<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AUDIT | InConsult</title>
	<atom:link href="https://inconsult.com.au/publication-category/audit/feed/" rel="self" type="application/rss+xml" />
	<link>https://inconsult.com.au</link>
	<description>Helping you confidently take risks</description>
	<lastBuildDate>Mon, 13 Apr 2026 02:05:02 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://inconsult.com.au/wp-content/uploads/2021/06/cropped-favicon-3-32x32.jpg</url>
	<title>AUDIT | InConsult</title>
	<link>https://inconsult.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Restricted vs Unrestricted Funds in Local Government</title>
		<link>https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 13 Apr 2026 01:27:37 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=14741</guid>

					<description><![CDATA[<p>Restricted vs Unrestricted Funds in Local Government: Governance, Risks and Controls For many NSW councils, financial sustainability is a real risk and not just something in a risk register.  Managing financial expenditure i.e. public funds in accordance with legislation is critical. But the real financial question is not how much cash sits on the balance sheet, [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/">Restricted vs Unrestricted Funds in Local Government</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>Restricted vs Unrestricted Funds in Local Government: Governance, Risks and Controls</h1>
<p>For many NSW councils, financial sustainability is a real risk and not just something in a risk register. Managing financial expenditure, i.e. public funds, in accordance with legislation is critical. But the real financial question is not how much cash sits on the balance sheet, it is how much of that cash is actually available to use. That is why understanding restricted vs unrestricted funds in local government is critical.</p>
<p>In NSW local government, the restricted vs unrestricted funds distinction matters because a significant share of council cash is either legally quarantined, internally allocated for future purposes, or needed to maintain liquidity for day-to-day operations. The recent NSW Audit Office’s Local government 2025 <a href="https://www.audit.nsw.gov.au/our-work/reports/local-government-2025">report</a> identified that:</p>
<ul>
<li>19 councils did not have enough cash and investments not subject to external restrictions to cover three months of general expenses, and</li>
<li>weaknesses in internal controls and governance were identified at most councils.</li>
</ul>
<p>For this, and many other important reasons, restricted and unrestricted funds should be treated as a frontline governance issue, not just a finance note at year end.</p>
<p>The legislative and policy framework is clear. The Local Government Act 1993 (the Act) says money raised by a special rate or charge, money that legislation says can only be used for a specific purpose, and specific purpose advances or grants from government cannot be used for other purposes except in limited circumstances.</p>
<p>The Office of Local Government (OLG) Local Government Code of Accounting Practice and Financial Reporting (OLG Code) also requires councils to maintain adequate accounting records, systems and internal controls, and to disclose restricted and allocated cash, cash equivalents and investments in their financial statements.</p>
<h2>Council funds sit in 3 &#8216;buckets&#8217;</h2>
<p>In simple terms, council funds typically sit in three distinct ‘buckets’:</p>
<ul>
<li><strong>Externally restricted funds</strong>: money that council is legally required to use for the specific purpose for which it was provided.</li>
<li><strong>Internally restricted funds</strong>: money that council has set aside by resolution for a specific future purpose. These funds are not &#8216;legally&#8217; restricted, but they should only be moved or repurposed through formal council resolution.</li>
<li><strong>Unrestricted funds</strong>: money that is available to support day-to-day operations, manage cash flow, respond to unexpected costs and maintain financial flexibility.</li>
</ul>
<p><img fetchpriority="high" decoding="async" class=" wp-image-14750 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-300x89.png" alt="restricted vs unrestricted funds in local government" width="860" height="255" srcset="https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-300x89.png 300w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-1224x362.png 1224w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-768x227.png 768w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-1536x455.png 1536w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-2048x606.png 2048w" sizes="(max-width: 860px) 100vw, 860px" /></p>
<h2>Why externally restricted funds matter</h2>
<p>Externally restricted funds are the most tightly controlled category of council cash. These are amounts that council holds because legislation or a third-party agreement says the money can only be used for a defined purpose. The OLG Code describes them as cash, cash equivalents and investments available only for specific use because of legislation or third-party contractual agreement, and requires councils to disclose both the amount and nature of those restrictions. Common examples include water funds, sewer funds, developer contributions, domestic waste management, stormwater management and tied grants.</p>
<p>The purpose of external restriction is simple &#8211; it protects public trust and legal compliance. Developer contributions are collected to fund future infrastructure. Tied grants are provided to deliver a specified program. Special rates and charges are levied for a stated purpose. These are not general operating funds.</p>
<p>The NSW Audit Office warned that low available cash (money available as unrestricted funds) increases the risk of externally restricted cash being used for an improper purpose, and reported two high-risk findings where councils breached the Act by spending externally restricted cash and investments for an improper purpose.</p>
<h2>The strategic role of internal restricted funds</h2>
<p>Internal restricted funds, often described as internal allocations or reserves, are different. They are not imposed by legislation or grant conditions. They are set aside by council resolution or policy for a defined future purpose.</p>
<p>The OLG Code says internal allocations are cash, cash equivalents and investments allocated by council resolution or policy to identified programs of work and forward plans, and because they remain at council’s discretion they are disclosed but not deducted from total cash and investments in the same way as external restrictions.</p>
<p>This is where good financial leadership and governance becomes visible. Internal allocations are how councils plan ahead to smooth future costs instead of lurching from one budget shock to the next. Internal restricted funds can be used for plant and vehicle replacement, employee leave entitlements, asset replacement, IT renewal, carryover works, quarry remediation and bonds and deposits. That is exactly what a mature, proactive reserve framework should do &#8211; convert foreseeable liabilities, renewal needs and cyclical expenditures into transparent funding strategies.</p>
<p>The <a href="https://www.olg.nsw.gov.au/councils/policy-and-legislation/integrated-planning-and-reporting">IP&amp;R framework</a> also reinforces this discipline. NSW councils must prepare and adopt a Long-Term Financial Plan, use it to inform decision-making, and review and update its assumptions, projected income, expenditure, balance sheet and cash flow at least annually as part of the Operational Plan.</p>
<p>A Council&#8217;s Annual Report is also framed as a key point of accountability to the community and must include the council’s audited financial statements. In other words, internal allocations should never sit outside strategy; they should be linked directly to the Long-Term Financial Plan, Delivery Program and Operational Plan.</p>
<h2>Why unrestricted funds are the real test of resilience</h2>
<p>Unrestricted funds are the balances genuinely available to support day-to-day operations and liquidity, absorb shocks and fund priorities that are not already allocated elsewhere. Unrestricted funds are the cash councils rely on to pay suppliers, continue services, retain staff, manage timing differences in capital delivery and maintain financial flexibility.</p>
<p>The Audit Office’s 2025 report makes it clear why this is important. Nineteen councils lacked enough available cash to meet three months of general expenses, and the unrestricted current ratio remains an important indicator of short-term financial capacity. The report notes the previous OLG benchmark of 1.5, meaning $1.50 in unrestricted current assets for every $1 in current liabilities.</p>
<p>Unrestricted cash should therefore be treated as funding available for unexpected or emergency expenses, liquidity support, short-term cash flow, operational efficiency and long-term financial sustainability. A sound council policy also sets a target level of unrestricted cash, for example the greater of $2 million or 50% of current liabilities not otherwise funded by restrictions or allocations, and treats an unrestricted current ratio below 1.5:1 as a trigger for immediate attention.</p>
<h2>Governance arrangements for restricted vs unrestricted funds</h2>
<p>The strongest councils do not manage restricted and unrestricted funds just via council resolutions, spreadsheets and memory. They manage them through formal governance arrangements.</p>
<p>That starts with a <strong>council-adopted policy</strong> that defines external restrictions, internal allocations and unrestricted cash. The policy should set approval pathways and link reserves to the Community Strategic Plan, Delivery Program, Operational Plan and Long-Term Financial Plan. Good practice requires any future internal allocation to be established by council resolution, with a defined purpose and a basis for calculating transfers.</p>
<p>From there, the control framework needs to be operational, not symbolic.</p>
<p>The NSW Audit Office’s better-practice observations are especially useful here. It found some councils still rely on highly manual annual processes to manage and report restricted cash, which increases the risk of error and breach. By contrast, one better-practice council case study linked its quarterly cash and investment budget review statement directly to the general ledger, configured the ledger to reflect externally restricted balances, and had the statement independently reviewed within the finance team.</p>
<p>The NSW Audit Office also highlighted the importance of regular reconciliation, enhanced processes and controls, transparent reporting to decision-makers, and ARIC oversight.</p>
<p>In practical terms, councils should have a clear ownership model. Finance owns the register and reconciliations, business units own the business purpose of each reserve, executives own challenge and reprioritisation, council owns creation and release of internal allocations by resolution, and ARIC owns oversight of control effectiveness, compliance risk and remediation actions.</p>
<h2>Rules for moving money in, out or between funds</h2>
<p>This is where councils most often get into trouble.</p>
<p>Externally restricted funds cannot simply be used to solve a general fund cash pressure. Section 409 of the Act limits the use of special rates or charges, legislatively restricted money and specific purpose advances or grants to their intended purpose. Section 410 creates only a narrow pathway for alternative use of some money raised by special rates or charges once the original purpose has been achieved or is no longer required, and only after public notice through the operational plan process.</p>
<p>Internal allocations are more flexible, but that does not mean they should be moved casually. Councils should adopt a sensible policy, i.e. one under which transfers into or out of restricted cash require a council resolution, whether through a specific resolution, adoption of the Quarterly Budget Review Statement, or adoption of annual financial statements containing a schedule of movements. The policy can state that council may borrow from internally allocated cash, but not from externally restricted cash without Ministerial consent, and that any such borrowing must be authorised by resolution with the full impact disclosed and interest paid.</p>
<p>That is the right principle for all councils to adopt. Legal restrictions are not optional, and internal restrictions are not informal. Even where council has discretion, reserve movements should be rule-based, transparent and documented.</p>
<h2>The biggest risks councils need to control</h2>
<p>The governance risk is not just technical non-compliance. It is financial control drift. When councils lose sight of what cash is restricted, allocated or genuinely free, three risks emerge quickly.</p>
<ol>
<li><strong>Councils may misstate liquidity.</strong> A healthy cash balance can hide a weak unrestricted cash position if too much of the total balance is externally restricted. The NSW Audit Office’s analysis shows that many regional and rural councils carry high proportions of externally restricted balances, especially where water and sewer charges form a large part of cash holdings.</li>
<li><strong>Councils may create “shadow budgets” through unmanaged internal reserves.</strong> If internal allocations are not tied to a documented purpose, target funding basis, forecast drawdown and annual review, they can become stale, duplicated or politically immovable. The IP&amp;R framework is designed to prevent that by requiring annual review of the Long-Term Financial Plan and alignment between planning, delivery and reporting.</li>
<li><strong>Councils may breach the Act through weak controls, errors or deliberate misconduct.</strong> The NSW Audit Office’s findings on externally restricted cash show that poor monitoring, manual processes and weak reporting are enough to create serious compliance failures.</li>
</ol>
<h2>The KPIs and reports that matter most</h2>
<p>Councils should separate compliance reporting from decision-based reporting. At a minimum, councillors, executives and ARIC should receive a reporting pack that clearly distinguishes externally restricted balances, internal allocations and unrestricted cash.</p>
<p>The core KPIs should include the unrestricted current ratio, unrestricted cash as a percentage of current liabilities, months of general expenses covered by available cash, total externally restricted balances by category, internal allocations against target and forecast drawdown, local infrastructure contribution balances and spend rates, and the number and value of approved transfers, internal borrowings, breaches or near misses.</p>
<p>The NSW Audit Office’s financial sustainability analysis specifically used available cash, unrestricted current ratio and own source revenue to assess councils with heightened risk, which makes those measures especially useful for internal monitoring.</p>
<p>The reporting cycle should also be disciplined. The OLG Code states that councils must meet multiple financial reporting requirements, including annual audited financial reports, an annual operational plan, a Long-Term Financial Plan and quarterly budget review statements. The IP&amp;R Guidelines require budget review statements to be reported to council within two months after the end of each quarter, except the fourth quarter, and the Annual Report to be prepared within five months of year end. Many councils have a monthly Investments Report for unrestricted cash oversight.</p>
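<p>The KPIs above, and the movement rules from the previous section, are straightforward to compute from a ledger extract. The following is an added illustration, not InConsult&#8217;s code nor any council&#8217;s reporting system: it takes a constructed cash position split into the three buckets, produces the core KPI pack (unrestricted current ratio against the 1.5:1 trigger, months of general expenses covered by available cash, the unrestricted cash target of the greater of $2 million or 50% of unfunded current liabilities, and externally restricted balances by category), and then screens a constructed list of transfers between buckets for movements out of externally restricted cash without Ministerial consent or without a council resolution. All balances, liabilities, expense figures and movement records are constructed sample data, and the field names (such as <code>resolution</code> and <code>ministerial_consent</code>) are assumptions made for the illustration. It treats unrestricted cash as the unrestricted current assets, a simplification of the full ratio.</p>

```python
"""Reserve KPI pack and movement screening over a constructed council cash position.

Added illustration only: not InConsult's code nor any council's reporting system.
The figures below are constructed sample data. The 1.5:1 unrestricted current
ratio trigger, the three-month cover test and the 'greater of $2m or 50% of
unfunded current liabilities' target follow the thresholds described in the text.
Field names (resolution, ministerial_consent) are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

EXTERNAL, INTERNAL, UNRESTRICTED = "external", "internal", "unrestricted"


@dataclass
class CashPosition:
    balances: Dict[str, Dict[str, float]]      # bucket -> {reserve category: amount}
    current_liabilities: float
    liabilities_funded_by_restrictions: float  # current liabilities already covered by restricted/allocated cash
    annual_general_expenses: float


@dataclass
class Movement:
    source: str                   # bucket the money is taken from
    destination: str              # bucket the money goes to
    amount: float
    resolution: Optional[str]     # council resolution reference, None if no resolution recorded
    ministerial_consent: bool = False


def bucket_total(pos: CashPosition, bucket: str) -> float:
    return sum(pos.balances.get(bucket, {}).values())


def unrestricted_current_ratio(pos: CashPosition) -> float:
    # Simplification: unrestricted cash stands in for unrestricted current assets.
    return bucket_total(pos, UNRESTRICTED) / pos.current_liabilities


def months_of_cover(pos: CashPosition) -> float:
    # 'Available cash' is cash not subject to external restrictions, so internal
    # allocations count here even though they are earmarked by resolution.
    available = bucket_total(pos, INTERNAL) + bucket_total(pos, UNRESTRICTED)
    return available / (pos.annual_general_expenses / 12)


def unrestricted_cash_target(pos: CashPosition) -> float:
    unfunded = pos.current_liabilities - pos.liabilities_funded_by_restrictions
    return max(2_000_000.0, 0.5 * unfunded)


def kpi_pack(pos: CashPosition) -> dict:
    ratio = unrestricted_current_ratio(pos)
    cover = months_of_cover(pos)
    return {
        "unrestricted_current_ratio": round(ratio, 2),
        "months_of_general_expenses_covered": round(cover, 1),
        "unrestricted_cash": bucket_total(pos, UNRESTRICTED),
        "unrestricted_cash_target": unrestricted_cash_target(pos),
        "external_by_category": dict(pos.balances.get(EXTERNAL, {})),
        "immediate_attention": ratio < 1.5,      # below the 1.5:1 trigger
        "below_three_months_cover": cover < 3,   # the Audit Office's three-month test
    }


def check_movements(movements: List[Movement]) -> List[str]:
    """Flag transfers that breach the movement rules; returns one finding per rule breached."""
    findings = []
    for i, m in enumerate(movements):
        if m.source == EXTERNAL and not m.ministerial_consent:
            findings.append(f"movement {i}: draws on externally restricted cash "
                            f"without Ministerial consent (${m.amount:,.0f})")
        touches_restricted = {m.source, m.destination} & {EXTERNAL, INTERNAL}
        if touches_restricted and m.resolution is None:
            findings.append(f"movement {i}: transfer involving restricted cash "
                            f"has no council resolution recorded")
    return findings


# Constructed sample data (not real council figures).
SAMPLE_POSITION = CashPosition(
    balances={
        EXTERNAL: {"water": 6_000_000, "sewer": 3_000_000,
                   "developer contributions": 2_500_000, "domestic waste": 800_000},
        INTERNAL: {"plant replacement": 1_200_000, "leave entitlements": 900_000},
        UNRESTRICTED: {"general": 3_000_000},
    },
    current_liabilities=2_500_000,
    liabilities_funded_by_restrictions=1_500_000,
    annual_general_expenses=18_000_000,
)

SAMPLE_MOVEMENTS = [
    Movement(INTERNAL, UNRESTRICTED, 250_000, resolution="Res 2025/41"),  # properly authorised drawdown
    Movement(EXTERNAL, UNRESTRICTED, 400_000, resolution=None),            # breach: restricted cash, no consent, no resolution
    Movement(UNRESTRICTED, INTERNAL, 150_000, resolution=None),            # allocation created without a resolution
]

if __name__ == "__main__":
    for k, v in kpi_pack(SAMPLE_POSITION).items():
        print(f"{k}: {v}")
    for f in check_movements(SAMPLE_MOVEMENTS):
        print("FINDING:", f)
```

<p>On the sample position the unrestricted current ratio is 1.2, below the 1.5:1 trigger, even though available cash covers 3.4 months of general expenses and unrestricted cash sits above the $2 million target, which is the point of reporting the measures side by side rather than relying on total cash. Two of the three sample movements produce findings: the drawdown from externally restricted cash is flagged twice (no Ministerial consent, no resolution) and the new internal allocation once (no resolution). A real implementation would read balances and movements from the general ledger rather than constants, as the better-practice council in the Audit Office case study did.</p>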
<h2>Restricted vs unrestricted funds &#8211; Takeaways</h2>
<p>The strongest councils understand that reserve management is not about hoarding cash. It is about governing purpose.</p>
<p>Externally restricted funds protect legal and community obligations. Internal restricted funds protect future service capacity and planned asset renewal. Unrestricted funds protect resilience, liquidity and strategic choice.</p>
<p>When councils clearly define each category, set strict movement rules, link reserves to long-term planning, and report them transparently to council, ARIC and the community, they do more than stay compliant. They become more credible, more sustainable and strengthen the financial management and control culture.</p>
<h2>Can we help?</h2>
<p>Since 2001, we have worked with more than 115 NSW councils to strengthen risk management, resilience and internal controls through our internal audit and assurance services. Whichever service you choose, our goal remains the same: to help you manage risk with confidence and provide practical advice that supports informed, effective decision-making.</p>
<p>Can we help? If your council is reviewing its approach to restricted and unrestricted funds, reserve governance or financial control settings, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss how we can support your needs.</p>
<p>#RiskManagement #InternalAudit #Assurance #Governance #LocalGovernment #FinancialSustainability #InternalControls #RestrictedFunds #UnrestrictedFunds #CouncilGovernance</p>
The post <a href="https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/">Restricted vs Unrestricted Funds in Local Government</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New Third Party Requirements Reshaping Australia</title>
		<link>https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Thu, 18 Sep 2025 05:18:22 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12710</guid>

					<description><![CDATA[<p>On September 15th 2025, the Institute of Internal Auditors (IIA) issued the new Topical Requirements focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/">New Third Party Requirements Reshaping Australia</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>On September 15<sup>th</sup> 2025, the Institute of Internal Auditors (IIA) issued the new <a href="https://www.theiia.org/en/standards/2024-standards/topical-requirements/third-party/?_cldee=KBu2L3NKbLi8FP4uHxMEPIah70AaZTmZN8PzqkD5_pOlgSZ92yQyaCVBEczJG6Kv&amp;recipientid=contact-e29ef4b95c06ee118f6e000d3ae0178a-36d2b4c7686b4f84b7678164d3a1a0c7&amp;esid=1821b916-a592-f011-b4cb-7ced8d32ddf0">Topical Requirements</a> focused on strengthening consistency and quality of auditing the high-risk area of Third Party Management. As a new mandatory element of the IIA International Professional Practices Framework (IPPF), these new requirements will reshape the way in which third party risk management and assurance auditing is facilitated in Australia.</p>
<p>The new Topical Requirements, set to be effective September 15<sup>th</sup> 2026, will raise the bar and provide a number of benefits including:</p>
<ul>
<li>Defining a consistent baseline for evaluating third party risk across all industries.</li>
<li>Increasing the confidence of leadership and key stakeholders in assurance and auditing of third party risk profiles.</li>
<li>Strengthening the resilience of organisations against third party failures, ethical breaches, cyber incidents and more.</li>
</ul>
<h3><strong>Third Party Challenges Organisations Will Face</strong></h3>
<p>Despite the benefits, the introduction of the requirements also brings new challenges that organisations of different size, complexity and industry will each have to face in their own way. As they say, there is more than one way to skin a cat, and it is up to each organisation to determine the right way.</p>
<h4>1. Increases in documentation and evidence</h4>
<p>Auditors will be expected to document evidence of their assessment of formally structured frameworks and their supporting procedures. The relationship between these frameworks and how they tie into the organisation&#8217;s risk management is an additional requirement that expects a level of maturity not commonly in place in typical Australian organisations. Even where these frameworks are in place, a lack of cohesion across the different methodologies means evidence collection will be a slow process. In the <a href="https://www.aicd.com.au/corporate-governance-sectors/not-for-profit/studies/not-for-profit-governance-and-performance-study-2025.html">AICD 2024-25 NFP Governance &amp; Performance Study</a>, 53% of directors said they spent more time on their duties than in the prior year, reflecting a rise in the compliance and assurance demands typical of director roles.</p>
<p>The quality of evidence also plays a key role. In attribute testing under ASA 530 (Audit Sampling), auditors typically work to, and must document, a confidence level of 90-95% or higher when concluding that controls are adequate. For key controls, i.e. anything relating to key vendors and processes, the tolerable deviation rate is typically as low as <strong>0-5%</strong>. This leaves very little room for exceptions and drives the outcome of any review.</p>
<h4>2. Governance gaps in oversight</h4>
<p>The new requirements mandate clear board oversight to ensure third party relationships are well managed. In reality, most organisations in Australia delegate the ownership and oversight of all third party risk activities to Procurement and/or IT. Being able to prove involvement by leadership will be difficult, and in some cases, require adjustment to the responsibilities of leadership roles.</p>
<p>Consistently, we have observed either a lack of resources dedicated to third party management or delegation to IT roles such as a Cyber Security Lead. The latter introduces implementation concerns, as Cyber Security Lead roles tend to lack the risk management knowledge required to undertake third party management.</p>
<h4>3. Consistent Risk Management throughout the Third Party lifecycle</h4>
<p>To successfully apply a structured and repeatable method to assessing risk throughout the third party lifecycle, organisations must have a formal enterprise risk management framework that is clear, functional and communicated to all staff involved in the process. The risk assessment process must consistently address selection, onboarding, monitoring and offboarding.</p>
<p>Private and unlisted companies such as IT service providers, SMEs, NFPs and charities have no legal obligation to implement a risk management framework, the only exception being an ad-hoc approach for Work Health and Safety. Many third parties used for IT services, marketing, legal services, etc. therefore have no obligation to do so, increasing the risk of poor or absent risk management across third party management. The Vero Insurance SME Insurance Index 2024/2025 reported that <strong>~90%</strong> of Australian businesses lack a formal risk management process, with 81–82% <strong>never or rarely</strong> conducting risk analyses when required.</p>
<h4>4. Ongoing monitoring just got harder</h4>
<p>Ongoing monitoring following onboarding is a process that the vast majority of organisations in Australia perform poorly or not at all. The old habit of &#8220;set and forget&#8221; contracts is not good enough. Even multi-year contracts that address all requirements over the lifespan of the contract will require performance, compliance and cyber control assessment to ensure expectations are being met. Naturally, this will also lean on the risk management framework to determine whether any failure to meet expectations results in risks that are outside the organisation&#8217;s appetite.</p>
<p>The <a href="https://www.mcgrathnicol.com/insight/the-changing-landscape-of-business-risk/">McGrathNicol/YouGov study</a> from August 2024 concluded that <strong>82%</strong> of Australian companies do not extend risk assessments beyond Tier-1 suppliers, and <strong>71% </strong>of companies that do assess third parties, do not include security practices in their assessment.</p>
<h4>5. Aligning to increasing regulatory pressures</h4>
<p>The requirements explicitly reference compliance with local, national and international regulations. For Australian organisations, that means at minimum the Privacy Act. Certain industries are also subject to the Australian Prudential Regulation Authority (APRA) Prudential Standards CPS 230 Operational Risk Management and CPS 234 Information Security. For larger critical providers, the Security of Critical Infrastructure (SOCI) Act and the Modern Slavery Act are just some of the additional considerations. Achieving consistency across these different regulations and standards increases complexity.</p>
<p>With the delay of requirements under APRA CPS 230 relating to pre-existing contracts to July 2026 for non-Significant Financial Institutions (SFIs), we can expect a natural increase in pressure as the date approaches. If the activities of APRA CPS 234 from 2019 are also an example of what is to come, we can expect at the very least a thematic review. APRA has already committed to conducting targeted reviews of SFIs as part of their 2025-2026 Corporate Plan.</p>
<h4>6. Strain on smaller organisations and public entities</h4>
<p>Large corporations and enterprises will easily absorb these changes, especially multinationals, as these requirements are not new. For Local Government councils, NFPs, small businesses and providers, these new requirements will demand a new focus on audit and compliance. This new focus will come two-fold as it not only requires additional investment and resource, it could also expose gaps that previously avoided the spotlight.</p>
<h4>7. Cultural resistance and a lack of Third Party strategy</h4>
<p>As with any uplift of requirements and increased complexity, cultural resistance is an expected reality. Australian organisations will fail unless they can overcome the outdated concept that third party management is a procurement-only task. Overcoming this requires the understanding that third party management is not only operational but also strategic. Our dependency on third parties can be improved by better managing the entire process, resulting in cost savings, efficiencies, lower insurance premiums, greater coverage, new client opportunities and much more.</p>
<p>In May 2024, the Australian Privacy Commissioner highlighted third-party providers as a “weak spot” in privacy and security postures of organisations, reinforcing the need for enterprise-level third party management strategy beyond only procurement or IT.</p>
<h3><strong>Why These Challenges Matter</strong></h3>
<p>Ultimately, these challenges are worth facing. The requirements encourage stronger governance, better risk management discipline, and greater transparency across leadership into third party relationships. For Australian organisations, this means better preparedness for cyber incidents, supply chain disruptions, reputational crises, and regulatory scrutiny.</p>
<p>Third parties are already the bread and butter of many critical functions within Australian organisations. We cannot expect adequate operations, security and assurance without expecting a level of quality that matches that of our own internal processes.</p>
<h3><strong>Where To Start with Third Party Management</strong></h3>
<p>In Part 2 of our Third Party Management publication we will go over some key steps to consider and to help you succeed in third party management.</p>
<h3><strong>How We Can Help You Build Organisational Resilience</strong></h3>
<p>We are here to help strengthen your organisational resilience, systems and processes. Our third party risk management capabilities include:</p>
<ul>
<li>In-house developed, comprehensive vulnerability scanning of third parties.</li>
<li>Comprehensive third party risk management assessments to provide independent assurance.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive third party management framework.</li>
<li>Performing an independent review or health check of your existing third party management framework to identify gaps and level of maturity.</li>
<li>Conducting third party risk and cyber risk awareness workshops covering strategic, operational and project risks.</li>
<li>Conducting third party penetration tests and comprehensive audits.</li>
<li>Supporting you across a range of third party services including governance, business continuity, crisis management, cyber risk, third party monitoring and more.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/third-party-audits-reshaping-organisations/">New Third Party Requirements Reshaping Australia</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How The Smart CEO Gets More Value From Internal Audit</title>
		<link>https://inconsult.com.au/publication/how-the-smart-ceo-gets-more-value-from-internal-audit/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 19 Jul 2023 20:54:05 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10774</guid>

					<description><![CDATA[<p>Internal audit is designed to provide assurance to the CEO, the board (governing body) and stakeholders, that the organisation&#8217;s operations are being conducted in a manner that is efficient, effective, and in compliance with laws and regulations.  In some jurisdictions and industries, internal audit is mandated. Therefore, internal audit is an important function within any [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/how-the-smart-ceo-gets-more-value-from-internal-audit/">How The Smart CEO Gets More Value From Internal Audit</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Internal audit is designed to provide assurance to the CEO, the board (governing body) and stakeholders, that the organisation&#8217;s operations are being conducted in a manner that is efficient, effective, and in compliance with laws and regulations.  In some jurisdictions and industries, internal audit is mandated.</p>
<p>Therefore, internal audit is an important function within any organisation. Managed well and aligned to strategic initiatives, internal audit can be one of the organisation&#8217;s most valuable assets. Managed poorly, it can be a waste of money, time and valuable resources.</p>
<p>Many boards and CEOs value an effective internal audit function, but we cannot always say that internal audit is valued by all stakeholders. Sometimes, the relationship between the CEO, management and internal audit can come under strain due to the competing priorities of each party.</p>
<p>Having worked closely with boards, audit committees, CEOs, senior managers and internal auditors and having collectively performed thousands of internal audits over 20 years, the internal audit team at InConsult looked at the role of the CEO in internal audit and identified a number of strategies to guide the CEO to get more value from internal audit.</p>
<h3>The Sources of Audit Tension</h3>
<p>Tension that undermines a positive internal audit experience can come from internal audit, the CEO, management and the board, and can arise for many reasons.</p>
<h4>Competing objectives and priorities</h4>
<p>Management&#8217;s focus is primarily on achieving strategic goals and financial performance. Internal audit is also interested in the organisation achieving its goals. However, if management is so focussed on the outcome that they don&#8217;t pay proper regard to the process, skimp on compliance and don&#8217;t manage risks effectively, it can lead to conflicts, disagreements and tensions between the parties.</p>
<h4>Lack of understanding</h4>
<p>Management may not fully understand or appreciate the purpose, value and importance of the internal audit function. They may view it as a compliance-driven activity rather than recognising its role in providing independent assurance and valuable insights to improve organisational processes and controls.</p>
<h4>Perception of criticism</h4>
<p>Internal audit&#8217;s role is designed to assess and evaluate the effectiveness of controls, processes, and risk management practices of management. If management perceives these assessments as personal criticisms or threats to their authority, it can strain the relationship.  When internal audit identifies control weaknesses or areas for improvement, it can be perceived by the CEO as a criticism of their leadership or decision-making. This can lead to defensiveness and strained relations between the CEO and internal audit.</p>
<h4>Ineffective communication</h4>
<p>Effective communication is essential for a strong relationship between internal audit, the board, CEO and management. If there are communication gaps, misunderstandings can occur, leading to mistrust and strained relations. Lack of clarity in explaining audit findings and recommendations can further exacerbate these issues.</p>
<h4>Gaps in internal audit capabilities</h4>
<p>Poor internal audit practices or an under-resourced internal audit team will compromise the quality of internal audit work. Limited staffing, budget, or access to necessary information can impact the quality and timeliness of audit work, leading to frustrations on both sides.</p>
<h4>Lack of trust and independence</h4>
<p>Internal audit must operate with a high degree of independence to provide unbiased assessments. Internal audit must have unfettered access to information.  If management perceives internal audit as lacking independence or being influenced by external factors, it can erode trust and strain the relationship.</p>
<h4>Resistance to audit recommendations</h4>
<p>Internal audit often provides recommendations for improving controls, processes, and risk management. If management is not confident in internal audit&#8217;s capabilities, resists findings or fails to take recommendations seriously, it can create a perception that the internal audit function&#8217;s efforts are being disregarded or undervalued.</p>
<h3>Strategies for the CEO to Establish Solid Foundations</h3>
<p>Whilst internal audit is an independent function, the CEO is often in the driver&#8217;s seat for ensuring it is effective, with some oversight from the audit committee and/or board for larger organisations. An effective internal audit function is built on a solid foundation of key principles, practices, and structures. The CEO should work with the Chief Audit Executive and support laying these foundations.</p>
<h4>Recruit a capable audit team</h4>
<p>Internal auditors should possess the necessary knowledge, skills, and professional qualifications/certifications. The internal audit department should also follow the standards and ethical guidelines of the profession as set out by the <a href="https://www.theiia.org/" target="_blank" rel="noopener">Institute of Internal Auditors</a>.</p>
<h4>Ensure adequate resourcing</h4>
<p>For internal audit to be effective, it needs to have the appropriate resources in terms of staffing, budget, and technology. The CEO should ensure that the internal audit department is adequately resourced and has the necessary tools and technology to do its job effectively.</p>
<h4>Use a risk-based audit approach</h4>
<p>Due to budget and time constraints, internal audit should take a risk-based approach to its work, focusing on areas where the organisation is most at risk and providing assurance that the internal controls are designed and operating effectively to mitigate these risks.</p>
<p>By engaging with key stakeholders, contextualising the organisational objectives and conducting a comprehensive risk assessment (or using risk information from the risk management department), the internal audit department can identify the areas of the company where the risk of loss or failure to achieve objectives is greatest. This helps the internal audit function to focus on the areas of the company that are most at risk and provides assurance that the company&#8217;s internal controls are designed and operating effectively to mitigate these risks.</p>
<h4>Open communication between audit and management</h4>
<p>Establish regular communication channels between internal audit and management to enhance understanding and address any concerns or misunderstandings promptly.</p>
<h4>Clear audit plans and reports</h4>
<p>The internal audit function should have plans and reports in place to communicate its intentions, approach, findings and recommendations to the CEO, the board of directors, and other stakeholders.  Key plans and reports include:</p>
<ul>
<li><strong>Strategic Audit Plan</strong> &#8211; outlines the internal audit activities and objectives for a three-year period. It serves as a roadmap for the internal audit function, guiding its efforts in evaluating and assessing the organisation&#8217;s operations, risks, controls, and governance processes over the specified timeframe.</li>
<li><strong>Audit Engagement Plan</strong> &#8211; outlines the specific details and objectives of an upcoming audit engagement. It is a roadmap for the internal audit team, providing a structured approach to conducting the audit and ensuring that all relevant areas are addressed.</li>
<li><strong>Audit Report</strong> &#8211; summarises the audit approach, methodology, findings, observations, and recommendations resulting from an internal audit engagement. The report is a communication tool between internal audit and management, providing valuable insights and recommendations for improving processes, controls, and risk management practices.</li>
<li><strong>Quarterly Audit Report</strong> &#8211; provides an update on the progress of audit engagements completed, highlights key issues, and tracks the progress of audit recommendations to completion/closure.</li>
</ul>
<h4>Be visible</h4>
<p>It&#8217;s important that the CEO is visible, promotes internal audit and encourages management to take appropriate action on the recommendations in a timely manner. This shows the importance placed on internal audit and helps to maintain the integrity of the internal control environment. Also, it&#8217;s important that the internal audit team is seen as approachable by any member of staff, which enhances their standing within the organisation and provides an avenue to identify issues at the coalface.</p>
<h4>Continuous audit improvement</h4>
<p>The internal audit function should be continuously looking for ways to improve its processes and procedures. The department should also monitor and evaluate the effectiveness of its work and the impact of its recommendations to continually improve the control environment. Every 5 years, the internal audit process should undergo an external independent review.</p>
<h3>Strategies for Optimising Internal Audit</h3>
<p>Having the foundations in place helps to ensure that the internal audit function is able to provide the assurance that the CEO and the board of directors need, but it may not relieve all the tension. The CEO and board can expect more from internal audit.  They may expect internal audit to take a more proactive approach to identifying and assessing risks, rather than just being reactive to issues that have already occurred.</p>
<h4>Monitoring and analysis of key performance indicators</h4>
<p>The internal audit department can use monitoring and analysis of key performance indicators (KPIs) to identify potential issues and risks before they become major problems. This could include monitoring the company&#8217;s financial performance, compliance with laws and regulations, and the effectiveness of key processes and systems.</p>
<h4>Data analytics</h4>
<p>Internal audit can use data analytics tools to identify patterns or anomalies in data that may indicate a potential risk or control weakness. These tools can help internal audit to uncover issues that may be hidden and would not be identified through traditional audit methods.</p>
<h4>Continuous control monitoring</h4>
<p>The internal audit function can be proactive by continuously looking for ways to improve its processes and procedures. This could include ongoing monitoring of the control environment.</p>
<h4>Predictive auditing</h4>
<p>Predictive auditing is a new way of auditing that allows internal audit to make predictions about future events, scenarios or risks by identifying and analysing patterns or trends, and to build in assessments and controls to prevent potential events from happening.</p>
<h4>Stay current with industry/sector developments</h4>
<p>Internal audit can also be proactive by staying current with industry developments and emerging risks, such as regulatory changes and technological advancements, so they can identify potential risks to the organisation and take appropriate actions.</p>
<h3>Takeaways</h3>
<p>By addressing these &#8216;tension&#8217; factors and promoting a culture of cooperation and mutual respect, the relationship between the CEO, internal audit and management can be improved, leading to more effective risk management, a stronger control environment and governance practices within the organisation.</p>
<p>Taking a proactive approach, an internal audit department can help the company to identify and manage potential risks before they become major issues, and provide assurance that the company&#8217;s internal controls are effective in mitigating those risks.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits and value of internal audit.</p>
<p>We have supported small to large organisations in establishing a cost-effective internal audit function and in refining and optimising their internal audit practices.</p>
<p>We have extensive experience in internal auditing, risk management, probity, fraud and corruption prevention, cyber security, crisis management, business continuity, climate risk management and pandemic planning.</p>
<p>If you would like to know more about our internal auditing services, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/how-the-smart-ceo-gets-more-value-from-internal-audit/">How The Smart CEO Gets More Value From Internal Audit</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Assurance or Consulting? Maximising Internal Audit Value</title>
		<link>https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 15 Sep 2021 06:04:32 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=7812</guid>

					<description><![CDATA[<p>Internal Audit adds value by objectively evaluating and making recommendations in respect to the internal control environment. This is the traditional &#8216;third line&#8217; view of internal audit based on the Three Lines Model by the Institute of Internal Auditors. But consider the following scenario: As part of the development of the organisation’s next internal audit [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/">Assurance or Consulting? Maximising Internal Audit Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Internal Audit adds value by objectively evaluating and making recommendations in respect to the internal control environment. This is the traditional &#8216;third line&#8217; view of internal audit based on the <a href="https://www.iia.org.au/technical-resources/professionalGuidance/the-iia's-three-lines-model" target="_blank" rel="noopener">Three Lines Model</a> by the Institute of Internal Auditors.</p>
<p>But consider the following scenario:</p>
<ul>
<li>As part of the development of the organisation’s next internal audit plan, management tells the Chief Audit Executive (CAE) that “Process A” is completely defective. It’s not working as intended, there are some large risks, there are regular issues and errors and Process A desperately needs review.</li>
<li>At management’s request, the CAE includes an internal audit of Process A as a high priority on the audit plan.</li>
<li>Internal audit conducts an assurance audit of Process A and confirms that it is indeed a mess and needs urgent review and remedial action. Remedial options are presented and recommendations for improvement are made.</li>
<li>Management expresses disappointment in the audit outcome because they already knew the process was broken and they thought an audit would help to fix it.</li>
<li>Management defers or disagrees with the timing of a number of audit recommendations because there are insufficient resources available to fix the problem.</li>
</ul>
<p>Sound familiar? How much value has internal audit really added?</p>
<h3>The role of internal audit</h3>
<p>Often the root cause of the above scenario is a lack of understanding about the potential roles that internal audit can play.</p>
<p>According to the Institute of Internal Auditors, the definition of internal audit is:</p>
<p style="padding-left: 40px;"><em>“… an independent, objective assurance <strong>and consulting</strong> activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”</em></p>
<p>This definition recognises that internal audit can undertake two broad types of activities – assurance and consulting. Whilst assurance engagements are relatively commonplace and generally well understood, internal audit consulting engagements are perhaps less prevalent.</p>
<h3>Internal audit as consultants</h3>
<p>The Internal Audit Standards define consulting services as:</p>
<p style="padding-left: 40px;"><em>“Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.”</em></p>
<p>Going back to our scenario above, would a better approach be to consider whether internal audit could provide consulting services to assist those responsible for Process A to design and implement process improvements and more robust controls? Rather than spending time and resources independently corroborating what management already knew, wouldn’t it be better to get in and help fix the problem?</p>
<p>The above scenario highlights a common problem whereby management and even the internal audit function have a limited or conflicting view of the role of internal audit. There is often an automatic assumption that everything on the audit plan is an assurance assignment that involves testing of controls and providing assurance. If consulting or advisory services are required, these typically get added to the internal audit work program as extras or one-offs after the plan has been adopted.</p>
<h3>Extracting more value from internal audit</h3>
<p>But there is no reason why the audit plan can’t include consulting assignments. If an area or process has already been identified as requiring remedial action and the responsible business unit needs help and assistance to do this, why can’t it be included on the audit plan as a consulting engagement?</p>
<p>This is envisaged by the Internal Audit Standards which state:</p>
<p style="padding-left: 40px;"><em><strong>“2010.C1 – </strong>The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.”</em></p>
<p>The Standards also provide considerable guidance on everything from scoping a consulting engagement to ensuring that internal audit maintains independence and doesn’t assume management responsibility.</p>
<p>For example, the Standards state:</p>
<p style="padding-left: 40px;"><em><strong>“2201.C1 – </strong>Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.</em></p>
<p style="padding-left: 40px;"><em><strong>2210.C1 – </strong>Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.</em></p>
<p style="padding-left: 40px;"><em><strong>2210.C2 – </strong>Consulting engagement objectives must be consistent with the organization&#8217;s values, strategies, and objectives.”</em></p>
<h3>Overcoming internal audit independence issues</h3>
<p>In relation to the potential for a consulting engagement to impair a future assurance review, the Standards provide:</p>
<p style="padding-left: 40px;"><em><strong>“1130.A3 – </strong>The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.”</em></p>
<p>If there are concerns that a consulting engagement may impair a future assurance review another option would be to outsource the assurance review especially if it is within a year or two of the consulting engagement. Diagram 1 below provides some guidance on consulting roles that internal audit should and shouldn’t undertake.</p>
<p><img decoding="async" class="alignnone wp-image-7816 size-full" src="https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1.jpg" alt="internal audit, audit" width="1293" height="408" srcset="https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1.jpg 1293w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-300x95.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-1224x386.jpg 1224w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-768x242.jpg 768w" sizes="(max-width: 1293px) 100vw, 1293px" /></p>
<p style="text-align: center;"><em>Diagram 1: Consulting roles internal audit should and shouldn’t undertake</em></p>
<p>As indicated already, part of the problem may stem from a lack of understanding by management and the Audit Committee that internal audit can play a consulting role as well as an assurance role. If this is the case, then there is a need for CAEs to educate management and the Committee about the different ways in which internal audit can add value to the organisation.</p>
<p>In some jurisdictions, there is a specific requirement for Audit Committees to look at business improvement initiatives. For example, the NSW Local Government (Governance and Planning) Act 2016 will, once commenced, require councils to have an Audit, Risk and Improvement Committee. Amongst other things, the Committee will be required to keep under review programs and measures to improve the performance of council and the services it provides. This could be partly achieved through engaging internal audit to undertake or assist with service reviews and process improvements.</p>
<h3>Takeaways</h3>
<p>So in summary, it is really important to understand the role internal audit can play in your organisation to add value. Next time someone suggests that an internal audit of a broken process would be a good idea, consider whether a consulting-type engagement to help fix the process would be preferable to an assurance audit that confirms what everyone already knew. If it is, then, subject to resourcing, experience and capacity constraints, include it on the internal audit plan.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits and value of internal audit.  We have extensive experience in internal auditing, risk management, probity, fraud and corruption prevention, cyber security, crisis management, business continuity, climate risk management and pandemic planning.</p>
<p>If you would like to know more about our internal auditing services, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/">Assurance or Consulting? Maximising Internal Audit Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Audits of Tomorrow</title>
		<link>https://inconsult.com.au/publication/the-audits-of-tomorrow/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 10 Aug 2020 04:35:51 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5283</guid>

					<description><![CDATA[<p>Local government has been described as a &#8216;place-shaper&#8217; because it plays an important role in meeting the needs of its community.  Councils deliver a wide range of services to their local community (local rate payers and residents) as well as to the broader community (visitors) who use its parks, amenities, roads, pools and beaches.  For [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-audits-of-tomorrow/">The Audits of Tomorrow</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Local government has been described as a &#8216;place-shaper&#8217; because it plays an important role in meeting the needs of its community.  Councils deliver a wide range of services to their local community (local rate payers and residents) as well as to the broader community (visitors) who use its parks, amenities, roads, pools and beaches.  For regional councils, economic development is another important role that is predominantly concerned with enhancing the prosperity and wellbeing of people and businesses within the local government area.</p>
<p>Councils work within a myriad of laws and regulatory frameworks. They must not only comply with laws that apply to most other organisations, but often have to comply with and, in some cases, enforce specific laws and regulations. With mounting pressure for Councils to meet the changing legal environment and stakeholder expectations and address a rapidly evolving set of emerging risks, it is fast becoming a game of catch-up. To see some of these challenges, check out our article <a href="https://inconsult.com.au/publication/audit-fail-most-common-control-weaknesses-in-top-10-local-government-audit-areas/" target="_blank" rel="noopener noreferrer">Most Common Control Weaknesses in Top 10 Local Government Audit Areas</a>. The top 10 audit areas listed are likely to remain high risk for councils in the immediate future, and they are all likely to continue to appear on many Councils&#8217; 3-Year Internal Audit Plans.</p>
<h3>The audits of tomorrow</h3>
<p>As a leading provider of internal audit services to local government serving over 90 NSW Councils, we wanted to look into our &#8216;crystal ball&#8217; and, with some help from the Auditor-General for New South Wales, predict what the audits of tomorrow could look like&#8230;well, at least the higher priority audits over the next 2-3 years! Hopefully, our list can serve as a quick reference guide for Council&#8217;s Leadership Team, Chief Audit Executives and members of the Audit, Risk and Improvement Committee.</p>
<h4><em>1. Business continuity planning</em></h4>
<p>Many services delivered by Councils are essential to the economic and social well-being of the community&#8212;a failure to deliver these could have significant consequences. Whilst we believe an effective business continuity plan is always important, it is not likely we will see an end to COVID-19 cases anytime soon, so it is important that councils have effective business continuity planning to deal with the &#8216;new normal&#8217;. The NSW Auditor-General has also targeted this area over the next 12 months. Does your Council have these policies and practices in place?</p>
<ul>
<li>Business Continuity Policy and Framework</li>
<li>Business continuity planning to deal with a range of plausible disruption scenarios</li>
<li>A risk assessment including a business impact analysis</li>
<li>Supporting sub-plan covering specific disruptions e.g. Pandemic response, IT-Disaster Recovery, Data Breach Response Plan</li>
<li>Formal training of crisis management team</li>
<li>Regular exercises covering various stages of the plan and sub-plans</li>
<li>Regular review and update of the plans and disruption risks</li>
</ul>
<h4><em>2. IT Disaster recovery planning</em></h4>
<p>Most of the activities performed and services delivered by Councils rely on information and communication technology—a failure or extended outage of information systems will disrupt delivery of key services. While IT is already a focus of audit, its significance continues to grow and so does the need for validated policies and practices. The worst time to find out that your disaster recovery plans have gaps and weaknesses in them is when you really, really need them and you need to restore data quickly. Check to see your council has these policies and practices in place.</p>
<ul>
<li>A formal IT Disaster Recovery Plan to outline specific responsibilities and steps in recovering critical business systems</li>
<li>Alignment between the IT Disaster Recovery Plan and other sub-plans</li>
<li>A risk assessment of system fail points and mitigating controls</li>
<li>Identification of critical third party dependencies</li>
<li>Regular component testing including both tabletop exercises and functional exercises</li>
<li>Regular review and update of the IT Disaster Recovery Plan</li>
</ul>
<h4><em>3. Cybersecurity</em></h4>
<p>According to information technology industry research, Australia is one of the world&#8217;s most hacked countries, coming in at equal sixth as a target of &#8220;significant&#8221; cyber-attacks. In June 2020, Prime Minister Scott Morrison called a snap press conference to warn that Australian Government organisations are under persistent cyber-attack from a state-based actor. There has been an increase in phishing and spear phishing email attempts during the COVID-19 pandemic.</p>
<p>Councils hold very important and often sensitive personal information that, if in the wrong hands, could result in identity theft. Also, some regional councils maintain essential water and sewage infrastructure and even communications infrastructure essential for emergency services. Has your Council:</p>
<ul>
<li>Conducted a risk assessment to identify the various cyber threats</li>
<li>Developed well documented governance protocols, policies and procedures</li>
<li>Implemented effective &#8216;layers&#8217; of controls to protect information e.g. password policy</li>
<li>Developed systems to monitor, detect, contain and respond to attacks and intrusions</li>
<li>Developed procedures and plans to recover data and systems</li>
</ul>
<h4><em>4. IT General Controls</em></h4>
<p>IT General Controls (ITGC) are defined as controls, other than application controls, that relate to the environment within which computer-based application systems are developed, maintained and operated, and are therefore applicable to all business applications. The objective of ITGCs is to ensure the integrity of the data and processes that the applications support. Another area that is currently in the sights of audit, ITGCs will continue to become a more crucial aspect of Council operations. So what are the most common ITGCs that Council should ensure are in place and working effectively?</p>
<ul>
<li>Logical access controls over applications, data and supporting infrastructure</li>
<li>Program change management controls</li>
<li>Backup and recovery controls</li>
<li>Computer operation controls</li>
<li>Data centre physical security controls</li>
<li>Information technology governance</li>
<li>System development life cycle controls</li>
</ul>
<h4><em>5. Management of major projects</em></h4>
<p>One of the most significant areas of expenditure for a typical Council is on major infrastructure projects. Small, large, simple or complex, every project has a range of inherent risks. So in order to manage projects to a successful outcome, project managers must understand the risks and mitigate them effectively.  Why do projects fail and where are the key challenges?</p>
<ul>
<li>Unclear project specifications or requirements</li>
<li>Poor stakeholder engagement</li>
<li>Incorrect or unreasonable assumptions across the project &#8211; financial, deliverables, scheduling, timing etc</li>
<li>Change of scope or requirements &#8211; scope creep</li>
<li>Unforeseen circumstances such as a failure of a contractor, supply chain disruption, severe weather, worksite safety incident, loss of key person or other &#8216;Acts of God&#8217;</li>
<li>Poor project governance or lack of an effective project management office</li>
</ul>
<p>Specifically, the NSW Auditor-General has identified road asset maintenance as an audit area in the next 3 years.</p>
<h4><em>6. Third-party vendor risk management</em></h4>
<p>In an attempt to gain greater efficiency and reduce cost, it is common for councils to use third parties. As the extended enterprise grows, Councils rely on more third parties, relationships can become more complex and the ability to manage third-party relationships becomes even more critical. Managing risks that arise from third-party relationships is important for protecting and securing against a wide range of risks. Third parties should be seen as part of council&#8230; remember that outsourcing the activity does not outsource the risks. Without comprehensive due diligence, outsourcing could in fact introduce risks that otherwise would not exist, such as exposure to third or fourth-party networks or devices. So what do the key steps in the third-party risk assessment process include?</p>
<ul>
<li>Identifying potential risks inherent in third-party relationships</li>
<li>Classifying third parties according to their criticality to your activities, systems, networks, and data</li>
<li>Reviewing service level agreements (SLAs) to ensure that your vendors perform as expected</li>
<li>Determining which compliance requirements apply to council and ensuring vendors meet the same standard</li>
<li>Regularly sending vendors third-party risk assessment questionnaires</li>
<li>Periodically auditing selected vendors, including on-site visits where warranted, to confirm the answers given in their questionnaires</li>
<li>Continuously monitoring for changes in their environment as well as changes to regulations</li>
</ul>
<h4><em>7. Long term sustainability, financial planning and budgeting</em></h4>
<p>Local Government is governed by state legislation that requires councils to prepare a series of plans which describe and forecast future activities. Corporate planning is one of many tools that governments have adopted to improve responsiveness and ensure scarce resources are employed efficiently and effectively. In NSW, the Local Government Amendment (Planning and Reporting) Act 2009 mandated strategic community planning and required councils to adopt robust financial planning and reporting practices. Councils should ensure:</p>
<ul>
<li>Alignment between all elements of the Integrated Planning and Reporting Framework (IPR) &#8211; internal plans</li>
<li>The Community Strategic Plan considers the State Plan and other relevant state and regional plans &#8211; external plans</li>
<li>The IPR process is subject to continuous improvement</li>
<li>Elected representatives, council officers and the community all play an important role in the process</li>
<li>The plans, whilst they can be aspirational, should be operational and support a delivery program</li>
<li>Annual and periodic reports are accurate and reflect the actual status of delivery</li>
</ul>
<p>In addition, the NSW Auditor-General has identified annual charges, the development assessment process, city deals and the coordination of agencies in precinct planning as audit areas for the next 3 years.</p>
<h4><em>8. Time and attendance management</em></h4>
<p>With more people working from home during COVID-19, there is a higher risk of timesheet and payroll related fraud, and a growing need for systems that better monitor the time and attendance of staff. In 2018, the Auditor-General for New South Wales identified 123 control weaknesses related to payroll processes. These are some of the common control weaknesses that will persist unless controls adapt to the new working arrangements:</p>
<ul>
<li>No review of changes made to the employee masterfile</li>
<li>No review of payroll reports and timesheets</li>
<li>Reconciliations not prepared or reviewed</li>
<li>Lack of processes in place to reduce excessive leave balances</li>
</ul>
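<p>The first three weaknesses above are all failures of detective controls that can be tested directly against payroll data. The script below is an added example written for this page (it is not InConsult's or the Auditor-General's code) showing two such tests: a review of employee masterfile changes that flags changes to money-moving fields with no reviewer, or with the same person as changer and reviewer, and a reconciliation of hours paid against approved timesheet hours. The set of fields treated as sensitive, the record layouts, user names, periods and tolerance are all assumptions constructed for illustration.</p>
```python
"""Detective checks over payroll records: unreviewed masterfile changes
and a timesheet-to-payroll reconciliation. All records below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: these fields move money or identity if tampered with, so every
# change to them needs a reviewer who is not the person who made the change.
SENSITIVE_FIELDS = {"bank_account", "pay_rate", "tax_file_number"}


@dataclass(frozen=True)
class MasterfileChange:
    employee_id: str
    field: str
    changed_by: str
    reviewed_by: Optional[str]   # None: nobody signed off the change
    changed_on: date


@dataclass(frozen=True)
class Timesheet:
    employee_id: str
    period: str                  # pay period label, e.g. "2026-03-P1"
    hours: float
    approved_by: Optional[str]   # None: submitted but never approved


@dataclass(frozen=True)
class PayrollLine:
    employee_id: str
    period: str
    hours_paid: float


# Constructed sample records (hypothetical identifiers, not real data).
CHANGES = [
    MasterfileChange("E100", "bank_account", "payroll.clerk", "payroll.mgr", date(2026, 3, 2)),
    MasterfileChange("E101", "bank_account", "payroll.clerk", None, date(2026, 3, 3)),
    MasterfileChange("E102", "pay_rate", "payroll.clerk", "payroll.clerk", date(2026, 3, 4)),
    MasterfileChange("E103", "home_address", "payroll.clerk", None, date(2026, 3, 5)),
]
TIMESHEETS = [
    Timesheet("E100", "2026-03-P1", 76.0, "ops.supervisor"),
    Timesheet("E101", "2026-03-P1", 76.0, "ops.supervisor"),
    Timesheet("E102", "2026-03-P1", 80.0, None),          # never approved
]
PAYROLL = [
    PayrollLine("E100", "2026-03-P1", 76.0),
    PayrollLine("E101", "2026-03-P1", 92.0),              # paid more than the timesheet shows
    PayrollLine("E102", "2026-03-P1", 80.0),
    PayrollLine("E104", "2026-03-P1", 38.0),              # paid with no timesheet at all
]


def unreviewed_sensitive_changes(changes):
    """Return (employee, field, reason) for sensitive changes lacking an independent review."""
    findings = []
    for c in changes:
        if c.field not in SENSITIVE_FIELDS:
            continue                      # address changes etc. are out of scope here
        if c.reviewed_by is None:
            findings.append((c.employee_id, c.field, "no review"))
        elif c.reviewed_by == c.changed_by:
            findings.append((c.employee_id, c.field, "self-reviewed"))
    return findings


def reconcile_payroll(timesheets, payroll, tolerance=0.01):
    """Compare hours paid with approved timesheet hours for each employee and period."""
    hours_by_key = {}
    unapproved = set()
    for t in timesheets:
        key = (t.employee_id, t.period)
        hours_by_key[key] = hours_by_key.get(key, 0.0) + t.hours
        if t.approved_by is None:
            unapproved.add(key)
    findings = []
    for p in payroll:
        key = (p.employee_id, p.period)
        if key not in hours_by_key:
            findings.append((p.employee_id, p.period, "paid without timesheet"))
            continue
        if key in unapproved:
            findings.append((p.employee_id, p.period, "timesheet not approved"))
        if abs(p.hours_paid - hours_by_key[key]) > tolerance:
            findings.append((p.employee_id, p.period,
                             f"hours mismatch: paid {p.hours_paid}, timesheet {hours_by_key[key]}"))
    return findings


def run_checks():
    """Run both detective checks over the constructed records."""
    return {"masterfile": unreviewed_sensitive_changes(CHANGES),
            "payroll": reconcile_payroll(TIMESHEETS, PAYROLL)}


if __name__ == "__main__":
    for area, items in run_checks().items():
        for item in items:
            print(area, *item)
```
<p>Run against a real system the same two queries would take the masterfile audit trail and the payroll register as input; the point of keeping the checks separate is that a clean reconciliation says nothing about who changed a bank account, and a reviewed bank account change says nothing about whether the hours paid were ever approved.</p>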
<h3>Takeaways</h3>
<p>How much assurance is enough? Our list is not exhaustive and there are many other areas that will be important for some councils to review over the next 3 years.</p>
<p>Unfortunately, even the best environmental scans and our &#8216;crystal ball&#8217; are not perfect.  Council&#8217;s Leadership Team and Chief Audit Executives will also need to rely on their deep understanding of their organisation, culture, processes and intuition to foresee audit areas that need more attention over the next 12-36 months.  Richard Chambers, president and CEO of The Institute of Internal Auditors once recommended that auditors &#8216;follow the risk&#8217;, that is, if they can&#8217;t audit everything, then they had better audit the systems, processes, controls, or risks that can inflict the most damage.</p>
<p>There is an increasing expectation from stakeholders to be able to verify that a council has the appropriate policies and practices in place. For council officers, don&#8217;t wait until internal audit comes knocking. Start looking closely at your own policies, procedures and risk registers now, because internal audit will be responsible for testing them and providing assurance that controls are working effectively.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits of internal audit.  We have extensive experience in internal auditing, risk management, cyber security, crisis management, business continuity, emergency management, disaster management and pandemic planning.</p>
<p>If you would like to know more about our internal auditing services, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/the-audits-of-tomorrow/">The Audits of Tomorrow</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Audit Fail: Most Common Control Weaknesses in Top 10 Local Government Audit Areas</title>
		<link>https://inconsult.com.au/publication/audit-fail-most-common-control-weaknesses-in-top-10-local-government-audit-areas/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Wed, 05 Aug 2020 02:31:43 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5276</guid>

					<description><![CDATA[<p>Unless you have worked in local government, it is hard to really appreciate the complexities of many of the business processes and the wide range of activities of a typical council. These complexities can lead to internal control breakdowns that often have little consequences &#8211; lucky!  However in some instances, systemic control weaknesses can have [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/audit-fail-most-common-control-weaknesses-in-top-10-local-government-audit-areas/">Audit Fail: Most Common Control Weaknesses in Top 10 Local Government Audit Areas</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Unless you have worked in local government, it is hard to really appreciate the complexities of many of the business processes and the wide range of activities of a typical council. These complexities can lead to internal control breakdowns that often have little consequences &#8211; lucky!  However in some instances, systemic control weaknesses can have a significant impact on council&#8217;s assets, resources and reputation.</p>
<p>As a leading provider of internal audit services to local government serving over 90 NSW Councils, we thought it would be interesting to profile the most common areas we have audited over the last 5 years and analyse the most commonly occurring control weaknesses.</p>
<h3>What have we been auditing?</h3>
<p>The list below details the top 10 areas we have been engaged to undertake audits of since July 2015. These accounted for slightly over 50% of all audit projects we have undertaken for local government clients since that time.</p>
<ol>
<li>Developer Contributions/VPAs</li>
<li>Project/Contract Management</li>
<li>Procurement</li>
<li>Development Assessment</li>
<li>Accounts Payable</li>
<li>Accounts Receivable/Debt Recovery</li>
<li>Environmental and Health Compliance</li>
<li>Planning Certificates</li>
<li>Waste Management</li>
<li>Works and Maintenance</li>
</ol>
<p>Not surprisingly, development and finance related functions/processes feature heavily. In particular, we have seen an increase in the demand for audits of developer contributions and voluntary planning agreements. Audits of the management of specific projects or project management in general have also increased as councils embark on more complex and more sensitive projects.</p>
<h3>What have we found?</h3>
<p>Our audits identified a wide range of good practices and positive control environments.</p>
<p>Very few audits resulted in findings that the control environment was totally lacking or inadequate. In most cases appropriate controls were in place but were just not being applied consistently or with sufficient rigour. In some cases this may have been due to a degree of complacency (we have implemented a control and we assume that it is working appropriately because we haven’t had any problems) or insufficient time or resources to regularly monitor or check that everything is working as intended.</p>
<p>Notwithstanding this, there were some recurrent control weaknesses and issues that arose in each of the top 10 audit areas. The most common control weaknesses identified include:</p>
<h4 style="padding-left: 40px;"><em>Developer Contributions/VPAs</em></h4>
<ul>
<li>Outdated contributions plans</li>
<li>Errors in indexing contribution rates</li>
<li>Lack of cross-organisational oversight/engagement in developer contributions plans and processes</li>
<li>Incomplete or inadequate contributions registers</li>
<li>Lack of clear accountability/responsibility for negotiating VPAs</li>
<li>Incomplete or inadequate VPA registers</li>
<li>Inadequate monitoring of delivery of developer obligations under VPAs</li>
</ul>
<h4 style="padding-left: 40px;"><em>Project/Contract Management</em></h4>
<ul>
<li>Lack of contract management plans which include all contract obligations</li>
<li>Incomplete or inadequate project risk assessments</li>
<li>Lack of formal documented project management methodology</li>
<li>Inconsistent approach to project/contract management</li>
</ul>
<h4 style="padding-left: 40px;"><em>Procurement</em></h4>
<ul>
<li>Purchase orders not raised prior to receipt of goods/services</li>
<li>Outdated procurement policies and procedures</li>
<li>Inadequate documentation of reasons for selecting providers</li>
<li>Inequitable use of contractors on supply panels</li>
<li>No segregation between staff requisitioning and approving purchases</li>
<li>Lack of strategic approach to procurement planning</li>
<li>Lack of analysis and monitoring of procurement spend</li>
</ul>
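<p>Three of the procurement weaknesses above (purchase orders raised after goods were received, no segregation between requisitioning and approving, and inequitable use of panel contractors) can be tested analytically over the purchase order register rather than by sampling files. The script below is an added example written for this page, not InConsult's audit program or any council's code. The purchase order layout, supplier and user names, amounts and the 75% concentration threshold are all constructed for illustration and should be replaced with council's own register and procurement policy thresholds.</p>
```python
"""Procurement detective checks over a purchase order register:
segregation of duties, retrospective purchase orders and panel spend
concentration. All records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    supplier: str
    panel: Optional[str]               # supply panel the supplier sits on, if any
    amount: float
    requisitioned_by: str
    approved_by: str
    raised_on: date
    goods_received_on: Optional[date]  # None: nothing received yet


# Constructed sample register (hypothetical suppliers, users and amounts).
PURCHASE_ORDERS = [
    PurchaseOrder("PO-1001", "Acme Civil", "roads", 48_000.0, "eng.officer", "eng.manager",
                  date(2026, 2, 3), date(2026, 2, 20)),
    PurchaseOrder("PO-1002", "Acme Civil", "roads", 52_000.0, "eng.officer", "eng.officer",
                  date(2026, 2, 10), date(2026, 2, 28)),   # requisitioner approved their own PO
    PurchaseOrder("PO-1003", "Bravo Paving", "roads", 9_500.0, "eng.officer", "eng.manager",
                  date(2026, 3, 14), date(2026, 3, 1)),    # goods received before PO raised
    PurchaseOrder("PO-1004", "Acme Civil", "roads", 61_000.0, "works.officer", "eng.manager",
                  date(2026, 3, 5), None),
    PurchaseOrder("PO-1005", "Civic Print", None, 1_200.0, "comms.officer", "comms.manager",
                  date(2026, 3, 6), date(2026, 3, 9)),
]


def segregation_breaches(orders):
    """PO numbers where one person both requisitioned and approved the purchase."""
    return [o.po_number for o in orders if o.requisitioned_by == o.approved_by]


def retrospective_orders(orders):
    """PO numbers raised after the goods or services had already been received,
    i.e. the commitment was made before anyone approved it."""
    return [o.po_number for o in orders
            if o.goods_received_on is not None and o.goods_received_on < o.raised_on]


def panel_concentration(orders, max_share=0.75):
    """Share of each panel's spend going to each supplier.
    Returns {panel: [(supplier, share), ...]} for suppliers above max_share.
    max_share is an assumed threshold; use the figure in council's procurement policy."""
    spend = defaultdict(lambda: defaultdict(float))
    for o in orders:
        if o.panel is not None:            # off-panel purchases are not part of this test
            spend[o.panel][o.supplier] += o.amount
    flagged = {}
    for panel, by_supplier in spend.items():
        total = sum(by_supplier.values())
        over = [(s, round(a / total, 3)) for s, a in by_supplier.items() if a / total > max_share]
        if over:
            flagged[panel] = over
    return flagged


def run_checks(orders=PURCHASE_ORDERS):
    """Run all three checks and return the findings keyed by test."""
    return {"sod": segregation_breaches(orders),
            "retrospective": retrospective_orders(orders),
            "concentration": panel_concentration(orders)}


if __name__ == "__main__":
    for test, result in run_checks().items():
        print(test, result)
```
<p>The concentration test deliberately works on committed spend per panel rather than on the number of orders, because a handful of large orders to one panel member is the pattern that makes the rotation of smaller jobs look equitable when it is not.</p>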
<h4 style="padding-left: 40px;"><em>Development Assessment</em></h4>
<ul>
<li>Inconsistent approach to peer review of assessments</li>
<li>Lack of formally documented pre-lodgement policies and procedures</li>
<li>Inconsistent approach to pre-lodgement activities</li>
<li>Inadequate documentation of site inspections undertaken</li>
<li>Lack of documented procedures for development assessment</li>
</ul>
<h4 style="padding-left: 40px;"><em>Accounts Payable</em></h4>
<ul>
<li>Lack of formal process for verifying new supplier credentials</li>
<li>Inadequate or inconsistent approach to approving variations to purchase orders</li>
<li>Three-way match not always completed independent of accounts section</li>
</ul>
<h4 style="padding-left: 40px;"><em>Accounts Receivable/Debt Recovery</em></h4>
<ul>
<li>Lack of clear process for raising and approving credit notes</li>
<li>Inconsistent and/or inefficient processes for raising of invoices</li>
<li>Delays between provision of service and issuing of invoice</li>
<li>Lack of information provided to business units re status of debts</li>
</ul>
<h4 style="padding-left: 40px;"><em>Environmental and Health Compliance</em></h4>
<ul>
<li>Outdated or inadequate compliance/enforcement policies</li>
<li>Inconsistent or inadequate recording of inspection details</li>
<li>Inadequate record keeping including reasons for action taken</li>
<li>Confusion over responsibilities of Council in relation to Annual Fire Safety Statements</li>
</ul>
<h4 style="padding-left: 40px;"><em>Planning Certificates</em></h4>
<ul>
<li>Lack of clear responsibility/accountability for maintaining accuracy of various data sets/layers</li>
<li>Lack of clear policy on what is included in s10.7(5) certificates</li>
<li>Lack of clear processes for recording and rectifying identified anomalies in certificates produced</li>
<li>Key person dependency</li>
</ul>
<h4 style="padding-left: 40px;"><em>Waste Management</em></h4>
<ul>
<li>Discrepancies between number of services billed by contractors and number of bins provided by Council</li>
<li>Lack of comprehensive contract management plan and follow up to ensure contractors meet all annual requirements</li>
<li>Outdated waste management strategies and/or lack of reporting on progress in achieving objectives</li>
<li>Quarterly rise and fall adjustments by contractors not adequately checked and approved</li>
</ul>
<h4 style="padding-left: 40px;"><em>Works and Maintenance</em></h4>
<ul>
<li>Focus on reactive rather than proactive maintenance</li>
<li>Inadequate reporting of reasons for movement of funds between programs/projects</li>
<li>Inadequate reporting of expenditure against different sources of funding</li>
<li>Lack of coordination between planning and delivery arms of Council when developing works programs and estimating project costs</li>
<li>Inadequate or inconsistent project management methodology and/or documentation</li>
<li>Lack of alignment between Long Term Financial Plans, Asset Management Plans and works and maintenance programs</li>
</ul>
<p>Hopefully, the lists above can serve as a quick checklist of shortcomings to look for in common high risk areas.</p>
<h3>Heads up</h3>
<p>We also believe that audit committees will be looking for greater assurance that management actions in response to audit recommendations have been implemented appropriately. We have seen some evidence of repeat audit findings and agreed actions not being implemented as effectively as advised. This may lead to an increased expectation that auditors will verify implementation of agreed actions through follow-up audits.</p>
<p>Many audit committees are expressing concern that internal audit resources are not sufficient to provide audit coverage over the multitude of high risk activities and processes that councils are responsible for. This raises the question as to how the committee and management can obtain a reasonable level of assurance regarding the control environments in all of these areas. This may lead to more discussion about other methods of obtaining assurance such as control self-assessments.</p>
<h3>A control weakness recap</h3>
<p>Development, financial, regulatory and infrastructure related functions have featured prominently on council internal audits plans over the last five years and are likely to continue to do so moving forward. The need to provide greater assurance over the management of major projects and contracts has increased as councils become involved in more complex and higher value projects with greater levels of public scrutiny.</p>
<p>Whilst councils operate in different ways there are a large number of risks and controls that are common. Similarly, our audit work has highlighted that there are common control weaknesses across councils.</p>
<p>In future we expect that cyber, IT, financial sustainability and business continuity risks will also feature prominently on council internal audit plans. We also anticipate an increased demand from audit committees for assurance that agreed control improvements have in fact been implemented appropriately. Committees may also push for assurance processes in addition to internal audits to provide some level of assurance that appropriate controls are in place for those areas not covered by the internal audit plan.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits of internal audit.  We have extensive experience in internal auditing, risk management, cyber security, crisis management, business continuity, emergency management, disaster management and pandemic planning.</p>
<p>If you would like to know more about our internal auditing services, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/audit-fail-most-common-control-weaknesses-in-top-10-local-government-audit-areas/">Audit Fail: Most Common Control Weaknesses in Top 10 Local Government Audit Areas</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Understanding Internal Controls</title>
		<link>https://inconsult.com.au/publication/understanding-internal-controls/</link>
		
		<dc:creator><![CDATA[CreativeTeam]]></dc:creator>
		<pubDate>Wed, 02 Oct 2019 03:21:54 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=3943</guid>

					<description><![CDATA[<p>Internal controls feature prominently on an organisation’s risk register, yet one of the major weaknesses of AS/NZS ISO 31000:2009 Risk management &#8211; Principles and guidelines is the lack of guidance around internal controls and in particular, the different types of controls and how they  work to mitigate risks.  Tony Harb and Mitchell Morley, risk management, [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/understanding-internal-controls/">Understanding Internal Controls</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p><em>Internal controls feature prominently on an organisation’s risk register, yet one of the major weaknesses of AS/NZS ISO 31000:2009 Risk management &#8211; Principles and guidelines is the lack of guidance around internal controls and in particular, the different types of controls and how they  work to mitigate risks.  Tony Harb and Mitchell Morley, risk management, audit and governance specialists from InConsult take a close look at the role of internal controls, the various types and their limitations.</em></p>
<p>Along with forecasting, planning, organising, commanding and coordinating, the management theorist Henri Fayol identified ‘controlling’ as one of the six functions of management.</p>
<p><em>AS/NZS ISO 31000:2009 Risk management &#8211; Principles and guidelines</em> defines control as a “measure that is modifying risk” and includes “any process, policy, device, practice, or other actions”.  The standard also warns that “controls may not always exert the intended or assumed modifying effect”.  Unfortunately, it does not go further to guide risk owners in better understanding the key attributes of internal controls and their role in the risk management process.</p>
<p>The AS/NZS ISO 31000:2009 definition is a relatively simple one. From an organisational management context, internal audit and COSO ERM framework literature contain more comprehensive definitions of internal control, better highlight control objectives and link controls to helping the organisation achieve its objectives.</p>
<h4>Internal Controls</h4>
<p>Internal controls are simply the processes, policies and procedures, effected by people, that are designed to modify risk so that our internal processes work the way we want them to and we achieve our objectives.</p>
<p>An organisation will have hundreds if not thousands of internal controls in place.</p>
<p>Examples of internal controls include separation of duties, authority delegations, policies, procedure manuals, work practices, passwords, account reconciliations, arithmetical accuracy checks, restricted physical access, stock counts, asset counts, budgets, plans etc.</p>
<p>With potentially thousands of different controls, with different levels of effectiveness, it is important to categorise them into different groups to better understand them.</p>
<p>One of the most popular ways of categorising controls is according to “when” they address the risk, error or irregularity.</p>
<h4>Preventive Controls</h4>
<p>Preventive controls are designed to stop, discourage or pre-empt inappropriate transactions, errors or irregularities before they occur. These are the most desirable controls because they STOP problems from occurring.</p>
<p>Preventive controls are proactive and emphasise quality because they minimise re-work.</p>
<p>They tend to be more cost-effective than other controls. Preventive controls (or any control) always involve additional processes but the processes are put up front to direct outcomes so things won’t go wrong.</p>
<p>Some good examples include documented procedures that clearly describe the steps in a process, passwords that restrict access to a system to authorised users, and physical controls over assets such as securely locking up trucks and equipment to prevent theft.</p>
<h4>Detective Controls</h4>
<p>Detective controls are designed to search for and identify errors on a timely basis after they have occurred.</p>
<p>Detective controls are after-the-fact controls.</p>
<p>Detective controls can also be used to measure the effectiveness of preventive controls.</p>
<p>In some cases, it may not be possible to have a preventative control and so detective controls are the most effective way to manage certain types of risks.</p>
<p>Examples of detective controls include account reconciliations that identify errors, periodic stock counts that identify shortages and errors and secondary authorisations to detect processing errors.</p>
<h4>Corrective Controls</h4>
<p>Corrective controls are designed to correct errors or risks and prevent the recurrence of further errors.</p>
<p>They begin when undesirable outcomes are detected and keep the &#8220;spotlight&#8221; on the problem until management can solve the problem or correct the defect.</p>
<p>Examples of corrective controls include quality teams that address ongoing problems to correct processes, thermostats on machines that automatically trigger cooling systems to correct temperature imbalances and insurance programs that recover financial losses to return the insured to the same financial position they were in prior to the loss.</p>
<h4>Soft and Hard Controls</h4>
<p>Controls may also be soft or hard.</p>
<p>Soft controls are intangible controls that management emphasises to direct the organisation’s expectations and behaviour.</p>
<p>Examples of soft controls include management philosophy, operating style, ethics, integrity, attitudes, communication, feedback, training programs and the commitment and competency of employees.</p>
<p>Hard controls are visible, traditional internal controls such as documented procedures, reconciliations, formal systems and monitoring of outputs.</p>
<h4>Manual and Automated Controls</h4>
<p>Controls can also be implemented by people manually or by computer systems automatically.</p>
<p>Manual controls are effected by, and rely on, people and are typically independent of IT processes.</p>
<p>Examples of manual controls include approval of manual petty cash forms and manager review of transaction listings.</p>
<p>Automated controls on the other hand rely on computers/technology to identify, prevent or correct errors, variations or risks. They can be preventive, detective or corrective.</p>
<p>Automated controls can reduce the cost of monitoring as well as lowering processing and compliance costs.</p>
<p>It is important to note that the above attributes of internal controls are not mutually exclusive.  i.e. a control can be corrective, hard and manual in nature.</p>
<h4>Limitations of Internal Controls</h4>
<p>Internal controls have their limitations too. They can be ignored, bypassed or overridden, and they can be prone to error, applied inconsistently and dependent on judgement.</p>
<h4>Control Effectiveness in Practice</h4>
<p>Measuring control effectiveness is critical in the risk management process because the effectiveness of controls will have a direct impact on the level of residual risk.</p>
<p>In NSW, the Independent Commission Against Corruption (ICAC) perceives corruption risk as inherently high in local government.  Many, if not most, councils would have all the internal controls suggested by ICAC in place e.g. code of conduct, fraud control plan, risk assessment, internal audit etc.</p>
<p>But the question is not if these controls are in place, but how effective they are.  For example:</p>
<ul>
<li>A code of conduct that is not communicated to new staff and continually reinforced is not very effective.</li>
<li>A fraud control plan last updated in 2003 is probably not very effective.</li>
<li>Risk assessments ‘borrowed’ from another council that did not involve key people in the process is also unlikely to be very effective.</li>
</ul>
<h4>Bottom line</h4>
<p>It is critical that management is honest and realistic when designing, implementing and evaluating the effectiveness of controls and understand exactly how a particular control is addressing the risk.  A risk based internal audit program can also provide independent assurance about the effectiveness and efficiency of internal controls.</p>
<p>By better understanding the nature, characteristics and limitations of internal controls, risk owners and management will be well positioned to improve their risk management framework and achieve their objectives.</p>
The post <a href="https://inconsult.com.au/publication/understanding-internal-controls/">Understanding Internal Controls</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How Strategic Is Your Internal Audit?</title>
		<link>https://inconsult.com.au/publication/how-strategic-is-your-internal-audit/</link>
		
		<dc:creator><![CDATA[CreativeTeam]]></dc:creator>
		<pubDate>Wed, 02 Oct 2019 03:11:24 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=3934</guid>

					<description><![CDATA[<p>During his time working for a number of councils Mitchell Morley was often (although not always) underwhelmed at the lack of value many internal audit assignments added to the achievement of the organisation’s objectives. At the time he just accepted this as an inherent limitation from an often under resourced function operating in a complex [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/how-strategic-is-your-internal-audit/">How Strategic Is Your Internal Audit?</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p><em>During his time working for a number of councils Mitchell Morley was often (although not always) underwhelmed at the lack of value many internal audit assignments added to the achievement of the organisation’s objectives. At the time he just accepted this as an inherent limitation from an often under resourced function operating in a complex environment. In this article he discusses how in his current role of providing risk management and internal audit services to a number of local government clients, his understanding of the problem is much clearer.</em></p>
<h4>The root causes of poor internal audits</h4>
<p>Poor internal audit outcomes generally stem from poor internal audit planning and a lack of alignment between internal audit functions and the strategic objectives of the organisation and its risk management framework. All too often we encounter audit plans that are not based on an understanding of the potential audit universe nor aligned with organisational objectives.  Even though the internal audit standards require a risk based approach to internal audit planning, the link between the organisation’s risk management framework and its internal audit plan is often tenuous or non-existent.</p>
<p>This situation is not always the fault of internal audit, which is often under resourced and/or misunderstood. In many cases the problem stems from management and audit committees not asking the right questions, providing the right support or direction or ensuring that a proper risk management framework is in place.</p>
<p>So what can be done to overcome these problems? We would suggest the following 9 steps:</p>
<h4>1. Document internal audit’s objectives and strategic approach in both the internal audit charter and the internal audit plan</h4>
<p>Whilst it serves as a good starting point, go beyond just regurgitating the sample internal audit charter attached to the DLG guidelines. Clearly spell out the purpose of internal audit, the resources available, the proposed approach, and the linkage between internal audit and the organisation’s objectives and risk management framework.</p>
<h4>2. Summarise the organisation’s key objectives and strategies</h4>
<p>You don’t need to repeat the entire Community Strategic Plan nor the Delivery and Operational Plans in your audit plan but you should summarise the key points. If your organisation is a growth council with huge increases in population projected to occur then this is a relevant point to note. This might lead you to conclude that functions such as strategic land use planning, development assessment and building certification are especially high risk areas that may need more frequent internal audit scrutiny than would be the case in a maintenance council.</p>
<h4>3. Identify and document the audit universe</h4>
<p>How can you be strategic if you don’t start by defining all of the functions of the organisation that need to be considered when developing the internal audit plan? Developing the audit universe is not a difficult process: you can pull it together from the Operational Plan, a functional organisation structure or a well-developed corporate risk register. The key is to get the right level, i.e. don’t break it down so far that you end up with hundreds of specific activities and tasks. Keep it at a broad functional level e.g. procurement, investments, development assessment, library services, park maintenance etc.</p>
<h4>4. Conduct a high level risk assessment of the audit universe</h4>
<p>If your risk management framework contains some well-developed risk assessment criteria (i.e. likelihood and consequence ratings, risk categories) then use these to assess the overall level of risk involved in each of the functions listed in your audit universe. Involve managers in this process or at least get them to review the output. Make sure you assess the inherent risk level (i.e. before considering existing controls) and the residual risk level (after existing controls). This will enable you to prioritise potential audit assignments.</p>
<h4>5. Identify audit types</h4>
<p>What types of audits do you intend to undertake? Will some be comprehensive and others more of a limited assurance type? Will managers be required to undertake some level of self-assessment in between internal audits? The proposed audit types and what they involve should be listed in the audit plan.</p>
<h4>6. Develop risk based audit work plan</h4>
<p>Based on the high level risk assessment, develop a draft internal audit work plan which prioritises proposed audit assignments. Circulate this to senior management and seek input and confirmation. You may have to make adjustments based on issues raised by management and/or other stakeholders.</p>
<h4>7. Align to available internal audit resources</h4>
<p>Whilst it would be nice to have the resources to audit all higher risk activities on a regular basis, this is unlikely to be the reality. At this stage you need to align the proposed work plan with available resources. Make sure you allow for other internal audit activities like special projects, attendance at audit committee meetings, investigations etc. Putting all of this together in a detailed work plan will clearly show management and the audit committee what is possible given existing resources and allow them to determine whether the proposed coverage is within their risk appetite. Again, the detailed work plan should be circulated for input/confirmation by management.</p>
<h4>8. Use risk registers to scope internal audit assignments</h4>
<p>Once the audit plan has been approved and you begin scoping specific audit assignments, use the organisational risk register to identify the key risks and auditable controls for the function in question. This will enable you to take a risk-based approach to the assignment and demonstrate that the controls you have tested relate to that function’s key risks. If no risk register exists or the register is inadequate, you may need to commence the audit by conducting a more detailed risk assessment with key personnel. Ideally get your organisation’s risk manager to do this for you, or at least with you.</p>
<h4>9. Use a risk based scale for prioritising recommendations</h4>
<p>Finally, when writing audit reports and making recommendations take a risk based approach. Develop some rating criteria against which you can prioritise recommendations. For example, Critical or High priorities would be those recommendations which are aimed at addressing a fundamental gap in the internal control framework that is exposing Council to significant risk and requires immediate attention. This will help managers and the audit committee prioritise audit resolutions and reduce the chances of them being overwhelmed by a large number of recommendations.</p>
<h4>Final Word</h4>
<p>Think strategically in both the internal audit charter and the internal audit plan and show how internal audit is proposing to align its processes to promote the organisation’s objectives and take account of the risk management framework.  Make sure your internal audit plan is built on sound fundamentals and clearly demonstrates the linkage with the organisation’s risk profile and available resources.</p>
The post <a href="https://inconsult.com.au/publication/how-strategic-is-your-internal-audit/">How Strategic Is Your Internal Audit?</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Understanding the Three Lines of Defence</title>
		<link>https://inconsult.com.au/publication/understanding-the-three-lines-of-defence/</link>
		
		<dc:creator><![CDATA[CreativeTeam]]></dc:creator>
		<pubDate>Wed, 02 Oct 2019 02:59:45 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=3912</guid>

<description><![CDATA[<p>An assurance model or framework that has received some publicity in recent years is the “Three Lines of Defence Model”. Mitchell Morley from InConsult explores this model, its limitations and what organisations can learn from it. Introduction The notion of “lines of defence” no doubt has its origins in military planning and sport. However [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/understanding-the-three-lines-of-defence/">Understanding the Three Lines of Defence</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
<content:encoded><![CDATA[<p>An assurance model or framework that has received some publicity in recent years is the “Three Lines of Defence Model”. Mitchell Morley from InConsult explores this model, its limitations and what organisations can learn from it.</p>
<h4>Introduction</h4>
<p>The notion of “lines of defence” no doubt has its origins in military planning and sport. However the origin of the Three Lines of Defence Model is a little unclear. It appears to have gained prominence around a decade ago following its adoption by the former UK Financial Services Authority as the preferred model for managing operational risk in the UK financial sector.</p>
<p>Whilst there are many variations of what the model actually looks like and what each line represents it can generally be summarised as follows:</p>
<ul>
<li>The first line of defence is provided by front line staff and operational management. The systems, internal controls, the control environment and culture developed and implemented by these business units is crucial in anticipating and managing operational risks.</li>
<li>The second line of defence is provided by the risk management and compliance functions. These functions provide the oversight and the tools, systems and advice necessary to support the first line in identifying, managing and monitoring risks.</li>
<li>The third line of defence is provided by the internal audit function. This function provides a level of independent assurance that the risk management and internal control framework is working as designed.</li>
</ul>
<p><img decoding="async" class="wp-image-7827 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2019/10/three-lines-model-e1631765531434.jpg" alt="three lines model" width="536" height="415" srcset="https://inconsult.com.au/wp-content/uploads/2019/10/three-lines-model-e1631765531434.jpg 707w, https://inconsult.com.au/wp-content/uploads/2019/10/three-lines-model-e1631765531434-300x232.jpg 300w" sizes="(max-width: 536px) 100vw, 536px" /></p>
<h4>Critics and limits</h4>
<p>Sounds pretty logical but it is not without its critics – especially in relation to the role of the third line with many observers questioning whether internal audit should really be regarded as a line of defence. Some critics complain that the metaphor implies three organisational functions working independently rather than together in a collaborative way. Others have commented that preventative controls are necessary to constitute a “defence” whereas risk management and internal audit functions mostly play a detective role.</p>
<p>But if we don’t get too pedantic about the weaknesses of the metaphor itself I think there are some important principles that we can take from the model.</p>
<h4>The first line – front line management</h4>
<p>Firstly, the front line is really the key to success. The international risk management standard, AS/NZS ISO 31000, introduced the term “risk owner” (the person or entity with the accountability and authority to manage a risk). Watch any training video on risk management or attend any decent risk management training session and one of the key messages is always that “managers are risk owners”. Anybody in the organisation who has a delegation, deploys resources or makes decisions is responsible and accountable for managing the associated risks. In my view this principle is reinforced by the concept of front line staff and management being the “first line of defence”. Invariably it is the quality of the people, systems and culture at the coalface that is the main determinant of success.</p>
<p>To use a sporting metaphor, it is often said in football sports such as rugby league and union that the front line forwards lay the foundation for victory. Play strong and tight in the forwards and the rest often falls into place.</p>
<h4>The second line – risk management &amp; compliance</h4>
<p>The second thing I like about the Three Lines of Defence Model is the notion that the second line i.e. the risk and compliance functions, play a support role. To be effective they need to work with and support the business. This implies the need to provide tools and advice that are practical, adaptable and effective.</p>
<p>ISO 31000 espouses eleven key principles that underpin <a title="Risk Management" href="https://inconsult.com.au/services/risk-management/">effective risk management</a>. The second of these is that risk management is an integral part of all organisational processes. It is the role of the second line to provide the systems and advice necessary to integrate risk management into key processes and allow the front line to manage for success.</p>
<p>Using our sporting metaphor, the second line of defence (in those sports that utilise one) usually plays a multi-faceted role – at times anticipating what might go wrong up front and being ready to react, whilst at other times acting as another set of eyes for the front line and shouting advice and encouragement when needed. Sometimes the second line steps up to the front if reinforcements are necessary and other times it drops back in cover defence.</p>
<h4>The third line – internal audit</h4>
<p>Thirdly (and it seems appropriate when talking about the three lines of defence to make three observations), leaving aside whether internal audit is really a line of defence, referring to it as the “third” line reinforces that internal audit should never be relied upon as a primary control measure. Internal audit’s role is largely detective and corrective, i.e. detect control weaknesses or breakdowns and suggest improvements or remedial action. Quite often in risk workshops managers will nominate internal audit as a key control. Whilst it might be flattering that managers see internal audit this way, it is a dangerous view. Internal audit should never be relied upon or expected to detect every control breakdown, error or deficiency. Whilst sampling should be statistically valid it is just that – sampling. Internal audit does not generally review every single transaction.</p>
<p>Continuing our football metaphor, if a team continually relies on its fullback or goal keeper to save the day, it will lose more often than it wins. Internal audit has a key role to play but if the front line is relying on it to pick up everything that slips through the cracks, the organisation has a problem.</p>
<h4>Takeaways</h4>
<p>Models are really just tools to simplify complex functions and relationships in a way that makes them easier to explain and understand. They are rarely perfect and valid for every conceivable situation. If we bear this in mind, then the Three Lines of Defence Model can provide a theoretical foundation for an effective risk and assurance framework. But like any model, it is only as strong as the people that work within it and it has to be tailored to the specific context in which the organisation operates. Nonetheless, if we view the three lines of defence as critical components working together rather than in independent roles, the model has much to offer. The concept of operational staff and management working in collaboration with the risk, compliance and internal audit functions to create a multi-pronged and yet integrated approach to managing risk and helping to achieve objectives has to at least be worthy of consideration.</p>
<p><em>Mitchell Morley has over 20 years experience in Local Government, governance, risk management and audit.  He can be contacted on 02 9241 1344 or via email at mitchellm@inconsult.com.au.</em></p>
<h4>More on the Three Lines of Defence&#8230; Watch One Minute Risk Manager on YouTube</h4>
<p><a href="https://www.youtube.com/watch?v=guOcPowObeQ" target="_blank" rel="noopener noreferrer"><img loading="lazy" decoding="async" class="alignnone wp-image-2344 size-full" src="https://inconsult.com.au/wp-content/uploads/2015/08/omrm.png" alt="" width="168" height="113" /></a></p>
<p>When managing enterprise-wide risks, the <strong>Three Lines of Defence</strong> is a simple way to communicate and clarify the responsibilities of various lines of management with respect to their control responsibilities.</p>
<p>NOTE: Since this article and our video first appeared, the three lines of defence model was updated by the IIA in 2020 as the <a href="https://aicd.companydirectors.com.au/membership/company-director-magazine/2020-back-editions/november/risk-and-compliance-rethinking-the-three-lines-of-defence" target="_blank" rel="noopener">Three Lines Model</a>.</p>
The post <a href="https://inconsult.com.au/publication/understanding-the-three-lines-of-defence/">Understanding the Three Lines of Defence</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Seven Tips for Improving the Operation and Outcomes of Audit Committees</title>
		<link>https://inconsult.com.au/publication/seven-tips-for-improving-the-operation-and-outcomes-of-audit-committees/</link>
		
		<dc:creator><![CDATA[CreativeTeam]]></dc:creator>
		<pubDate>Wed, 02 Oct 2019 02:40:58 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=3899</guid>

					<description><![CDATA[<p>Having attended a large number of audit committee meetings over the years I have seen a wide variety of practices ranging from the good to the not so good. Audit committees can add significant value and play a key role in improving the governance, risk management and internal control frameworks within an organisation. However, the [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/seven-tips-for-improving-the-operation-and-outcomes-of-audit-committees/">Seven Tips for Improving the Operation and Outcomes of Audit Committees</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Having attended a large number of audit committee meetings over the years I have seen a wide variety of practices ranging from the good to the not so good. Audit committees can add significant value and play a key role in improving the governance, risk management and internal control frameworks within an organisation. However, the ability of the committee to successfully achieve these outcomes is often constrained by its structure and operation. Based on my experience, I offer the following 7 tips to help improve the functioning and output of an audit committee.</p>
<h4>1. Forward Meeting Agenda/Plan</h4>
<p>Most audit committees have a charter which sets out the committee’s responsibilities. These generally include oversight of the risk management and internal control frameworks, internal and external audit and perhaps oversight of legislative compliance and fraud and corruption prevention amongst other things. Whilst these responsibilities are all related aspects of an organisation’s corporate governance framework, in practice most committees struggle to cover off everything on the list.</p>
<p>The best way to address this is to develop a forward meeting agenda or plan which lists all of the committee’s responsibilities and indicates when and how the committee will receive reports or information on each. So for example, if the committee has as one of its responsibilities oversight of the organisation’s framework for monitoring and managing legislative compliance obligations, designate a meeting during the year at which a report on the compliance framework will be tabled.</p>
<p>This is obviously a simple tool but one that will enable the committee, at the end of each year, to “tick off” that it has considered all of the areas it is required to and hence met its responsibilities under its charter.</p>
<h4>2. Staff attendance at meetings</h4>
<p>Some committee meetings always seem to be attended by a multitude of staff that easily outnumber committee members (sometimes two to one!) whilst others are only ever attended by one or two of the same staff. I would always suggest leaning towards inviting more staff rather than fewer (within reason).</p>
<p>The problem with only having the same one or two staff attend each meeting is twofold. Firstly, the committee only hears information from the same people all the time which can often lead to a degree of filtering (intentional or unintentional). Secondly, many staff, including senior managers, often have little idea about what the audit committee does, who is on it or what its views and expectations are.</p>
<p>In my view, it is good practice to have staff come along to audit committee meetings to present or respond to reports relating to their areas of the organisation. If there is an internal audit report on the agenda regarding the recruitment process, for example, then have the HR Manager come along to answer questions and gauge the response of the committee to the findings. This will help build trust and relationships between staff and committee members which will ultimately benefit all stakeholders.</p>
<h4>3. Member rotation</h4>
<p>A significant risk for audit committees is that they can become very stagnant if membership stays the same for too long. Problems can also arise if all, or a majority, of the committee members leave at the same time. The ideal solution is to stagger member tenure. So if independents are appointed for three years and there are three independents, replace one each year. This will ensure that new ideas and perspectives are being brought to the committee each year without losing continuity of knowledge.</p>
<h4>4. KPIs and Self Evaluation</h4>
<p>In any endeavour it is important to identify what success looks like. Audit committees should be no different. How do we know whether the committee is achieving its objectives and making a difference?</p>
<p>It is good practice for a committee to adopt some KPIs and/or success measures and report against these periodically. An annual committee member self-evaluation survey can also be a useful tool.</p>
<p>Of course, one of the problems here is that it can be difficult to measure the success or otherwise of an audit committee. Does it depend on the number of meetings held, the number of decisions made or audit recommendations adopted or the value/benefit of improvement opportunities endorsed by the committee? There is no clear cut answer.</p>
<p>In my experience it is probably better to focus on how the committee works and operates. Are all members attending regularly? Can the committee tick off that it has fulfilled all of its obligations under its charter each year? Are members satisfied with the way meetings are run and their ability to make a contribution? If these things can all be answered in the affirmative then there is a good chance that the committee is adding value to the organisation.</p>
<h4>5. Focus on frameworks, systems and policies</h4>
<p>A common pitfall is for audit committees to get too involved in transactional level detail. “Can we get a report about that particular matter…” or “whatever happened to that issue with…” or “why hasn’t that issue been fixed yet..” are examples of requests that are sometimes made by committee members.</p>
<p>Generally the role of the committee should be to form a view as to whether management has adequate systems and controls in place to manage key risks to the achievement of the organisation’s objectives. To fulfil this role effectively, the committee needs to focus on frameworks, policies, procedures and systems. “Are they in place?”, “Are they robust?” and “Are there adequate assurance mechanisms in place?” are the sorts of questions that need to be asked and answered. Yes, it may be appropriate for the committee to monitor KPIs, incident statistics, lessons learnt from incidents etc., but rarely will a committee add value by focussing on the nitty gritty of what has happened or may happen.</p>
<h4>6. Committee Member induction</h4>
<p>Most independent members of audit committees are appointed because they have some experience in one or more areas of concern to the committee. Many have served on boards and audit committees previously. One would hope that board members (or councillors in the case of local government) nominated to the committee would also have appropriate knowledge and experience but in practice this is not always the case.</p>
<p>In my experience the level of induction provided to audit committee members is often very basic or in some cases non-existent. In practice, most committee members receive a copy of the committee charter and a quick briefing from the Governance Manager or the like and away they go.</p>
<p>Some of the problems that audit committees encounter, especially in the infancy of the committee, could be overcome by providing new members with a more thorough induction. This could be done in-house or by an external provider or a combination of both. A good induction should cover off the roles and responsibilities of the committee and its members, meeting procedures, tips for success, pitfalls to avoid, personal liability and obligations of members. A good overview of the organisation including some site visits if appropriate is also critical.</p>
<h4>7. Adequate time for members to read agendas and reports</h4>
<p>This is obviously a basic principle of good meeting practice for any committee however I am amazed at how often it is violated at audit committee meetings. The biggest problem is usually tabling of late items or distribution of supporting or supplementary information at the meeting. Sometimes this information is complex and quite voluminous. How any committee member is able to digest and properly understand information put in front of them for the first time at the meeting is beyond me.</p>
<p>Given the nature of audit committees and the fact that meeting dates are usually set many months in advance there should be very few, if any, late items. With a bit of organisational discipline, there should be no supplementary information or reports tabled at the actual meeting. Everything of substance should go out with the agenda several days beforehand.</p>
<p>Many, if not all, of the tips in this article come down to basic principles of good meeting practice. But it is amazing how many committees fall into bad habits or neglect these fundamental principles. Whilst all committee members and support personnel have a role to play in ensuring the optimal functioning of the committee, the key role, in my view, is that of the chairperson. If the chairperson sets the right tone and ensures that the fundamentals are adhered to, the committee is much more likely to operate effectively. By always striving to improve committee processes, committees can and should function effectively and add value to the organisation.</p>
<p>&#8211; &#8211; &#8211; &#8211; &#8211;</p>
<p><em><strong>Mitchell Morley</strong>, B.Ec, MIIA (Aust), has over 20 years’ experience in internal audit, corporate governance, risk management, OH&amp;S, records management, privacy management, insurance arrangements and administrative services. He can be contacted on 02 9241 1344 or mitchellm@inconsult.com.au.</em></p>
The post <a href="https://inconsult.com.au/publication/seven-tips-for-improving-the-operation-and-outcomes-of-audit-committees/">Seven Tips for Improving the Operation and Outcomes of Audit Committees</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
