Internal Audit Performance
Overview
Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an agency’s operations. It is an important part of the internal control framework and helps an agency accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal controls and governance processes.
In Victorian Government departments, the internal audit function provides the head of the department—the Secretary—and the audit committee and senior executives with assurance that key risks to the achievement of the department’s objectives are being appropriately addressed.
In this audit, we examined the internal audit functions of all seven portfolio departments and assessed how well they use their internal audit resources. We evaluated the role and positioning of the internal audit function within departments, its independence and objectivity, the alignment of internal audit plans with departmental goals and risks, quality assurance and resourcing, performance against stakeholder expectations, and the communication of internal audit outcomes and insights.
We made 10 recommendations to portfolio departments.
Message
Ordered to be printed
VICTORIAN GOVERNMENT PRINTER August 2017
PP No 257, Session 2014–17
President
Legislative Council
Parliament House
Melbourne
Speaker
Legislative Assembly
Parliament House
Melbourne
Dear Presiding Officers
Under the provisions of section 16AB of the Audit Act 1994, I transmit my report Internal Audit Performance.
Yours faithfully
Dave Barry
Deputy Auditor-General
9 August 2017
Acronyms
ANAO | Australian National Audit Office |
CAE | Chief audit executive |
CFO | Chief financial officer |
DEDJTR | Department of Economic Development, Jobs, Transport and Resources |
DELWP | Department of Environment, Land, Water and Planning |
DET | Department of Education and Training |
DHHS | Department of Health and Human Services |
DJR | Department of Justice and Regulation |
DPC | Department of Premier and Cabinet |
DTF | Department of Treasury and Finance |
GAIN | Global Audit Information Network |
IBAC | Independent Broad-based Anti-corruption Commission |
IIA | Institute of Internal Auditors |
IPPF | International Professional Practices Framework |
VAGO | Victorian Auditor-General's Office |
Audit overview
Internal audit is intended to be an independent, objective assurance and consulting activity designed to add value and improve an agency's operations. It can be an important part of the internal control framework and help an agency accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal controls and governance processes.
In Victorian Government departments, the internal audit function provides the head of the department—the Secretary—and the audit committee and senior executives with assurance that key risks to the achievement of a department's objectives are being appropriately addressed.
Although internal audit is part of a department, its reporting structures should be operationally independent from line management. To achieve this, internal audit typically has a dual reporting structure—it reports on its plans and activities to the audit committee, and reports administratively to the Secretary of the department. The chief audit executive (CAE) is the most senior officer responsible for the internal audit function. An internal audit charter defines the roles and responsibilities of internal audit.
We examined the internal audit functions of all seven portfolio departments and assessed how well they use their resources. We evaluated the role and positioning of the internal audit function within departments, its independence and objectivity, the alignment of internal audit plans with departmental goals and risks, quality assurance and resourcing, performance against stakeholder expectations, and the communication of internal audit outcomes and insights.
Past performance audits have questioned the effectiveness of agencies' use of internal audit. Recurring issues relate to the adequacy of internal audit resources—their capacity and capability—and whether the way they are used in the risk and control environments of each agency maximises their value and impact.
Conclusion
Departments use internal audit resources effectively to provide a reasonable level of assurance on the effectiveness of risk management, controls and governance processes.
Internal audit generally performs the core aspects of its role well across all departments. Some departments, particularly the Department of Education and Training (DET) and the Department of Justice and Regulation (DJR), go much further than complying with the minimum legislative requirements and adopt many aspects of better practice.
Internal audit largely meets the current expectations of both departmental management and the respective audit committees. However, it could add greater value by enhancing communication and sharing insights, identifying trends and systemic issues, and providing a more comprehensive view of department-wide assurance activities. This would provide greater assurance on risk management, controls and governance processes.
Findings
Establishing effective internal audit functions
Charters
Charters define the purpose of internal audit and its authority and responsibility. Internal audit charters of all departments comply with mandatory legislative requirements, except that three departments' internal audit functions have not communicated the charter to their departments.
Each department's charter, except for that of the Department of Treasury and Finance (DTF), reflects most of the better practice elements and provides robust foundations for an effective internal audit function.
Chief audit executive
To achieve true organisational independence and align with better practice guidance, internal audit should ideally report functionally to the audit committee and administratively to the Secretary.
All departments have established dual functional and administrative reporting lines for internal audit. Strong working relationships between all CAEs and audit committee chairs are evident. Administrative reporting lines, however, do not reflect better practice, with all CAEs reporting to a management delegate instead of reporting directly to the Secretary of the department.
The current positioning of the CAE in some departments, at three to five levels from the Secretary, diminishes the importance of the internal audit function. In two departments, the CAEs are at manager level and are not involved in executive forums—this is a missed opportunity for these CAEs to engage in strategic discussions, raise risk or control issues, and to be fully informed of operational developments, changes and emerging risks.
Direct reporting lines facilitate access. Only the DTF CAE meets regularly with the Secretary. All departments advised that there is no restriction on CAEs meeting with the Secretary, and meetings do occur when required, although in practice they are infrequent. To address this issue, DET and the Department of Health and Human Services (DHHS) recently established quarterly meetings.
The Department of Environment, Land, Water and Planning (DELWP), the Department of Premier and Cabinet (DPC) and DTF—three departments that outsource the internal audit function—each have an internal staff member responsible for actively monitoring the performance of the provider, although these positions are not formally designated as CAE roles.
The CAEs of five departments have relevant tertiary degrees, professional accounting qualifications and internal audit experience, which is consistent with better practice.
Managing objectivity and potential conflicts of interest
All departments actively manage the objectivity of internal audit and conflicts of interest. They do this through an established process for audit committee review and approval of proposed consulting work by outsourced internal audit providers.
Using transparent processes to manage consulting work enables the audit committee to monitor and manage any financial interest the external provider may have in the department. The presence of a financial interest has the potential to impair internal audit independence and objectivity.
Planning
Strategic alignment
Internal audit adds the greatest value when its activities support the department to achieve its goals. Aligning the audit plan with the department's goals and risks ensures that audit efforts focus on providing assurance that the risks to the achievement of the department's goals are effectively controlled.
All departments conduct extensive engagement to inform the development of the internal audit plan. All internal audit plans clearly demonstrate alignment with departmental objectives and risks, and include assurance maps. Audit committees approve all changes to audit plans and detailed audit scopes.
Assurance mapping visually represents assurance activities against risks. This provides an overview of risks and highlights areas of inadequate or duplicated coverage.
All departments conduct assurance mapping, but only the Department of Economic Development, Jobs, Transport and Resources (DEDJTR), DJR and DPC assurance maps provide a comprehensive view of agency-wide assurance and include assessments of risk appetite and the adequacy of assurance coverage. The other departments have an incomplete view of their assurance coverage, which may affect their audit committees' ability to assess the adequacy of coverage of departmental risks.
Horizons
Each department, except DTF and DEDJTR, has an approved three- to four-year rolling internal audit plan that includes the detailed annual work program required by the Standing Directions of the Minister for Finance 2016 (the Standing Directions). Guidance supporting the Standing Directions indicates the purpose of the three- to four-year rolling plan is to link with the department's business plan period.
DTF had an annual plan and has recently developed the 2017–18 internal audit plan, which includes a three-year strategic internal audit plan.
DEDJTR developed a four-year rolling plan, which was discussed in a workshop with the audit committee. However, the audit committee did not formally approve the rolling plan, as it required changes, and approved only the annual plan. Plans must be approved by the audit committee to demonstrate endorsement of the intended coverage.
Program quality and execution
Delivery against plan
All internal audit functions monitor and regularly report progress against the plan at each audit committee meeting. Five departments delivered their 2015–16 internal audit plans with approved exceptions.
The two departments that did not deliver their audit plan in 2015–16—DET and DEDJTR—were affected by resourcing challenges, departmental restructuring and a high volume of planned audits. Delivery of the DET internal audit plan was affected by unplanned activities, including ad-hoc audits, Integrity Reform Program projects in response to Independent Broad-based Anti-corruption Commission (IBAC) hearings, and an increased number of audit committee meetings due to IBAC commitments. The audit committee approved all changes and deferred audits to be considered in the following year's internal audit planning process.
Reporting results of audits
All internal audit reports include overall ratings and risk-rated findings. This supports departments in prioritising efforts to address areas of greatest risk. We did not observe any significant delays in communicating internal audit findings to the audit committee. Timely conduct and reporting ensures internal audit findings are relevant and have impact.
Audit committee chairs of each department brief the Secretary following each audit committee meeting, or at regular intervals during the year, and discuss any issues relating to internal performance, report findings or the implementation of recommendations.
Internal audit in most departments identifies and reports the root cause of findings in internal audit reports. This enables the department to address the reason the issue occurred rather than just the result. DELWP, DET, DHHS, DJR and DPC identify root causes and categorise them into themed groups for cumulative reporting to the audit committee. This has been recently implemented at DHHS and DELWP. Organisational themes are summarised annually and reported to the audit committee with limited analysis in all departments except DET.
All departments have processes to monitor and report on the status of audit recommendations to the audit committee.
Quality
All departments demonstrate a commitment to quality and continuous improvement, and all audit charters adopt the internationally recognised professional standards issued by the Institute of Internal Auditors (IIA)—the International Standards for the Professional Practice of Internal Auditing (the IIA Standards).
However, only DHHS, DET and DEDJTR—departments with co‑sourced internal audit functions provided by a combination of internal staff and external service providers and managed within the department—met the IIA Standards requirement of conducting an external quality assessment at least every five years. Departments that do not conduct external assessments are not measuring the quality of their internal audit work against professional standards.
Measuring and monitoring performance
Internal audit perspectives
Performance reporting can support a department's investment in internal audit and reflects a commitment to continuous improvement. Measuring and reporting against agreed measures demonstrates internal audit's level of performance to the audit committee.
All departments have developed a range of quantitative and qualitative performance measures to evaluate the efficiency and effectiveness of their internal audit functions. The frequency of measurement, analysis and reporting against performance measures varies between departments.
The most common measures relate to the timeliness of the delivery of the internal audit program and audit engagement customer satisfaction surveys. The results of these measures are also the focus of routine reporting of internal audit performance to audit committee meetings. These performance indicators are useful, but they do not assess the full range of internal audit activities.
The range of measures in place to evaluate internal audit performance should reflect the key activities of the function and be agreed with the audit committee. Comprehensive reporting to the audit committee should occur at least annually.
DEDJTR, DET, DPC, DJR and DTF each provide an annual performance assessment to their audit committees, as required by the Standing Directions. DET and DJR provide their audit committees with comprehensive annual internal audit performance reports that include analysis of results and identify trends in performance and areas for improvement. The DET annual report of internal audit includes achievements, opportunities for improvement, performance trends, self‑assessment against the IIA Standards, and progress against the most recent external quality assessment. DET's report is a good example of better practice.
Departmental perspectives
DET also demonstrates better practice in reporting on the departmental internal control environment. DET's internal audit provides an annual report that summarises themes and trends from its work, management engagement, departmental surveys and feedback from other integrity agencies. The report highlights departmental achievements and areas of concern. It discusses systemic themes, indicates the trend for each area and evaluates the impacts on the audit plan. This enables the audit committee and management to address agency-wide issues that may have broader organisational benefits.
Recommendations
Our recommendations are directed to specific departments. Figure A provides an overview of relevant recommendations, by department.
Figure A
Overview of recommendations, by department
Department | Relevant recommendations |
---|---|
Department of Economic Development, Jobs, Transport and Resources (DEDJTR) | 2, 4, 9, 10 |
Department of Environment, Land, Water and Planning (DELWP) | 2, 3, 4, 5, 6, 8, 9, 10 |
Department of Education and Training (DET) | 2, 8 |
Department of Health and Human Services (DHHS) | 1, 2, 5, 8, 9, 10 |
Department of Justice and Regulation (DJR) | 2, 4, 5, 6, 10 |
Department of Premier and Cabinet (DPC) | 1, 2, 3, 4, 5, 6, 9, 10 |
Department of Treasury and Finance (DTF) | 2, 3, 5, 6, 7, 8, 9, 10 |
Source: VAGO.
