Policy Directive

Ministry of Health, NSW
73 Miller Street North Sydney NSW 2060
Locked Mail Bag 961 North Sydney NSW 2059
Telephone (02) 9391 9000 Fax (02) 9391 9101
http://www.health.nsw.gov.au/policies/

Internal Audit

Document Number PD2016_051
Publication date 08-Nov-2016
Functional Sub group Corporate Administration - Governance
Summary This Policy Directive describes the internal audit framework and governance practices that NSW Health Organisations must implement and maintain to ensure objective oversight of the organisation's activities.
Replaces Doc. No. Internal Audit [PD2010_039]
Author Branch Legal and Regulatory Services
Branch contact Legal and Regulatory Services 02 9391 9654
Applies to Local Health Districts, Board Governed Statutory Health Corporations, Affiliated Health Organisations, Public Health System Support Division, NSW Ambulance Service, Ministry of Health, Public Hospitals, NSW Health Pathology, Cancer Institute (NSW)
Audience Boards, Audit and Risk Committees, All staff, Audit, Governance and Risk staff, Senior Management
Distributed to Public Health System, NSW Ambulance Service, Ministry of Health, Private Hospitals and Day Procedure Centres
Review date 08-Nov-2021
Policy Manual Not applicable
File No. 08/8578-4
Status Active
Director-General

This Policy Directive may be varied, withdrawn or replaced at any time. Compliance with this directive is mandatory for NSW Health and is a condition of subsidy for public health organisations.


POLICY STATEMENT

INTERNAL AUDIT

PURPOSE

NSW Health Organisations are required to maintain an effective, independent Internal Audit function in accordance with this Policy Directive and Procedures. The Public Finance and Audit Act 1983 section 11(2), together with the NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector (TPP15_03), establishes the basis for Internal Audit across NSW Government. As TPP15_03 does not apply directly to NSW Health Organisations,[1] the relevant requirements of TPP15_03 are applied to the NSW Health system through this Health Policy Directive and Procedures in a way that accommodates NSW Health’s devolved governance model.[2]

MANDATORY REQUIREMENTS

• Each NSW Health Organisation must establish and maintain an adequately resourced Internal Audit function that is independent of management. This may be delivered by an in-house model, an out-sourced model or a combination of both.

• An experienced senior employee must be appointed as Chief Audit Executive with accountability to lead the Internal Audit function and responsibility for its services.

• Each NSW Health Organisation must establish an Audit and Risk Committee in accordance with this Policy Directive and Procedures, and any relevant By-law.

• An Audit and Risk Committee must have an independent Chair and a majority of independent members (which includes the Chairperson), appointed from NSW Treasury’s Panel of Prequalified Audit and Risk Committee Chairs and Members.

• The Internal Audit function and Audit and Risk Committee should each operate under a Charter consistent with the Model Charters included in this Policy Directive.

• The Internal Audit function must operate in accordance with Institute of Internal Auditors Standards and any other requirements outlined in this Policy Directive.

• Each NSW Health Organisation must submit to the Ministry of Health an annual Internal Audit and Risk Management Attestation Statement by 17 July.

ROLES AND RESPONSIBILITIES

Chief Executives must:

• Ensure there is an effective and adequately resourced Internal Audit function, with clear separation from operational management

[1] TPP15_03 is issued as a Direction to ‘department heads’ under the Annual Reports (Departments) Act 1985 (s18), ‘Statutory bodies’ under the Annual Reports (Statutory Bodies) Act 1984 (s15) and ‘officers of an authority’ and ‘accounting officers’ under the Public Finance and Audit Act 1983 (s9).

[2] Accordingly, where inconsistency exists between this PD and TPP15_03, this PD shall prevail with respect to NSW Health Organisations.

PD2016_051 Issue date: November-2016 Page 1 of 3

• Appoint, on advice from the Audit and Risk Committee, a Chief Audit Executive to manage the Internal Audit function; where out-sourced or co-sourced, the Chief Audit Executive must be an experienced and appropriately qualified senior employee

• Ensure that an Audit and Risk Committee is established; where the organisation is Board governed, as a sub-committee of the Board

• Ensure dual Chief Audit Executive reporting lines, both administratively to the Chief Executive and functionally to the Audit and Risk Committee

• Ensure that the Audit and Risk Committee is kept informed on matters concerning the business and operating environment of the organisation

• On advice from the Audit and Risk Committee, approve the Internal Audit work plan

• Ensure that an annual Internal Audit and Risk Management Attestation Statement is prepared for sign off by the Board (where Board governed) or Chief Executive (where Chief Executive governed) and submitted to the Ministry of Health

• Ensure the ARC Chair is supported in discharging her / his responsibilities.

Chief Audit Executives must:

• Develop an Internal Audit Charter consistent with this Policy Directive and submit it to the Chief Executive for approval, on advice from the Audit and Risk Committee

• Prepare for the Audit and Risk Committee’s consideration an Internal Audit annual audit work plan (prepared based on the NSW Health Organisation’s risk register), in a form agreed by the Committee, for the next financial year’s audit activities

• Report to the Audit and Risk Committee on Internal Audit findings and related recommendations, which are to be risk assessed in accordance with the NSW Health Policy Directive - Risk Management Enterprise-Wide Policy and Framework

• Make recommendations for every audit finding and ensure recommendations are communicated to management for formal response

• Monitor progress of implementation for ‘agreed actions’ and undertake follow-up audits or reviews on a risk basis. Where agreed actions are not implemented in a timely manner, report on the progress of these to the Audit and Risk Committee

• Manage and participate in quality improvement programs designed to promote networking and sharing of better practice, and to strengthen accountability, transparency and professional practice for NSW Health Internal Audit professionals

• Where the Internal Audit function is outsourced, control of the strategic direction of Internal Audit must be retained and service provider performance actively monitored

• Ensure that the Internal Audit function operates in accordance with the Institute of Internal Auditor’s Standards for the Professional Practice of Internal Auditing.

