The Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08) (Policy) is a mandatory policy to assist agencies in fulfilling their legislative obligations under the Government Sector Finance Act 2018 (GSF Act) by outlining minimum standards for risk management, internal audit and Audit and Risk Committees (ARCs).
The GSF Act strengthens accountability, transparency, performance and innovation in the New South Wales Government. It sets out the key roles and responsibilities of Accountable Authorities for the financial and performance management their agencies. Section 3.6 of the GSF Act requires the Accountable Authority of a GSF agency “to establish, maintain and keep under review effective systems for risk management, internal control and assurance (including by means of internal audits) that are appropriate systems for the agency”.
The Policy extends further than simply requiring agency compliance. It establishes an overarching framework and promotes the use of best practice standards and frameworks, and the tailoring of these frameworks for agencies to implement, develop, enhance and manage. It supports strengthening internal audit, risk management and governance processes across the NSW public sector and promotes the integrity of, and accountability for, the allocation and management of the State’s resources.
A copy of the updated Policy is available at this link: Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08).
The Policy was first issued as a Treasurer’s Direction in 2009 as the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP09-05) and re-issued in 2015 as the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP15-03). TPP09-05 and TPP15-03 outlined a ‘better practice’ approach to internal audit and risk management that drew on the standards endorsed by professional associations and the practice of exemplar agencies in the public and private sectors.
The Policy has been updated in 2020 and issued as a mandatory policy that supersedes TPP15-03 but retains the same broad policy direction.
The Policy also supersedes the Guidance on Shared Arrangements and Subcommittees for Audit and Risk Committees (TPP16-02) and incorporates guidance to enable agencies to form Shared Arrangements and to form Subcommittees of ARCs.
A) Principles and Core Requirements
The Internal Audit and Risk Management Policy requires agencies to comply with the Core Requirements of the Policy.
1. Risk Management Framework
Effective risk management arrangements should support the agency in achieving its objectives by systematically identifying and managing risks to:
Core Requirement 1.1
The Accountable Authority shall accept ultimate responsibility and accountability for risk management in the agency.
Core Requirement 1.2
The Accountable Authority shall establish and maintain a risk management framework that is appropriate for the agency. The Accountable Authority shall ensure the framework is consistent with AS ISO 31000:2018.
2. Internal Audit Function
An internal audit function should provide timely and useful information to management about:
Core Requirement 2.1
The Accountable Authority shall establish and maintain an internal audit function that is appropriate for the agency and fit for purpose.
Core Requirement 2.2
The Accountable Authority shall ensure the internal audit function operates consistent with the International Standards for Professional Practice for Internal Auditing.
Core Requirement 2.3
The Accountable Authority shall ensure the agency has an Internal Audit Charter that is consistent with the content of the ‘model charter.’
3. Audit and Risk Committee
An independent Audit and Risk Committee with appropriate expertise should provide relevant and timely advice to the Accountable Authority on the agency’s governance, risk and control frameworks and its external accountability obligations.
Core Requirement 3.1
The Accountable Authority shall establish and maintain efficient and effective arrangements for independent Audit and Risk Committee oversight to provide advice and guidance to the Accountable Authority on the agency’s governance processes, risk management and control frameworks, and its external accountability obligations.
Core Requirement 3.2
The Accountable Authority shall ensure the Audit and Risk Committee has a Charter that is consistent with the content of the ‘model charter.’
B) Attestation Statement included in agency’s annual report
Agencies must attest their compliance with the Core Requirements in an annual Attestation Statement (Annexure C of the Policy), which is published in the agency’s Annual Report.
Where a shared arrangement has been approved by an agency’s cluster Secretary, agencies must submit individual annual attestation statements and publish them in their annual reports accordingly. For agencies that have entered into a shared arrangement, the relevant templates from Annexure H and/or I of the Policy must be completed.
C) Copy of the Attestation Statement provided to Treasury
A copy of the Attestation Statement shall be submitted separately to Treasury on or before 31 October each year. For any non-compliance with Core Requirements, agencies will be required to also submit a copy of the relevant Responsible Minister’s approved Ministerial Exemption.
Submissions to Treasury should be emailed to: [email protected].
D) Variations that apply to the Policy
As there are varying sizes and complexities of agencies across the general government sector, the Policy allows for certain variations to support its efficient and effective implementation. Refer to the below variations to determine if they are applicable to your agency.
i) Shared Arrangements
A. Shared Audit and Risk Committee
Core requirements 3.1.2-3.1.4
ii) Ministerial Exemption Process
Ministerial exemption to one or more of the Core Requirements for up to two reporting periods.
iii) Small Agency Exemption
Ongoing exemption to comply with one or more of the Core Requirements until any of the listed circumstances occurs.
iv) Transitional Arrangements
12-month transitional period if the agency is in one or more of the following circumstances:
A summary of these requirements is provided in this link.
Internal Audit and Risk Management related policies and documents:
- Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08)
- Audit and Risk Committee Independent Chairs and Members Scheme
- Prequalification Scheme: Audit and Risk Committee Independent Chairs and Members – Conditions – December 2020
- Prequalification Scheme: Audit and Risk Committee Independent Chairs and Members – Guidelines – December 2020
- Summary of the TPP20-08 requirements
Other related Treasury Policy and Guidelines Papers:
- Treasury Risk Maturity Assessment Tool Guidance Paper (TPP20-06)
- Risk Management Toolkit for NSW Public Sector agencies (TPP12-03)
- Certifying the Effectiveness of Internal Controls Over Financial Information (TPP17-06)
Templates in the Annexures of TPP20-08:
- Annexure A - Model Internal Audit Charter
- Annexure B - Model Audit and Risk Committee Charter
- Annexure C - Attestation Statement Template
- Annexure D - Ministerial Determination Template
- Small Agency Exemption
- Annexure E - Small Agency Exemption
- Annexure F - Small Agency Exemption Application Template
- Shared Arrangements
- Annexure G - Shared Arrangements
- Annexure H - Model Audit and Risk Committee Charter (Principal Department Led Shared Arrangement)
- Annexure I - Model Audit and Risk Committee Charter (Collaborative Shared Arrangement)
Audit and Risk Committee Fact Sheets
Treasury has published the following guides to assist Audit and Risk Committees (ARCs) with specific topics relevant to their role. The list is not exhaustive and further guides will be developed and added to this list in due course.
- Guide for Audit and Risk Committees – Understanding Financial Statements
- Guide for Audit and Risk Committees – Compliance Management Systems
Frequently Asked Questions
To assist and guide NSW public sector departments and agencies, below are responses to some of the frequently asked questions relating to the Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08) and shared arrangements: