The NSW Ministry of Health has established the Internal Audit Branch by authority of the Secretary as a key component of the organisation’s governance framework.
The mission of Internal Audit is to enhance and protect organisational value by providing stakeholders with risk-based, objective and reliable assurance, advice and insight.
This Charter provides the framework and authority for the performance of the Internal Audit function in the Ministry of Health and has been approved by the Secretary, on the advice of the Risk Management and Audit Committee.
Chief Audit Executive describes the person in the senior position responsible for managing Internal Audit of an organisation. At the NSW Ministry of Health, this is the Director, Internal Audit.
Internal Audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes [1].
Internal Audit provides an independent and objective review and advisory service to:
Internal Audit is required to be independent and objective, with independence essential to its effectiveness. Internal auditors must have an impartial, unbiased attitude and avoid any conflicts of interest.
Internal Audit has no direct authority or responsibility for the activities it reviews. The Internal Audit function has no responsibility for developing or implementing procedures or systems and does not prepare records or engage in original line processing functions or activities (except in carrying out its own functions).
Where the Director, IA may be responsible for a non-audit activity, there are independence safeguards in place:
All Internal Audit staff and service providers report to the Director, Internal Audit, who reports:
Functional reporting involving the Risk Management and Audit Committee includes, but is not limited to:
Administrative reporting to the Secretary includes, but is not limited to:
Within the Ministry’s governance framework, the internal audit and risk management functions have separate reporting lines, but work together to ensure effective audit and risk management practices for the organisation.
These responsibilities involve:
Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the Internal Audit function, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively.
Internal auditors must not provide audit services for work for which they have been responsible within the last two years.
When engaging external internal audit service providers, the Director, Internal Audit shall take steps to identify, evaluate the significance of, and manage any perceived, potential or actual conflict of interest that may impinge upon internal audit work.
Instances of perceived, potential or actual conflict of interest by Internal Audit staff and service providers shall immediately be reported to the Director, Internal Audit and the Chair of the Risk Management and Audit Committee.
All Internal Audit staff are asked to sign NSW Health’s Code of Conduct and complete a declaration of conflicts of interest annually.
The Director, Internal Audit, internal audit staff and service providers are authorised to have full, free and unrestricted access to all functions, premises, assets, personnel, records, and other documentation and information that the Director, Internal Audit considers necessary to enable the internal audit function to meet its responsibilities[2].
When responding to requests, staff and contractors are to cooperate with the internal audit function and must not knowingly mislead the internal audit function or wilfully obstruct any audit activity.
All records, documentation and information accessed in the course of undertaking internal audit activities are to be used solely for the performance of these activities. The Director, Internal Audit, internal audit staff and any service providers are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.
All Internal Audit documentation and work papers are to remain the property of the Ministry of Health, including where Internal Audit services are provided by service providers under an outsourced or co-sourced model.
The Internal Audit function must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.
In the conduct of its activities, the internal audit function will play an active role in:
Management may request internal audit services in response to emerging business issues or risks. Internal audit will attempt to satisfy these requests, subject to the assessed level of risk, availability of resources, and endorsement of the Secretary.
Internal audit activities will encompass the following areas:
Internal audit activities include audits with the following orientation:
Assessing compliance with applicable laws, regulations and Government policies and contracts.
Considering the efficiency, effectiveness, economy and ethics of business systems and processes.
The Internal Audit function can advise management on a range of matters including:
Providing advice on the development of new programs and processes and/or significant changes to existing programs and processes including the design of appropriate controls.
Assisting management, through advice to the Ministry’s Legal and Regulatory Services Branch, to identify risks and develop risk mitigation and monitoring strategies as part of the risk management framework.
Internal Audit responsibilities also include, but are not limited to:
The scope of internal audit work embraces the wider concept of corporate governance and risk, recognising that controls exist in organisations to manage risks and promote effective and efficient governance and performance. Internal audit services may include:
Internal Audit will offer a range of services, including:
The scope and coverage of Internal Audit work is not limited in any way, and may cover any Ministry activity, operations and programs.
Internal Audit will govern itself by adherence to mandatory guidance contained in the ‘International Professional Practices Framework’ (IPPF) issued by the Institute of Internal Auditors (IIA):
Practice of Internal Auditing’. This mandatory guidance constitutes the fundamental requirements for the professional practice of internal auditing and the principles against which to evaluate the effectiveness of Internal Audit performance. The Director, Internal Audit is responsible for maintaining an up-to-date risk-based internal audit methodology that aligns with good practices promoted by the internal audit profession.
Internal Audit, including service providers, will perform their work in accordance with the IPPF. While the IPPF will cover the majority of internal audits, technology audits may be performed using applicable standards, such as the ISACA standards contained in the ‘Information Technology Assurance Framework’ (ITAF).
Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort.
Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination. External audit will have full and free access to all internal audit plans, working papers and reports.
The Director, Internal Audit will prepare a risk-based annual internal audit work plan in a form and in accordance with a timetable agreed with the Risk Management and Audit Committee.
The Director, Internal Audit will report to each meeting of the Risk Management and Audit Committee on:
The Internal Audit function will also report to the Risk Management and Audit Committee at least annually on the overall state of internal controls in the Ministry of Health and any systemic issues requiring management attention based on the work of the Internal Audit function (and other assurance providers).
Any change to the role of the Director, Internal Audit will be approved by the Secretary in consultation with the Risk Management and Audit Committee.
The Director, Internal Audit will arrange for an internal review, at least annually, and a periodic independent review, at least every five years, of the efficiency and effectiveness of the operations of the Internal Audit function. The results of the reviews will be reported to the Risk Management and Audit Committee, which will provide advice to the Secretary on those results.
This Charter will be reviewed at least annually by the Risk Management and Audit Committee. Any substantive changes will be formally approved by the Secretary on the recommendation of the Risk Management and Audit Committee.
Prepared by Lorraine Stevens, A/Director, Internal Audit [16 August 2022]
Endorsed by Carolyn Walsh, Independent Chair, Risk Management Audit Committee [5 September 2022]
Approved by Susan Pearce, Secretary, NSW Health [9 August 2022]