Introduction of internal audit

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Establishing the inner review role in any business require ritual to make sure that it is understood not only by the board and management but also by its client across the party and, where basic, those external to the organization The internal audit assurance and consulting role should be explained clearly in a charter to minimize any expectation gaps at board and organization level. When the role is being established, it is important that internal audit management should have an input into the formal process through discussion with the board and management .The institute of internal auditor as the global professional body representing internal audit in every country, has always recommended and now require in its international standards for professional practice of internal auditing (standard) that "the purpose ,authority and responsibility of an internal audit activity … should be formally approved and kept under review at the highest level in an organization " in some sector this may be also a requirement of one or more of an organization ' stakeholder, such as government or a sector's regulator

Internal audit definition

Auditing Standard ASA 610 Considering the Work of Internal Audit, issued by the Auditing and Assurance Standards Board (AUASB) defines internal audit as follows:

"Internal audit" means an appraisal activity established within an entity as a service to the entity. Its functions include, amongst other things, monitoring internal control.

In addition, the Institute of Internal Auditors (IIA) has developed the globally accepted definition of 'internal auditing' as follows:

'Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an agency accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.'


The scope of internal audit activity embraces the wider concepts of corporate governance and risk - recognizing that control exists in an organization to manage risk and promote effective governance.

The two types of internal audit services contemplated by the definition have been defined by the IIA as follows

.Assurance Services - an objective examination of evidence for the purpose of providing an independent assessment of risk management, control or governance processes for the organization.

.Consulting Services - advisory and related client activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organization's operations.

Throughout this document all references to "internal audit" will encompass both of these services. Wed by internal audit management

History of internal audit

The Internal Auditing profession evolved steadily with the progress of management science after World War II. It is conceptually similar in many ways to financial auditing by public accounting firms, quality assurance and banking compliance activities. Much of the theory underlying internal auditing is derived from management consulting and public accounting professions. With the implementation in the United States of the Sarbanes-Oxley act of 2002, the profession's growth accelerated, as many internal auditors possess the skills required to help companies meet the requirements of the law

Nature of internal audit activity

Based on a risk assessment of the organization, internal auditors, management and oversight Boards determine where to focus internal auditing efforts. Internal auditing activity is generally conducted as one or more discrete projects. A typical internal audit project [7] involves the following steps:

Establish and communicate the scope and objectives for the audit to appropriate management.

Develop an understanding of the business area under review. This includes objectives, measurements, and key transaction types. This involves review of documents and interviews. Flowcharts and narratives may be created if necessary.

Describe the key risks facing the business activities within the scope of the audit.

Identify control procedures used to ensure each key risk and transaction type is properly controlled and monitored.

Develop and execute a risk-based sampling and testing approach to determine whether the most important controls are operating as intended.

Report problems identified and negotiate action plans with management to address the problems.

Follow-up on reported findings at appropriate intervals. Internal audit departments maintain a follow-up database for this purpose.

Project length varies based on the complexity of the activity being audited and Internal Audit resources available. Many of the above steps are iterative and may not all occur in the sequence indicated.

By analyzing and recommending business improvements in critical areas, auditors help the organization meet its objectives. In addition to assessing business processes, specialists called Information Technology (IT) Auditors review information technology controls.

Internal audit procedure


The purpose of this procedure is to ensure that both an initial internal audit and follow-up internal audits are carried out in accordance with ISO9002.


This procedure covers the performance of regular internal audits which are to be carried out on all procedures as listed under the Quality Management System.


This procedure is written in compliance with ISO9002 clause 4.17.


4.1 INTERNAL AUDITOR: A delegated staff member who has undertaken an internal auditing workshop conducted within the department.

4.2 INTERNAL AUDIT: An audit to be carried out by an internal auditor who is independent of the procedure being audited. To be carried out on a regular basis to verify the effectiveness of the procedure in accordance to ISO9002.

4.3 AUDITEE: Staff member who is audited and who is either directly responsible for or familiar with the duties as set out by the relevant procedure which is being audited.

4.4 AUDIT SCHEDULE: Time set aside for the procedure to be audited by an internal auditor.

4.5 AUDIT REPORT: A report which confirms that an audit took place and which details the internal audit session. To be completed and returned to the Quality Co-Ordinator. There are four sections to this report; Part One - audit findings by the Internal Auditor, Part Two - comments and/or recommendations. Both Part One and Two to be completed by the Internal Auditor. Part Three - auditee's comments and actions. Part Four - comments by the Quality Co-Ordinator.

