Internal audit and risk management

The Policy was first issued as a Treasurer’s Direction in 2009 as the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP09-05) and re-issued in 2015 as the Internal Audit and Risk Management Policy for the NSW Public Sector (TPP15-03). TPP09-05 and TPP15-03 outlined a ‘better practice’ approach to internal audit and risk management that drew on the standards endorsed by professional associations and the practice of exemplar agencies in the public and private sectors.

The Policy has been updated in 2020 and issued as a mandatory policy that supersedes TPP15-03 but retains the same broad policy direction.

The Policy also supersedes the Guidance on Shared Arrangements and Subcommittees for Audit and Risk Committees (TPP16-02) and incorporates guidance to enable agencies to form Shared Arrangements and to form Subcommittees of ARCs.

There is no specific limitation on the number of agencies that may be overseen by a shared ARC. Ultimately, this is a business decision for the departments and agencies involved in the shared arrangement.  However, TPP20-08 requires the independent ARC chair and members to:

• have the time and capacity to sufficiently cover all agencies in the shared ARC, and
• maintain an appropriate level of visibility of each of the agency’s operations and reporting relationship with each Accountable Authority.

Therefore, the number of agencies overseen by an ARC should not exceed a number that would prevent these requirements from being followed.

Refer to Annexure G of TPP20-08 for further information.

The Internal Audit and Risk Management Policy requires all independent chairs and members on ARCs to be selected from the Panel of prequalified individuals as constituted under the Prequalification Scheme: Audit and Risk Committee Independent Chairs and Members (the Scheme). This requirement also applies to members of the governing board of a statutory body who wish to be members of the ARC.

The Scheme was first established by the Department of Premier and Cabinet in 2009 with the following objectives:

• “improve probity standards and quality assurance by allowing for third party assessment of independent persons available for engagement to public sector Audit and Risk Committee positions; and
• streamline the engagement of suitable persons to public sector Audit and Risk Committee positions by pre-qualifying independent individuals with demonstrated skills and experience in the area.”

Accordingly, the Scheme requires consideration by the Assessment Committee of a range of specific evaluation criteria including the knowledge and experience of applicants in relevant areas such as risk management, performance management, internal and external auditing, and financial reporting.

While there will be occasions where board members of an agency will also meet the evaluation criteria applied for the purposes of prequalification, this may not always be the case. The criteria applied for appointments to statutory boards vary considerably across different boards.

For example, it may be required that the governing board of a statutory authority is comprised of representatives from a specified profession, and/or representatives of certain organisations, and/or representatives of a specific community sector. In some instances, it is required that an appointment to a board has knowledge of, or experience in, a specific subject such as science or the arts. In many cases, the criteria applied have no relationship to the criteria applied for ARC chairs and members. 

Whether or not a board member has the requisite experience and knowledge to qualify them as members of an ARC can only be determined on a case by case basis. For consistency, it is appropriate that this assessment is carried out by the Assessment Panel administered by NSW Procurement in accordance with the evaluation criteria of the Scheme. This assessment process is generally straightforward and able to be completed expeditiously.

TPP20-08 states in the requirements for Shared ARCs that “the ARC covers each agency’s business separately in sequential meetings and not joint sittings.” The requirement to hold sequential shared ARC meetings is consistent with the better practice guidance of the Australian National Audit Office about the proper management of the business of entities in a shared arrangement.

There are also other reasons for sequential meetings. Firstly, the oversight role of an ARC is to provide advice and guidance to the Accountable Authority of individual agencies on their governance processes, risk management and control frameworks, and their external accountability obligations. Therefore, this requires ARC meetings to be held sequentially for each agency in a shared ARC. Regardless of the form of arrangement, a shared ARC will operate as an individual ARC for each separate agency and provide independent advice and oversight for each participating agency. This supports an appropriate level of visibility of each of the agency’s operations irrespective of their size and maintains a reporting relationship with each Accountable Authority.

Sequential meetings also facilitate participation by the Audit Office in ARC meetings without breach of section 38 (Secrecy) of the Public Finance and Audit Act 1983. Section 38 prohibits the Auditor General or their representatives from revealing information to people who are not officers of the particular entity that is subject of that information. In a joint meeting covering a number of entities, senior staff and other employees from the respective entities who have been invited to attend for one or more agenda items are likely to be in attendance. Further, in the case of a Principal Department Led ARC, non-independent members of the Principal Department are likely to be present.  The Auditor-General, an auditor or other authorised person from the Audit Office would be prevented, by section 38, from disclosing information about an audit or financial matter of an entity in such a multi-agency environment that includes officers from other entities. This issue has been examined by the Crown Solicitor who has confirmed that the duty of secrecy in section 38 limits the ability of the Auditor General, an auditor or other authorised person to disclose information in such a multi-agency environment. As such, at this time, legislation does not support the conduct of joint meetings of shared ARCs.

However, under the provisions of TPP20-08, sequential meetings in specific circumstances may allow for cluster representatives (including the Accountable Authority, Chief Financial Officers, Senior Accounting Officers, Chief Risk Officers and Chief Audit Executives) to attend the ARC meetings for all agencies within their shared arrangement. This at the invitation of the Chair and with the consent of all participating agencies. However, external audit representatives (i.e. the Auditor-General, an auditor or other authorised person from the Audit Office) may consider that discussing individual agency matters at ARC meetings when cluster representatives are present is incompatible with the secrecy provisions in section 38 and their professional membership obligations. Where this is the case, the external audit representatives may seek to discuss matters with the ARC and relevant agency through in camera sessions.

Treasury will continue to examine this issue in consultation with the Audit Office towards the identification and implementation of appropriate arrangements.