The Audit and Risk Committee must:

• Review and oversee the Internal Audit function, including relevant Internal Audit plans and reports. This will include oversight of internal controls, risk management, corruption and fraud prevention strategies, applicable laws and regulations, NSW Government and NSW Health Policy Directives, Annual Internal Audit and Risk Management Attestation Statements, external accountability statements (including the financial statements) and external financial and performance audits

• Have direct access to internal and external auditors without management being present, and must meet with the internal and external auditors at least annually

• Be entitled to seek clarification / information from any employee of the organisation, and able to seek independent expert advice when required

• Ensure an annual Self-Assessment Checklist is completed

• Have an Independent Chair who reports directly to the Board (where Board governed) or Chief Executive (where there is no Board). Where the organisation is Board governed, ARCs must be established as a Board subcommittee.

REVISION HISTORY

Version: November 2016 (PD2016_051)
Approved by: Deputy Secretary Governance, Workforce and Corporate
Amendment notes: Incorporating NSW Treasury TPP15_03, where relevant. Further improvements to align with maturity in devolved governance model.

Version: October 2015 (PD2015_043)
Approved by: Deputy Director General Governance, Workforce & Corporate
Amendment notes: Draft for consultation. Updated to incorporate NSW Health governance changes and revision to central agency policies.

Version: June 2010 (PD2009_039)
Approved by: Deputy Director General Health System Support
Amendment notes: Rescinds PD2008_069. Policy updated in line with NSW Treasury policy TPP15_03.

Version: December 2008 (PD2008_069)
Approved by: Deputy Director General Health System Support
Amendment notes: Rescinds PD2005_616. Complete rewrite of policy.

Version: August 2005 (PD2005_6160)
Approved by: Director-General
Amendment notes: New policy directive.

ATTACHMENT 1. Internal Audit: Procedures.


Internal Audit

PROCEDURES

Issue date: November-2016

PD2016_051


CONTENTS

1 INTERNAL AUDIT FUNCTION ..... 1
1.1 Introduction ..... 1
1.2 Key Definitions ..... 2
1.3 Chief Audit Executive ..... 3
1.4 Charter for the Internal Audit Function ..... 3
1.5 Governance of the Internal Audit Function ..... 4
1.6 Resourcing of the Internal Audit Function ..... 4
1.7 Internal Audit Quality Assurance and Improvement ..... 5
1.8 Annual Attestation Statements ..... 5

2 AUDIT AND RISK COMMITTEE ..... 5
2.1 Establishment ..... 6
2.2 Membership and Appointments ..... 6
2.3 Independent Members ..... 6
2.3.1 Eligibility to sit as an "Independent Member" ..... 7
2.3.2 Appointment of Independent Member as Chair ..... 7
2.3.3 Support for Independent Members ..... 8
2.4 Audit and Risk Committee Members ..... 8
2.4.1 Eligibility to sit as an Audit and Risk Committee member ..... 8
2.4.2 Skills and experience of Members ..... 8
2.5 Remuneration, Insurance and other entitlements ..... 8
2.5.1 Remuneration ..... 8
2.5.2 Insurance ..... 9
2.5.3 Other entitlements ..... 9
2.6 Conduct ..... 9
2.6.1 Codes of Conduct ..... 9
2.6.2 Conflicts of Interest ..... 10
2.7 Term ..... 10
2.8 Termination ..... 11

3 MODEL CHARTER AND AUDIT & RISK COMMITTEE OPERATIONS ..... 11
3.1 Audit and Risk Committee Charter ..... 11
3.2 Audit and Risk Committee Operation ..... 12

4 RISK MANAGEMENT STANDARDS ..... 12

5 INTERNAL AUDIT STANDARDS ..... 12
5.1 Institute of Internal Auditors – Standards for Internal Auditing ..... 13
5.2 Additional Requirements ..... 13
5.2.1 Audit Reports ..... 13
5.2.2 Risk Rating of Audit Findings ..... 13
5.2.3 Agreed Action Plans ..... 14
5.2.4 Monitoring of Agreed Action Plans ..... 14
5.2.5 Internal Audit Manual ..... 14
5.2.6 Records Retention ..... 16
5.3 Model Internal Audit Charter ..... 16
5.4 Model Charter for the Audit and Risk Committee ..... 16
5.5 Internal Audit and Risk Management Attestation Statement ..... 16
5.6 Internal Audit Programs developed by Health Audit Working Party (HAWP) ..... 16
5.7 Audit and Risk Committee Self-Assessment Checklist ..... 16
5.8 Audit and Risk Committee Letter of Offer Template ..... 16

6 OTHER USEFUL REFERENCES ..... 16


1 INTERNAL AUDIT FUNCTION

1.1 Introduction

The NSW Ministry of Health requires NSW Health Organisations to maintain an effective and independent Internal Audit function in accordance with section 11(2) of the NSW Public Finance and Audit Act 1983, and the NSW Treasury Internal Audit and Risk Management Policy for the NSW Public Sector (TPP15_03). As TPP15_03 does not apply directly to NSW Health Organisations,[1] the NSW Ministry of Health applies the relevant requirements of TPP15_03 to the NSW Health system through this Health policy directive. To the extent that any inconsistency exists between this NSW Health Policy Directive and Procedures and TPP15_03, this NSW Policy Directive and Procedures shall prevail with respect to application to NSW Health Organisations.

This Policy and Procedures establishes a state-wide NSW Health standard that seeks to strengthen internal audit, corporate governance and risk management[2] practices across NSW Health. Consistent with TPP15_03, this policy applies the following three (3) Principles:

1. NSW Health Organisations recognise that risk is inevitable and have a risk management framework in place that supports the organisation to achieve its objectives by systematically identifying and managing risks to:

• Increase the likelihood and impact of positive events

• Mitigate the likelihood and impact of negative events.

2. NSW Health Organisations’ internal audit functions provide timely and useful information about:

• The adequacy of, and compliance with, the system of internal control

• Whether organisation results are consistent with established objectives

• Whether operations or programs are being carried out as planned.

