Implementing Internal Audit Governance

Business Solutions for Regional Australia

www.latitude12.com.au

Executive Summary

This white paper outlines the strategies and techniques used to implement internal audit governance in your organisation. Internal audit provides ongoing value to your organisation by identifying cost-effective savings, ensuring that processes are running optimally and waste is being minimised, and implementing controls to mitigate significant business risks. This is important for the long-term sustainability of your organisation and seeks to ensure that your resources are allocated in the most efficient way possible.

The Internal Audit function seeks to improve business processes and deliver cost savings by implementing a number of methodologies and creating a framework to use them in your organisation.

This paper outlines the process for the creation of an internal audit framework, an audit committee, details the risk management process, and the development of a risk register. The paper goes on to discuss the importance and use of strategic audit plans in your organisation. Finally, the paper outlines the process by which the risks are mitigated, ensuring achievement of objectives for the organisation.

Exhibit 1. The Process of Internal Audit Governance

Develop an Internal Audit Framework

Establish an Internal audit Charter

Form an Audit

risk management

Development of a risk register

Strategic three year and annual internal audit plans

Conduct Financial & Operational Audits


What is Internal Audit?

Demand for internal audit services has grown exponentially because of the growth of overall awareness of good corporate governance, effective risk management and appropriate internal controls.

Internal audit provides an independent and objective review and advisory service to:

• Provide assurance to the council/board that the entity’s financial and operational controls designed to manage the organisation’s risks and achieve the entity’s objectives are operating in an efficient, effective and ethical manner.

• Assist management in improving the entity’s business performance.

Internal audit provides assurance to your organisation’s leaders that your processes and controls are operating efficiently and are aligned with your desired outcomes and objectives.

Finally, internal audit helps you look into the future by providing tools to mitigate risks. Internal audit does this by assessing risks present in your organisation, and identifying those risks that are most important. This is necessary because some risks, while present, do not pose a significant danger to your organisation. By focusing on the most important risks, you save money by ensuring that your organisation is safe from disaster, whilst not wasting resources needlessly.

Internal auditing is a catalyst for improving an organisation’s effectiveness and efficiency, by providing insight and recommendations based on analyses and assessments of data and business processes. Internal auditing provides value to governing bodies and senior management as an objective source of independent advice.

The scope of internal auditing within an organisation is broad and may involve topics such as the efficacy of operations, reliability of financial reporting, deterring and investigating fraud, safeguarding assets, and compliance with laws, regulations and internal policies.

“Internal auditing is an independent, objective assurance, and consulting activity, designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach, to evaluate and improve the effectiveness of risk management, control, and governance processes”


Developing an Internal Audit Framework

An internal audit framework defines the governance procedure for internal audit and determines how internal audit will function in your organisation and deliver its benefits once an internal audit function has been created. It includes components such as:

I. Internal Audit Charter with Responsibilities for Internal Audit function.

II. Alignment to Standards of Professional Practice of Internal audit.

III. Audit Committee Charter, its Terms of Reference and responsibilities.

IV. Entity Wide Risk Assessment and Risk Profile.

V. Three Year Strategic Internal Audit Plan & Annual Audit Work Plan.

VII. Methodology of performing internal audits.

VIII. Quality control system.

IX. Self-assessment checklists.

X. Internal Audit Protocol.

The first step is the establishment of an internal audit function. This includes formalising an Internal Audit Charter. The internal audit charter defines the internal audit’s purpose, authority and responsibilities, and lays out the ground rules for operations.

The next task while developing an internal audit framework is to create an Audit Committee. An Audit Committee charter, once approved by Council and Board, outlines the Audit Committee’s authority and purpose. The audit committee is responsible for monitoring compliance by your organisation with proper standards of financial management and compliance with regulations and the Accounting Standards.

Once these steps have been completed, a risk assessment is carried out, following which a three year strategic internal audit plan is developed. From the big picture strategy identified in that plan, a more focussed annual internal audit plan is designed.

The responsibility for internal audits is a shared responsibility with ownership at all levels of the organisation. The various constituents who hold this responsibility are described below:


Setting up an Audit Committee

An audit committee is an operating committee of the board, charged with oversight of financial reporting and disclosure. Committee members are drawn from the organisation’s board of directors, with a chairperson selected from among the committee members. It is best practice for the audit committee to include independent members, and at least one member may be required to be a person qualified and experienced as a professional accountant.

Typically an Audit Committee is involved in the following activities:

• Oversight of Risk management process.

• Monitoring effectiveness of internal control process and of internal audit.

• Ensuring independence of Internal and external auditor.

• Oversight of regulatory compliance.

• Oversight of Financial reporting process.

• Oversight over External auditor.

• Oversight of fraud management and other ethical practices in the organisation.

• Reporting to the Board.

Setting up an Audit Committee involves the following:

• Setting up the Charter and Terms of reference of Audit Committee.

• Selection of Committee members based on their qualifications, experience and independence.