We recommend that:
1. DHHS and DPC review the position of the chief audit executive (CAE) and ensure the CAE:
- is positioned at an appropriate level in the department to participate in executive forums and engage in strategic conversations (see Section 2.2)
- reports administratively to the Secretary or a senior executive delegate who is not the chief financial officer and has no actual or perceived conflict, but does have sufficient authority to promote independence and ensure that internal audit communications and recommendations are adequately considered and acted on (see Section 2.2)
2. all departments review existing internal audit performance indicators to ensure they reflect a balanced scorecard approach and agree on a set of indicators, measures and reporting frequency with the audit committee (see Section 3.2)
3. DELWP, DPC and DTF clearly define the role and responsibilities of the CAE in the nominated officer's position description (see Section 2.2)
4. DEDJTR, DELWP, DJR and DPC schedule regular meetings, at least quarterly, between the CAE and the Secretary to provide the opportunity to discuss strategic objectives and emerging risks (see Section 2.2)
5. DELWP, DHHS, DJR, DPC and DTF complete a self-assessment of compliance with the International Standards for the Professional Practice of Internal Auditing (the IIA Standards), consistent with the adoption of the IIA Standards in their internal audit charters, and report the results and action plans to address gaps to the audit committee, and conduct future assessments annually (see Section 2.3)
6. DELWP, DJR, DPC and DTF conduct an external quality assurance review of internal audit, consistent with the adoption of the IIA Standards in their internal audit charters, report the results to the audit committee and conduct future assessments at least every five years (see Section 2.3)
7. DTF develop a three- to four-year rolling strategic internal audit plan, consistent with the requirements of the Standing Directions of the Minister for Finance 2016 (the Standing Directions), and have the plan approved by the audit committee (see Section 2.5)
8. DELWP, DET, DHHS and DTF improve assurance mapping to include all sources of assurance and an assessment of the adequacy of risk coverage to provide the audit committee with a comprehensive view of the level of assurance (see Section 2.5)
9. DEDJTR, DELWP, DHHS, DPC and DTF provide an annual report on internal audit performance to the audit committee detailing internal audit activity, achievements, and opportunities for improvement and performance against agreed measures, as required by the Standing Directions (see Section 3.2)
10. DEDJTR, DELWP, DHHS, DJR, DPC and DTF provide an annual report on internal controls to the audit committee that provides an overall assessment of the internal control environment, to satisfy Standing Directions requirements, and identifies organisational themes and trends (see Section 3.3).
Responses to recommendations
We have consulted with DEDJTR, DELWP, DET, DHHS, DJR, DPC and DTF, and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report to those agencies and asked for their submissions and comments.
The following is a summary of those responses. The full responses are included in Appendix A.
DEDJTR, DET, DELWP, DHHS and DJR accept our recommendations and have developed action plans to address them.
DPC accepts most of our recommendations. DPC will seek advice from its external internal audit service provider regarding the need for self-assessment and external quality assessments against the IIA Standards. In regard to scheduling regular meetings between the CAE and the Secretary, DPC considers that the current reporting arrangements are effective.
DTF accepts most of our recommendations and has developed an action plan to address them. DTF does not support two recommendations relating to the conduct of self-assessment and external quality assessment against the IIA Standards. DTF advised that application of the IIA Standards is supplementary to the mandatory requirements of the Standing Directions and that the Financial Management Act 1994 only permits the mandating of Australian Accounting Standards. DTF does not consider conducting a self-assessment or external assessment against the standards a necessary part of internal audit practice.
1 Audit context
Internal audit is a key pillar of good governance. It provides the audit committee, the Secretary of a department, senior executives and stakeholders with an independent view on whether the department has an appropriate risk and control environment. It also helps promote a strong risk management and compliance culture within a department.
According to the IIA, internal audit helps a department accomplish its objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, internal controls and governance processes.
An internal audit function can be delivered in various ways:
- in-house—provided by internal departmental staff
- co-sourced—provided by a combination of internal staff and an external service provider or providers, and managed within the department
- outsourced—provided by an external service provider contracted to deliver a range of internal audit services.
1.1 Role of internal audit
Internal audit is an important part of a department's internal control framework. It provides an independent and objective assessment of the efficiency and effectiveness of controls, and makes recommendations for their improvement.
Internal audit provides the audit committee and departmental Secretary with assurance that key risks to the achievement of the department's objectives are addressed.
To foster independence, the internal audit function should report on its plans and activities to the audit committee, while being administratively accountable to the Secretary. The internal audit charter provides the framework for the conduct of the internal audit function.
The CAE is the most senior officer responsible for the internal audit function, consistent with the internal audit charter and professional standards.
The assurance environment
Agencies use a range of activities to provide assurance that they are effectively governed.
Figure 1A shows the three lines of defence model, a better practice model of an assurance environment. This approach involves integrating and aligning assurance processes from multiple sources.
Figure 1A
Three lines of defence model
Source: VAGO, based on IIA Australia.
In this model:
- the first line of defence manages the risks and establishes mechanisms to demonstrate that controls are working effectively
- the second line of defence monitors, reviews and tests the effectiveness of first‑line control and management of risks
- the third line of defence independently evaluates and gives an opinion on the adequacy and effectiveness of both first-line and second-line risk management approaches.
1.2 Legislation, standards and better practice
Appendix B outlines legislation, guidance and better practice for internal audit and cross-references information to sections of this report.
Legislation and guidance
Internal audit in Victorian public sector agencies is governed by legislation and supporting guidelines. The Financial Management Act 1994 (the Act) sets the financial management accountability, reporting and financial administration obligations of the Victorian public sector.
The obligations in the Act are supported by the Standing Directions. The Standing Directions specify standards for governance, including oversight and assurance responsibilities for audit committees and internal audit. DTF provides non-mandatory guidance to help departments follow the Standing Directions.
Professional standards and better practice guidelines
Internal auditors should apply professional standards to ensure quality and consistency in their work. The Standing Directions require internal audit to apply relevant professional standards for internal audit activities. The most widely recognised professional standards are contained in the IIA's International Professional Practices Framework (IPPF), which consists of core principles, a code of ethics, the definition of internal audit and the IIA Standards. Standing Directions guidance refers to the IIA Standards for better practice. Internal auditors who are members of the IIA must comply with the IIA Standards and code of ethics.
The IIA issues practice guides on various topics to help internal auditors. The Australian National Audit Office (ANAO) Public Sector Internal Audit Better Practice Guide is a reference document for chief executives, boards, members of audit committees, managers with responsibility for internal audit activities, and internal audit staff.
Figure 1B shows the mandatory, recommended and better practice internal audit standards and guidelines that apply to the Victorian public sector.
Figure 1B
Internal audit standards and guidelines
Source: VAGO.
1.3 Public sector internal audit functions
Standing Directions requirements
Standing Direction 3.2.2 states that public sector agencies must establish and maintain, and may dismiss, the internal audit function. Internal audit may be sourced internally or externally. Agencies must ensure the internal audit function:
- is independent of management
- has suitably experienced and qualified internal auditors
- has access to the Secretary, the audit committee and chief financial officer (CFO), and has sufficient information to enable it to perform its function
- is subject to a protocol to manage conflicts of interest for internal auditors.
The Standing Directions also set out the responsibilities of the internal audit function, which are to:
- prepare and maintain an internal audit charter, for approval by the audit committee, which is clearly understandable and made available to all agency management and staff
- each year, prepare, maintain and implement a strategic internal audit plan based on the governance, risks and controls of the agency, with a rolling period of three or four years
- each year, prepare, maintain and implement an audit work program, based on the governance, risks and controls of the agency, that sets out the key areas of internal audit work for the year
- in its strategic audit plan and audit work program, include audits of business processes or units likely to be vulnerable to fraud, corruption and other losses
- each year, provide to the audit committee an independent and objective assessment of the effectiveness and efficiency of the agency's financial and internal control systems, reporting processes and activities in accordance with its work program
- assist the Secretary to identify deficiencies in financial risk management
- develop and implement systems to ensure the internal audit function operates effectively and efficiently and is appropriate for the agency's needs
- apply relevant professional standards relating to internal audit
- report to the audit committee on the effectiveness of the internal audit function.
Department service-delivery models
All departments have established an internal audit function, as required by the Standing Directions. The seven Victorian departments vary in size, operations and complexity and use different internal audit delivery models. Three are co-sourced—DEDJTR, DET and DHHS—and the remainder are outsourced.
Audit committees
Under the Standing Directions, agencies must establish an audit committee. Audit committees play a key accountability role in the governance framework of Victorian public sector agencies. While the department retains ultimate accountability for operations, the audit committee enhances governance practices by independently reviewing and assessing the effectiveness of key aspects of an agency's operations, including:
- risk management
- financial statements
- internal controls
- compliance requirements
- internal audit
- implementation of management actions in response to internal and external audit recommendations.
The audit committee's responsibilities for internal audit are to:
- review and approve the internal audit charter, the strategic internal audit plan and the annual audit work program
- review the effectiveness and efficiency of the internal audit function
- advise the agency on the appointment and performance of internal auditors
- meet privately with internal auditors if necessary.
Our 2016 report Audit Committee Governance provides further information on the role and performance of audit committees.
1.4 Why this audit is important
Internal audit is a cornerstone of good governance and can play an important role in an agency's financial and non-financial management and accountability, and in continuous improvement. In the public sector, internal audit is a critical element in the assurance environment and is a valuable tool for managing risk more effectively.
IBAC's examination of specific activities at DET—Operation Ord—highlighted the importance of the role of internal audit in providing risk assurance. An internal audit report had alerted the department to the high risk of fraud associated with the coordinator school program.
We conducted our audit in accordance with section 15 of the Audit Act 1994 and the Australian Auditing and Assurance Standards. The cost of this audit was $560 000.
1.5 What this audit examined and how
Our objective was to establish how well departments are using their internal audit resources and to assess whether:
- internal audit is sufficiently independent and objective to provide effective assurance
- the internal audit plans are aligned with the departments' organisational goals and risks
- internal audit is delivering high-quality services
- internal audit is performing to stakeholder expectations and adding value.
We looked at all Victorian portfolio departments—DEDJTR, DELWP, DET, DHHS, DJR, DPC and DTF.
We examined the systems and processes that departments use to plan, conduct and evaluate internal audit activities.
We looked at a sample of internal audit working paper files to assess their completeness and whether they provide enough evidence of the planning, execution and reporting of internal audit activities and appropriate quality controls.
We also analysed quantitative data on key internal audit operational metrics. The key metrics on internal audit staffing we looked at included staff and cost ratios, strategies for sourcing staff, and their competencies, capabilities, and skills coverage. We also looked at departments' acceptance of internal audit recommendations and the timeliness of implementing them. We used better practice guidance and benchmarking data from both the public and private sectors to inform our assessments.
1.6 Report structure
The remainder of this report is structured as follows:
- Part 2 examines the role, position and influence of the CAE, assesses the resourcing and quality of internal audit services in the seven portfolio departments in the Victorian public sector, evaluates internal audit charters, and assesses the alignment of internal audit plans with departmental objectives and risks
- Part 3 examines how internal audit measures performance and communicates insights.
2 Establishing effective internal audit functions
For the internal audit function to be effective, it must be able to carry out its responsibilities independently and objectively, without interference. Operational independence ensures that internal audit operates free from conflicts of interest, bias and management influence.
In this part of the report, we discuss the role, position and influence of the CAE, and the resourcing and quality assurance of the internal audit function in the seven portfolio departments in the Victorian public sector. We also evaluate internal audit charters and the alignment of internal audit plans with the departments' objectives and risks.
2.1 Conclusion
The internal audit functions in the seven portfolio departments are sufficiently independent from management to perform effectively. The departments have established organisational independence for internal audit by establishing dual reporting lines, with functional reporting to the audit committee and administrative reporting to a management representative.
The positioning of the CAE within some departments is three to five levels from the Secretary, which serves to diminish the importance of the internal audit function and the key role of the CAE. It also limits the CAE's ability to fully engage with the executive, have appropriate influence, raise risk or control issues, and be fully informed of operational developments, changes and emerging risks.
All internal audit plans are risk based and align with departmental objectives. Internal audit plans should include assurance maps that show the extent of coverage of departmental risks by all assurance providers. Some departments need to improve their assurance maps so they provide a complete view of the coverage of organisational risks and enable the audit committee to assess how well departmental risks are covered.
Overall, internal audit uses its resources effectively, but could provide further value by focusing on better practice, continuous improvement and compliance with professional standards. This would enable departments to demonstrate a commitment to quality assurance and continuous improvement. It would also improve internal audit communication and increase the confidence of the audit committee and management in the standard of assurance that the internal audit function provides.
