Internal Audit Charter
March 2013 [1]

Complies with Internal Audit & Risk Management Policy of August 2009 and the Revised IPPF Standards of 2013

Contact: Chief Audit Executive

[1] First published April 2010. Updated August 2011, April 2012, October 2012, March 2013.

Internal Audit Function Charter

Table of Contents

1. Introduction
2. Purpose of internal audit
3. Independence
4. Authority and confidentiality
5. Roles and responsibilities
5.1 Audit activities
5.2 Advisory services
5.3 Audit support activities
6. Scope of internal audit activity
7. Standards
8. Service providers
9. Relationship with external audit
10. Planning
11. Reporting
12. Administrative arrangements
13. Review of the Charter
Annexure 1 (entities covered by Treasury internal audit)

The purpose of this Internal Audit Charter is to define the nature of assurance services provided to NSW Treasury and address the role, responsibilities, authorisation, activities and reporting relationships of the Internal Audit function.

The charter is reviewed on a regular basis to ensure that it is consistent with changes in Treasury’s financial, risk management and governance arrangements and reflects developments in Internal Audit professional practices. Detail of the function’s practice and methodology may be found in the Treasury Audit Manual which can be found under “About Us” on Treasury’s website.

1. Introduction

The Secretary has established the Chief Audit Executive’s functions as a key component of Treasury’s governance framework.

Annexure 1 (attached) defines the entities encompassed in this document by the term “Treasury”. The Treasury Audit & Risk Committee advises the Secretary in relation to all entities listed in the Annexure. The Committee also oversees audit and risk for the Total State Sector Accounts.
This charter provides the framework for the conduct of the Internal Audit function in Treasury and has been approved by the Secretary on the advice of the Audit and Risk Committee.

2. Purpose of internal audit

Internal audit is an independent, objective assurance and consulting activity designed to provide assurance services, add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. [2]

Internal audit provides an independent and objective review and advisory service to:

• provide assurance to the Secretary, and the Audit and Risk Committee, that Treasury’s financial and operational controls, designed to identify and manage the organisation’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner, and
• assist management in improving Treasury’s business performance.

3. Independence

Independence is essential to the effectiveness of the Internal Audit function. Internal audit activity must be independent, and internal auditors must be objective in performing their work. Internal auditors must have an impartial, unbiased attitude and avoid any conflicts of interest.

The Internal Audit function has no direct authority or responsibility for the activities it reviews. The Internal Audit function has no responsibility for developing or implementing procedures or systems, except for those related to governance and internal audit. It does not prepare records or engage in original line processing functions or activities (except as noted below).

The Internal Audit function is responsible on a day to day basis to the Chief Audit Executive.
The Internal Audit function, through the Chief Audit Executive, reports functionally to the Audit and Risk Committee on the results of completed audits and for strategic direction and accountability purposes, and reports administratively to the Secretary to facilitate day to day operations.

[2] As defined by the International Standards for the Professional Practice of Internal Audit (IIA)(2011). Where relevant, sections of this Charter also incorporate other elements of the International Standards for the Professional Practice of Internal Auditing.

The following reporting line is prescribed:

[Reporting line diagram: Secretary; Audit & Risk Committee; Chief Audit Executive (Internal Audit Function)]

Any audit that may be compromised by a conflict in the CAE’s accountabilities should be fully outsourced. In these circumstances, the roles usually performed by the CAE during audit assignments should be allocated to a senior member of the management team independent of the area/process being audited.

Similarly, any audit that may be compromised by a conflict of interests on the part of an outsourced service provider should be promptly identified, and if the CAE agrees there is a real or perceived conflict, the audit should be passed to another provider.

The internal audit function, comprising (a) the Branch and (b) the outsourced service provider, confirms its independence to the Audit & Risk Committee at least once a year. The CAE and/or the Partner representing the service provider will immediately report to the Committee anything perceived to impinge on that independence.

Definition of Independence: The 2013 IPPF Standard defines “independence” as “the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the CAE has direct and unrestricted access to executive management and the Audit and Risk Committee. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional and organisational levels.”

4. Authority and confidentiality

Internal auditors are authorised to have full, free and unrestricted access to all functions, premises, assets, personnel, records, and other documentation and information that the Chief Audit Executive considers necessary to enable the Internal Audit function to meet its responsibilities.

All records, documentation and information accessed in the course of undertaking internal audit activities are to be used solely for the conduct of these activities. The Chief Audit Executive and individual internal audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.

All internal audit documentation is to remain the property of NSW Treasury, including where internal audit services are performed by an external third party provider.

5. Roles and responsibilities

The Internal Audit function must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach based on established Aus/NZ/ISO Standards.

In the conduct of its activities, the Internal Audit function will play an active role in:

• developing and maintaining a culture of accountability and integrity
• facilitating the integration of risk management into day-to-day business activities and processes, and
• promoting a culture of cost-consciousness, self-assessment and adherence to high ethical standards.
Internal audit activities will encompass the following areas:

5.1 Audit activities including audits with the following orientation:

5.1.1 Risk Management

• evaluate the effectiveness of, and contribute to the improvement in, risk management processes
• provide assurance that risk exposures relating to the organisation's strategy, governance, operations, and information systems are correctly evaluated, including:
  o reliability and integrity of financial and operational information
  o effectiveness, efficiency and economy of operations, and
  o safeguarding of assets
• evaluate the design, implementation, and effectiveness of the organisation's ethics-related objectives, programs, and activities
• assess whether the information technology governance of the organisation sustains and supports the organisation's strategies and objectives

5.1.2 Compliance

• compliance with applicable laws, regulations, policies, procedures and contracts.

