<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>GOVERNMENT | InConsult</title>
	<atom:link href="https://inconsult.com.au/publication-category/government/feed/" rel="self" type="application/rss+xml" />
	<link>https://inconsult.com.au</link>
	<description>Helping you confidently take risks</description>
	<lastBuildDate>Mon, 13 Apr 2026 02:08:24 +0000</lastBuildDate>
	<language>en-AU</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>https://inconsult.com.au/wp-content/uploads/2021/06/cropped-favicon-3-32x32.jpg</url>
	<title>GOVERNMENT | InConsult</title>
	<link>https://inconsult.com.au</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Restricted vs Unrestricted Funds in Local Government</title>
		<link>https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 13 Apr 2026 01:27:37 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=14741</guid>

					<description><![CDATA[<p>Restricted vs Unrestricted Funds in Local Government: Governance, Risks and Controls For many NSW councils, financial sustainability is a real risk and not just something in a risk register. Managing financial expenditure, i.e. public funds, in accordance with legislation is critical. But the real financial question is not how much cash sits on the balance sheet, [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/">Restricted vs Unrestricted Funds in Local Government</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<h1>Restricted vs Unrestricted Funds in Local Government: Governance, Risks and Controls</h1>
<p>For many NSW councils, financial sustainability is a real risk and not just something in a risk register. Managing financial expenditure, i.e. public funds, in accordance with legislation is critical. But the real financial question is not how much cash sits on the balance sheet, it is how much of that cash is actually available to use. That is why understanding restricted vs unrestricted funds in local government is critical.</p>
<p>In NSW local government, the restricted vs unrestricted funds distinction matters because a significant share of council cash is either legally quarantined, internally allocated for future purposes, or needed to maintain liquidity for day-to-day operations. The recent NSW Audit Office’s Local government 2025 <a href="https://www.audit.nsw.gov.au/our-work/reports/local-government-2025">report</a> identified that:</p>
<ul>
<li>19 councils did not have enough cash and investments not subject to external restrictions to cover three months of general expenses, and</li>
<li>weaknesses in internal controls and governance were identified at most councils.</li>
</ul>
<p>For this, and many other important reasons, restricted and unrestricted funds should be treated as a frontline governance issue, not just a finance note at year end.</p>
<p>The legislative and policy framework is clear. The Local Government Act 1993 (the Act) says money raised by a special rate or charge, money that legislation says can only be used for a specific purpose, and specific purpose advances or grants from government cannot be used for other purposes except in limited circumstances.</p>
<p>The Office of Local Government (OLG) Local Government Code of Accounting Practice and Financial Reporting (OLG Code) also requires councils to maintain adequate accounting records, systems and internal controls, and to disclose restricted and allocated cash, cash equivalents and investments in their financial statements.</p>
<h2>Council funds sit in 3 &#8216;buckets&#8217;</h2>
<p>In simple terms, council funds typically sit in three distinct ‘buckets’:</p>
<ul>
<li><strong>Externally restricted funds</strong>: money that council is legally required to use for the specific purpose for which it was provided.</li>
<li><strong>Internally restricted funds</strong>: money that council has set aside by resolution for a specific future purpose. These funds are not &#8216;legally&#8217; restricted, but they should only be moved or repurposed through formal council resolution.</li>
<li><strong>Unrestricted funds</strong>: money that is available to support day-to-day operations, manage cash flow, respond to unexpected costs and maintain financial flexibility.</li>
</ul>
<p><img fetchpriority="high" decoding="async" class=" wp-image-14750 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-300x89.png" alt="restricted vs unrestricted funds in local government" width="860" height="255" srcset="https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-300x89.png 300w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-1224x362.png 1224w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-768x227.png 768w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-1536x455.png 1536w, https://inconsult.com.au/wp-content/uploads/2026/04/three-buckets-of-council-funds-2048x606.png 2048w" sizes="(max-width: 860px) 100vw, 860px" /></p>
<h2>Why externally restricted funds matter</h2>
<p>Externally restricted funds are the most tightly controlled category of council cash. These are amounts that council holds because legislation or a third-party agreement says the money can only be used for a defined purpose. The OLG Code describes them as cash, cash equivalents and investments available only for specific use because of legislation or third-party contractual agreement, and requires councils to disclose both the amount and nature of those restrictions. Common examples include water funds, sewer funds, developer contributions, domestic waste management, stormwater management and tied grants.</p>
<p>The purpose of external restriction is simple &#8211; it protects public trust and legal compliance. Developer contributions are collected to fund future infrastructure. Tied grants are provided to deliver a specified program. Special rates and charges are levied for a stated purpose. These are not general operating funds.</p>
<p>The NSW Audit Office warned that low available cash (money available as unrestricted funds) increases the risk of externally restricted cash being used for an improper purpose, and reported two high-risk findings where councils breached the Act by spending externally restricted cash and investments for an improper purpose.</p>
<h2>The strategic role of internal restricted funds</h2>
<p>Internal restricted funds, often described as internal allocations or reserves, are different. They are not imposed by legislation or grant conditions. They are set aside by council resolution or policy for a defined future purpose.</p>
<p>The OLG Code says internal allocations are cash, cash equivalents and investments allocated by council resolution or policy to identified programs of work and forward plans, and because they remain at council’s discretion they are disclosed but not deducted from total cash and investments in the same way as external restrictions.</p>
<p>This is where good financial leadership and governance become visible. Internal allocations are how councils plan ahead to smooth future costs instead of lurching from one budget shock to the next. Internal restricted funds can be used for plant and vehicle replacement, employee leave entitlements, asset replacement, IT renewal, carryover works, quarry remediation and bonds and deposits. That is exactly what a mature, proactive reserve framework should do &#8211; convert foreseeable liabilities, renewal needs and cyclical expenditures into transparent funding strategies.</p>
<p>The <a href="https://www.olg.nsw.gov.au/councils/policy-and-legislation/integrated-planning-and-reporting">IP&amp;R framework</a> also reinforces this discipline. NSW councils must prepare and adopt a Long-Term Financial Plan, use it to inform decision-making, and review and update its assumptions, projected income, expenditure, balance sheet and cash flow at least annually as part of the Operational Plan.</p>
<p>A Council&#8217;s Annual Report is also framed as a key point of accountability to the community and must include the council’s audited financial statements. In other words, internal allocations should never sit outside strategy; they should be linked directly to the Long-Term Financial Plan, Delivery Program and Operational Plan.</p>
<h2>Why unrestricted funds are the real test of resilience</h2>
<p>Unrestricted funds are the balances genuinely available to support day-to-day operations and liquidity, absorb shocks and fund priorities that are not already allocated elsewhere. Unrestricted funds are the cash councils rely on to pay suppliers, continue services, retain staff, manage timing differences in capital delivery and maintain financial flexibility.</p>
<p>The Audit Office’s 2025 report makes it clear why this is important. 19 councils lacked enough available cash to meet three months of general expenses, and the unrestricted current ratio remains an important indicator of short-term financial capacity. The report notes the previous OLG benchmark of 1.5, meaning $1.50 in unrestricted current assets for every $1 in current liabilities.</p>
<p>Unrestricted cash should therefore be treated as funding available for unexpected or emergency expenses, liquidity support, short-term cash flow, operational efficiency and long-term financial sustainability. A target level of unrestricted cash can also be set at the greater of $2 million or 50% of current liabilities not otherwise funded by restrictions or allocations, with an unrestricted current ratio below 1.5:1 treated as a trigger for immediate attention.</p>
<h2>Governance arrangements for restricted vs unrestricted funds</h2>
<p>The strongest councils do not manage restricted and unrestricted funds just via council resolutions, spreadsheets and memory. They manage them through formal governance arrangements.</p>
<p>That starts with a <strong>council-adopted policy</strong> that defines external restrictions, internal allocations and unrestricted cash. The policy should set approval pathways and link reserves to the Community Strategic Plan, Delivery Program, Operational Plan and Long-Term Financial Plan. Good practice requires any future internal allocation to be established by council resolution, with a defined purpose and a basis for calculating transfers.</p>
<p>From there, the control framework needs to be operational, not symbolic.</p>
<p>The NSW Audit Office’s better-practice observations are especially useful here. It found some councils still rely on highly manual annual processes to manage and report restricted cash, which increases the risk of error and breach. By contrast, one better-practice council case study linked its quarterly cash and investment budget review statement directly to the general ledger, configured the ledger to reflect externally restricted balances, and had the statement independently reviewed within the finance team.</p>
<p>The NSW Audit Office also highlighted the importance of regular reconciliation, enhanced processes and controls, transparent reporting to decision-makers, and ARIC oversight.</p>
<p>In practical terms, councils should have a clear ownership model. Finance owns the register and reconciliations, business units own the business purpose of each reserve, executives own challenge and reprioritisation, council owns creation and release of internal allocations by resolution, and ARIC owns oversight of control effectiveness, compliance risk and remediation actions.</p>
<h2>Rules for moving money in, out or between funds</h2>
<p>This is where councils most often get into trouble.</p>
<p>Externally restricted funds cannot simply be used to solve a general fund cash pressure. Section 409 of the Act limits the use of special rates or charges, legislatively restricted money and specific purpose advances or grants to their intended purpose. Section 410 creates only a narrow pathway for alternative use of some money raised by special rates or charges once the original purpose has been achieved or is no longer required, and only after public notice through the operational plan process.</p>
<p>Internal allocations are more flexible, but that does not mean they should be moved casually. Councils should adopt a sensible policy under which transfers into or out of restricted cash require council resolution, whether through a specific resolution, adoption of the Quarterly Budget Review Statement, or adoption of annual financial statements containing a schedule of movements. The policy can state that council may borrow from internally allocated cash, but not from externally restricted cash without Ministerial consent, and that any such borrowing must be authorised by resolution with the full impact disclosed and interest paid.</p>
<p>That is the right principle for all councils to adopt. Legal restrictions are not optional, and internal restrictions are not informal. Even where council has discretion, reserve movements should be rule-based, transparent and documented.</p>
<h2>The biggest risks councils need to control</h2>
<p>The governance risk is not just technical non-compliance. It is financial control drift. When councils lose sight of what cash is restricted, allocated or genuinely free, three risks emerge quickly.</p>
<ol>
<li><strong>Councils may misstate liquidity.</strong> A healthy cash balance can hide a weak unrestricted cash position if too much of the total balance is externally restricted. The NSW Audit Office’s analysis shows that many regional and rural councils carry high proportions of externally restricted balances, especially where water and sewer charges form a large part of cash holdings.</li>
<li><strong>Councils may create “shadow budgets” through unmanaged internal reserves.</strong> If internal allocations are not tied to a documented purpose, target funding basis, forecast drawdown and annual review, they can become stale, duplicated or politically immovable. The IP&amp;R framework is designed to prevent that by requiring annual review of the Long-Term Financial Plan and alignment between planning, delivery and reporting.</li>
<li><strong>Councils may breach the Act through weak controls, errors or deliberate misconduct.</strong> The NSW Audit Office’s findings on externally restricted cash show that poor monitoring, manual processes and weak reporting are enough to create serious compliance failures.</li>
</ol>
<h2>The KPIs and reports that matter most</h2>
<p>Councils should separate compliance reporting from decision-based reporting. At a minimum, councillors, executives and ARIC should receive a reporting pack that clearly distinguishes externally restricted balances, internal allocations and unrestricted cash.</p>
<p>The core KPIs should include the unrestricted current ratio, unrestricted cash as a percentage of current liabilities, months of general expenses covered by available cash, total externally restricted balances by category, internal allocations against target and forecast drawdown, local infrastructure contribution balances and spend rates, and the number and value of approved transfers, internal borrowings, breaches or near misses.</p>
<p>The NSW Audit Office’s financial sustainability analysis specifically used available cash, unrestricted current ratio and own source revenue to assess councils with heightened risk, which makes those measures especially useful for internal monitoring.</p>
<p>The reporting cycle should also be disciplined. The OLG Code states that councils must meet multiple financial reporting requirements, including annual audited financial reports, an annual operational plan, a Long-Term Financial Plan and quarterly budget review statements. The IP&amp;R Guidelines require budget review statements to be reported to council within two months after the end of each quarter, except the fourth quarter, and the Annual Report to be prepared within five months of year end. Many councils have a monthly Investments Report for unrestricted cash oversight.</p>
<h2>Restricted vs unrestricted funds &#8211; Takeaways</h2>
<p>The strongest councils understand that reserve management is not about hoarding cash. It is about governing purpose.</p>
<p>Externally restricted funds protect legal and community obligations. Internal restricted funds protect future service capacity and planned asset renewal. Unrestricted funds protect resilience, liquidity and strategic choice.</p>
<p>When councils clearly define each category, set strict movement rules, link reserves to long-term planning, and report them transparently to council, ARIC and the community, they do more than stay compliant. They become more credible, more sustainable and strengthen the financial management and control culture.</p>