2.2 Chief audit executive
The CAE is the most senior officer responsible for the internal audit function, consistent with the internal audit charter and professional standards. The CAE should have a strong understanding of internal audit to be able to effectively manage the function.
All departments should have a CAE, even if the internal audit function is outsourced. Although CAEs of departments with outsourced internal audit functions partly perform a contract management role, they still have key responsibilities as the CAE. These include ensuring internal audit's performance is consistent with its charter requirements, and that it applies professional standards, effectively uses resources to deliver the internal audit plan, adds value and contributes to improving the department's performance.
Managing and overseeing internal audit includes assessing the service provider's competence, independence, objectivity and performance. CAEs who manage the contract of an external provider need a strong understanding of internal audit principles and techniques to perform this role effectively.
Role and qualifications of the CAE
Four departments clearly define the role and responsibilities of the CAE in the position description for the role—DEDJTR, DET, DHHS and DJR.
Three of the departments with outsourced audit functions—DELWP, DPC and DTF—have an officer responsible for internal audit who monitors the performance of the provider, although they do not formally nominate these roles as the CAE in their position descriptions or clearly articulate their responsibilities.
Qualifications of the CAE and internal audit team
There are no mandated qualifications for internal auditors. Guidance that supports the Standing Directions recommends that CAEs have relevant tertiary qualifications and suggests that professional designation, such as membership of the IIA, is helpful to support professional knowledge and continuing education. 'Relevant tertiary qualification' is not defined. Traditionally a relevant qualification for internal audit was an accounting background, although this has broadened to include other disciplines such as information technology, law and engineering.
The IIA Standards require the CAE and others reporting to the CAE to have appropriate professional certifications and qualifications. In Global Public Sector Insight: Policy Setting for Public Sector Auditing in the Absence of Government Legislation, the IIA recommends that the minimum qualifications for the CAE should include a combination of years of auditing, leadership experience, audit-specific certifications and relevant tertiary qualifications. Internal audit-specific qualifications are globally recognised professional certifications issued by the IIA and include professional membership of the IIA. The most common certification is Certified Internal Auditor.
CAEs of all departments meet leadership requirements and have tertiary qualifications, although only some have membership or certifications of professional accounting or internal audit bodies or have internal audit-specific qualifications.
All co-sourced internal audit departments have personnel with a suitable mix of qualifications and experience to provide high-quality internal services. All DHHS internal audit staff are professional members of the IIA or Information Systems Audit and Control Association—the global association for information systems professionals. All DEDJTR and DET internal audit staff have tertiary qualifications, and most have professional accounting qualifications and are associate or professional members of the IIA. All senior staff members of external providers have tertiary qualifications, professional accounting qualifications, or internal audit qualifications and experience.
Position and influence in the organisation
All CAEs report functionally to the audit committee and none has a direct administrative reporting line to the Secretary.
All CAEs have strong working relationships with audit committee chairs and meet with them regularly. Internal auditors at DET, DHHS, DPC and DTF meet with the audit committee chairs before each audit committee meeting to discuss internal audit matters.
All audit committees should meet with the internal auditors, in the absence of management, at least once every 12 months. The absence of management ensures frank discussions without management influence. A meeting between the audit committee and internal auditors, without management present, is formally scheduled on the annual audit committee work plan of all departments except DELWP and DJR. DJR has addressed this in its 2017–18 audit committee work program, which was approved on 30 June 2017.
In practice, these meetings have occurred in all departments in the past 12 months, except at DELWP and DHHS. In these two departments, internal audit or the audit committee can request a meeting if they deem it necessary, but neither party did so in the past year.
All CAEs report administratively to a senior management representative. Better practice recommends that this senior executive should have no actual or perceived conflict. The senior executive should also have sufficient authority to promote independence and to ensure broad audit coverage and adequate consideration and action on internal audit communications and recommendations.
The role of the CAE is positioned at various levels in the seven departments. Figure 2A shows the administrative reporting line of the CAE position in each department.
Figure 2A
Organisational position of the CAE
Note: Restructuring within DHHS, effective July 2017, added a Deputy Secretary to the reporting line.
Source: VAGO.
The CAEs at DHHS and DPC are not involved in executive forums, which is a missed opportunity for them to engage in strategic discussions and increase their awareness and understanding of departmental issues, risks and objectives. The CAE role at DHHS is relatively junior, given the complexity and breadth of the internal audit activity and operations. The CAE at DPC is at manager level and reports to the CFO, which creates an actual or potential conflict of interest as the CFO is responsible for many areas of the department that are subject to audit.
Deputy Secretaries in the administrative reporting line of internal audit are members of the audit committee in four departments (DET, DHHS, DJR and DTF). This creates a risk that internal audit independence could be compromised. DPC is the only department with a fully independent audit committee. The Standing Directions require audit committees to have a majority of independent members and an independent chair, but allow management membership, except for the Secretary and CFO. DJR's audit committee charter states that internal members of the audit committee cannot vote on issues related to their functional area of responsibility due to a conflict of interest.
We interviewed all CAEs and audit committee chairs, and did not identify any specific issues that would suggest interference with the independence of internal audit due to management presence on the audit committee. Audit committee chairs generally see the presence of management staff as a great benefit, due to the knowledge of the business they bring to discussions. This could also be achieved by audit committees issuing a standing invitation to relevant management representatives to attend audit committee meetings.
Access to the audit committee, Secretary, personnel and records
To be effective, internal audit must engage in executive forums and be aware of strategic issues and emerging risks. Where reporting lines or operational arrangements do not require internal audit to be regularly involved in executive-level discussions, there is a greater need for internal audit to have direct access to the Secretary. Without regular access, it may be difficult for the CAE and the Secretary to establish a strong relationship, and the CAE will have limited opportunities to share organisational insights, communicate concerns, and increase awareness of strategic issues and emerging risks.
Only the DTF CAE advised that regular independent meetings are scheduled with the Secretary. We interviewed the CAEs of each department and a selection of internal audit stakeholders, including the audit committee chairs, some Secretaries, Deputy Secretaries and executive directors, about the effectiveness of the positioning and degree of access of the CAE to the Secretary. All departments' internal audit charters, with the exception of DTF, state that the CAE has direct access to the Secretary. DTF advised that there is no restriction on the CAE meeting with the Secretary and meetings occur when required. DET and DHHS have recently scheduled quarterly meetings between the CAE and the Secretary to address this issue. This is a positive initiative.
In all departments, the audit committee chair meets with the Secretary following each audit committee meeting or at regular intervals during the year. The CAE at DHHS attends the beginning of the audit committee chair's post-committee meeting with the Secretary.
All internal audit staff members have access to records, systems and other personnel to enable them to fulfil their responsibilities. We interviewed in-house and outsourced internal audit teams to confirm that they had free and unrestricted access to records, systems and personnel.
Managing objectivity and potential conflicts of interest
Objectivity allows internal audit to evaluate issues based on evidence without personal influence. Objectivity may be impaired if an auditor has had operational responsibility for areas subject to audit or has personal or financial relationships with individuals under review.
All departments actively manage internal audit objectivity and conflicts of interest. DET has established an annual declaration process for members of the internal audit team to declare their independence, conflicts of interest, objectivity, and compliance with the code of ethics and training obligations.
Operational responsibilities
None of the in-house internal audit staff has a current operational role or has had one in the past. However, the CAE at DEDJTR—which has a co-sourced internal audit function—has operational responsibility for risk management and integrity. DEDJTR revised its charter in June 2017 to include particular protocols for audits of risk and integrity to minimise potential impairment to objectivity.
In all departments with fully outsourced functions, processes are in place to ensure internal audit does not involve departmental staff with operational responsibilities for the area audited.
Consulting work by internal audit providers
Internal audit activity includes assurance and consulting services. Internal audit consulting activity involves providing advice or review of systems and processes, and does not include policy or program implementation or design.
Internal audit service providers may deliver other professional services to the department, including design and development of systems and processes, and tax or strategic advice. This may create a financial interest, which has the potential to impair objectivity and affect internal audit service providers' ability to conduct internal audit work in areas where they have provided other consulting services.
All departments have processes to review and approve proposed consulting work of outsourced internal audit providers to identify and manage any potential conflicts of interest. Audit committee chairs are also involved in this process. However, the formality and timing of this process varies across departments. In some cases, this process occurs before a consultant bids for work, whereas in other departments it is discussed with the audit committee chair only when a bid has been successful. In DPC, the approval of consulting work is not formally documented.
Audit committees closely monitor the level of consulting work allocated to outsourced internal audit providers. Payments to outsourced providers for consulting services exceeded internal audit fees in DEDJTR, DELWP, DHHS, DJR and DPC in 2015–16, and this poses a challenge for managing perceived conflicts of interest and financial independence.
Our consultation with all audit committee chairs indicates that this issue is being actively managed. DEDJTR advised us that the high level of consulting fees is a legacy of machinery-of-government changes that took effect in January 2015. One of the two departments that combined to form DEDJTR had used the other department's internal audit provider for consulting services. Existing internal audit contracts remained in place until the new internal audit contract for DEDJTR commenced on 1 July 2016.
Figure 2B shows consulting services fees paid to internal audit service providers as a percentage of total internal audit fees for the years 2015–16 and 2016–17 (until February 2017).
Figure 2B
Consulting services as a percentage of internal audit fees
Note: DELWP expenditure includes a multi-year contract for consulting services that was signed before the internal audit services contract.
Source: VAGO, based on departmental data.
DELWP, DHHS and DJR have increased the transparency and reporting of consulting activity by including a summary of consulting work performed in the internal audit status report to the audit committee. DJR includes a list of the external provider's consulting work as part of the internal audit planning processes.
Management of potential conflicts of interest
Departments manage potential conflicts by having non-exclusive contractual arrangements with their internal audit provider. This allows them to engage other auditors if the external provider has previously been engaged in consulting work related to the particular audit area.
DELWP can access providers from an assurance panel, and the other departments can use the whole‑of‑government consulting panel. DELWP has redirected work to other assurance providers to manage possible conflicts in the current year. The DJR audit committee has expressed concern about the volume of consulting work its provider performs, and has requested a review of audits to consider a future transfer to another provider.
DET has a conflict of interest procedure to manage real or perceived conflicts of interest for in-house internal audit staff. DET in-house staff members each provide an annual audit declaration, which includes a conflict of interest declaration. The CAE assesses these declarations and takes any necessary action.
DEDJTR and DHHS have no conflict of interest procedures to manage conflicts of in‑house internal audit staff.
Figure 2C shows the results of our assessment of each department's overall performance for the role of the CAE.
Figure 2C
CAE role and managing conflicts of interest
Aspect | DEDJTR | DELWP | DET | DHHS | DJR | DPC | DTF |
---|---|---|---|---|---|---|---|
CAE role and managing conflicts of interest | ◕ | ◕ | ◕ | ◑ | ◕ | ◔ | ◕ |
Legend | |
● | Meets mandatory requirements and demonstrates most aspects of better practice |
◕ | Meets mandatory requirements and demonstrates some aspects of better practice |
◑ | Meets mandatory requirements and demonstrates few aspects of better practice |
◔ | Meets mandatory requirements |
○ | Does not meet mandatory requirements |
2.3 Internal audit resourcing and quality assurance
Resourcing
Internal audit costs
Internal audit cost as a percentage of the total operating expenditure is one measure of the adequacy of internal audit resourcing. The average internal audit cost as a percentage of the total controlled operating expenditure for the seven Victorian departments was 0.024 per cent in 2015–16.
We looked at internal audit cost and total operating expenditure for 2015–16 for all departments. The internal audit cost includes outsourced providers' fees and in-house costs for audit work, contract management and follow-up of audit recommendations, and excludes audit committee secretariat work that internal auditors performed.
The optimal value for internal audit cost as a percentage of total operating expenditure varies depending on the size and nature of an agency.
The Queensland Audit Office's Results of Audits: Internal Control Systems 2013–14 reported the average internal audit budget for the Queensland Government as a percentage of total operating expenditure for 2012–13 as 0.128 per cent. The New South Wales Department of Premier and Cabinet's Internal Audit Capacity in the NSW Public Sector noted the average New South Wales Government internal audit budget for 2007–08 was 0.1 per cent. New South Wales and Queensland have a large number of small departments. Most Victorian departments are large and have achieved economies of scale that are not available for the smaller departments in New South Wales and Queensland, so their figures are not directly comparable with the lower Victorian average.