5.1.3 Performance improvement

• the efficiency, effectiveness, and economy of Treasury’s business systems, processes and programs.

5.2 Advisory services

The Internal Audit function can advise Treasury’s management on a range of matters including:

5.2.1 New programs, systems and processes

• providing advice on the development of new programs and processes and/or significant changes to existing programs and processes including the design of appropriate controls

5.2.2 Risk management

• assisting management to identify risks and develop risk mitigation and monitoring strategies as part of the risk management framework

5.2.3 Fraud control

• evaluating the potential for the occurrence of fraud and how the organisation manages fraud risk
• assisting management to investigate fraud, identify the risks of fraud and develop fraud prevention and monitoring strategies.
5.3 Audit support activities

The Internal Audit function is also responsible for:

• assisting the Audit and Risk Committee to discharge its responsibilities
• providing secretariat support to the Audit and Risk Committee
• monitoring the implementation of agreed recommendations
• disseminating across the entity better practice and lessons learned arising from its audit activities.

6. Scope of internal audit activity

Internal audit reviews cover all programs and activities of Treasury, including all entities and accounts mentioned in Annexure 1. They may also extend to Treasury’s interface with key external service providers, notably ServiceFirst. Internal audit activity encompasses the review of all financial and non-financial policies and operations, including the Total State Sector Accounts.

7. Standards

Internal audit activities will be conducted in accordance with relevant professional standards including:

• International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors
• Standards for audit and for risk management issued by Standards Australia and the International Standards Organisation.

In the conduct of internal audit work, internal audit staff will:

• comply with relevant professional standards of conduct
• possess the knowledge, skills and technical proficiency relevant to the performance of their duties
• be skilled in dealing with people and communicating audit, risk management and related issues effectively
• exercise due professional care.

8. Service Providers

Treasury’s business model requires that all internal audits and related reviews will be provided by external service providers. In normal circumstances there will be a single service provider. However, even where this is the case, Treasury reserves the right to award individual reviews to other providers as the Secretary sees fit – for example if a conflict of interest exists or may be perceived, or if the review is deemed to require a specialist. The Audit and Risk Committee will always be consulted in such cases.

An external service provider, whether long-term or single-engagement, will be expected to operate according to the Treasury Audit Manual and will be engaged under a formal contract.

When internal audit activity is provided by an external service, the agency retains the responsibility for maintaining an effective internal audit activity. This is demonstrated through a quality assurance and improvement program which assesses conformance with the Audit Manual, the Code of Ethics, and the latest IPPF Standards.

The Quality Assurance and Improvement program must provide ongoing (at least annual) internal assessments of the performance of internal audit activity, and external assessments at least once every five years. The results of the QAIP should be reported annually to the Audit & Risk Committee and the Secretary.

Internal auditors must have sufficient skills, knowledge and other competencies to perform their assigned work, and must decline the work if they lack these attributes in relation to performing all or part of the engagement. They must exercise due professional care by considering:

• The extent of work needed to achieve the engagement’s objectives
• The relative complexity, materiality or significance of matters to which assurance procedures are being applied
• The adequacy and effectiveness of governance, risk management and control processes
• The probability of significant errors, fraud or noncompliance; and
• The cost of assurance in relation to the potential benefits
• The application to an engagement of technology-based auditing and data analysis techniques.

9. Relationship with external audit

Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort.

Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination.

External audit will have full and free access to all internal audit plans, working papers and reports.

10. Planning

The Chief Audit Executive will prepare, for the Audit and Risk Committee’s consideration, a long-term Strategic Audit Plan providing for the review of all significant operations of the organisation over a three-year cycle. Flowing from this will be the annual preparation of a one-year Audit Plan, which will provide more specific direction than the long-term plan.

The Strategic Plan must be constructed in such a way that it gives each annual plan the flexibility to deploy one or two reviews to cover newly emerging issues.

In preparing the plan, the Chief Audit Executive must identify and consider the expectations of senior management, the board and other stakeholders for internal audit opinions and other conclusions.

11. Reporting

The Chief Audit Executive will report to each meeting of the Audit and Risk Committee on:

• audits completed
• progress in implementing the annual audit work plan, and
• the implementation status of agreed internal and external audit recommendations
• issues required by the Committee or the Committee’s agreed Charter.

The Internal Audit function will also report to the Audit and Risk Committee at least annually on the overall state of internal controls in Treasury and any systemic issues requiring management attention based on the work of the Internal Audit function (and other assurance providers).

12. Administrative arrangements

Any change to the position of the Chief Audit Executive, or to the internal audit service provider, will be approved by the Secretary in consultation with the Audit and Risk Committee.

The Chief Audit Executive will arrange for an internal review, at least annually, and a periodic independent review, at least every five (5) years, of the efficiency and effectiveness of the operations of the Internal Audit function. The most recent of these occurred in the first half of 2011.

13. Review of the charter

This charter will be reviewed at least annually by the Audit and Risk Committee. Any substantive changes will be formally approved by the Secretary on the recommendation of the Audit and Risk Committee.

Chief Audit Executive
March 2013

Annexure 1

For the purposes of the Audit & Risk Committee, it is agreed that the term “Treasury” encompasses:

• Treasury
• Crown Entity
• State Rail Authority Residual Holding Corporation
• Liability Management Ministerial Corporation
• Residual Business Management Corporation
• Lotteries Assets Ministerial Holding Corporation
• NSW Self Insurance Corporation, including the Home Warranty Insurance Fund
• Building Insurers’ Guarantee Corporation
• Long Service Corporation

The Committee also acts as the Audit & Risk Committee for the Total State Sector Accounts.

(The Treasury Corporation (TCorp) has its own Audit & Risk Committee and this Charter has no application to it.)