
Many NSW Councils have breathed a sigh of relief as one busy financial year ends and the new one eases in. However, while the busyness may have eased for the moment, the long-term financial picture for many Councils is less than rosy.

This is thanks to Covid-19, a series of natural disasters, and an infrastructure backlog pushing budgets into deficit. The 2021-2022 half-yearly review forecasted the NSW government’s budget deficit would be $3.6 billion. The actual deficit? $11.3 billion. And many Councils are facing the same issues.

Centium has been working with several Council clients in recent months to help them address financial sustainability issues. This work has covered finance and budget training for new Councillors and executive and management staff, support to shape and improve workforce and long-term financial plans, and the preparation of a rating strategy and community engagement required for a Special Rate Variation.

Integrated Resourcing Strategies

With IP&R Resourcing Strategies adopted in June 2022, the ongoing challenge for Councils is an integrated monitoring and review process whereby relevant resource managers can understand and manage the complex issues that are impacting Council finances, assets, and workforce. The six-monthly reporting cycle can facilitate resourcing conversations to better manage current pressures such as disaster recovery, high turnover and other changes in the workforce, ongoing impacts of Covid-19, and an unpredictable funding environment.

New requirements for service reviews can also offer the routine and discipline to find, implement, and communicate better and more efficient ways of delivering Council services. 

Centium has recently been working with our Council clients to embed an integrated approach to their resourcing strategies, requiring managers to work across silos and develop skills and organisational disciplines that ensure ongoing conversations, understanding, and shared solutions to workforce, assets, and financial challenges.

The Option of a Special Rate Variation

In between elections, NSW Councils have a window of opportunity to apply for a Special Rate Variation, and the process that IPART requires in order to gain approval is rigorous and extensive, as shown below:

Councils need to demonstrate to IPART that their own house is in order by identifying productivity improvements and efficiencies, and they need to enlist community support by engendering trust and offering a program of expenditure that matches community priorities. Clear, comprehensive, and strategic asset management systems and processes can offer the community some evidence that Council is ready to collect and spend additional rating income.

Not all Councils have the requisite skills and experience in developing SRVs that address these requirements and therefore need some support to maximise their chances of receiving IPART approval.

Developing the skills to prepare & respond to financial pressure

A difficult fiscal environment requires everyone to understand and respond, and the skills to do this can be developed and enhanced for anyone who manages a budget. We are currently offering a development program for senior and middle managers to develop their financial management capabilities.

The program addresses the following:

  • Understanding the local government context
  • Measuring and assessing Council’s financial position
  • Optimising revenue strategy
  • Exploring options for reducing expenditure
  • Improving Council’s approach to asset management and renewal
  • Planning ahead for financial sustainability

Our Offering

Centium’s depth and breadth of experience in providing performance and improvement support to NSW Councils can deliver real improvements for your organisation. We can help you:

  • Review and update your Resourcing Strategies
  • Examine and support improvements to performance and reporting cycles
  • Consult your community and apply to IPART for a Special Rate Variation
  • Design and implement your approach to service reviews
  • Develop the finance skills and capabilities of senior staff and Councillors

For further information please contact Sarah Artist, Centium’s Manager of Strategy and Engagement on 0409 830 283 or email sarah.artist@centium.com.au

All NSW State Government agencies are required to develop and maintain an ISO 27001 compliant Information Security Management System (ISMS), under the requirements of the State’s Cyber Security Policy (CSP).

Agencies must also definitively and positively attest to the CSP as part of their Annual Reporting process.

What is required?

By 31 October each year, agencies must submit a report to their cluster CISO, or Cyber Security NSW. This same attestation must be provided in the Agency's annual report. The report includes an assessment against the mandatory requirements of the CSP and a maturity assessment against the Australian Cyber Security Centre’s (ACSC) Essential 8.

Non-compliance or partial compliance with this requirement may be difficult to explain to senior management and oversight bodies, such as the agency’s Audit & Risk Committee.

Some tips for CSP readiness…

Start early. In our experience, agencies do not start the attestation process early enough to ensure an improvement on last year. As such, there is often insufficient time to complete relatively simple remedial actions that might mitigate serious cyber risks.

Review your ISMS. An agency’s Information Security Management System should be risk-based and fit for purpose. It should be reviewed annually to ensure that it remains current and reflects any changes that may have occurred within and external to the agency (e.g. Machinery of Government, ICT systems, contracts/outsourcing, third party supplier arrangements, risk appetite/profile, policy changes, etc.).

Conduct a Mock Audit. A number of agencies have introduced a “mock audit” phase into their CSP attestation process. Using this approach, the agency has time to rectify easy-to-fix remedial issues before the attestation is due, thereby lifting their overall security posture (and CSP score).

Test your Cyber Security Incident Response Plan. A Response Plan and well-facilitated simulation exercise can tick quite a few boxes and should not be left to the last minute. Agencies are required to attest that they have an up-to-date Plan. Importantly, in demonstrating cyber maturity they are also required to attest that the Plan has actually been tested within the past year.

Deliver Awareness and Training sessions. A significant proportion of cyber incidents are caused by human factors, many of which could be avoided by ongoing cyber training and awareness sessions. Such training should be mandatory, engaging, relevant…and most importantly, regular.

How Centium can help

We have a team of ISMS experts and cybersecurity specialists who have worked with dozens of State Government agencies across NSW over the past three years. During that time, Centium has assisted numerous agencies to migrate from the DISP to the CSP and to update their ISMSs to meet the new obligations. We have also mapped across the Essential 8 and have many shortcuts and helpful “lessons learnt” to share with our clients.

We can help you be CSP Ready by:

  • Reviewing/updating your ISMS so that it is risk-based, fit for purpose and aligned with the CSP
  • Undertaking an ISMS independent internal audit per CSP requirements
  • Conducting mock audits to identify any gaps that may prevent you from demonstrating CSP and Essential 8 improvement
  • Undertaking remedial actions to comply with the CSP’s mandatory requirements
  • Testing your Cyber Security Incident Response Plan
  • Testing your Business Continuity and ICT Recovery Plans
  • Reviewing your third party supplier arrangements
  • Facilitating face-to-face and e-Learning cybersecurity sessions for staff and contractors.

