Internal audit charter

​The NSW Ministry of Health has established the Internal Audit Branch by authority of the Secretary as a key component of the organisation’s governance framework.

On this page

The mission of Internal Audit is to enhance and protect organisational value by providing stakeholders with risk-based, objective and reliable assurance, advice and insight.

This Charter provides the framework and authority for the performance of the Internal Audit function in the Ministry of Health and has been approved by the Secretary, on the advice from the Risk Management and Audit Committee.

Chief Audit Executive describes the person in the senior position responsible for managing Internal Audit of an organisation. At the NSW Ministry of Health, this is the Director, Internal Audit.

Purpose of Internal Audit

Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes [1].

Internal Audit provides an independent and objective review and advisory service to:

  • provide assurance to the Secretary, NSW Health and the Ministry of Health’s Risk Management and Audit Committee, that the organisation’s financial and non-financial controls, designed to manage the organisation’s risks and achieve the entity’s objectives, are operating in an efficient, effective, economical and ethical manner
  • assist management in improving the organisation’s business performance.

Independence

Internal Audit is required to be independent and objective, with independence essential to its effectiveness. Internal auditors must have an impartial, unbiased attitude and avoid any conflicts of interest.

Internal Audit has no direct authority or responsibility for the activities it reviews. The Internal Audit function has no responsibility for developing or implementing procedures or systems and does not prepare records or engage in original line processing functions or activities (except in carrying out its own functions).

Where the Director, IA may be responsible for a non-audit activity, there are independence safeguards in place:

  • when responsible for non-audit activities, the Director, IA is not performing Internal Audit duties when managing or performing those activities
  • review of non-audit activities must be managed and performed independently of the Director, IA and reported direct to the Risk Management and Audit Committee.

Reporting lines

All Internal Audit staff and service providers report to the Director, Internal Audit, who reports:

  • functionally for operations to the Risk Management and Audit Committee through the Chair
  • administratively to the Secretary. The Director, Internal Audit has direct access to the Secretary to discuss audit and risk issues when required.

Functional reporting involving the Risk Management and Audit Committee includes, but is not limited to:

  • reviewing and endorsing the Internal Audit Charter
  • endorsing decisions regarding appointment and removal of the Director, Internal Audit including remuneration
  • assessing performance of the Director, Internal Audit
  • reviewing and endorsing the Internal Audit Plan, and any changes to the plan
  • reviewing reports on the results of audits, audit-related activities, audit team capability, audit performance, and other important matters
  • monitoring compliance with standards, together with quality and improvement arrangements
  • meeting privately with the Director, Internal Audit at least once a year without the Secretary or other management present
  • making enquiries of the Director, Internal Audit to determine any scope or budget limitations that may impede the execution of Internal Audit responsibilities
  • the implementation status of agreed internal and external audit recommendations.

Administrative reporting to the Secretary includes, but is not limited to:

  • Internal Audit resources and annual budget
  • provision of corporate services to Internal Audit including office accommodation, computers and equipment
  • human resource administration.

 

Context

Within the Ministry’s governance framework, the internal audit and risk management functions have separate reporting lines, but work together to ensure effective audit and risk management practices for the organisation.

These responsibilities involve:

  • internal audit function, which has a dual reporting line to the RMAC and the Secretary
  • risk management function, which reports to the Secretary through the Deputy Secretary, Governance, Workforce and Corporate, are responsible for providing the RMAC with necessary reports to provide the information and foundation for the RMAC to fulfil its obligations regarding risk management.

 

Conflicts of interest

Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the Internal Audit function, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively.

Internal auditors must not provide audit services for work for which they have been responsible within the last two years.

When engaging external internal audit service providers, the Director, Internal Audit shall take steps to identify, evaluate the significance, and manage any perceived, potential or actual conflict of interest that may impinge upon internal audit work.

Instances of perceived, potential or actual conflict of interest by Internal Audit staff and service providers shall immediately be reported to the Director, Internal Audit and the Chair of the Risk Management and Audit Committee.

All Internal Audit staff are asked to sign the NSW Health’s Code of Conduct and complete a declaration of conflicts of interest annually.

Authority and confidentiality

The Director, Internal Audit, internal audit staff and service providers are authorised to have full, free and unrestricted access to all functions, premises, assets, personnel, records, and other documentation and information that the Director, Internal Audit considers necessary to enable the internal audit function to meet its responsibilities[2].

When responding to requests, staff and contractors are to cooperate with the internal audit function and must not knowingly mislead the internal audit function or wilfully obstruct any audit activity.

All records, documentation and information accessed in the course of undertaking internal audit activities are to be used solely for the performance of these activities. The Director, Internal Audit, internal audit staff and any service providers are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.

All Internal Audit documentation and work papers is to remain the property of the Ministry of Health, including where Internal Audit services are provided by service providers under an outsourced or co-sourced model.

Roles and responsibilities

The Internal Audit function must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.

In the conduct of its activities, the internal audit function will play an active role in:

  • developing and maintaining a culture of accountability, integrity and adherence to high ethical standards
  • facilitating, through consultation with and advice to the Ministry the integration of controls and risk management into day-to-day business activities and processes
  • promoting a culture of cost-consciousness and self-assessment.

Management may request internal audit services in response to emerging business issues or risks. Internal audit will attempt to satisfy these requests, subject to the assessed level of risk, availability of resources, and endorsement of the Secretary.

Internal audit activities will encompass the following areas:

Assurance services and audit activities

Internal audit activities include audits with the following orientation:

Risk Management

  • Evaluating the effectiveness, and contribute to the improvement, of risk management processes.
  • Providing assurance to the Secretary and the Risk Management and Audit Committee on the effectiveness of the risk management framework including the design and operational effectiveness of internal controls.
  • Providing assurance that risk exposures relating to the organisation’s governance, operations, and information systems are correctly evaluated, including:
    • reliability and integrity of financial and nonfinancial information; and
    • safeguarding of assets.
  • Evaluating the design, implementation and effectiveness of the organisation’s ethical objectives, programs and activities.
  • Assessing whether the information technology governance of the organisation sustains and supports the agency’s strategies and objectives.

Compliance

Assessing compliance with applicable laws, regulations and Government policies and contracts.

Performance improvement

Considering the efficiency, effectiveness, economy and ethics of business systems and processes.

Consulting Advisory services

The Internal Audit function can advise management on a range of matters including:

New programs, systems and processes

Providing advice on the development of new programs and processes and/or significant changes to existing programs and processes including the design of appropriate controls.

Risk management

Assisting management, through advice to the Ministry’s Legal and Regulatory Services Branch, to identify risks and develop risk mitigation and monitoring strategies as part of the risk management framework.

Fraud control

  • evaluating the potential for the occurrence of fraud and how the organisation manages fraud risk​
  • assisting management to investigate fraud, identify the risks of fraud and develop fraud prevention and monitoring strategies.

Audit support activities

Internal Audit responsibilities also include, but are not limited to:

  • assisting the Risk Management and Audit Committee to discharge its responsibilities
  • disseminating across the organisation better practice and lessons learnt arising from its audit activities.

Internal Audit plan

  • Developing a risk-based internal audit plan that considers the organisation’s risks and issues, including those identified by management, and submitting the plan to the Risk Management and Audit Committee for review and endorsement.
  • Ensuring changes to the internal audit plan are endorsed by the Committee.

Internal Audit engagements

  • Performing internal audit work contained in the approved internal audit plan and produce a written report for each audit containing improvement actions.
  • Ensuring management action plans to implement improvement actions are obtained from management and included in audit reports, including a responsible person and timetable for completion.
  • Providing final audit reports to management of the area audited, the Secretary, and the Risk Management and Audit Committee. Copies may be provided to management of other areas where relevant. Copies may be provided to the external auditor if requested.