The diverse nature of business and the complexity of department operations affect the level of resources required to provide adequate assurance over risks, and this may not be reflected in the operating expenditure of the department. Internal audit cost as a percentage of the total operating expenditure is just one of a number of indicators that can be used to assess the adequacy of departments' internal audit budgets.
Benchmarking
We developed a model to benchmark the adequacy of internal audit resourcing based on the premise that departments with higher total expenditure should have a lower benchmark to account for the economies of scale available to larger agencies. Regardless of the size of the agency, establishment costs for the internal audit function include the costs of developing and reviewing an internal audit charter, preparing the internal audit plan, reporting to the audit committee and tracking audit recommendations. Smaller agencies have to meet these costs without the benefits of reductions through economies of scale.
We developed the benchmark based on the most recent available Australian public sector data. In 2013–14, the Queensland Audit Office benchmarked departments' internal audit costs based on the results of the Global Audit Information Network (GAIN) benchmarking performed on Queensland Government departments. GAIN benchmarking is a tool the IIA uses to compare internal audit departments on different metrics such as departmental costs and staffing, organisational statistics and performance measures. Queensland benchmarking results are included in the report Results of Audits: Internal Control Systems 2013–14.
Our benchmark starts at 0.74 per cent for small departments and reduces to 0.02 per cent for larger departments, with a slowing rate of decrease as the total expenditure increases.
Figure 2D shows the internal audit costs as a percentage of the benchmark for the year 2015–16. Five departments lie within the range of 50–150 per cent of the benchmark. DJR and DPC are below 50 per cent of the benchmark. DJR's current internal audit services contract is in its fifth year and has recently been re-tendered. Current costs may not reflect the future cost of internal audit services.
Figure 2D
Internal audit cost as a percentage of the benchmark, 2015–16
Source: VAGO, based on departmental data.
Trends in internal audit costs
Internal audit expenditure has been relatively consistent in 2014–15 and 2015–16 and compared with the current year's budget. We considered actual costs incurred for 2014–15 and 2015–16, and we used the budgeted cost for 2016–17 because the full‑year actual expense data was not available at the time of the audit.
Some departments have provided extra funding to internal audit to address new and emerging risks, and to conduct additional unplanned audits. DPC had extra funding approved for audits relating to family violence when the government allocated significant new funding to this area in 2016–17. DET's internal audit costs include coverage of Victorian government schools and statutory authorities and the work undertaken to support the IBAC public hearings and subsequent Integrity Reform Program activities within the department.
Figure 2E shows the change in internal audit costs for the years 2014–15 to 2015–16 and from 2015–16 to 2016–17. The overall change from 2014–15 to 2015–16 is a decrease of 9 per cent, and for 2015–16 to 2016–17 it is an increase of 20 per cent.
Figure 2E
Trends in internal audit costs
Note: DJR budgeted cost for 2016–17 includes some budget funding carried forward from 2015–16. The cost for internal audit at DEDJTR in 2014–15 was not available due to machinery-of-government changes effective 1 January 2015. Internal audit costs for DEDJTR before this have been difficult to determine, due to the nature of the restructure and available financial data.
Source: VAGO, based on departmental data.
Quality assurance and continuous improvement
Adoption of the IIA Standards
Internal auditors should apply professional standards to ensure quality and consistency in their work. The Standing Directions state the 'internal audit function must apply relevant professional standards relating to internal audit'.
All departments' internal audit charters, except DELWP and DHHS, state that they follow the IIA Standards, which are the only applicable standards relevant to internal audit in Australia. The DELWP and DHHS charters state that they will apply relevant professional standards, and the CAEs of these departments confirmed this means the IIA Standards.
All departments, including those with outsourced internal audit functions, should be following the IIA Standards.
Internal and external quality assessments
All departments demonstrate a commitment to quality assurance and continuous improvement. While all departments practise elements of quality assurance, only DET has a documented quality assurance and improvement program in place.
All departments demonstrate aspects of ongoing internal assessment of internal audit. Only departments with co-sourced internal audit functions—DEDJTR, DET and DHHS—have conducted an external quality assessment within the past five years and reported the results to the audit committee.
Departments with outsourced internal audit functions have not conducted an external quality assessment. An external quality assessment can help build stakeholder confidence in the internal audit function as it demonstrates a commitment to quality assurance, continuous improvement and a professional approach to internal audit.
An external assessment provides an independent objective evaluation of the internal audit function's compliance with the IIA mandatory requirements (the IIA Standards and code of ethics), the legislation and the internal audit charter. It also includes expectations of management and the audit committee, a review of audit techniques and staff capability, and an assessment of internal audit's ability to add value and improve operations.
An audit opinion of 'generally conforms' means that the internal audit function's activities are conducted in accordance with the IIA Standards. An external quality assessment must be performed at least once every five years for all internal audit functions, regardless of the type of service delivery. An external self-assessment can take the form of a full external assessment or a self-assessment with external independent validation. Appendix F includes the template for self-assessment against the IIA Standards.
DET demonstrates better practice in quality assurance and continuous improvement. DET is the only department to conduct an annual self-assessment against the IIA Standards and provide an annual report to the audit committee on internal audit achievements and performance. Its internal audit has an extensive quality assurance program.
DEDJTR began its current internal audit service delivery model in July 2016, and has planned internal audit quality assurance activities for the end of the 2016–17 financial year. DEDJTR will not conduct a self-assessment this year, as an external assessment is underway.
Figure 2F shows the elements of quality assurance in place in the seven departments.
Figure 2F
Quality assurance assessments
Key performance indicator | DEDJTR | DELWP | DET | DHHS | DJR | DPC | DTF |
---|---|---|---|---|---|---|---|
Internal quality assessment—ongoing | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
 | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ | ✘ |
 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Internal quality assessment—periodic | ✘ | ✘ | ✔ | ✘ | ✔ | ✔ | ✘ |
 | ✘ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ |
 | ✘ | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ |
 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
 | ✘ | ✘ | ✘ | ✘ | ✔ | ✔ | ✘ |
 | ✘ | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ |
 | ✘ | ✘ | ✔ | ✘ | ✘ | ✘ | ✘ |
 | ✔ | ✘ | ✔ | ✔ | ✘ | ✘ | ✘ |
(a) Although formal performance evaluations are not in place for each engagement, all departments provide feedback to auditors on performance as part of the draft report finalisation process and through contract management meetings.
(b) The DEDJTR internal audit charter was first approved in September 2015. The audit committee revised and approved it in June 2017.
(c) DEDJTR will not conduct a self-assessment this year, as an external assessment is underway.
(d) DEDJTR intends to issue the 2016–17 survey shortly and report the results to its October 2017 audit committee meeting.
(e) DEDJTR's internal audit charter was updated in June 2017 to include the requirement for in-house staff and external providers to complete conflict of interest declarations. In-house staff declarations were scheduled to be completed in July 2017. Scope documents for outsourced audits now incorporate a conflict of interest statement.
(f) In the past 12 months, DEDJTR has been subject to three external evaluations that included a review of working papers. DEDJTR has advised that in future it will undertake reviews of internal audit files either as part of ongoing quality assessment or annually as part of the performance assessment of the service provider.
Source: VAGO, based on departmental data and IIA Standard 1311-1 and Implementation Guide Standard 1312 External Assessments.
Figure 2G shows the results of our assessment of departmental performance for internal audit resourcing and quality.
Figure 2G
Internal audit resourcing and quality in portfolio departments
Aspect | DEDJTR | DELWP | DET | DHHS | DJR | DPC | DTF |
---|---|---|---|---|---|---|---|
Internal audit resourcing and quality | ◕ | ◕ | ◕ | ◑ | ◕ | ◔ | ◕ |
Legend | |
● | Meets mandatory requirements and demonstrates most aspects of better practice |
◕ | Meets mandatory requirements and demonstrates some aspects of better practice |
◑ | Meets mandatory requirements and demonstrates few aspects of better practice |
◔ | Meets mandatory requirements |
○ | Does not meet mandatory requirements |
2.4 Internal audit governance
Internal audit charter
The internal audit charter defines the purpose, roles, responsibilities, authority and accountability of the internal audit function.
Standing Directions compliance
All departments except DTF fulfil the mandatory requirements of the Standing Directions by having an internal audit charter approved by the audit committee.
DTF's charter was undated and had been reviewed by the audit committee chair, although there was no evidence that the charter had been submitted to the audit committee for approval in the past three years. DTF's audit committee reviewed and approved the internal audit charter in April 2017.
At the time of our audit, the internal audit charters of three departments did not include the following elements of Standing Directions guidance:
- annual review of the charter by the audit committee (DEDJTR and DPC)
- review of the independence and objectivity of the internal audit function (DEDJTR)
- details of outsourcing and co-sourcing arrangements (DTF).
The DEDJTR audit committee approved a revised internal audit charter in June 2017, which includes requirements for annual review of the charter and addresses internal audit independence and objectivity.
DPC reviews its charter annually, even though annual revision is not specified in the charter.
Better practice
Six of the seven departments' charters include the majority (between 10 and 15) of the 17 better practice elements we assessed. Of the seven departments, the DHHS charter is the best aligned with better practice guidance.
DTF's charter includes six better practice elements. DTF has not reviewed its charter on an annual basis as required by its charter. Our detailed assessment of the departments' internal audit charters is included in Appendix C.
Communicating the role of internal audit
The DET, DHHS, DJR and DPC charters are available on their intranet sites. DELWP has a brief summary on its intranet about the role of internal audit and a guide to engaging with internal audit. DEDJTR, DELWP and DTF have not adequately communicated with their management and staff about the role of internal audit and the charter, as required by the Standing Directions. DTF has recently added a link on its intranet to address this. DEDJTR removed its internal audit charter from the department's intranet in late 2016 while it was being updated. The update will include information on the role of internal audit and a copy of the internal audit charter.
Better practice internal audit functions communicate information about the assurance role to all stakeholders and provide details in the governance section of an agency's annual report.
Departmental annual reports provide limited information about the role of internal audit within departments. The annual reports of four of the seven departments—DELWP, DET, DJR and DPC—provide no information about the role of internal audit, its composition, work program or resourcing. The annual reports of the remaining three departments—DHHS, DJR and DPC—contain limited information.
Figure 2H shows the results of our assessment of department performance for internal audit governance.
Figure 2H
Internal audit governance in the portfolio departments
Aspect | DEDJTR | DELWP | DET | DHHS | DJR | DPC | DTF |
---|---|---|---|---|---|---|---|
Internal audit governance | ◕ | ◑ | ◕ | ● | ◕ | ◕ | ◑ |
Legend |
● | Meets mandatory requirements and demonstrates most aspects of better practice |
◕ | Meets mandatory requirements and demonstrates some aspects of better practice |
◑ | Meets mandatory requirements and demonstrates few aspects of better practice |
◔ | Meets mandatory requirements |
○ | Does not meet mandatory requirements |
Source: VAGO.
2.5 Internal audit planning
The purpose of internal audit planning is to direct audit resources to areas of greatest risk. Internal audit does this effectively when its activities are fully aligned with the agency's objectives and identified risks.
Internal audit in all departments engages extensively within the department and with the audit committee to inform the development of the annual internal audit plan.
Compliance with the Standing Directions
Five departments have an approved three- to four-year rolling internal audit plan that includes an annual work program, as required by the Standing Directions.
DTF has an annual plan but has not developed a three- to four-year rolling internal audit plan. DTF stated that the current plan contains the elements of a multi-year plan as it identifies recurring audits and operations not recently audited. All other departments consider these elements and include a detailed forward plan, listing audits to be conducted over the next three to four years.
In July 2017, DTF provided us with its draft 2017–18 internal audit plan, which includes a three-year strategic plan for 2017–2020, consistent with the Standing Directions. DTF expects its audit committee will approve the plan in August 2017.
DEDJTR has developed a four-year rolling plan, but only the annual plan has been approved by its audit committee. The audit committee discussed the four-year internal audit plan in its annual planning workshop in July 2016 but did not formally approve it.
Developing the internal audit plan
Consultation and engagement
Internal audit engages extensively in each department to inform the development of the internal audit plan. This involves meetings with the Secretary and Deputy Secretary, risk management and key business areas. Internal audit socialises and tests draft internal audit plans with the department's executive and audit committee.