And, when the time comes, we can provide an independent assessment of your CSP performance, which entails:

  • Preparing your attestation against the CSP mandatory requirements
  • Undertaking an Essential 8 maturity assessment
  • Ensuring that you meet the 31 October reporting deadline each year.

Contact us

For more information, please contact Scott Thomson, Director, Cyber & IT on 0412 562 797 or scott.thomson@centium.com.au.

Explore Centium's robust and proven Cyber, IT & Business Continuity services for small and medium Government organisations.

All businesses are required to comply with rules and regulations, including, for example, taxation and superannuation rules, employee entitlements, health and safety legislation, public health orders, etc. The risk of non-compliance ranges from legal and financial penalties, status loss (registration, licence, etc.) to loss of reputation, which in turn could adversely impact business relationships and viability.

Organisations thus have a responsibility to ensure compliance, including through the establishment of good systems and processes, management oversight, and independent audit. Compliance audits are also a requirement of some government funding and grants programs.

Compliance audits can be costly and feel repetitive, particularly if an organisation already has a crowded, risk-based internal audit program. However, if done correctly they can generate significant benefits to your organisation.

So, how does an organisation get the most from a compliance audit? Here are a few tips:

  1. Focus on improvement – while it’s easy to “tick and flick” such an approach does not add value to the organisation. Rather, a mature approach is required to understand the business, ask the right questions, and suggest better ways of doing things. This might also include recommendations for policies, procedures, escalation processes, training, etc.
  2. Use data analytics – the use of data analytics tools can identify exceptions and in some cases, reduce sample testing times. Importantly, data analytics can also support an organisation to improve data quality and system enhancements.
  3. Analyse the root cause – it is important to uncover why systems are not operating as intended, errors are made, and staff have found workarounds. Maybe the organisation has outgrown its systems and processes. A good compliance audit works with the business to establish the root cause and suggests practical solutions to prevent reoccurrence.
  4. Adopt an educative approach – an experienced compliance auditor will work with all levels of the business to understand systems and processes, test compliance, share past experience and provide evidence-based examples as to how to improve controls.
  5. Think big picture – compliance auditing should extend to related activities, including for example, records management, accounts payable, system user access, employee health and wellbeing. While not necessarily the immediate focus of the audit, a skilled compliance auditor will ensure that systems and processes are aligned and consistent with better practice.
  6. Build internal capacity – compliance and continuous improvement should be an ongoing focus, not a once a year event. An important value-add in any compliance audit is the collaborative development of simple “checklists” to increase ownership and build internal capacity.

Centium's Approach to Compliance Auditing

An effective compliance audit enables well-run organisations to continuously improve, as well as demonstrate conformity with various rules and regulations. We work with organisations across various industries and sectors to deliver cost-effective, value-adding engagements.

Centium offers an independent, insightful and practical perspective. Importantly, we develop strong partnerships with our clients to provide assurance, build capacity and facilitate ownership of outcomes. We are also available to provide advice and facilitate management discussions regarding risk.

Browse Centium's range of Risk & Assurance services or talk to us about how we can help.

Local Councillors play a fundamental role at the community level in our democracy. They participate in shaping the places they live in and act in the best interest of their communities. In so doing, they come to understand the most difficult and most critical pressures facing their communities.

Local Government is often a training ground for other leadership roles, whether in government at all levels or in other walks of life. That’s why, following Council elections, a good post-election induction process is vital. It ensures that the new Council understands the legal responsibilities of its role, builds a sense of camaraderie and willingness to work together, and sets up parameters to guide future decisions about priorities and programmes.

After being postponed twice by Covid-19, NSW Council elections were held in December 2021. This delay meant the 2021 post-election induction process was particularly challenging because it compressed the time frame within which to meet legislative deadlines. It also required newly elected Councillors and their Councils to complete mandatory tasks during the Christmas break.

Moreover, because the next elections are scheduled for September 2024, the upcoming Council term is shorter than the usual three years, so new Councils have less time to set goals and priorities.

This doesn’t necessarily mean the effectiveness of this term needs to be impacted. Elections and the changes that come with them are a great time for Councils to change and improve internal strategies and priorities, leading to better community outcomes. So, what can we learn from those going out, those coming in, and the challenging circumstances of this election to make the next Council term a better one?

Nine suggestions for improving post-election induction & Councillor impact

As part of our support, training, and strategic planning work with Council clients, Centium has introduced a new process which has resulted in the recording of fifty-six interviews with individual Councillors, both new and outgoing, from four different Councils.

The interviews are de-identified and anonymous, allowing all Councillors to speak freely in a ‘thinking out loud’ environment, away from the rigors and restrictions of public debate. Councillors were encouraged to:

  • Express their own aspirations and priorities
  • Consider the most important issues facing constituents and their communities
  • Articulate the challenges and difficulties they experienced during their term on Council (for outgoing Councillors)

Here, we have summarised the information collected so that it can be harnessed to shape and direct the support new Councillors need to fulfil their roles.

Induction and Professional Development 

  1. Improved education
    “We need to work harder to make sure the Councillors understand better. We need so much more education – not just about the programs, but about how to work together.”
    It is easy for staff to imagine that new Councillors know more than they actually do. The induction process is important to educate Councillors on a range of issues.
  2. A better understanding of role and Council operations
    “We needed Code of Meeting practice training, what our role is and how to conduct yourself in a meeting. It could cover the rules of debate, points of order, chairing meetings. How do you write a notice of motion? When should it be a motion rather than general business? It took me ages to work out why you get the same information for different kinds of meetings.”
    New Councillors need to be presented with an overview of the operations of the Council, and an understanding of their role. They need legislative training on Code of Conduct requirements, particularly to understand conflicts of interest and how to identify and manage those. Code of Meeting practice training is also important.
  3. New Councillors need to be educated on development issues
    “We need better ways of accessing training options, better standard Councillor training every 12 months that’s relevant, and that’s opt in, especially when there are changes to legislation. What about staff briefings on webinars so we can access them when we need them?”
    Councillors need education on things like the terminology, impacts, and level of control involved, and an understanding of how to get better solutions to resolve community conflict. Ongoing training is required for all Councillors to ensure they keep up to date during their entire term of Council. Councils can be proactive about anticipating the skills and knowledge for Councillors’ continuing professional development. Site visits help new Councillors get a sense of what’s going on.

