Internal Audit and Risk Management Policy

In August 2009 NSW Treasury issued the Internal Audit and Risk Management Policy for the NSW Public Sector.

Background

The policy implements Government approved actions of the 2008 Department of Premier and Cabinet performance review report Internal Audit Capacity in the NSW Public Sector. It was developed under the auspices of an Implementation Steering Committee comprising senior internal audit practitioners from across the NSW public sector. The policy will strengthen key corporate governance practices across the NSW public sector by reinforcing the existing Public Finance and Audit Act 1983 requirement for operating a system of internal control.

Application of the Policy

The policy:

• is issued as a direction to department heads and statutory bodies under NSW Treasury Circular TC 09/08
• is set out in NSW Treasury Policy & Guidelines Paper TPP09-5
• withdraws and replaces previous NSW Treasury Policy & Guidelines Papers TPP95a, TPP95b and TPP97-3
• is not a requirement for State Owned Corporations which should refer to Treasury’s Commercial Policy Framework for corporate governance guidelines.

Summary of the Policy Arrangements

In summary the policy arrangements require departments and statutory bodies to implement a set of ‘core requirements’ to provide greater assurance on internal audit and risk management, including:

• an operationally independent internal audit function
• appointment of a Chief Audit Executive
• an Audit and Risk Committee with an independent chair and a majority of independent members appointed from the central register of ‘pre-qualified’ individuals established by DPC Circular C2009-13 Prequalification Scheme: Audit and Risk Committees
• consistent application of a ‘model charter’ for Audit and Risk Committees
• adoption of current standards for enterprise risk management
• adoption of current standards for professional practice in internal audit.

Summary of the Regulatory Arrangements

In summary the regulatory arrangements for the policy:

• require all departments and statutory bodies to comply with the ‘core requirements’ by the end of the financial year ending on or after 30 June 2010
• require all department heads and governing boards of statutory bodies to attest and report compliance annually, commencing with the 2009-10 Annual Report
• provide a process for departments and statutory bodies to apply, in limited circumstances, to the relevant portfolio Minister for an exception to core requirements provided alternative measures to achieve an equivalent level of assurance are implemented
• provides for the Auditor-General to monitor compliance through his compliance audit and reporting program.

Attestation and Annual Report Disclosure Statement Templates (Annexes D and E) have been updated for the 2010-11 reporting period and to remove inconsistencies with the policy.

• Annexe E now includes a disclosure within the Annual Report Disclosure Template that department heads and governing boards of statutory bodies have completed and submitted an attestation statement to Treasury.
• Agencies should note the requirement within the policy to disclose the internal audit and service delivery model and reasons for its selection (TPP 09-05, 1.2.8) is not required and continues to be omitted from the templates.

Departments and statutory bodies must refer to TPP09-5 for the full compliance and reporting requirements of the policy.

This web page has been developed to provide departments and statutory bodies with a quick reference guide on the internal audit and risk management policy, including model charters and annual reporting templates. It also contains links to related NSW public sector policies, and current standards for professional practice in internal audit and risk management.