We interviewed several department Secretaries and all audit committee chairs to seek their views about the extent of planning engagement, and all of them were satisfied with the level of engagement. DHHS uses sector specialists and advisers from the external provider to test the rigour of its internal audit plan.
Alignment with risk and business objectives
All departments demonstrated effective internal audit planning practices. Internal audit invests significant effort in developing the internal audit plan. All internal audit plans we reviewed clearly demonstrated alignment with departmental objectives and risks, and the relevant audit assurance requirements (compliance, financial or operational), and listed resources and time lines.
The internal audit budget does not limit development of the plan but is considered when determining priorities. Our discussions with the Secretaries of DET and DHHS and all audit committee chairs indicate they are comfortable that internal audit plans address business objectives and key risks, and this is consistent with our assessment.
Types of audits
The internal audit plans of each department consider compliance requirements, the work of the external auditors, and strategic goals and risks. Departments focus on operational audits that link to strategic risks and business objectives to provide value. This is consistent with the role of internal audit.
We analysed internal audit plans for 2015–16 and classified audits by key audit types—operational audits, compliance audits and financial audits. The blend of work included in the plans is risk based, and audits are directed towards key organisational outcomes.
All plans incorporate legislative requirements from the Standing Directions and rotational audits of key financial activities. The plans also link operational audits to departmental strategy and risk.
Figure 2I shows the mix of audit types for all departments.
Figure 2I
Key audit types in the annual internal audit plans across departments
Source: VAGO, based on departmental data.
Figure 2J shows the mix of audit types for each department.
Figure 2J
Key audit types in departments' annual internal audit plans
Note: DET's 'follow-up audits' are compliance and operational audits with a component of follow up. These are explicitly identified in the 'follow-up audits' section of the internal audit plan to enable acquittal of DET's Integrity Reform Program actions.
Source: VAGO, based on departmental data.
Approval and changes to the internal audit plan
The DHHS and DEDJTR internal audit plans were not approved by their audit committees until two months after the beginning of the plan year.
DHHS delayed the internal audit planning process to finalise its contract with a new external service provider and to involve it in the planning process. DHHS advised that the Secretary gave verbal approval to begin audits before the plan was formally approved.
At DEDJTR, only approved 2015–16 audits that were rolled forward into the 2016–17 internal audit program began before the 2016–17 program was formally approved. The delay in approval did not affect the delivery of DEDJTR's internal audit program.
The audit committees in all departments approve changes to the internal audit plan. Internal audit reviews its plan annually and also completes the planning cycle annually, based on the forward schedule of the previous year's plan. Internal audit considers management requests for additional audit activity in consultation with the audit committee, and also presents audit scopes and reports for all additional unplanned audits to the audit committee.
Mapping assurance coverage
Internal audit is one of a number of activities that provide assurance on how well each department is managing risks. Other sources of assurance include management, risk and quality assessments, and external audits and reviews by integrity agencies and independent contractors. It is important that the work of internal audit complements the work of other providers rather than duplicating it. Better practice internal audit departments use assurance maps to provide an agency-wide view of assurance coverage of strategic risks.
An assurance map can help an audit committee to be well-informed about the department's governance, risk and control environments. It is also a valuable tool for developing the internal audit plan. Using a collaborative approach to mapping assurance coverage helps to identify gaps and duplication of effort. It enables internal audit to direct resources to areas of greatest value to the department, and to minimise the cost of assurance activities.
All departments' internal audit plans include assurance maps. The maps of four departments—DET, DELWP, DHHS and DTF—include internal audit and external audit activity but do not provide a complete view of assurance across the department.
DEDJTR, DJR and DPC demonstrate better practice in assurance mapping. DJR conducted an extensive assurance mapping exercise across the whole department in 2014 and 2016 as part of its risk attestation process. This work forms the basis of DJR's internal audit planning, although the internal audit plan contains more detail. DPC's assurance map provides an indication of the risk appetite against each strategic risk and an assessment of the adequacy of the coverage provided. DEDJTR's assurance map includes management committees, and internal audit and external audit coverage, and assesses the adequacy of the coverage provided.
Appendix D contains an example of an assurance map.
External audit reliance on the work of internal audit
The type and mix of internal audit activity depends on the department's desired approach to providing assurance over departmental risks. The objectives of internal audit and external audits generally differ, as do the evidentiary requirements.
As part of annual audit planning, our financial auditors evaluate each department's inherent risk and internal control environment. Our performance auditors look at internal audit plans in the development of the VAGO annual plan. As an independent assurance function, internal audit is considered an important element of departments' internal control environments, which are subject to annual review.
Our financial auditors also review each department's internal audit plan to identify audits with a financial focus that could be relied on for the purposes of forming an opinion on the financial statements. Our financial auditors reflect this in their financial audit strategy for each department, which is presented to the audit committee.
Our departmental financial audit strategies for 2017 indicate some reliance on the work of internal audit in the departments we reviewed. Factors that can affect the extent of external financial audit reliance on the work of internal audit include:
- the quality and independence of the internal audit work performed
- the relevance of the completed internal audits to the formation of an opinion on the annual financial statements
- the extent of the internal audits with a financial focus
- the adequacy of the internal audit sample methodology or sample size for external audit purposes
- whether internal audit working papers meet the evidentiary requirements of external audit
- whether internal audit time frames coincide with the financial year, as the timing of audits may not meet external audit time lines.
If the internal audit testing period is for only part of the financial year, it may be more cost-effective or efficient for external financial audit to re-test the full period rather than re-perform internal audit work for part of the year and separately test the balance.
All internal audit charters, with the exception of DEDJTR's and DET's charters, refer to internal audit engaging with external audit. Although some engagement occurs across all departments, an opportunity exists to enhance engagement between internal and external audit to minimise factors that can affect external audit's ability to rely on the work of the internal audit function.
Figure 2K shows the results of our assessment of departmental performance for internal audit planning.
Figure 2K
Internal audit planning in the portfolio departments
Aspect | DEDJTR | DELWP | DET | DHHS | DJR | DPC | DTF |
---|---|---|---|---|---|---|---|
Internal audit planning | ◕ | ● | ● | ◕ | ● | ● | ◔ |
Legend |
● | Meets mandatory requirements and demonstrates most aspects of better practice |
◕ | Meets mandatory requirements and demonstrates some aspects of better practice |
◑ | Meets mandatory requirements and demonstrates few aspects of better practice |
◔ | Meets mandatory requirements |
○ | Does not meet mandatory requirements |
Source: VAGO.
3 Measuring performance and communicating insights
Internal audit should demonstrate its performance and value as part of the department's governance framework. It can do this by delivering on its objectives, communicating meaningful insights, reporting on implementation of audit recommendations, and showing commitment to quality and continuous improvement by establishing, measuring and reporting against performance measures. This builds credibility and trust with the audit committee and management.
This part of the report looks at how effectively the seven portfolio departments' internal audit functions perform against key success areas, and how they measure and report on their performance, communicate insights, and monitor and report on outstanding audit recommendations.
3.1 Conclusion
In most departments, internal audit delivers against its annual plan and receives good client feedback on its performance and value. Some departments also apply professional standards and their performance has been subject to external review.
While stakeholders recognised the value of internal audit, internal audit could provide greater value, particularly through better communication of departmental insights. The existing communication of internal audit findings does not identify department-wide trends and themes or, with the exception of internal audit reporting at DET, provide an overall opinion on the internal control environment to highlight areas for improvement.
In most departments, measures used to assess the performance of internal audit do not reflect a balanced scorecard approach. This better practice approach measures performance against key performance categories including financial performance, client services, internal processes, and professional development and innovation.
Monitoring and reporting of performance need to be more comprehensive to ensure that the expectations of internal audit and its benefits to the department are clear. Without comprehensive annual internal audit performance reporting, it is difficult for internal audit to demonstrate its achievements and performance, and identify areas for improvement.
3.2 Measuring and reporting
Measuring performance
Internal audit performance can be measured in various ways, including:
- measuring performance against established key performance measures
- receiving feedback from internal audit clients based on their audit experience
- the audit committee undertaking assessments of performance
- successful delivery of the internal audit plan
- conducting independent assessments.
Internal audit plan delivery
All but two departments delivered their 2015–16 internal audit plans with approved exceptions. DEDJTR and DET did not deliver their internal audit plans for the 2015–16 year.
DET experienced high staff turnover and departmental changes, and was involved with other integrity activities that affected delivery of internal audit activities against its plan.
Staff leave that was not anticipated when developing the internal audit plan affected DEDJTR's in-house capacity.
The high volume of audits in these departments has also affected the delivery of their plans, due to the significant resourcing needed. Audit plans with a high volume of audits risk not being delivered unless there is access to stable in-house resources or additional external capacity when required.
The purpose of a risk-based internal audit plan is to provide coverage of the department's risks. If the plan is not delivered, the internal audit program will not have the expected coverage, which may leave the department exposed to key risks.
Client satisfaction surveys
Internal audit issues surveys to clients at the conclusion of each audit to evaluate the audit process and client engagement. This allows the client to provide feedback and identify opportunities for improvement.
Results of client surveys for all departments were positive. Results are reported to the audit committee through the internal audit status report, and evidence shows examples of departments using client comments to improve processes.
DELWP's internal audit status report and DET's annual internal audit performance report include an internal audit response to areas for improvement identified through customer satisfaction surveys, which outline actions to address client feedback.
Key stakeholder feedback
We interviewed key internal audit stakeholders including all audit committee chairs, Deputy Secretaries, executive directors, and the Secretaries who agreed to meet with us—from DET and DHHS—to obtain their feedback. All were positive about the value of internal audit and its performance.
Audit committee chairs expressed a desire for increased analysis of audit findings to identify the root causes of identified issues, and enhanced reporting to link individual audit outcomes to organisational or systemic issues that require attention from the audit committee and management.
Audit committee chairs of two departments raised concerns about the timeliness of audit completion and reporting.
External quality assessments
All three departments with co-sourced internal audit functions conducted external quality assessments before the machinery-of-government changes in 2015.
Departments with outsourced internal audit functions have not conducted external quality assessments. They rely on the external provider's internal quality assurance processes but these are not equivalent to an external quality assessment with a broad focus. External assessments contain opinions on internal audit activity that cover:
- compliance with IIA Standards, internal audit charter, policies and procedures, and legislative requirements
- expectations of the audit committee and senior management
- integration of internal audit into the department's governance framework
- internal audit tools and techniques
- knowledge and experience of staff
- opportunities to improve processes
- assessment of whether internal audit adds value and improves departmental operations
- identification and benchmarking of leading practices.
A review of the internal audit function in the Department of Education and Early Childhood Development—now DET—in 2013 concluded that internal audit partially conformed with the IIA Standards. The assessment found that reporting lines for the CAE did not reflect better practice and the internal audit plan did not fully align with risk due to the immaturity of the risk management framework. Departmental management questioned the value of internal audit and indicated the need for a more strategic focus. DET has since implemented recommendations from the 2013 external assessment to improve the internal audit function. Progress against recommendations is reported annually to the audit committee.
A review of the internal audit function in the Department of Human Services—now DHHS—in 2013 found that it complied with the IIA Standards and noted opportunities for minor improvement.
In 2014, an external review of internal audit in the Department of Transport, Planning and Local Infrastructure—one of the precursor departments to DEDJTR and DELWP—found the internal audit function generally conformed to the IIA Standards. However, the department structure and internal audit function have changed significantly since then. DEDJTR has recently begun an external quality assessment. The results of this review were not available at the time of our audit.
Performance against established measures
Departments develop their own sets of performance measures and report their performance against these measures to the audit committee. DEDJTR and DHHS have recently developed new performance measures and have not yet completed a full year's reporting against the measures. Complete comparable data is not available for departmental performance measures.
Figure 3A summarises the seven portfolio departments' internal audit performance against key measures.