Accessing Information

  1. Better responses to community requests
    “If we have oversight at a high level then we can trust the systems to handle our requests too.”
    New Councillors are contacted immediately after their election by constituents with issues, concerns and complaints, and a few key staff could be nominated as contacts to receive the most common of these and also to explain constraints and realities. Timeframes for responses to requests are an important part of the equity of the complaints handling system, and Councillors need clear and reliable information about how requests will be handled and reasonable response timeframes.
    New Councillors need to learn to understand and trust the broader prioritising process that exists to handle community requests, so that they can maintain a strategic overview of quality and direction without getting inappropriately involved in individual matters.
  2. Online access to key information
    “We need something a bit more refined so that critical timely and relevant documents can be accessed quickly. We need this to counteract Councillors’ complaints that they didn’t receive something - if it’s on the portal then people can go and refresh their own memory rather than making an issue of it. The portal needs a file structure and an index.”

Many Councils are implementing an information portal that is hosted on their intranet. Full access and visibility to shared information should be implemented – a Councillor calendar for events and attendance, reports on resolutions status, business papers.

Working with Council Staff

“I’ve experienced senior staff who worked very hard to show that they were here for all of us. We had a serious level of respect for those staff. There were people who made sure it was a ‘no embarrassment’ Council. The trust needs to be developed to have an exchange of views with Councillors in a non-adversarial way.”

  1. Adaptive communication
    “Some of us have day jobs, and I try to phone staff in my lunch hour and leave a message, but they ring back when we’re at work too.”
    Different Councillors work in different ways; they are busy people and so are staff. Communication between Councillors and staff needs to adapt to the different ways that each are working, including the use of emails or phone calls and an understanding of the timing that suits all parties.
  2. Active engagement and input
    “There needs to be more briefings with Councillors before issues come to Council, and actually with enough time to have an influence and in the shaping process. Councillors should be taking an active role, not to take away from the role of the specialists. We shouldn’t be left till the end of the process with something we don’t want to support.”
    At its best the communication between Councillors and staff is a genuine engagement, to build up the common knowledge base, so that there’s more consensus.

Building Camaraderie and Consensus

  1. A positive culture
    “We need to build the capacity for robust debate, that is based on respect and good humour, and helps to develop good relationships.”
    There are positive initiatives that can be put in place to create and build a positive culture amongst the governing body.
  2. Strategies focused on building relationships and managing interpersonal issues
    “The strategic retreats were quite good. They didn’t need to be so salubrious, but it was a strategic meeting together and an opportunity to talk things through. They could substitute the briefings with more strategic meetings, it needs to happen more frequently. Say check-ins quarterly – around the bigger issues and having more input as Councillors. Otherwise it’s not genuine dialogue, it doesn’t feel like we’re coming together to have genuine input.”
    Social occasions can offer Councillors the informal opportunities to get to know each other. Some difficult individuals can work to derail the culture and cause churn at the senior level. One or two people can do so much damage, and everyone needs to have better strategies for dealing with difficult Councillors who may cause divisions, so that the focus is always on the best interests of the whole community.

Putting learnings & suggestions into action

It can sometimes be difficult to drive change, but the weeks and months post-election are one of the best times to implement new strategies within Council.

Centium has been working with several NSW Councils both before and after the recent election to ensure that Councils and Councillors are set up for success. We support Councils and Councillors to ensure that they are best placed to make good decisions that benefit their communities.  We can provide:

  • Confidential Councillor interviews to identify issues and solutions
  • Councillor support: benchmarking and service review
  • Facilitated workshops with Councillors and Executive Staff
  • Councillor professional development
  • Code of Conduct and Code of Meeting Practice training

The governing body plays a crucial role in a highly functioning Council, and specific strategies can be introduced to ensure that Councillors are guided and supported to enhance the reputation and performance of their Councils.

Contact our Manager Strategy and Engagement for a no-obligation discussion on 0409 830 283 or at sarah.artist@centium.com.au. You may also reach out to us at info@centium.com.au if you're a government or not-for-profit organisation that has an interest in our services and wish to discuss


We're thrilled to announce our strategic alliance with CT Management Group (CTMG), one of Australia’s most trusted providers of local government professional services. This alliance is a big step towards expanding our range of services to new locations across Victoria and Queensland.

The partnership is the result of a close professional relationship that we are confident will only continue to grow. We’re delighted to build a partnership with an organisation that not only has a great reputation, but also shares our values, standards and professional skills.

By combining the strengths and expertise of our two firms, we will continue to deliver exceptional services to our clients in the government and not-for-profit sectors.

What this partnership means for our clients

Centium and CTMG share a common goal of providing honest and effective support to organisations, and we are thrilled to expand our range of professional offerings to a broader range of clients - both in terms of services and location.

In addition to Centium's current service offerings, government and not-for-profit organisations across Victoria and Queensland will now be able to access a new range of services and expert knowledge that includes asset management, financial management, and strategic service planning. The full range is listed below.

Our current and future clients based in our existing locations of Sydney, Melbourne, and regional areas will also be able to access this expanded range of services.

Over the coming months, we’ll be showcasing various Success Stories and team member profiles of both Centium and CTMG. This will show the variety of new value adding services and expertise we offer.

