Internal audit arrangements and risk management
Strengthened governance and assurance initiatives
We now have governance initiatives in place to drive a more capable, open, and accountable organisation. An integral part of these initiatives is a new Governance and Assurance Branch which was established in December 2005. The branch’s principal responsibilities include the management of a significantly enhanced Internal Audit Programme (IAP) and the building of a more robust governance and assurance capability.
The branch managed a strengthened IAP, expanded from $1.375 million in 2004-05 to $2.266 million in 2005-06, focussing on compliance and addressing other high risk activities.
The branch has developed a principles-based National Quality Assurance Framework to facilitate the development of strategic and activity-based assurance processes, through Systems for People.
In addition, the branch has established the Governance and Leadership Prominent Speaker Programme for senior executives, in which prominent public and private sector speakers with current knowledge of significant themes in governance address our SES staff on a regular basis. The inaugural speaker was Dr. Peter Shergold AM, the Secretary of the Department of Prime Minister and Cabinet, who spoke on the government’s expectations in relation to good governance in the Australian Public Service, and in particular, on the nexus between leadership and good governance.
Internal audit
Internal audit is a fundamental element of our governance structure. It gives the Secretary independent assurance that a robust internal control structure is in place and our outputs and activities are operating effectively, efficiently, and lawfully.
The internal audit function is managed by the Governance and Assurance Branch (which reports directly to the Secretary) and operates under the authority of the Internal Audit Charter. The IAP is primarily delivered by an external provider, Ernst & Young. During 2005-06, a supplementary panel of external providers was appointed to provide audit, risk management, fraud control, and business continuity management services. The panel will assist in situations where there are capacity concerns or possible conflict of interest issues with the primary provider.
We work cooperatively with the Australian National Audit Office (ANAO) to coordinate overall audit activity within the department, and to ensure there is no duplication of effort. The ANAO is invited to Departmental Audit and Evaluation Committee (DAEC) meetings and is regularly offered the opportunity to meet privately with the DAEC to discuss issues of mutual interest. The ANAO also attends the DAEC’s Financial Statements Sub-Committee meetings.
The annual IAP is one of our principal risk mitigation tools and an integral element of our assurance and risk management arrangements. The IAP is designed to closely align internal audit activity with the key risks we face. The IAP for 2005-06 was developed following a rigorous analysis of our risk profile, which was created after extensive consultation with our senior managers. The initial IAP was approved by the DAEC and endorsed by the Executive Management Committee. It comprised 19 audits.
Following the adverse findings of the Palmer and Comrie Inquiries, additional funding was allocated to the IAP as part of our strategy to strengthen the overall assurance framework. Consequently, the IAP was reprioritised and enhanced to provide a greater focus on compliance auditing.
Quality assurance
In the post-Palmer and Comrie Inquiries environment, we have made a priority of addressing quality assurance.
In broad consultation with a wide range of stakeholders, the Governance and Assurance Branch developed a principles-based National Quality Assurance Framework. This promoted the basic principles of quality assurance, and provided guidance on the design and review of quality assurance processes. The framework ensures that quality assurance methods and principles are applied consistently, enabling programme managers and the DAEC to identify trends and emerging portfolio-wide risks.
We have had targeted quality assurance processes in place for some time in a number of different areas of the department. These ‘control self-assessment’ tools aim to monitor performance and compliance using internally-developed checklists. Periodic reports are made to the DAEC on the level of compliance with controls, and on remedial action proposed or undertaken to address identified shortcomings.
We apply financially-based financial accountability and control tools in national and state and territory offices, and we use quality control codes, to review decision-making and decision-making processes onshore. We use another quality assurance tool – the office audit and security checklist - to ensure compliance with controls at overseas posts.
Risk management
During 2005-06, we continued to integrate formal risk management practices into a range of governance activities, including resource and business planning, contract management, and internal audit planning.
Our internal auditors conducted a rolling programme of internal audits examining the implementation of risk management across the portfolio. Audit findings and recommendations included the need for a more formal approach to the management of risk. In response to this, we developed a Chief Executive Instruction (CEI) on risk management.
We also implemented a communications strategy to help raise awareness among staff of risk management principles and to promote an understanding and knowledge of our Risk Management Framework. This strategy involved the development of risk management promotional material and risk management training modules. It also promoted the establishment of a network of risk management contacts throughout the department, and wider promotion of the in-house Risk Management Helpdesk.
In 2005-06, in addition to the Risk Management Helpdesk, a panel of external risk management consultants was established to help ensure that risk management expertise was accessible by all business areas.