3. The Boards and Chief Executives of NSW Health Organisations receive relevant and timely advice on their respective organisation’s governance, risk and control frameworks and its external accountability obligations from an independent and qualified Audit and Risk Committee.

These Principles are further articulated through eight (8) Core requirements, which must be implemented. These are:

Risk Management Framework

1. The organisation’s Board (where Board governed) or Chief Executive (where Chief Executive governed) is ultimately responsible and accountable for risk management in the organisation

[1] Treasury Policy TPP15_03 is issued as a Direction to: ‘department heads’ under section 18 of the Annual Reports (Departments) Act 1985; ‘Statutory bodies’ under section 15 of the Annual Reports (Statutory Bodies) Act 1984; and, ‘officers of an authority’ and ‘accounting officers’ under section 9 of the Public Finance and Audit Act 1983.

[2] This should be read in conjunction with NSW Health Policy Directive on Risk Management Enterprise Wide Policy and Framework (PD2015_043).


2. A risk management framework that is appropriate to the organisation has been established and maintained, consistent with AS/NZS ISO 31000:2009.

Internal Audit Function

3. An internal audit function has been established and is maintained

4. The operation of the internal audit function is consistent with the International Standards for the Professional Practice of Internal Auditing

5. The NSW Health Organisation has an Internal Audit Charter that is consistent with the ‘model charter’

Audit and Risk Committee

6. An independent and qualified Audit and Risk Committee has been established

7. The Audit and Risk Committee is an advisory committee providing assistance to the organisation Board (where Board governed) or Chief Executive (where Chief Executive governed) on the organisation’s governance processes, risk management and control frameworks, and its external accountability obligations

8. The Audit and Risk Committee has a Charter that is consistent with the ‘model charter’

NSW Health has contextualised the core requirements of TPP15_03 into this Policy Directive to meet the specific needs of NSW Health and to comply with the “best practice” attributes for internal audit and corporate governance as outlined in TPP15_03. To the extent that any inconsistency exists between this Policy Directive and TPP15_03, this Policy Directive shall prevail with respect to its application to NSW Health Organisations.

For the purposes of this Policy Directive, unless otherwise specified, the Chief Executive of a Board governed NSW Health Organisation will be referred to in this Policy Directive as the person responsible for the Internal Audit function.

1.2 Key Definitions

Audit and Risk Committee has an independent Chair and a majority of independent members, and is tasked with the oversight and monitoring of governance, risk and internal control frameworks and external accountability obligations affecting the operations of the NSW Health Organisation.

Chief Audit Executive is the head of the Internal Audit function for the NSW Health Organisation with the responsibility for providing strategic leadership and managing the internal audit function. The Chief Audit Executive must be appropriately experienced and qualified.

Co-sourced Internal Audit function means where the core Internal Audit functions are maintained by the organisation, but some Internal Audit services or reviews are conducted by a qualified external provider.

NSW Health Organisation means a Public Health Organisation (Local health district, specialty network, statutory health corporation and affiliated health organisation), Units of the Health Administration Corporation (including NSW Ambulance, HealthShare NSW, eHealth NSW, Health Infrastructure, NSW Health Pathology), and health bodies established under their own statute.


Internal Audit means[3] an independent activity designed to add value and improve operations through:

• Assurance services that involve an objective examination of evidence for the purpose of providing an independent assessment of risk management, control or governance processes for the organisation and

• Advisory services that are related to client activities, the nature and scope of which are agreed upon with the client and which are intended to add value and improve an organisation’s operations.

The Internal Audit function may also undertake audit support activities, including secretariat support to the Audit and Risk Committee.

1.3 Chief Audit Executive

The Chief Audit Executive is responsible for the Internal Audit function and must:

• Be classified at a sufficiently senior level to ensure that the position holder is able to discuss and negotiate internal audit results with senior management on a reasonably equal footing and

• Possess relevant qualifications, skills, knowledge, professional standing, and personal qualities that can ensure the credibility and acceptance of the Internal Audit function they lead.

Where the Internal Audit function is established using an out-sourced service delivery model, the Chief Audit Executive is the most senior position within the NSW Health Organisation with responsibility for Internal Audit.

The Chief Executive must consult with the Audit and Risk Committee when designating, appointing or removing a Chief Audit Executive. Consultation will include either seeking advice from the Audit and Risk Committee or involving an independent member of the Committee in the selection process.

The Deputy Secretary, Governance, Workforce and Corporate, NSW Ministry of Health, must be notified of the intention by the NSW Health Organisation to advertise for a Chief Audit Executive position, to appoint a new Chief Audit Executive, and prior to removing an appointed Chief Audit Executive. Once employed, the Chief Audit Executive’s term of employment / engagement should not be amended without formally notifying the Deputy Secretary, Governance, Workforce and Corporate.

1.4 Charter for the Internal Audit Function

The Chief Executive must ensure that the Internal Audit function has a Charter that is consistent with the content of the ‘Model Charter’ in this Policy Directive. The Model Charter sets out ‘common’ content for an Internal Audit Charter. The Internal Audit Charter must be developed for approval by the Chief Executive on the advice of the Audit and Risk Committee. The Charter may include additional provisions to those set out in the Model Charter, providing that these do not conflict with the Model Charter.

[3] The Institute of Internal Auditors (IIA) defines Internal Audit as “An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

1.5 Governance of the Internal Audit Function

The Chief Executive must ensure there is a clear separation of operational management from the Internal Audit function. To achieve operational independence of the Internal Audit function, the Chief Audit Executive should have a dual reporting line that reports:

• Administratively to the Chief Executive to facilitate day-to-day operations of the Internal Audit function, and

• Functionally to the Audit and Risk Committee for strategic direction and accountability of the Internal Audit function.

The Chief Executive must ensure that Internal Audit reporting lines are clearly documented within both the Internal Audit Charter and the Audit and Risk Committee Charter, and that the Internal Audit function is operationally independent from the activities it audits. The Audit and Risk Committee oversees Internal Audit in accordance with the ARC Charter and the Internal Audit Charter. The Chief Executive must ensure that the Internal Audit function is appropriately positioned within the organisation’s governance framework to work with external audit and internal business units.