<h2>Can we help?</h2>
<p>Since 2001, we have worked with more than 115 NSW councils to strengthen risk management, resilience and internal controls through our internal audit and assurance services. Whichever service you choose, our goal remains the same: to help you manage risk with confidence and provide practical advice that supports informed, effective decision-making.</p>
<p>Can we help? If your council is reviewing its approach to restricted and unrestricted funds, reserve governance or financial control settings, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss how we can support your needs.</p>
<p>#RiskManagement #InternalAudit #Assurance #Governance #LocalGovernment #FinancialSustainability #InternalControls #RestrictedFunds #UnrestrictedFunds #CouncilGovernance</p>
The post <a href="https://inconsult.com.au/publication/restricted-vs-unrestricted-funds-in-local-government/">Restricted vs Unrestricted Funds in Local Government</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The 4 Chief Risk Officer Archetypes For Success</title>
		<link>https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 05 Sep 2025 06:11:38 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=12682</guid>

					<description><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are. The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Beyond the risk registers, the quantitative risk analysis, decision support tools and compliance checklists, the true art of risk management lies within you &#8211; the chief risk officer. It&#8217;s not just about what you know, but who you are.</p>
<p>The most effective chief risk officers don&#8217;t just see threats, they see themselves. They understand that their character, their style, and their approach to people are as critical as any technical skill. This is where the power of chief risk officer archetypes comes into play.</p>
<p>By exploring these universal models of leadership, you can unlock another level of self-awareness allowing you to not only understand your natural strengths but also strategically adapt your approach to master the ever-evolving landscape of risk.</p>
<h3><strong>What is an Archetype?</strong></h3>
<p>An archetype is a universal model or pattern. Think of an archetype as a basic blueprint for a character, idea, or behaviour that appears again and again across different cultures and stories.</p>
<p>In business, archetypes are often applied to <a href="https://marchbranding.com/design-insight/brand-archetypes" target="_blank" rel="noopener">brands</a> to help companies define their identity, guide strategy, and connect with customers on a deeper, more emotional level. They serve as psychological shortcuts that make complex ideas more relatable and memorable. For example, &#8220;The Hero&#8221; archetype is used for brands that empower customers to be their best; think of Nike and its &#8220;Just Do It&#8221; slogan. Another example is &#8220;The Outlaw&#8221; archetype, used for brands that challenge the status quo and empower rebellion. Harley-Davidson and Virgin are well known for this.</p>
<p>Archetypes can also be used to understand and categorise <a href="https://hbr.org/2013/12/the-eight-archetypes-of-leadership" target="_blank" rel="noopener">leadership styles</a> and professional roles. This helps in talent management, team building, personal development and recruiting the &#8220;right&#8221; person.</p>
<p>For example, when recruiting a new Chief Executive Officer (CEO), archetypes help identify which leader fits the company&#8217;s current stage of growth. The Fix-It Leader, or Change-Catalyst, is a specialised archetype used for company turnarounds. This leader is not a builder or innovator. They are a turnaround expert whose main goal is to diagnose problems, make difficult decisions and start the changes to restore a company&#8217;s health.</p>
<h3><strong>Using Chief Risk Officer Archetypes</strong></h3>
<p>By categorising risk leaders into archetypes, the board and CEO can better understand what kind of expertise and risk leadership is required to manage complex challenges. This allows for a more intentional and strategic approach to talent management and organisational design within the C-suite.</p>
<p>A word of warning: archetypes are not static &#8220;personality types&#8221; of the kind produced by the <a href="https://www.themyersbriggs.com/en-US/Products-and-Services/Myers-Briggs" target="_blank" rel="noopener">Myers-Briggs Type Indicator</a> (MBTI) tool for understanding personality. The MBTI&#8217;s goal is to sort people into one of 16 distinct, static &#8220;personality types&#8221; (such as INTJ or ESFP) based on their preferences in four dichotomous categories. In contrast, archetypes are more dynamic and symbolic. An individual may be influenced by several archetypes at different times and in different ways.</p>
<h3><strong>The 4 Chief Risk Officer Archetypes</strong></h3>
<p>From our literature review, a handful of chief risk officer archetypes have already been identified, mainly by large and credible consulting firms. Most of these models present three archetypes for risk leadership.</p>
<p>Deeper research into these models, together with reflection on our real-world experience assessing risk management frameworks, risk leadership, risk culture, risk maturity and risk capability across public and private sector organisations, has revealed a fourth, distinct profile. In total, we have identified four chief risk officer archetypes that serve as strategic blueprints for how a risk leader operates within an organisation. And remember, a risk leader may be influenced by several archetypes at different times and in different ways.</p>
<p><img decoding="async" class=" wp-image-12687 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png" alt="Chief Risk Officer Archetypes" width="524" height="306" srcset="https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-300x175.png 300w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult-768x449.png 768w, https://inconsult.com.au/wp-content/uploads/2025/09/Chief-Risk-Officer-Archetypes_InConsult.png 1131w" sizes="(max-width: 524px) 100vw, 524px" /></p>
<p>These archetypes aren&#8217;t about a person&#8217;s personality type. They describe a leader&#8217;s primary focus, motivation, and style. Leaders can tailor these approaches to a company&#8217;s specific needs at different stages of its risk maturity.</p>
<h4>1. The Innovator</h4>
<p>The Innovator is a risk leader who sees risk as a strategic tool for growth and competitive advantage, not a barrier.</p>
<p>They are not just managing risk but actively using it to drive the business forward. They are forward-looking, visionary, and a strong partner to the business.</p>
<p>Innovators work hand-in-hand with the business to help drive growth and capture new opportunities. Instead of focusing solely on protection, they are visionaries who use advanced technology, risk models and a higher risk appetite to help the C-suite build new business models, launch ventures, and expand into new markets.</p>
<p>They have a higher tolerance for risk and focus on identifying opportunities within higher levels of uncertainty and complexity. Operating in higher levels of uncertainty is their comfort zone.</p>
<p>Their key questions are &#8220;How can we use risk to our advantage?&#8221; and &#8220;What&#8217;s the best way to take a calculated risk?&#8221;</p>
<p>As their core motivation is value creation, Innovators are ideal for high-growth companies, start-ups, new product launches, market expansion, M&amp;A projects or supporting innovation within a larger corporation.</p>
<h4>2. The Guardian</h4>
<p>The Guardians are risk leaders who prioritise building a resilient and sustainable organisation. They see themselves as the ultimate protectors of the organisation.</p>
<p>Their primary focus is on long-term protection, sustainability and resilience &#8211; not just short-term problem solving. They typically create strong and stable foundations to withstand future shocks.</p>
<p>Guardians methodically structure their work and focus heavily on risk governance. They build robust frameworks, embed a strong risk culture, and ensure compliance with regulations. Their main concern is with what could go wrong and how to prevent it.</p>
<p>In essence, the Guardians&#8217; mission is to safeguard the organisation from the ground up, thereby making sure it can weather any storm and any emerging risk.</p>
<p>They often ask, &#8220;Are we prepared for the future?&#8221; and &#8220;What safeguards do we need?&#8221;</p>
<p>Guardians thrive in established, risk-averse, and highly regulated organisations. In these environments, long-term stability and resilience matter more than aggressive growth. Consequently, the Guardian&#8217;s methodical and protective nature perfectly suits sectors where failure is costly and compliance is mandatory. This is why Guardians are prominent in financial services, healthcare, and public sector agencies.</p>
<h4>3. The Operator</h4>
<p>The Operators are the risk leaders who excel at the practical, day-to-day management of risk. They are pragmatic, hands-on problem-solvers who focus on efficiency, crisis management and immediate results.</p>
<p>Operators thrive in situations demanding efficiency, decisive action, and stability.</p>
<p>They are action-oriented and decisive, with a strong focus on the present. For this reason, they are often brought in to help stabilise a business, resolve a crisis, or streamline operations. Furthermore, they prioritise getting the fundamentals right and aren&#8217;t afraid to make tough, unpopular decisions. Ultimately, Operators are all about managing immediate challenges, whether they&#8217;re navigating a crisis or ensuring smooth, efficient operations by de-risking them.</p>
<p>Their key questions are &#8220;How can we fix this right now?&#8221; and &#8220;What is the most efficient way to manage this?&#8221;</p>
<p>Their value lies in their ability to handle real-world challenges with speed and precision, ensuring the company remains stable and on course.</p>
<p>Operators are ideal for organisations facing a range of immediate risks and resilience challenges, undergoing restructuring, or prioritising efficiency and stability over radical growth. They excel in environments where direct problem-solving is a top priority: organisations with known risk management issues, companies in crisis, and highly regulated industries.</p>
<h4>4. The Influencer</h4>
<p>The Influencers are risk leaders who rely on collaboration and communication to achieve their goals. Instead of using a top-down, command-and-control approach, they use soft power to build consensus and unite disparate teams. In other words, they don&#8217;t lead through authority, but through collaboration and persuasion.</p>
<p>Influencers are catalysts for change, focusing on uniting people and building a shared understanding of risk across the entire organisation.</p>
<p>They are collaborative, communicative, and empathetic. They build strong networks, facilitate cross-functional dialogue, and empower others to take ownership of risk.</p>
<p>Their primary questions are &#8220;How can we get everyone on the same page?&#8221; and &#8220;How do we build trust?&#8221;</p>
<p>Therefore, they are natural facilitators who create open dialogue and a common language around risk, ensuring that risk management becomes a collective responsibility rather than a siloed function.</p>
<p>The Influencer archetype is ideal for organisations that need to foster a collaborative risk culture, break down silos, or manage complex transformations where buy-in from multiple stakeholders is critical. Their strength lies in their ability to unite disparate teams and build consensus. Influencers thrive in large, complex organisations, companies undergoing major transformations, and industries where collaboration, project-based work, and teamwork are critical to success.</p>
<h3><strong>Final Thoughts</strong></h3>
<p>These four archetypes provide a powerful lens for understanding different styles, moving beyond a one-size-fits-all approach to risk leadership.</p>
<p>It is possible for a chief risk officer to possess elements of all four archetypes, but it&#8217;s highly unlikely they will master them all equally. Most individuals have a dominant, natural style they rely on, with secondary styles they can develop and use when a situation calls for it.</p>
<p>Ultimately, by recognising if you&#8217;re predominantly an Innovator, Guardian, Operator, or Influencer, you can leverage your natural strengths and identify your blind spots. In turn, this allows you to intentionally adapt your approach to fit your organisation&#8217;s specific needs.</p>
<p>These archetypes transform the abstract idea of a &#8220;risk personality&#8221; into a practical framework for self-awareness and professional growth. This lets you do more than just manage risk. It also helps you engage better with key stakeholders and master your role in shaping a resilient, successful future.</p>
<p>The goal isn&#8217;t to be all four at once, but to understand which style a given situation demands and to be flexible enough to apply it.</p>
<h3><strong>How We Can Help You Take Better Risks</strong></h3>
<p>We are here to help strengthen your risk management capabilities, systems and processes.  Our risk management capabilities include:</p>
<ul>
<li>Providing an interim Chief Risk Officer to backfill a vacancy.</li>
<li>Providing a dedicated Risk Officer on demand through our Virtual Risk Officer service.</li>
<li>Helping organisations take their first steps towards implementing a formal and proactive enterprise-wide risk management framework.</li>
<li>Performing an independent review or health check of your existing risk management framework to identify gaps and level of maturity.</li>
<li>Conducting risk workshops covering strategic, operational and project risks.</li>
<li>Conducting risk culture assessments.</li>
<li><a href="https://inconsult.com.au/services/risk-management-transformation/" target="_blank" rel="noopener">Risk management transformation</a>.</li>
<li>Supporting you across a range of risk management services including business continuity, crisis management, cyber risk, climate change risk, third party risk and fraud risk.</li>
</ul>
<p>Take risk management to the next level and <a title="Contact Us" href="https://inconsult.com.au/contact-us/">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/the-4-chief-risk-officer-archetypes-for-success/">The 4 Chief Risk Officer Archetypes For Success</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>New 2024 Internal Audit Standards: Insights for CAEs</title>
		<link>https://inconsult.com.au/publication/new-2024-internal-audit-standards-insights-for-caes/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Fri, 26 Apr 2024 03:05:55 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=11723</guid>

					<description><![CDATA[<p>The new 2024 Global Internal Audit Standards by The Institute of Internal Auditors (IIA) introduce several significant updates designed to enhance the practice and relevance of internal auditing in today&#8217;s turbulent and complex business environment.  The key changes reflect the profession’s evolution, accommodating newer challenges and ensuring the standards meet current needs effectively. The Standards [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/new-2024-internal-audit-standards-insights-for-caes/">New 2024 Internal Audit Standards: Insights for CAEs</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>The new 2024 Global Internal Audit Standards by The Institute of Internal Auditors (IIA) introduce several significant updates designed to enhance the practice and relevance of internal auditing in today&#8217;s turbulent and complex business environment. The key changes reflect the profession’s evolution, accommodating newer challenges and ensuring the Standards meet current needs effectively. <a href="https://www.theiia.org/en/standards/2024-standards/global-internal-audit-standards/">The Standards</a> will be effective from 9 January 2025, which provides an opportunity for Internal Audit (IA) functions to reflect on their current practices.</p>
