Internal Audit and Audit Committees
This bulletin has been prepared to assist councils in implementing and maintaining an efficient and effective internal audit function and audit committee to provide the council with assurance that the internal control environment is effective. It also provides information about the benefits that can be achieved by having an appropriate internal audit and audit committee function.
Under the Local Government Act 2009, Local Government Regulation 2012, City of Brisbane Act 2010 and the City of Brisbane Regulation 2012 (the Acts), all local governments in Queensland are required to establish an efficient and effective internal audit function and establish an Audit Committee.
International Professional Practices Framework
The Department has used information from the International Professional Practices Framework (IPPF) published by the Institute of Internal Auditors (IIA) in this bulletin. In addition reference has been made to resources issued by the Australian National Audit Office (ANAO) and Queensland Treasury.
What is internal audit?
The Acts do not define internal audit, instead they specify some requirements that a council's internal audit function must perform.
The IPPF provides a useful definition however, which demonstrates the wide range of activity performed by an internal audit function:
'Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.'
The difference between internal and external audit
Council's internal audit function performs a different role to external audit.
The external audit provides independent assurance that council's annual financial statements are reliable and comply with prescribed requirements. It is primarily a financial audit which assesses council's internal control framework and focuses on the material components of council's financial statements and how significant financial reporting risks have been dealt with by management.
In contrast, the type of internal audits performed each year will vary depending upon each council's needs. They should be based on a strategic analysis of the individual council's risks and operations. The aim of the audits is to improve operations and manage risk, and they may include:
- operational audits which look at the efficiency and effectiveness of operations
- compliance audits which look at compliance with applicable laws and rules (e.g. workplace health and safety)
- fraud audits which comprise both fraud detection audits and fraud investigations, and
- IT audits, primarily of and using council's IT systems.
External audits may seek to rely on some of the work undertaken by internal audit, if appropriate, to avoid duplication of effort and to achieve a more efficient audit process. Such reliance will only occur where external audit is satisfied that the work of internal audit is adequate for the purpose of the external audit.
Benefits of an internal audit function
An effective internal audit function will assist chief executive officers (CEOs) and senior management to improve the effectiveness of operations (including the cost effectiveness), and to manage risks.
Internal audit can significantly add value to a council's internal control, risk management, and governance processes. Internal audit assesses both the financial and non-financial performance of council.
Characteristics of an internal audit function
An excellent resource to explain the role of internal audit in council is the Australian National Audit Office's 2012 best practice guide, Public Sector Internal Audit – An investment in assurance and business improvement. This guide contains many useful tools including a model internal audit charter and proforma internal audit strategy, work plan and reports.
Another excellent source of information on internal audit is Queensland Treasury's Information Sheet 2.9.
Indicators of an efficient and effective internal audit function include:
- internal audit is identified as an independent function within council's structure
- council has a well-developed strategy for the function which clearly identifies the role and responsibilities and the contribution that internal audit makes to council
- the function reports directly to the CEO and is independent from operational functions
- council provides an appropriate level of funding to enable this function to operate effectively
- the function is adequately resourced with appropriately qualified people
- if the function is outsourced, a robust selection process is undertaken to ensure that the people undertaking the work are appropriately qualified and any conflicts of interest are managed
- an appropriate internal audit charter and internal audit strategy exist
- an internal audit work plan, which is consistent with the charter and strategy, exists. This will identify the specific audit activity that will be undertaken in the financial year and how it relates to risk. The work plan and strategy may be combined into one document incorporating the legislative requirements for an internal audit plan.
- an audit plan is in place, and is followed, for each specific audit undertaken. This plan at a minimum should:
- identify the area for the proposed audit
- outline the 'risk' being reviewed
- identify the key stakeholders
- explain the type of audit to be undertaken
- estimate duration and costs.
- senior management periodically evaluate the effectiveness of the internal audit function
- for each completed audit a report of findings and recommendations is presented to management and the Audit Committee.
Internal audit charter
Council's internal audit charter must be consistent with generally accepted auditing and ethical standards, including the IPPF. It should be approved by the CEO and reviewed annually.
