Business Solutions for Regional Australia
Implementing Internal Audit Governance
www.latitude12.com.au
Executive Summary
This white paper outlines the strategies and techniques used to implement internal
audit governance in your organisation. Internal audit provides ongoing value to your
organisation through cost effective savings identification, ensuring processes are
running optimally, waste is being minimised and implementing controls to mitigate
significant business risks. This is important for the long term sustainability of your
organisation and seeks to ensure that your resources are allocated in the most
efficient way possible.
The Internal Audit function seeks to improve business processes and deliver cost
savings by implementing a number of methodologies and creating a framework to
use them in your organisation.
This paper outlines the process for the creation of an internal audit framework, an
audit committee, details the risk management process, and the development of a
risk register. The paper goes on to discuss the importance and use of strategic audit
plans in your organisation. Finally, the paper outlines the process by which the risks
are mitigated, ensuring achievement of objectives for the organisation.
Exhibit 1. The Process of Internal Audit Governance
• Develop an Internal Audit Framework
• Establish an Internal audit Charter
• Form an Audit
• risk management
• Development of a risk register
• Strategic three year and annual internal audit plans
• Conduct Financial & Operational Audits
What is Internal Audit?
Demand for Internal audit services has grown exponentially because of the growth
of overall awareness of good corporate governance, effective Risk management and
appropriate internal controls.
Internal audit provides an independent and objective review and advisory service to:
• Provide assurance to the council/board that the entity’s financial and
operational controls designed to manage the organisation’s risks and achieve
the entity’s objectives are operating in an efficient, effective and ethical
manner.
• Assist management in improving the entity’s business performance.
Internal audit provides assurance to your organisation’s leaders that your processes
and controls are operating efficiently and are aligned with your desired outcomes
and objectives.
Finally, internal audit helps you look into the future by providing tools to mitigate
risks. Internal audit does this by assessing risks present in your organisation, and
identifying those risks that are most important. This is necessary because some risks,
while present, do not pose a significant danger to your organisation. As the most
important risks are focused on, you save money by ensuring that your organisation
is safe from disaster, whilst not wasting resources needlessly.
Internal auditing is a catalyst for improving an organisation’s effectiveness and
efficiency, by providing insight and recommendations based on analyses and
assessments of data and business processes. Internal auditing provides value to
governing bodies and senior management as an objective source of independent
advice.
The scope of internal auditing within an organisation is broad and may involve topics
such as the efficacy of operations, reliability of financial reporting, deterring and
investigating fraud, safeguarding assets, and compliance with laws, regulations and
internal policies.
“Internal auditing is an independent, objective assurance, and consulting
activity, designed to add value and improve an organisation’s operations.
It helps an organisation accomplish its objectives by bringing a systematic,
disciplined approach, to evaluate and improve the effectiveness of risk
management, control, and governance processes”
Developing an Internal Audit Framework
An internal audit framework defines the governance procedure for internal audit, determines how internal audit will function in your organisation and deliver the benefits of internal audit, after creation of an Internal audit function. It includes components such as:
I. Internal Audit Charter with Responsibilities for Internal Audit function.
II. Alignment to Standards of Professional Practice of Internal audit.
III. Audit Committee Charter, its Terms of Reference and responsibilities.
IV. Entity Wide Risk Assessment and Risk Profile.
V. Three Year Strategic Internal Audit Plan & Annual Audit Work Plan.
VII. Methodology of performing internal audits.
VIII. Quality control system.
IX. Self-assessment checklists.
X. Internal Audit Protocol.
The first step is the establishment of an internal audit function. This includes formalising an Internal Audit Charter. The internal audit charter defines the internal audit’s purpose, authority and responsibilities, and lays out the ground rules for operations.
The next task while developing an internal audit framework is to create an Audit Committee. An Audit Committee charter, once approved by Council and Board, outlines the Audit Committee’s authority and purpose. The audit committee is responsible for monitoring compliance by your organisation with proper standards of financial management and compliance with regulations and the Accounting Standards.
Once these steps have been completed, a Risk assessment is carried out following which, a three year strategic Internal audit plan is developed, and from the big picture strategy identified in that plan, a more focussed Annual Internal audit plan is designed.
The responsibility for Internal audits is a shared responsibility with ownership at all levels of the organisation. The various constituents who hold this responsibility are
described below:
Setting up an Audit Committee
An audit committee is an operating committee of the board, charged with oversight
of financial reporting and disclosure. Committee members are drawn from
the organisation’s board of directors, with a chairperson selected from among
the committee members. It is best practice for the audit committee to include
independent members, and at least one member may be required to be
qualified and experienced as a professional accountant.
Typically an Audit Committee is involved in the following activities:
• Oversight of Risk management process.
• Monitoring effectiveness of internal control process and of internal audit.
• Ensuring independence of Internal and external auditor.
• Oversight of regulatory compliance.
• Oversight of Financial reporting process.
• Oversight over External auditor.
• Oversight of fraud management and other ethical practices in the organisation.
• Reporting to the Board.
Setting up an Audit Committee involves the following:
• Setting up the Charter and Terms of reference of Audit Committee.