Figure 3A
Performance of internal audit against key measures
Performance measure | DHHS | DET | DEDJTR | DJR | DELWP | DPC | DTF |
---|---|---|---|---|---|---|---|
Completion of audits in approved annual internal 2015–16 audit plan within year | 86% | 48% (d) | 71% | 86% | 100% | 100% | 100% |
Client survey feedback for audit engagements—average overall satisfaction, year to date | 75% | 85% | 87% | 89% | 90% | 85% | 87.5% |
Client satisfaction survey target | ≥95% | ≥90% | ≥80% | 95% average | >80% | ≥70% | 75% average |
Audit committee survey results—overall satisfaction | (a) | (a) | (a) | 80% | (a) | 86% | (a) |
External quality assessment—compliance with IIA Standards | Generally conforms | Partially conforms (e) | Generally conforms (c) | (b) | (b) | (b) | (b) |
(a) No separate survey of internal audit performance. The audit committee survey is a self‑assessment of the effectiveness of how well the audit committee oversees the internal audit function, not an evaluation of internal audit performance.
(b) No external quality assessment conducted.
(c) Assessment conducted of Department of Transport, Planning and Local Infrastructure.
(d) Internal audit plan delivery was affected by unplanned activities, including ad-hoc audits, delivery of Integrity Reform Program projects in response to IBAC hearings and an increased number of audit committee meetings due to IBAC commitments. Deferred audits were considered in the following year's internal audit planning process and all changes were agreed with the audit committee.
(e) DET has implemented a number of recommendations from this review, conducted in 2013.
Source: VAGO, based on information from departments.
Performance measures and reporting
Periodic assessment of internal audit against performance measures approved by the audit committee enables departments to measure internal audit's effectiveness and identify opportunities for improvement. The Standing Directions require internal audit to report to the audit committee on its performance annually. The Standing Directions also require the audit committee to report on internal audit performance to the Secretary. Figure B6 in Appendix B gives guidance on performance measures.
Identifying performance measures
Each department has developed qualitative and quantitative performance measures to evaluate the efficiency and effectiveness of internal audit. They have identified measures and targets for each performance measure, although not all departments have identified the reporting frequency.
Internal audit reports on performance measures and results to the audit committee. Our discussions with audit committee chairs indicate that, although not all audit committee chairs have been directly involved in the establishment of measures, they are comfortable with the range of measures in place.
Figure 3B compares the measures that departments use with the selected better practice measures outlined in Appendix E. All departments report on the delivery of the internal audit plan and the results of audit engagement client satisfaction surveys.
Figure 3B
Comparison of reported departmental measures with selected better practice measures
Key performance indicator | DHHS | DET | DEDJTR | DJR | DELWP | DPC | DTF |
---|---|---|---|---|---|---|---|
Internal audit processes | | | | | | | |
Completion of approved annual internal audit plan | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Completion of internal audit plan within budget | ✔ | ✘ | ✔ | ✔ | ✘ | ✔ | ✔ |
Management/stakeholders | | | | | | | |
Audit recommendations accepted | ✘ | n/a (a) | ✔ | ✔ | ✘ | ✘ | ✘ |
Client feedback surveys for audit engagements | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
Audit committee | | | | | | | |
Results of survey of audit committee members | ✘ | ✘ | ✔ | ✔ | ✘ | ✔ | ✔ |
Quality | | | | | | | |
Professional development of in-house staff | ✘ | ✘ | ✔ | n/a | n/a | n/a | n/a |
Staff turnover or external provider continuity | ✘ | ✘ | ✔ | ✔ | ✘ | ✔ | ✔ |
(a) DET does not provide internal audit recommendations but works with management to develop management action plans.
Source: VAGO, based on IIA, Internal Audit in Australia, 2016, and IPPF – Practice Guide: Measuring Internal Audit Effectiveness and Efficiency, 2010.
In practice, DET and DELWP manage delivery of the internal audit plan within budget but they do not report on this measure to the audit committee.
Reporting
The frequency of measurement, analysis and reporting against performance measures varies between departments.
Ongoing reporting
All internal audit functions prepare a cumulative internal audit status report for each audit committee meeting that provides an update on a range of matters, including:
- progress against the audit plan
- audits completed for the period
- changes to the plan
- results of customer satisfaction surveys issued at the completion of each audit engagement.
DET and DTF report against their performance metrics to every audit committee meeting, and DEDJTR provides an assessment quarterly.
Periodic reporting
Reporting against internal audit performance measures varies between departments. The Standing Directions require internal audit to report to the audit committee on the effectiveness of internal audit. Five departments—DEDJTR, DET, DJR, DPC and DTF—provide an annual internal audit performance assessment to the audit committee.
DHHS has measures in place with its external provider. As the model is new, DHHS plans to report performance to the audit committee in October 2017. The audit committee approved key performance measures in April 2017.
DJR also prepares an annual internal audit performance report that provides a dashboard of performance over the past three years and commentary against each result. The report takes a balanced scorecard approach—measuring performance against oversight, management and process—and includes:
- compliance with each element of the internal audit charter
- results of the audit committee survey of internal audit
- audit recommendations made and accepted
- completion of plan and performance against budget
- expertise, mix of resources and continuity of staff
- contractual service-level commitments
- other work.
Under the Standing Directions, audit committees must review the effectiveness and efficiency of the internal audit function and advise the department on the performance of the internal auditors.
Only DELWP provides a formal report, which includes an assessment of internal audit performance from the audit committee to the Secretary, to acquit this requirement. The report uses different measures of performance to the performance measures in place with the provider, which are more detailed, contractual measures. The external provider does not provide an annual internal audit performance report to the audit committee.
All other departments address this requirement through regular meetings of the audit committee chair and the Secretary. Secretaries also rely on the annual audit committee self-assessment survey, which includes questions on the effectiveness of audit committee oversight of internal audit. The audit committee provides a copy of the self-assessment survey to the Secretary.
Figure 3C describes better practice reporting of internal audit performance.
Figure 3C
Case study: Better practice reporting of internal audit performance at DET
DET provides a comprehensive annual internal audit performance report to its audit committee that reflects better practice. The report includes internal audit's:
|
Source: VAGO.
Using results for continuous improvement
Our discussions with CAEs and audit committee chairs, and our review of minutes of audit committee meetings, indicate that there is regular engagement and discussion about internal audit processes and opportunities for improvement.
Annual reporting of performance enables detailed analysis of performance results and supports quality assurance and improvement processes. DET's annual performance report includes an improvement plan to address identified weaknesses.
Figure 3D shows the results of our assessment of departments' internal audit performance.
Figure 3D
Internal audit performance
Aspect | DEDJTR | DELWP | DET | DHHS | DJR | DPC | DTF |
---|---|---|---|---|---|---|---|
Internal audit performance | ◕ | ◑ | ◕ | ◑ | ● | ◑ | ◑ |
Legend |
● | Meets mandatory requirements and demonstrates most aspects of better practice |
◕ | Meets mandatory requirements and demonstrates some aspects of better practice |
◑ | Meets mandatory requirements and demonstrates few aspects of better practice |
◔ | Meets mandatory requirements |
○ | Does not meet mandatory requirements |
Source: VAGO.
3.3 Communicating outcomes and insights
Reporting the results of internal audits
All internal audit reports include an overall rating of the control environments, and each audit finding is risk rated to indicate the significance or impact of the issue, and to enable departments to prioritise actions to address the issues. Audit committees and relevant departmental staff receive all internal audit reports.
The audit committee chair of each department briefs the Secretary following each audit committee meeting or at regular intervals during the year, and discusses any issues relating to internal audit performance, its findings and implementation of recommendations. Two Secretaries (at DPC and DTF) receive internal audit reports through audit committee papers and two (at DET and DJR) receive high-risk-rated reports only. The DJR Secretary receives audit committee agendas and minutes. The Secretary at DHHS receives copies of all final internal audit reports and audit committee papers. At DET, the Secretary also receives draft audit committee minutes.
Annual report on internal controls
Providing an annual report to the audit committee on the department's control environment draws attention to strategic issues, identifies emerging risks, and highlights patterns and trends across the department.
The Standing Directions require internal audit to provide independent and objective assessment of the effectiveness and efficiency of the agency's financial and internal control systems, reporting processes and activities each year.
DET provides a detailed annual report on internal controls to the audit committee. All departments undertake a range of activities related to internal controls, such as conducting audits of core financial processes and controls, ICT and risk reporting.
Some departments consider that their existing activities meet the Standing Directions requirement for internal audit to provide an assessment of the agency's financial and internal control systems. However, this requirement could be more clearly and effectively met if internal audit provided an annual report to the audit committee of the activities it has undertaken to address requirements and an overall assessment of the internal control environment.
Root causes and themes
Internal audit is well positioned to strategically share insights from audit activity and organisational engagement with the audit committee and executive. Instead of reporting only on the outcomes of individual audits, themes-based reporting links the outcomes of internal audit activity, and knowledge gained through engagement, into higher-level themes, which provides a strategic organisational and systemic perspective. Departments should include theme-based reporting as part of the annual report on internal controls.
All departments identify and report the root causes of findings in internal audit reports. Root cause analysis is the process of identifying why something happened.
Five departments—DELWP, DET, DHHS, DJR and DPC—identify root causes and categorise them into themed groups for reporting purposes. Examples of themes used include people and culture, information systems, policy and guidelines, controls, data integrity, and monitoring and oversight. Internal audit collates and reports this information to the audit committee in the internal audit status report. At the end of the audit plan year, DJR and DPC summarise organisational themes and report them to the audit committee with limited analysis. This is a new initiative in DELWP and DHHS, and themed annual reporting will be introduced in the current financial year.
DEDJTR and DTF only provide root cause information within individual audit reports, and do not collate information to identify themes across the audit program. Figure 3E describes better practice annual reporting of internal controls at DET.
Figure 3E
Case study: Better practice annual report on internal controls at DET
DET provides an annual thematic report that summarises themes and trends informed by internal audits, discussions with management, results of organisational culture surveys, feedback from other integrity agencies and participation on committees. The report includes an assessment of the overall control environment and highlights DET's areas of improvement and areas of concern, systemic themes and the trends for each theme, and the impact on the internal audit plan.
Source: VAGO.
There is limited evidence of responses, such as recommendations, arising from the themes analysis. In our discussions with CAEs and audit committee chairs, we noted that audit committee chairs are encouraging increased reporting on the root causes of audit issues and themes.
Monitoring and reporting against recommendations
Internal audits identify weaknesses in internal controls and make recommendations to mitigate risks. If recommendations are not implemented in a timely manner, the value of the internal audit activity is not realised and the agency is left exposed to risks.
Processes for monitoring and reporting
All departments have processes to monitor and report on the status of audit recommendations to the audit committee. Departments use various tools to track audit recommendations, ranging from spreadsheets to risk management systems and audit management systems.
DHHS is a large department, based on its total expenditure, and is subject to a high volume of audits and independent integrity agency reviews. DHHS lacks an effective system to monitor and report on audit recommendations and is currently investigating solutions. It currently uses spreadsheets to track audit recommendations, which involves significant administrative effort, and does not have a full-time staff member responsible for tracking audit recommendations. Due to these limitations, the status of audit recommendations is reported to the audit committee every six months.
All other departments report this information to every audit committee meeting, in line with better practice. Monitoring audit recommendations on a quarterly basis, at a minimum, maintains focus on implementation.
The process that departments use for reviewing implementation dates for overdue recommendations lacks rigour. More than 25 per cent of the overdue audit recommendations within four departments—DEDJTR, DELWP, DJR and DPC—have passed their original or revised due dates, and the implementation date has not been updated to reflect new time lines.
Figure 3F shows the ageing of open internal audit recommendations from original implementation dates for each department. This highlights the need for effective management of overdue audit recommendations. DELWP has a large number of high‑risk overdue actions that require attention. To increase oversight, the DELWP Deputy Secretaries have begun delivering presentations to the audit committee on high‑risk overdue actions.
Figure 3F
Ageing of open internal audit recommendations from original implementation dates
Note: Departments monitor internal audit recommendations at various levels, such as broad internal audit findings, recommendations or more detailed management action plans. As a result, we compared departments by considering how they track issues identified by internal audit.
Note: Recs = recommendations.
Note: DET has a large number of management actions that are not yet due as a result of the increased number of audits recently completed.
Source: VAGO.
All departments report changes in the status of audit recommendations between reporting dates. Four departments—DELWP, DET, DHHS and DTF—report on the ageing of overdue items. The other three departments—DEDJTR, DJR and DPC—report the number of overdue recommendations to the audit committee. DJR reports on the ageing of overdue audit recommendations at a divisional level by rotating divisional reports to the audit committee.
In most departments, the audit committee approves revisions to original implementation dates. In some departments, management or the audit committee revises due dates, depending on the risk rating of the issue.