4.6 CORRECTIVE ACTION: Updating of procedures to reflect the current duties which are carried out by all the sections as listed under the Quality Management System.




 Document ID

Incident/Opportunity Report

All Sections



6.1 Initial Audits and follow-up audits shall be scheduled on a regular basis by the Quality Co-ordinator or delegated person. To view this file go to the following web address and follow the links to the latest session:

6.2 Scheduled times of audits shall be confirmed/negotiated between auditor and auditee.

6.3 Auditor and Auditee shall have a copy of and work from, the latest procedure being audited.

6.4 The Internal Auditor shall complete an audit report within ten days of the completed internal audit. A separate "Incident/Opportunity Report" shall be completed for each non-compliance found.

6.5 The audit report shall be passed on from the Auditor to the Auditee for his/her comments after which it is then passed on to the Quality Co-ordinator for further comment and signing off.

6.6 The Audit, with the Section Manager, shall implement necessary corrections to procedures and request sign-off from the Auditor. The Auditor shall verify corrections and notify the Quality Co-ordinate

6.7 The Quality Co-ordinate shall keep a record of the following:

schedule for all initial and follow-up audits

dates of completed audits

all audit reports

6.8 The Quality Co-ordinator shall check that any follow-ups on all procedures which have been audit are carried out.


See actions


8.1 Internal audit reports kept on file with the Quality Co-ordinator, as well as all copies of any Incident/Opportunity Reports submitted.



Roles, Responsibilities and Accountabilities

Governing Body

The 'governing body' of an agency is responsible for its governance, including the design and operation of risk management and internal control frameworks.


Throughout this document the term 'governing body' is used to designate the most senior recognised level of authority of an agency. For an administrative unit (Department) this is the Chief Executive. For a Territory authority it is generally the Board. In the absence of a Board (for example where there is an advisory board only) the governing body of a Territory authority would be the Chief Executive (or equivalent).

The governing body is responsible to the relevant Minister and accountable to the Legislative Assembly through the Minister. It is acknowledged that the Minister also has responsibilities for Territory agencies, including responsibility for their financial and operational performance. This relationship is recognised in the framework in relation to the interaction between the Minister and the Audit Committee in particular.

Governance is variously defined in terms of the stewardship (accountability), leadership (performance), and control (conformance) functions of governing bodies. It is generally agreed that it deals with the systems, processes and activities undertaken by the governing body to direct and control an organisation, and with the discharge of the governing bodies' own accountability. The table on the following page lists key activities undertaken by the governing body.

The separation between 'governing body' and management responsibilities may be characterised between setting, implementation and monitoring. The governing body establishes key structures and processes and monitors the operation of these. Management implements the governing body's intentions and supports and assists the governing body to discharge its responsibilities. Management is accountable to the governing body.

Key responsibilities of management are to:

ô€‚ƒ€ recommend the strategic direction and translate the strategic plan into the operations of the business;

ô€‚ƒ€ manage the human, physical, financial and information resources to achieve the organisation's objectives;

ô€‚ƒ€ develop, implement and manage the risk management and internal control frameworks;

ô€‚ƒ€ assume day to day responsibility for conformance with relevant laws and regulations and its compliance framework;

ô€‚ƒ€ provide information to the governing body; and

ô€‚ƒ€ act as a conduit between the governing body and the organisation.

Table 1: Governing Body Roles and Responsibilities Stewardship (protect the organisation's resources and reputation, ensure the interests of stakeholders are upheld):

ô€‚ƒ€ establish the vision, mission, values and ethical standards

ô€‚ƒ€ delegate an appropriate level of authority to management

ô€‚ƒ€ oversee aspects of the employment of the management team including remuneration, performance and succession planning

ô€‚ƒ€ understand and protect the financial position

ô€‚ƒ€ monitor and assess performance of the organisation, the governing body itself, management, and major projects

ô€‚ƒ€ approve annual accounts, annual report and other public documents/sensitive reports

ô€‚ƒ€ ensure effective communication to shareholders and other stakeholders

ô€‚ƒ€ crisis management

Leadership (direct the organisation and ensure that it performs):

