Internal Audit Charter - March 2013

Internal Audit Charter
March 2013 [1]
Complies with Internal Audit & Risk Management Policy of August 2009 and the
Revised IPPF Standards of 2013
Contact: Chief Audit Executive
[1] First published April 2010. Updated August 2011, April 2012, October 2012, March 2013.
Internal Audit Function Charter
Table of Contents
1. Introduction
2. Purpose of internal audit
3. Independence
4. Authority and confidentiality
5. Roles and responsibilities
5.1 Audit activities
5.2 Advisory services
5.3 Audit support activities
6. Scope of internal audit activity
7. Standards
8. Service providers
9. Relationship with external audit
10. Planning
11. Reporting
12. Administrative arrangements
13. Review of the Charter
Annexure 1 (entities covered by Treasury internal audit)
Internal Audit Function Charter
The purpose of this Internal Audit Charter is to define the nature of assurance services provided
to NSW Treasury and address the role, responsibilities, authorisation, activities and reporting
relationships of the Internal Audit function. The charter is reviewed on a regular basis to ensure
that it is consistent with changes in Treasury’s financial, risk management and governance
arrangements and reflects developments in Internal Audit professional practices.
Detail of the function’s practice and methodology may be found in the Treasury Audit Manual
which can be found under “About Us” on Treasury’s website.
1. Introduction
The Secretary has established the Chief Audit Executive’s functions as a key component of
Treasury’s governance framework.
Annexure 1 (attached) defines the entities encompassed in this document by the term
“Treasury”. The Treasury Audit & Risk Committee advises the Secretary in relation to all
entities listed in the Annexure.
The Committee also oversees audit and risk for the Total State Sector Accounts.
This charter provides the framework for the conduct of the Internal Audit function in Treasury
and has been approved by the Secretary on the advice of the Audit and Risk Committee.
2. Purpose of internal audit
Internal audit is an independent, objective assurance and consulting activity designed to provide
assurance services, add value and improve an organisation's operations. It helps an
organisation accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control and governance
processes. [2]
Internal audit provides an independent and objective review and advisory service to:
• provide assurance to the Secretary, and the Audit and Risk Committee, that Treasury’s financial and operational controls, designed to identify and manage the organisation’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner, and
• assist management in improving Treasury’s business performance.
3. Independence
Independence is essential to the effectiveness of the Internal Audit function. Internal audit
activity must be independent, and internal auditors must be objective in performing their work.
Internal auditors must have an impartial, unbiased attitude and avoid any conflicts of interest.
The Internal Audit function has no direct authority or responsibility for the activities it reviews.
The Internal Audit function has no responsibility for developing or implementing procedures or
systems, except for those related to governance and internal audit. It does not prepare records
or engage in original line processing functions or activities (except as noted below).
The Internal Audit function is responsible on a day to day basis to the Chief Audit Executive.
The Internal Audit function, through the Chief Audit Executive, reports functionally to the Audit
and Risk Committee on the results of completed audits and for strategic direction and
accountability purposes, and reports administratively to the Secretary to facilitate day to day
operations.
[2] As defined by the International Standards for the Professional Practice of Internal Audit (IIA)(2011). Where relevant,
sections of this Charter also incorporate other elements of the International Standards for the Professional Practice of
Internal Auditing.
The following reporting line is prescribed:
Secretary
Audit & Risk Committee
Chief Audit Executive
(Internal Audit Function)
Any audit that may be compromised by a conflict in the CAE’s accountabilities should be fully
outsourced. In these circumstances, the roles usually performed by the CAE during audit
assignments should be allocated to a senior member of the management team independent of
the area/process being audited. Similarly, any audit that may be compromised by a conflict of
interests on the part of an outsourced service provider should be promptly identified, and if the
CAE agrees there is a real or perceived conflict, the audit should be passed to another provider.
The internal audit function – comprising (a) the Branch and (b) the outsourced service provider – confirms its independence to the Audit & Risk Committee at least once a year. The CAE and/or
the Partner representing the service provider will immediately report to the Committee anything
perceived to impinge on that independence.