Follow up of audit recommendations
Five departments—DEDJTR, DELWP, DET, DHHS and DTF—verify evidence of implementation of audit recommendations before reporting to the audit committee. All departments except DEDJTR perform follow-up audits to confirm that the action taken has adequately addressed the risk identified. DEDJTR and DHHS follow up implementation of audit recommendations as part of individual follow-up audits of areas included in the internal audit plan.
DELWP and DJR performed follow-up audits covering all open recommendations during the current year. These audits identified long-outstanding recommendations that are no longer relevant, due to departmental change or duplicate recommendations. DELWP and DET conducted a full follow up of outstanding audit recommendations in consultation with Deputy Secretaries during the current year. This identified some recommendations that were no longer relevant and revised implementation dates for overdue recommendations.
Initiatives to address outstanding recommendations
Discussions with key stakeholders indicate that delays in implementation are due to a combination of factors including management committing to ambitious time lines for completion of recommendations, a lack of consideration of audit recommendations in the business-as-usual activities, and departmental restructuring.
In most departments, internal audit asks management to provide updates to the audit recommendation tracking register before every audit committee meeting. However, integrating the audit recommendation tracking into the business on a day-to-day basis would increase the visibility of open audit recommendations and facilitate regular monitoring.
Several departments, including DEDJTR and DJR, use risk and performance reporting systems to monitor and report against open audit recommendations. The use of business systems integrates audit recommendation tracking into the business on a day‑to-day basis, increases the visibility of open audit recommendations and facilitates regular monitoring. The numbers of open recommendations have reduced in DEDJTR and DJR since they introduced these systems.
In our 2016 report Audit Committee Governance, we examined audit recommendations and reporting to audit committees, and the challenges departments face in managing the volume of audit recommendations and overdue actions.
Positive initiatives are evident in a number of departments to drive implementation of outstanding actions. Some departments are developing processes to finalise issues that are no longer relevant and consolidate recommendations, with approval from the executive board and the audit committee.
At DET, internal audit meets quarterly with Deputy Secretaries to review outstanding recommendations and help resolve outstanding items. At DELWP, DET, DHHS and DJR, Deputy Secretaries address open audit recommendations in rotating presentations to the audit committee. This process is designed to ensure high-risk actions are addressed, and has focused departments' attention on implementing outstanding issues.
Our discussions with audit committee chairs and key stakeholders indicate that audit committees focus on this area. All departments have introduced business area reporting of open audit recommendations to the audit committee. This has helped departments implement outstanding recommendations and understand challenging outstanding issues.
Figure 3G shows the results of our assessment of internal audit's performance on communicating outcomes and insights across the departments.
Figure 3G
Internal audit's performance on communicating outcomes and insights
Aspect | DEDJTR | DELWP | DET | DHHS | DJR | DPC | DTF |
---|---|---|---|---|---|---|---|
Communicating outcomes and insights | ◑ | ◑ | ● | ◑ | ◕ | ◕ | ◕ |

Legend:
● Meets mandatory requirements and demonstrates most aspects of better practice
◕ Meets mandatory requirements and demonstrates some aspects of better practice
◑ Meets mandatory requirements and demonstrates few aspects of better practice
◔ Meets mandatory requirements
○ Does not meet mandatory requirements
Source: VAGO.
Appendix A Audit Act 1994 section 16—submissions and comments
We have consulted with DEDJTR, DELWP, DET, DHHS, DJR, DPC and DTF, and we considered their views when reaching our audit conclusions. As required by section 16(3) of the Audit Act 1994, we gave a draft copy of this report, or relevant extracts, to those agencies and asked for their submissions and comments.
Responsibility for the accuracy, fairness and balance of those comments rests solely with the agency head.
Responses were received as follows:
RESPONSE provided by the Acting Lead Deputy Secretary, DEDJTR
RESPONSE provided by the Acting Secretary, DELWP
RESPONSE provided by the Secretary, DET
RESPONSE provided by the Secretary, DHHS
RESPONSE provided by the Secretary, DJR
RESPONSE provided by the Secretary, DPC
RESPONSE provided by the Secretary, DTF
Appendix B Legislation, guidance and better practice
The figures in this appendix list the detailed legislation and guidance in the Victorian public sector, and in better practice guides, for managing internal audit, measuring performance and communicating insights. The section numbers in the figures are cross-references to sections of this report.
Figure B1
Figures in this appendix
Figure | Title |
---|---|
Figure B2 | CAE |
Figure B3 | Internal audit resourcing and quality assurance |
Figure B4 | Internal audit governance |
Figure B5 | Internal audit planning |
Figure B6 | Internal audit performance |
Figure B7 | Communicating outcomes and insights |
Source: VAGO.
Figure B2
CAE
Section 2.2 |
Role and qualifications of the CAE |
---|---|
Legislation |
|
No legislation describes the role of the CAE. The Standing Directions require internal auditors to be suitably experienced and qualified. |
|
Standing Directions guidance |
|
The Standing Directions guidance recommends that the CAE has a relevant tertiary qualification. A professional designation (such as membership of the IIA) is not mandatory but helps ensure internal auditors are suitably qualified and keep their knowledge and expertise up to date with developments in internal auditing through ongoing professional development. |
|
Better practice |
|
No guidance on the role of the CAE is provided in the IIA Standards. The ANAO Public Sector Internal Audit Better Practice Guide describes the CAE as the officer responsible for the effective performance of the internal audit function. The IIA report Global Public Sector Insight: Policy Setting for Public Sector Auditing in the Absence of Government Legislation prescribes that the CAE should be at a sufficiently senior level (remuneration and profile) to be able to discuss audit results with senior management on an equal footing. The IIA Standards require the CAE or others reporting to the CAE to have appropriate professional certifications and qualifications. The IIA report Global Public Sector Insight: Policy Setting for Public Sector Auditing in the Absence of Government Legislation recommends the minimum qualifications for the CAE include a combination of years of auditing and/or leadership experience, audit-specific certifications and relevant tertiary qualifications. |
|
Section 2.2 |
Position and influence in the organisation |
Legislation |
|
The Standing Directions require the Secretary to establish an internal audit function independent of management. |
|
Standing Directions guidance |
|
For functional matters, the internal audit function is accountable to the responsible body generally through its audit committee. For administrative matters such as human resource administration and budgets, the internal audit function reports to management, such as an accountable officer or delegate. |
|
Better practice |
|
To maximise operational independence of internal audit, the IIA Standards, the IIA Internal Audit in Australia and the ANAO Public Sector Internal Audit Better Practice Guide recommend:
Support of senior management assists internal audit to gain the cooperation of clients and conduct their work without management interference. When the CAE reports directly to the Secretary, this sends a clear message about the importance of internal audit. Reporting to the Secretary facilitates regular contact, which provides the CAE with insights into new and emerging risks and issues facing the agency. At a minimum, the CAE should have direct access to the audit committee chair and the Secretary when required. The ANAO Public Sector Internal Audit Better Practice Guide states that where the Secretary chooses to delegate administrative reporting responsibility for internal audit, this should be to a senior executive with a commitment to internal audit who has no actual or perceived conflict. The IIA Standards recommend at the minimum the CAE needs to report to an individual with sufficient authority to promote independence and ensure broad audit coverage, adequate consideration of audit communications and appropriate action on recommendations. Internal audit should have dual reporting lines, as shown below. According to the IIA Standards, functional reporting includes:
Administrative reporting includes:
|
|
Section 2.2 |
Access to the audit committee, secretary, personnel and records |
Legislation |
|
The internal audit function should have access to the Secretary, audit committee and chief financial officer. |
|
Standing Directions guidance |
|
No further information is provided. |
|
Better practice |
|
To maximise operational independence of internal audit, the IIA Standards, the IIA Internal Audit in Australia and the ANAO Public Sector Internal Audit Better Practice Guide recommend:
Support of senior management assists internal audit to gain the cooperation of clients and conduct their work without management interference. When the CAE reports directly to the Secretary, this sends a clear message about the importance of internal audit. Reporting to the Secretary facilitates regular contact, which provides the CAE with insights into new and emerging risks and issues facing the agency. At a minimum, the CAE should have direct access to the audit committee chair and the Secretary when required. Internal audit should meet with the audit committee without the presence of management, at least annually. The IIA emphasises the importance of a strong working relationship between internal audit and the audit committee for effective internal audit performance and to allow audit committees to drive internal audit to meet expectations. |
|
Section 2.2 |
Managing objectivity and potential conflicts of interest |
Legislation |
|
The internal audit function should have sufficient information to enable it to perform its function and be subject to a protocol to manage conflicts of interest. |
|
Standing Directions guidance |
|
Internal auditors must be independent of management in carrying out their functions. Independence includes that they must not:
When the internal audit role is to be filled by an external service provider, relationships that may be seen to impair an internal audit member's independence could include:
Where the CAE has operational responsibility for areas such as risk and integrity, safeguards should be established to prevent actual or perceived conflicts of interest. When the operational area for which the CAE is responsible is subject to audit, the role of the CAE should be assigned to an individual who is independent of the internal audit function.
|
Source: VAGO.
Figure B3
Internal audit resourcing and quality assurance
Section 2.3 |
Quality assurance and continuous improvement |
---|---|
Legislation |
|
The Standing Directions require internal audit to apply relevant professional standards relating to internal audit. |
|
Standing Directions guidance |
|
The Standing Directions guidance refers to the IIA Standards and IIA Australia website for better practice information. |
|
Better practice |
|
The most widely recognised professional standards are contained within the IIA's IPPF, which includes the IIA Standards. The internal audit charter and external service provider contract should reflect the standards adopted by the department. The IIA Standards require the CAE to maintain a quality assurance and improvement program consisting of internal and external assessments, and to report the results to the audit committee. Quality assurance reviews focus on adherence to standards and the quality of internal audit work, and identify areas for continuous improvement. A quality assurance and improvement program includes internal and external assessment:
Internal quality assessment—ongoing
Ongoing internal quality assessment includes:
Internal quality assessment—periodic
Periodic internal quality assessment includes:
External quality assessment
An external quality assessment evaluates compliance with the IIA Standards, the definition of internal audit and the code of ethics. The requirement for an external quality assessment applies to all agencies, regardless of the size of the internal audit function and the nature of the service delivery model—in‑house, co-sourced or outsourced. It is conducted at an agency level and includes assessment of the work of the service provider. The benefits of an external quality assessment are that it builds stakeholder confidence in the internal audit function, as it demonstrates a commitment to quality assurance, continuous improvement and a professional approach to internal audit. An audit opinion of 'generally conforms' allows the internal audit function to state that its internal audit activities are conducted in accordance with the IIA Standards. According to the IIA Standards, an external quality assurance review should be conducted, at a minimum, every five years by an appropriately qualified, independent, external party. This may be a consultant or qualified peers from another audit function. The timing of this review should be reflected in the internal audit plan and the results reported to the audit committee. |
Source: VAGO.
Figure B4
Internal audit governance
Section 2.4 |
Internal audit charter |
---|---|
Legislation |
|
The Standing Directions require the internal audit function to prepare and maintain an internal audit charter for approval by the audit committee. They also require that the internal audit charter is available to all agency management and staff. |
|
Standing Directions guidance |
|
The Standing Directions guidance requires the internal audit charter to specify minimum requirements such as:
|
|
Better practice |
|
Better practice internal audit charters go beyond the fundamental requirements of the internal audit function and outline how internal audit will provide value to the agency. A better practice internal audit charter sets out the expectations of the audit committee and describes the monitoring and reporting requirements. The internal audit charter establishes internal audit's position within the agency, including the CAE's reporting lines, reporting of annual assessment of internal controls, trends and themes, and measurement of internal audit performance and quality. The ANAO Public Sector Internal Audit Better Practice Guide outlines the elements of a better practice internal audit charter. The model internal audit charter issued by the IIA covers the requirements of the IIA Standards for the internal audit function. |
Source: VAGO, IIA Australia and the ANAO Public Sector Internal Audit Better Practice Guide.