ô€‚ƒ€ formulate and oversee implementation of corporate strategy

ô€‚ƒ€ formulate the organisational design / structure

ô€‚ƒ€ formulate outcomes / outputs and key performance indicators

ô€‚ƒ€ approve the business plan, budget and corporate policies

ô€‚ƒ€ monitor developments in the public sector and operating environment

Control (control the organisation and ensure that it conforms):

ô€‚ƒ€ oversee the risk management framework and monitoring business risks

ô€‚ƒ€ require and monitor legal and regulatory compliance (incl. accounting standards, Trade Practices Act, OH&S, Privacy and Environmental legislation)

ô€‚ƒ€ ensure that an effective system of internal controls exists and is operating as expected

Audit Committee

The Governing Body of each agency is responsible for establishing the Audit Committee and the Committee is accountable to the Governing Body.


The creation of an Audit Committee is one means by which the governing body is able to obtain support to fulfilling its role and discharging its responsibilities.

The governing body determines the scope of Audit Committee operations. The creation of an Audit Committee does not abrogate the governing body from its overall responsibility for the functions that are delegated to the Audit Committee.

The Audit Committee is directly accountable to the governing body for its effectiveness.

Each agency shall establish an Audit Committee as a separately constituted body where it is practicable and cost effective to do so.


An Audit Committee does not focus solely on internal audit activities or on financial issues. Recent trends are for it to take on broader roles and responsibilities. The establishment of an Audit Committee affords the opportunity to set aside time to focus on governance, risk and control issues.

The key responsibilities of an Audit Committee include:

ô€‚ƒ€ overseeing the risk management framework and processes;

ô€‚ƒ€ reviewing compliance related matters and internal controls;

ô€‚ƒ€ overseeing the relationship, appointment and work of the external and internal auditors; and

ô€‚ƒ€ reviewing the annual financial statements and recommending them for governing body approval.

As it relates to oversight of the internal audit function, the responsibilities of Committee's include:

ô€‚ƒ€ ensuring that internal audit activity is structured to achieve organisational independence;

ô€‚ƒ€ ensuring the internal audit charter permits full and unrestricted access to top management, the Audit Committee and the governing body;

ô€‚ƒ€ ensuring unrestricted access by internal auditors to records, personnel, and physical properties;

ô€‚ƒ€ ensuring the function is appropriately resourced; and

ô€‚ƒ€ ensuring the function is operating effectively.

In relation to its other roles, Audit Committee responsibilities could include:

ô€‚ƒ€ review, with management, the adequacy of policies and practices for risk management and the operation of the internal control system;

ô€‚ƒ€ review, with management, the adequacy of polices and practices to ensure compliance and their ability to monitor compliance;

ô€‚ƒ€ review, with management, the adequacy of financial information presented to the governing body including the acceptability of and correct accounting treatment for and disclosure of significant transactions which are not part of the agency's normal course of business; and

ô€‚ƒ€ manage on behalf of the governing body all aspects of the relationship with the external auditors.

In the case of a small Territory authority it may not be practical to establish a separately constituted Audit Committee as a sub-committee of the board. In these cases it would be appropriate for the full board to act as the Audit Committee. It would be important for the board to set aside time specifically for separate consideration of matters ordinarily reviewed by an Audit Committee.

In the case of a small agency with no board, the governing body may elect not to delegate their 'conformance' responsibilities and functions to a committee. However, this decision should be balanced against the benefits afforded by the 'independent' view and support able to be afforded by a well constituted Audit Committee.

Internal Audit

The Governing Body of each agency is responsible for establishing the internal audit function and the head of internal audit is primarily accountable to the Governing Body. The head of internal audit will report to the Audit Committee on their function, and to the chief executive (or to an officer nominated by the chief executive) for administrative purposes such as for authorisation of expenditure and approval of travel and leave.


The governing body is responsible for determining the need for and scope of internal audit activity. It may delegate this responsibility to the Audit Committee.

The head of internal audit ideally would have no executive or managerial powers, authorities, functions or duties except those relating to the management of the internal audit function.

The head of internal audit should be responsible to an individual in the organisation with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of engagement communications and appropriate action on engagement recommendations.

Each agency must establish an internal audit function where it is cost effective to do so.