Our expanded range of services

Our partnership covers the range of services below:

Products and services delivered by CTMG

  • Service - Service Planning:
    • Strategic service planning
    • Service Reviews
  • Service - Asset Management:
    • Governance Framework: Policy, Strategy, Asset Management Plans
    • Building condition assessments
    • Asset Demand Renewal Modelling
    • Fleet & Plant
    • Capital Works programming and prioritisation
  • Service – Financial Services:
    • Financial Sustainability Reviews
    • Differential Rating and Revenue Strategies
  • Products:
    • Long Term Financial Plan
    • Service Cost Evaluation Model
    • Capital Expenditure Evaluator

Services delivered by Centium:

  • Internal Audit
  • Risk Management
  • Ethical Conduct & Investigations
  • Cybersecurity and Information Technology
  • Probity and Procurement
  • Business Continuity & Resilience

About CTMG

CT Management Group has been one of Australia’s most trusted providers of local government professional services for over 25 years.

CT Management Group provides professional services to state government, councils, and not-for-profit organisations across the eastern states of Australia. They are listed on all relevant government panels in each of those states.

You can learn more about CTMG by heading to their website.

Ready to work with us?

We look forward to working together with CTMG to assist our clients with improving their governance and managing their assets and risks. 

If you're a government or not-for-profit organisation that has an interest in our services, you can reach out to us at info@centium.com.au to discuss your needs, or to find out more about how our alliance could benefit you.


In most public sector jurisdictions, internal audit is a mandatory requirement. There will always be some routine “tick and flick” type audits that will be required from time to time to confirm the adequacy of controls for generic activities. But effective Internal Audit is about so much more than the old “tick and flick”.

Ever since non-core services were first contracted out en masse in the 1990s, Internal Audit has too often been perceived as some sort of generic commodity. This is a fallacy. While the physical process of auditing can be somewhat generic, the professional judgement, expertise, care, professionalism, as well as the depth and breadth of experience, are key differentiators of quality.

A worthy service provider will not only provide you with a good price, but even better value.

An Analogy

Say you are in the market for some chilled drinking water. There are three taps on the wall from three different suppliers and you must choose only one. They all look pretty similar, except that one of the taps is gold-plated. Prices are competitive in relation to the water that each tap provides. The gold-plated tap looks nice and shiny, so you choose that one.

You turn the shiny gold tap and find that the water pressure is very low. It takes ages to fill your glass. The water itself, while safe to drink, is slightly warm and tastes a bit strange.

Disappointed, you then turn the next tap. The water pressure is good, but the water looks rusty and smells. You don’t even risk tasting it.

Shaking your head, you turn the last tap. The water flows out at good pace, is cool, looks clear, and tastes fine.

So which tap provides the best value? Most people would agree that it’s the third tap. The first tap looks great and technically meets your needs, but the water it provides, and the manner in which it provides it, is not really what you wanted. The second tap, while it provides sufficient water, doesn’t really meet the brief at all.

Only the third tap provides a product that services both your needs and your wants at a competitive price.

Applying this analogy to internal audit

Setting out what makes a good Internal Audit service provider, instead of an average one (or a poor one…) can be difficult. Based on our long experience working with clients across all sectors, we’ve developed a summary of the high-value versus the not so good aspects of internal audit service delivery.

Ineffective IA service delivery, and why not:

  • Labour-intensive: Clients do not want to ‘hold the hand’ of the auditor for an extended period.
    - Time is better spent elsewhere.
    - Auditors should be skilled enough to operate independently.
    - Auditors should have relevant experience, preferably regarding the subject matter or within the sector.
  • Not risk-based: Clients do not want lots of low-risk “housekeeping” audit recommendations.
    - Management and the Audit Committee spend a disproportionate time monitoring low-risk actions that do not add much value or mitigate key risks.
    - Line management experience audit fatigue as they do not have time to implement change before the next audit.
  • Lacking quality: Clients do not want to perform badly against external Quality Assurance Reviews of the Internal Audit function.
    - An external review is a requirement of the IIA’s International Professional Practices Framework, and is built into public sector policies and procedures.
    - Poor performance may lead to reputational damage and create a new suite of tasks to complete.
  • Dictatorial: Clients do not want or appreciate an auditor who tells them how to run their business.
    - Over-prescriptive audit recommendations that are not fit for purpose do not engage management.
    - A “one-size fits all” or “been there done that” approach does not encourage an understanding of the risks or ownership of internal controls.
  • Not inclusive: Clients do not want an auditor who fails to keep the Chief Audit Executive or Project Sponsor in the loop.
    - Not keeping the CAE fully apprised throughout the audit undermines the credibility of both the CAE and the audit function overall.
    - Audit activity could be driven by service provider preferences rather than organisational needs.
  • Passive: Clients do not want an auditor who is not prepared to identify and report bad news.
    - Auditors need to be frank and, at times, make findings regarding high risks that management might not want to hear or read.
  • False economy: Clients do not want auditors who lowball on price so that they can use audit as a ‘loss leader’ to find more lucrative consulting opportunities.
    - Service providers might not deliver on the quality audit team promised when the contract was signed, instead sending in “raw” junior staff.
    - This can lead to price gouging and a waste of public funds.
  • Poor communication: Clients do not want reports that are poorly written, unclear, difficult to understand and easy to ignore.
    - Poorly written reports make it hard to gain acceptance of audit findings and the associated recommendations.
    - This has the potential to damage the credibility of Internal Audit.

Measuring the value and/or performance of internal audit services

The value and/or performance of internal audit should be regularly monitored and reported. Good metrics for internal audit effectiveness include:

  • Completion of approved audit program
  • Proportion of audit recommendations accepted
  • Level of satisfaction with quality, type and volume of information presented and reported
  • Levels of satisfaction with individual audits, with respect to value add and usefulness of recommendations
  • Proportion of audits completed (to draft report stage) within planned number of days budgeted.

An internal audit service provider should also be the “right fit” for your business. Senior personnel should be qualified, responsive and willing to share their time, experiences and knowledge of better, innovative practice. They should also be attuned to and readily fit in with the prevailing culture of the organisation, whilst still remaining independent at all times.

Centium's Risk & Assurance team

Centium’s Risk & Assurance team comprises experienced Senior Auditors that understand business and the public sector environment. Each and every member of the team has a proven track record across multiple sectors and jurisdictions. This experience lends itself to our team members being able to make helpful and pragmatic recommendations and suggestions for improvements, based on their extensive learnings across the public and private sectors.

