Treasury Cluster Internal Audit Charter September 2015

Treasury Cluster
Internal Audit Charter
September 2015
Complies with Internal Audit & Risk Management Policy TPP 15-03 and the Revised IPPF
Standards of 2013
Contact: Chief Audit Executive
Review history:
April 2010: First published
Aug 2011, Apr 2012, Oct 2012, Mar 2013, July 2013 (Annexure only), Feb 2014, Aug 2014:
Updates under TPP 09-05, to allow for changes to Cluster, revised IPPF
Standards and other process improvements
September 2015: Update in line with TPP 15-03 model charter. Also reflects Cluster
changes of 1 July 2015.
Table of Contents
1. Introduction
2. Purpose of internal audit
3. Independence
4. Authority and confidentiality
5. Roles and responsibilities
5.1 Audit activities
5.2 Advisory services
5.3 Audit support activities
6. Scope of internal audit activity
7. Standards
8. Service providers
9. Relationship with external audit
10. Planning
11. Reporting
12. Administrative arrangements
13. Review of the Charter
The Internal Audit functions of NSW agencies are required to have a charter that is
consistent with the content of the ‘model charter’. The Chief Audit Executive is required to
review, in consultation with the agency head and the Audit and Risk Committee, their
existing Internal Audit Charter against this model. In doing so it is important that each
agency consider carefully its particular circumstances, as there may be additional agency
specific requirements that must also be addressed.
The purpose of this Internal Audit Charter is to address the role, responsibilities,
authorisation, activities and reporting relationships of the Internal Audit function. The Charter
is reviewed on a regular basis to ensure that it is consistent with changes in the Treasury
Cluster’s financial, risk management and governance arrangements and reflects
developments in Internal Audit professional practices.
Detail of the function’s practice and methodology may be found in the Treasury Cluster Audit
Manual, which can be found at
http://www.treasury.nsw.gov.au/About_Us/internal_audit_and_risk_management/audit_manual
1. Introduction
The Secretary has established the Internal Audit Branch as a key component of the Treasury
Cluster’s governance framework.
This Charter provides the framework for the conduct of the internal audit function in Treasury
and has been approved by the Secretary, taking into account the advice of the Treasury
Audit and Risk Committee.
Annexure 1 (attached) defines the entities in the Treasury Cluster in relation to their Audit
and Risk Committee arrangements. Annexure 2 lists all the entities comprising the Cluster.
2. Purpose of internal audit
Internal audit is an independent, objective assurance and consulting activity designed to add
value and improve an organisation's operations. It helps an organisation accomplish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes.[1]
Internal audit provides an independent and objective review and advisory service to:
• provide assurance to the Secretary, and the Audit and Risk Committee, that
  Treasury’s financial and operational controls, designed to manage the
  organisation’s risks and achieve its objectives, are operating in an efficient,
  effective and ethical manner, and
• assist management in improving the business performance of Treasury and its
  related entities.
[1] As defined by the International Standards for the Professional Practice of Internal Audit (IIA) (2013). Where relevant,
sections of this Charter also incorporate other elements of the International Standards for the Professional Practice of
Internal Auditing.
3. Independence
Independence is essential to the effectiveness of the internal audit function. Internal audit
activity must be independent, and internal auditors must be objective in performing their work.
Internal auditors must have an impartial, unbiased attitude and avoid any conflicts of interest.
The internal audit function has no direct authority or responsibility for the activities it reviews.
The internal audit function has no responsibility for developing or implementing procedures
or systems and does not prepare records or engage in original line processing functions or
activities (except in carrying out its own functions).
The internal audit function is responsible on a day to day basis to the Chief Audit Executive.
The internal audit function, through the Chief Audit Executive, reports functionally to the
Audit and Risk Committee on the results of completed audits, and for strategic direction and
accountability purposes, and reports administratively to the Secretary[2] to facilitate day to day
operations.
The following reporting line is prescribed by the combination of TPP 15-03 and TPP 12-04,
which governs shared arrangements. Annexure 1 clarifies which entities are indicated.