1.6 Resourcing of the Internal Audit Function

The Chief Executive must ensure that the Internal Audit function has sufficient resources, both financial and professional staff with the necessary skills and experience relative to the risks and assurance needs facing the Health organisation. The Chief Executive must determine the budget and level of resourcing for the Internal Audit function in consultation with the Audit and Risk Committee.

Where the Audit and Risk Committee or Chief Audit Executive considers the level of resourcing for the Internal Audit function is insufficient relative to the risks and assurance needs of the Health organisation, they should draw this to the attention of the Chief Executive and, where appropriate, the Board.

The Chief Executive should ensure that professional staff of the Internal Audit function have reasonable access to training and professional development through the relevant professional associations, e.g. Institute of Internal Auditors (IIA), Certified Practising Accountants (CPA) etc.

The Chief Audit Executive must:

• Ensure that all Internal Audit staff are provided with sufficient information on the risks and operations of the organisation in order for them to perform their roles

• Set minimum professional development targets for all Internal Audit staff

• Inform the Audit and Risk Committee of planned and actual time spent on professional development each year.


The Audit and Risk Committee should monitor the professional development of the Internal Audit function.

1.7 Internal Audit Quality Assurance and Improvement

The Chief Executive must ensure that the Internal Audit function, whether in-house, co-sourced, or outsourced, is subject to a quality assurance review by an accredited provider or reviewer at least once every five (5) years, as required by the Institute of Internal Auditors. The Chief Audit Executive may facilitate the quality assurance review by an accredited provider or reviewer of the Internal Audit function. The results of the quality assurance review must be communicated to the Audit and Risk Committee, Board (where Board governed), Chief Executive, NSW Ministry of Health and to the staff within the Internal Audit function.

1.8 Annual Attestation Statements

The Internal Audit and Risk Management Attestation Statement is an annual statement about the NSW Health Organisation’s conformance or otherwise to this Policy Directive. The Chief Executive must ensure an annual Internal Audit and Risk Management Attestation Statement is submitted to the NSW Ministry of Health by 17 July each year, stating whether the NSW Health Organisation complies with this Policy Directive. The Chief Executive may seek advice, opinion or feedback from the Audit and Risk Committee in relation to compliance with this Policy Directive.

Where a NSW Health Organisation is not able to comply with any of the requirements of this Policy Directive, the Chief Executive may apply to the Secretary of the NSW Ministry of Health for an exception from the relevant policy requirement(s). Any request for an exception is to be submitted in writing to the Secretary, NSW Ministry of Health prior to 31 March of the year for which the exemption is sought. A determination with respect to an exception will be effective for one reporting period only (one year) and, even if circumstances for the initial exception are ongoing, further exceptions must be renewed annually. Where an exception has been granted, the Chief Executive is required to indicate this on their organisation’s Internal Audit and Risk Management Attestation Statement.

A copy of the final completed Internal Audit and Risk Management Attestation Statement must be communicated to the Audit and Risk Committee and to the Board (where Board governed). The Internal Audit and Risk Management Attestation Statement templates can be downloaded from the References and Templates section in this procedure.

2 AUDIT AND RISK COMMITTEE

PD2016_051 Issue date: November-2016 Page 5 of 19


Internal Audit

PROCEDURES

2.1 Establishment

The establishment and responsibilities of an Audit and Risk Committee are outlined in the Roles and Responsibilities section of this Policy Directive. The Committee is an integral component of a NSW Health Organisation’s corporate governance arrangements. Its responsibilities will generally cover review and oversight of the following areas:

• Internal controls

• Risk management

• Corruption and fraud prevention

• External accountability (including the financial statements)

• Compliance with applicable laws and regulations

• Internal audit

• External audit.

2.2 Membership and Appointments

The Audit and Risk Committee must have no fewer than 3 and no more than 5 members. The majority of members must be Independent Members (including the Chair). The initial term for members of the Audit and Risk Committee must be at least three (3) years and must not exceed five (5) years. Members may be reappointed or extended for further terms but the total period of continuous membership on the Committee must not exceed eight (8) years (inclusive of any term as chair of the Committee). Appointment of members should be made after consultation with the Audit and Risk Committee Chair. Any reappointment or extension of membership on the Audit and Risk Committee must be approved only after a formal assessment of the member’s performance as a committee member has been undertaken. Continuity of knowledge and experience on the Audit and Risk Committee is integral to its operation. It is strongly recommended that membership renewal dates be staggered so significant knowledge is not lost to the Audit and Risk Committee. Ideally, no more than one (1) member should leave the Audit and Risk Committee because of rotation in any one (1) year. A Letter of Offer template can be downloaded from the References and Templates section of this procedure and should be used when appointing members to a NSW Health Organisation Audit and Risk Committee.

2.3 Independent Members

Independent members must be sourced from the NSW Treasury / Department of Finance, Services and Innovation’s Prequalification Scheme for Audit and risk committee independent chairs and members. For scheme details, including terms and conditions and remuneration, refer to the NSW Government Procurement Portal:


https://www.procurepoint.nsw.gov.au/before-you-buy/prequalification-schemes-0/audit-and-risk-committee-independent-chairs-and-members.

2.3.1 Eligibility to sit as an "Independent Member"

Independent Members must be selected from the NSW Treasury’s Government Pre-Qualification Scheme. NSW Health Board members registered with Treasury’s Pre-Qualification Scheme may serve as an Independent Member on an Audit and Risk Committee, provided the member has, prior to accepting the appointment:

• Consulted with their existing Board Chair (where Board governed) or Chief Executive (where Chief Executive governed) on any potential conflicts of interest issues, and

• Advised the proposed Audit and Risk Committee Chair of their existing NSW Health Board role.

Under Treasury’s Pre-qualification scheme, Independent Members may only sit on up to 5 public sector Audit and Risk Committees at any one time. Current employees of any NSW government sector agency, other than State Owned Corporations, cannot serve as members or chairs of an Audit and Risk Committee.