Definition of Independence:
The 2013 IPPF Standard defines “independence” as “the freedom from conditions that threaten
the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased
manner. To achieve the degree of independence necessary to effectively carry out the
responsibilities of the internal audit activity, the CAE has direct and unrestricted access to
executive management and the Audit and Risk Committee. This can be achieved through a
dual-reporting relationship. Threats to independence must be managed at the individual
auditor, engagement, functional and organisational levels.”
4. Authority and confidentiality
Internal auditors are authorised to have full, free and unrestricted access to all functions,
premises, assets, personnel, records, and other documentation and information that the Chief
Audit Executive considers necessary to enable the Internal Audit function to meet its
responsibilities.
All records, documentation and information accessed in the course of undertaking internal audit
activities are to be used solely for the conduct of these activities. The Chief Audit Executive and
individual internal audit staff are responsible and accountable for maintaining the confidentiality
of the information they receive during the course of their work.
All internal audit documentation is to remain the property of NSW Treasury, including where
internal audit services are performed by an external third party provider.
5. Roles and responsibilities
The Internal Audit function must evaluate and contribute to the improvement of governance, risk
management and control processes using a systematic and disciplined approach based on
established Aus/NZ/ISO Standards.
In the conduct of its activities, the Internal Audit function will play an active role in:
• developing and maintaining a culture of accountability and integrity
• facilitating the integration of risk management into day-to-day business activities and processes, and
• promoting a culture of cost-consciousness, self-assessment and adherence to high ethical standards.
Internal audit activities will encompass the following areas:
5.1 Audit activities
including audits with the following orientation:
5.1.1 Risk Management
• evaluate the effectiveness of, and contribute to the improvement in, risk management processes
• provide assurance that risk exposures relating to the organisation's strategy, governance, operations, and information systems are correctly evaluated, including:
  o reliability and integrity of financial and operational information
  o effectiveness, efficiency and economy of operations, and
  o safeguarding of assets
• evaluate the design, implementation, and effectiveness of the organisation's ethics-related objectives, programs, and activities
• assess whether the information technology governance of the organisation sustains and supports the organisation's strategies and objectives
5.1.2 Compliance
• compliance with applicable laws, regulations, policies, procedures and contracts.
5.1.3 Performance improvement
• the efficiency, effectiveness, and economy of Treasury’s business systems, processes and programs.
5.2 Advisory services
The Internal Audit function can advise Treasury’s management on a range of matters including:
5.2.1 New programs, systems and processes
• providing advice on the development of new programs and processes and/or significant changes to existing programs and processes including the design of appropriate controls
5.2.2 Risk management
• assisting management to identify risks and develop risk mitigation and monitoring strategies as part of the risk management framework
5.2.3 Fraud control
• evaluating the potential for the occurrence of fraud and how the organisation manages fraud risk
• assisting management to investigate fraud, identify the risks of fraud and develop fraud prevention and monitoring strategies.
5.3 Audit support activities
The Internal Audit function is also responsible for:
• assisting the Audit and Risk Committee to discharge its responsibilities
• providing secretariat support to the Audit and Risk Committee
• monitoring the implementation of agreed recommendations
• disseminating across the entity better practice and lessons learned arising from its audit activities.
6. Scope of internal audit activity
Internal audit reviews cover all programs and activities of Treasury, including all entities and
accounts mentioned in Annexure 1. They may also extend to Treasury’s interface with key
external service providers, notably ServiceFirst. Internal audit activity encompasses the review
of all financial and non-financial policies and operations, including the Total State Sector
Accounts.
7. Standards
Internal audit activities will be conducted in accordance with relevant professional standards
including:
• International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors
• Standards for audit and for risk management issued by Standards Australia and the International Standards Organisation.
In the conduct of internal audit work, internal audit staff will:
• comply with relevant professional standards of conduct
• possess the knowledge, skills and technical proficiency relevant to the performance of their duties
• be skilled in dealing with people and communicating audit, risk management and related issues effectively
• exercise due professional care.
8. Service Providers
Treasury’s business model requires that all internal audits and related reviews will be provided
by external service providers. In normal circumstances there will be a single service provider.
