast-changing regulations; significant technology-related risks such as security, business continuity, and application and data integrity; and heightened instances of, or opportunities for, fraud and abuse. Internal audit professionals must be able to address, react to and effectively audit and report on this more complex and faster-changing risk universe. Given this dynamic risk environment, it is unlikely that a majority of internal audit functions have the in-house capability to adequately address every risk they and their organisations must face. Thus contracting, partnering or working with outside organisations that can provide specialised resources improves an internal audit function's ability to address risks and meet customer expectations. Additionally, these co-sourcing arrangements often assist in the transfer of knowledge to in-house resources, raising the level of competency of the function's full-time employees. Likewise, many listed companies working with the new ASX Principles, and for that matter companies on other exchanges, large and diverse private companies, and even governmental entities and not-for-profit organisations, may find that full or partial outsourcing of their internal audit functions makes sense, is cost-effective and provides significant short- and long-term benefits. Benefits of outsourcing include:
- Quick start-up of the function and execution of work, including already-developed methodologies and audit tools provided by the outsourcing organisation
- A variable cost arrangement rather than a fixed cost function
- Access to a greater number and range of resources than the organisation would have on its own
- Potentially greater objectivity and independence
Ultimately, it's not a matter of what the pros and cons of outsourcing are, but a matter of asking:
- If we currently do not have an internal audit function, are we better off taking the time and effort to start our own in-house internal audit function? Or should we initially outsource it to gain quick start-up and access to a greater level of expertise and a broader level of resources, and then monitor this decision and delivery model to ensure it is effective?
- If we already have an internal audit function, do we have the resources we need to effectively address all of the key risks we face and in which internal audit should be involved? Do we need to have all of these resources in-house all of the time? Might we be better off considering an arrangement to have one or more outside organisations assist us with addressing our risks?
There are many excellent internal audit functions consisting primarily of in-house, fully dedicated employee resources. What makes these functions most valuable, effective and appropriate, however, is a recognition of their own limitations. Many large internal audit functions (greater than 25 full-time employees) recognise they do not have, nor do they need, all of the right resources all of the time, because to do so can be cost-prohibitive in today's complex business environment. They also understand that various forms of co-sourcing arrangements have benefited them greatly, along with the companies, management and audit committees they serve.
40. Where do I get more information on internal auditing?
The primary information resource on internal auditing is The IIA. Other sources include consulting companies, various online information portals and universities with related programs. There are additional resources of internal audit information on the web, including www.knowledgeleader.com, an online subscription-based repository from Protiviti (with free trials) that provides practice guidance, topical work programs and white papers on internal audit, business risk and technology risk.
The Process of Internal Auditing
41. How is internal audit work actually performed?
Once a company forms an internal audit function, completes the risk-assessment process and develops an internal audit plan that is responsive to the risk assessment, it can initiate individual internal audit assignments. A framework for initiating and executing internal audit projects should include the following actions:
- Confirm the audit assignment (timing, purpose, scope, etc.) with the area or process to be audited (in some cases, it may be appropriate not to announce the audit, but to perform the work on a surprise or unannounced basis).
- Complete appropriate planning for the audit assignment. This can include the following:
  - Risk assess the specific area to be reviewed
  - Develop a written work program
  - Agree on scope, locations, sample sizes and period under review
  - Develop a report format that will be effective
  - Request and receive certain advance information from the area to be reviewed
  - Access operating information, performance measures, etc., on the area to be reviewed
  - Review any prior audits of this area by internal audit or other parties such as regulators, external auditors, consultants, etc.
  - Hold joint planning discussions with management and process owners of the area to be reviewed to obtain their areas of interest and concern
  - Consider whether self-assessment activities would be helpful
  - Gather outside information on best practices
  - Identify the internal audit resources to be assigned to the audit and ensure they have an appropriate level of experience and competency
  - Determine whether outside resources or guest auditors should be utilised, including information technology resources
  - Consider formal entrance and closing meetings
- Execute the actual internal audit work, including testing methods such as inquiry, observation, examination and re-performance. Discuss and clear items noted and potential findings with management and process owners.
- Develop a report or other appropriate communication method responsive to the work completed and findings made. Example report areas which might be considered include:
  - Executive summary of major issues and findings
  - Background, objectives and scope
  - Audit findings with supporting root cause analysis, management's response and plan for addressing the audit findings (ensure that management's response/action plans address the audit findings)
  - Other analysis and information, including appendices
  The actual format of internal audit reports may vary between companies. What is most important is to create an approach that is effective at communicating key issues and achieving positive change and resolution of the issues reported. For example, some companies may find that single-page reports are effective. Others may find that management should respond separately from the audit report itself. One size does not fit all. In addition, circulation of a draft report for discussion is often an appropriate and effective approach to refine wording and ensure the accuracy of all information in the report.
- Develop an effective method for tracking and following up on audit findings and agreed-upon actions by management. This may include recording all findings in a database, scheduling follow-up audits or conference calls, or requesting status updates from the auditee. It may even include management of the area audited reporting to senior management and the audit committee. Internal audit should also determine the extent to which resolution of audit findings should be validated independently.
Again, there is no one-size-fits-all approach to the execution and completion of internal audit work. Internal audit leadership, management and the audit committee should work together to create an approach that is most effective for their respective organisations. The IIA Standards and Practice Advisories can also provide guidance and a framework to follow.
42. Should an internal audit function consider information technology risks?
Absolutely. In fact, not considering the impact of information technology will result in an incomplete or less-than-effective internal audit function.
An internal audit function should be driven by risk, and technology in today's business has a direct relationship to risk. Technology both enables key controls in a business process or function and brings with it certain inherent risks that surround its use. Technology enables controls such as segregation of duties and limiting the execution of transactions to only those intended by management (through application security and its appropriate administration). In addition, technology provides critical controls through the programmed logic in applications, which validates transactions, performs calculations accurately and completely, and handles error and reasonableness checks. The inherent risks around technology include the security of the company's networks, systems and data, which are subject to internal and external threats from hackers, disgruntled employees, corporate espionage and individuals who may want to disrupt the business or learn its secrets. Other inherent risks include the introduction of viruses or other malicious programs into the computing environment, which may cause business interruption or corruption of programs or data, and failing to have the appropriate technology to meet the needs of the organisation. Therefore, information technology is an integral part of any internal audit function's focus and capability. Generally speaking, all internal audit functions should have a measurable part of their activities concentrated on information technology-related risks and issues. These activities should include stand-alone initiatives and initiatives that integrate technology risks and controls into the business-process audit work. In certain instances the entire business process may be automated, and the business-process audit would therefore relate entirely to the technology involved. Coordinating these efforts with the company's CIO is critical.
Given the breadth and rapid change of technology and its related risks, internal audit functions should consider what outside resources, if any, are needed to supplement their own skill base in this area. In some cases, it may be prudent to avoid increasing full-time staff levels for certain forms of information technology risks and issues, and instead rely on outside resources for recurring assistance.
43. What types of IT audit skills should be included in an internal audit department?
While the specific skills required for IT audit may differ by industry and by an entity's applications, there are a number of technology skills customarily needed in an IT audit department:
- Application risk and controls skills. Knowledge of how applications function is critical. Applications have programmed procedures and logic that provide for control and operation. Critical programmed controls include data validation and error-checking routines, reasonableness checks around certain key processing points, logical segregation of duties, and limitations on who can initiate and view transactions. Skills are needed in understanding how these programmed controls interact with manual procedures. In addition, industry-specific and ERP-specific application skills are needed to audit industry-specific and ERP applications.
- Technology component skills. These include knowledge of critical technology infrastructure such as networks, databases and platforms. A number of these areas carry complex security requirements, and assessing them requires a high level of technical skill.
- IT process skills. The IT processes within an IT organisation are important to the proper functioning of its technologies, and auditing them requires process skills. These processes include security administration in both the application and technical component areas, business-continuity and disaster-recovery planning, data-centre operations, application change management, infrastructure change management, asset and service management, and several others.
- Data mining and analysis skills. Data mining enables auditors to discover meaningful correlations and identify patterns and trends in large volumes of data. Analysis of data trends and patterns plays a vital role in the detection and deterrence of fraudulent activity.
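As an added example, not taken from this guide, the Python script below shows the kind of data-analysis test an IT auditor would run over an accounts-payable extract. It exercises two of the points made above: the application controls around segregation of duties and who may initiate and approve transactions (Q42), and the data mining and analysis skills listed in Q43. The extract, its column names, the vendor names, the business-hours window and the 30-day duplicate window are all constructed assumptions for illustration, not the format of any real system.

```python
"""Audit analytics over a constructed accounts-payable extract.

Added example; not from the guide. The extract format (columns below),
the vendor names and all thresholds are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample extract: one payment per line (not real data).
SAMPLE_EXTRACT = """\
payment_id,vendor,invoice_no,amount,created_by,approved_by,posted_at
P001,Acme Supplies,INV-1001,4200.00,jsmith,mlee,2010-03-01 10:15
P002,Acme Supplies,INV-1001,4200.00,jsmith,mlee,2010-03-04 09:02
P003,Globex Pty Ltd,INV-77,15800.00,rchan,rchan,2010-03-05 16:40
P004,Initech,INV-2050,990.00,jsmith,mlee,2010-03-06 02:13
P005,Initech,2050,990.00,tnguyen,mlee,2010-03-08 11:30
P006,Acme Supplies,INV-1002,250.00,jsmith,mlee,2010-03-09 14:00
"""


def load_extract(text):
    """Parse the CSV extract into dicts with a typed amount and timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["amount"] = round(float(row["amount"]), 2)
        row["posted_at"] = datetime.strptime(row["posted_at"], "%Y-%m-%d %H:%M")
        rows.append(row)
    return rows


def normalise_invoice(invoice_no):
    """Canonical invoice key so 'INV-2050' and '2050' compare equal."""
    key = "".join(ch for ch in invoice_no.upper() if ch.isalnum())
    return key[3:] if key.startswith("INV") else key


def sod_breaches(rows):
    """Segregation-of-duties test: the same user both created and approved a payment."""
    return [r["payment_id"] for r in rows if r["created_by"] == r["approved_by"]]


def duplicate_payments(rows, window_days=30):
    """Potential duplicates: same vendor and amount, posted within window_days.

    Each hit is (earlier_id, later_id, same_invoice), where same_invoice is
    True when the normalised invoice numbers also match.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["amount"])].append(r)
    window = timedelta(days=window_days)
    hits = []
    for group in groups.values():
        group.sort(key=lambda r: r["posted_at"])
        for i, first in enumerate(group):
            for later in group[i + 1:]:
                if later["posted_at"] - first["posted_at"] <= window:
                    same_inv = (normalise_invoice(first["invoice_no"])
                                == normalise_invoice(later["invoice_no"]))
                    hits.append((first["payment_id"], later["payment_id"], same_inv))
    return hits


def out_of_hours(rows, start_hour=7, end_hour=19):
    """Payments posted on a weekend or outside the assumed business-hours window."""
    flagged = []
    for r in rows:
        ts = r["posted_at"]
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            flagged.append(r["payment_id"])
    return flagged


def run_tests(text=SAMPLE_EXTRACT):
    """Run all three tests and return the exceptions for the auditor's workpapers."""
    rows = load_extract(text)
    return {
        "sod_breaches": sod_breaches(rows),
        "duplicate_payments": duplicate_payments(rows),
        "out_of_hours": out_of_hours(rows),
    }


if __name__ == "__main__":
    for test_name, exceptions in run_tests().items():
        print(f"{test_name}: {exceptions}")
```

Each exception the script returns is a lead for follow-up by inquiry and examination, not a conclusion: P003 is a payment approved by its own creator, the two pairs are candidate double payments (the second pair only matches once the invoice reference is normalised, which is why the test does not key on the raw string), and P004 was posted at 02:13 on a Saturday. In practice the same tests are run over the full year's extract and the thresholds are agreed with management during planning.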
To a degree, all internal auditors should have a base-level capability in information technology risks and controls. In many cases, deeper specialists are needed for specific applications, ERP systems and specific component (network, database, infrastructure security) reviews. In these cases, many organisations choose to develop an information technology specialty practice within their department, given the magnitude and recurring nature of certain information technology-related issues and risks. Again, internal audit functions should evaluate the depth, breadth and frequency of their information technology audit resource needs, and consider when and how external resources and organisations can be of assistance to achieve the best balance of people and skills to address information technology risks and issues.
44. Should internal audit reports provide a rating?
While not universal, it is common for internal audit reports to provide some form of qualitative or quantitative rating associated with the subject matter of the audit. Ratings can be attributed to individual findings or to the overall area subject to review. The most common forms of rating model include:
- A rating based on the perceived level of risk to the organisation. Using this approach, individual issues are often assigned a High, Medium or Low risk ranking based on the nature of the findings and the potential impact on the organisation.
- A rating based on control effectiveness. This model focuses on evaluating the effectiveness of internal controls or processes and assigning a rating to reflect the findings arising from the internal audit review. Such ratings are typically categorised in terms such as Highly Effective, Effective, Partly Effective or Not Effective. Some organisations use a capability maturity model to rank the maturity of internal control.
Some rating models combine an assessment of control effectiveness and risk, given the interrelationship between these concepts.
Rating systems have benefits in that they aid comparability of the quality of internal controls across different areas of the organisation. However, there are a number of important aspects to be considered before a rating system is adopted:
- Limitations in relation to the scope and/or nature of the internal audit work conducted may reduce the ability of the internal auditor to reliably determine a rating. This needs to be carefully considered, as ratings based on limited testing could result in inappropriate conclusions being drawn
- The criteria used to determine ratings should be clearly defined and articulated. Rating levels should use consistent terminology and reflect relevant business objectives
- Any rating model should be understood by management and approved by the audit committee
The use of ratings in internal audit reports is not an exact science; it is primarily intended to improve the usefulness of reports and help focus attention on key areas. Use of such a model should be considered in the context of the organisational culture, the requirements of key stakeholders and the expectations placed on the internal audit function.
45. What is control self-assessment (CSA)?
CSA is a process through which internal control effectiveness is examined and assessed by management. The objective is to provide reasonable assurance that all business objectives will be met. Responsibility for the process is shared among all employees in an organisation. CSA is conducted within a structured environment in which the process is thoroughly documented and is repeated as an incentive for continuous improvement.
The CSA process allows management and the work teams directly responsible for a business function to:

- Participate in the assessment of internal control
- Evaluate risk
- Develop action plans to address identified weaknesses
- Assess the likelihood of achieving business objectives

The IIA believes CSA is a process that generates information on internal control that is useful to management and internal auditors in judging the quality of control. It can also have a positive influence on the control environment: as operating staff buy into the process, control consciousness increases.

46. Is there a standard definition for internal controls?

There are a number of acceptable definitions of internal control. These include guidance provided by COSO (US), the Turnbull Guidance on the Combined Code (UK) and CoCo (Canada).

COSO Internal Control Integrated Framework

The ASX has acknowledged that the COSO framework is a suitable framework for the purposes of evaluating internal control. Under COSO, internal control is a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
COSO Internal Control Integrated Framework: Key Concepts

- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organisation.
- Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.

Internal control consists of five interrelated components. These are derived from the way management runs a business and are integrated with the management process. Although the components apply to all entities, small and midsize companies may implement them differently than large ones. Although its controls may be less formal and structured, a small company can still have effective internal controls. The components are:

- Control Environment: sets the tone of an organisation, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
- Risk Assessment: the entity's identification and analysis of relevant risks to the achievement of its objectives, forming a basis for determining how the risks should be managed.
- Control Activities: the policies and procedures that help ensure management directives are carried out.
- Information and Communication: the processes and systems that support the identification, capture and exchange of information in a form and time frame that enable people to carry out their responsibilities.
- Monitoring: the processes that assess the quality of internal control performance over time.
Turnbull Guidance on the Combined Code

In a 2005 report entitled Internal Control: Revised Guidance for Directors on the Combined Code, the guidance sets out the elements of a sound system of internal control, including the following key components.

An internal control system encompasses the policies, processes, tasks, behaviours and other aspects of a company that, taken together:

- Facilitate its effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieving the company's objectives. This includes the safeguarding of assets from inappropriate use or from loss and fraud, and ensuring that liabilities are identified and managed.
- Help ensure the quality of internal and external reporting. This requires the maintenance of proper records and processes that generate a flow of timely, relevant and reliable information from within and outside the organisation.
- Help ensure compliance with applicable laws and regulations, and also with internal policies with respect to the conduct of business.

A company's system of internal control will reflect its control environment, which encompasses its organisational structure. The system will include:

- Control activities
- Information and communications processes
- Processes for monitoring the continuing effectiveness of the system of internal control

The system of internal control should:

- Be embedded in the operations of the company and form part of its culture
- Be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment
- Include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified, together with details of corrective action being undertaken

CoCo Guidance on Control

The Criteria of Control Board of the Canadian Institute of Chartered Accountants (CoCo) issued Guidance on Control in 1995.
Guidance on Control provides a framework for making judgements about control and stipulates that control comprises all elements of an organisation, including its resources, systems, processes, culture, structure and tasks, that, taken together, support people in the achievement of the company's objectives.

47. Are internal auditors required to follow COSO?

No. However, the ASX recognises that the COSO framework is suitable and available for management's assessment of internal control over financial reporting. Further, the COSO framework has clearly emerged as the framework of choice in the United States.
48. Are there specific performance measures for internal auditing?

Like any function or process within an organisation, appropriately developed performance measures help to drive results, performance, quality and continuous improvement. Internal audit should not be immune from having its own set of performance measures or key performance indicators. Example performance measures for internal audit could include:

Quality
- Customer/process-owner satisfaction scores from auditees
- Audit committee and management evaluation scores
- External audit evaluation score from the company's external auditor
- Upward feedback scores on the chief audit executive and internal audit managers from internal audit staff
- Percentage of internal audit staff with CIA or other relevant certifications
- Performance evaluation scores on internal audit staff
- Control breakdowns/deficiencies in areas recently reviewed by internal audit
- Internal control scorecard results by major area within the company
- Results of internal and independent quality assurance reviews

Cost
- Fully loaded internal audit cost as a percentage of company revenues and assets
- Actual and average cost per internal audit report
- Average cost per internal auditor
- Cost per audit hour in total
- Cost per audit hour based upon actual audit work only, excluding administration
- Travel costs of the internal audit function and average cost per trip
- Training cost and training cost per auditor
- Technology licensing costs and other outside costs
- Costs related to use of outside resources

Timeliness
- Report cycle time from completion of fieldwork to issuance and finalisation of the report
- Budgeted hours versus actual hours by individual audit
- Percentage of audits called for in the audit plan that are not yet complete
- Unresolved/incomplete recommendations from prior audit reports
- Average length of audit assignment in person hours or weeks
- Major risk areas not audited in the last year
- Ageing/status of open, unresolved audit findings (especially those beyond their due date)
Other
- Degree of reliance on internal audit work by the external auditor
- Turnover rates
- Percentage change rate in the annual audit plan
- Percentage of assets, revenues, locations, business units, etc., covered by the internal audit plan
- Linkage of key risks to specific skills of the internal audit team
- Proportion of IT-related audit work to total audit effort

A selected number (say six to 12) of key performance measures should be agreed upon between internal audit, the audit committee and management. Having too many measures is not productive in the long run, nor is using too few. A balanced scorecard of measurements focusing on cost, quality and timeliness will help to drive the most effective result for a company. Of course, companies should develop their own specific measures that best meet their needs. Reporting these measurements at least annually is appropriate in some cases; however, certain measurements might be reported at each audit committee meeting, or otherwise more frequently than once a year.
Management and Audit Committee Considerations

49. How can management utilise internal audit most effectively?

Internal audit represents a valuable resource to management as it seeks to meet business objectives, and especially as it relates to the objectives of internal control: efficiency and effectiveness of operations, reliability of financial reporting, compliance with applicable laws and regulations, and the safeguarding of assets. Each company's internal audit function possesses unique individuals, skills and competencies, which management needs to understand and then use effectively in helping meet its objectives. Internal audit should not be a function for the exclusive use of the audit committee. An internal audit function, by its very nature of being internal, is a part of management's system of internal control and thus should be an asset and tool for management. While the charter of, need for and capability of each company's internal audit function will vary, management may find the following suggestions helpful in determining how best to leverage internal audit resources to achieve strong, well-designed and effective risk management, internal control and corporate governance processes:

- Utilise internal audit resources as part of the company's enterprise-wide risk assessment/management process to identify, source, measure, prioritise, and develop a plan to address and manage the most significant business risks it faces in achieving its business objectives
- Provide key input to the internal audit function in the development of the annual internal audit plan and changes to the plan during the year, to focus limited resources on the risks and areas of greatest importance
- Discuss and develop plans for internal audit to assist in the company's efforts to comply with the ASX Principles
- Consider how the internal audit function might be used as a rotational management-training program for company employees. Also, consider how guest auditor and short-term temporary assignments of employees can provide needed specialised skills to the function.
- Evaluate and discuss with internal audit the need to supplement its resource base and skill sets with outside resources
- Support the function in connection with its key findings, and its plan for process owners to make changes and improvements to address internal control and process issues and deficiencies
- Visibly support and encourage the mission and efforts of the internal audit function with an appropriate tone at the top throughout the company
- Work closely with the audit committee to help ensure the internal audit function remains objective and adds value to the organisation
50. What is an audit committee's role with respect to an internal audit function?

Many of the recent Australian corporate governance pronouncements refer specifically to the need for an audit committee, vis-à-vis the need for an internal audit function. Although the exact nature, charter, scope and reporting lines of internal audit may vary between companies, the audit committee plays a key role in supporting and overseeing aspects of an internal audit function's activities. While needing to ensure it does not assume day-to-day oversight activities on behalf of management or the internal audit function, the audit committee generally should be involved in the following matters:

- Provide input to and approve the written charter for the internal audit function, including its periodic review and updating
- Understand, discuss and approve the company's risk assessment and resulting internal audit plan. As appropriate, review, discuss and approve changes to the audit plan during the year
- At least annually, evaluate the internal audit function in relation to meeting the needs of the company and the audit committee, including compliance with its written charter
- Hold executive sessions with the company's chief audit executive
- Provide input and direction as to the appropriate escalation protocols for significant findings and issues
- Review, discuss and approve the compensation of the CAE, any changes therein, and the hiring or termination of the CAE
- Understand, discuss and approve the funding level for the internal audit function, and discuss its appropriateness and adequacy with management and the CAE
- Review the ongoing activities of the internal audit function, including its reports, and inquire as to any other matters that should be brought to the committee's attention
- Direct the internal audit function, as necessary, to perform special reviews on behalf of management or the audit committee, including investigations of fraud or suspected fraud
- Participate with internal audit to design and provide control, governance and ethics training to employees

While the above listing is not intended to be all-inclusive, it provides reasonable overall guidance. Each audit committee should discuss, with input from management, the role it should play in connection with the company's internal audit function. Of course, the requirements of all related regulations and stock exchange listing standards relating to audit committees should be followed.

51. Should executive sessions (without management present) be held with the internal auditors as part of an audit committee meeting?

Yes, we believe that executive sessions are beneficial to the audit committee and the company as a whole in furthering effective corporate governance. Our experience is that most high-performing audit committees already allow for such executive sessions (one each for the external and internal auditors) and that it is a best practice. Further, we believe that executive sessions should be a standing part of the audit committee's regular agenda, whether or not there are specific matters or concerns that the internal audit function would like to communicate. In this way, there is no perceived pressure or awkwardness when, during an audit committee meeting, the CAE calls for an executive session with the committee.
52. What should internal audit report to the audit committee?

The appropriate reporting by internal audit will vary considerably from company to company based on a number of factors, including the charter and scope of the function, the frequency and length of audit committee meetings, the amount of material provided and communications between meetings, as well as the actual issues arising at the company. However, as a guide, it might be logical to expect the following information to be reported to the audit committee by internal audit (assuming that meetings are conducted quarterly):

- Activities and audits completed during the last quarter
- Presentation and discussion of key findings from audits recently completed
- Status of past audit recommendations requiring resolution
- Planned activities for the next quarter
- Any reported instances of fraud and internal audit's role in investigating such fraud
- In highly regulated environments, the results of recently completed audits by outside regulatory agencies
- Depending on the role and scope of internal audit, a status report on calls received from the company's whistleblower hotline
- An update on any new risks, issues or matters facing the company that internal audit feels should be addressed, and whether or not the current internal audit plan should be modified to take these new risks, issues and matters into consideration
- Other matters specifically requested by management or the audit committee

Every audit committee meeting presents an opportunity for internal audit to assist in educating the committee on timely issues and current matters. As an example, it might be appropriate for internal audit's presentation to include educational materials, articles and white papers for later reading by both management and the audit committee. The internal audit function adds considerable value in reporting its findings, observations and viewpoints to management as well as to the audit committee.
Though management is often present at audit committee meetings, there should also be more frequent, in-depth and informal communication between internal audit and company management. Internal audit should not be viewed solely as an instrument of the audit committee. In management's ongoing efforts to meet objectives related to risk management, controls and corporate governance, it should be working closely with internal audit.

53. How should the audit committee evaluate the effectiveness of the internal audit function?

Attribute Standard 1320 of the IIA Standards requires the CAE to communicate the results of the quality assurance and improvement program to senior management and the board. The form, content and frequency of communicating the results of the quality assurance and improvement program are established through discussions with senior management and the board, and take into account the responsibilities of the internal audit activity and the CAE as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics and the Standards, the results of the external (Attribute Standard 1312 and Practice Advisory 1312-1) and periodic internal (Attribute Standard 1311 and Practice Advisory 1312-2) assessments are communicated upon completion of such assessments, and the results of ongoing monitoring are communicated at least annually. The results include the reviewer's or review team's assessment with respect to the degree of conformance.
54. Should internal audit functions receive a quality assurance review (QAR) periodically?

Attribute Standard 1312 in the IIA Standards requires the following: External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organisation. The chief audit executive must discuss with the board:

- The need for more frequent external assessments
- The qualifications of the external reviewer or review team, including any potential conflict of interest

In addition, the chief audit executive may only state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing if the results of the quality assurance and improvement program support this statement.
External Auditor Considerations

55. Can we use our external auditors to perform internal audit work?

The APES 110 Compiled Code of Ethics for Professional Accountants, issued by the Accounting Professional and Ethical Standards Board, provides a conceptual framework for professional accountants in public practice to identify, evaluate and address threats to independence. Specific guidance in relation to the provision of internal audit services to audit clients is provided in paragraphs 290.181 to 290.186. Paragraph 290.184 provides the following:

"Performing a significant portion of the Audit Client's internal audit activities may create a self-review threat and a Firm, or Network Firm, should consider the threats and proceed with caution before taking on such activities. Appropriate safeguards should be put in place and the Firm, or Network Firm, should, in particular, ensure that the Audit Client acknowledges its responsibilities for establishing, maintaining and monitoring the system of internal controls."

The IIA is of the view that performance of internal audit by the external audit firm is likely to compromise the independence of the internal audit work and advice, and hence should be avoided.

56. Can external auditors rely on the work of internal auditors in connection with their financial statement audit?

Auditing Standard ASA 610 Using the Work of Internal Auditors, issued by the Auditing and Assurance Standards Board, provides the requirements for the external auditor to:

- assess the internal audit activity
- determine the extent of reliance to be placed on work performed by the activity
- document the conclusions reached on the work of internal audit, and
- document the audit procedures performed by the external auditor on that work.

For example, in determining whether and to what extent to use the work of internal auditors in connection with the financial statement audit, paragraphs 8 and 9 of ASA 610 provide the following:

8. The external auditor shall determine:
(a) Whether the work of the internal auditors is likely to be adequate for purposes of the audit; and
(b) If so, the planned effect of the work of the internal auditors on the nature, timing or extent of the external auditor's procedures.

9. In determining whether the work of the internal auditors is likely to be adequate for purposes of the audit, the external auditor shall evaluate:
(a) The objectivity of the internal audit function
(b) The technical competence of the internal auditors
(c) Whether the work of the internal auditors is likely to be carried out with due professional care
(d) Whether there is likely to be effective communication between the internal auditors and the external auditor
57. Do all internal audit reports need to be reviewed by the external auditor?

There is no mandatory requirement in Australia for external audit to review all internal audit reports. However, Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, issued by the Auditing and Assurance Standards Board, requires the following:

23. If the entity has an internal audit function, the auditor shall obtain an understanding of the following in order to determine whether the internal audit function is likely to be relevant to the audit:
(a) The nature of the internal audit function's responsibilities and how the internal audit function fits in the entity's organisational structure; and
(b) The activities performed, or to be performed, by the internal audit function.

Given that internal and external audit should be collaborating and coordinating their efforts as far as practicable and feasible, it is accepted that external audit should have free access to internal audit reports.
About Protiviti

Protiviti (www.protiviti.com.au) is a global business consulting and internal audit firm composed of experts specialising in risk, advisory and transaction services. We help solve problems in finance and transactions, operations, technology, litigation, governance, risk, and compliance. Our highly trained, results-oriented professionals provide a unique perspective on a wide range of critical business issues for our clients in the Americas, Asia-Pacific, Europe and the Middle East.

Protiviti is proud to be a Principal Partner of The IIA. More than 700 Protiviti professionals are members of The IIA and are actively involved with local, national and international IIA leaders to provide thought leadership, speakers, best practices, training and other resources that develop and promote the internal audit profession.

Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International Inc. (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index.

Protiviti has many offices in the Asia-Pacific region, including:

- Australia: Brisbane, Canberra, Melbourne, Perth and Sydney
- China: Beijing, Hong Kong, Shanghai and Shenzhen
- Japan: Osaka and Tokyo
- Korea: Seoul
- India: New Delhi, Mumbai and Bangalore
- Singapore: Singapore

Please consult the Protiviti website, www.protiviti.com.au, for contact details.

Internal Audit Services

Protiviti provides a full spectrum of services, technologies and skills to management, directors and the internal audit community. We provide world-class professionals and state-of-the-art methodologies and tools. Our network allows us to offer the right resources at the right time and in the right place to meet your needs, and we offer a creative and flexible approach to quality assurance reviews, from a standard compliance report to a full transformation of your capabilities. We also provide ongoing assistance for your internal staff and systems.
The services Protiviti's internal audit practice provides include:

- Full outsourcing
- Co-sourcing and specialised resource enhancement
- Start-up and development advice
- Information technology audit
- Quality assurance reviews
- Internal audit transformation
- Internal audit technology and tool implementation
- Audit committee advisory
- Assisting public and private companies in achieving and maintaining compliance with the Sarbanes-Oxley Act

About The Institute of Internal Auditors

The Institute of Internal Auditors Australia (IIA) is the professional body representing Australian internal auditors, and is the peak body for providing assurance over governance, risk and control. With more than 3,200 members in all states and territories in Australia, our membership is made up of internal auditors in all tiers of government, as well as the corporate sector and professional practice.

The IIA in Australia is the local affiliate of the global Institute of Internal Auditors (IIA Global), which represents more than 160,000 members in 165 countries around the world. IIA Global sets the global standards for internal audit, which are internationally recognised as the authoritative source for internal audit practice. The IIA runs the global Certified Internal Auditor (CIA) program, which is internationally recognised as the gold standard in internal audit certification, and is the only global member of COSO (Committee of Sponsoring Organisations of the Treadway Commission). COSO is comprised of five member organisations and is the recognised global standard setter in relation to internal control.
www.iia.org.au

Internal Audit-Related Organisations and Links

Australia: General
- The Institute of Internal Auditors Australia: www.iia.org.au
- Australian Stock Exchange: www.asx.com.au
- CPA Australia: www.cpaaustralia.com.au
- Group of 100: www.group100.com.au
- Institute of Chartered Accountants in Australia: www.icaa.org.au
- Australian Prudential Regulation Authority: www.apra.gov.au
- Standards Australia: www.standards.com.au

Federal Government Legislation
- Financial Management and Accountability Act 1997, Financial Management and Accountability Orders 2005 and Commonwealth Authorities and Companies (CAC) Act 1997: www.comlaw.gov.au

State Government Legislation
- VIC: Financial Management Act 1994: www.dtf.vic.gov.au
- SA: Public Finance and Audit Act 1987 and Public Corporations Act 1993: www.leglislation.sa.gov.au
- WA: Financial Administration and Audit Act 1985: www.dtf.wa.gov.au
- QLD: Financial Administration and Audit Act 1977 and Financial Management Standard 1997: www.legislation.qld.gov.au
- NSW: Public Finance and Audit Act 1983: www.legislation.nsw.gov.au
- ACT: Financial Management Act 1996: www.legislation.act.gov.au
- TAS: Government Business Enterprises Act 1995: www.tas.gov.au
- NT: Financial Management Act 2003: www.nt.gov.au

International
- The Institute of Internal Auditors International: www.theiia.org
- The Institute of Internal Auditors IT Audit International: www.itaudit.org
- American Institute of CPAs: www.aicpa.org
- Bank for International Settlements (Basel): www.bis.org
- New York Stock Exchange: www.nyse.com
- Securities and Exchange Commission USA: www.sec.gov
- Combined Code on Corporate Governance UK: www.fsa.gov.uk
- Rules of the London Stock Exchange: www.londonstockexchange.com
- Code of Corporate Governance Singapore: www.ccdg.gov.sg
- European Corporate Governance Institute: www.ecgi.org
- Financial Accounting Standards Board (FASB): www.fasb.org
- American Accounting Association: http://aaahq.org
- Chief Financial Officers Council: www.cfoc.gov
- The Committee of Sponsoring Organisations: www.coso.org
- The Association of Inspectors General: www.inspectorsgeneral.org
- The Government Accountability Office: www.gao.gov
- Information Systems Audit and Control Association: www.isaca.org
- Institute of Chartered Accountants in England and Wales: www.icaew.co.uk
- Institute of Management Accountants: www.imanet.org
- Institute of Management and Administration: www.ioma.com
- International Federation of Accountants: www.ifac.org
- The Canadian Institute of Chartered Accountants: www.cica.ca
- Association of Certified Fraud Examiners (ACFE): www.acfe.com
- Association of Healthcare Internal Auditors: www.ahia.org
- The Association of Public Pension Fund Auditors: www.appfa.org
- Association of College and University Auditors: www.acua.org
Other Online Resources

- www.knowledgeleader.com: 30-day free trials are available to this unique online service providing information, tools, templates and other resources to those involved with internal audit, security and other business and technology risk issues.
- www.auditnet.org: Auditnet.org is an electronic resource for the worldwide audit community. Its purpose is to provide auditors with access to their peers around the world as well as access to relevant information vital to the auditing industry.
- http://accounting.rutgers.edu: Audit-related mailing lists and links to audit resources.

Commonly Used Acronyms and Terms

- The Act: Refers to the Sarbanes-Oxley Act of 2002 (see below). Also referred to as SOA
- ACCC: Australian Competition and Consumer Commission
- ADIs: Authorised Deposit-Taking Institutions
- APRA: Australian Prudential Regulatory Authority
- ASIC: Australian Securities and Investments Commission
- ASX: The Australian Stock Exchange
- Auditing Standard No. 2: Issued by the PCAOB (see below) on March 9, 2004, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements
- AUASB: Auditing and Assurance Standards Board
- CAE: Chief Audit Executive
- CEO: Chief Executive Officer
- CFO: Chief Financial Officer
- CGC: Corporate Governance Council
- CIA: Certified Internal Auditor
- CISA: Certified Information Systems Auditor
- CLERP: Corporate Law Economic Reform Program
- CoCo: The Criteria of Control Board of the Canadian Institute of Chartered Accountants (CICA)
- COSO: Committee of Sponsoring Organisations of the Treadway Commission
- COSO ERM Framework: The Enterprise Risk Management Framework, developed by COSO (see above), bolsters support for and extends aspects of the original COSO Internal Control Framework (see below)
- COSO Internal Control Integrated Framework: Developed by COSO (see above), the definitive standard for public companies to follow in connection with Section 404 of the Sarbanes-Oxley Act
- CPE: Continuing Professional Education
- CSA: Control self-assessment
- ERP: Enterprise resource planning
- GAIN: The IIA's Global Auditing Information Network
- IASB: The IIA's Internal Auditing Standards Board
- IIA: The Institute of Internal Auditors
- IIA Code of Ethics: The Institute of Internal Auditors' Principles relevant to the profession and practice of internal auditing, and Rules of Conduct that describe the behaviour expected of internal auditors
- IIA Standards: The Institute of Internal Auditors' International Standards for the Professional Practice of Internal Auditing, contained in the IPPF
- Internal control over financial reporting: The effectiveness of a company's internal control structure and procedures over financial reporting
- IPPF: International Professional Practices Framework
- ISO: International Organization for Standardisation
- IT: Information technology
- NASDAQ: The computerised stock exchange established by the National Association of Securities Dealers
- OECD: Organisation for Economic Co-operation and Development
- PCAOB: The Public Company Accounting Oversight Board. Established by the Sarbanes-Oxley Act, the PCAOB oversees the audits of the financial statements of public companies through rigorous registration, standard setting, inspection and disciplinary programs
- Professional Practices Framework: Professional standards promulgated by The IIA consisting of three categories of guidance: Standards and Code of Ethics, Practice Advisories, and Development and Practice Aids
- QAR: Quality assurance review
- Sarbanes-Oxley Act of 2002 (SOA): Corporate governance and oversight legislation signed into law on July 30, 2002. Also referred to as Sarbanes-Oxley, SOA and the Act
- SEC: The U.S. Securities and Exchange Commission
- Section 301: Refers to Section 301 of the Sarbanes-Oxley Act, which addresses public company audit committees
- Section 302: Refers to Section 302 of the Sarbanes-Oxley Act, which addresses certifications by the principal executive officer (the CEO) and principal financial officer (usually the CFO)
- Section 404: Refers to Section 404 of the Sarbanes-Oxley Act, which addresses internal control over financial reporting
- SOA: The Sarbanes-Oxley Act of 2002. Also referred to as the Act
Appendix A

Financial services: Authorised deposit-taking institutions (Banking)

APRA Prudential Standard APS 510 Governance (November 2009)

A regulated institution (including a foreign ADI in relation to its Australian business) must have an independent and adequately resourced internal audit function. If a regulated institution does not believe it is necessary to have a dedicated internal audit function, it must apply to APRA, in writing, seeking an exemption from this requirement, and set out reasons why it believes it should be exempt. APRA may approve alternative arrangements for a regulated institution where APRA is satisfied that they will achieve the same objectives.

The objectives of the internal audit function must include evaluation of the adequacy and effectiveness of the financial and risk management framework of the regulated institution (including a foreign ADI).

To fulfil its functions, the internal auditor must, at all times, have unfettered access to all the regulated institution's business lines and support functions.

The Board Audit Committee must have a charter that includes a reference to the fact that the Committee is responsible for the oversight of APRA statutory reporting requirements, as well as other financial reporting requirements, professional accounting requirements, internal and external audit, and the appointment of the regulated institution's external auditor.

The Board Audit Committee must regularly review the internal and external audit plans, ensuring that they cover all material risks and financial reporting requirements of the regulated institution. It must also regularly review the findings of audits, and ensure that issues are being managed and rectified in an appropriate and timely manner.

The Board Audit Committee must ensure the adequacy and independence of both the internal and external audit functions.

The members of the Board Audit Committee must, at all times, have free and unfettered access to senior management, the internal auditor, the heads of all risk management functions and the regulated institution's external auditor, and vice versa.

The internal auditor must have a reporting line and unfettered access to the Board Audit Committee.

For foreign ADIs, the auditor of the local operation must have direct access to the Head Office audit function.

APRA Prudential Standard APS 310 Audit and Related Matters (January 2009)

An ADI must ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with APRA's prudential requirements.

An ADI must allow its internal auditor to be represented in tripartite meetings with APRA, the ADI and its appointed auditor.

An ADI must ensure that the appointed auditor has access to all data, information, reports and staff of the ADI that the appointed auditor reasonably believes is necessary to fulfil its role and responsibilities under this Prudential Standard. This includes access to the ADI's Board, Board Audit Committee and internal auditors as required.

Where an ADI is part of a Level 2 group, APRA may meet with the ADI, the head entity of the Level 2 group and the appointed auditor and the internal auditor at the same time, or separately on a Level 1 and Level 2 basis, as APRA deems appropriate.

APRA Prudential Standard APS 231 Outsourcing (October 2006)

This Prudential Standard only applies to outsourcing of a material business activity as defined in this Prudential Standard. For the purposes of this Prudential Standard the internal audit function must be treated as a material business activity.

The ADI's internal audit function must review any proposed outsourcing of a material business activity and regularly review and report to the Board or Board Audit Committee on compliance with the ADI's outsourcing policy. Where APRA has exempted an ADI from having a dedicated internal audit function, or approved alternative arrangements under Prudential Standard APS 510 Governance, APRA may also vary the requirements of this paragraph.

APRA Prudential Standard APS 232 Business Continuity Management (April 2005)

The ADI's internal audit function, or an external expert, must also periodically review the BCP [Business Continuity Plan] and provide an assurance to the Board or the Committee that the BCP is in accordance with the ADI's formal policy (see paragraph 40), addresses the risks it is designed to control and that testing procedures are adequate and have been conducted satisfactorily.

APRA Prudential Standard APS 330 Capital Adequacy: Public Disclosure of Prudential Information (January 2009)

To ensure appropriate accountability, an ADI's Chief Executive Officer must attest to the reliability of the Prudential Disclosures in the ADI's annual declaration to APRA required under Prudential Standard APS 310 Audit and Related Arrangements for Prudential Reporting.

Other references

Basel Committee: Core Principles for Effective Banking Supervision (October 2006)
Basel Committee: Core Methodology (October 2006)
Basel Committee: Internal audit in banks and the supervisor's relationship with auditors (August 2001)
Basel Committee: Enhancing corporate governance for banking organizations (February 2006)
Basel Committee: Principles for Sound Liquidity Risk Management and Supervision (September 2008)

These publications, along with other relevant guidance for the banking industry sector, are available at: http://www.bis.org/publ/cmtpubl.htm
Financial services: General insurance

APRA Prudential Standard GPS 510 Governance (November 2009)

A regulated institution (including a Category C insurer in relation to its Australian business) must have an independent and adequately resourced internal audit function. If a regulated institution does not believe it is necessary to have a dedicated internal audit function, it must apply to APRA, in writing, seeking an exemption from this requirement, and set out reasons why it should be exempt. APRA may approve alternative arrangements for a regulated institution where APRA is satisfied that they will achieve the same objectives.

The objectives of the internal audit function must include evaluation of the adequacy and effectiveness of the financial and risk management framework of the regulated institution (including a Category C insurer).

To fulfil its functions, the internal auditor must, at all times, have unfettered access to all the regulated institution's business lines and support functions.

Also refer to Prudential Standard GPS 220 Risk Management for the requirement for a review of an insurer's risk management framework. Such a review carried out by a role or function within the insurer other than internal audit does not relieve the internal audit function from carrying out a review of the risk management framework, though the internal audit function may rely on such other review in carrying out its own review.

The Board Audit Committee must have a charter that includes a reference to the fact that the Committee is responsible for the oversight of (d) internal and external audit

The Board Audit Committee must regularly review the internal and external audit plans, ensuring that they cover all material risks and financial reporting requirements of the regulated institution. It must also regularly review the findings of audits, and ensure that issues are being managed and rectified in an appropriate and timely manner.

The Board Audit Committee must ensure the adequacy and independence of both the internal and external audit functions.

The members of the Board Audit Committee must, at all times, have free and unfettered access to senior management, the internal auditor, the heads of all risk management functions, the insurer's Appointed Auditor and Appointed Actuary, and an authorised NOHC's external auditor, and vice versa.

The internal auditor must have a reporting line and unfettered access to the Board Audit Committee.

For Category C insurers, the auditor of the local operation must have direct access to the Head Office audit function.

APRA Prudential Standard GPS 220 Risk Management (July 2008)

The insurer must ensure that its risk management framework is subject to effective and comprehensive review by operationally independent, appropriately trained and competent staff (including external consultants) and that the frequency and scope of this review is appropriate having regard to such factors as the size, business mix, complexity of the insurer's operations and the extent of any change to its business profile or its risk appetite. The review must include: (a) a review of the risk management function (or role); (b) a review of the RMS [Risk Management Strategy]; and (c) a review of the internal control system.

Also refer to GPS 510 for the internal audit function of an insurer to have among its objectives a review of the risk management framework.

APRA Prudential Standard GPS 231 Outsourcing (July 2008)

This Prudential Standard only applies to outsourcing of a material business activity as defined in this Prudential Standard. For the purposes of this Prudential Standard, the internal audit function must be treated as a material business activity.

The insurer's internal audit function must review any proposed outsourcing of a material business activity and regularly review and report to the Board or Board Audit Committee on compliance with the insurer's outsourcing policy. Where APRA has exempted an insurer from having a dedicated internal audit function, or approved alternative arrangements under Prudential Standard GPS 510 Governance, APRA may also vary the requirements of this paragraph.

APRA Prudential Standard GPS 222 Business Continuity Management (April 2005)

The insurer's internal audit function, or an external expert, must also periodically review the BCP and provide an assurance to the Board or the Committee that the BCP is in accordance with the insurer's formal policy (see paragraph 40), addresses the risks it is designed to control and that testing procedures are adequate and have been conducted satisfactorily.

Other references

International Association of Insurance Supervisors: Insurance Core Principles and Methodology (October 2003)

This publication, along with other relevant guidance for the insurance industry sector, is available at: http://www.iaisweb.org/

Financial services: Life insurance and friendly societies

APRA Prudential Standard LPS 510 Governance (November 2009)

A life company (including an EFLIC [Eligible foreign life insurance company] in relation to its Australian business) must have an independent and adequately resourced internal audit function. If a life company does not believe it is necessary to have a dedicated internal audit function, it must apply to APRA, in writing, seeking an exemption from this requirement, and set out reasons why it should be exempt. APRA may approve alternative arrangements for a life company where APRA is satisfied that they will achieve the same objectives.

The objectives of the internal audit function must include evaluation of the adequacy and effectiveness of the financial and risk management framework of the life company (including an EFLIC).

To fulfil its functions, the internal auditor must, at all times, have unfettered access to all the life company's business lines and support functions.

The Board Audit Committee must have a charter that includes a reference to the fact that the Committee is responsible for the oversight of APRA statutory reporting requirements, as well as other financial reporting requirements, professional accounting requirements, internal and external audit, and the appointment of the life company's auditor.

The Board Audit Committee must regularly review the internal and external audit plans, ensuring that they cover all material risks and financial reporting requirements of the life company. It must regularly review the findings of audits, and ensure that issues are being managed and rectified in an appropriate and timely manner.

The Board Audit Committee must ensure the adequacy and independence of both the internal and external audit functions.

The members of the Board Audit Committee must, at all times, have free and unfettered access to senior management, the internal auditor, the heads of all risk management functions, the life company's Auditor, and the Appointed Actuary, and vice versa.

The internal auditor must have a reporting line and unfettered access to the Board Audit Committee.

For EFLICs, the auditor of the local operation must have direct access to the Head Office audit function.

APRA Prudential Standard LPS 220 Risk Management (March 2007)

Life companies must implement satisfactory internal audit procedures and/or external audit arrangements to ensure compliance with, and the effectiveness of, the risk management framework.

APRA Prudential Standard LPS 231 Outsourcing (October 2006)

This Prudential Standard only applies to outsourcing of a material business activity as defined in this Prudential Standard. For the purposes of this Prudential Standard the internal audit function must be treated as a material business activity.

The life company's internal audit function must review any proposed outsourcing of a material business activity and regularly review and report to the Board or Board Audit Committee on compliance with the life company's outsourcing policy. Where APRA has exempted a life company from having a dedicated internal audit function, or approved alternative arrangements under Prudential Standard LPS 510 Governance, APRA may also vary the requirements of this paragraph.

APRA Prudential Standard LPS 232 Business Continuity Management (March 2007)

The life company's internal audit function, or an external expert, must periodically review the BCP [Business Continuity Plan] and provide an assurance to the Board or to delegated management that: (a) the BCP is in accordance with the life company's BCM [Business Continuity Management] Policy and addresses the risks it is designed to control; and (b) testing procedures are adequate and have been conducted satisfactorily.

Other references

International Association of Insurance Supervisors: Insurance Core Principles and Methodology (October 2003)

This publication, along with other relevant guidance for the insurance industry sector, is available at: http://www.iaisweb.org/

Appendix B

The internal audit requirements in the public sector in Australia are generally more comprehensive and prescriptive than those of the private sector. Key governance requirements are contained in the legislation at the Federal, State/Territory, and Local Government levels. These requirements are detailed below:

Federal

While there are no explicit requirements for an internal audit activity in the federal legislation, there are explicit requirements for an audit committee. The requirement for an internal audit activity is implicit under these audit committee requirements.
Financial Management and Accountability Act 1997

Section 46 Audit Committee
(1) A Chief Executive must establish and maintain an audit committee with functions that include:
(a) helping the Agency to comply with obligations under this Act, the regulations and Finance Minister's Orders; and
(b) providing a forum for communication between the Chief Executive, the senior managers of the Agency and the internal and external auditors of the Agency.
(2) The committee must be constituted in accordance with the regulations (if any).

Financial Management and Accountability Regulations 1997

Section 22C Terms of reference of audit committees (Act, s 46)
(1) A Chief Executive must, when establishing an audit committee, give the committee terms of reference that include particulars of:
(a) the membership of the committee; and
(b) the frequency of the meetings of the committee; and
(c) the functions and responsibilities of the committee.
(2) The functions and responsibilities of an audit committee include:
(a) the approval of internal annual and strategic audit plans of the Agency; and
(b) the review of all audit reports involving matters of concern to senior management of the Agency, including the identification and dissemination of good practices; and
(c) the provision of advice to the Chief Executive on action to be taken on matters of concern raised in a report of the internal auditors or in a report of the Auditor-General concerning the Agency; and
(d) as far as practicable, the coordination of audit programs conducted by internal auditors and the programs conducted by the Auditor-General; and
(e) the provision of advice to the Chief Executive on the preparation and review of financial statements of the Agency.
(3) In subregulation (2): Auditor-General means the Auditor-General for the Commonwealth referred to in section 7 of the Auditor-General Act 1997.

Commonwealth Authorities and Companies Act 1997

Section 32 Audit committee
(1) The directors of a Commonwealth authority must establish and maintain an audit committee with functions that include:
(a) helping the authority and its directors to comply with obligations under this Act; and
(b) providing a forum for communication between the directors, the senior managers of the authority and the internal and external auditors of the authority.
(2) If the regulations state how the committee is to be constituted, it must be constituted in accordance with the regulations.

Further references

Australian National Audit Office: Audit Report No.3 2004-05: Management of Internal Audit in Commonwealth Organisations (July 2004)
Australian National Audit Office: Better Practice Guide Public Sector Audit Committees (February 2005)
Australian National Audit Office: Better Practice Guide Public Sector Internal Audit (September 2007)
State/Territory

Victoria

Standing Directions of the Minister for Finance under the Financial Management Act 1994

Standing Direction 2.5: Each Public Sector Agency must, unless an exemption has been obtained, establish and maintain an adequately resourced independent internal audit function appropriate to the needs of the Public Sector Agency. Government Departments are not eligible for an exemption.

The standing directions also contain procedures and guidelines for the audit committee, internal audit activity, and risk management.

Further references

State Services Authority: Good practice guide on governance for Victorian public sector entities, available at http://www.ssa.vic.gov.au/domino/web_notes/ssa/ssagpg.nsf
Department of Treasury & Finance: Victorian Government Risk Management Framework (July 2007)

New South Wales

Public Finance and Audit Act 1983

Section 11 Internal control and audit
(1) The Head of an authority shall ensure that there is an effective system of internal control over the financial and related operations of the authority, including:
(a) management policies and requirements made by the provisions of this Act and the prescribed requirements,
(b) sound practices for the efficient, effective and economical management of functions by each organisational branch or section within the authority,
(c) a system of authorisation and recording and procedures adequate to provide accounting control in relation to assets, liabilities, receipts and expenses,
(d) proper segregation of functional responsibilities, and
(e) procedures to review the adequacies of and compliance with the system of internal control.
(2) Wherever practicable, the Head of an authority shall establish and maintain an effective internal audit organisation which shall be responsible to the Head of an authority for:
(a) the regular appraisal of the adequacy of and compliance with the system of internal control,
(b) the review of operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned, and
(c) the reporting directly at regular intervals to the Head of the authority as to the result of any appraisal, inspection, investigation, examination or review made by the internal audit organisation.

NSW Treasury Policy & Guidelines Paper TPP 09-5 2009 (implemented by Treasury Circular NSW TC 09/08)

The Policy requires department heads and governing boards of statutory bodies to attest and report compliance with a prescribed set of core requirements annually. The Policy, including the procedures that department heads and governing boards of statutory bodies must follow to be compliant with the core requirements, is set out in the Policy & Guidelines Paper. The six core requirements comprise:

Core Requirement 1: Internal Audit Function - this covers the requirement to establish and maintain an Internal Audit function
Core Requirement 2: Audit and Risk Committee - this covers the requirement to establish and maintain an Audit and Risk Committee
Core Requirement 3: Independent Chairs and Members - this covers Committee composition, and the requirement to appoint an independent chair and a majority of independent members
Core Requirement 4: Model Charter and Committee Operations - this covers the requirements to maintain governance arrangements that ensure both the real and perceived independence of the Committee and the rigour and quality of its oversight and monitoring role
Core Requirement 5: Risk Management Standards - this covers the requirement to implement a risk management process that is appropriate to the needs of the department or statutory body and consistent with the current risk standard, i.e. AS/NZS 4360: 2004 Risk Management
Core Requirement 6: Internal Audit Standards - this covers the requirement to ensure that operation of the Internal Audit function is consistent with the relevant standard, i.e. IIA International Standards for the Professional Practice of Internal Auditing and any additional practice requirements set by the Policy.

Further references

NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector web page, available at http://www.treasury.nsw.gov.au/internal_Audit_and_Risk_Management

South Australia

Public Corporations Act 1993

Section 12 Corporation's charter
(1) A charter must be prepared for a public corporation by its Minister and the Treasurer after consultation with the corporation.
(2) The charter must deal with the following matters (c) all requirements of the corporation's Minister or the Treasurer as to (iii) any accounting, internal auditing or financial systems or practices to be established or observed by the corporation

Section 31 Internal audits and audit committee
(1) A public corporation must, unless exempted by the Treasurer, establish and maintain effective internal auditing of its operations and the operations of its subsidiaries

Further references

Department of Treasury and Finance: Financial Management Toolkit (April 2008)

Western Australia

Financial Management Act 2006

Section 53 Functions of accountable authorities
(1) Without limiting section 52, an accountable authority of an agency has the functions of
(a) ensuring that the agency operates in a manner that is efficient and economic and achieves the agency's objectives; and
(b) ensuring that the agency complies with this Act, the Treasurer's instructions and any other written law that applies to the agency; and
(d) unless otherwise directed in writing by the Treasurer, developing and maintaining an effective internal audit function for the agency.

Treasurer's Instructions

Part XII of the Treasurer's Instructions provides the requirements for an effective internal audit function required under the Financial Management Act 2006, as prescribed by the IPPF.

Treasurer's Instruction 1201: Structure of the Internal Audit Function covers the role of internal audit, the internal audit charter, resourcing, independence and objectivity, and the audit committee.
Treasurer's Instruction 1202: Conducts of Audits and Consultancy covers the internal audit plan, access to information, coordination with the external auditor, communication of audit results, and the use of standards for internal auditing.
Treasurer's Instruction 1203: Management of the Internal Audit Function covers performance evaluation of the internal audit function.

Further references

Department of Treasury and Finance: Financial Administration Bookcase (November 2009)

Queensland

Financial and Performance Management Standard 2009

Section 8 Internal control structure
(3) If an internal audit function, audit committee or risk management committee is established for the department or statutory body, the internal control structure must ensure the efficient, effective and economic operation of the internal audit function, audit committee or risk management committee.
(4) In establishing the internal control structure, the accountable officer or statutory body must have regard to the Financial Accountability Handbook published by the treasury department.

Section 27 Financial information management
(4) Before introducing a financial information management system or significantly changing a financial information management system, the accountable officer or statutory body must consult with (a) the head of internal audit for the department or statutory body

Division 5 Internal audit and audit committees

Section 29 Responsibility for internal audit function
(1) Each accountable officer must establish an internal audit function for the accountable officer's department.
(2) Each statutory body must establish an internal audit function for the statutory body if
(a) the statutory body is directed by the appropriate Minister to establish the function; or
(b) the statutory body considers it is appropriate to establish the function.
(3) A department or statutory body that has established an internal audit function must develop and implement systems for ensuring the internal audit function operates efficiently, effectively and economically.

Section 30 Charter of internal audit function
(1) The internal audit function of a department or statutory body must operate under an internal audit charter.
(2) The internal audit charter must
(a) be consistent with the auditing and ethical standards set by the professional entities that govern the conduct of auditing in the State; and
(b) be approved by the accountable officer of the department or the statutory body; and
(c) be readily available to the officers of the department or statutory body.

Section 31 Planning by internal audit function
(1) The internal audit function of a department or statutory body must undertake planning appropriate to the size and functions of the department or statutory body.
(2) The planning must include the preparation of
(a) a strategic audit plan that provides an overall strategy for the internal audit function for a period of at least 1 year; and
(b) an audit plan, for each year, that sets out the audits intended to be carried out by the internal audit function during the year.
(3) The strategic audit plan and the annual audit plan of a department or statutory body must be approved by the department's accountable officer or the statutory body.

Section 32 Reports by internal audit function
(1) The internal audit function of a department or statutory body must
(a) give the person in charge of an audited area a copy of the proposed report on the audit for the area; and
(b) include any comments by the person about the proposed report in the final report.
(2) The internal audit function must give the final report to
(a) for a department, the department's accountable officer and its audit committee; and
(b) for a statutory body, the statutory body and, if the statutory body has established an audit committee, its audit committee.

Section 33 Consideration of reports
Each accountable officer of a department and each statutory body must
(a) consider the contents of all reports given to the accountable officer or statutory body under section 32; and
(b) take the actions the accountable officer or statutory body considers necessary to be taken because of a report.

Section 34 Relationship with authorised auditors
The head of internal audit for a department or statutory body must consult with an authorised auditor
(a) during the preparation of audit plans under section 31; and
(b) at other times the head of internal audit considers appropriate.

Section 35 Audit committees
(1) Each accountable officer of a department must, and each statutory body may, establish an audit committee for the department or statutory body.
(2) If an audit committee is established, the accountable officer or statutory body must prepare terms of reference for the committee.
(3) In establishing an audit committee, the accountable officer or statutory body must have regard to the document called Audit committee guidelines - improving accountability and performance published by the treasury department.
(4) The audit committee for a statutory body must include members of the statutory body or, if the statutory body has a governing body, members of the governing body.
(5) The audit committee for a department or statutory body must, as soon as practicable after the end of each financial year, give the department's accountable officer or the statutory body a report about the committee's operations for the year.

Financial Accountability Act 2009

Section 78 Head of internal audit
(1) Each accountable officer must
(a) nominate either of the following to be the person responsible for the internal audit activities of the department (the head of internal audit)
(i) an appropriately qualified employee of the accountable officer's department;
(ii) with the approval of the Treasurer, an appropriately qualified public service employee or other employee of the State; and
(b) delegate to the head of internal audit the following responsibilities for the department (the minimum responsibilities)
(i) provision of assessment and evaluation of the effectiveness and efficiency of departmental financial and operation systems, reporting processes and activities;
(ii) provision of assistance in risk management and identifying deficiencies in risk management.
(2) A regulation may prescribe the qualifications, experience or standing appropriate for a head of internal audit.
(3) In this section appropriately qualified, for an employee nominated under subsection (1), means having the qualifications, experience or standing prescribed under a regulation, if any, and otherwise having the qualifications, experience or standing appropriate for carrying out the responsibilities of head of internal audit. Financial Accountability Regulation 2009 Section 5 Appropriate qualifications to be head of internal audit For an employee to be appropriately qualified for nomination as head of internal audit, the employee must hold at least one of the following (a) a qualification required by The Institute of Internal Auditors Australia for ordinary membership of that organisation; (b) a qualification as (i) a certified practising accountant conferred by CPA Australia; or (ii) a chartered accountant conferred by the Institute of Chartered Accountants in Australia; or (iii) a professional national accountant conferred by the National Institute of Accountants; (c) another qualification from an overseas accounting body that is recognised by at least 2 of the organisations mentioned in paragraph (a) or (b). Further references Queensland Treasury: Financial Accountability Handbook (January 2010) Australian Capital Territory Internal audit functions are not mandated, but are referred to explicitly in guidance papers relating to the legislation. Financial Part 4 Financial management responsibilities of chief executives of departments Management Act 31 Responsibilities of chief executives of departments 1996 (1) The responsible chief executive of a department is accountable to the responsible Minister of the department for the efficient and effective financial management of the department. 
(2) Without limiting subsection (1), the responsible chief executive of a department is responsible, under the responsible Minister, for ensuring (a) that money spent by the department is spent in accordance with appropriations made for the department (including appropriations available under section 34B); and (b) that, as far as practicable, the operations of the department for a financial year are consistent with, and comparable to, the budget for the department for the year; and (c) that the officers and employees of the department comply with this Act (including the financial management guidelines); and Note A reference to an Act includes a reference to the statutory instruments made or in force under the Act, including any guideline (see Legislation Act, s 104). (d) that proper accounts and records are kept of the transactions and affairs of the department in accordance with generally accepted accounting principles; and (e) that adequate control is maintained over the assets of the department and assets in the control of the department; and (f) that adequate control is maintained over the incurring of liabilities by the department. Guide to Internal Audit FAQs 48
Financial Management Act Guidance Papers: Part 4 Financial Management Responsibilities of Executives of Departments
To assist chief executives in meeting this responsibility [Section 31(2)(c)] it is recommended that departments have a set of Chief Executive Financial Instructions (CEFIs). These instructions provide an integral control mechanism for chief executives to ensure the efficient and effective financial management of ACT Government entities.
In addition to the CEFIs, departments should also have an effective internal audit function in place, which should provide chief executives with a level of assurance on:
whether the FMA and FMG are being complied with; and
the effectiveness of the department's internal controls.

Further references
Department of Treasury: Internal Audit Framework (April 2007)
Department of Treasury: Financial Management Act Guidance Papers, available at http://www.treasury.act.gov.au/accounting/html/fma.htm

Tasmania

Financial Management and Audit Act 1990
Section 22. Responsibilities of Head of Agency
A Head of Agency shall be responsible for the financial management of that Agency in an efficient, effective and economical manner including in particular
(a) ensuring that expenditure by that Agency is in accordance with law; and
(b) maintaining effective accounting and financial management information systems for that Agency; and
(c) the development and maintenance in accordance with the Treasurer's Instructions of a system for effective internal control including, where appropriate, an internal audit function; and
(d) systematically monitoring the financial performance of that Agency; and
(e) the custody, control, management of and accounting for, all public property, public money, other property and other money in the possession of, or under the control of, that Agency; and
(f) the proper collection of all money payable to, or collectable under, any law administered by that Agency; and
(g) regular reviews at least annually of fees and charges collected by or payable to that Agency; and
(h) the appointment of one or more officers in that Agency as certifying officers charged with the duty of certifying all expenditure of that Agency; and
(i) any other functions and duties as may be required under this Act, any other written law or the Treasurer's Instructions.
Section 23. Treasurer's Instructions
(1) The Treasurer shall issue instructions with respect to the principles, practices and procedures to be observed in the financial management of all Agencies, and those instructions shall have effect unless they are inconsistent with this Act or any other written law.
(2) Treasurer's Instructions, so far as they relate to the duties of a Head of Agency under section 27, shall be prepared after consultation with the Minister responsible for the administration of the State Service Act 2000.
(3) Treasurer's Instructions may be issued
(a) so as to apply
(i) at all times or at a time specified in the Treasurer's Instructions; or
(ii) to all Agencies or to Agencies specified in the Treasurer's Instructions; and
(b) so as to confer a discretionary authority on a person or body or a class of persons or bodies specified in the Treasurer's Instructions.
(4) It is the duty of each Head of Agency and officer to comply with any requirement of the Treasurer's Instructions that is applicable to that Head or officer.
(5) Treasurer's Instructions are not statutory rules within the meaning of the Rules Publication Act 1953.

Treasurer's Instruction No 105 (July 2005)
(1) Treasurer's Instructions are issued under the authority of the Act and, subject to Instruction 105 (4), require compliance by all Heads of Agency.
(2) Revised Treasurer's Instructions will be issued from time to time and will apply from the effective date.
(3) Where a Head of Agency considers that a Treasurer's Instruction should be varied or not apply, the Head of Agency may seek approval from the Treasurer for particular Instructions not to apply or to be varied. The request for approval should indicate:
(a) the reason why the Instruction should be varied or not apply;
(b) alternatives to the existing Instructions; and
(c) the effect of the Instruction being varied or not being applicable, if approved.
(4) The Treasurer may vary or revoke a Treasurer's Instruction or authorise alternatives to operate in particular cases.

Treasurer's Instruction No 108 Internal Audit (July 2009)
1. A Head of Agency will ensure that effective internal audit arrangements are established by the Agency.
Treasurer's Instruction No 108 provides guidance for establishing and maintaining internal audit functions, covering areas relating to the internal audit charter, planning, scope, authority, independence, reporting, and compliance with professional standards, the audit committee, and coordination with external audit.

Further references
Tasmanian Audit Office: Auditor-General Special Report No. 52 Internal Audit in the Public Sector (August 2004)

Northern Territory

Financial Management Act
Section 15 Internal audit
(1) The Accountable Officer of an Agency shall ensure that the Agency has an adequate internal audit capacity to assist the Accountable Officer in the performance of his or her functions under this Act.
(2) The person in charge of an internal audit of an Agency shall, as soon as practicable after completing the internal audit, report to the Accountable Officer of the Agency the result of the audit.
Part 3 Accountable Officers
Section 13 Duties of Accountable Officers
(1) The Accountable Officer of an Agency is responsible for the financial management of the Agency.
(1A) The Accountable Officer of the Central Holding Authority is responsible for the financial management of the Central Holding Authority.
(2) The Accountable Officer of an Agency must ensure that
(a) proper records of all transactions affecting the Agency are kept and that employees under his or her control observe the requirements of this Act, the Regulations and the Treasurer's Directions; and
(b) procedures in the Agency are such as will at all times afford a proper internal control.
(2A) The Accountable Officer of the Central Holding Authority must ensure that
(a) proper records of all transactions affecting the Central Holding Authority are kept and that the requirements of this Act, the Regulations and the Treasurer's Directions are observed; and
(b) the Central Holding Authority's procedures are such as will at all times afford a proper internal control of the Central Holding Authority.
(3) The Treasurer may, after consultation with the relevant Minister, issue a direction to the Accountable Officer of an Agency in relation to the financial management of the Agency.
(4) An Accountable Officer, and an employee of the Agency, to whom a direction under subsection (3) applies must comply with the direction.

Treasurer's Directions
Part 3 Section 1 Accountable Officers
Agency accounting and property manuals should contain procedures and appropriate controls relating to INTERNAL AUDIT
(a) the development of a program of internal audit; and
(b) access for auditors to relevant information, personnel and records.
Part 3 Section 2 Internal Audit
This Section provides a framework within which Accountable Officers can discharge their internal audit responsibilities under the Act, and covers issues relating to resourcing, access, programming, reporting, and the internal audit charter.
Part 3 Section 3 Audit Committees
This Section provides a framework within which Accountable Officers can establish and operate an audit committee.

Further references
Northern Territory Treasury: Treasurer's Directions Governance Series, available at http://www.nt.gov.au/ntt/treasdir/

Local Government

Victoria
There is no legislative requirement for local governments to have an internal audit function.

Local Government Act 1989
Section 136 Principles of sound financial management
(1) A Council must implement the principles of sound financial management
Section 139 Audit committee
(1) A Council must establish an audit committee.
(2) An audit committee is an advisory committee.
(3) An audit committee must be constituted in the prescribed manner.
(4) An audit committee has the functions and responsibilities prescribed for the purposes of this section.

Further references
Department of Planning and Community Development: Guide to Local Government, available at http://www.localgovernment.vic.gov.au/
Department of Infrastructure: Best Practice Guidelines Local Government Entity Audit Committees & Internal Audit (June 2000)
Victorian Auditor-General: Local Government: Results of the 2006-07 Audits (February 2008)
New South Wales

Local Government Act 1993
Section 23A Director-General's guidelines
(1) For the purposes of this Act, the Director-General may from time to time prepare, adopt or vary guidelines relating to the exercise by a council of any of its functions.
(2) The Director-General may only prepare, adopt or vary guidelines relating to the exercise by a council of functions conferred or imposed on the council by or under any Act or law that is not administered by or the responsibility of the Department of Local Government if the Director-General has first obtained the concurrence of the Minister administering or responsible for the administration of the other Act or law.
(3) A council must take any relevant guidelines issued under this section into consideration before exercising any of its functions.
(4) The guidelines for the time being in force are to be made available to councils on request and, on payment of such fee (if any) as the Director-General may determine, to any interested person.

NSW Department of Local Government: Internal Audit Guidelines (October 2008)
These guidelines are Director General's Guidelines for the purposes of section 23A of the Local Government Act 1993. They describe internal audit and risk management systems for Local Government in NSW. The Guidelines also include appropriate structures, functions, charter, and membership of audit and risk management committees.

South Australia
Explicit requirements for the establishment of an internal audit function only exist for subsidiaries of councils.

Local Government Act 1999
Division 2 Internal control and audit committee
Section 125 Internal control policies
A council must ensure that appropriate policies, practices and procedures of internal control are implemented and maintained in order to assist the council to carry out its activities in an efficient and orderly manner to achieve its objectives, to ensure adherence to management policies, to safeguard the council's assets, and to secure (as far as possible) the accuracy and reliability of council records.
Section 126 Audit committee
(1) A council must have an audit committee
(4) The functions of an audit committee include
(a) reviewing annual financial statements to ensure that they present fairly the state of affairs of the council; and
(ab) proposing, and providing information relevant to, a review of the council's strategic management plans or annual business plan; and
(ac) proposing, and reviewing, the exercise of powers under section 130A; and
(ad) if the council has exempted a subsidiary from the requirement to have an audit committee, the functions that would, apart from the exemption, have been performed by the subsidiary's audit committee; and
(b) liaising with the council's auditor; and
(c) reviewing the adequacy of the accounting, internal control, reporting and other financial management systems and practices of the council on a regular basis.
Schedule 2 Provisions applicable to subsidiaries
Part 1 Subsidiaries established by one council
Section 3 Charter of subsidiary
(1) A charter must be prepared for a subsidiary by the council.
(2) The charter must address
(h) any special accounting, internal auditing or financial systems or practices to be established or observed by the subsidiary
Section 13 Internal audit
(1) A subsidiary must establish and maintain effective auditing of its operations.
(2) A subsidiary must, unless exempted by the council, establish an audit committee.
(3) Subject to the regulations, an audit committee will comprise persons determined or approved by the council.
(4) The functions of an audit committee include
(a) reviewing annual financial statements to ensure that they provide a timely and fair view of the state of affairs of the subsidiary; and
(b) liaising with external auditors; and
(c) reviewing the adequacy of the accounting, internal auditing, reporting and other financial management systems and practices of the subsidiary on a regular basis.
Similar requirements exist for regional subsidiaries established by two or more councils in Schedule 2, Part 2, Sections 19 and 30.

Western Australia
There are no references to internal audit in the local government legislation, although local government operational guidelines refer to the internal audit function.

Further references
Department of Local Government and Regional Development: Local Government Operational Guidelines Number 09: Audit Committees in Local Government: Their appointment, function and responsibilities (March 2006)
Department of Local Government and Regional Development: Local Government Operational Guidelines Number 13: The Relationship Between Internal and External Audit (April 2006)

Queensland

Local Government Finance Standard 2005
Section 105 Auditing, including internal auditing
(1) Each local government must establish an efficient and effective internal audit function.
(2) Each large local government must also establish an audit committee.
(3) A large local government is a local government that belongs to a class prescribed under a regulation.
(4) An audit committee is a committee that
(a) monitors and reviews
(i) the integrity of financial documents; and
(ii) the internal audit function; and
(iii) the effectiveness and objectivity of the local government's internal auditors; and
(iv) the effectiveness, independence and objectivity of the local government's external auditors; and
(b) makes recommendations to the local government about the appointment of the local government's external auditors; and
(c) makes recommendations to the local government about any matters that the audit committee considers need action or improvement.
(5) This section applies in addition to the requirements of the Financial Accountability Act 2009.
Local Government (Finance, Plans and Reporting) Regulation 2009
Section 130 Plan for internal audit
(1) A local government must prepare an internal audit plan.
(2) Internal audit is the independent assessment of the internal control measures that are stated in the local government's audit plan.
(3) The local government's internal audit plan is a document that states
(a) the risks that the local government's operations are exposed to; and
(b) the internal control measures that the local government has adopted, or is to adopt, to manage those risks; and
(c) the internal control measures that have been adopted, or are to be adopted, by the local government to manage risks that the local government's operations are exposed to; and
(d) when regular independent assessments of the internal control measures will happen.
(4) The local government must give the following documents to the audit executives at least twice during the year after the internal audit is carried out
(a) the report on the internal audit;
(b) a summary of the recommendations that are stated in the report;
(c) a summary of the actions that have been taken by the local government in response to the recommendations;
(d) a summary of any actions that have not been taken by the local government in response to the recommendations.
(5) The audit executives are
(a) the mayor; and
(b) the chief executive officer; and
(c) if the local government has established an audit committee, the audit committee.
Section 131 Policy about audit committee
(1) A large local government must prepare a policy about its audit committee.
(2) A local government with a remuneration category of 3 or higher is a large local government for the Act, section 105(3), definition large local government.
(3) If a local government other than a large local government has an audit committee, the local government must prepare a policy about its audit committee.
(4) The policy must require that the audit committee
(a) meets at least twice each financial year; and
(b) reviews each of the following matters at each meeting
(i) the local government's organisational structure and its systems and procedures for carrying out its responsibilities under the Act;
(ii) the risks to which the local government's operations are exposed;
(iii) the internal control measures that have been adopted by the local government for managing those risks;
(iv) any reports prepared by the auditor-general under section 130 during the financial year in which the meeting is held;
(v) any internal audit reports for assessments of the internal control measures under section 129(3)(d) that have been prepared during the financial year in which the meeting is held; and
(c) gives the local government a written report stating any recommendations that the audit committee has about the matters that have been reviewed, as soon as practicable after the review is conducted.
(4) An internal audit report is a document that states
(a) the internal control measures that the local government has adopted that were assessed by the audit; and
(b) the way in which the audit was carried out; and
(c) whether the person who conducted the audit considers that the internal control measures have been successful in managing the risks to which they relate; and
(d) any recommendations of the person who conducted the audit about
(i) any action that may be taken to improve the success of the internal control measures; or
(ii) alternative internal control measures that the local government may adopt for managing the risks that the local government's operations are exposed to and the action that may be taken to give effect to the alternative internal control measures.

Tasmania
There is no mandatory requirement to establish an internal audit function in local government in Tasmania.

Further references
Local Government Association Tasmania: Audit Committees in Local Government Discussion Paper (June 2008)

Northern Territory
There is no mandatory requirement to establish an internal audit function in local government in the Northern Territory.

Local Government (Accounting) Regulations
Section 10 Internal controls
(1) The CEO must establish and maintain internal controls to:
(a) safeguard the assets of the council; and
(b) ensure the accuracy, completeness and reliability of the accounting data; and
(c) promote the operational efficiency of the council; and
(d) ensure compliance with relevant laws in force in the Territory; and
(e) ensure adherence to council policies.
(2) The internal controls for safeguarding the assets of the council include the following:
(a) the establishment and maintenance of a plan (a fraud protection plan) to detect and prevent fraud from within and outside the council;
(b) the establishment and maintenance of an audit committee to monitor:
(i) compliance by the council with proper standards of financial management; and
(ii) compliance by the council with these regulations and the Accounting Standards.
Protiviti Australia
BRISBANE: Level 15, 333 Ann Street, Brisbane, QLD 4000, Australia. Ph: (07) 3039 4000, Fax: (07) 3039 4098, brisbane@protiviti.com.au
CANBERRA: Level 5, 71 Northbourne Avenue, Canberra, ACT 2600, Australia. Ph: (02) 6113 3900, Fax: (02) 6262 7567, canberra@protiviti.com.au
MELBOURNE: Level 17, 140 William Street, Melbourne, VIC 3000, Australia. Ph: (03) 9948 1200, Fax: (03) 9602 5225, melbourne@protiviti.com.au
PERTH: St Martins Tower, Level 19, 44 St Georges Terrace, Perth, WA 6000, Australia. Ph: (08) 6430 6801, Fax: (08) 9325 9605, perth@protiviti.com.au
SYDNEY: Level 45, MLC Centre, 19 Martin Place, Sydney, NSW 2000, Australia. Ph: (02) 8220 9500, Fax: (02) 9247 7241, sydney@protiviti.com.au
2010 Protiviti Pty Limited / An Equal Opportunity Employer / FAQ02/04-10