• Selection of Committee members based on their qualifications, experience and independence.
• Running induction sessions for new Audit Committee members.
• Defining the role of Audit Committee, Executive Management and Internal auditors.
Risk Management
One of the key components of a high quality internal audit governance initiative is
an organisation wide assessment and management of risk, the oversight of which is
provided by the audit committee.
“Risk management” is the methodology which provides assurance that risks are
managed to within the organisation’s risk appetite. In other words: “the processes
that manage risks to a level considered acceptable by senior management, are
working effectively and efficiently”. Risk appetite defines the organisation’s capacity and
willingness to accept risks.
Risk management is the identification, assessment, and prioritisation of risks,
followed by a coordinated and economical application of measures to mitigate them.
This is designed to minimize, monitor, and control the probability and/or impact of
uncertain events, or to maximize the realisation of opportunities. Risk mitigation
ensures there is a greater chance of the organisational objectives being achieved.
Risks can come from uncertainty in operations, project failures, legal liabilities,
credit risk, accidents, natural causes and disasters, as well as events of uncertain or
unpredictable root-causes.
Risk mitigation needs to be approved by the appropriate level of management. A
good risk management plan results in development of a comprehensive risk register
to identify and assess risks, control and monitor implementation of management
actions and identify responsibility for the actions.
Exhibit 2 - An example heat map tool used for risk assessment.
Developing a Risk Register
Responsibility for the risk management exercise rests with management. A
risk register is a risk management tool commonly used in organisational risk
assessments. It acts as a central repository for all risks identified by the project or
organisation, and, for each risk, includes information such as risk probability, impact,
counter-measures and who the risk owner is. In other words, ‘a risk register is a complete
list of risks, identified by management, which threaten the objectives and processes
of the organisation’.
The risk register details for each identified risk: the likelihood, impact, severity of risk,
and compensatory controls to mitigate risks below your organisation’s ‘Risk Appetite’.
A risk register also details management actions required to reduce risks below the
risk appetite levels.
The risk register forms the groundwork of the strategic internal audit plan.
Exhibit 3 - An example ‘Risk Wheel’
1. Stakeholder
2. People Capital
3. Environment Sustainability
4. Projects and Systems Management
5. Financial Sustainability
6. Compliance
7. Services Development and Expansion
Strategic Audit Plans
As a consequence of the risk management exercise, a risk based internal audit (RBIA)
plan is derived. Following discussion of the assessed risk level, a prioritised group of
auditable areas is available as a standalone document, and is input to the three year
audit plan.
The internal audit strategic plan is an outcome of the risk management and risk
register development process. The strategic audit plan is developed once the risk
register is approved by the audit and risk management committee. The internal audit
strategic plan outlines the direction, capabilities, resources and specific objectives of
internal audit. A result of the internal audit strategic plan is the three-year audit plan
and the one year, or annual audit plan.
The strategic audit plan defines the medium term strategic outlook of internal audit
activities. It is the primary focus of the internal audit function over a three year
rolling period, and is updated annually. This allows limited resources to be targeted
appropriately, based on the entity’s Risk Assessment process and the internal audit
function’s professional judgement.
Exhibit 4 - An example ‘Strategic Internal Audit Plan’
Self-Assessment
Our organisation has:
☐ An approved Internal Audit Charter.
☐ An effective Audit Committee in place.
☐ Audit Committee’s Terms of Reference.
☐ An organisation wide culture and risk awareness.
☐ A sustained commitment to the risk culture from the Board / Council and
management.
☐ A risk management system connected to performance management and
appraisal.
☐ Our risk culture is heavily embedded throughout our organisation.
☐ A complete and current Entity wide Risk assessment plan.
☐ A comprehensive Risk Register detailing the risks and their priority.
☐ A well-developed 3 Year Strategic Internal audit plan.
☐ An Annual plan of Internal audits.
☐ A fully resourced Internal audit function.
☐ A fully developed set of organisational Policies and Procedures.
Internal audit is important because
it is involved in evaluating and
improving the effectiveness of risk
management, control and governance
processes in an organisation.
- Institute of Internal Auditors,
Australia, iia.org.au
Learn More
Latitude 12 is a leading provider of internal audit and risk services in the Northern
Territory and Queensland, focusing on servicing remote and regional clients. We
have strong experience delivering internal audit solutions to shire councils, local and
state government organisations and other corporate entities.
We provide services in financial processing, records management, workplace health
and safety, payroll, and of course internal audit.
If you would like to clarify any points in this white paper, or find out more about
Latitude 12’s services or how we can assist you, please contact our internal audit team.
Aswin Kumar
Director - Internal Audit and Risk Consulting
Mobile: 0419571782
Email: [email protected]
“As a managed service provider to
remote East Arnhem Shire communities,
Latitude 12 understands the
importance of quality services and
business processes in “the bush”. Whilst
assisting Council in saving $1.1M over
the past two years, Latitude 12 has
also excelled in improving the Council’s
internal business processes to remove
the “disconnect” that so often happens
between regional and city centres.”
- Kerry Whiting, Chief Financial &
Operations Officer,
East Arnhem Shire Council