<p>The Chief Audit Executive (CAE) now has a significant opportunity to incorporate the latest developments in good practice and drive transformation to increase the value that IA can provide to stakeholders.</p>
<h2>The Key Changes</h2>
<p>The 2024 Global Internal Audit Standards mark a significant step forward in aligning internal audit practices with modern business challenges and governance expectations. By structuring the Standards into five domains and emphasising areas like cybersecurity, IT governance and ethical conduct, the IIA aims to enhance the professionalism, efficiency and impact of internal audit functions globally. Organisations are encouraged to transition to the updated Standards ahead of the January 2025 effective date so that their internal audit function is aligned with contemporary governance and risk management practices from day one.</p>
<h3>A Restructure &#8211; One Document</h3>
<p>The 2024 Standards have been restructured for better clarity and practical application. They are now combined into one document that contains the five mandatory components (Purpose of Internal Auditing, Ethics and Professionalism, Governing the Internal Audit Function, Managing the Internal Audit Function, and Performing Internal Audit Services) together with one of the recommended non-mandatory elements, the implementation guidance. The Standards use the word “must” in the Requirements sections, and the words “should” and “may” to describe common and preferred practices in the Considerations for Implementation sections.</p>
<p>This new structure aims to streamline the standards for easier navigation and application in diverse auditing environments.</p>
<p>Both assurance and advisory (formerly consulting) engagements are covered in the main body of the Standards and are not treated as separate categories. With very few exceptions, the requirements for advisory and ad hoc engagements now mirror those for risk-based assurance engagements.</p>
<p>The only non-mandatory section of the International Professional Practices Framework (IPPF) is the IIA’s ‘Global Guidance’ which includes non-mandatory information, advice and best practices for performing engagements.</p>
<p style="text-align: center;"><img decoding="async" class="alignnone wp-image-11732" src="https://inconsult.com.au/wp-content/uploads/2024/04/Screenshot-2024-04-26-122204-300x169.png" alt="Internal Audit International Professional Practices Framework" width="762" height="429" srcset="https://inconsult.com.au/wp-content/uploads/2024/04/Screenshot-2024-04-26-122204-300x169.png 300w, https://inconsult.com.au/wp-content/uploads/2024/04/Screenshot-2024-04-26-122204-1224x689.png 1224w, https://inconsult.com.au/wp-content/uploads/2024/04/Screenshot-2024-04-26-122204-768x433.png 768w, https://inconsult.com.au/wp-content/uploads/2024/04/Screenshot-2024-04-26-122204.png 1408w" sizes="(max-width: 762px) 100vw, 762px" /></p>
<p style="text-align: center;"><em>The 5 Domains and 15 Principles of the new International Professional Practices Framework (IPPF)</em></p>
<h3>Refined Purpose of Internal Auditing</h3>
<p>The previous Standards focused broadly on the purpose and necessity of standards for internal auditing effectiveness. The 2024 Standards clarify that internal auditing serves to enhance and protect organisational value, guiding adherence to a systematic, disciplined approach.</p>
<h3>Stronger Emphasis on Ethics and Professionalism</h3>
<p>The 2024 revision introduces a stronger emphasis on ethics and professionalism, consolidating related standards to ensure internal auditors uphold integrity, objectivity, and confidentiality in their conduct.</p>
<h3>New Governance Framework</h3>
<p>The Governing the Internal Audit Function domain is new in 2024 and underscores the importance of proper governance structures for internal auditing, highlighting the roles and responsibilities of the board and executive management in supporting the audit function.</p>
<p>According to the IIA, the new Standards aim to strengthen governance frameworks so that organisations can be more responsive to rapidly changing conditions.</p>
<h3>Unified Approach and Leadership Involvement</h3>
<p>The Standards emphasise the need for a unified approach to internal auditing that involves oversight by the board or an equivalent body. This alignment is intended to strengthen the organisation&#8217;s overall approach to risk management and optimise assurance and monitoring activities.</p>
<p>Domain III, ‘Governing the Internal Audit Function’, specifies what the CAE must do in order to support the Board and Senior Management to perform necessary oversight responsibilities for an effective IA function.</p>
<p>Each Standard in Domain III now defines the ‘Essential Conditions’ that the Board and Senior Management must establish for the IA function to meet its mandate and fulfil the Purpose of Internal Auditing.</p>
<h3>Aligning Internal Audit Planning and Performance Evaluation</h3>
<p>There is additional focus on the IA function’s mandate, vision, strategic planning and performance measurement. This is aimed at ensuring that the IA function is strategically aligned with the organisation&#8217;s goals and is effectively tracking and evaluating its findings and impact.</p>
<p>To support the organisation&#8217;s success and strategic objectives, the CAE must now create and implement an IA strategy that meets the expectations of the Board, Senior Management and other key stakeholders. This includes setting a vision, strategic goals and supporting initiatives for the IA function.</p>
<h3>Building Trust and Relationships</h3>
<p>The CAE must develop a strategy for the IA function to build strong relationships, connections and confidence with key stakeholders. The implementation guidance recommends surveys, interviews, workshops and ongoing informal contact with the organisation&#8217;s staff.</p>
<p>There&#8217;s a greater emphasis on how internal audit functions serve the public interest, alongside new requirements for quality assurance and improvement programs. This reflects a broader scope in the governance role of internal audits.</p>
<h3>Execution &#8211; Planning, Performing and Reporting</h3>
<p>The latest Standards enhance the focus on the execution of internal audit engagements, detailing methodologies for risk assessment, engagement planning and reporting. The Standards also incorporate current trends such as cybersecurity and information technology governance.</p>
<p>It is now a requirement to have &#8220;an engagement conclusion that summarises the engagement results relative to the engagement objectives and management&#8217;s objectives.&#8221; Engagement findings must be prioritised according to their significance. In the &#8220;Considerations for Implementation&#8221; section, ratings and rankings are suggested as a good practice but are not required.</p>
<h3>Internal Audit Technology</h3>
<p>While the 2017 Standards focused on individual and organisational attributes for effective auditing, the 2024 Standards provide a comprehensive framework on managing audit resources, skills, and technological tools to maintain functionality and adapt to organisational changes.</p>
<p>The CAE must now regularly evaluate the technology used by the IA function, pursue opportunities to improve its effectiveness and efficiency, and engage with the organisation&#8217;s IT and cyber security functions.</p>
<h3>Internal Audit Performance</h3>
<p>In order to assess the effectiveness of the IA function, the CAE must set objectives and evaluate IA performance against them. Example Key Performance Indicators (KPIs) to consider when implementing the Standard include:</p>
<ul>
<li>Percentage of the organisation’s key risks and controls reviewed;</li>
<li>Percentage of the internal audit plan (as adjusted and approved) completed on time;</li>
<li>Percentage of recommendations or action plans completed by management.</li>
</ul>
<p>The objectives and KPIs should form part of the CAE&#8217;s performance measurement approach, which also needs to include an action plan to address problems and areas for improvement.</p>
<h3>More Flexibility and Relevance</h3>
<p>The standards have been updated to be more flexible, allowing them to be more relevant across various industries and geographic regions. This includes specific guidance for public sector audits and smaller audit functions, ensuring adaptability to different global contexts.</p>
<p>Whilst the draft Standards were widely considered too prescriptive and difficult to implement, especially for smaller IA functions, CAEs now have more leeway in how they apply the final Standards: many of the &#8220;must&#8221; requirements in the draft 2023 Standards have been moved to the &#8220;Considerations for Implementation&#8221; sections.</p>
<h3>New Topical Requirements</h3>
<p>New guidance addresses contemporary risk areas like Cybersecurity, Information Technology Governance, Privacy Risk Management, Sustainability, ESG (Environmental, Social &amp; Governance), and Third-party Management. These additions aim to help internal audit functions focus on strategic risks and enhance their value to stakeholders.</p>
<h3>Emphasis on Quality Assurance and Improvement</h3>
<p>There is a renewed focus on continuous improvement and quality assurance in internal auditing, urging functions to implement regular and systematic reviews of their activities and outcomes.</p>
<h2>Implications for Key Stakeholders</h2>
<p>So what does this mean for key stakeholders like the Board, Audit and Risk Committee and the C suite?</p>
<ol>
<li>The 2024 IPPF emphasises a more strategic role for internal auditing within governance frameworks. This includes a greater emphasis on risk management and ensuring that internal audit activities are aligned with the broader strategic objectives of the organisation. This alignment is crucial for ensuring that internal audit provides value in identifying and mitigating potential risks before they impact the organisation.</li>
<li>There is a renewed focus on ethics and professionalism within the internal audit sector. The 2024 IPPF consolidates standards related to ethical behaviour, integrity, objectivity, and confidentiality. This ensures that internal auditors are held to a high standard of conduct, which is critical for maintaining stakeholder trust and the credibility of the audit function.</li>
<li>The new framework incorporates contemporary risk areas such as cybersecurity and information technology governance. This update acknowledges the increasing significance of technology in business processes and the associated risks. Ensuring that internal audits cover these areas can help protect organisations against emerging threats and enhance their resilience.</li>
</ol>
<h2>Step-by-Step Guide to Adapting to the 2024 Changes</h2>
<p>As a Chief Audit Executive, you play a critical role in transitioning your organisation to align with the new 2024 Global Internal Audit Standards. Here’s our strategic roadmap to guide your next steps:</p>
<ol>
<li>Begin by thoroughly understanding the key changes in the 2024 standards that are likely to impact your IA function and organisation. Focus on the restructured domains, new focus areas like cybersecurity, and the enhanced requirements for governance and risk management.</li>
<li>Conduct a comprehensive review of your current internal audit practices against the 2024 standards. Identify areas of compliance and gaps where enhancements are needed, particularly in the areas of IT governance, ethics, and professionalism.</li>
<li>Revise your internal audit charter and other key documents to reflect the changes in the Standards. This includes updating the audit plan, risk assessment methodologies and reporting formats. Enhance your quality assurance and improvement program so that it supports continuous conformance with the new Standards, and set up regular reviews to monitor adherence and effectiveness.</li>
<li>Review IA resources and potential capability and training needs.</li>
<li>Engage with key stakeholders, including the board of directors, senior management, and audit committees, to discuss the implications of the new standards and the expected changes in the internal audit function.</li>
<li>Clearly communicate the changes and enhancements in your internal audit function to relevant stakeholders. Ensure transparency in how these changes improve governance, risk management, and overall organisational resilience.</li>
<li>Begin implementing the necessary changes to align with the new standards. This may involve enhancing IT systems, revising governance structures, and introducing new audit tools and technologies.</li>
<li>Continuously monitor the effectiveness of the new practices and make adjustments as necessary. Stay informed about any further updates from the IIA regarding the standards.</li>
</ol>
<h2>Ready to Transform Internal Audit?</h2>
<p>Are you ready to elevate your internal audit function, protect organisational value, and lead with confidence? Your journey towards internal audit excellence starts here.  Here is how we can help:</p>
<p><strong>Establishing a new internal audit function</strong>: We specialise in setting up comprehensive internal audit systems tailored to your specific business needs and budget. Our expert team provides end-to-end solutions—from assessing your current risk and controls and developing a strategic audit plan to implementing auditing processes that are in line with the new standards.</p>
<p><strong>Co-sourcing</strong>: We work alongside your internal audit team on specific projects, providing additional expertise or manpower where needed.</p>
<p><strong>Specialised expertise</strong>: We bring specialised knowledge that your internal team might not possess, such as IT audits, cybersecurity, regulatory compliance, insurance, reinsurance, ESG, sustainability and environmental audits.</p>
<p><strong>Technology support:</strong> With the increasing integration of technology in auditing processes, an external provider can assist in implementing new audit software, analytics tools or other technologies that enhance the internal team&#8217;s capabilities.</p>
<p><a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">Contact us</a> today to schedule a consultation and discover how our services can help your audit function rise to the challenges of the 2024 standards.</p>
The post <a href="https://inconsult.com.au/publication/new-2024-internal-audit-standards-insights-for-caes/">New 2024 Internal Audit Standards: Insights for CAEs</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to Create a Culture of Fraud Reporting</title>
		<link>https://inconsult.com.au/publication/how-to-create-a-culture-of-fraud-reporting/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 03 Aug 2023 20:33:26 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10958</guid>

					<description><![CDATA[<p>Fraud, whether perpetrated internally or externally, can inflict severe financial losses, tarnish reputations, and undermine stakeholder trust. Moreover, the rise of sophisticated cyber threats and rapidly evolving techniques employed by fraudsters pose unprecedented challenges to many small and large businesses. Implementing robust fraud risk management strategies is not only essential for protecting an organisation&#8217;s bottom [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/how-to-create-a-culture-of-fraud-reporting/">How to Create a Culture of Fraud Reporting</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Fraud, whether perpetrated internally or externally, can inflict severe financial losses, tarnish reputations, and undermine stakeholder trust. Moreover, the rise of sophisticated cyber threats and rapidly evolving techniques employed by fraudsters pose unprecedented challenges to many small and large businesses.</p>
<p>Implementing robust fraud risk management strategies is not only essential for protecting an organisation&#8217;s bottom line but also for upholding its ethical integrity and sustaining long-term success.</p>
<p>Building a culture of fraud reporting is crucial.  By fostering an environment where employees feel safe and empowered to report suspicious activities, organisations can identify and address fraud early, protecting their interests and stakeholders.</p>
<p>In this publication, the InConsult team explore the essential steps in creating a culture of fraud reporting within an organisation to help combat such unethical behaviour.</p>
<h3>Establish a Clear Code of Ethics and Conduct</h3>