[Reporting line diagram. Boxes: Principal Department Head (Secretary) (Treasury); Entity head
(Secretary) (Other entities for which the Secretary is CEO); Directors (Port Lessor Companies);
Audit and Risk Committee (ARC); Chief Audit Executive (and Internal Audit function)]
The internal audit function – comprising (a) the Branch and (b) the outsourced service
provider - confirms its independence to each Audit & Risk Committee quarterly. The CAE
and/or the Partner representing the service provider will immediately report to the Committee
anything perceived to impinge on that independence.
IPPF Definition of Independence:
The 2013 IPPF Standard defines “independence” as “the freedom from conditions that threaten the
ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
To achieve the degree of independence necessary to effectively carry out the responsibilities of the
internal audit activity, the CAE has direct and unrestricted access to executive management and the
Audit and Risk Committee. This can be achieved through a dual-reporting relationship. Threats to
independence must be managed at the individual auditor, engagement, functional and organisational
levels.”
[2] Some small entities who are signatories to Treasury’s Shared Arrangement Agreement have agency heads other than
the Treasury Secretary. When any part of this Charter is read as pertaining to one of them, the term “Secretary” should
be taken to refer to that entity’s CEO or Board/Director, and the term “Treasury” should be taken to refer to that entity.
4. Authority and confidentiality
Internal auditors are authorised to have full, free and unrestricted access to all functions,
premises, assets, personnel, records, and other documentation and information that the
Chief Audit Executive considers necessary to enable the internal audit function to meet its
responsibilities[3].
All records, documentation and information accessed in the course of undertaking internal
audit activities are to be used solely for the conduct of these activities. The Chief Audit
Executive and individual internal audit staff are responsible and accountable for maintaining
the confidentiality of the information they receive during the course of their work.
All internal audit documentation is to remain the property of Treasury, or the audited entity
where different, including where internal audit services are performed by an external third
party provider.
5. Roles and responsibilities
The internal audit function must evaluate and contribute to the improvement of governance,
risk management and control processes using a systematic and disciplined approach.
In the conduct of its activities, the internal audit function will play an active role in:
• developing and maintaining a culture of accountability and integrity
• facilitating the integration of risk management into day-to-day business activities
  and processes, and
• promoting a culture of cost-consciousness, self-assessment and adherence to
  high ethical standards.
Internal audit activities will encompass the following areas:
Audit activities including audits with the following orientation:
Risk Management
• evaluate the effectiveness, and contribute to the improvement, of risk management
  processes
• provide assurance that risk exposures relating to the organisation's governance,
  operations, and information systems are correctly evaluated, including:
  - reliability and integrity of financial and operational information
  - effectiveness, efficiency and economy of operations, and
  - safeguarding of assets
• evaluate the design, implementation, and effectiveness of the organisation's
  ethics-related objectives, programs, and activities
• assess whether the information technology governance of the organisation sustains
  and supports the organisation's strategies and objectives
[3] Subject to any overriding legislative restrictions on information. Any request for access to information deemed
‘commercial in confidence’ must be authorised by the Secretary [or other agency head], in consultation with the Audit &
Risk Committee.
Compliance
• compliance with applicable laws, regulations and Government policies and directions
Performance improvement
• the efficiency, effectiveness, and economy of the Treasury Cluster’s business
  systems, processes and programs.
Advisory services
The internal audit function can advise the management of Treasury and other cluster entities
on a range of matters including:
New programs, systems and processes
• providing advice on the development of new programs and processes and/or
  significant changes to existing programs and processes including the design of
  appropriate controls
Risk management
• assisting management to identify risks and develop risk mitigation and monitoring
  strategies as part of the risk management framework
Fraud control
• evaluating the potential for the occurrence of fraud and how the organisation manages
  fraud risk
• assisting management to investigate fraud, identify the risks of fraud and develop
  fraud prevention and monitoring strategies.
Audit support activities
The internal audit function is also responsible for:
• managing the internal audit function
• assisting the Treasury (and any shared arrangements) Audit and Risk Committee
  to discharge its responsibilities
• monitoring the implementation of agreed recommendations
• disseminating across the entity – and, so long as confidentiality or conflict of
  interests are not issues, via Treasury’s public website – better practice and lessons
  learned arising from its audit activities.