Centium’s Senior Auditors understand risk management, the competing demands on your time and your expectations regarding cost-effectiveness; we always scale and present our audit recommendations in a manner that best suits your business.

Our Auditors perform sufficient testing, maintain good working papers to ensure compliance with the IIA’s Standards and are willing and able to provide them to you on demand. The team writes well and we stand by the quality of our audit reports.

Our Director Risk & Assurance will support and work in partnership with the Chief Audit Executive / Project Sponsor to meet the needs of both the organisation and the Audit Committee.  Our team is professional and can call on broad, collective experience to identify poorly-controlled risks, initiate a call to action, and provide appropriate advice as to how other organisations have addressed similar risks.

Finally, our Risk & Assurance team charges sustainably for their services (an ethical requirement) and provides value for money for both assurance and consulting engagements. We also have a range of discrete, low-cost management tools that help diagnose and assess organisational maturity across a range of risk-based issues.

Contact us

If you have questions or concerns about finding the right internal audit provider, or would like to further discuss Centium’s audit offering, you can contact Director Risk & Assurance, Penny Corkill at penelope.corkill@centium.com.au or 0409 251 011 for a confidential, no obligation conversation.

The PCI Security Standards Council (PCI SSC) published a new version of the PCI Data Security Standard (PCI DSS) on 31st March 2022.

The new standard, v4.0, provides a baseline of technical and operational requirements designed to protect payment data and will replace version 3.2.1 to help combat emerging threats and technologies.

The new requirements included in PCI DSS v4.0 are either:

  • Effective immediately for all PCI DSS v4.0 assessments; or
  • Best practices until March 31, 2025, after which they become effective.

The current version, v3.2.1, will remain active for two years until March 31, 2024. This will provide relevant organisations with time to understand v4.0 and implement the updates. We advise organisations to adopt the new PCI DSS v4.0 requirements in a timely manner to protect their payment data.

What are the key changes in Version 4.0?

Three key types of changes are introduced, and they are as follows:

  1. Evolving requirement: Changes to ensure that the standard is up to date with emerging threats and technologies and changes in the payment industry. Examples include new or modified requirements or testing procedures or the removal of a requirement.
  2. Clarification or guidance: Updates to wording, explanation, definition, additional guidance, and/or instruction to increase understanding or provide further information or guidance on a particular topic.
  3. Structure or format: Reorganisation of content, including combining, separating, and renumbering of requirements to align content.

Please view the PCI DSS V4.0 key changes:

How can Centium help your organisation comply?

Our team of PCI DSS experts and specialists has worked with dozens of merchants, service providers, and acquiring banks. We have also mapped all related processes and requirements across the new PCI DSS v4.0.

If your organisation needs a helping hand in complying with the PCI DSS v4.0 standard to increase your security and meet your compliance requirements, our team would be more than happy to discuss how we can help you. You can view further information about our service, team and experience in our Service Capability info sheet.

For more information, please contact Scott Thomson, Director Cyber & IT on 0412 562 797 or scott.thomson@centium.com.au.

Our thanks to the PCI Security Standards Council for proactively updating PCI DSS requirements and providing us with supporting guidance and a supplemental "At A Glance: PCI DSS V4.0" document to understand the context of these changes. At-A-Glance: PCI DSS v4.0 is provided with permission of PCI Security Standards Council, LLC (“PCI SSC”). All rights reserved. Neither PCI SSC nor its licensors endorse this presentation, its provider or the methods, procedures, statements, views, opinions or advice contained herein. All references to documents, materials or portions or requirements thereof provided by PCI SSC should be read as qualified by the actual materials made available by PCI SSC. For questions regarding such materials, please contact PCI SSC through its website at https://www.pcisecuritystandards.org.

Over the last few years both State-based and International anti-corruption bodies have been busily dealing with a steady stream of fraud and corruption cases. This has included well-publicised cases involving all levels of Government, as well as organisations across the Not-for-Profit and Private sectors. No industry, occupational group or sector is immune from the threat of fraudulent conduct.

All you need to do is look at recent headlines to see how commonly these cases are being carried out and reported on:

 “Worker sentenced to 30 months’ imprisonment for defrauding $244,000 from the Chris O’Brien Lifehouse, including by changing the bank account details of a cancer patient who died to an account she had access to”

- The Sydney Morning Herald (SMH), 3 March 2022

“Former head of Surf Life Saving NSW will spend at least 19 months behind bars after he defrauded the organisation during eight years at its helm…”

- SMH, 18 February 2022

 “Australia records its worst ever score on anti-corruption index after decline to match Hungary’s”

- The Guardian, 25 January 2022

“Significant corruption allegations and findings within Council revealed.”

- Cairns Post, September 2021

“Council asks corruption watchdog to look into missing $4 million”

- SMH, 15 March 2021

“Council referred to corruption watchdog over defamation legal spend”

- The Brisbane Times, 5 January 2021

Why do some organisations struggle to implement fit for purpose fraud and corruption prevention strategies?

Fraud and corruption prevention is important in every organisation. Whether it be public sector agencies responsible for exercising the business of government, or Not-for-Profits appropriately using grant funding from government, the risks posed by fraud and corruption are simply bad for business. And there are plenty of these risks: reputational damage, financial loss, legal costs, business disruption, staff turnover, etc.

But when organisations are facing challenges like shrinking budgets and increased service delivery expectations, the importance of fraud and corruption prevention can sometimes be overlooked. It can thus be difficult to determine whether your organisation’s fraud and corruption control system is fit for purpose. This is further exacerbated when changes to working arrangements and loss of long-term staff members lead to the loss of valuable knowledge about an organisation’s fraud and corruption risks and how to control them.

As you are probably aware, an almost bewildering array of written technical resources and standards exist to guide the prevention and detection of fraud and corruption. However, many existing resources are generic in nature and may not be entirely appropriate for your organisation.

For example, the Australian Standard on Fraud and Corruption Control (i.e. AS8001:2021) runs to more than 50 pages. Small agencies are therefore likely to find it onerous and costly to fully implement. On the other hand, the NSW Audit Office’s Fraud Control Improvement Kit, which breaks fraud (but not corruption) control down into 10 attributes and 38 individual control elements, does not easily align with the Standard.