<p>A robust and transparent code of ethics and conduct serves as the foundation for fostering integrity within an organisation. This code should clearly outline the expectations for ethical behaviour, including zero tolerance for fraud, bribery, corruption, and other dishonest practices. It should also emphasize the importance of reporting any violations or suspicions without fear of retaliation.</p>
<p>The Code of Ethics and Conduct should be provided to all employees during onboarding, and it should be reviewed and signed as an acknowledgement. Elements of the organisation&#8217;s Code of Ethics and Conduct should be included in induction training and reinforced periodically, at least annually, by leaders and executives. Regular communication sets the tone for the entire organisation.</p>
<h3>Lead by Example</h3>
<p>Culture is usually top-down and not bottom-up, so creating a culture of fraud reporting starts at the top.  Leaders must “walk the talk” and demonstrate a real commitment to fraud prevention.  They must explain to employees that fraud is morally wrong and it will not be tolerated.  Leaders and executives must:</p>
<ul>
<li>actively encourage employees to report incidents and do so themselves,</li>
<li>lead by example and consistently adhere to the organisation&#8217;s ethical standards, and</li>
<li>demonstrate integrity in decision-making and day-to-day behaviours.</li>
</ul>
<h3>Establish Clear Boundaries, Policies and Procedures</h3>
<p>Guided by the governing body or board, leaders and executives need to provide clear and transparent fraud and corruption prevention policies as well as clear reporting guidelines and procedures that include the expectations, responsibilities and appropriate channels for reporting fraud incidents.</p>
<p>Ensure such policies are communicated to all employees and stakeholders and are easily accessible to employees, external service providers and the public.</p>
<p><img loading="lazy" decoding="async" class="aligncenter wp-image-8223" src="https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1.jpg" alt="AS 8001-2021 fraud" width="716" height="565" srcset="https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1.jpg 1251w, https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1-300x237.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1-1224x966.jpg 1224w, https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1-768x606.jpg 768w" sizes="(max-width: 716px) 100vw, 716px" /></p>
<p>Consider using the AS 8001:2021 Fraud &amp; Corruption Control standard as a guide to establish the foundations of your fraud and corruption prevention framework. AS 8001:2021 is very comprehensive and covers all elements of fraud and corruption control, including reporting.</p>
<p>Key aspects of the framework should be adapted to the local laws of each country the organisation operates in. Also, whilst many fraud risks are common to all organisations, some are specific to an industry.</p>
<h3>Communicate the Importance of Fraud Reporting</h3>
<p>Regular communication about the significance of fraud reporting is essential.</p>
<p>Organisations should conduct workshops, training sessions, and awareness campaigns to educate employees about the potential consequences of fraud, the reporting process, and the protection provided to whistleblowers. Employees need to understand that their actions play a crucial role in safeguarding the organisation&#8217;s financial and reputational well-being.</p>
<h3>Anonymous Fraud Reporting Channels</h3>
<p>Many employees are reluctant to report fraud due to fear of retaliation or reprisals from colleagues or superiors. Providing anonymous reporting channels for whistleblowers, such as hotlines or dedicated email accounts, can address these concerns. Anonymity empowers employees to come forward without the fear of their identity being revealed.</p>
<p>Whistleblowers play an important role in identifying and calling out misconduct and harm to consumers and the community. Research by the Association of Certified Fraud Examiners (ACFE) found that 46% of all frauds were uncovered by tips from whistleblowers, while only 3% were detected by law enforcement.</p>
<h3>Protect Whistleblowers</h3>
<p>Ensuring the protection of whistleblowers is paramount in creating a culture of fraud reporting. Implementing strict policies against retaliation and taking measures to safeguard the identity of the reporter will encourage more individuals to step forward with crucial information. Whistleblower protection laws may vary by jurisdiction, so organisations should be compliant with the relevant legislation.</p>
<p>In Australia, the Corporations Act 2001 (Corporations Act) gives certain people legal rights and protections as whistleblowers to encourage them to come forward with their concerns and protect them when they do.</p>
<p>Company officers, company auditors, and other senior people within companies have obligations under the Corporations Act if they receive a report from a whistleblower.</p>
<p>Both the ACFE and the Organisation for Economic Co-operation and Development (OECD) recognise the important role of whistleblowers and whistleblower protection in the detection of fraud, bribery and corruption.</p>
<h3>Foster Trust and Open Communication</h3>
<p>Organisations must build trust with their employees to encourage honest and open communication. Creating an environment where employees feel comfortable discussing their concerns or suspicions with supervisors or designated compliance officers is essential. Trust can be built through transparency, responsiveness, and consistent support for ethical behaviour.</p>
<h3>Implement a Comprehensive Fraud Reporting Process</h3>
<p>A well-defined and comprehensive fraud reporting process simplifies the reporting procedure for employees, suppliers and the public. This process should specify the types of fraudulent activities that should be reported, the channels for reporting, and the steps that will be taken to investigate and address reported incidents. Regularly updating employees on the status of reported cases ensures confidence in the system.</p>
<h3>Conduct Regular Audits and Fraud Monitoring</h3>
<p>Frequent internal audits and monitoring mechanisms can help identify potential fraudulent activities proactively. Audits provide an opportunity to assess the effectiveness of the fraud reporting culture and ensure that the organisation is adhering to its code of ethics.</p>
<p>The AS 8001:2021 Fraud &amp; Corruption Control standard requires an organisation to implement procedures aimed at assessing the effectiveness of the internal controls that are specifically designed or intended to mitigate fraud and corruption risks. Examples of such pressure tests include desktop reviews of case studies, process walk-throughs and data analysis.</p>
<h3>Takeaways</h3>
<p>Creating a culture of fraud reporting is an ongoing effort that requires commitment and dedication from an organisation&#8217;s leadership and employees. By fostering transparency, trust, and open communication, organisations can build a robust framework that encourages employees to report fraud without hesitation. Emphasizing the importance of ethics and providing effective reporting channels and protection for whistleblowers can significantly contribute to detecting and preventing fraudulent activities, safeguarding the organisation&#8217;s reputation and financial health in the long run.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits and value of fraud and corruption control.  We have extensive experience in fraud and corruption prevention, cyber security, investigations, crisis management, internal auditing, risk management, probity, business continuity, climate risk management and pandemic planning.</p>
<p>Can we help? Find out more about our <a href="https://inconsult.com.au/services/fraud-financial-crime-prevention/" target="_blank" rel="noopener">fraud and corruption prevention</a> services.  If you would like to know more, <a href="https://www.inconsult.com.au/contact-us/" target="_blank" rel="noopener">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/how-to-create-a-culture-of-fraud-reporting/">How to Create a Culture of Fraud Reporting</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How The Smart CEO Gets More Value From Internal Audit</title>
		<link>https://inconsult.com.au/publication/how-the-smart-ceo-gets-more-value-from-internal-audit/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 19 Jul 2023 20:54:05 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=10774</guid>

					<description><![CDATA[<p>Internal audit is designed to provide assurance to the CEO, the board (governing body) and stakeholders, that the organisation&#8217;s operations are being conducted in a manner that is efficient, effective, and in compliance with laws and regulations.  In some jurisdictions and industries, internal audit is mandated. Therefore, internal audit is an important function within any [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/how-the-smart-ceo-gets-more-value-from-internal-audit/">How The Smart CEO Gets More Value From Internal Audit</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Internal audit is designed to provide assurance to the CEO, the board (governing body) and stakeholders, that the organisation&#8217;s operations are being conducted in a manner that is efficient, effective, and in compliance with laws and regulations.  In some jurisdictions and industries, internal audit is mandated.</p>
<p>Therefore, internal audit is an important function within any organisation. Managed well and aligned to strategic initiatives, internal audit can be one of the organisation&#8217;s most valuable assets. Managed poorly, it can be a waste of money, time and valuable resources.</p>
<p>Many boards and CEOs value an effective internal audit function, but we cannot always say that internal audit is valued by all stakeholders. Sometimes, the relationship between the CEO, management and internal audit can come under strain due to the competing priorities of each party.</p>
<p>Having worked closely with boards, audit committees, CEOs, senior managers and internal auditors and having collectively performed thousands of internal audits over 20 years, the internal audit team at InConsult looked at the role of the CEO in internal audit and identified a number of strategies to guide the CEO to get more value from internal audit.</p>
<h3>The Sources of Audit Tension</h3>
<p>Tension in the internal audit relationship can come from internal audit, the CEO, management or the board, and can arise for many reasons.</p>
<h4>Competing objectives and priorities</h4>
<p>Management&#8217;s focus is primarily on achieving strategic goals and financial performance. Internal audit is also interested in the organisation achieving its goals. However, if management is so focused on the outcome that it does not pay proper regard to the process, skimps on compliance and does not manage risks effectively, this can lead to conflicts, disagreements and tensions between the parties.</p>
<h4>Lack of understanding</h4>
<p>Management may not fully understand or appreciate the purpose, value and importance of the internal audit function. They may view it as a compliance-driven activity rather than recognising its role in providing independent assurance and valuable insights to improve organisational processes and controls.</p>
<h4>Perception of criticism</h4>
<p>Internal audit&#8217;s role is designed to assess and evaluate the effectiveness of controls, processes, and risk management practices of management. If management perceives these assessments as personal criticisms or threats to their authority, it can strain the relationship.  When internal audit identifies control weaknesses or areas for improvement, it can be perceived by the CEO as a criticism of their leadership or decision-making. This can lead to defensiveness and strained relations between the CEO and internal audit.</p>
<h4>Ineffective communication</h4>
<p>Effective communication is essential for a strong relationship between internal audit, the board, CEO and management. If there are communication gaps, misunderstandings can occur, leading to mistrust and strained relations. Lack of clarity in explaining audit findings and recommendations can further exacerbate these issues.</p>
<h4>Gaps in internal audit capabilities</h4>
<p>Poor internal audit practices or an under-resourced internal audit team will compromise the quality of internal audit work. Limited staffing, budget, or access to necessary information can impact the quality and timeliness of audit work, leading to frustrations on both sides.</p>
<h4>Lack of trust and independence</h4>
<p>Internal audit must operate with a high degree of independence to provide unbiased assessments. Internal audit must have unfettered access to information.  If management perceives internal audit as lacking independence or being influenced by external factors, it can erode trust and strain the relationship.</p>
<h4>Resistance to audit recommendations</h4>
<p>Internal audit often provides recommendations for improving controls, processes, and risk management. If management is not confident in internal audit&#8217;s capabilities, resists findings or fails to take recommendations seriously, it can create a perception that the internal audit function&#8217;s efforts are being disregarded or undervalued.</p>
<h3>Strategies for the CEO to Establish Solid Foundations</h3>
<p>Whilst internal audit is an independent function, the CEO is often in the driver&#8217;s seat for ensuring it is effective, with some oversight from the audit committee and/or board in larger organisations. An effective internal audit function is built on a solid foundation of key principles, practices, and structures. The CEO should work with the Chief Audit Executive and support laying these foundations.</p>
<h4>Recruit a capable audit team</h4>
<p>Internal auditors should possess the necessary knowledge, skills, and professional qualifications/certifications. The internal audit department should also follow the standards and ethical guidelines of the profession as set out by the <a href="https://www.theiia.org/" target="_blank" rel="noopener">Institute of Internal Auditors</a>.</p>
<h4>Ensure adequate resourcing</h4>
<p>For internal audit to be effective, it needs to have the appropriate resources in terms of staffing, budget, and technology. The CEO should ensure that the internal audit department is adequately resourced and has the necessary tools and technology to do its job effectively.</p>
<h4>Use a risk-based audit approach</h4>
<p>Due to budget and time constraints, internal audit should take a risk-based approach to its work, focusing on areas where the organisation is most at risk and providing assurance that the internal controls are designed and operating effectively to mitigate these risks.</p>
<p>By engaging with key stakeholders, contextualising the organisational objectives and conducting a comprehensive risk assessment (or using risk information from the risk management department), the internal audit department can identify the areas of the company where the risk of loss or failure to achieve objectives is greatest. This helps the internal audit function to focus on the areas of the company that are most at risk and provides assurance that the company&#8217;s internal controls are designed and operating effectively to mitigate these risks.</p>
<h4>Open communication between audit and management</h4>
<p>Establish regular communication channels between internal audit and management to enhance understanding and address any concerns or misunderstandings promptly.</p>
<h4>Clear audit plans and reports</h4>
<p>The internal audit function should have plans and reports in place to communicate its intentions, approach, findings and recommendations to the CEO, the board of directors, and other stakeholders.  Key plans and reports include:</p>
<ul>
<li><strong>Strategic Audit Plan</strong> &#8211; outlines the internal audit activities and objectives for a three-year period. It serves as a roadmap for the internal audit function, guiding its efforts in evaluating and assessing the organisation&#8217;s operations, risks, controls, and governance processes over the specified timeframe.</li>
