THE CHALLENGE
Shellharbour is a city located approximately 100 kilometres from the centre of Sydney. It is a growing community of around 67,000 residents and key strategic assets include Illawarra Regional Airport and the $1.5 billion dollar Shell Cove Project which is a tourist and residential development encompassing a modern boat harbour, 20 hectares of waterway, 1.5km of harbour front promenade featuring retail outlets, restaurants and residential developments.
Some years ago, Group Manager Finance, Tony Gearon and the Risk Management team began a gradual process of “cultural overhaul” through the introduction of new processes, encouraging both staff and management to enhance Council’s risk management function with the establishment of an internal audit function.
At the time, there was little understanding of the benefits of internal audit and the potential value to Council. Fortunately in 2010, the Department of Local Government introduced guidelines on internal audit and best practice risk management principles that provided the impetus for Council to establish an internal audit function.
As Tony describes, “As the benefits of Enterprise Risk Management were being proven at the same time at Shellharbour, it was felt that establishing an internal audit function would be complimentary, the two functions would fit together hand in glove.”
THE SOLUTION
Shellharbour City Council looked at the options available in setting up an internal audit function. Council wanted a trusted and independent organisation to comprehensively review and evaluate the Council’s activities and processes in a way that would add value and make staff and management feel comfortable. Council’s preferred option was to outsource internal audit to an external organisation; this was seen as the most cost effective option as well as a way to make internal audit more independent. After a scrupulous tender process, InConsult was chosen based on extensive staff expertise, reasonable pricing, reputation, ability to add value to risk management and strong emphasis on building excellent working relationships with clients.
InConsult started by obtaining a good understanding of the organisation and conducting meetings and discussions with management, staff and key stakeholders, to develop a risk based Strategic Audit Plan. InConsult also provided guidance to Council as it established its Governance, Risk and Audit Committee. Once the audit plan was approved, InConsult began conducting a series of internal audits to review and evaluate Council activities to test their effectiveness and appropriateness. After each audit, InConsult produces internal audit reports highlighting good work Shellharbour City Council is already doing and making recommendations for any improvement required in the internal control framework. Each recommendation is discussed with the auditee and prioritised for attention, based on the level of risk.
THE RESULT
Today, internal audit is embraced by all levels of management. InConsult interacts with staff at all levels without being intimidating or making staff feel uncomfortable about having their systems and processes reviewed.
According to Tony, “staff are encouraged to use the audits as a reference for future improvements. The internal audit reports are clear and easy to understand.” As part of the internal audit KPIs adopted by the Governance Risk and Audit Committee, an annual survey of Committee members and senior staff is undertaken. The most recent survey indicated a high level of satisfaction with the internal audit function and agreement that it has improved Council’s internal control framework.
“Internal audit is seen as an important third line of defence for Council. It has enabled stakeholders such as councillors and Governance, Risk and Audit Committee members to have greater visibility over Council’s risk management and internal control frameworks”.
Aligning the risk management framework with internal audit activities has also helped to improve risk analysis across departments and major projects. “It has improved the risk culture and awareness of risk, which in turn helps people to think about what could go wrong and to be more analytical in their thinking and decision making”.