Internal audit and risk management

Other pages in this section

More about internal audit & risk

The Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08) (Policy) is a mandatory policy to assist agencies in fulfilling their legislative obligations under the Government Sector Finance Act 2018 (GSF Act) by outlining minimum standards for risk management, internal audit and Audit and Risk Committees (ARCs).

The GSF Act strengthens accountability, transparency, performance and innovation in the New South Wales Government. It sets out the key roles and responsibilities of Accountable Authorities for the financial and performance management their agencies. Section 3.6 of the GSF Act requires the Accountable Authority of a GSF agency “to establish, maintain and keep under review effective systems for risk management, internal control and assurance (including by means of internal audits) that are appropriate systems for the agency”.

The Policy extends further than simply requiring agency compliance. It establishes an overarching framework and promotes the use of best practice standards and frameworks, and the tailoring of these frameworks for agencies to implement, develop, enhance and manage. It supports strengthening internal audit, risk management and governance processes across the NSW public sector and promotes the integrity of, and accountability for, the allocation and management of the State’s resources.

A copy of the updated Policy is available at this link: Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08).

 

Background

The Policy was first issued as a Treasurer’s Direction in 2009 as the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP09-05) and re-issued in 2015 as the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP15-03). TPP09-05 and TPP15-03 outlined a ‘better practice’ approach to internal audit and risk management that drew on the standards endorsed by professional associations and the practice of exemplar agencies in the public and private sectors.

The Policy has been updated in 2020 and issued as a mandatory policy that supersedes TPP15-03 but retains the same broad policy direction.

The Policy also supersedes the Guidance on Shared Arrangements and Subcommittees for Audit and Risk Committees (TPP16-02) and incorporates guidance to enable agencies to form Shared Arrangements and to form Subcommittees of ARCs.

 

Requirements

A) Principles and Core Requirements

The Internal Audit and Risk Management Policy requires agencies to comply with the Core Requirements of the Policy.

 

1. Risk Management Framework

  

Principle 1:

Effective risk management arrangements should support the agency in achieving its objectives by systematically identifying and managing risks to:

  • increase the likelihood and impact of positive events
  • mitigate the likelihood and impact of negative events.

Core Requirement 1.1

The Accountable Authority shall accept ultimate responsibility and accountability for risk management in the agency.

Core Requirement 1.2 

The Accountable Authority shall establish and maintain a risk management framework that is appropriate for the agency. The Accountable Authority shall ensure the framework is consistent with AS ISO 31000:2018.

2. Internal Audit Function

  

Principle 2:

An internal audit function should provide timely and useful information to management about:

  • the adequacy of, and compliance with, the system of internal control
  • whether agency results are consistent with established objectives
  • whether operations or programs are being carried out as planned.

Core Requirement 2.1 

The Accountable Authority shall establish and maintain an internal audit function that is appropriate for the agency and fit for purpose.

Core Requirement 2.2 

The Accountable Authority shall ensure the internal audit function operates consistent with the International Standards for Professional Practice for Internal Auditing.

Core Requirement 2.3 

The Accountable Authority shall ensure the agency has an Internal Audit Charter that is consistent with the content of the ‘model charter.’

3. Audit and Risk Committee

  

Principle 3:

An independent Audit and Risk Committee with appropriate expertise should provide relevant and timely advice to the Accountable Authority on the agency’s governance, risk and control frameworks and its external accountability obligations.

Core Requirement 3.1

The Accountable Authority shall establish and maintain efficient and effective arrangements for independent Audit and Risk Committee oversight to provide advice and guidance to the Accountable Authority on the agency’s governance processes, risk management and control frameworks, and its external accountability obligations.

Core Requirement 3.2

The Accountable Authority shall ensure the Audit and Risk Committee has a Charter that is consistent with the content of the ‘model charter.’

B) Attestation Statement included in agency’s annual report

Agencies must attest their compliance with the Core Requirements in an annual Attestation Statement (Annexure C of the Policy), which is published in the agency’s Annual Report.

Where a shared arrangement has been approved by an agency’s cluster Secretary, agencies must submit individual annual attestation statements and publish them in their annual reports accordingly. For agencies that have entered into a shared arrangement, the relevant templates from Annexure H and/or I of the Policy must be completed.

 

C) Copy of the Attestation Statement provided to Treasury

A copy of the Attestation Statement shall be submitted separately to Treasury on or before 31 October each year. For any non-compliance with Core Requirements, agencies will be required to also submit a copy of the relevant Responsible Minister’s approved Ministerial Exemption.

Submissions to Treasury should be emailed to: [email protected].

 

D) Variations that apply to the Policy

As there are varying sizes and complexities of agencies across the general government sector, the Policy allows for certain variations to support its efficient and effective implementation. Refer to the below variations to determine if they are applicable to your agency.

 

Variations Page references

i) Shared Arrangements

A. Shared Audit and Risk Committee
B. Shared Chief Audit Executive
C. Shared Internal Audit Function

Pages 12-14

Core requirements 3.1.2-3.1.4

Annexure G

ii) Ministerial Exemption Process

Ministerial exemption to one or more of the Core Requirements for up to two reporting periods.

Pages 14-15

Annexure D

iii) Small Agency Exemption

Ongoing exemption to comply with one or more of the Core Requirements until any of the listed circumstances occurs.

Pages 15-16

Annexure E

iv) Transitional Arrangements

12-month transitional period if the agency is in one or more of the following circumstances: 

  • during the first twelve months from the commencement date of the Policy
  • new agency required to comply with the Core Requirement(s) of the Policy; or
  • impacted by Machinery of Government (MoG) changes.
 Pages 16-17

A summary of these requirements is provided in this link.