<li><strong>Audit Engagement Plan</strong> &#8211; outlines the specific details and objectives of an upcoming audit engagement. It is a roadmap for the internal audit team, providing a structured approach to conducting the audit and ensuring that all relevant areas are addressed.</li>
<li><strong>Audit Report</strong> &#8211; summarises the audit approach, methodology, findings, observations, and recommendations resulting from an internal audit engagement. The report is a communication tool between internal audit and management, providing valuable insights and recommendations for improving processes, controls, and risk management practices.</li>
<li><strong>Quarterly Audit Report</strong> &#8211; provides an update on the progress of audit engagements completed, highlights key issues, and tracks the progress of audit recommendations to completion/closure.</li>
</ul>
<h4>Be visible</h4>
<p>It&#8217;s important that the CEO is visible, promotes internal audit and encourages management to take appropriate action on recommendations in a timely manner. This shows the importance placed on internal audit and helps to maintain the integrity of the internal control environment. It&#8217;s also important that the internal audit team is seen as approachable by any member of staff, which enhances their standing within the organisation and provides an avenue to identify issues at the coalface.</p>
<h4>Continuous audit improvement</h4>
<p>The internal audit function should be continuously looking for ways to improve its processes and procedures. The department should also monitor and evaluate the effectiveness of its work and the impact of its recommendations to continually improve the control environment. Every 5 years, the internal audit process should undergo an external independent review.</p>
<h3>Strategies for Optimising Internal Audit</h3>
<p>Having the foundations in place helps to ensure that the internal audit function is able to provide the assurance that the CEO and the board of directors need, but it may not relieve all the tension. The CEO and board can expect more from internal audit.  They may expect internal audit to take a more proactive approach to identifying and assessing risks, rather than just being reactive to issues that have already occurred.</p>
<h4>Monitoring and analysis of key performance indicators</h4>
<p>The internal audit department can use monitoring and analysis of key performance indicators (KPIs) to identify potential issues and risks before they become major problems. This could include monitoring the company&#8217;s financial performance, compliance with laws and regulations, and the effectiveness of key processes and systems.</p>
<h4>Data analytics</h4>
<p>Internal audit can use data analytics tools to identify patterns or anomalies in data that may indicate a potential risk or control weakness. These tools can help internal audit to uncover issues that may be hidden and would not be identified through traditional audit methods.</p>
<h4>Continuous control monitoring</h4>
<p>The internal audit function can be proactive by continuously looking for ways to improve its processes and procedures. This could include ongoing monitoring of the control environment.</p>
<h4>Predictive auditing</h4>
<p>Predictive auditing is a newer approach that allows internal audit to make predictions about future events, scenarios or risks by identifying and analysing patterns or trends, and then to build in assessments and controls that prevent those potential events from happening.</p>
<h4>Stay current with industry/sector developments</h4>
<p>Internal audit can also be proactive by staying current with industry developments and emerging risks, such as regulatory changes and technological advancements, so they can identify potential risks to the organisation and take appropriate actions.</p>
<h3>Takeaways</h3>
<p>By addressing these &#8216;tension&#8217; factors and promoting a culture of cooperation and mutual respect, the relationship between the CEO, internal audit and management can be improved, leading to more effective risk management, a stronger control environment and governance practices within the organisation.</p>
<p>Taking a proactive approach, an internal audit department can help the company to identify and manage potential risks before they become major issues, and provide assurance that the company&#8217;s internal controls are effective in mitigating those risks.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits and value of internal audit.</p>
<p>We have supported small to large organisations to establish a cost-effective internal audit function and to refine and optimise internal audit practices.</p>
<p>We have extensive experience in internal auditing, risk management, probity, fraud and corruption prevention, cyber security, crisis management, business continuity, climate risk management and pandemic planning.</p>
<p>If you would like to know more about our internal auditing services, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Managing Modern Slavery in NSW Local Government</title>
		<link>https://inconsult.com.au/publication/managing-modern-slavery-in-nsw-local-government/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Mon, 24 Jan 2022 22:05:02 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=9017</guid>

<description><![CDATA[<p>Modern Slavery is an abhorrent, poorly recognised, but not uncommon, practice affecting an estimated 40 million people globally. The global anti-slavery organisation, Walk Free, estimates that in Australia around 15,000 people are living in modern slavery conditions. Although conditions in particular countries and industries increase the risks of modern slavery occurring, no country is immune [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/managing-modern-slavery-in-nsw-local-government/">Managing Modern Slavery in NSW Local Government</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
<content:encoded><![CDATA[<p>Modern Slavery is an abhorrent, poorly recognised, but not uncommon, practice affecting an estimated 40 million people globally. The global anti-slavery organisation, Walk Free, estimates that in Australia around 15,000 people are living in modern slavery conditions. Although conditions in particular countries and industries increase the risks of modern slavery occurring, no country is immune to its insidiousness and all businesses and organisations can be affected, if not directly, then indirectly through their supply chain.</p>
<h3>What is modern slavery?</h3>
<p>Modern slavery is where coercion, threats or deception are used to exploit a person and undermine their freedom. The Commonwealth Modern Slavery Act 2018 (“Commonwealth Act”) includes the following types of exploitation in its definition of modern slavery:</p>
<ul>
<li>Trafficking in people</li>
<li>Slavery</li>
<li>Servitude</li>
<li>Forced labour</li>
<li>Forced marriage</li>
<li>Debt bondage</li>
<li>The worst forms of child labour</li>
<li>Deceptive recruiting for labour or services</li>
</ul>
<h3>Modern Slavery Legislation in Australia and NSW</h3>
<p>Australia has recognised the need for organisations to address modern slavery in their operations and supply chains. Our publication on <a href="https://inconsult.com.au/publication/managing-the-risk-of-modern-slavery/" target="_blank" rel="noopener">Managing the Risk of Modern Slavery</a> provides general information on modern slavery and the requirements of the Commonwealth Act.</p>
<p>New South Wales passed the <a href="https://legislation.nsw.gov.au/view/html/inforce/current/act-2018-030" target="_blank" rel="noopener">Modern Slavery Act (NSW)</a> (“NSW Act”) in 2018 prior to the Commonwealth Act being passed. The NSW Act was inconsistent with the Commonwealth Act in a number of aspects and for this reason the NSW Government delayed its commencement. After several years of review, debate and public consultation, on 19 November 2021, the New South Wales Parliament passed the Modern Slavery Amendment Act 2021 (NSW) (“Amendment Act”) which made amendments to the NSW Act and several others including the Crimes Act 1900 and the Local Government Act 1993. The amended NSW Act came into force on 1 January 2022.</p>
<p>For most NSW organisations the NSW Act will not make any difference to their modern slavery reporting obligations. However, NSW state and local governments and government agencies that are explicitly excluded from the reporting requirements of the Commonwealth Act will be affected by the NSW Act. The NSW Act applies to NSW “government agencies” and councils are specifically included in the definition of a “government agency” along with government sector agencies, NSW government agencies and public or local authorities.</p>
<p>Unlike the Commonwealth, NSW will appoint an Anti-slavery Commissioner. Their powers and responsibilities include monitoring government policies and action in combating modern slavery, issuing codes of practice, referring information relating to instances or suspected instances of modern slavery to the police or other agencies and maintaining a public register that identifies government agencies failing to comply.</p>
<p>As the Anti-slavery Commissioner monitors the effectiveness of the legislation in addressing modern slavery and recommends NSW policy and legislative changes, and with the 2022 review of the Commonwealth Act, the obligations on local councils (and other reporting entities) could change.</p>
<h3>NSW Modern Slavery Reporting Obligations</h3>
<p>State and local governments, and government agencies have new modern slavery reporting obligations as a result of the NSW Act and amendments to other legislation.</p>
<p>The amendments to the Local Government Act 1993 will require local councils, after July 2022, to include statements in their annual reports detailing:</p>
<ol>
<li>the action taken in relation to any significant modern slavery issue raised by the Anti-slavery Commissioner during the year concerning council operations; and</li>
<li>the steps taken to ensure that goods and services procured by and for the council during the year were not the product of modern slavery.</li>
</ol>
<p>Under the NSW Act, Government Sector Finance (GSF) agencies under the Government Sector Finance Act (2018) must include similar statements in their annual reports, and NSW State owned corporations are required to publish a Modern Slavery Statement under the Commonwealth Act.</p>
<p>Government agencies may also be required to provide the Commissioner with specific information to include in the modern slavery register. We will need to wait until the government produces Modern Slavery Regulations to know what these may entail.</p>
<h3>Councils’ obligations in Circular 22-09</h3>
<p>In April 2022, the Office of Local Government released additional guidelines &#8211; <a href="https://www.olg.nsw.gov.au/wp-content/uploads/2022/04/22-09.pdf" target="_blank" rel="noopener">Circular 22-09 Councils’ obligations under the Modern Slavery Act 2018</a> to provide additional guidelines to councils.</p>
<p>It states that from 1 July 2022, councils will be required to take reasonable steps to ensure that goods and services procured by and for the council are not the product of modern slavery within the meaning of the Modern Slavery Act 2018 (NSW).</p>
<p>In addition, commencing from the 2022/23 financial year, each council will be required to publish in their annual reports:</p>
<ul>
<li>a statement of the action taken by the council in relation to any issue raised by the Anti-slavery Commissioner during the year concerning the operations of the council and identified by the Commissioner as being a significant issue, and</li>
<li>a statement of steps taken to ensure that goods and services procured by and for the council during the year were not the product of modern slavery within the meaning of the Modern Slavery Act 2018 (NSW).</li>
</ul>
<h3>NSW Modern Slavery Due Diligence</h3>
<p>The Auditor General has a role under the NSW Act, to conduct risk-based audits of activities of government agencies to determine if the government agency is ensuring that goods and services procured by and for it are not the product of modern slavery. The Auditor-General will consider if the agency has exercised due diligence in relation to the procurement of goods and services. This will entail a determination of how reasonable the steps taken by the agency were to ensure the primary supplier of goods and services is responsible for implementing processes to eliminate or minimise the risks of goods and services being produced by modern slavery.</p>
<p>Businesses that deal with local councils and the NSW government will need to ensure that they also have stringent due diligence processes in place to satisfy NSW councils’ due diligence obligations.</p>
<h3>Modern Slavery Due Diligence</h3>
<p>Modern slavery supply chain due diligence requires a robust framework comprising key elements that address modern slavery risks. The following diagram describes such a framework.</p>
<p><img loading="lazy" decoding="async" class=" wp-image-9033 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2022/01/modern-slavery-framework-300x297.jpg" alt="modern slavery" width="342" height="339" srcset="https://inconsult.com.au/wp-content/uploads/2022/01/modern-slavery-framework-300x297.jpg 300w, https://inconsult.com.au/wp-content/uploads/2022/01/modern-slavery-framework-150x150.jpg 150w, https://inconsult.com.au/wp-content/uploads/2022/01/modern-slavery-framework.jpg 576w" sizes="(max-width: 342px) 100vw, 342px" /></p>
<h3>Actions Councils Should be Starting Now</h3>
<p>Councils will need to begin to develop their modern slavery risk governance framework, develop risk strategies and assess their modern slavery risks now, to ensure that they are in a position to satisfy the reporting requirements for the 2022-2023 period and to meet any audit requirements of the Auditor-General.</p>
<p>This means:</p>
<ul>
<li>identifying and assessing the risks of modern slavery in their supply chains, and their operations – at minimum, focussing on higher risk categories such as clothing;</li>
<li>ensuring whistleblowing and grievance policies and practices cover modern slavery and allow anonymous reporting of human rights violations;</li>
<li>developing and implementing effective due diligence procedures to ensure that the goods and services that they procure are not the product of modern slavery;</li>
<li>updating procurement policies and practices to address modern slavery and embedding ethical purchasing into the council’s business processes;</li>
<li>updating council’s statement of business ethics to address modern slavery;</li>
<li>reviewing supply contracts and including appropriate clauses to deal with the ethical performance of suppliers, expressly prohibiting modern slavery;</li>
<li>ensuring contracts also include other contractual provisions such as the right to audit suppliers and/or request additional information;</li>
<li>working with suppliers to ensure they understand their obligations to implement processes to eliminate or minimise the risks of goods and services being produced by modern slavery;</li>
<li>providing training and awareness of modern slavery to staff and suppliers;</li>
<li>co-operating with the Anti-slavery Commissioner in disclosing information and providing assistance and support in respect to modern slavery and its victims.</li>
</ul>
<h3>How we can help</h3>
<p>We have hands-on experience in helping organisations understand and minimise modern slavery risks.</p>
<p>We are here to help you comply with your council’s modern slavery obligations. For example we can assist with:</p>
<ul>
<li>conducting staff and supplier awareness training and briefings on modern slavery in Australia;</li>
<li>conducting a modern slavery risk assessment of your supply chains and operations;</li>
<li>developing due diligence procedures to minimise the risks that council is procuring goods or services that are produced by modern slavery practices;</li>
<li>conducting supplier surveys to gain visibility into their practices;</li>
<li>integrating modern slavery risk management into your existing risk and procurement policies and practices;</li>
<li>reviewing your contracts and policies and recommending changes to address modern slavery risks; and</li>
<li>conducting internal audit / independent reviews of your modern slavery practices.</li>
</ul>
<p>Want to know more? <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener">Contact us</a> to discuss your needs.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How the SA Government Data Breach was avoidable</title>