Figure B5
Internal audit planning
Section 2.5 |
Developing the internal audit plan |
---|---|
Legislation |
|
The Standing Directions require internal audit to annually prepare, maintain and implement:
The audit committee's role in overseeing internal audit, according to the Standing Directions, includes review and approval of the strategic internal audit plan and annual work program. |
|
Standing Directions guidance |
|
Internal audit planning needs to be appropriate for the agency's size, complexity of functions and risk profile. It should consider the key risks and areas outlined in the corporate plan and be sufficiently detailed to assure the audit committee and department that the proposed audit coverage will address the business needs and key risks. The strategic internal audit plan must cover a period of three to four years, which supports the requirement of reviewing financial management obligations over a medium‑term cycle and aligns with departments' rolling four-year corporate planning process. The strategic internal audit plan should be reviewed and updated annually and describe the role of internal audit in the agency's overall assurance processes, and provide an important link between the internal audit charter and the internal audit annual work program. Good practice internal audit planning involves a risk assessment of the areas of strategic and operational significance to the achievement of an agency's objectives to determine appropriate timing and frequency of coverage for these areas over the planning period. Key risk areas may be reviewed more frequently, even yearly, whereas lower-risk areas may only be reviewed in detail every three to four years. The strategic internal audit plan provides a comprehensive view of an agency's governance, risk and control activities and helps to focus the internal audit effort. The plan communicates the medium-term internal audit direction in supporting the achievement of the agency's objectives and the mitigation of risks. Senior management provides an important input into this planning process. |
|
Better practice |
|
Internal audit planning should be informed by:
The IIA Standards require the CAE to develop a risk-based plan to determine internal audit priorities consistent with the department's objectives. The outcome of internal audit planning is a forward plan of audit activity that shows clear alignment with the department's risks. A three- to four-year rolling internal audit plan should include a forward work plan of audits to be conducted over the next three to four years. It should contain a balance of strategic and risk-based audits, rotating financial audits to provide assurance over key financial areas, and compliance audits to meet legislative requirements. The purpose of each audit activity should be identified in the plan, and its link to risk and business objectives made clear. The first year of the internal audit plan should provide a detailed scope and details of allocated resources, and indicative timing, hours or cost for each engagement. Including past audit coverage helps to inform the plan and shows a broader view of the audit activity over time. The rolling nature of the plan requires it to be reviewed annually to ensure the plan remains relevant and reflects current organisational focus and changes to the risk environment. |
|
The blend of audits included in the internal audit plan depends on the risk profile of the organisation, size and complexity of the business, variation in the nature of business activities, stability of the organisation and the nature of information systems. Better practice internal audit plans contain a balance of compliance, financial and operational audits over the period of the plan to provide the agreed level of assurance. A risk-based audit plan focuses on the strategic goals and risks of the organisation and provides increased organisational value by delivering a greater proportion of operational audits. The blend of audits and coverage should be agreed with the audit committee. |
|
Audits can be classified into categories based on the focus or objective of the audit. The main categories of audit are:
|
|
Section 2.5 |
Approval and changes to the internal audit plan |
Legislation |
|
The annual internal audit work program sets out in detail the key areas for internal audit review for the upcoming year. |
|
Standing Directions guidance |
|
Standing Directions guidance refers to the IIA Developing the Internal Audit Strategic Plan Practice Guide and the ANAO Public Sector Internal Audit Better Practice Guide and templates. |
|
Better practice |
|
The internal audit plan should be reviewed and approved by the audit committee. Effective internal audit plans should be flexible to allow for changes. This enables the plan's focus to shift to address changing needs due to changes in the agency, the external environment or emerging risks. This can be done by including a reserve list of audits in the annual plan or deferring audits of lesser priority to later years and bringing forward or adding audits in areas of concern. Consistent with the IIA Standards and better practice—the IIA Internal Audit in Australia and the ANAO Public Sector Internal Audit Better Practice Guide—all changes to the internal audit plan should be approved by the audit committee. Internal audit should track progress against the plan and report any changes to the plan for approval. |
Source: VAGO, the IIA Standards, the IIA Internal Audit in Australia and the ANAO Public Sector Internal Audit Better Practice Guide.
Figure B6
Internal audit performance
Section 3.2 |
Measuring and reporting on performance |
---|---|
Legislation |
|
The Standing Directions require internal audit to develop and implement systems to ensure the internal audit function operates effectively and efficiently and is appropriate for the agency's needs. They also require internal audit to report to the audit committee on the effectiveness of the internal audit function. Under the Standing Directions, audit committees are required to review the effectiveness and efficiency of the internal audit function and advise the agency on the performance of the internal auditors. |
|
Standing Directions guidance |
|
Standing Directions guidance refers to IIA's IPPF – Practice Guide: Measuring Internal Audit Effectiveness and Efficiency to assist internal audit to measure, monitor and report the results of its effectiveness and efficiency to the audit committee. |
|
Better practice |
|
Better practice internal audit functions measure and report on their performance and use the results for continuous improvement to drive improvements in quality. Internal audit should establish performance indicators to measure its performance and achievement of its objectives. Establishing effective performance requires identification of key internal audit performance categories such as internal audit processes, audit committee, management, innovation and capability. Performance strategies should be identified for each category with measurements, targets and reporting frequency, and routinely measured, analysed and reported to the audit committee. Measures should be relevant and reflect internal audit activities and the expectations of stakeholders. They should be clear and concise, measurable and have achievable targets, and be both quantitative and qualitative. The IIA IPPF – Practice Guide: Measuring Internal Audit Effectiveness and Efficiency recommends balanced scorecard reporting of qualitative and quantitative performance measures to the audit committee. A balanced scorecard aligns performance measures into categories that reflect the perspectives of a range of stakeholders such as the audit committee, management and internal audit processes, as well as capability. See Appendix E for a selection of the better practice key performance measures represented using a balanced approach with categories of internal audit processes, management, audit committee and quality. Each key performance measure should have a basis of measurement, target and reporting frequency. |
Source: VAGO.
Figure B7
Communicating outcomes and insights
Section 3.3 |
Reporting the results of internal audits |
---|---|
Legislation |
|
No legislation. |
|
Standing Directions guidance |
|
No guidance. |
|
Better practice |
|
The IIA Standards require internal auditors to communicate the results of the audits including the engagement's objectives and scope, as well as applicable conclusions, recommendations and action plans. The IIA views insight as a critical element of its value proposition for the profession. Management and the audit committee look to internal audit to provide independent, objective assurance on the risk, governance and control frameworks of the organisation. Communicating this information effectively demonstrates the value of internal audit. The IIA White Paper Themes-based Reporting (2017) provides useful guidance on thematic reporting. |
|
Section 3.3 |
Annual report on internal controls |
Legislation |
|
The Standing Directions require the internal audit function to provide each year to the audit committee an independent and objective assessment of the effectiveness and efficiency of the agency's financial and internal control systems, reporting processes and activities in accordance with its work program. |
|
Standing Directions guidance |
|
No guidance. |
|
Better practice |
|
Better practice internal audit functions demonstrate their value by communicating information that supports the audit committee in its role. This includes:
|
|
Section 3.3 |
Monitoring and reporting progress against internal audit recommendations |
Legislation |
|
The Standing Directions require the Secretary to establish an audit committee to regularly review implementation of actions in response to internal or external audits, including remedial actions to mitigate future instances of non‑compliance. |
|
Standing Directions guidance |
|
No guidance. |
|
Better practice |
|
The IIA Standards require the CAE to establish and maintain a system to monitor the implementation of audit results communicated to management. The CAE must ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action. It is better practice for the CAE to regularly inform the audit committee of progress in the implementation of agreed internal audit and external audit recommendations. The IIA White Paper Reporting on the Status of Audit Recommendations provides useful guidance on the monitoring and reporting of audit recommendations. It recommends the CAE establish a database to log audit recommendations and monitor progress. Management should periodically update the database with the current implementation status. The CAE should analyse the status of all open recommendations to identify high‑risk and overdue items, and produce graphs illustrating movements, risk rating and ageing of overdue items. Information about the status of recommendations should be reported to every audit committee meeting or on a quarterly basis. Internal audit should conduct periodic independent reviews of completed audit recommendations to verify the evidence to confirm the closed management actions are effectively implemented and the associated risks have been mitigated. |
Source: VAGO, the IIA Standards, and the IIA White Paper Reporting on the Status of Audit Recommendations.
Appendix C Assessment of internal audit charters
Figure C1 is an assessment of recommended internal audit charter content against actual department charter content.
Figure C1
Recommended internal audit charter content
| Recommended content | DHHS | DET | DEDJTR | DJR | DELWP | DPC | DTF |
|---|---|---|---|---|---|---|---|
| Standing Directions 2016 | | | | | | | |
| Charter approved by audit committee | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Available to staff | ✔ | ✔ | ✘ | ✔ | ✘ | ✔ | ✘ |
| Standing Directions guidance | | | | | | | |
| Meets | 8/8 | 8/8 | 8/8 | 8/8 | 8/8 | 7/8 | 7/8 |
| Purpose | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Roles and responsibilities | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Authority and accountability | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Independence and objectivity | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Outsourcing and co-sourcing arrangements | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ |
| Reporting and monitoring | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Annual review of the charter | ✔ | ✔ | ✔ | ✔ | ✔ | ✘(a) | ✔ |
| Adoption of IIA Standards | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Better practice | | | | | | | |
| Meets | 15/17 | 13/17 | 14/17 | 13/17 | 10/17 | 11/17 | 6/17 |
| Scope of internal audit | ✔ | ✘ | ✔ | ✔ | ✔ | ✔ | ✘ |
| Independence | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| | ✔ | ✔ | ✘ | ✔ | ✔ | ✘ | ✔ |
| | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘(b) |
| | ✔ | ✔ | ✔ | ✘(a) | ✘(b) | ✔ | ✘(a) |
| Confidentiality | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Relationships with external audit and key stakeholders | ✔ | ✘ | ✔ | ✔ | ✔ | ✔ | ✔ |
| Planning | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘(b) |
| Audit committee reporting | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| | ✔ | ✔ | ✔ | ✘(a) | ✔ | ✘(a) | ✘(a) |
| | ✔ | ✔ | ✔ | ✔ | ✘(a) | ✔ | ✔ |
| | ✔ | ✘(a) | ✔ | ✔ | ✘ | ✘ | ✘ |
| | ✘ | ✔ | ✔ | ✔ | ✘ | ✘ | ✘ |
| | ✔ | ✘ | ✘ | ✘ | ✔ | ✘ | ✘ |
| Performance and quality | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| | ✔ | ✔ | ✔ | ✘ | ✘ | ✘ | ✘ |
| | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✘ |
| Recognition of: | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| | ✔ | ✔ | ✘ | ✔ | ✘ | ✔ | ✘ |
| | ✘ | ✔ | ✘ | ✔ | ✘ | ✔ | ✔ |
(a) The department performs this in practice, but the charter does not address it.
(b) Partial compliance.
Source: VAGO, IIA model charter and the ANAO model charter.
Appendix D Model assurance map
Appendix E Better practice performance measures
Figure E1 shows an example of balanced scorecard reporting of better practice performance measures.
Figure E1
Better practice performance measures
Key performance indicator | Type of measure | Measure | Target | Reporting frequency |
---|---|---|---|---|
Internal audit processes | | | | |
Complete audits on approved annual internal audit plan (subject to audit committee changes) | Efficiency/Quantitative | % of planned audits completed within the plan year | 100% | Annual |
Cost—plan completed within budget | Efficiency/Quantitative | % variance from approved budget for the financial year | 0% over budget | Annual |
Management/stakeholders | | | | |
Audit recommendations accepted | Effectiveness/Qualitative | % of recommendations accepted by management (maintaining internal audit independence) | 90% | Annual |
Client feedback surveys for audit engagements | Effectiveness and efficiency/Qualitative | % of survey responses for value/overall benefit resulting from audit rating good or excellent | 90% | Ongoing |
Audit committee | | | | |
Results of survey of audit committee members | Effectiveness and efficiency/Qualitative | % of survey responses rated good or excellent | 90% | Annual |
Quality | | | | |
Professional development of staff (in-house staff) | Effectiveness/Qualitative | Completion of professional development hours | 100% | Annual |
Staff turnover or external provider continuity | Effectiveness and efficiency/Qualitative | % of turnover | 0% | Annual |
Source: VAGO, based on IIA Australia, Internal Audit in Australia, July 2016, and IPPF – Practice Guide: Measuring Internal Audit Effectiveness and Efficiency.
Appendix F Internal audit quality assessment
Figure F1 is a copy of the IIA Internal Audit Quality Analysis, which is used to conduct self‑assessment against the IIA Standards.
Figure F1
IIA Internal Audit Quality Analysis
Source: Institute of Internal Auditors Australia.