An internal audit function should be established, unless the costs of such a function outweigh the benefits to be derived. This may be the case where size, risks, complexity, geographical distribution or materiality do not justify the associated cost.

In determining the need for an internal audit function, consider:

ô€‚ƒ€ the size and scale of the organisation;

ô€‚ƒ€ the organisation's complexity / diversity;

ô€‚ƒ€ the organisation's overall risk profile;

ô€‚ƒ€ the history of past issues and incidents;

ô€‚ƒ€ cost benefit; and

ô€‚ƒ€ the existence of alternative mechanisms to provide adequate assurance on compliance and the operation of internal controls.

If an internal audit function is not warranted the governing body must take alternative steps to obtain an appropriate level of assurance from an equivalent function. Alternative in-house assurance activities and / or compliance functions that are sufficiently robust and rigorous may be regarded as an "equivalent function".

The need for an internal audit function should be reviewed annually.


Audit Committee

A written charter for the operation of the Audit Committee must be developed and approved by the governing body.


The roles and responsibilities of the Audit Committee must be clearly defined and approved by the governing body and provided to each member of the Audit Committee. A written charter provides a clear mechanism to establish the authority and powers of the Audit Committee.

The charter should stipulate matters including:

ô€‚ƒ€ the structure of the Audit Committee;

ô€‚ƒ€ the requirements for membership of the Audit Committee;

ô€‚ƒ€ the nature and scope of the Audit Committee's duties; and

ô€‚ƒ€ the processes to be used by the Audit Committee in discharging its duties including frequency, quorums and records of meetings; orientation for new members; and performance review and reporting.

The charter should be reviewed annually for continued relevance.

Internal Audit

A written charter for the internal audit function must be developed and approved by the governing body and the Audit Committee.


The internal audit charter provides the necessary authority for the internal audit activity to undertake its responsibilities.

Charters should:

ô€‚ƒ€ establish internal audit activity's independent position and role within the organisation;

ô€‚ƒ€ authorise access to records, personnel and physical properties relevant to the performance of engagements;

ô€‚ƒ€ define the scope of internal audit activities; and

ô€‚ƒ€ set out the reporting lines of internal audit.

The charter should be reviewed annually for continued relevance.


Audit Committee

The Audit Committee shall have a minimum of three members and a maximum of five members and shall have at least two external members in the case of committees of more than three members.


To be effective it is generally recognised that the Audit Committee should be comprised of at least three members. This requirement recognises the broader mix of skill, knowledge and experience required of an Audit Committee to discharge its responsibilities.

There is also an upper limit on membership beyond which the operation of the Audit Committee may become inefficient and ineffective. It would be unusual for an Audit Committee to exceed five members. This recognises that the Audit Committee has the power to seek advice and explanations from experts both within and outside the agency.

To this end, the head of internal audit, the external auditors and the chief financial officer would ordinarily attend Audit Committee meetings in this advisory role.

Where an external board exists there is a trend to include only, or a majority of, non-executive directors on the Audit Committee. Non-executive directors are by definition not part of the management of the agency and should provide an independent perspective to the deliberations of the Audit Committee.

For a department, a similar process would be to establish an Audit Committee whose membership is primarily external to the organisation. However, this is not a direct analogy, as the over-riding requirement for membership of a Board Audit Committee is that its members have a relationship with the agency as board members and therefore they have a fiduciary duty to the agency.

To maintain an independent perspective external members of the Audit Committee should be free from any business or other relationship that could materially interfere with the exercise of their judgement.

An external member can include an appropriate person from another ACT agency.

The Chair of the Audit Committee shall be external to the agency and independent of the agency.


A Chairperson who is not part of executive management is able to provide the Audit Committee with an objective viewpoint as a balance to the primarily internal focus of those committee members who are part of executive management. The Chair of the governing body (or Chief Executive) should also not ordinarily be a member of the Audit Committee.

The Chair and Deputy Chair of the Audit Committee shall be appointed by the Minister on the recommendation of the governing body.


To ensure complete independence, Audit Committee Chairpersons and Deputy Chairpersons are to be appointed by the relevant portfolio Minister. In relation to an administrative unit, this appointment will be on the basis of the Chief Executive's recommendation. In relation to other agencies this would be on the basis of a recommendation of the Chair of the governing body.

Audit Committee members shall have the necessary skills and experience to discharge their responsibilities.