2.3.2 Appointment of Independent Member as Chair

The Chair of the Audit and Risk Committee must be appointed for one (1) term only for a period of at least three (3) years, with a maximum period of five (5) years. The term of appointment for the Chair can be extended, but any extension must not cause the total term to exceed five (5) years as Chair of the Audit and Risk Committee. A member registered on NSW Treasury’s Pre-qualification Scheme who is prequalified as a Chair may be appointed as Chair either prior to or subsequent to a term as a Member. However, the member’s total term as Chair must not exceed five (5) years, and the member’s total term on the Committee (inclusive of a term as Chair and a term as a Member) must not exceed a total of eight (8) years. For example, a member of the Prequalification Scheme might be appointed for an initial term of three (3) years as a Member and then be appointed as Chair of the Committee for a period of five (5) years, or vice versa. Attributes for a Chair of an Audit and Risk Committee include:

• Leadership qualities and the ability to promote effective working relationships in complex organisations

• An ability to communicate complex and sensitive assessments in a tactful and influential manner to Chief Audit Executives, Chief Executives, senior management, Board members and Ministers

• A sound understanding of:
  o The principles of good organisational governance and capacity to understand public sector accountability, including financial reporting
  o The business of the Ministry or statutory body or the environment in which it operates
  o Contemporary Internal Audit operations, including selection and review of Chief Audit Executives
  o Risk management principles and standards.


2.3.3 Support for Independent Members

Independent Members and Chairs are, by definition, external to the organisation and, as such, the NSW Health Organisation should provide the support necessary to assist them when commencing their roles. This could include:

• Providing a package of relevant information about the structure, function and role of the organisation and information relevant to the Audit and Risk Committee role within the organisation

• Participation in local induction and Board member induction sessions.

2.4 Audit and Risk Committee Members

2.4.1 Eligibility to sit as an Audit and Risk Committee member

• A Member of a NSW Health Organisation’s Audit and Risk Committee is to be nominated by the Board (where Board governed) or the Chief Executive (where Chief Executive governed)

• Board members are eligible to sit as an Audit and Risk Committee member

• A Board Chair, Chief Executive, Chief Audit Executive and finance and accounting officers of a NSW Health Organisation are not eligible for appointment to the Audit and Risk Committee. However, given their primary roles and accountabilities, they may be asked to attend Committee meetings to provide advice on matters related to their role or function of responsibility.

2.4.2 Skills and experience of Members

Members should possess skills, knowledge and experience that are relevant to, and which will enhance, the Committee’s operations. These may include:

• Financial literacy

• Broad operational and / or financial management experience

• Understanding of, or experience within, the public sector

• Understanding of the organisation’s operational responsibilities

• Familiarity with risk identification, evaluation and management

• Understanding of internal controls and compliance systems, including information technology systems

• Knowledge of applicable accounting and auditing standards, and major public sector reporting issues

• Familiarity with relevant legislative requirements

• Strong understanding of the roles of internal and external audit.

2.5 Remuneration, Insurance and other entitlements

2.5.1 Remuneration

Board members are not entitled to be remunerated for service on the Audit and Risk Committee of the same organisation. Remuneration rates for independent Chairs and members of Audit and Risk Committees are prescribed under the NSW Treasury Prequalification Scheme for Audit and Risk Committee Chairs and Members and administered by the Department of Finance, Services and Innovation. Further information may be obtained from the Director, Corporate Governance and Risk Management ([email protected]).

2.5.2 Insurance

Board Members, Directors and Officers of NSW Health Boards and Committees are covered by the Treasury Management Fund (TMF) in their capacity as members of such groups for certain ‘wrongful acts’ [4] committed during their period of cover. Audit and Risk Committee members are provided the same level of Director and Officer indemnity as NSW Health Organisation Board members.

2.5.3 Other entitlements

Any other claims for expenses should be in accordance with the normal requirements imposed on employees when claiming for work related expenses. Audit and Risk Committee Chairs and members can be reimbursed for the reasonable expenses incurred when travelling to and from meetings, provided that claims are supported by relevant receipts for expenditure. Appropriate expenditure for reimbursement includes public transport fares, taxi fares, parking fees, tolls, and use of the member’s own private vehicle. Where Audit and Risk Committee members are unable to travel to and from meetings within one day, the NSW Health Organisation, at its expense, should arrange travel and accommodation for the member. All travel, accommodation and other allowances must comply with the Public Sector Industrial Relations PSIR Circular (TC14/30) on Review of Meal, Travelling and Other Allowances.

2.6 Conduct

2.6.1 Codes of Conduct

Members of Audit and Risk Committees in NSW Health Organisations are “public officials” and are subject to the same Code of Conduct that applies to Health Service employees. Members must familiarise themselves with the NSW Ministry of Health Code of Conduct, which can be accessed here: http://www0.health.nsw.gov.au/policies/pd/2012/pdf/PD2012_018.pdf.

In addition to the Health Code of Conduct, Independent Members, as part of their pre-qualified appointment, are also required to comply with the Pre-qualification Scheme Code of Conduct: Audit and Risk Committee Chairs and Members, which can be accessed here: https://www.procurepoint.nsw.gov.au/scm2421. Members are also subject to the general principles of conduct that apply to public sector employees. In particular, these include:

• the Code of Conduct: Audit and Risk Committee Chairs and Members (http://www.treasury.nsw.gov.au/__data/assets/pdf_file/0017/25127/Code_of_Conduct_-_Audit_and_Risk_Committee_Chairs_and_Members.pdf)

• the Government Sector Core Values in section 7 of the Government Sector Employment Act 2013; and

• the Public Service Commission Code of Ethics and Conduct for NSW government sector employees (http://www.psc.nsw.gov.au/employmentportal/ethics-conduct/behaving-ethically/behaving-ethically-guide/section-2/the-code-of-ethics-and-conduct-for-nsw-government-sector-employees)

[4] A “wrongful act” is defined under the Treasury Management Fund Policy, and may include certain acts, omissions or misstatements while acting as a member of the Audit and Risk Management Committee. See the Treasury Management Fund Policy for exact coverage.