Improvement actions

  • Establishing a system to monitor progress by management to implement internal audit improvement actions.
  • Ensuring management provides updates to Internal Audit, at least quarterly, on progress to implement management action plans.
  • Follow-up and obtain evidence that management action plans are effectively implemented by management before recommending closure to the Risk Management and Audit Committee.

Scope of internal audit activity

The scope of internal audit work embraces the wider concept of corporate governance and risk, recognising that controls exist in organisations to manage risks and promote effective and efficient governance and performance. Internal audit services may include:

  • Assurance Services – objective examination of evidence for the purpose of providing an independent assessment of risk management, control and governance processes.
  • Advisory Services – advisory and related client activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve business operations.

Internal Audit will offer a range of services, including:

  • audits with a compliance, financial or operational performance improvement focus
  • management requested services where business areas may request internal audit services, usually in response to an issue or an emerging risk
  • multi-stage audits at key project milestones of significant projects, in coordination with other assurance providers.

The scope and coverage of Internal Audit work is not limited in any way, and may cover any Ministry activity, operations and programs.

Professional standards

Internal Audit will govern itself by adherence to mandatory guidance contained in the ‘International Professional Practices Framework’ (IPPF) issued by the Institute of Internal Auditors (IIA):

  • ‘Core Principles for the Professional Practice of Internal Auditing’.
  • ‘Definition of Internal Auditing’.
  • ‘Code of Ethics’.
  • ‘International Standards for the Professional

Practice of Internal Auditing’. This mandatory guidance constitutes the fundamental requirements for the professional practice of internal auditing and the principles against which to evaluate the effectiveness of Internal Audit performance. The Director, Internal Audit is responsible for maintaining an up-to-date risk-based internal audit methodology that aligns with good practices promoted by the internal audit profession.

Internal Audit, including service providers, will perform their work in accordance with the IPPF. While the IPPF will cover the majority of internal audits, technology audits may be performed using applicable standards, such as the ISACA standards contained in the ‘Information Technology Assurance Framework’ (ITAF).

Relationship with external audit

Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort.

Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination. External audit will have full and free access to all internal audit plans, working papers and reports.

Planning

The Director, Internal Audit will prepare a riskbased annual internal audit work plan in a form and in accordance with a timetable agreed with the Risk Management and Audit Committee.

Reporting

The Director, Internal Audit will report to each meeting of the Risk Management and Audit Committee on:

  • audits completed
  • progress in implementing the annual audit work plan
  • the implementation status of agreed internal audit recommendations.

The Internal Audit function will also report to the Risk Management and Audit Committee at least annually on the overall state of internal controls in the Ministry of Health and any systemic issues requiring management attention based on the work of the Internal Audit function (and other assurance providers).

Administrative arrangements

Any change to the role of the Director, Internal Audit will be approved by the Secretary in consultation with the Risk Management and Audit Committee.

The Director, Internal Audit will arrange for an internal review, at least annually, and a periodic independent review, at least every five years, of the efficiency and effectiveness of the operations of the Internal Audit function. The results of the reviews will be reported to the Risk Management and Audit Committee who will provide advice to the Secretary on those results.

Review of the Charter

This Charter will be reviewed at least annually by the Risk Management and Audit Committee. Any substantive changes will be formally approved by the Secretary on the recommendation of the Risk Management and Audit Committee.

Approval of this Charter

Prepared by Lorraine Stevens, A/Director, Internal Audit [16 August 2022]

Endorsed by Carolyn Walsh, Independent Chair, Risk Management Audit Committee [5 September 2022]

Approved by Susan Pearce, Secretary, NSW Health [9 August 2022]

Footnote

  1. As defined by the International Standards for the Professional Practice of Internal Auditing (IIA) (2017). Where relevant, sections of this Charter also incorporate other elements of the International Standards for the Professional Practice of Internal Auditing.
  2. Subject to any overriding legislative restrictions on information, such as statutory privilege.

Current as at: Tuesday 23 July 2024
Contact page owner: Internal Audit