 

Resources

Internal Audit and Risk Management related policies and documents:

 

Other related Treasury Policy and Guidelines Papers:

 

Templates in the Annexures of TPP20-08:

 

Audit and Risk Committee Fact Sheets

Treasury has published the following guides to assist Audit and Risk Committees (ARCs) with specific topics relevant to their role. The list is not exhaustive and further guides will be developed and added to this list in due course.

 

Frequently Asked Questions

To assist and guide NSW public sector departments and agencies, below are responses to some of the frequently asked questions relating to the Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08) and shared arrangements:

There is no specific limitation on the number of agencies that may be overseen by a shared ARC. Ultimately, this is a business decision for the departments and agencies involved in the shared arrangement.  However, TPP20-08 requires the independent ARC chair and members to:

  • have the time and capacity to sufficiently cover all agencies in the shared ARC, and
  • maintain an appropriate level of visibility of each of the agency’s operations and reporting relationship with each Accountable Authority.

Therefore, the number of agencies overseen by an ARC should not exceed a number that would prevent these requirements from being followed.

Refer to Annexure G of TPP20-08 for further information.

 

The Internal Audit and Risk Management Policy requires all independent chairs and members on ARCs to be selected from the Panel of prequalified individuals as constituted under the Prequalification Scheme: Audit and Risk Committee Independent Chairs and Members (the Scheme). This requirement also applies to members of the governing board of a statutory body who wish to be members of the ARC.

The Scheme was first established by the Department of Premier and Cabinet in 2009 with the following objectives:

  • “improve probity standards and quality assurance by allowing for third party assessment of independent persons available for engagement to public sector Audit and Risk Committee positions; and
  • streamline the engagement of suitable persons to public sector Audit and Risk Committee positions by pre-qualifying independent individuals with demonstrated skills and experience in the area.”

Accordingly, the Scheme requires consideration by the Assessment Committee of a range of specific evaluation criteria including the knowledge and experience of applicants in relevant areas such as risk management, performance management, internal and external auditing, and financial reporting.

While there will be occasions where board members of an agency will also meet the evaluation criteria applied for the purposes of prequalification, this may not always be the case.  The criteria applied for appointments to statutory boards vary considerably across different boards.

For example, it may be required that the governing board of a statutory authority is comprised of representatives from a specified profession, and/or representatives of certain organisations, and/or representatives of a specific community sector. In some instances, it is required that an appointment to a board has knowledge of, or experience in, a specific subject such as science or the arts. In many cases, the criteria applied have no relationship to the criteria applied for ARC chairs and members. 

Whether or not a board member has the requisite experience and knowledge to qualify them as members of an ARC can only be determined on a case by case basis. For consistency, it is appropriate that this assessment is carried out by the Assessment Panel administered by NSW Procurement in accordance with the evaluation criteria of the Scheme. This assessment process is generally straightforward and able to be completed expeditiously.

 

TPP20-08 states in the requirements for Shared ARCs that “the ARC covers each agency’s business separately in sequential meetings and not joint sittings.” The requirement to hold sequential shared ARC meetings is consistent with the better practice guidance of the Australian National Audit Office about the proper management of the business of entities in a shared arrangement.

There are also other reasons for sequential meetings. Firstly, the oversight role of an ARC is to provide advice and guidance to the Accountable Authority of individual agencies on their governance processes, risk management and control frameworks, and their external accountability obligations. Therefore, this requires ARC meetings to be held sequentially for each agency in a shared ARC. Regardless of the form of arrangement, a shared ARC will operate as an individual ARC for each separate agency and provide independent advice and oversight for each participating agency. This supports an appropriate level of visibility of each of the agency’s operations irrespective of their size and maintains a reporting relationship with each Accountable Authority.

Sequential meetings also facilitate participation by the Audit Office in ARC meetings without breach of section 38 (Secrecy) of the Public Finance and Audit Act 1983. Section 38 prohibits the Auditor General or their representatives from revealing information to people who are not officers of the particular entity that is subject of that information. In a joint meeting covering a number of entities, senior staff and other employees from the respective entities who have been invited to attend for one or more agenda items are likely to be in attendance. Further, in the case of a Principal Department Led ARC, non-independent members of the Principal Department are likely to be present.  The Auditor-General, an auditor or other authorised person from the Audit Office would be prevented, by section 38, from disclosing information about an audit or financial matter of an entity in such a multi-agency environment that includes officers from other entities. This issue has been examined by the Crown Solicitor who has confirmed that the duty of secrecy in section 38 limits the ability of the Auditor General, an auditor or other authorised person to disclose information in such a multi-agency environment. As such, at this time, legislation does not support the conduct of joint meetings of shared ARCs.

However, under the provisions of TPP20-08, sequential meetings in specific circumstances may allow for cluster representatives (including the Accountable Authority, Chief Financial Officers, Senior Accounting Officers, Chief Risk Officers and Chief Audit Executives) to attend the ARC meetings for all agencies within their shared arrangement. This at the invitation of the Chair and with the consent of all participating agencies. However, external audit representatives (i.e. the Auditor-General, an auditor or other authorised person from the Audit Office) may consider that discussing individual agency matters at ARC meetings when cluster representatives are present is incompatible with the secrecy provisions in section 38 and their professional membership obligations. Where this is the case, the external audit representatives may seek to discuss matters with the ARC and relevant agency through in camera sessions.

Treasury will continue to examine this issue in consultation with the Audit Office towards the identification and implementation of appropriate arrangements.

Contact us

For further information, contact Treasury’s Financial Management Governance & Analytics team at [email protected].

Last updated: 23/02/2022