• Running induction sessions for new Audit Committee members.

• Defining the role of Audit Committee, Executive Management and Internal auditors.


Risk Management

One of the key components of a high quality internal audit governance initiative is an organisation wide assessment and management of risk, the oversight of which is provided by the audit committee.

“Risk management” is the methodology which provides assurance that risks are managed to within the organisation’s risk appetite. In other words: “the processes that manage risks to a level considered acceptable by senior management, are working effectively and efficiently”. Risk appetite defines an organisation’s capacity and willingness to accept risks.

Risk management is the identification, assessment, and prioritisation of risks, followed by a coordinated and economical application of measures to mitigate them. This is designed to minimize, monitor, and control the probability and/or impact of uncertain events, or to maximize the realisation of opportunities. Risk mitigation ensures there is a greater chance of the organisational objectives being achieved.

Risks can come from uncertainty in operations, project failures, legal liabilities, credit risk, accidents, natural causes and disasters, as well as events of uncertain or unpredictable root-causes.

Risk mitigation needs to be approved by the appropriate level of management. A good risk management plan results in development of a comprehensive risk register to identify and assess risks, control and monitor implementation of management actions and identify responsibility for the actions.

Exhibit 2 - An example heat map tool used for risk assessment.


Developing a Risk Register

Responsibility for the risk management exercise rests with management. A risk register is a risk management tool commonly used in organisational risk assessments. It acts as a central repository for all risks identified by the project or organisation, and, for each risk, includes information such as risk probability, impact, counter-measures and who the risk owner is. In other words, ‘risk register is a complete list of risks, identified by management, which threaten the objectives and processes of the organisation’.

The risk register details for each identified risk: the likelihood, impact, severity of risk, and compensatory controls to mitigate risks below your organisation’s ‘Risk Appetite’. A risk register also details management actions required to reduce risks below the risk appetite levels.

The risk register forms the groundwork of the strategic internal audit plan.

Exhibit 3 - An example ‘Risk Wheel’

1. Stakeholder

2. People Capital

3. Environment Sustainability

4. Projects and Systems Management

5. Financial Sustainability

6. Compliance

7. Services Development and Expansion


Strategic Audit Plans

As a consequence of the risk management exercise, a risk based internal audit (RBIA) plan is derived. Following discussion of the assessed risk level, a prioritised group of auditable areas is available as a standalone document, and is input to the three year audit plan.

The internal audit strategic plan is an outcome of the risk management and risk register development process. The strategic audit plan is developed once the risk register is approved by the audit and risk management committee. The internal audit strategic plan outlines the direction, capabilities, resources and specific objectives of internal audit. A result of the internal audit strategic plan is the three-year audit plan and the one year, or annual audit plan.

The strategic audit plan defines the medium term strategic outlook of internal audit activities. It is the primary focus of the internal audit function over a three year rolling period, and is updated annually. This allows limited resources to be targeted appropriately, based on the entity’s Risk Assessment process and the internal audit function’s professional judgement.

Exhibit 4 - An example ‘Strategic Internal Audit Plan’


Self-Assessment

Our organisation has:

☐ An approved Internal Audit Charter.

☐ An effective Audit Committee in place.

☐ Audit Committee’s Terms of Reference.

☐ An organisation wide culture and risk awareness.

☐ A sustained commitment to the risk culture from the Board / Council and management.

☐ A risk management system connected to performance management and appraisal.

☐ Our risk culture is heavily embedded throughout our organisation.

☐ A complete and current Entity wide Risk assessment plan.

☐ A comprehensive Risk Register detailing the risks and their priority.

☐ A well-developed 3 Year Strategic Internal audit plan.

☐ An Annual plan of Internal audits.

☐ A fully resourced Internal audit function.

☐ A fully developed set of organisational Policies and Procedures.

Internal audit is important because it is involved in evaluating and improving the effectiveness of risk management, control and governance processes in an organisation.

- Institute of Internal Auditors, Australia, iia.org.au


Learn More

Latitude 12 is a leading provider of internal audit and risk services in the Northern Territory and Queensland, focusing on servicing remote and regional clients. We have strong experience delivering internal audit solutions to shire councils, local and state government organisations and other corporate entities.

We provide services in financial processing, records management, workplace health and safety, payroll, and of course internal audit.

If you would like to clarify any points in this white paper, or find out more about Latitude 12’s services or how we can assist you, please contact our internal audit team.

Aswin Kumar

Director- Internal Audit and Risk Consulting

Mobile: 0419571782

Email: [email protected]

“As a managed service provider to remote East Arnhem Shire communities, Latitude 12 understands the importance of quality services and business processes in “the bush”. Whilst assisting Council in saving $1.1M over the past two years, Latitude 12 has also excelled in improving the Council’s internal business processes to remove the “disconnect” that so often happens between regional and city centres.”

- Kerry Whiting, Chief Financial & Operations Officer, East Arnhem Shire Council