Prior to appointing or reappointing a Member, the NSW Health Organisation must conduct satisfactory probity checks on the candidate. These checks should include a National Criminal Record Check and Insolvency Check for each appointment.

2.6.2 Conflicts of Interest

The NSW Government Boards and Committees Guidelines set out the process and criteria for managing conflicts of interest and impose a duty on each Member to declare any interest that may impinge on a Board or committee decision. A conflict of interest may arise when a Member could be influenced by a personal or business interest, such as through a current or recent relationship which has the potential to create an actual or perceived conflict of interest. Examples include where a Member:

• Has been employed by a NSW Health Organisation in a senior management role or in a position that can exert influence over a service provider within the last three years

• Has performed any services, including advisory roles, for the NSW Health Organisation which directly affects the subject matter of the Audit and Risk Committee, within the last three years

• Has a material business or other contractual relationship (other than as a committee member) or any other direct financial interest or material indirect financial interest with the Health organisation, or a related organisation, which could reasonably be perceived to materially interfere with the Committee member’s ability to act in the best interests of the organisation

• Has acted as an advocate of a material interest on behalf of an organisation, or a related organisation, or currently is, or has been, engaged in litigation or in resolving disputes between the organisation and third parties

• Has an immediate or close family member who is employed in a senior management role of the organisation, or is employed in any other position which can exert direct and significant influence over the subject matter of the Audit and Risk Committee.

This is not an exhaustive list, but sets out the key relationships that must be avoided or declared and appropriately managed. The Chief Executive of the NSW Health Organisation must ensure adequate procedures are in place to preserve the independence of the Chair and the Independent Members of the Audit and Risk Committee.

2.7 Term

Excluding the Chair, Audit and Risk Committee Members are to be appointed for a minimum term of three (3) years with a maximum term of five (5) years. Appointment for any additional terms must not exceed a total appointment of eight (8) years. The term for the Chair of the Audit and Risk Committee is set out in 2.3.2 of this procedure. It is preferable to stagger renewal dates to reduce the potential for loss of knowledge during membership changeover. A member should only be renewed for a second term where the Chair of the Audit and Risk Committee and the Board (where Board governed) or Chief Executive (where Chief Executive governed) are satisfied with the member's performance.

2.8 Termination

The letter of appointment for the Chair and members should include a provision for removal or termination where the Chair or member:

• Becomes bankrupt or insolvent, enters into a scheme or arrangement with their creditors, or is placed under official management or receivership

• Fails to carry out their role and responsibilities with due diligence and competence

• Without reasonable cause suspends or breaches the terms of appointment

• Commits a substantial breach of the terms of appointment and / or the Codes of Conduct for Audit and Risk Committees and NSW Health

• Has a conflict or potential conflict of interest which will prevent them from performing their roles and responsibilities as members.

Prior to terminating the services of a Chair of an Audit and Risk Committee, the Board Chair (where Board governed) or Chief Executive (where Chief Executive governed) must notify the Deputy Secretary, Governance, Workforce and Corporate in the NSW Ministry of Health of the intention and reasons for the proposed termination. Only a Board Chair (where Board governed) or Chief Executive (where Chief Executive governed) may terminate a Member’s appointment. Any decision to terminate a Member’s appointment (other than the Chair) on the Audit and Risk Committee must be communicated to the Executive Director, Legal and Regulatory Services in the NSW Ministry of Health.

3 MODEL CHARTER AND AUDIT & RISK COMMITTEE OPERATIONS

3.1 Audit and Risk Committee Charter

The Audit and Risk Committee must meet at least four (4) times in each financial year, with additional meetings as necessary. The Chief Executive must ensure that the Audit and Risk Committee has a Charter that is consistent with the “Model Charter” in the References and Templates section of this procedure. The Model Charter sets out ‘common’ content for Audit and Risk Committee Charters. NSW Health Organisations may, where appropriate, include provisions in addition to those set out in the Model Charter, providing these do not conflict with the Model Charter. The Board (where Board governed) or Chief Executive (where Chief Executive governed) must approve the Audit and Risk Committee Charter and ensure it has been distributed to all members of the Audit and Risk Committee, including all new appointments, at the point of induction to the Committee. The Audit and Risk Committee must ensure that the Charter:

• Is formally reviewed by the Audit and Risk Committee at least annually to ensure its ongoing relevance, with recommendations for updates approved by the Board (where Board governed) or Chief Executive (where Chief Executive governed)

• Is sufficiently detailed and unambiguous

• Has clear guidance on key aspects of the Committee’s operations.

3.2 Audit and Risk Committee Operation

The Audit and Risk Committee operations are outlined in the “Model Charter”, which can be downloaded from the References and Templates section of this procedure. The Chair and members of the Audit and Risk Committee must establish and maintain an effective working relationship with management, including senior executives, and must seek to amicably resolve differences or concerns with management by way of open negotiation. Where a disputed matter cannot be resolved, the Chair of the Audit and Risk Committee may make an oral or written request to the organisation’s Board Chair (where Board governed) or Chief Executive (where Chief Executive governed). Where a disputed matter cannot be resolved locally, the matter is to be referred to the Secretary, NSW Ministry of Health. The Board (where Board governed) or Chief Executive (where Chief Executive governed), in consultation with the Chair of the Audit and Risk Committee, must ensure a mechanism is established to review and report on the Committee’s performance as a whole, and the performance of the Chair and each member of the Audit and Risk Committee, at least annually. The purpose of the review mechanism is to establish a robust quality assurance and improvement process that ensures the Audit and Risk Committee continues to deliver on its obligations. A Self-Assessment Checklist can be downloaded from the References and Templates section of this procedure. The Checklist is designed to be used to evaluate the effectiveness of the Audit and Risk Committee and its members. A Self-Assessment should be completed annually by the Chair in coordination with each member of the Committee and the Chief Audit Executive. The Checklist should be signed by the Board Chair (where Board governed) and the Chief Executive, with copies provided to each. A signed copy of the completed Self-Assessment Checklist for the Committee should be kept on record at the NSW Health Organisation for review.

