2.4 Internal controls, audit and governance

Internal controls include instruments, structures and governance arrangements to manage identified risks by minimising, maintaining or modifying them.

The internal audit function examines whether internal controls, systems, procedures, governance arrangements, risk management and operations are adequate and effective. Governance is the system by which an authority is controlled and operates, and the mechanisms by which its officers are held to account. Managing risks through sound internal controls and examining their adequacy through audit are part of governance.

Why are internal controls, audit and governance important?

Controlling risks helps protect the authority’s resources and maintains public trust. Implementing internal controls reduces the chances of misconduct and corruption occurring.

Audit is a necessary ‘check and balance’. It provides independent and objective assurance to the senior leadership team that resources are being managed to achieve outcomes and controls are effective. Audit can add value by improving financial and non-financial accountability; can be educative as well as detective; and contributes to a strong risk, compliance and integrity culture.

Good governance gives the community confidence in how an authority makes decisions.

2.4.1 Internal controls and governance

Internal controls are generally classified as:

  • preventative – prevent errors and irregularities from happening in the first place
  • detective – detect errors and irregularities that may have occurred or be occurring now
  • corrective – correct errors and irregularities already detected.

Examples are codes of conduct; employment and contractor screening and vetting processes; integrity training and awareness raising activities; segregation of duties; supervision; detection programs; and audit and investigations.

Integrity policies and procedures (and audit) are a fundamental part of any integrity framework. Policies and procedures:

  • set and communicate expectations
  • explain how integrity risks are managed
  • encourage consistency and proportionality in decision making
  • provide information to stakeholders about how decisions are made
  • foster stability and business continuity even during periods of change.

Ideas for good and better practice for internal controls and governance

Good practice

  • Implement core and complementary integrity policies and procedures. Examples:
    • Core areas
      • Code of conduct or charter of conduct
      • Delegations
      • Fraud and corruption control plan
      • Declaring and managing conflicts of interest (including secondary employment)
      • Offer, acceptance and provision of gifts, benefits and hospitality
      • Managing official and/or confidential information
      • Recordkeeping
      • Use of public resources
      • Reporting pathways (including public interest disclosures)
      • Discipline and investigations
    • Complementary areas
      • Risk management
      • Human resources management (including employment screening)
      • Financial management
      • Information and communication technology management
  • Base internal controls on outcomes of a risk assessment.
  • Review existing internal controls taking into account changes to operating conditions. Draw on the expertise of risk owners and check for appropriateness. For example, are the identified risks being controlled or are the controls inadequate or redundant?
  • Determine if new controls are needed. When designing new controls consider:
    • their feasibility including whether each control is fit-for-purpose and appropriate to the level of risk
    • the risk the authority is prepared to pursue, retain and take (risk appetite).
  • Make officers aware that controls are in place to manage identified risks. This may be a deterrent to misconduct and corruption.
  • Describe how officers report actual and perceived internal control weaknesses.

Better practice

  • Strengthen internal controls. Reference best practice identified in Australian and international standards, and recommendations of anti-corruption and other integrity bodies.
  • Use the outcome of detection and audit activities to address control weaknesses.
  • Map complex procedures to identify integrity risks. For example, identify where officers have excessive influence over a process or where segregation is required to prevent an officer from having end-to-end control over a high-risk process.
  • Link or cross-reference policies and procedures to help officers comply.
  • Identify and document potential consequences for non-compliance with policies and procedures.

2.4.2 Audit

Internal audit strengthens the internal control environment. Authorities need to establish and maintain an effective audit function. For example, public sector agencies must establish an internal audit function in line with Treasurer’s Instruction 1201: Internal Audit.

Many authorities use a combined model including audit and other activities to provide assurance to the senior leadership team. Coordinating these activities provides for holistic assurance.

Ideas for good and better practice for audit

Good practice

  • Base the structure and operation of the internal audit function on legislation and other requirements to ensure it is compliant.
  • Ensure the internal audit function:
    • is independent and objective in its work, providing a risk-based review of governance
    • is led by an officer who is suitably qualified and appropriately senior with no other management powers, functions and duties except those relating to internal audit
    • is described in a formal charter (or similar) that clearly defines its role, objectives, independence, accountability and reporting arrangements
    • has an established process to track and monitor internal and external audit actions to confirm they have been implemented
    • is responsible to the internal audit committee.
  • Ensure the internal audit committee (or similar):
    • is independent and objective in its work to oversee governance, risk management, internal controls and compliance
    • is chaired by a suitably qualified person not employed by the authority
    • is described in a formal charter (or similar) that clearly defines its independence, accountability, role and responsibilities, and reporting arrangements
    • determines the internal audit program in consultation with the accountable authority (usually the authority head)
    • uses risk analysis completed as part of risk management to inform recommendations for the internal audit program
    • is responsible to the accountable authority.

Better practice

The Western Australian Public Sector Audit Committees: Better Practice Guide has suggestions for audit committees. It includes information for smaller authorities that may find it difficult to establish audit committees that meet all of the better practice principles in the guide, given challenges such as limited segregation of duties and potential conflicts of interest.

Completing the integrity framework template

In this section of the framework, document the authority’s actions and initiatives to manage governance, control integrity risks and assure itself these mechanisms are sound.

An example of a policy register is provided. An authority may already have a list of policies and procedures that includes integrity policies along with who is responsible, where the documents are located and review dates. This may be suitable for this purpose.

Describe the role, responsibilities and work of the internal audit committee or link to documents such as the internal audit charter.