		<link>https://inconsult.com.au/publication/how-the-sa-government-data-breach-was-avoidable/</link>
		
		<dc:creator><![CDATA[William Makdessi]]></dc:creator>
		<pubDate>Tue, 21 Dec 2021 00:45:19 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=8945</guid>

					<description><![CDATA[<p>The South Australian Government (SA Gov) have been affected by a data breach of over 80,000 staff enrolled in their payroll system provided by Frontier Software. This is now the largest Australian Government data breach on record. For those unfamiliar with Frontier Software, they are the providers of the Chris21 platform used by many government [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/how-the-sa-government-data-breach-was-avoidable/">How the SA Government Data Breach was avoidable</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>The South Australian Government (SA Gov) have been affected by a data breach of over 80,000 staff enrolled in their payroll system provided by Frontier Software.</p>
<p><span style="color: #ff0000;"><strong>This is now the largest Australian Government data breach on record. </strong></span></p>
<p>For those unfamiliar with Frontier Software, they are the providers of the Chris21 platform used by many government bodies across Australia.  Frontier Software is a &#8216;vendor&#8217; to the SA Gov and the other government bodies.</p>
<p>This data breach reinforces the fact that, no matter how strong an organisation&#8217;s own cyber security practices are, it must never neglect the cyber security posture of the vendors, third parties and suppliers who hold its sensitive information.</p>
<h3>The data breach incident</h3>
<p>Frontier Software <a href="https://au.frontiersoftware.com/news-and-articles/frontier-software-cyber-incident">first reported</a> experiencing a cyber incident on the 16<sup>th</sup> of November 2021 with specifics of the incident limited to system users. The data breach resulting from the incident was first discovered on the 8<sup>th</sup> of December 2021 and quickly confirmed by the <a href="https://www.sa.gov.au/topics/emergencies-and-safety/types/cyber-security/frontier-software-data-breach">South Australian Government</a> on 9<sup>th</sup> December 2021.</p>
<p>The SA Gov were quick to act and transparent in disclosing what type of data was breached. The payroll data leaked included all sensitive information that is typical of employment enrolment such as names, residential addresses, dates of birth and even the more critical tax file numbers and banking details.</p>
<p>While the response by SA Gov to monitor affected individuals was quick and may prove effective, the data is still out there and often breaches are held for years before actually being exploited. The individuals affected may see unusual activity long after the increased monitoring has worn off.</p>
<p>Aside from the reactive approach, what proactive measures were missing that could have prevented this breach from ever occurring?</p>
<h3>Our analysis &#8211; What we found</h3>
<p>Using a combination of our vendor assessment tools looking at billions of datapoints, we were able to determine the weak point in Frontier Software’s security and provide a grading.</p>
<p><img loading="lazy" decoding="async" class="aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/12/rating.png" alt="data breach" width="371" height="194" /></p>
<p>Email security was the red flag, scoring a mere 206 out of 950, resulting in a D rating. The rating was based on two critical outstanding risks, being no email SPF policy and no email DMARC policy.</p>
<p>These two policies are both free and simple to set up. Having neither of them meant anyone with an internet connection could easily send a fake email using <strong>real</strong> Frontier Software email addresses in a matter of minutes. A simple task that anyone with basic Google knowledge could undertake thanks to some cheeky online tools that are available to the public.</p>
<p><img loading="lazy" decoding="async" class="aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/12/email-policy.png" alt="data breach" width="367" height="171" /></p>
<p>There is a high probability that the lack of basic email security is the source of the ransomware attack experienced by Frontier Software. Statistically, email phishing is the most common form of attack in Australia and the lack of security would have allowed a threat actor to easily emulate a genuine internal email between staff.</p>
<p>Security in other areas such as network, website and malware security were on par with the industry average for third party software vendors, scoring an average of a low B rating. This in itself could be another red flag for the inadequate state of the industry average relating to cyber security. In an industry focused on providing software as a core product, cyber security should be one of the greatest strengths.</p>
<p>In the last week we have seen Frontier Software’s security scoring slowly increase to break through the industry average overall. Perhaps a response to the ransomware attack, though unfortunately too little too late. Organisations should be addressing these issues prior to a data breach and having independent assessments performed regularly to test and validate their controls.</p>
<h3>How we find potential data breach vulnerabilities</h3>
<p>A risk assessment much like the one we performed on Frontier Software requires a combination of tools that check external, public-facing security controls. This is the same place a threat actor would start, often using similar tools to search for the weak points. Once we identify them, these weak points are categorised into different types of security and given a severity rating based on their potential impact.</p>
<p>By identifying these weak points and providing remediation advice, organisations can set a clear path and prioritise the changes required to ensure higher impact threats are mitigated before they occur.</p>
<p><img loading="lazy" decoding="async" class="aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/12/frontier-risk.png" alt="data breach" width="362" height="332" /></p>
<h3>What could they have done to prevent the data breach?</h3>
<p>It is easy to point the finger and blame the software provider for having poor controls that resulted in a data breach. In actuality, it is both sides of the fence that are responsible for the lack of controls.</p>
<p>The poor state of Frontier Software’s email security not only highlights that independent cyber posture assessments weren’t performed, but it also means Frontier Software’s clients and vendors do not have strict enough due diligence processes that are catered to the vendor. A software provider should be assessed for specific technical controls such as email security policies before they are onboarded.</p>
<p>Organisations should be monitoring and assessing their own and their vendors’ cyber postures at least annually. With the rapidly evolving cyber threat landscape, choosing to assume a secure environment or vendor can have drastic effects in a mere matter of months.</p>
<p>If Frontier Software had penetration testing or cyber posture assessments performed annually, these weak points would have been discovered upon initial assessment and could be rectified within a matter of days.</p>
<p>Similarly, if a client utilising their payroll suite had independent vendor assessments performed annually, these issues would have been identified and a roadmap put in place to rectify them before it is too late.</p>
<p>Email security is best addressed through the implementation of three security policies. SPF, DKIM and DMARC policies cost all of <strong>zero</strong> dollars to implement and could be completed within a single day (especially SPF and DKIM). Many email service providers such as Microsoft have built-in tools that simplify the process and even generate policies for you.</p>
<h3>Australia is falling behind the rest of the world</h3>
<p>With such simple setup and zero cost that could easily prevent a successful cyber attack, we really are just one click away from poor cyber security.</p>
<p>Globally, the three email security policies mentioned above are widely adopted. Trends suggest as much as 80% of organisations have email security policies enforced preventing email fraud and what is also known as email spoofing.</p>
<p>Unfortunately, in Australia the trends are just as high but in the opposite direction.</p>
<ul>
<li>InConsult research into email security practices in one single NSW government sector in 2021 concluded that over 90% of 128 organisations analysed had no or poorly configured email security policies allowing a threat actor to easily deliver successful email phishing attacks.</li>
<li>The <a href="https://www.itnews.com.au/news/nsw-gov-cyber-security-progress-insufficient-audit-finds-571963">NSW Audit Office reported</a> in October 2021 that government agencies have made “insufficient progress to improve cyber security safeguards” since the introduction of the government’s cyber security policy, and “the poor levels of cyber security maturity are a significant concern.”</li>
</ul>
<p>With the vast majority in that industry also reporting at least one successful phishing attack in 2020-2021, it’s difficult to ignore the link between the poor email security and data breaches.</p>
<p>Don&#8217;t forget your vendors! Independent cyber posture assessments are crucial in not only identifying flaws but ensuring they can be prioritised for remediation. There is good reason that the most commonly used cyber security frameworks have a heavy focus on independent cyber posture assessments and independent vendor assessments.</p>
<h3>How we help strengthen vendor risk management</h3>
<p>Organisations understand the risks of doing business with third-party vendors, but they often lack the resources or expertise to implement and maintain effective vendor risk mitigation strategies — which could turn out to be costly.  We have the expertise to help you gain insights into your vendors&#8217; risks and recommend remediation strategies.</p>
<p>Our experienced cyber risk team uses industry-leading technology to monitor millions of companies, scan billions of data points and send targeted cyber security questionnaires to answer the question – How Risky or Secure Are My Vendors?</p>
<p>Our Vendor Domain Scan and Cyber Security Questionnaires deliver 6 benefits to you:</p>
<ol>
<li><strong>Know your vendors&#8217; cyber security posture:</strong> Our analysis will provide insight into vendors’ cyber security posture and include an overall security rating.</li>
<li><strong>Pinpoint the gaps and vulnerabilities:</strong> We help expose the vulnerabilities that may be exploitable on vendors’ websites and their cyber security practices.</li>
<li><strong>Compare vendors across the ecosystem:</strong> Our executive reports identify which vendors pose the highest risk across your entire vendor ecosystem.</li>
<li><strong>Security questionnaires:</strong> Targeted cyber security questionnaires with workflows allow deeper insights into a vendor&#8217;s security practices.</li>
<li><strong>Targeted reporting:</strong> We group risks into website risks, email security, network security, phishing &amp; malware, reputation and brand protection.</li>
<li><strong>Start a conversation:</strong> You can work closer with your vendors to communicate, discuss and remediate any gaps or just stop using higher-risk vendors.</li>
</ol>
<h3>Take the next steps</h3>
<p>Don&#8217;t play the waiting game. The SA Gov data breach is a timely reminder that you should not neglect the cyber security posture of your vendors and how your organisation manages vendor risks.</p>
<p>Now is the time to move beyond cyber security to cyber resilience. InConsult is committed to helping organisations manage cyber risks and opportunities. We have extensive experience in vendor risk management, cyber risk management, vendor audit and assurance, crisis management and business continuity.</p>
<p>If you would like support in becoming a more cyber resilient organisation, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/how-the-sa-government-data-breach-was-avoidable/">How the SA Government Data Breach was avoidable</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Key Changes to AS 8001:2021 Fraud &#038; Corruption Control</title>
		<link>https://inconsult.com.au/publication/key-changes-to-as-80012021-fraud-corruption-control/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Sun, 31 Oct 2021 23:20:58 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=8180</guid>

					<description><![CDATA[<p>The third edition of the Australian Standard AS 8001:2021 &#8211; Fraud &#38; Corruption Control was released in June 2021. This better practice Standard is arguably the benchmark guide for how organisations should manage and mitigate fraud and corruption risks. The first release of AS 8001 was in 2003 after a spate of corporate collapses that included [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/key-changes-to-as-80012021-fraud-corruption-control/">Key Changes to AS 8001:2021 Fraud & Corruption Control</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>The third edition of the <a href="https://store.standards.org.au/product?designationId=AS%208001%3A2021" target="_blank" rel="noopener">Australian Standard AS 8001:2021 &#8211; Fraud &amp; Corruption Control</a> was released in June 2021. This better practice Standard is arguably the benchmark guide for how organisations should manage and mitigate fraud and corruption risks.</p>
<p>The first release of AS 8001 was in 2003 after a spate of corporate collapses that included Enron, WorldCom, One.Tel and <a href="https://inconsult.com.au/publication/lessons-from-the-hih-collapse/" target="_blank" rel="noopener">HIH</a> in the early 2000s. AS 8001 was updated again in 2008, right in the middle of the Global Financial Crisis. But a lot has happened since then, especially around information technology, and the 2021 refresh of AS 8001 reflects some of these major changes.</p>
<h3>Why is AS 8001 so important?</h3>
<p>Whilst many standards are not legally binding unless they are specifically included in legislation, they are considered better practice guides.</p>
<p>AS 8001 is a very good standard.  It&#8217;s very popular and has a strong following.  This means it is widely used as a reference point by many organisations in the public and private sector to help set the foundations of their fraud and corruption policy and framework.  It is also currently the backbone of other better practice fraud and corruption prevention guidelines.  There are many instances where regulators and government agencies use standards like AS 8001 as a reference point to guide and encourage organisations to adopt them.  For example:</p>
<ul>
<li>the Audit Office of New South Wales’ <a href="https://www.audit.nsw.gov.au/sites/default/files/auditoffice/Governance-and-Policies---Current/Fraud_Control_Improvement_Kit_February_2015%20whole%20kit.pdf-updated%20August2015.pdf" target="_blank" rel="noopener">Fraud Control Improvement Kit</a> closely aligns to AS 8001:2008; and</li>
<li>the Australian Prudential Regulation Authority (APRA) makes reference to AS 8001:2008 in prudential practice guide <a href="https://www.apra.gov.au/sites/default/files/prudential-practice-guide-spg-223-fraud-risk-management-june-2015_0.pdf" target="_blank" rel="noopener">SPG 223 – Fraud Risk Management.</a></li>
</ul>
<p>As many organisations have adopted AS 8001:2008 for fraud &amp; corruption control, they are likely to migrate and adopt the new 2021 edition.  Therefore it is important every organisation reviews the new Standard and makes changes to their policies, plans, systems and processes to realign with the new AS 8001:2021.</p>
<p>A word of warning: the changes are far from &#8216;cosmetic&#8217; and will require a well planned and executed approach. You will need to involve more stakeholders to realign to the 2021 edition. Let&#8217;s look closely at some of these major changes.</p>