Given the heavy financial focus of the Audit Committee, all members should have basic financial literacy and be able to understand and actively challenge information presented.

Basic financial literacy is defined as:

ô€‚ƒ€ the ability to read, comprehend and analyse financial information and financial statements, including an operating statement , a statement of changes in equity, a statement of financial position and cash flow statement; and

ô€‚ƒ€ an understanding of the fundamental accounting issues facing the agency and the impact of these issues on information reported by and policies adopted by the agency.

Members of an Audit Committee who do not have the requisite level of financial literacy at the time of their appointment should undertake training within the first six (6) months of membership of that Committee to raise their competency.

At least one member of an Audit Committee must have appropriate expertise in financial accounting and auditing.

Internal Audit

Internal audit must have the knowledge, skill and other competencies needed to perform its responsibilities.


Internal auditors should possess the knowledge, skills and other competencies needed to perform their individual responsibilities. There is generally a need for strong financial management and information technology skills.

Internal auditors should have an impartial, unbiased attitude and avoid conflicts of interest. In particular they should refrain from assessing specific operations for which they were previously responsible.

Internal auditors should enhance their competencies through continuing professional development.


Audit Committee

Induction and Training

Audit Committee members are to be provided with all necessary and relevant information regarding the Committee's responsibilities and the agency's operations and background.


Audit Committee members need to understand the agency and their duties and responsibilities. When appointed they should take appropriate and timely action to ensure they have the requisite understanding of the agency's structure, operations and financial management risks. They should also have access to updated copies of the Audit Committee and internal audit charter.

Members of Audit Committees will be from varying backgrounds and it is likely they will need some form of training to enhance their contribution to the Committee. The agency should support all Audit Committee members by providing for relevant training and advice.

Relevant training could relate to the understanding and interpretation of financial statements, risk management and internal control. Relevant advice to be provided to the Audit Committee could include significant changes in agency functions, structures and processes; changes to accounting standards and external reporting requirements; and budgeted and actual financial and operational results.

Succession Planning

Membership of the Audit Committee is to be reviewed by the governing body on a periodic basis and, as a minimum, at least every three years.


Orderly succession planning will assist in ensuring the ongoing effectiveness of the Audit Committee. A policy of staged rotation of membership may be appropriate within the constraints of the knowledge and skill requirements of members.


The Audit Committee should meet formally at least four times each year.


Operational effectiveness is enhanced where the Audit Committee meets regularly throughout the year.

An appropriate degree of formality is required of meetings to provide a structure and process for the operation of the Committee. The minimum formal requirements include:

ô€‚ƒ€ an annual agenda is prepared detailing the number, date, time and key matters for attention at each meeting;

ô€‚ƒ€ an agenda is prepared and circulated in advance of each meeting;

ô€‚ƒ€ papers and material supporting agenda items are provided to members in advance of the meeting where practicable; and

ô€‚ƒ€ a record of deliberations and decisions is maintained.

Oversight of Internal Audit

The Audit Committee oversights the internal audit function and is responsible, on behalf of the governing body, for ensuring its effectiveness.


In relation to the independence and competency of internal audit the Audit Committee should:

ô€‚ƒ€ review and endorse the internal audit charter;

ô€‚ƒ€ endorse decisions regarding the hiring or termination of the head of internal audit;

ô€‚ƒ€ be involved in performance evaluation and compensation decisions regarding the head of internal audit; and

ô€‚ƒ€ seek assurances that the qualifications and skill sets of internal audit staff are commensurate with the strategic direction and operations of the agency.

In relation to the effective operation of internal audit the Audit Committee should:

ô€‚ƒ€ endorse or approve the internal audit strategic plan and the annual audit work plan;

ô€‚ƒ€ review and approve the annual internal auditing budget and assess the appropriateness of resources allocated to internal auditing;

ô€‚ƒ€ monitor progress against the strategic and annual plan; and

ô€‚ƒ€ review internal audit reports and monitor and critique management's responses to findings and the extent to which recommendations are implemented.

It is expected that the Audit Committee will establish a register to track the implementation of internal audit recommendations. The register should include all audit recommendations, together with initial management responses, that have yet to be implemented or where implementation is in progress. The status of recommendations should be reviewed at each Audit Committee meetings.