The charter defines the purpose, authorities and responsibilities of the internal audit function. It should be presented in such a way that management and staff have a clear understanding of the objectives of the function.
Compliance with professional standards
All internal audit activity should be conducted in accordance with the IPPF. In addition, the people undertaking internal audit activity should possess relevant qualifications and have undertaken appropriate training, such as that provided by the IIA.
Legislative requirements that relate to internal audit
The Acts require all local governments in Queensland to establish an efficient and effective internal audit function. In addition the following minimum requirements are specified:
For each financial year, a local government must:
- prepare an internal audit plan
- carry out an internal audit
- prepare a progress report for the internal audit
- assess compliance with the internal audit plan.
In accordance with the Local Government Regulation 2012, Section 207 and City of Brisbane Regulation 2012, Section 199; an internal audit plan must contain statements about:
- the way in which the operational risks have been evaluated
- the most significant operational risks identified from the evaluation
- the control measures that the local government has adopted, or is to adopt, to manage the most significant operational risks.
These statements may be contained in the Internal Audit Strategy document.
From 1 July 2014 all local governments were required to have an audit committee.
Composition of audit committees
In accordance with the Local Government Regulation 2012, Section 210 and City of Brisbane Regulation 2012, Section 200, council's audit committee must comprise at least three but no more than six members, including at least one member who has significant experience and skills in financial matters. The audit committee of the City of Brisbane may also include up to two councillors. For all other councils, it must include a minimum of one councillor, and maximum of two councillors.
The CEO cannot be a member of the audit committee but can attend meetings of the committee. It is also inappropriate for any person who is responsible for, or involved in, council's financial or internal audit functions to be a member. The Department recommends that at least one independent member, with relevant financial skills, is appointed to the audit committee.
Audit committee charter and annual work program
Like the internal audit function, council's audit committee should have a charter. The charter guides the behaviour and activities of the audit committee and includes:
- the objectives, roles and responsibilities of the committee
- the relationship of the committee to the CEO, management, internal audit and external auditors
- authority for the committee to conduct enquiries appropriate to fulfil committee responsibilities, together with a statement that full assistance is to be provided to the committee in the discharge of its duties
- authority for the committee to access council documents, records and personnel and the requirement that frank, truthful and meaningful answers be given to questions by the committee to any council employee
- confidentiality and independence requirements of committee members, and their ethical and reporting responsibilities
- procedures for meetings
- the process for resignation or dismissal, ensuring that grounds for dismissal refer to the skills and code of conduct as documented in the letter of appointment.
An example audit committee charter is included in Queensland Treasury's Audit Committee Guidelines.
Each year, the committee should prepare and follow a work program. The program must include a review of:
- the internal audit plan for the year
- the internal audit progress report
- the local government's draft financial statements, before they are certified and given to the Auditor-General for auditingthe Auditor-General's audit report and observation report about the local government's financial statements.
In addition, the work program should include related matters in accordance with the audit committee charter. For example:
- a review of the financial reporting valuation of the local government's assets
- tracking management action on internal and external audit findings
- assessing the performance of internal audit.
Audit committee meetings
In accordance with the Local Government Regulation 2012, Section 211 and City of Brisbane Regulation 2012, Section 201, the audit committee must meet at least twice a year. After each meeting, a report must be prepared about matters reviewed, and recommendations made at the meeting. The report must be given to council's CEO who must table the report for consideration at the next council meeting. Meetings should be conducted in accordance with the audit committee's charter.
The relationship between internal audit and the audit committee
The Acts include a requirement that internal audit provide the audit committee with progress reports, summaries of recommendations and details of any action taken or not taken in response to the recommendations. In addition to reviewing these documents the audit committee must review the internal audit plan for the current financial year.
In practice, the relationship between internal audit and the audit committee may be broader than this, including for example the provision of secretariat functions.
- The Australian National Audit Office – www.anao.gov.au
- The Institute of Internal Auditors Australia – www.iia.org.au – this site contains IPPF Practice Guides.
- Queensland Treasury – www.treasury.qld.gov.au
Any further enquiries on this matter should be addressed to:
Mr Gary Kleidon
Department of Infrastructure, Local Government and Planning
PO Box 15009
Brisbane QLD 4002