<p><img loading="lazy" decoding="async" class="wp-image-8223 aligncenter" src="https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1.jpg" alt="AS 8001-2021 fraud" width="716" height="565" srcset="https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1.jpg 1251w, https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1-300x237.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1-1224x966.jpg 1224w, https://inconsult.com.au/wp-content/uploads/2021/11/AS-8001-2021-1-768x606.jpg 768w" sizes="(max-width: 716px) 100vw, 716px" /></p>
<h3>AS8001 objectives</h3>
<p>So what does the Standard aim to achieve?  The objective of the Standard is to &#8220;…provide minimum requirements and additional guidance for organisations wishing to develop, implement and maintain an effective fraud and corruption control system (FCCS) through initiatives aimed at —</p>
<ul>
<li>preventing fraud and corruption;</li>
<li>detecting fraud and corruption; and</li>
<li>responding to fraud and corruption events that have already occurred.”</li>
</ul>
<p>Clearly, the Standard aims to guide organisations to establish and maintain the minimum requirements for an effective fraud and corruption control system. Organisations can and should go over and above when the exposure to fraud and corruption risks is greater. For example, whilst Crown Resorts had many risk, governance and fraud control measures in place, it is clear now that they could have done more to recognise and manage the money laundering risks in their business.</p>
<p><em>Implications: Don&#8217;t assume that compliance or adoption of a standard like AS 8001 will solve all your problems.  The fraud and corruption control system must be aligned to the level and nature of risks in your organisation.</em></p>
<h3>1. More definitions and updated definitions for ‘fraud’ and ’corruption’</h3>
<p>The first change to note is the introduction of <strong>Fraud and Corruption Control System</strong> (FCCS) in place of a Fraud and Corruption Control Plan.   This recognises the fact that fraud and corruption control works within a broader and often integrated system&#8230;not just in a policy or plan.</p>
<p>Secondly, the Standard introduces the term <strong>&#8216;minimum requirements&#8217;</strong> by using the word &#8220;shall&#8221; instead of &#8220;should&#8221; about 90 times in the new Standard.  The word &#8220;shall&#8221; was not used in the 2008 edition.</p>
<p>The new Standard has doubled the number of definitions &#8211; close to 20 new definitions. Also, the definitions of fraud and corruption have been broadened to include conduct that may not necessarily be illegal or a breach of the criminal law, but can still have negative consequences for the organisation.</p>
<p><em>Implications: When updating your fraud and corruption control system documentation, ensure you cover the entire fraud and corruption control &#8216;system&#8217; in your framework and use &#8216;shall&#8217; in more areas. Also ensure your definitions are in line with the new Standard.</em></p>
<h3>2. More focus on the foundations</h3>
<p>The 2008 version of the Standard started with 4 pages on &#8220;Planning and Resourcing&#8221; before moving onto Prevention – Detection – Response. In comparison, the new Standard strengthens the foundations of the fraud and corruption control system with 13 pages of guidance to help set the foundations. It also introduces the Governing Body and the appointment of an Information Security Management System (ISMS) professional.</p>
<p><em>Implications: When updating your fraud and corruption control system documentation, ensure your foundations are in line with the new Standard.  With 13 pages of new guidance, this will be important. Also, there are new roles and responsibilities that will require more consultation with stakeholders and integration into day-to-day fraud and corruption control processes and governance practices.</em></p>
<h3>3. The governing body</h3>
<p>The new Standard introduces the ‘Governing body’ and brings in the Board as a new line as distinct from ‘Top management’. This closely aligns with the Institute of Internal Auditors&#8217; Three Lines Model and ISO&#8217;s &#8216;oversight body&#8217;.</p>
<ul>
<li>The Governing Body has &#8216;ultimate responsibility and authority&#8217; for the organisation&#8217;s activities, governance and policies.</li>
<li>Top management should manage the fraud and corruption risks, have an understanding of their role in combatting fraud and corruption risk, and ensure they are in a position to understand the organisation&#8217;s risks so they can inform the Board.</li>
</ul>
<p><em>Implications: When updating your fraud and corruption control system documentation, ensure you clearly define the roles of the Governing Body and Top Management in understanding and managing the risks of fraud and corruption. You may also need to enhance your reports to the Audit and Risk Committee to provide regular updates.</em></p>
<h3>4. Compliance with other standards</h3>
<p>The revised Standard introduces the concept of &#8216;normative references&#8217;, meaning that some other standards issued by the International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), Standards Australia (SA), Auditing and Assurance Standards Board (AASB) and National Institute of Standards and Technology (NIST) must also be complied with in order to fully comply with AS 8001:2021.   The normative references in the new Standard include:</p>
<ol>
<li>AS 4811, Employment screening</li>
<li>AS ISO 31000, Risk management — Guidelines</li>
<li>AS ISO 37001, Anti-bribery management systems — Requirements with guidance for use</li>
<li>AS ISO/IEC 27001, Information technology — Security techniques — Information security management systems — Requirements</li>
<li>ISO/IEC 27037, Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence</li>
<li>ISO/IEC 27041, Information technology — Security techniques – Guidance on assuring suitability and adequacy of event investigative method</li>
<li>ISO/IEC 27042, Information technology — Security techniques – Guidelines for the analysis and interpretation of digital evidence</li>
<li>ISO/IEC 27043, Information technology — Security techniques &#8211; Incident investigation principles and processes</li>
<li>ASA 240 The Auditor&#8217;s Responsibility Relating to Fraud in An Audit of a Financial Report issued by the Auditing And Assurance Standards Board</li>
<li>NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide</li>
</ol>
<p><em>Implications: We see this as a major challenge for small to medium organisations to fully comply with the new AS 8001:2021. Organisations should still pursue alignment with the new Standard and the normative references but recognise not all areas may be fully compliant. Recognise the standard provides an opportunity for continuous improvement and keep making small and large improvements over several years. </em></p>
<h3>5. Information security</h3>
<p>With increasing dependency on information technology, external vendors and growing importance of cyber security, most of the normative references directly relate to information security and computer security incident handling. This is a major upgrade to the new Standard.</p>
<p>In addition, the new Standard now includes updated guidance in relation to preventing, detecting and responding to external &#8220;cyber-born&#8221; attacks. The definition of &#8216;attack&#8217; is broad and includes any &#8220;attempt to destroy, expose, alter, disable, steal or gain unauthorised access to or make unauthorised use of an asset&#8221;.  The Standard also:</p>
<ul>
<li>requires appointing an Information Security Management System (ISMS) professional,</li>
<li>requires organisations to now plan for preventing, detecting and responding to external ‘cyber-born’ attacks,</li>
<li>provides guidance in relation to the capture and analysis of digital evidence, and</li>
<li>introduces the concept of Digital Evidence First Response.</li>
</ul>
<p><em>Implications: There are significant and complex information security processes and practices required to fully comply with the ISO/IEC 27000 series of standards that will be a challenge for many organisations. We expect organisations to consider information security as part of their fraud and corruption control system documentation, but not always fully comply. When updating your fraud and corruption control system documentation, ensure you include information and reference to plans and processes in your organisation designed to protect information assets, enhance information security and prevent, detect and respond to cyber attacks.</em></p>
<h3>6. Harmonise fraud and corruption with Anti-Bribery Management Systems</h3>
<p>AS ISO 37001, Anti-bribery management systems is also a normative reference i.e. organisations must once again comply with AS ISO 37001 to comply with AS 8001:2021.  The new Standard also defines bribery as a form of corruption, introduces the term &#8220;business associate&#8221;  and requires appropriate risk-based screening and management of business associates.</p>
<p><em>Implications: Guidance in respect to anti-bribery is more comprehensive in the new Standard. When updating your fraud and corruption control system documentation, ensure there is alignment between your anti-bribery practices, the new Standard and AS ISO 37001.</em></p>
<h3>7. Whistleblowing</h3>
<p>Research by the Association of Certified Fraud Examiners (ACFE) found that 46% of all frauds were uncovered by whistleblowers, while only 3% were detected by law enforcement. Both the ACFE and the Organisation for Economic Co-operation and Development (OECD) recognise the important role of whistleblowers and whistleblower protection in the detection of fraud, bribery and corruption.</p>
<p>For the private sector, the Australian Securities and Investments Commission (ASIC) requires public companies, large proprietary companies, and corporate trustees of APRA-regulated superannuation entities to have a whistleblower policy from 1 January 2020. In the public sector, there has been whistleblowing legislation in place for many years. For example, in NSW, there is the Independent Commission Against Corruption Act 1988 (&#8220;the ICAC Act&#8221;) and the Public Interest Disclosures Act 1994 (&#8220;the Public Interest Disclosures Act&#8221;).</p>
<p>The new Standard includes better guidance in relation to whistleblower protection and misconduct reporting channels to help align to the proposed new Standard <a href="https://www.iso.org/standard/65035.html" target="_blank" rel="noopener">ISO 37002: 2021 Whistleblowing management systems — Guidelines</a>.</p>
<p><em>Implications: When updating your fraud and corruption control system documentation, ensure there is alignment between your whistleblowing policies, regulatory requirements and the new Standard.</em></p>
<h3>8. Pressure testing fraud and corruption internal controls</h3>
<p>The new Standard requires an organisation to implement procedures aimed at assessing the effectiveness of internal controls that are specifically designed or intended to mitigate fraud and corruption risks. Examples of pressure tests include desktop review of case studies, process walk-throughs and data analysis.</p>
<p><em>Implications: When updating your fraud and corruption control system documentation, ensure you include information about the scope and types of pressure tests to be applied as well as the appropriate governance arrangements and responsibilities.</em></p>
<h3>9. Notifying impacted third-parties about fraud and corruption</h3>
<p>The new Standard requires an organisation to consider the impact of a fraud and corruption event on third-parties.  Third-parties include customers, clients, Government services, law enforcement, community, environment, industry and national security.</p>
<p><em>Implications: When updating your fraud and corruption control system documentation, ensure there is a notification process for impacted third-parties when responding.</em></p>
<h3>10. Disruption of fraud and corruption</h3>
<p>The Standard also recognises the fact that an investigation may not always uncover all the perpetrators or obtain enough evidence for police, regulators or prosecution. But &#8216;disruption&#8217; of the activity is recognised as an adequate response because it helps ensure such activities don&#8217;t continue.</p>
<p><em>Implications: When updating your fraud and corruption control system documentation, ensure disruption is included as part of the response. Disruption activities can include increased checking and monitoring, improving exception reporting and increasing audit activity.</em></p>
<h3>Takeaways</h3>
<p><em><strong>A cut and paste review and update is not enough:</strong></em> The revised AS 8001:2021 is a welcome change.  It will require organisations to look closely at their entire fraud and corruption control system and update many components to re-align to the 2021 edition.  A simple document edit to find &#8220;2008&#8221; and, do a cut, copy and replace with &#8220;2021&#8221; is not going to cut it&#8230;.excuse the pun!</p>
<p><em><strong>A comprehensive review is required:</strong></em> This presents an opportunity for each organisation to conduct a comprehensive, end-to-end review of their current fraud and corruption control system and several other supporting systems such as information security, whistleblowing, third-parties, business associates, anti-bribery, and risk management to identify shortfalls in policies, plans, responsibilities, processes and practices across the fraud and corruption control ecosystem.</p>
<p><em><strong>The review will take time and consume resources:</strong></em> As the revised AS 8001:2021 spreads its tentacles into other areas through the normative references, the refresh will take time and require input from several stakeholders &#8211; from the Governing body down.</p>
<p><em><strong>Expect gaps between different frameworks: </strong></em> The revised AS 8001:2021 edition will mean that other better practice toolkits recommended by regulators and government agencies that previously relied on the 2008 edition will need to be updated&#8230;and this may take many months or perhaps years.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits and value of fraud and corruption control.  We have extensive experience in fraud and corruption prevention, cyber security, investigations, crisis management, internal auditing, risk management, probity, business continuity, climate risk management and pandemic planning.</p>
<p>Can we help? Find out more about our <a href="https://inconsult.com.au/services/fraud-corruption-prevention/" target="_blank" rel="noopener">fraud and corruption prevention</a> services.  If you would like to know more, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
<p>#fraud #corruption #control #FCCS #fraudcorruption #as8001</p>
The post <a href="https://inconsult.com.au/publication/key-changes-to-as-80012021-fraud-corruption-control/">Key Changes to AS 8001:2021 Fraud & Corruption Control</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Assurance or Consulting? Maximising Internal Audit Value</title>
		<link>https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Wed, 15 Sep 2021 06:04:32 +0000</pubDate>
				<guid isPermaLink="false">https://inconsult.com.au/?post_type=publication&#038;p=7812</guid>

					<description><![CDATA[<p>Internal Audit adds value by objectively evaluating and making recommendations in respect to the internal control environment. This is the traditional &#8216;third line&#8217; view of internal audit based on the Three Lines Model by the Institute of Internal Auditors. But consider the following scenario: As part of the development of the organisation’s next internal audit [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/">Assurance or Consulting? Maximising Internal Audit Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
										<content:encoded><![CDATA[<p>Internal Audit adds value by objectively evaluating and making recommendations in respect to the internal control environment. This is the traditional &#8216;third line&#8217; view of internal audit based on the <a href="https://www.iia.org.au/technical-resources/professionalGuidance/the-iia's-three-lines-model" target="_blank" rel="noopener">Three Lines Model</a> by the Institute of Internal Auditors.</p>
<p>But consider the following scenario:</p>
<ul>
<li>As part of the development of the organisation’s next internal audit plan, management tells the Chief Audit Executive (CAE) that “Process A” is completely defective. It’s not working as intended, there are some large risks, there are regular issues and errors and Process A desperately needs review.</li>