On an annual basis the Audit Committee should:

ô€‚ƒ€ review the internal audit function's performance;

ô€‚ƒ€ review the interrelationship of the work of the internal auditor and the external auditor and the scope for synergies and savings;

ô€‚ƒ€ take steps to confirm that the internal auditor has not been unduly influenced by management or experienced any problems with management;

ô€‚ƒ€ meet separately and privately with the internal auditors to ensure free, frank discussions; and

ô€‚ƒ€ ensure the internal auditor has unrestricted access to the governing body.

Oversight of External Audit

The Audit Committee should review and assess key areas relating to the external audit of the agency.


The broad duties and responsibilities of an Audit Committee should include the following:

ô€‚ƒ€ communication with external audit, including meeting privately with the external auditors at least annually to ensure all significant issues and concerns have been raised;

ô€‚ƒ€ review external audit reports and management's responses to these reports;


ô€‚ƒ€ review and assess external financial and other key reports of the agency; and

ô€‚ƒ€ review and monitor related party transactions and assess their propriety.

Management Liaison

The Audit Committee should establish processes whereby relevant issues can be represented directly to the Audit Committee by management.


Issues relating to the Audit Committee's functions may from time to time be raised by management outside of the internal and external audit planning and review processes. A protocol should be established to provide for managers to make representations to the Audit Committee and if required, attend meetings.

The Chair of the Audit Committee would be the appropriate point of contact.


The Audit Committee will report regularly to the governing body.


The Audit Committee is responsible and accountable to its governing body. It should report to the governing body, preferably after each Audit Committee meeting, on significant governance, risk and internal control issues.

Specific issues that could be reported include:

ô€‚ƒ€ significant control weaknesses or breakdowns in critical controls;

ô€‚ƒ€ fraudulent or illegal activities;

ô€‚ƒ€ disagreements between the external and internal auditors and management;

ô€‚ƒ€ evaluation of the effectiveness of the internal and external audit functions; and

ô€‚ƒ€ endorsement of the financial statements.

The Audit Committee will report annually to the relevant Minister on key issues. In exceptional circumstances the Audit Committee may also report to the Minister.


While it is the governing body that has responsibility for the agency and for the establishment of the Audit Committee, the portfolio Minister also has governance responsibilities for ensuring that the governing body discharges its responsibilities for financial and operational performance under FMA Section 31 (Departments) or Section 55 / 56 (Territory authorities).

Where an Audit Committee operates, in its supporting role to the governing body, it will be well placed to provide the Minister with information on key governance, risk and control issues.

The Chair of the Audit Committee should provide a report annually to the Minister on any significant issues that have been reported to the governing body. The Audit Committee may also, in exceptional circumstances, report to the Minister. This may occur where there have been major breakdowns in controls that management has declined to address or where there have been fraudulent or illegal activities.

Any report to the Minister from the Audit Committee should be provided to the Chief Executive for comment prior to its transmittal. The Chief Executive may insert comments into the body of the report.

Relationship with the Shared Services Centre

Agency Audit Committees shall have access to internal audit reports for the Shared Services Centre (SSC), as well as reasonable access to key SSC officers for answering of questions relevant to the annual financial statements, or any other relevant issues.


As the SSC will process certain transactions and prepare financial statements for agencies, the results of internal audits of the SSC are likely to prove useful information for agency Audit Committees. Apart from the results of SSC internal audits, agency Audit Committees can also request attendance of an officer/officers from the SSC (to be determined by the SSC) at Audit Committee meetings where the annual financial statements are being considered, or at a meeting where any other relevant issue involving SSC operations is being considered.

20 Internal Audit Framework


The Audit Committee should undertake an annual evaluation of its performance and report their conclusions to the governing body.


As part of its own accountability the Audit Committee should develop appropriate performance indicators and report on its performance against these indicators to the governing body.

The performance of the Audit Committee as a whole and of the members of the Committee should be assessed. Indicators of Committee and member effectiveness relate to:

ô€‚ƒ€ its actual composition;

ô€‚ƒ€ the number and timeliness of meetings held compared to the number planned;

ô€‚ƒ€ the attendance of members at committee meetings and their contribution to meetings; and

ô€‚ƒ€ the extent of actual coverage of relevant matters compared with the stated responsibilities in the Audit Committee charter.

It is appropriate for the Chair of the Committee to provide feedback to committee members on their performance. The Chairperson should obtain feedback from the governing body and the Minister on their own performance.