4 RISK MANAGEMENT STANDARDS

All NSW Health Organisations are required to establish and maintain an enterprise-wide risk management framework that is consistent with the NSW Health Policy Directive - Risk Management Enterprise-Wide Policy and Framework.

5 INTERNAL AUDIT STANDARDS


5.1 Institute of Internal Auditors – Standards for Internal Auditing

The Chief Audit Executive must ensure that the Internal Audit function operates in accordance with the Institute of Internal Auditors “International Standards for the Professional Practice of Internal Auditing” (the IIA Standards). The IIA Standards, and related professional practice guidelines are available from the Institute of Internal Auditors website http://www.iia.org.au/.

5.2 Additional Requirements

The audit report is the key means of communicating the findings and recommendations of internal audit services. It is critical that all stakeholders have confidence in the accuracy and validity of audit findings, and that appropriate standards are applied to ensure that audit recommendations are prioritised, action-oriented and cost-effective to implement. In addition to the standards set out in the IIA Standards, the NSW Health Organisation must ensure that the Internal Audit function operates in accordance with the requirements for the reporting and monitoring of internal audit activities set out in this policy.

5.2.1 Audit Reports

The Chief Audit Executive must:

• Report to the Audit and Risk Committee on those Internal Audit findings and recommendations that are assessed to be significant using a risk based audit methodology consistent with the NSW Health Policy Directive - Risk Management Enterprise-Wide Policy and Framework

• Ensure that the Audit and Risk Committee has access to all Internal Audit findings and related recommendations, when required

• Develop and maintain procedures for the reporting of Internal Audit findings and recommendations in the organisation.

5.2.2 Risk Rating of Audit Findings

The Chief Audit Executive must ensure that the Internal Audit function adopts a risk based audit methodology for assessing and responding to audit findings, consistent with the NSW Health Policy Directive - Risk Management Enterprise-Wide Policy and Framework. The Audit and Risk Committee must approve the risk based audit methodology. Once approved, the methodology must be the basis for protocols relating to the reporting of audit findings, monitoring the implementation of agreed actions, and the follow-up of outstanding agreed actions. The Chief Audit Executive must ensure that audit findings are categorised and prioritised according to the risk they represent to the NSW Health Organisation using the NSW Health Risk Matrix. The Chief Audit Executive must ensure that risk categorisation is used to communicate the relative importance of risk rated findings to the Audit and Risk Committee, Board, Chief Executive and organisation management. The Audit and Risk Committee must review the audit findings and recommendations risk assessed as significant.

PD2016_051 Issue date: November-2016 Page 13 of 19

Page 21: Policy Directive - Ministry of Health · Document Number PD2016_051 Publication date 08-Nov-2016 Functional Sub group Corporate Administration - Governance Summary This Policy Directive

Internal Audit

PROCEDURES

5.2.3 Agreed Action Plans

Following appropriate consultation, the Chief Audit Executive must recommend a course of action for every audit finding and ensure that the recommended actions are referred to management for a formal management response. The Chief Executive must ensure that management prepares an ‘agreed action plan’ for every internal audit finding. The agreed action plan must assign a responsible position within the organisation for the implementation of the agreed action plan. Consideration should also be given to recording actions in the organisation’s risk register, where warranted. Management has the right to reject the recommended actions on reasonable grounds. Agreed timeframes for response to an Internal Audit report should be reasonable in the circumstances. Where agreement on an action plan cannot be reached, the Chief Audit Executive must report to the Audit and Risk Committee on the particular areas of concern related to the audit, audit findings and / or recommendations. The following better practice standard timeframes can be used as a guide for implementing the agreed action plan:

• Actions to address high risk findings specify an agreed implementation timeframe between one (1) and three (3) months

• Actions to address medium risk findings specify an agreed implementation timeframe between three (3) and six (6) months

• Actions to address low risk findings specify an agreed implementation timeframe between six (6) and twelve (12) months.

5.2.4 Monitoring of Agreed Action Plans

The Chief Audit Executive must establish and maintain a system to monitor and follow up progress of agreed action plans. The Chief Executive must ensure that management implements all agreed actions within the agreed timeframes. To facilitate this, the Chief Executive must ensure that management monitors the progress of, and reports on, the implementation of ‘agreed action plans’ to both the Audit and Risk Committee and the Board (where Board governed). The Chief Audit Executive must, on advice from the Audit and Risk Committee, monitor progress in implementing the ‘agreed action plans’ by undertaking follow-up audits or reviews based on the risks posed to the organisation if the agreed actions are not implemented in a timely manner, and report on their progress to the Audit and Risk Committee. Where the Audit and Risk Committee is not satisfied with progress in the implementation of the agreed actions, it must refer its concerns to the Chief Executive so that management is made fully aware of the risks posed to the organisation.

5.2.5 Internal Audit Manual

The Chief Executive, in consultation with the Audit and Risk Committee, must ensure that the Chief Audit Executive develops and maintains an Internal Audit Manual for the Internal Audit function. Where the Internal Audit function is established using an outsourced service delivery model, the Chief Audit Executive must ensure that the contract for internal audit services specifies that the contractor will:

• Be consulted in the development and/or maintenance of the Internal Audit Manual

• Apply audit methodologies that accord with the IIA Standards

• Make the audit methodologies used accessible to the organisation (subject to any licensing or other restrictions that may be in place).

The Audit and Risk Committee must approve the Internal Audit Manual after ensuring that, as a minimum, the manual is consistent with the professional practices set out in the IIA Standards. It should cover the following structural elements:

1. General Policies and Standards:
• Audit Charter
• Audit Standards and Guiding Principles
• Audit and Risk Committee Charter.

2. Personnel:
• Personnel
• Time Usage Analysis (all internal audit functions should have a time recording system).

3. Audit Planning:
• Planning
• Strategic Audit Plan
• Annual Audit Plan
• Field Audit Plan
• Calendar of Events.

4. Audit Methodology:
• The Audit Cycle - Summary
• Risk and Control Analysis (RACA)
• Audit Programs (audit programs developed by the NSW Health Audit Working Party (HAWP) can be downloaded from Section 6 References and Templates of this procedure)
• Working Papers - General
• Current Working Papers
• Audit Reports
• Working Paper Review
• Audit Sampling.