There is also a plethora of guidance and compliance requirements for public sector organisations, including Internal Audit, Risk Management, Audit Committees, Cyber security, recordkeeping, information classification and handling, supplier due diligence, and so on and so forth.

The sheer volume of information can be overwhelming – it can be even tougher to independently assess whether your organisation’s fraud and corruption control system is both compliant and fit for purpose.

Ensuring your fraud and corruption prevention is fit-for-purpose

FACET is a Fraud and Corruption Evaluation Tool that, when applied, will provide your organisation with contextual and appropriate advice to ‘correct-size’ your fraud and corruption controls. FACET is specifically designed to measure:

  1. An organisation’s inherent exposure to fraudulent and/or corrupt activity and its sensitivity to that exposure (i.e. how important is managing fraud and corruption to an organisation?)
  2. The maturity of an organisation’s Fraud and Corruption Control System (i.e. is an organisation well placed to manage its fraud and corruption risks?)

FACET has been developed by Centium, using our vast experience and knowledge of fraud prevention, risk management and internal audit.

FACET results, which will be presented in easy to understand graphics for each risk exposure (refer sample below), are not designed to drive you blindly towards best practice regardless of the appropriateness or cost of such an approach. They are designed to help you match the control system to your organisation’s risk profile and resources, i.e. to find a perfect balance between risk and control!

If you would like to know more about FACET or any of our other intelligent fraud and corruption control services (risk assessment & register, audits, etc), please contact Centium’s Director Risk & Assurance, Penny Corkill on 0409 251 011 or penelope.corkill@centium.com.au.

View our range of Risk & Assurance services. Alternatively, talk to us about how we can help.

We all started last year with high hopes, not realising that it would end up being a virtual repeat of 2020. It's taught us to be a little warier. And so, going into 2022, many organisations are feeling more cautious than optimistic.

While hope can push us forward, there is nothing wrong with combining this hope with measured caution. In fact, being prepared for everything - aware of emerging risks and the systems and processes to mitigate them - is one of the best ways to ensure long term success.

At Centium, we've been preparing for 2022. Our team has been reviewing Audit Office reports, scanning the media, researching industry issues, and brainstorming ways in which various sectors can minimise their risks. We have augmented this research by reviewing the audit programs and special audits undertaken within our extensive client base.

As a result of these activities, we are now sharing our research and recent experiences by suggesting which topics and areas will be of most relevance this year when it comes to risk management and internal audit. We’re hoping that this will provide “food for thought” for audit and risk professionals as they prepare and/or recast annual work plans across all levels of Government.

Australian Government

Centium is thrilled to announce that we have recently been appointed to the Australian Government’s Management Advisory Services (MAS) Panel for internal audit services.

Given the election cycle, it is anticipated to be a busy time for Australian Government agencies.  This activity also presents an opportunity for internal audit to review controls associated with high risks, as well as the effectiveness of governance frameworks to ensure agencies remain accountable, impartial and committed to service during any resultant Machinery of Government changes.

Topical suggestions for internal audit include:

1. Grants Administration

Grants programs (and equivalent research and tax incentives) should be robust and demonstrate value for money, particularly given that it is public money. Core to each grants program should be the key principles of transparency, accountability, and probity. Sounds eminently reasonable, yet grants administration has emerged as a substantial reputational risk for Government at all levels. Together with probity advisors, internal audit has an important role to play in providing assurance over grants programs and ensuring the continuous improvement of grants administration.

2. Workforce Planning

With changing working conditions, staff shortages and the impending threat of a ‘great resignation’, agencies remain vulnerable if they have not acted to identify (and regularly review) future staffing and training needs. Several Australian Government agencies have been the subject of workforce planning performance audits, including the Australian Security Intelligence Organisation (ASIO) in 2020-2021. An internal audit would similarly cover strategic workforce planning, including:

  • governance
  • systems and processes to analyse and identify gaps
  • the adequacy of strategies to recruit, develop and retain key staff
  • a review of monitoring and reporting arrangements.

This audit is particularly relevant given the upcoming Federal Government election and anticipated post-election reshuffles.

3. Sustainability and ESG

Sustainable or resilient agencies understand the value of Economic, Social and Governance factors to their stakeholders. The Institute of Internal Auditors (Australia) believes that:

“Globally the world is sitting up and taking notice of ESG, not only from the benefits it provides to organisations, investors and stakeholders, but also to the positive impacts experienced by the community, both locally and globally”.

These benefits are similarly applicable to Australian Government agencies and should be subject to transparent reporting about achievements and areas for improvement. Internal audit can provide assurance regarding the efficiency, effectiveness, economy and ethics of agency business activities. Where appropriate, audits would also consider ESG factors for third party suppliers – service delivery through other entities was recently the subject of an Australian National Audit Office Report. See also our suggestions for a separate audit below.

4. Bullying & Harassment Prevention

Recent private sector Executive removals, together with high profile media coverage, would appear to (finally!) indicate a decreased tolerance regarding poor and unacceptable workplace behaviour. All organisations need to ensure that the ‘tone at the top’ is such that a culture of respectful and appropriate behaviour towards employees is fostered and rewarded. It is also critical that employee complaints are taken seriously and quickly acted upon. Internal audits can assess how culture is managed and monitored. They can also provide an independent assessment as to whether an agency has effective systems, processes and controls in place to prevent bullying and harassment.

NSW State Government

As the dust settles on another round of Machinery of Government changes, State Government agencies are expected to face pressures managing return-to-work arrangements and increasing scrutiny, all of which will assume increased focus as the March 2023 elections approach.

Based on our research, our suggestions for internal audit hot topics in 2022 are as follows:

1. Third-Party Suppliers

Contracts often form a large part of agency expenditure – yet the inadequate management of third-party suppliers was over-represented in recent Audit Office reports. Service delivery through other entities was also recently the subject of an Australian National Audit Office Report. A comprehensive audit of third-party suppliers offers the opportunity to assess inter-related business activities, from Service Level Agreements (SLAs) and governance, and standard contract terms (e.g. ICT controls and business continuity), to contract variations (and possibly procurement processes), records management and mandatory reporting. The alternative is ongoing inadequate or inconsistent third-party monitoring, which could result in poor performance, increased costs, and reputational damage.