21 Internal Audit Framework

Internal Audit


Where a defined internal audit function is in place, an internal audit plan is to be developed to address relevant elements of the agency's risk profile.


The head of internal audit should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the agency's goals.

Planning is performed at two levels: strategic and annual.

The Strategic Audit Plan is designed to ensure no part of the organisation is omitted from audit consideration. It identifies the key strategic, operational and support functions and process of the organisation, the resources involved, and the associated major risks. The internal auditor has a primary interest in critical control systems that treat high inherent risks and areas of high, untreated, (residual) risk.

An internal audit strategic plan will identify those areas that organisational management should consider for internal audit activity together with a priority order and reasoning for their identification. The reasoning will be drawn from the risk analysis process.

The Annual Internal Audit Plan is a work program. It sets out how internal audit resources are to be used over a twelve-month period. The timing of audit engagements and resource allocations are set out together with the rationale and scope of the proposed audit reviews.

The required resources may include subject areas specialists and the proposed use of these should be made clear.

Based upon the resource constraints and the risk profiles of the areas under review the audit committee and the governing body will decide on the audits to be undertaken and endorse the audit plan.

The annual internal audit plan could include a summary for each audit review to be conducted. This summary could encompass:

ô€‚ƒ€ a short description of the area to be reviewed;


ô€‚ƒ€ a statement of the type of review to be conducted and what it is to achieve; and

ô€‚ƒ€ the risk factors that prompt the choice of this review.

When planning internal audits, duplication is to be avoided by agency internal auditors of audit work being undertaken by the internal auditors of the Shared Services Centre.

Access to Information

Internal audit is to have access to all records and information of the agency, held both within the agency or the Shared Services Centre (SSC).


The ability to perform an internal audit is not to be restricted due to lack of access to relevant information. If any difficulties are experienced during an audit in regard to access to information, the issue is to firstly be discussed with senior management of the area, and if not resolved, with the Chair of the agency Audit Committee.

Agency internal auditors are to have access to any records or information held by the SSC.


Internal audit should report regularly on its functions to the Audit Committee.


Internal audit should have direct communication with the Audit Committee through attendance at and participation in meetings of the Audit Committee and any other bodies with oversight responsibilities for auditing, financial reporting, organisational governance and control.

Internal audit should report at each Audit Committee meeting on the adequacy and effectiveness of internal controls, including the results of audit engagements. Reporting should also include significant risk exposures, corporate governance issues, and other matters needed or requested by the governing body and senior management.

The internal auditor should identify any differences between the management view of the risk profile of the organisation and the internal audit assessment.

23 Internal Audit Framework

Internal audit should report annually to the Audit Committee on its performance.


It is expected internal audit will develop and implement a system of qualitative and quantitative performance indicators to measure its own performance. Indicators should include outcomes, not just measurement of the efficiency of resource use.

Internal audit should prepare a report annually for the Audit Committee which sets out its performance against its annual work plan and other performance indicators.

Internal audit reports

Internal auditors typically issue reports at the end of each audit that summarize their findings, recommendations, and any responses or action plans from management. An audit report may have an executive summary; a body that includes the specific issues or findings identified and related recommendations or action plans; and appendix information such as detailed graphs and charts or process information. Each audit finding within the body of the report may contain five elements, sometimes called the "5 C's":

Condition: What is the particular problem identified?

Criteria: What is the standard that was not met? The standard may be a company policy or other benchmark.

Cause: Why did the problem occur?

Consequence: What is the risk/negative outcome (or opportunity foregone) because of the finding?

Corrective action: What should management do about the finding? What have they agreed to do and by when?

The recommendations in an internal audit report are designed to help the organization achieve its goals, which may relate to operations, financial reporting or legal/regulatory compliance. They may relate to effectiveness (i.e., whether goals were met or compliance with standards was achieved) or efficiency (i.e., whether the outputs were generated with minimum inputs).

Audit findings and recommendations also relate to particular assertions about transactions, such as whether the transactions audited were valid or authorized, completely processed, accurately valued, processed in the correct time period, and properly disclosed in financial or operational reporting, among other elements

Annual Reporting Requirements

All ACT Government entities must report on their risk management and internal audit policies and practices.