<li>At management’s request, the CAE includes an internal audit of Process A as a high priority on the audit plan.</li>
<li>Internal audit conducts an assurance audit of Process A and confirms that it is indeed a mess and needs urgent review and remedial action. Remedial options are presented and recommendations for improvement are made.</li>
<li>Management expresses disappointment in the audit outcome because they already knew the process was broken and they thought an audit would help to fix it.</li>
<li>Management defers or disagrees with the timing of a number of audit recommendations because there are insufficient resources available to fix the problem.</li>
</ul>
<p>Sound familiar? How much value has internal audit really added?</p>
<h3>The role of internal audit</h3>
<p>Often the root cause of the above scenario is a lack of understanding about the potential roles that internal audit can play.</p>
<p>According to the Institute of Internal Auditors, the definition of internal audit is:</p>
<p style="padding-left: 40px;"><em>“… an independent, objective assurance <strong>and consulting</strong> activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”</em></p>
<p>This definition recognises that internal audit can undertake two broad types of activities – assurance and consulting. Whilst assurance engagements are relatively commonplace and generally well understood, internal audit consulting engagements are perhaps less prevalent.</p>
<h3>Internal audit as consultants</h3>
<p>The Internal Audit Standards define consulting services as:</p>
<p style="padding-left: 40px;"><em>“Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.”</em></p>
<p>Going back to our scenario above, would a better approach be to consider whether internal audit could provide consulting services to assist those responsible for Process A to design and implement process improvements and more robust controls? Rather than spending time and resources independently corroborating what management already knew, wouldn’t it be better to get in and help fix the problem?</p>
<p>The above scenario highlights a common problem whereby management and even the internal audit function have a limited or conflicting view of the role of internal audit. There is often an automatic assumption that everything on the audit plan is an assurance assignment that involves testing of controls and providing assurance. If consulting or advisory services are required, these typically get added to the internal audit work program as extras or one-offs after the plan has been adopted.</p>
<h3>Extracting more value from internal audit</h3>
<p>But there is no reason why the audit plan can’t include consulting assignments. If an area or process has already been identified as requiring remedial action and the responsible business unit needs help and assistance to do this, why can’t it be included on the audit plan as a consulting engagement?</p>
<p>This is envisaged by the Internal Audit Standards which state:</p>
<p style="padding-left: 40px;"><em><strong>“2010.C1 – </strong>The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.”</em></p>
<p>The Standards also provide considerable guidance on everything from scoping a consulting engagement to ensuring that internal audit maintains independence and doesn’t assume management responsibility.</p>
<p>For example, the Standards state:</p>
<p style="padding-left: 40px;"><em><strong>“2201.C1 – </strong>Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.</em></p>
<p style="padding-left: 40px;"><em><strong>2210.C1 – </strong>Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.</em></p>
<p style="padding-left: 40px;"><em><strong>2210.C2 – </strong>Consulting engagement objectives must be consistent with the organization&#8217;s values, strategies, and objectives.”</em></p>
<h3>Overcoming internal audit independence issues</h3>
<p>In relation to the potential for a consulting engagement to impair a future assurance review, the Standards provide:</p>
<p style="padding-left: 40px;"><em><strong>“1130.A3 – </strong>The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.”</em></p>
<p>If there are concerns that a consulting engagement may impair a future assurance review, another option would be to outsource the assurance review, especially if it is within a year or two of the consulting engagement. Diagram 1 below provides some guidance on consulting roles that internal audit should and shouldn’t undertake.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-7816 size-full" src="https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1.jpg" alt="internal audit, audit" width="1293" height="408" srcset="https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1.jpg 1293w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-300x95.jpg 300w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-1224x386.jpg 1224w, https://inconsult.com.au/wp-content/uploads/2021/09/IA-assurance-consulting-roles-1-768x242.jpg 768w" sizes="(max-width: 1293px) 100vw, 1293px" /></p>
<p style="text-align: center;"><em>Diagram 1: Consulting roles internal audit should and shouldn’t undertake</em></p>
<p>As indicated already, part of the problem may stem from a lack of understanding by management and the Audit Committee that internal audit can play a consulting role as well as an assurance role. If this is the case, then there is a need for CAE’s to educate management and the Committee about the different ways in which internal audit can add value to the organisation.</p>
<p>In some jurisdictions, there is a specific requirement for Audit Committees to look at business improvement initiatives. For example, the NSW Local Government (Governance and Planning) Act 2016 will, once commenced, require councils to have an Audit, Risk and Improvement Committee. Amongst other things, the Committee will be required to keep under review programs and measures to improve the performance of council and the services it provides. This could be partly achieved by engaging internal audit to undertake or assist with service reviews and process improvements.</p>
<h3>Takeaways</h3>
<p>So in summary, it is really important to understand the role internal audit can play in your organisation to add value. Next time someone suggests that an internal audit of a broken process would be a good idea, consider whether a consulting-type engagement to help fix the process would be preferable to an assurance audit that confirms what everyone already knew. If it is, then, subject to resourcing, experience and capacity constraints, include it on the internal audit plan.</p>
<h3>How we can help</h3>
<p>InConsult is committed to helping organisations better understand the benefits and value of internal audit. We have extensive experience in internal auditing, risk management, probity, fraud and corruption prevention, cyber security, crisis management, business continuity, climate risk management and pandemic planning.</p>
<p>If you would like to know more about our internal auditing services, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/assurance-or-consulting-maximising-internal-audit-value/">Assurance or Consulting? Maximising Internal Audit Value</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to Solve The Policy Problem</title>
		<link>https://inconsult.com.au/publication/how-to-solve-the-policy-problem/</link>
		
		<dc:creator><![CDATA[Tony Harb]]></dc:creator>
		<pubDate>Thu, 15 Apr 2021 03:25:03 +0000</pubDate>
				<guid isPermaLink="false">https://ac861nz9.dreamwp.com/?post_type=publication&#038;p=5859</guid>

					<description><![CDATA[<p>Many organisations appear to be struggling with policy management. Policy governance is not sexy, it takes skill, focus and discipline which is hard when there are so many competing demands on management time and attention. We often see organisations with ineffective policies. The problems are across a number of areas: Currency – out of date [&#8230;]</p>
The post <a href="https://inconsult.com.au/publication/how-to-solve-the-policy-problem/">How to Solve The Policy Problem</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></description>
					<content:encoded><![CDATA[<p>Many organisations appear to be struggling with policy management. Policy governance is not sexy; it takes skill, focus and discipline, which is hard when there are so many competing demands on management time and attention.</p>
<p>We often see organisations with ineffective policies. The problems are across a number of areas:</p>
<ul>
<li>Currency – out of date policies and procedures that are not reviewed regularly undermine compliance and may not reflect changes in organisational needs and legal requirements.</li>
<li>Design – policies and procedures that are hard to understand, complex or too high level do not add value by providing clear guidance on management expectations and requirements and are easily forgotten.</li>
<li>Training and Awareness – whilst new staff may be provided with induction training covering a range of corporate policies, or manager-delivered training, an ad-hoc approach to communicating changes and a lack of refresher training mean many staff assume they know what is required but are not across the detail.</li>
</ul>
<h3>Why is that?</h3>
<p>Many people feel that spending time on developing, reviewing or enhancing policies and procedures detracts from core responsibilities. Limited resources or the lack of a structured framework are also a factor. This is a challenge for many smaller organisations and is particularly relevant when the driver behind having the policy or procedure is viewed as a &#8220;compliance&#8221; requirement. There may be no direct penalty for not meeting requirements, as management can often argue that the organisation thought its approach was appropriate for its size, business mix and complexity. For this reason, as long as documents generally meet some core requirements, any control weaknesses or process improvement opportunities are often not treated as a priority.</p>
<p>Many people however forget that the underlying reason for having policies and procedures is to ensure things are done right. Regulators do not dream up compliance requirements for the sake of making life difficult or to add red tape. Policies and procedures are often required to manage specific areas of risk to an organisation that may not otherwise be managed well.</p>
<h3>Underlying rationale</h3>
<p>Operational risk is the risk of losses from inadequate or failed internal processes, people and systems, or from external events. This means that to manage operational risk and prevent losses organisations need adequate policies and procedures to prevent human error or detect changes in the external environment and have appropriate response plans in place just in case.</p>
<p>Producing policies that are clear and concise and explicitly meet compliance requirements ensures there is no ambiguity and that actions are consistent, timely and repeatable. This means that the standards expected by management are easier for new staff to learn and more likely to be met. This is especially important for smaller organisations, where the loss of staff and the associated corporate knowledge has a greater impact on the organisation. If policies and/or procedures are out of date, then management&#8217;s commitment to managing operational risk and meeting compliance obligations may be undermined.</p>
<p>Professional-looking documentation that can be clearly and easily understood by independent third parties demonstrates management&#8217;s capabilities and provides a level of assurance to regulators, internal audit and the Board. This helps to build a strong, constructive working relationship and ensures that if there are ever any issues, they are easily solved, and the level of oversight is often lower (as the risk is lower).</p>
<p>Effective and efficient policies and procedures help manage risk and reduce operational losses and near miss incidents.</p>
<h3>How can you make policy governance efficient and effective?</h3>
<p><strong>1. Policy Governance framework </strong></p>
<p>Develop a Policy Governance framework&#8230;a policy for policies. This should include:</p>
<ul>
<li>Approval framework, i.e. which policies, procedures or manuals should be approved by the Board, executive or senior management.</li>
<li>Template to ensure consistency in design and table of contents, e.g. owner, approver, version, next review date, scope, objectives, references and communication or training requirements.</li>
</ul>
<p><strong>2. Policy Governance functional oversight</strong></p>
<p>Appoint a person to oversee policy governance who will help facilitate the maintenance of policies and procedures and hence the management of operational risk. This may be delegated to a governance, risk management or compliance function. Responsibilities could include:</p>
<ul>
<li>Sending reminders that policies or procedures are due for review.</li>
<li>Assisting with understanding the policy governance framework, developing new policies and procedures or designing training and awareness.</li>
<li>Reporting to the risk committee where policies or procedures are overdue for review.</li>
</ul>
<p><strong>3. Policy writing</strong></p>
<p>Writing policies and procedures in a clear, concise manner, including the relevant details without excessive detail, is a skill that not all subject matter experts hold.</p>
<p>It is important that the language used is not legalistic, includes relevant context and speaks to the casual reader. A plain-language writing course or policy writing workshop may help develop organisational skills.</p>
<p><strong>4. Review frequency</strong></p>
<p>Set the review frequency as appropriate to the topic and nature of the policy.</p>
<p>Many organisations set a review frequency that is not necessary and cannot be met. If management does not maintain the document, this undermines the importance of following the policy or procedure, as it may no longer appear relevant.</p>
<p><strong>5. Independent review</strong></p>
<p>If a subject matter expert writes or updates a policy or procedure, request an independent third party, such as a risk manager or internal auditor, to review it and provide feedback.</p>
<p><strong>6. Policy Governance system</strong></p>
<p>Maintain a policy register which includes, for each policy and procedure, the owner, last review date and next review date. This may be in Excel, SharePoint or a GRC system. Many organisations limit this to Board-approved policies, which means that the operational procedures relied upon to manage risk are often not sufficiently maintained.</p>
<p>This could be extended to include the frequency and timing of communication and awareness training.</p>
<p>There are also more sophisticated integrated Policy Management systems that have online training modules and policy attestations which can maintain details of policy issuance and training provided to staff members as well as support the policy management lifecycle.</p>
<h3>Next steps</h3>
<p>Good policy governance is integral to enabling effective operational risk management. All organisations should conduct a high-level review of their approach on a periodic basis. This could be an assessment by governance, risk management or internal audit personnel, or by an external consultant. It would identify opportunities for improvement and, if required, help secure management commitment to a more integrated approach.</p>
<h3>How we can help you solve the policy problem</h3>
<p>InConsult is committed to helping organisations enhance governance and risk management frameworks. We have extensive experience in designing, reviewing and enhancing governance and risk management frameworks to ensure they are appropriate for the culture and operating environment of individual clients.</p>
<p>If you would like to know more about our governance and risk management services, including governance health checks and better practice assessment of individual policies, <a href="https://inconsult.com.au/contact-us/" target="_blank" rel="noopener noreferrer">contact us</a> to discuss your needs.</p>
The post <a href="https://inconsult.com.au/publication/how-to-solve-the-policy-problem/">How to Solve The Policy Problem</a> first appeared on <a href="https://inconsult.com.au">InConsult</a>.]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
