Better Practice Guide September 2007
Public Sector Internal Audit
AN INVESTMENT IN ASSURANCE AND BUSINESS IMPROVEMENT
ISBN No. 0 642 809882 8
© Commonwealth of Australia 2007
COPYRIGHT INFORMATION
This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be
reproduced by any process without prior written permission from the Commonwealth.
Requests and inquiries concerning reproduction and rights should be addressed to the Commonwealth
Copyright Administration, Attorney-General’s Department, Robert Garran Offices, National Circuit,
Canberra ACT 2600
Questions or comments on the Guide may be referred to the ANAO at the address below.
The Publications Manager
Australian National Audit Office
GPO Box 707
Canberra ACT 2601
Email:
Website:
Foreword
The responsibilities of internal audit vary considerably across public sector entities, as do
internal audit organisational arrangements and the way internal audit services are delivered.
This is to be expected, given the nature, size and complexity of the public sector.
It is our experience that better practice entities consider an appropriate level of investment in
internal audit to be an essential business decision. These entities recognise a well resourced
and effective internal audit function can play a key role in its governance arrangements.
By providing assurance on the effectiveness of an entity’s internal control environment and
identifying opportunities for performance improvement, internal audit can make a valuable
contribution to achieving an entity’s objectives.
This Guide updates and replaces the Guide issued by the ANAO in 1998. While many of
the principles remain the same, the role of internal audit has continued to evolve over time,
and this Guide incorporates practices and considerations of a better practice internal audit
function in a contemporary public sector environment. Consistent with other elements of
public sector administration, the roles and responsibilities of internal audit, together with
the skills and qualifications of internal audit staff, should be determined within the context
of each entity’s governance and risk profile.
The aim of the Guide is to provide guidance relevant to public sector entities operating
under both the Financial Management and Accountability and the Commonwealth
Authorities and Companies Acts. As with all the ANAO’s Better Practice Guides, each
entity is encouraged to use the Guide to identify, and apply, better practice principles and
practices that are tailored to its particular circumstances.
The Guide complements the ANAO’s Better Practice Guide Public Sector Audit Committees
issued in February 2005, and is intended as a reference document for Chief Executives,
Boards, members of Audit Committees, managers with responsibility for internal audit
activities, and internal audit staff.
Ian McPhee
Auditor-General
Contents
Foreword
Part 1
1. Introduction
1.1 Coverage
1.2 Common terminology
1.3 Key characteristics of a better practice internal audit function
1.4 Structure of the Guide
1.5 Acknowledgements
Key characteristics of a better practice internal audit function
2. Roles and responsibilities of internal audit activities
2.1 Introduction
2.2 The purpose of internal audit
2.3 Internal audit independence
2.4 Internal audit standards and values
2.5 Determining the role of internal audit
2.6 The internal audit charter
2.7 Contents of a better practice internal audit charter
3. Planning internal audit activities
3.1 Introduction
3.2 Internal audit strategic business plan
3.3 Purpose of an internal audit strategic business plan
3.4 Developing a strategic business plan
3.5 Contents of a better practice internal audit strategic business plan
3.6 Internal audit annual work plan
3.7 Developing a better practice internal audit annual work plan
3.8 Contents of an internal audit annual work plan
3.9 Costing of individual audits
3.10 Amendments to the annual work plan
3.11 Timing of audit planning
4. Relationships with key stakeholders
4.1 Introduction
4.2 Internal Audit and the Chief Executive
4.3 Internal audit and the Board
4.4 Internal Audit and the Audit Committee
4.5 Internal audit and management
4.6 Internal audit and the external auditor
4.7 Internal audit and other review activities and external bodies
4.8 Internal audit and professional bodies
5. Resourcing the internal audit function
5.1 Introduction
5.2 Internal audit budget
5.3 Service delivery models
5.4 Issues to consider in deciding the appropriate delivery model
5.5 Service provider panel arrangements
5.6 Management of a co-sourced or outsourced function
5.7 Head of Internal Audit
5.8 Resourcing the internal audit unit
6. Efficient and effective work practices
6.1 Introduction
6.2 Internal audit manual
6.3 Managing the internal audit process
6.4 Audit reporting
6.5 Audit report recommendations
6.6 Monitoring recommendations
7. Performance assessment and quality assurance
7.1 Introduction
7.2 Measuring internal audit performance
7.3 Measurement techniques
7.4 Internal audit annual performance report
7.5 Quality assurance
Part 2
Model Internal Audit Charter
Part 3
Example internal audit strategic business plan and annual work plan
Example list of contents – internal audit manual
Example internal audit protocol
Pro-forma internal audit annual work plan progress report
Pro-forma Implementation of recommendations progress report
Example key performance indicators
Example client survey questionnaire
Example audit committee internal audit questionnaire
Example internal audit self-review questionnaire
References
Index
Part 1
1  Introduction
Public sector managers operate in an increasingly complex and challenging environment. This, in
part, reflects the increasing demands and expectations of the community, government and the
Parliament. Public sector managers have a range of resources and mechanisms available to assist
them to meet their responsibilities[4] within this environment.
In both the public and private sectors, internal audit has long been recognised by better practice
entities as a valuable resource and entities have given the internal audit function a key role in their
governance arrangements. In doing this, organisations recognise that internal audit is one of a number
of internal assurance and business review type activities that should operate in a coordinated and
complementary manner to the benefit of the organisation. These other activities include management
monitoring, evaluations, quality assurance and control self-assessment arrangements, that are all
designed to provide confidence and assurance to Chief Executives and/or Boards that management
is meeting its responsibilities and the entity is achieving its objectives.
Better practice entities also recognise that internal audit should:
• be operationally independent: that is, internal audit is independent from the activities subject to audit
• have the visible and active support of the Chief Executive and/or Board, the Audit Committee and senior management
• have well defined roles, responsibilities and audit plans that are aligned with the entity’s risk profile
• have effective relationships with all stakeholders
• be properly resourced to enable it to meet its responsibilities
• adhere to specified professional standards
• have efficient and effective work practices
• be fully accountable for its performance, and
• be subject to periodic review.
1.1  Coverage
The principles and considerations outlined in this Guide are generally applicable to all public sector
internal audit functions, irrespective of the particular delivery model[5] adopted by the entity to provide
internal audit services.
1.2  Common terminology
For ease of reference and presentation, the following terms are used in this Guide.
‘Chief Executive’ is used for the majority of entities subject to the Financial Management and
Accountability Act 1997 (FMA Act) where responsibility and accountability rests with the head of
the entity.
The term ‘Board’ is used for entities where a Board is appointed as the governing body of the entity,
as is generally the case with entities subject to the Commonwealth Authorities and Companies
Act 1997 (CAC Act).
[4] Under the Financial Management and Accountability Act 1997 the Chief Executive is responsible for managing the affairs
of the entity in a way that promotes the efficient, effective and ethical use of Commonwealth resources for which the Chief
Executive is responsible. Under their enabling legislation, the Boards of Commonwealth authorities and companies subject
to the Commonwealth Authorities and Companies Act 1997 are generally similarly responsible for the efficient and effective
use of Commonwealth resources.
[5] These are discussed in Chapter 5.










‘Head of Internal Audit’ is used to describe the person responsible for the management of the internal
audit function. Depending on the circumstances, the Head of Internal Audit can be an employee of
the entity, a partner, director or senior employee of an external service provider[6].
‘Audit activities’ consist of:
• internal audits: including reviews of entity policies, programmes, operations, internal controls, management information, governance frameworks and IT systems, and
• advisory services: including advice to management regarding existing, new or revised processes, procedures and IT systems[7], risk management and fraud control facilitation, coordination and training, observer status on management committees and the provision of other formal or informal advice. In conducting these services, internal audit does not assume management responsibilities.
‘Internal audit support activities’ are activities associated with internal audit or managing the internal
audit function including: developing the internal audit strategic business plan and internal audit annual
work plan; providing support services to the Audit Committee; monitoring the implementation of
agreed internal and external audit report recommendations and those of Parliamentary Committees
and other bodies;[8] internal audit staff management and training and liaison with the external auditor.
‘Non-audit activities’ are activities where internal audit undertakes management responsibilities
including: membership of management committees; the formulation of risk management and fraud
control plans; and the conduct of fraud investigations.
‘Type of audit’ is a means of classifying the primary focus or orientation[9] of an internal audit. The two
types of audit referred to in this Guide are:
• compliance: that the operations under review are complying with legislative requirements, government or entity policy and procedures, and systems of internal control, and
• performance improvement: aimed at improving the efficiency and effectiveness of the programme or operations under review.

1.3  Key characteristics of a better practice internal audit function
Characteristics of a better practice internal audit function are outlined on the following page.
1.4  Structure of the Guide
The Guide is divided into the following three parts:
Part 1 Better practice principles and considerations.
Part 2 Model internal audit charter.
Part 3 Internal audit toolkit.
1.5  Acknowledgements
The ANAO appreciates the assistance provided by MKL Consulting in preparing the Guide. In
addition, many entities and individuals contributed to the development of the Guide. These included
Chief Executives, chairs and members of a number of public sector audit committees, Heads of
Internal Audit as well as a number of people in the internal auditing and accounting professions, and
private sector organisations.
[6] Where the Head of Internal Audit is not an employee of the entity, arrangements need to be put in place to ensure relevant
public sector financial and other legal requirements are met.
[7] Also known as ‘systems under development’ audits.
[8] These include the Management Advisory Committee, the Ombudsman and the Australian Public Service Commission.
[9] In practice, audits will often have more than one focus and there are a number of other terms in use to classify audits. For example,
‘compliance’ audits can be called ‘assurance’ audits, and ‘performance improvement’ audits called ‘performance’ audits.




Key characteristics of a better practice internal audit function
A better practice internal audit function is distinguished by the following key characteristics:
1. Is operationally independent: that is, internal audit is independent from the activities
subject to audit.
2. Is appropriately positioned in the entity’s governance framework to ensure the work
of internal audit complements the work of other internal and external assurance and
review providers.
3. Has a well developed business strategy that clearly articulates internal audit’s future role
and responsibilities.
4. Is business focused and has audit plans that are comprehensive and balanced, and are
linked to the risks in the entity.
5. Has the confidence of key stakeholders including the Chief Executive, the Board
(if applicable), the Audit Committee and senior management.
6. Undertakes all audits in accordance with specified auditing standards.
7. Has sufficient financial resources and access to internal audit staff with the necessary
skills, experience and personal attributes to achieve what is expected of internal audit.
8. Provides internal audit reports and other services, based on efficient and effective work
practices, that are valued by stakeholders.
9. Provides an annual assessment, based on internal audit work undertaken, of
the effectiveness of the entity’s system of internal controls.
10. Advises the Audit Committee and entity management of patterns, trends or systemic
issues arising from internal audit work.
11. Facilitates communication between external audit and entity management.
12. Disseminates lessons learnt arising out of its work to relevant areas of the entity.
13. Regularly informs the Audit Committee of progress in the implementation of agreed
internal and external audit and other relevant report recommendations.
14. Actively manages any external service providers, and
15. Is subject to periodic assessment and review as part of a continuous
improvement process.
2  Roles and responsibilities of internal audit activities
2.1  Introduction
Internal audit is an integral part of the broad corporate governance framework that entities establish
to manage risks and achieve corporate objectives.
It is important that the position internal audit occupies in the governance framework and the role
it plays is determined by the particular assurance needs of the entity and its preferred governance
framework, now and in the foreseeable future.
2.2  The purpose of internal audit
Internal audit[10] provides an independent and objective review and advisory service to:
• provide assurance to the Chief Executive and/or Board that the entity’s financial and operational controls designed to manage the organisation’s risks and achieve the entity’s objectives, are operating in an efficient, effective and ethical manner, and
• assist management in improving the entity’s business performance.
2.3  Internal audit independence 
A distinguishing feature of internal audit is its independence. Internal audit is independent in the sense
that it is independent of the activities it audits. This independence, best described as ‘operational
independence’, assists in ensuring that internal audit acts in an objective, impartial manner free from
any conflict of interest or inherent bias or undue external influence.
However, internal audit is not independent of the organisation in the same way as the external audit
function. It provides a service to management, reports to the Audit Committee and is accountable to
the Chief Executive or the Board for the achievement of its objectives and the use of its resources.
A number of practical measures can be taken to reinforce internal audit operational independence.
These include:
• internal audit reporting functionally to the Audit Committee and being accountable to the Chief Executive of an FMA Act entity, or to the Board of a CAC Act entity
• the Head of Internal Audit having direct access to the Chief Executive and/or the Chair of the Board, and the Chair and other members of the Audit Committee
• periodic ‘in camera’ meetings between the Head of Internal Audit and the Audit Committee
• any change to the position of the Head of Internal Audit, or an external service provider, being approved by the Chief Executive (or the Board, in the case of a CAC Act entity) in consultation with the Audit Committee, and
• ensuring that internal audit has no management responsibilities[11] that conflict with its primary role.
[10] The Institute of Internal Auditors defines internal audit as:
‘an independent, objective assurance and consulting activity designed to add value and improve an organization’s
operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control, and governance processes.’
The Institute of Internal Auditors, Professional Practices Framework (The International Standards for the Professional Practice
of Internal Auditing), July 2006 p.1.
[11] Where internal audit is allocated executive or line management responsibilities, appropriate safeguards should be in place to
ensure such responsibilities can be reviewed objectively.








Internal audit independence is reinforced by specifying these arrangements in an internal audit charter.
Reporting lines
As noted above, independence is enhanced where internal audit reports functionally to the Audit
Committee[12]. In the case of an FMA Act entity, it is better practice for the Head of Internal Audit to
be accountable to the Chief Executive. Similarly, in the case of a CAC Act entity, the Head of Internal
Audit would be expected to be accountable to the Board[13] or a delegate of the Board, such as the
Chair of the Audit Committee[14].
These reporting lines are illustrated below.
Figure 1:  Reporting lines for FMA and CAC entities
Note: Many entities have established an executive board or committee to assist the Chief Executive
in managing the entity.
The extent to which the Chief Executive or Board may wish to delegate some or all of their
administrative responsibilities to a senior executive in the entity is a matter to be determined by each
Chief Executive or Board. When administrative responsibility for internal audit is delegated, it should
be to a senior manager who demonstrates a commitment to the internal audit function and has, to the
extent possible, no actual or perceived conflict of interest. It is generally recognised that, because the
audit of financial systems and controls will generally feature prominently in internal audit coverage and
the Chief Financial Officer (CFO) commonly has a prominent role in determining budget allocations,
assigning responsibility of the internal audit function to the CFO creates an actual or perceived conflict
of interest. In any case, the reporting arrangements should always provide for the Head of Internal
Audit to have direct access to the Chief Executive or Board.
[12] However, there may be occasions when the Chief Executive or Board needs to be alerted quickly if there is an urgent major
issue. This can be done directly or through the Chair of the Audit Committee.
[13] In cases where the entity is headed by an individual, it would be expected that the Head of Internal Audit would be
accountable to that person.
[14] With direct access to the Chair of the Board, as necessary.
[Figure 1 diagram labels: FMA Act agency: Chief Executive Officer (Note), Audit Committee, Administrative Delegate, Head of Internal Audit. CAC Act Entity: Board, Audit Committee, Administrative Delegate, Head of Internal Audit.]
2.4  Internal audit standards and values
Standards
While there is no legislative or policy requirement for internal audit in the Australian Government to
comply with any particular professional standard, it is important that internal audit work is conducted
in accordance with recognised professional standards. Such standards assist in:
• providing confidence in the quality and consistency of the work that has been conducted
• guiding the work of auditors
• delivering auditing services in an effective and efficient way, and
• establishing standards and benchmarks against which to measure the performance of internal audit.
There are a number of standards that can guide the work of the internal audit function. The most
recognised standard is the Professional Practices Framework of the Institute of Internal Auditors (IIA).[15]
Other standards that may have application are the Australian Auditing Standards (ASAs), Auditing
and Assurance Standards (AUSs), standards issued by the Information Systems Audit and Control
Association (ISACA), Standards Australia and the International Standards Organisation (ISO).
Values
Australian Public Service and supporting entity values can also be relevant to the work of internal
audit and the conduct of internal audit staff, and should be specified in the internal audit charter,
where relevant.
Entities should determine which standard(s) and values must be complied with and specify them
in the internal audit charter[16].
2.5  Determining the role of internal audit 
“We will make an impact when we understand and anticipate stakeholder needs, use our core
competencies to highlight weaknesses in a timely manner and provide meaningful recommendations that
solve the ‘big problems’.” Public Sector Head of Internal Audit
An important decision for each entity to make is deciding what role internal audit should play as part
of its governance framework[17]. Generally, this should be considered in the context of:
• organisational and environmental factors, and
• specific internal audit considerations.
[15] The Institute of Internal Auditors, Professional Practices Framework (The International Standards for the Professional Practice
of Internal Auditing), July 2006. Many internal auditors working in the Australian Government or for private sector service
providers are members of the IIA. They are required by their membership to comply with standards issued by the IIA, to the
extent that they are not inconsistent with the law.
[16] To encourage compliance with the adopted standards, consideration should be given to a form of certification on completion
of each audit report, that the audit has been conducted in accordance with the specified standards. Reference to the
standard(s) to be complied with should also be included in the internal audit charter, any contract with a third party provider,
and details included in an internal audit manual.
[17] Some entities, for instance, see merit in combining the internal audit function with other activities such as risk management
and fraud control. This can result in work areas being known by such titles as Risk Management and Assurance, Audit and
Investigations, Governance and Assurance, and Assurance and Risk.






Organisational and environmental factors
Internal audit is one of a number of assurance and review functions or activities in many entities. Other
internal assurance and review elements of this framework can include management monitoring,
evaluations, business improvement reviews, risk management processes, quality assurance
arrangements and management control self-assessment arrangements.
This framework is illustrated below.
Figure 2:  Internal assurance and review framework
To maximise the effectiveness of internal audit, it is important that its role is considered in the context
of other assurance and business review functions so that internal audit complements, rather than
duplicates, the responsibilities of others. It is equally important to ensure that the role of internal audit
is not displaced by these other functions or that, to the extent possible, there are no significant gaps
in the entity’s assurance and review framework.
One of the factors that will influence the role allocated to internal audit compared to those allocated
to other assurance and review functions is the importance the entity places on assurance and
review generally and independent assurance activities specifically. This is likely to be influenced to
some extent by the maturity of the other assurance and review functions and also by the culture
of the entity.
Another factor to consider in determining the role of internal audit is the role other specialist assurance
functions and business improvement advisors play in an entity. For example, there may be a need
for a specialist risk management unit and/or a unit responsible for fraud control and investigation.
This will be influenced, in part, by the nature of the business and its risks, including, for example, the
degree of external regulation, industry standards and norms, the risk of internal or external fraud and
the scale and nature of entity operations. Entities will, therefore, need to consider how well equipped
internal audit is to meet entity requirements for specialist assurance and advice.

[Figure 2 diagram labels: Comprehensive Assurance; Evaluations; Quality Assurance; Management Control Self-Assessment; Business Improvement Reviews; Internal Audit; Management monitoring; Risk Management.]
Whatever role is decided for internal audit, entities should ensure that the operational independence
of the internal audit function is not compromised by allocating it management responsibilities
that conflict with its primary roles. In situations where internal audit undertakes management
responsibilities, appropriate safeguards should be put in place to address any resultant conflict of
interest. Internal audit’s effectiveness should also be safeguarded by ensuring that its resourcing is
commensurate with its responsibilities.
Specific internal audit considerations
In deciding on the activities internal audit will undertake, it is better practice to consider the
following factors:
• the types of audits it will conduct
• the advisory services it will provide
• internal audit support activities
• any non-audit activities, and
• internal and external audit responsibilities.
These matters are discussed in more detail below.
Types of audits
The classification of audits based on identifying the primary orientation or focus of an audit is a useful
way for the Audit Committee to assess the balance of the proposed internal audit plan. Within the
broad framework of the provision of assurance services, internal audits are classified in this Guide as
either audits with a compliance orientation, or a performance improvement orientation.
In classifying audits, it is recognised that individual audits will often have multiple objectives that
are designed to provide, for example, assurance regarding compliance, as well as to identify
business improvement opportunities. In addition, whatever the particular focus or objective of
individual audits, internal audit should always be alert to opportunities to optimise controls, identify
non-compliance, and improve business performance in the conduct of its work. The two types of
audits referred to above are discussed below.
Compliance audits
Under public sector governance arrangements management is responsible for:
• complying with relevant legislation and government and entity policy requirements
• designing, operating, and monitoring business processes to achieve the organisation’s objectives, and
• identifying risks that might prevent the entity from achieving its objectives, and developing, implementing and monitoring controls to manage those risks.
It is generally accepted that a key role of internal audit is to review an entity’s systems of internal
control and provide independent assurance to the Chief Executive or Board, through the Audit
Committee, that an entity’s internal controls[18] are adequate and effective. This can include activities
such as providing assurance over compliance with legislative requirements, government and entity
policies, assessing the accuracy and integrity of management information, reviewing compliance
with procurement and contracting requirements and adherence to ethical standards.
[18] Particularly financial system controls.








Entities should ensure that the operational independence of the internal audit function is not
compromised by allocating it management responsibilities that conflict with its primary roles.
Internal audit’s effectiveness should also be safeguarded by ensuring that its resourcing is
commensurate with its responsibilities.
Given that most entities depend heavily on IT systems to support the delivery of programmes or
assist public service administration, internal audit could also be expected to provide assurance that
the controls over such systems are both well designed and are operating effectively.
Examples of audits that fall under the broad category of ‘compliance audits’ are discussed below.

Certificate of Compliance
Commencing from 2006-2007, Chief Executives and Boards of entities subject to the FMA Act and
the CAC Act report annually on the financial management and sustainability of the entity, including
compliance with the FMA Act or CAC Act by providing a completed Certificate of Compliance to the
responsible portfolio minister each year [19].
It is expected that Chief Executives and Boards will have processes and controls in place to
provide reasonable confidence that the entity is complying with the requirements of the financial
management framework. Normally these processes and controls are likely to be an extension of
existing governance processes that provide assurance to Chief Executives and Boards that financial
and other controls are operating effectively.
Internal audit could usefully play a number of roles in relation to the Certificate of Compliance. For
example, internal audit could conduct a series of compliance reviews on key elements of the control
framework such as specific financial controls, management control self-assessment processes, if
applicable, or programme controls. Alternatively, or in addition, the Chief Executive/Board may prefer
regular, say, quarterly, or annual confirmation that the overall compliance framework can be relied on
to provide the required certification.
Periodic assessment of the effectiveness of systems of internal control
Another role that internal audit can play is the preparation of a periodic, say annual, assessment of
the effectiveness of an entity’s systems of internal controls based on the results of the internal audit
work conducted during the period. Internal audit usually conducts a number of audits each year
that assess the effectiveness of the internal controls operating in a range of individual financial or
business processes - such as payroll, grant acquittals, procurement or IT applications. The results of
individual audits are reported to the Audit Committee at the conclusion of each internal audit. Better
practice internal audit functions are, however, increasingly being tasked with providing the Audit
Committee with an annual overall assessment, based on the internal audit coverage undertaken,
of the adequacy and effectiveness of an entity’s internal controls and any systemic issues that may
have arisen from the internal audit activity completed. Such an assessment can be used by the Chief
Executive and/or Board and the Audit Committee in forming a view about how much confidence
they can have in the entity’s control environment and any systemic issues that need management
attention. As a minimum, internal audit should be collating the results of individual audit assignments
and providing a periodic summary report to the Audit Committee on audit findings and identifying
any systemic issues.
Internal audit can also be well placed to undertake an analysis of the results of reviews conducted
by other internal and external assurance providers. This might include reports on the results of
reviews such as compliance with its service charter, the results of control self-assessment reviews,
the findings from quality assurance reviews, and the results of IT system control monitoring or
occupational health and safety reviews. Providing a report in this way can assist the entity to address
any “silo effect” arising out of the work of different assurance providers and assist in identifying
systemic issues arising out of the range of assurance work that is commonly conducted in entities.
This whole-of-entity perspective on the assurance risks facing the organisation and how well they
are being managed could be used to further help inform risk identification and any necessary
management action.
[19] See Finance Circular 2006/8 for FMA Act agencies and Finance Circular 2006/11 for CAC Act bodies.
Such periodic reports are not a substitute for regular management reporting and the cost-effectiveness
of preparing such reports should be taken into account as part of any decision to task internal audit
with their preparation.
Continuous auditing
The widespread use of major IT systems for processing payments and receipts, and a desire by
internal audit to be increasingly pro-active, is leading a number of better practice entities to consider
opportunities of moving towards a process of continuous auditing. Under such an approach major
IT systems are interrogated on a regular and frequent basis, even daily, with the aim of identifying
anomalies or transactions that are outside pre-determined parameters that justify further examination.
The opportunity exists for such systems to be established by internal audit and over time, transferred
to management with internal audit being responsible for reviewing management’s actions in response
to any anomalies identified.
In deciding if a continuous auditing approach is appropriate for an individual entity, consideration
should be given to the costs and benefits involved and the capabilities required.
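The daily interrogation described above, as an added example that is not part of the Guide: a constructed payments extract is checked against assumed pre-determined parameters, and flagged items are tracked until management records a response, which is the list internal audit would review. All field names, thresholds, rule names and records are hypothetical.

```python
"""Daily continuous-auditing run over a payments extract (added illustration)."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed sample extract; every record and field name is hypothetical.
SAMPLE_EXTRACT = """\
txn_id,pay_date,supplier_id,invoice_no,amount,creator,approver
T001,2007-09-03,S100,INV-5001,1200.00,bwong,alee
T002,2007-09-03,S200,INV-7310,48000.00,bwong,alee
T003,2007-09-04,S100,INV-5001,1200.00,bwong,cng
T004,2007-09-08,S300,INV-0042,300.00,dkhan,alee
T005,2007-09-05,S400,INV-0911,950.00,bwong,bwong
T006,2007-09-05,S500,INV-3307,12x.50,dkhan,alee
"""

# Pre-determined parameters. Assumed values: an entity would derive its own
# from its financial delegations and payment policies.
APPROVAL_LIMIT = Decimal("25000.00")
BUSINESS_WEEKDAYS = range(0, 5)  # Monday=0 .. Friday=4


@dataclass(frozen=True)
class AuditException:
    txn_id: str
    rule: str
    detail: str


def run_checks(extract_text):
    """Return the exceptions that justify further examination, in file order."""
    exceptions = []
    first_seen = {}  # (supplier_id, invoice_no) -> txn_id of the first payment
    for row in csv.DictReader(io.StringIO(extract_text)):
        txn = row["txn_id"]
        try:
            amount = Decimal(row["amount"])
            paid_on = date.fromisoformat(row["pay_date"])
        except (InvalidOperation, ValueError):
            # An unreadable record is itself an anomaly; never skip it silently.
            exceptions.append(
                AuditException(txn, "DATA_QUALITY", "unparseable amount or date"))
            continue
        if amount > APPROVAL_LIMIT:
            exceptions.append(
                AuditException(txn, "OVER_LIMIT", f"{amount} exceeds {APPROVAL_LIMIT}"))
        key = (row["supplier_id"], row["invoice_no"])
        if key in first_seen:
            exceptions.append(
                AuditException(txn, "DUPLICATE_INVOICE", f"same invoice as {first_seen[key]}"))
        else:
            first_seen[key] = txn
        if paid_on.weekday() not in BUSINESS_WEEKDAYS:
            exceptions.append(
                AuditException(txn, "NON_BUSINESS_DAY", paid_on.strftime("%A")))
        if row["creator"] == row["approver"]:
            exceptions.append(
                AuditException(txn, "SELF_APPROVED", f"{row['creator']} created and approved"))
    return exceptions


def awaiting_response(exceptions, responses):
    """Exceptions with no recorded management response.

    Once the checks are transferred to management, this is the list internal
    audit reviews. `responses` maps (txn_id, rule) to management's recorded action.
    """
    return [e for e in exceptions
            if not responses.get((e.txn_id, e.rule), "").strip()]


if __name__ == "__main__":
    found = run_checks(SAMPLE_EXTRACT)
    for e in found:
        print(f"{e.txn_id}  {e.rule:<18} {e.detail}")
    # Constructed management responses for two of the flagged items.
    responses = {
        ("T002", "OVER_LIMIT"): "Approved under a higher delegation, evidence attached",
        ("T003", "DUPLICATE_INVOICE"): "Recovered from supplier",
    }
    print("Awaiting response:", [e.txn_id for e in awaiting_response(found, responses)])
```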
Performance improvement audits
It is generally accepted that internal audit not only provides assurance on compliance with procedures
and systems of internal control, but it is also well placed to assist management to improve business
performance. The objective of such assistance could include suggestions to improve the economy,
efficiency and/or effectiveness of an entity’s programmes and operations in areas such as improving
service delivery, better contract and project management, eliminating waste, reducing costs or
increasing revenue. The scope could cover all of the operations of the entity or be targeted to a
narrower set of activities associated with internal audit’s assurance role, such as matters related to
governance, controls or risk management.
Advisory services
Internal audit can also provide valuable advice to entity management and staff to assist them in
managing the entity’s risks in respect of programmes, systems, and processes, risk management
processes and fraud control. Such advisory activities can take a variety of forms, including advice on
systems of internal control, processes, procedures and policies, attending management meetings
as an observer, training managers and staff or providing informal advice in response to ad hoc
management requests.
In providing advice to management, care should be taken to maintain the operational independence of
internal audit. Internal audit can offer suggestions and recommendations but it is up to management
to accept or not accept that advice. If management accepts the advice it is then the responsibility of
management, not internal audit, to implement the advice and be accountable for its implementation.
Internal audit’s objectivity and impartiality could potentially be put at risk if internal audit takes on
management’s role. In this situation internal audit’s independence can be reinforced by reference in
an internal audit charter that distinguishes internal audit’s role from that of management.
New programmes, systems and processes
Another area where internal audit can be of particular assistance to entities is in the implementation
of new government programmes, systems or processes. The introduction of new programmes,
systems or processes, often involving substantial expenditure and tight timeframes, can present
additional risks for entities that need to be identified from the start and well managed early in the
process. The introduction of new IT systems can also be a particularly high risk activity and the
early involvement of internal audit can generate significant benefits by bringing internal audit’s specific
control expertise to bear on the task, including lessons learnt from previous similar projects in the
entity or from elsewhere.
Internal audit can offer advice and other assistance throughout a project lifecycle from the concept,
design and implementation stages, through to the post-implementation stage of a project. Guidance
can include: advice on the design of financial and other controls or, where outsourcing or other
contracts may be involved, issues concerning the appropriate procurement method; tender
evaluation; and probity issues [20].
To maximise the benefits of such assistance it is important that internal audit is responsive to the
needs of management for timely advice and has suitable arrangements in place to report on a real
time basis [21].
Risk management
Risk management is a key component of public sector corporate governance. The responsibilities of
many Audit Committees include oversighting the effectiveness of the entity’s risk management
framework.
It is management’s responsibility to identify and assess risks and to implement and monitor risk
mitigation strategies. However, given its expertise in risk and control assessment generally, together
with its experience in reviewing activities across the organisation, internal audit is well placed to assist
the entity to develop and monitor its risk management framework. Internal audit’s role can include:
• providing formal training and risk management advice to managers
• reviewing management’s risk assessments and associated risk mitigation controls and actions
• providing independent assurance over risk management processes, in particular, reporting against the achievement of control strategies
• providing an opinion on the overall effectiveness of the entity’s risk management framework, and
• facilitating or co-ordinating risk management processes in the entity.
The role that internal audit can play in developing and maintaining an entity’s risk management
framework will be influenced by the maturity of the framework and the extent that risk management
is embedded in day to day operations. This is likely to change and evolve over time as the maturity
of the risk management framework changes. For example, entities that have some way to go with
the introduction of their risk management framework may give internal audit a key role in assisting
management to identify risks and develop appropriate strategies and monitoring and reporting
arrangements. On the other hand, where entities have in place a robust and mature risk management
framework that operates throughout the organisation and where practical mitigation strategies are
monitored at senior levels, internal audit’s role might be more focused on providing independent
assurance on the effectiveness of the mitigation strategies and/or an assessment of the overall
effectiveness of the framework.
Whatever role internal audit plays in risk management, appropriate arrangements should be in place
to maintain the operational independence of internal audit.
Fraud control
Responsibility for managing the risk of fraud, like responsibility for managing all risks, rests with
management as part of its ongoing responsibilities. However, internal audit can assist an entity to
manage fraud control by providing advice on the risk of fraud and/or by advising on the design or
adequacy of internal controls to minimise the risk of fraud occurring. It can assist in detecting fraud
by considering fraud risks as part of its audit planning and being alert to indicators that fraud may
have occurred. Fraud investigation is a matter that requires specialist knowledge and skills.
[20] Because internal audit may act as probity auditor it is better practice that internal audit is not the initial probity advisor.
[21] Such arrangements will also usually involve periodically reporting on a summary basis to the Audit Committee.
Any decision to allocate management responsibility to internal audit for the investigation of fraud
should be taken in the full knowledge of the special risks involved and skills required in collecting and
collating evidence that may be used in any legal proceedings.
The role of internal audit in relation to fraud control should be considered as part of the organisation’s
overall fraud risk assessment and fraud policy [22].
Internal audit support activities
It is important that as much internal audit time as possible is spent on audit or advisory work.
Nevertheless, time spent on internal audit support activities such as business and audit planning,
monitoring the implementation of agreed internal and external audit and other report recommendations,
assisting the Audit Committee to meet its legal obligations and servicing the Audit Committee, internal
and external liaison, recruitment and staff development is an essential pre-requisite for an effective
internal audit function.
The relative balance of resources devoted to internal audit support activities compared with audit and
advisory activities, is a matter for consideration by the Audit Committee when considering internal
audit plans and budgets.
Non-audit activities
Internal audit operational independence is maintained when internal audit has no management
responsibilities other than for the internal audit function itself. Nevertheless, in limited circumstances,
it is recognised that internal audit may be called upon to perform activities that are management
responsibilities. These could include such activities as membership of management committees (as
distinct from having observer status), formulating fraud or risk management plans, or conducting
fraud investigations. The line between being an advisor to management and taking on management
responsibility for a task can sometimes be blurred. Consequently, it is important that professional
judgement is applied and appropriate safeguards put in place to maintain operational independence,
to the extent possible.
Where internal audit is to have responsibility for non-audit activities, these should also be specified
in the internal audit charter.
Internal audit and external audit responsibilities
Under the Auditor-General Act 1997, the Auditor-General is responsible for auditing the financial
statements of Australian Government entities [23]. Responsibility for keeping accounts and records [24]
and for preparing the financial statements rests with entities [25]. Under section 49 of the FMA Act,
Chief Executives must state whether, in their opinion, the financial statements give a true and fair
view of the matters required by the FMA Orders. In CAC Act entities, the Board is responsible for
certifying that entities’ financial statements comply with the CAC Act Finance Minister’s Orders.
[22] Under the Commonwealth Fraud Control Guidelines, agency heads are required to certify in their annual reports that
their agency has prepared fraud risk assessments and fraud control plans and has in place appropriate fraud prevention,
detection, investigation, reporting and data collection procedures and processes that meet the specific needs of the agency
and comply with the Commonwealth Fraud Control Guidelines. The Attorney-General’s Department, Commonwealth Fraud
Control Guidelines, May 2002 and the ANAO Better Practice Guide, Fraud Control in Australian Government Agencies,
August 2004 provide guidance on the risk assessment and control of fraud in the APS.
[23] Auditor-General Act Part 4 Division 1.
[24] FMA Act s 48 and CAC Act s 20.
[25] FMA Act s 49 and CAC Act Schedule 1, Part 1, Clause 2.
In this context, the responsibilities of the Audit Committees of FMA agencies as specified by section
2.1 of the FMA Orders include:
• as far as practicable, the coordination of audit programmes conducted by internal auditors and those conducted by the Auditor-General, and
• the provision of advice to the Chief Executive on the preparation and review of financial statements of the Agency.
Professional standards also encourage co-operation between internal and external audit in the
context of the audit of an entity’s financial statements and to increase audit efficiency by minimising
duplication. There are mutual benefits for entities and the external auditor in internal audit conducting
work that can be relied on by the external auditor, particularly in the areas of legal compliance and
financial system controls.
It is important, therefore, for entities to fully explore with external audit what review role internal audit
can play in the preparation of the entity’s financial statements and in coordinating its plans with those
of the external auditor. For example, internal audit can usefully review the adequacy of the quality
assurance arrangements put in place by the Chief Financial Officer.
There is also an opportunity for internal audit to act as a liaison point with the external auditor. This
can assist not only in improving the efficiency of the overall audit process but also in developing a
good working relationship between internal and external audit.
2.6  The internal audit charter
To formalise the position of internal audit in the governance framework, the roles and responsibilities
of internal audit should be articulated in an internal audit charter. An internal audit charter is
a document that formally outlines internal audit’s role, responsibilities, authority [26], standards
and accountabilities.
The charter should be developed by the Head of Internal Audit. Consultation with stakeholders,
particularly the Chief Executive and the Audit Committee, as part of developing the charter is an
important means of understanding stakeholder needs and expectations. Any expectation gaps can
be identified and addressed as part of the development process. The charter should be consistent
with the Audit Committee’s responsibilities for oversighting the internal audit function as outlined in
the Committee’s charter [27].
The charter should be approved by the Chief Executive, or the Board in the case of a CAC Act
entity, on the advice of the Audit Committee. Because the charter is a means of communicating
the role, responsibilities and authority of internal audit it is important that, once approved, it is made
widely available throughout the entity. Many entities also make the charter publicly available via
their website.
As governance requirements change in response to changing risks and the business environment,
the role of internal audit is also likely to change. The charter should, therefore, be reviewed at
least annually to have confidence that the role of internal audit continues to meet the needs of
the organisation.
[26] Internal audit is different from most other parts of the organisation in that it operates outside of its own boundaries across the
whole of the organisation. Because of internal audit’s broad mandate, it needs formal authority to access people and records
outside its own area to meet its responsibilities. Some entities also see benefit in reinforcing the role of internal audit in their
Chief Executive’s Instructions or equivalent policy documents.
[27] The role of Audit Committees in respect of internal audit is outlined in the Australian National Audit Office, Public Sector
Audit Committees, Better Practice Guide, February 2005.
2.7  Contents of a better practice internal audit charter 
Better practice suggests that, as a minimum, an internal audit charter should include the following:
Introduction
• specifies that the internal audit function has been established by the Chief Executive/Board and the charter has been approved by the Chief Executive/Board
Purpose of internal audit
• defines the purpose of internal audit
Independence
• specifies the organisational independence of internal audit
• defines the reporting arrangements and lines of accountability between the Head of Internal Audit, the Chief Executive or Board, and the Audit Committee
• provides for unrestricted access to the Chief Executive, the Board (if applicable) and the Audit Committee Chair and members
• provides for periodic ‘in camera’ meetings with the Audit Committee
Authority and confidentiality
• details internal audit’s authority to access all records, assets, personnel and premises and its authority to obtain such information as it considers necessary to fulfil its responsibilities
• specifies information accessed in the course of internal audits will only be used for auditing purposes.
Role and responsibilities
• details the role and responsibilities of internal audit including its role in undertaking:
  - audit activities
  - audit support activities
  - non-audit activities (if any)
Scope of internal audit activity
• defines the scope of internal audit, that is, the programmes, activities, processes, systems and organisations that are (and are not) subject to internal audit review
Standards
• specifies the professional and other standards that will be followed when conducting internal audit assignments
Relationship with external audit
• defines the relationship between internal audit and external audit
Planning
• specifies the requirement for an internal audit strategic business plan and an internal audit annual work plan
Reporting
• specifies the reporting arrangements required including the provision of an annual assessment of the entity’s system of internal controls and advice to the Audit Committee and entity management of patterns, trends or systemic issues arising from internal audit work
Administrative arrangements
• specifies adherence to the internal audit manual and protocols
• specifies internal audit performance will be assessed annually, based on key performance indicators approved by the Audit Committee
• specifies that any change to the position of the Head of Internal Audit, if provided in-house or an external service provider if outsourced, will be approved by the Chief Executive, or the Board in the case of a CAC Act entity, in consultation with the Audit Committee
• provides for an independent periodic review of the internal audit function, and
Review of charter
• provides for the periodic review of the Charter by the Audit Committee and approval of any substantive changes by the Chief Executive, or the Board in the case of a CAC Act entity, on the advice of the Audit Committee.
Model internal audit charter
Part 2 of the Guide includes a model internal audit charter.






Roles and responsibilities checklist
Have the following factors been considered in determining the roles and responsibilities of
internal audit?
• other assurance and business review functions
• the role other specialist advisors play in the entity e.g. in relation to risk and fraud control
• the types of audits to be undertaken
• the advisory, support or non-audit activities to be undertaken
• the extent to which internal audit can assist external audit in meeting its responsibilities.
3 Planning internal audit activities

3.1  Introduction
It is important that the work of internal audit is focussed on the risks that might prevent an entity’s
business objectives being achieved. The key principle, therefore, in planning the activities that internal
audit will undertake is that there is an alignment between the entity’s objectives and risks, including
those ongoing and recurring risks, on the one hand, and the strategic direction and plans of internal
audit on the other.
Better practice internal audit planning consists of a strategic business plan that is supported by a
more detailed annual work plan [28]. Together, these plans serve the purpose of setting out in strategic
and operational terms the broad roles and responsibilities that are articulated in the internal audit
charter and identifying key issues relating to managing the internal audit function. Given their close
interrelationship, these plans would normally be developed at the same time and could either be
consolidated into one document or be separately presented.
“By focussing our planning efforts on the things that matter to the business and asking the right
questions, we make sure internal audit is seen as part of the business and contributes to its success.”
Public Sector Head of Internal Audit
3.2  Internal audit strategic business plan
Similar to other key business activities, the work of internal audit should be considered at both a
strategic and operational level. An internal audit strategic business plan outlines the broad strategic
direction of internal audit over the medium term and provides an important link between the internal
audit charter and the detailed internal audit annual work plan. It should articulate the primary focus
and direction of the internal audit function over the period covered by the plan; outline the objectives
to be achieved in the period; and identify the key management strategies and actions that will be
needed to achieve these objectives. It should also set out broad details of the audit, audit support
and non-audit activities that internal audit will undertake and the proportion of resources that
will be devoted to the different types of activities that will be undertaken. For example, the plan
should indicate the relative proportion of resources to be devoted to audits, advisory services and
audit support activities.
The period covered by the strategic business plan can vary, but would normally cover a three year
rolling period [29] and be updated at least annually at the same time the internal audit annual work
plan is prepared.
3.3  Purpose of an internal audit strategic business plan
An internal audit strategic business plan helps in:
• focusing internal audit effort where it is most useful and effective
• communicating the medium-term direction of internal audit and how it supports the organisation’s objectives and addresses the entity’s risks
• ensuring there are no unintended gaps in internal audit coverage over time
• identifying the resources, skills and experience required to deliver an effective internal audit service
[28] The internal audit annual work plan is, in turn, supported by specific plans for individual audit assignments. Better practice
on planning individual audit assignments is described in Chapter 6 of the Guide.
[29] Where an entity has a formal strategic planning cycle it is better practice to align the internal audit strategic plan with that cycle.
• setting the direction for a continuous improvement culture and identifying priorities in the management of the internal audit function
• identifying initiatives to mitigate the risks associated specifically with the internal audit function, and
• providing a framework against which to measure the performance of internal audit.
3.4  Developing a strategic business plan
The Head of Internal Audit would be expected to be responsible for developing a draft strategic
business plan for approval by the Audit Committee [30] in consultation with the Chief Executive as
required. Once approved, the plan should be made available to entity staff through the entity’s
normal communication channels such as an entity intranet. Any significant changes should be
approved by the Audit Committee.
The time and resources involved in developing the plan should be commensurate with the size and
complexity of each entity, as well as the entity’s risk profile, and the extent of the entity’s investment
in the internal audit function. For example, entities would not be expected to undertake detailed
planning for audits proposed in the two out-years. The process would also be expected to be
consistent with the entity’s usual business planning processes.
In developing the plan, consideration should be given to the following factors:
The entity’s goals and objectives
To align the strategic business plan with the entity’s strategic direction, internal audit should have
a good understanding of the goals, objectives and priorities of the entity as they are articulated in
corporate and business plans, and similar documents. At a more detailed level, business goals
and objectives can also be outlined in other strategic documents such as workforce planning and
information technology strategies and asset management plans.
Consultation with the Chief Executive, members of the Audit Committee, and senior managers is
important in assisting internal audit in understanding existing and emerging business strategies
and risks.

Better Practice Tip: Discussing audit plans
Discussing audit plans with senior managers concurrently with the entity-wide risk
management and business planning processes provides an opportunity for internal audit
to encourage managers to see internal audit as a service to help them better manage
their business.
The entity’s risks
“Without an adequate risk analysis internal audit cannot proceed with its strategy.”
HM Treasury Audit Strategy Good Practice Guide
The entity’s risk profile and how it may change over time will also be an important determinant of the
size and nature of the internal audit programme and the types of audits that are undertaken. Provided
the entity’s risk identification process and risk management framework are mature, the entity’s risk
management plans will be a key source of information in developing the strategic business plan.
In situations where the entity does not have a mature risk management framework, it would be
expected that internal audit would develop its own entity risk profile that should be subject to
confirmation with the Audit Committee and the senior management of the entity.
[30] The FMA Orders for FMA agencies provide for the Audit Committee to approve the strategic audit plan of the agency.



Entities also see benefit in conducting a series of compliance audits across the entity on a cyclical
basis to provide assurance that key governance policies, procedures and controls are in place and
operating effectively.
External environment risks
External sources, including reports from Parliamentary Committees, public sector management
advisory groups[31], central agencies, regulators and the ANAO, can also illustrate potential sources of
risk. Trends in accounting and governance matters can also point to areas that might impact on the
achievement of the entity’s objectives and may require internal audit review.
The work of other review activities or functions
“Internal Audit should be seamlessly integrated within the overall governance framework.”
Public Sector Chief Executive
Consideration also needs to be given to the responsibilities and proposed coverage of other
internal or external review activities or functions. Internal review functions, as noted earlier, include
management monitoring and committees, evaluations, business improvement reviews, risk
management processes, quality assurance arrangements and management control self-assessment
arrangements. In addition, there are a number of external assurance and review bodies including
Parliamentary Committees, external audit, regulators, and the Ombudsman.
This is illustrated in figure 3 below.
Figure 3:  Internal and external assurance and review framework
[31] For example, the Management Advisory Committee established under the Public Service Act 1999.

[Figure 3 diagram labels: Comprehensive Assurance. Internal Assurance: Internal Audit; Management Reviews and Committees; Risk Management; Business Improvement Reviews; Management Control Self-Assessment; Evaluations; Quality Assurance. External Assurance: External Audit; Ombudsman; Parliamentary Committees; Regulators.]