The annual report should include the following information:

ô€‚ƒ€ membership of the internal Audit Committee, with details of:

- the number of meetings held by the committee; and

- the number of meetings attended by committee members.

ô€‚ƒ€ internal audit arrangements, including Audit Committee charter and operations, and links with risk review processes;

ô€‚ƒ€ process of developing the entity's risk management plan;

ô€‚ƒ€ approach adopted to identifying areas of significant operational or financial risk at entity and business unit level;

ô€‚ƒ€ arrangements in place to manage and monitor those risks; and

ô€‚ƒ€ process for identifying and responding to emerging risks.

Best Practices in Internal Auditing

Measuring the internal audit function

The measurement of the internal audit function can involve a balanced scorecard approach.[9 Internal audit functions are primarily evaluated based on the quality of counsel and information provided to the Audit Committee and top management. However, this is primarily qualitative and therefore difficult to measure. "Customer surveys" sent to key managers after each audit project or report can be used to measure performance, with an annual survey to the Audit Committee. Scoring on dimensions such as professionalism, quality of counsel, timeliness of work product, utility of meetings, and quality of status updates are typical with such surveys. Understanding the expectations of senior management and the audit committee represent important steps in developing a performance measurement process, as well as how such measures help align the audit function with organizational priorities.[10]

Quantitative measures can also be used to measure the function's level of execution and qualifications of its personnel. Key measures include:

Plan completion: This is a measure of the degree to which the annual plan of engagements is completed, measured at a point in time. This may be measured using the number of projects completed, weighted by the planned size of each project, with estimates for projects in-progress. Measured throughout the year, it is compared against the percentage of the year elapsed.

Report issuance: This is a measure of the time elapsed from completion of testing to issuance of the final audit report, including management's action plans. This can be measured in average days or percentage of reports issued within a certain standard, such as 30 days. Establishing expectations for the timing of management's response to report recommendations is critical. In addition, the scope and degree of change involved in the report's action plans are key variables. For example, a report for a single retail store requiring only the store manager's action might take 3-5 days to issue. However, a report consolidating findings from 20 retail stores, with action plans with national implications determined by top management, may take 30-60 days in complex organizations.

Issue closure: Reported audit findings are often called "issues" or "deficiencies." Professional standards require audit functions to track reported findings to resolution, which effectively requires the maintenance of an issues follow-up database. The number of days that reported issues remain open, or open after their agreed-upon closure date, are key measures. In addition, reporting database statistics such as the number of issues open (unresolved), closed (resolved), and issues opened/closed during a given period are useful statistics.

Staff qualifications: This can be measured through the percentage of staff with professional certifications, graduate degrees, and overall years of experience.

Staff utilization rate: This is measured as the percentage of time spent on projects, as opposed to administrative time such as training or vacation. Many internal audit departments track time by audit project. This is typically captured in a database or spreadsheet.

Staffing level: The number of positions filled relative to the authorized staffing level. Due to the challenge of finding qualified staff, departments may have rotational programs to bring in management to complete tours in the function or be "guest" auditors. Audit departments also "co-source," meaning they obtain contract auditors from service providers.

Developing and retaining staff

Developing and retaining quality professionals is a key concern in the profession.[11]Key methods for developing and retaining internal audit staff personnel include:

Providing challenging, varied assignments

Ensuring quality supervision

Ensuring staff participates in projects from start to finish, to learn all phases of the audit process

Providing opportunities to lead (in-charge) projects, starting with more structured projects such as Sarbanes-Oxley work

Participating on departmental improvement task forces, such as preparation for quality assurance review

Participating in the recruiting and interviewing process for new hires

Rotating through various audit teams (in larger departments) or audits of various businesses

Providing both outside training (e.g., seminars) and in-house training (e.g., company systems) for two weeks/year

Participation in annual risk assessment activities, whether asking key questions or just taking notes

Reporting of critical findings

The Chief Audit Executive (CAE) typically reports the most critical issues to the audit Committee quarterly, along with management's progress towards resolving them. Critical issues typically have a reasonable likelihood of causing substantial financial or reputational damage to the company. For particularly complex issues, the responsible manager may participate in the discussion. Such reporting is critical to ensure the function is respected, that the proper "tone at the top" exists in the organization, and to expedite resolution of such issues. It is a matter of considerable judgment to select appropriate issues for the Audit Committee's attention and to describe them in the proper context.