Requirements
A) Principles and Core Requirements
The Internal Audit and Risk Management Policy requires agencies to comply with the Core Requirements of the Policy.
1. Risk Management Framework
|
|
Principle 1:
Effective risk management arrangements should support the agency in achieving its objectives by systematically identifying and managing risks to:
- increase the likelihood and impact of positive events
- mitigate the likelihood and impact of negative events.
|
Core Requirement 1.1
The Accountable Authority shall accept ultimate responsibility and accountability for risk management in the agency.
Core Requirement 1.2
The Accountable Authority shall establish and maintain a risk management framework that is appropriate for the agency. The Accountable Authority shall ensure the framework is consistent with AS ISO 31000:2018.
|
2. Internal Audit Function
|
|
Principle 2:
An internal audit function should provide timely and useful information to management about:
- the adequacy of, and compliance with, the system of internal control
- whether agency results are consistent with established objectives
- whether operations or programs are being carried out as planned.
|
Core Requirement 2.1
The Accountable Authority shall establish and maintain an internal audit function that is appropriate for the agency and fit for purpose.
Core Requirement 2.2
The Accountable Authority shall ensure the internal audit function operates consistent with the International Standards for Professional Practice for Internal Auditing.
Core Requirement 2.3
The Accountable Authority shall ensure the agency has an Internal Audit Charter that is consistent with the content of the ‘model charter.’
|
3. Audit and Risk Committee
|
|
Principle 3:
An independent Audit and Risk Committee with appropriate expertise should provide relevant and timely advice to the Accountable Authority on the agency’s governance, risk and control frameworks and its external accountability obligations.
|
Core Requirement 3.1
The Accountable Authority shall establish and maintain efficient and effective arrangements for independent Audit and Risk Committee oversight to provide advice and guidance to the Accountable Authority on the agency’s governance processes, risk management and control frameworks, and its external accountability obligations.
Core Requirement 3.2
The Accountable Authority shall ensure the Audit and Risk Committee has a Charter that is consistent with the content of the ‘model charter.’
|
B) Attestation Statement included in agency’s annual report
Agencies must attest their compliance with the Core Requirements in an annual Attestation Statement (Annexure C of the Policy), which is published in the agency’s Annual Report.
Where a shared arrangement has been approved by an agency’s cluster Secretary, agencies must submit individual annual attestation statements and publish them in their annual reports accordingly. For agencies that have entered into a shared arrangement, the relevant templates from Annexure H and/or I of the Policy must be completed.
C) Copy of the Attestation Statement provided to Treasury
A copy of the Attestation Statement shall be submitted separately to Treasury on or before 31 October each year. For any non-compliance with Core Requirements, agencies will be required to also submit a copy of the relevant Responsible Minister’s approved Ministerial Exemption.
Submissions to Treasury should be emailed to: [email protected].
D) Variations that apply to the Policy
As there are varying sizes and complexities of agencies across the general government sector, the Policy allows for certain variations to support its efficient and effective implementation. Refer to the below variations to determine if they are applicable to your agency.
Variations |
Page references |
i) Shared Arrangements
A. Shared Audit and Risk Committee
B. Shared Chief Audit Executive
C. Shared Internal Audit Function
|
Pages 12-14
Core requirements 3.1.2-3.1.4
Annexure G
|
ii) Ministerial Exemption Process
Ministerial exemption to one or more of the Core Requirements for up to two reporting periods.
|
Pages 14-15
Annexure D
|
iii) Small Agency Exemption
Ongoing exemption to comply with one or more of the Core Requirements until any of the listed circumstances occurs.
|
Pages 15-16
Annexure E
|
iv) Transitional Arrangements
12-month transitional period if the agency is in one or more of the following circumstances:
- during the first twelve months from the commencement date of the Policy
- new agency required to comply with the Core Requirement(s) of the Policy; or
- impacted by Machinery of Government (MoG) changes.
|
Pages 16-17 |
A summary of these requirements is provided in this link.
Audit and Risk Committee
Audit and Risk Committee Prequalification Scheme
The Audit and Risk Committee (ARC) Prequalification Scheme (the Scheme) was established in 2009 as a requirement of TPP20-08 Internal Audit and Risk Management Policy for the General Government Sector.
The ‘prequalification list’ of the Scheme is a list of highly skilled individuals with extensive experience across a range of policy areas. Prequalification allows someone to be considered for appointment as a chair or member of NSW Government ARCs.
The Scheme is now open to new applicants.
Find out more
Fact Sheets
Treasury has published the following guides to assist ARCs with specific topics relevant to their role. The list is not exhaustive and further guides will be developed and added to this list in due course.
Resources
Internal Audit and Risk Management related policies and documents:
Other related Treasury Policy and Guidelines Papers:
Templates in the Annexures of TPP20-08:
Frequently Asked Questions