5. Ongoing Audit Engagements and Development Audits:
• Audit Objectives
• Audit Approach.

6. Engagement Evaluations and Performance Reviews:
• Performance Reviews.

7. Quality Assurance Improvement Program:
• IIA Professional Standards.

8. Management of Investigations:
• Processes for managing and reporting investigations.

5.2.6 Records Retention

The Chief Executive must ensure policies and procedures for the retention, storage and management of internal audit documentation are developed and maintained in accordance with the State Records Act 1998 and record disposal authorities approved under that Act. All internal audit documentation is to remain the property of the NSW Health Organisation, including where the internal audit services are performed by a contractor.

REFERENCES AND TEMPLATES

The following documents are available on the NSW Ministry of Health Corporate Governance and Risk Management Unit Intranet site at http://internal.health.nsw.gov.au/cgrm/

5.3 Model Internal Audit Charter

5.4 Model Charter for the Audit and Risk Committee

5.5 Internal Audit and Risk Management Attestation Statement

5.6 Internal Audit Programs developed by Health Audit Working Party (HAWP)

5.7 Audit and Risk Committee Self-Assessment Checklist

5.8 Audit and Risk Committee Letter of Offer Template

6 OTHER USEFUL REFERENCES:

NSW Policy Directives/Manuals:

• Code of Conduct PD 2015_035 http://www0.health.nsw.gov.au/policies/pd/2015/PD2015_035.html

• Risk Management Enterprise Wide PD2015_043 http://www0.health.nsw.gov.au/policies/pd/2009/PD2015_043.html

• Combined Delegations Manual http://www.health.nsw.gov.au/policies/manuals/Pages/combined-delegations.aspx

• Corporate Governance and Accountability Compendium http://www.health.nsw.gov.au/policies/manuals/Pages/corporate-governance-compendium.aspx

• Protecting People and Property - NSW Health Policy and Standards for Security Risk Management in NSW Health Agencies http://www.health.nsw.gov.au/policies/manuals/Pages/protecting-people-property.aspx

• Performance Framework http://www.health.nsw.gov.au/Performance/Pages/frameworks.aspx


• NSW Treasury, TPP 15-03 Internal Audit and Risk Management for the NSW Public Sector, 2015.

• NSW Treasury, TPP 12-03 Risk Management Toolkit for NSW Public Sector Agencies, 2012.

• NSW Treasury, TPP 12-04 Guidance on Shared Arrangements and Subcommittees for Audit and Risk Management Committees, 2012.

• Prequalification Scheme: Audit and Risk Management Committee Independent Chairs and Members Scheme Conditions.

• NSW Public Sector Audit and Risk Practitioner Network.

• Australian National Audit Office (ANAO), Public Sector Internal Audit: An Investment in Assurance and Business Improvement, Better Practice Guide, 2012.

• The Australian Institute of Company Directors and The Institute of Internal Auditors, Audit Committees: A Guide to Good Practice, 2012.

Key Legislation:

• Health Services Act 1997 http://www.legislation.nsw.gov.au/maintop/view/inforce/act+154+1997+cd+0+N

• Public Finance and Audit Act (NSW) 1983.

• Annual Reports (Departments) Act (NSW) 1985.

• Annual Reports (Statutory Bodies) Act (NSW) 1984.

• State Records Act (NSW) 1998.

Professional Standards:

• Institute of Internal Auditors (IIA), International Standards for the Professional Practice of Internal Auditing (Standards), 2012.

• Institute of Internal Auditors (IIA), Introduction to the Code of Ethics.

• Institute of Internal Auditors (IIA), The Internal Audit Function.

• Institute of Internal Auditors (IIA), The Role of Internal Auditing in Enterprise Wide Risk Management, 2009.

• International Standards, ISO 31000:2009 Risk Management: Principles and Guidelines.

• International Professional Practices Framework (IPPF), 2013.


Attachment 1: Implementation Checklist

NSW Health Organisation:

Assessed by: Date of Assessment:

IMPLEMENTATION REQUIREMENTS (for each requirement, record one of: Not commenced / Partial compliance / Full compliance)

1. An Audit and Risk Committee (ARC) and internal audit function is established and maintained in line with the NSW Health Internal Audit Policy Directive, and is approved by the Board (where governed) and Chief Executive.

Notes:

2. The ARC function is established through the appointment of a Chief Audit Executive and the appointment of an independent ARC Chair and members, in line with this policy.

Notes:

3. The functions of the ARC have been actioned and include:

3.1. Induction training for ARC members

3.2. Clear understanding of the lines of accountability to the Chief Executive and Board (where Board governed)

3.3. Agreed Internal Audit Charter

3.4. Agreed Charter for the Audit and Risk Committee

3.5. Established Annual Calendar of Events for the ARC

3.6. Established process for monitoring and reviewing risks and controls through to the Board (where Board governed) and Audit and Risk Committee

3.7. Process for establishing and approving the annual IA workplan

3.8. Process for reviewing the IA workplan

3.9. Undertaking ARC self-assessment

3.10. Annual reporting to the Ministry on the ARC Attestation Statement.

Notes:

4. The annual Audit and Risk Management workplan has been endorsed by management, the Chief Executive, and the Board (where Board governed).

Notes:

5. Chief Audit Executive ensures IA professional standards are maintained.

Notes:

6. Recommendations arising from Internal Audit's audits and investigations are actioned, and recommendations arising from audits undertaken by Oversight Agencies (including ICAC and the NSW Audit Office) that are referred to the health organisation are completed.

Notes:


7. Risks in the organisation's risk register are reviewed and reported to the ARC, and action is taken to report to the Chief Executive where the state of risk mitigation is itself considered a risk for the organisation.

Notes:

8. The organisation attests to its level of compliance each year through the provision of its Audit and Risk Management Attestation Statement.

Notes:
