The Internal Audit and Risk Management Policy for the NSW Public Sector was issued in 2009 to strengthen internal audit, risk management and governance processes across the NSW public sector and promote the integrity of, and accountability for, the allocation and management of the State’s resources. The Policy has since been reviewed and an updated Policy was released in 2015. A copy of the updated Policy is available at this link.

The Policy implemented key recommendations of the Department of Premier and Cabinet’s (DPC) Performance Review of the Internal Audit Capacity in the NSW Public Sector. The Review’s key recommendation was to strengthen the “whole of government” policy and regulatory arrangements for the governance of internal audit and risk management.

The Internal Audit and Risk Management Policy requires agencies to comply with the Core Requirements of the Policy, and to provide an attestation to this effect to Treasury on an annual basis. That attestation is also published in the agency’s annual report.

Where a shared arrangement has been approved by NSW Treasury, agencies must submit individual annual attestations and publish these attestations in their annual reports accordingly. For agencies that have entered into a shared arrangement, the relevant templates must be used from Guidance on Shared Arrangements and Subcommittees for Audit and Risk Committees (TPP16-02).

Frequently Asked Questions

To assist and guide NSW public sector departments and agencies, below are responses to some of the frequently asked questions relating to the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03) and the Guidance on Shared Arrangements and Subcommittees for Audit and Risk Committees (TPP 16-02):

There is no specific limitation on the number of agencies that may be oversighted by a shared ARC and, ultimately, this is a business decision for the departments and agencies involved in the shared arrangement.  However, TPP 12-04 recommends that the number of agencies oversighted by an ARC should not exceed a number that an ARC can comfortably oversight in a meeting day.

The Internal Audit and Risk Management Policy requires all independent chairs and members on ARCs to be selected from the Panel of prequalified individuals as constituted under the Prequalification Scheme: Audit and Risk Committee Independent Chairs and Members (the Scheme). This requirement also applies to members of the governing board of a statutory body who wish to be members of the ARC.
The Scheme was established by the Department of Premier and Cabinet in 2009 with the following objectives:

  • “improve probity standards and quality assurance by allowing for third party assessment of independent persons available for engagement to public sector Audit and Risk Committee positions; and
  • streamline the engagement of suitable persons to public sector Audit and Risk Committee positions by pre-qualifying independent individuals with demonstrated skills and experience in the area.”

Accordingly, the Scheme requires consideration by the Assessment Committee of a range of specific evaluation criteria including the knowledge and experience of applicants in relevant areas such as risk management, performance management, internal and external auditing, and financial reporting.

While there will be occasions where board members of an agency will also meet the evaluation criteria applied for the purposes of prequalification, this may not always be the case.  The criteria applied for appointments to statutory boards vary considerably across different boards.

For example, it may be required that the governing board of a statutory authority is comprised of representatives from a specified profession, and/or representatives of certain organisations, and/or representatives of a specific community sector. In some instances, it is required that an appointment to a board has knowledge of, or experience in, a specific subject such as science or the arts. In many cases, the criteria applied have no relationship to the criteria applied for ARC chairs and members. 

Whether or not a board member has the requisite experience and knowledge to qualify them as members of an ARC can only be determined on a case by case basis. For consistency, it is appropriate that this assessment is carried out by the Assessment Panel administered by the Department of Finance, Services and Innovation in accordance with the evaluation criteria of the Scheme. This assessment process is generally straightforward and able to be completed expeditiously.

TPP 16-02 states that “It is expected that shared ARC meetings for each agency would normally be held sequentially on the same day”. The requirement to hold shared ARC meetings for each entity sequentially is consistent with the better practice guidance of the Australian National Audit Office about the proper management of the business of entities in a shared arrangement.

However, there are other reasons for the requirement to conduct meetings of multi-agency ARCs sequentially. One of the most significant reasons is that sequential meetings facilitate participation by the Audit Office in ARC meetings without breach of s.38 (Secrecy) of the Public Finance and Audit Act 1983.

Section 38 prohibits the Auditor General or his representatives from revealing information to people who are not officers of the particular entity that is subject of that information. In a joint meeting covering a number of entities, senior staff and other employees from the respective entities who have been invited to attend for one or more agenda items are likely to be in attendance. Further, in the case of a Principal Department led-ARC, non-independent members of the Principal Department are likely to be present.  The Auditor-General, an auditor or other authorised person from the Audit Office would be prevented, by section 38, from disclosing information about an audit or financial matter of an entity in such a multi-agency environment that includes officers from other entities. This issue has been examined by the Crown Solicitor who has confirmed that the duty of secrecy in section 38 limits the ability of the Auditor General, an auditor or other authorised person to disclose information in such a multi-agency environment.

As such, at this time, legislation does not support the conduct of joint meetings of shared ARCs. Treasury will continue to examine this issue in consultation with the Audit Office and the Parliamentary Counsel’s Office towards the identification and implementation of arrangements that will appropriately address the legislative and other policy concerns.