6. Scope of internal audit activity
Internal audit reviews may cover all programs and activities of Treasury and/or its associated
entities, as provided for in relevant business agreements, memoranda of understanding or
contracts. Internal audit activity encompasses the review of all financial and non-financial
policies and operations.
7. Standards
Internal audit activities will be conducted in accordance with TPP15-03 and with relevant
professional standards including International Standards for the Professional Practice of
Internal Auditing issued by the Institute of Internal Auditors.
In the conduct of internal audit work, internal audit staff will, and will ensure that any
outsourced service provider will:
• comply with relevant professional standards of conduct
• possess the knowledge, skills and technical proficiency relevant to the performance
  of their duties
• be skilled in dealing with people and communicating audit, risk management and
  related issues effectively
• exercise due professional care in performing their duties.
8. Service Providers
The Treasury Cluster’s business model requires that all internal audits and related reviews will
be provided by external service providers. In normal circumstances there will be a single
service provider. However, even where this is the case, the CAE reserves the right to award
individual reviews to other providers – for example if a conflict of interest exists or may be
perceived, or if the review is deemed to require a specialist. The Audit and Risk Committee
will be advised of such cases before engagement.
An external service provider, whether long-term or single-engagement, will be expected to
operate according to the Treasury Cluster Audit Manual. They will be engaged under a
formal contract and work to a formal scope.
When internal audit activity is provided by an external service, Treasury retains the
responsibility for maintaining an effective internal audit activity.
Outsourced internal auditors must have sufficient skills, knowledge and other competencies
to perform their assigned work, and must decline the work if they lack these attributes in
relation to performing all or part of the engagement. They must exercise due professional
care by considering:
• The extent of work needed to achieve the engagement’s objectives
• The relative complexity, materiality or significance of matters to which assurance
  procedures are being applied
• The adequacy and effectiveness of governance, risk management and control
  processes
• The probability of significant errors, fraud or noncompliance
• The cost of assurance in relation to the potential benefits; and
• Application to engagements of technology-based auditing and data analytic techniques.
9. Relationship with external audit
Internal and external audit activities will be coordinated to help ensure the adequacy of
overall audit coverage and to minimise duplication of effort.
Periodic meetings and contact between internal and external audit will be held to discuss
matters of mutual interest and facilitate coordination.
External audit will have full and free access to all internal audit plans, working papers and
reports.
10. Planning
The Chief Audit Executive will prepare a risk-based annual internal audit work plan in a form,
and in accordance with a timetable, agreed with the Audit and Risk Committee. The
one-year plan will be set in the context of a 3-5 year strategic audit plan, which aims to cover all
key risk types and all areas of the Treasury cluster over that period. Priority setting will be
risk-based, and each annual internal audit plan will make provision for at least one ad hoc
request or audit of an identified emerging risk.
11. Reporting
The Chief Audit Executive will report to each meeting of the Audit and Risk Committee on:
• audits completed
• progress in implementing the annual audit work plan
• implementation status of agreed internal and external audit recommendations, and
• issues nominated in the Committee’s Charter or in TPP 15-03.
The internal audit function will also report to the Audit and Risk Committee at least annually
on the overall state of internal controls in Treasury and any systemic issues requiring
management attention based on the work of the internal audit function and, where relevant,
of other assurance providers.
12. Administrative arrangements
Any change to the role of the Chief Audit Executive or the outsourced service provider will be
approved by the Secretary in consultation with the Audit and Risk Committee.
The Chief Audit Executive will arrange for an internal review, at least annually, and a
periodic independent review, at least every five (5) years, of the efficiency and effectiveness
of the operations of the internal audit function. The results of the reviews will be reported to
the Audit and Risk Committee who will provide advice to the Secretary on those results. The
most recent external review of internal audit occurred in the first half of 2011, thus the next is
due in 2016.
13. Review of the charter
This Charter will be reviewed at least annually by the Audit and Risk Committee. Any
substantive changes will be formally approved by the Secretary on the recommendation of
the Audit and Risk Committee and (where relevant) the heads of the other entities
comprising the Shared Arrangement.