However, even where this is the case, Treasury reserves the right to award individual reviews to
other providers as the Secretary sees fit – for example if a conflict of interest exists or may be
perceived, or if the review is deemed to require a specialist. The Audit and Risk Committee will
always be consulted in such cases.
An external service provider, whether long-term or single-engagement, will be expected to
operate according to the Treasury Audit Manual and will be engaged under a formal contract.
When internal audit activity is provided by an external service, the agency retains the
responsibility for maintaining an effective internal audit activity. This is demonstrated through a
quality assurance and improvement program which assesses conformance with the Audit
Manual, the Code of Ethics, and the latest IPPF Standards.
The Quality Assurance and Improvement program must provide ongoing (at least annual)
internal assessments of the performance of internal audit activity, and external assessments
at least once every five years. The results of the QAIP should be reported annually to the Audit
& Risk Committee and the Secretary.
Internal auditors must have sufficient skills, knowledge and other competencies to perform their
assigned work, and must decline the work if they lack these attributes in relation to performing
all or part of the engagement. They must exercise due professional care by considering:
• The extent of work needed to achieve the engagement’s objectives
• The relative complexity, materiality or significance of matters to which assurance procedures are being applied
• The adequacy and effectiveness of governance, risk management and control processes
• The probability of significant errors, fraud or noncompliance
• The cost of assurance in relation to the potential benefits; and
• The application to an engagement of technology-based auditing and data analysis techniques.
9. Relationship with external audit
Internal and external audit activities will be coordinated to help ensure the adequacy of overall
audit coverage and to minimise duplication of effort.
Periodic meetings and contact between internal and external audit shall be held to discuss
matters of mutual interest and facilitate coordination.
External audit will have full and free access to all internal audit plans, working papers and
reports.
10. Planning
The Chief Audit Executive will prepare, for the Audit and Risk Committee’s consideration, a
long-term Strategic Audit Plan providing for the review of all significant operations of the
organisation over a three-year cycle. Flowing from this will be the annual preparation of a one-year Audit Plan, which will provide more specific direction than the long-term plan. The
Strategic Plan must be constructed in such a way that it gives each annual plan the flexibility to
deploy one or two reviews to cover newly emerging issues.
In preparing the plan, the Chief Audit Executive must identify and consider the expectations of
senior management, the board and other stakeholders for internal audit opinions and other
conclusions.
11. Reporting
The Chief Audit Executive will report to each meeting of the Audit and Risk Committee on:
• audits completed
• progress in implementing the annual audit work plan
• the implementation status of agreed internal and external audit recommendations, and
• issues required by the Committee or the Committee’s agreed Charter.
The Internal Audit function will also report to the Audit and Risk Committee at least annually on
the overall state of internal controls in Treasury and any systemic issues requiring management
attention based on the work of the Internal Audit function (and other assurance providers).
12. Administrative arrangements
Any change to the position of the Chief Audit Executive, or to the internal audit service provider,
will be approved by the Secretary in consultation with the Audit and Risk Committee.
The Chief Audit Executive will arrange for an internal review, at least annually, and a periodic
independent review, at least every five (5) years, of the efficiency and effectiveness of the operations
of the Internal Audit function. The most recent of these occurred in the first half of 2011.
13. Review of the charter
This charter will be reviewed at least annually by the Audit and Risk Committee. Any
substantive changes will be formally approved by the Secretary on the recommendation of the
Audit and Risk Committee.
Chief Audit Executive
March 2013
Annexure 1
For the purposes of the Audit & Risk Committee, it is agreed that the term “Treasury”
encompasses:
• Treasury
• Crown Entity
• State Rail Authority Residual Holding Corporation
• Liability Management Ministerial Corporation
• Residual Business Management Corporation
• Lotteries Assets Ministerial Holding Corporation
• NSW Self Insurance Corporation, including the Home Warranty Insurance Fund
• Building Insurers’ Guarantee Corporation
• Long Service Corporation
The Committee also acts as the Audit & Risk Committee for the Total State Sector Accounts.
(The Treasury Corporation (TCorp) has its own Audit & Risk Committee and this Charter has no
application to it.)