2. Payroll & Entitlements

Basic payroll and entitlement issues were similarly identified in the Audit Office reports for most clusters. As payroll expenses account for a substantial proportion of the budget (and people are an organisation’s most important asset), it is important to establish and maintain good controls over payroll and entitlements. An audit can walk through and test controls over employee Masterfile data, payroll variations, time and attendance procedures, roster management, mandatory superannuation and taxation obligations, etc. Payroll access should also be regularly audited, as should the segregation of duties between key payroll activities.

3. Ethical Culture

The ethical culture is the character of an organisation; the accepted values, beliefs, behaviours, goals, attitudes, and work practices that underpin organisational decision-making. It is how the people in an organisation approach their work and interact with others to deliver the business of the organisation. An ethical culture has a profound impact on the way organisations do business and is key to minimising reputational risk, with the media quick to jump on those organisations not behaving ethically.

4. Cyber Security

Strong IT controls are critical in protecting an agency’s systems, networks, and programs. Cyber-attacks aim to disrupt or interrupt normal business processes, or to gain access to information in order to steal, change or destroy content and/or extort money from individuals or organisations. NSW Government agencies are required to assess maturity and report results against the Cyber Security Policy (CSP) and Essential 8 – noting that there are equivalent security policies and standards applicable in other jurisdictions. It is important that an independent, specialist assessment is periodically undertaken to ensure that organisational maturity is not overstated.

5. Governance & Delegations Management

In 2021, the Audit Office of NSW once again found shortcomings relating to basic governance controls. Examples included out-of-date and/or missing policies, poor recordkeeping and document retention, incomplete or inaccurate information registers, and superseded bank signatories. Organisations should regularly review (and audit) their policies, procedures and delegations for adequacy and implementation effectiveness, particularly regarding key business decisions. Such controls underpin effective and efficient organisations and are key to preventing fraud and corruption.

Local Government

It’s been a busy time for Local Government in NSW with recent elections and the induction of new and returned Councillors. There are several key policy changes, either finalised or in draft, all of which have impacts for Council Integrated Planning & Reporting Processes and overall risk management.

In this context, Councils should continue to ensure that their risk management and internal audit activities address new directions, priorities, and emerging risks. Centium’s suggestions for Local Government internal audits include:

1. Asset Management

Given the value and number of Council’s assets (and the complexity of asset categories), it is important that there are sound and robust controls in place around asset management. While external auditors focus on asset valuation, internal audits provide an excellent opportunity to test both a Council’s Asset Management Framework and its practices across nominated asset categories. These categories could include roads, plant and fleet, property, leisure and community facilities, natural environment, waterways, trees, etc. Asset management audits can also be expanded to include procurement and disposal processes, both of which present a high inherent risk for Councils.

2. IP&R Audits

All councils in NSW use the Integrated Planning & Reporting (IP&R) framework to guide their planning and reporting activities. As part of this process, Councils are required to report on their progress towards achieving the vision outlined in their Community Strategic Plan. It is important that Council deliverables can be validated to ensure transparent reporting to the community on what has been achieved. Internal Audit can independently review performance against deliverables, trends and patterns, and the appropriateness of extant measures and targets.

3. Financial Management & Restricted Reserves

Financial management/investment represents a significant and substantial activity for a Council. An audit of financial management/investment can provide assurance over the effectiveness and appropriateness of the Council’s governance operations. Such an audit can also be expanded to consider the management of a Council’s restricted reserves (e.g. funds limited by legislative, administrative or internal requirements).

4. Cyber Security

Cyber security is an increasing risk for all businesses, including Councils that act as custodians of confidential information and cannot afford to lose time and money due to cyber-attacks. Cyber Security NSW has developed a draft Cyber Security Guideline for Local Government, which has in turn been released by OLG. This guideline is intended to be used by Councils to help increase their cyber maturity. While it is currently not mandatory to assess and report against it, there is an opportunity to benchmark maturity and remediate gaps. Centium’s Cyber Security professionals have worked with several proactive Councils to conduct Health Checks and develop prioritised improvement plans.

5. Work Health & Safety

The importance of minimising workplace injury and illness cannot be overstated. Employers and businesses have a primary duty of care to their workers and visitors to their workplace, including contractors and volunteers. There are numerous strategies and processes that employers and businesses need to have in place to comply with workplace health and safety legislation. An audit or health check against recognised standards can identify any gaps in compliance, minimise risks and suggest improvements.

The benefits of an end-to-end, independent Internal Audit approach

We’ve all had enough surprises over the past two years. The right approach to risk management and internal audit can ensure you don’t experience more shocks than you need to in 2022 – plus enable you and your team to be fully prepared and ready to go.

To ensure audits are carried out thoroughly and in accordance with any relevant policies or standards, the importance of an experienced and independent perspective cannot be overlooked. Centium offers independent and practical internal audit services and can provide additional support to improve or adjust any processes or frameworks that aren’t consistent with better practice.

Importantly, our qualified team is committed to creating strong partnerships and building client capacity, improving organisational resilience and facilitating the ownership of outcomes. One of Centium's key differentiators is our approach to risk and assurance projects, including routine and complex reviews. We use proven methodologies and tailor our audit practices to each client, always considering context, geographic and regional issues, operating model, objectives, and challenges.

View our range of Risk & Assurance services. Alternatively, talk to us about how we can help.

Last Friday, ABC News carried a story about the Board of building materials maker, James Hardie, dismissing its chief executive, Jack Truong. The Board had conducted “extensive due diligence to provide for a sincere change in Mr Truong’s behaviour”, but employees made further complaints about how he treated them. The company shares lost 4.1% on the news of the CEO’s departure.

The Chair of the Board commented that “while the transformation and share price growth that occurred under Mr Truong’s leadership was truly remarkable … Mr Truong’s conduct, while not discriminatory, extensively and materially breached the James Hardie Code of Conduct, and a Board meeting held today resolved to terminate Mr Truong’s employment, effective immediately. The Board took this action to uphold the Company’s core values, including Operating with Respect, and to maintain continuity of the management team that has been instrumental in our transformation”.

We wondered if this damage to the company’s reputation and share price, following the dismissal of an executive for alleged misconduct, was an isolated phenomenon.

We found an article written by Amber Shultz in September 2021 that described three instances in 2018 of the ‘exponentially expensive’ effect of allegations of inappropriate behaviour by CEOs:

  • When model Kate Upton accused Guess co-founder Paul Marciano of harassment over Twitter in February 2018, more than $250 million was wiped off the company’s market value in less than a day.
  • QBE shares dropped by 9.2% between August 20 — when a complaint by a female colleague was lodged against boss Pat Regan — and his dismissal on September 1.
  • Between Boe Pahari’s first day as the boss at AMP Capital, allegations publicised on July 1, and his demotion on August 24, AMP’s share price had plummeted by 23%.

These examples appear to indicate a sea change in which Boards and shareholders are no longer prepared to put up with company executives’ poor behaviour, irrespective of the short to medium term impact it may have on share price and company value.

Plainly, publicly listed and indeed all other organisations need to ensure the ‘tone at the top’ is such that a culture of respectful and appropriate behaviour towards employees is fostered and rewarded. It is also critical that employee complaints are taken seriously and quickly acted upon.

Centium has extensive experience in discreetly investigating employee complaints involving CEOs and senior executives. We have also recently developed a cost-effective Health Check that can proactively assess your organisation’s culture and prevention framework as they relate to bullying and harassment.

If you would like to check the health of your organisational culture or have a confidential no-obligation discussion, contact our Director, Ethical Conduct & Investigations, Peter Mulhall, on 0416 161 819 or peter.mulhall@centium.com.au.

In mid-November 2021, the NSW Independent Commission Against Corruption (the ICAC) made public the report on its investigation into the sourcing of software systems for the Western Sydney Institute of TAFE (WSI).

This investigation concerned allegations that the WSI Finance Manager and another Finance Officer accepted payments totalling approximately $449,000. The Finance Manager also accepted gifts including a laptop computer, a cordless telephone, and installation of built-in cupboards at his home as inducements to show favour to the provider of budgeting and planning software known as iPlan.

Inadequate investigation of complaints

Complaints and enquiries into the Finance Manager’s behaviour and procurement processes stretched across multiple years:

  • September 2014: Peers of the Finance Manager periodically raised concerns about procurement processes.
  • Early 2015: An informal complaint about procurement non-compliance resulted in the then-WSI Director making some enquiries with the Finance Manager and his immediate supervisor. The enquiries relied solely on the information provided by the Finance Manager, without any independent verification of that information. During his compulsory examination, the Finance Manager admitted that he falsified records when responding to the enquiries made at that time.
  • July 2016: A verbally received public interest disclosure (PID) alleged an association between the Finance Manager and the provider, and raised concerns about overcharging, among other things. It was not investigated because the discloser withdrew the PID when asked to put it in writing.
  • May 2017: TAFE engaged an external investigator to investigate allegations received concerning the iPlan software procurement and reported the matter to the ICAC.
  • November 2017: TAFE advised the ICAC that it had concluded its investigation.
  • April 2018: TAFE advised that ‘the matter was investigated by an independent service provider and [sic] concluded the matter was unsubstantiated’.

The ICAC investigation revealed scant records of any investigations of the matter.

ICAC Findings

The final report found that the Finance Manager may not have complied with TAFE procurement rules, exceeded their delegation, and may have breached the TAFE code of conduct.

The report also recommended putting four allegations to the Finance Manager, but NSW TAFE decided that there was insufficient evidence to do that. The Finance Manager’s supervisor and that supervisor’s manager were closely involved in that decision-making. The ICAC report found this was ‘less than ideal’ because both of these people were involved in the procurement strategy involving the selection of the provider of the software, and the supervisor had approved seven purchase orders exceeding $500,000 in that year.

The ICAC was satisfied that a more robust complaint handling and investigative process would have resulted in a formal disciplinary process being instituted at that time and that the corrupt conduct could have been prevented or at least identified earlier.

What we can learn

The report, which you can read here, includes 14 recommendations of a range of measures to prevent future similar corrupt activity.

The immediate learnings relating to ensuring agencies have effective complaint handling and investigations protocols in place are:

  • encourage complaints about possible corruption and make timely and careful assessments of them
  • when there is a reasonable suspicion that there may be substance to a complaint, make a timely report of the matter to the ICAC in accordance with section 11 of the Act
  • if the ICAC determines that your agency is to conduct further enquiries, engage an independent external provider to investigate the matter
  • keep the matter strictly confidential and delay advising the subjects of complaint until evidence has been gathered, assessed, and secured
  • do not accept respondents’ denials of wrongdoing or information they provide on face value
  • ensure decision makers are not involved in any matters related to the complaint
  • support and protect whistleblowers
  • document all action taken and decisions made at every stage

Ensuring quality, independent and confidential investigation services

Ineffective management of complaints or conduct issues can easily result in wrongdoers not being held accountable for their actions. It also leaves organisations open to considerable reputational damage.

Incidents like the one above emphasise the importance of following up all complaints and undertaking independent investigations, to ensure reports are thorough and there is no scope for subsequent accusations of a lack of impartiality or bias.

Centium provides investigation services to more than 100 organisations and has conducted more than 2,000 workplace and code of conduct investigations over the last two decades. Our Ethical Conduct & Investigations specialists are committed to assisting our clients to achieve and maintain a robust governance framework and an ethical workplace culture. We can investigate misconduct, review reports and provide practical advice to improve complaint handling systems and processes.

To learn how we can assist your organisation, please contact Peter Mulhall, Director, Ethical Conduct & Investigations on peter.mulhall@centium.com.au or 0416 161 819 or browse Centium's Ethical Conduct & Investigations services.
