Many Governance, Risk and Compliance Managers are now including Work Health and Safety (WHS) audits as a part of their overall audit strategy. But does the audit program provide adequate coverage of critical WHS issues across the organisation? Understanding WHS regulatory requirements, internal systems and WHS risks are fundamental to designing a comprehensive audit program. This is where Centium can help.
The following describes a three year program of audits that our auditors have undertaken for a major university with over 40,000 students and 3000 staff. Covering a range of faculties, activities, facilities and support units, our audits are helping our client improve WHS culture, performance and compliance at all levels.
In 2014 the university’s Audit and Risk Committee set about improving the scope of their internal audit process to better understand and manage corporate WHS risks. Key to this was the design of a holistic three-year program of annual audits, one which complemented the existing audit program carried out by the Health and Safety Team.
Working together to ensure these objectives were met in the audit program, the team developed a three-year program to answer three strategic questions:
Year 1 – Do we do what we say we will do, and is it enough? Evaluate WHS management systems to determine whether the system demonstrates appropriate corporate governance of the university’s WHS commitment, is designed effectively in order to eliminate or reduce risks and is effectively communicated, implemented and monitored/reported.
Year 2 – Do our infrastructure and systems facilitate compliance? Evaluate individual faculty/school facilities, equipment and processes (for students, academics, members of the public and contractors) against applicable compliance obligations (including student housing).
Year 3 – How well do we manage our off-campus WHS risks? Evaluate adequacy, effectiveness and regulatory compliance of students and staff performing offsite activities, including local, inter-state and international fieldwork, student placements and research facilities.
One of our experienced WHS auditors was assigned to the three-year audit program. For the client, this ensured familiarity with internal facilities, activities and processes, consistency of approach and findings, and a deeper understanding of root causes. The audit program sampled faculties/schools and business units across the university and involved Deans, managers, academic staff, support staff, students and non-university stakeholders such as placement hosts.
The client has recognised immediate compliance improvements across the university in areas such as hazardous substances, emergency management, equipment safety and electrical risks. Positive changes to safety culture and the approach to managing risks at faculty/school level are also becoming evident through audit findings as the program progresses, and it’s this that sets the university up for continual improvement in the future. Our understanding of client needs and work environments, as well as WHS systems and regulatory requirements, have been the critical drivers of this successful audit program.
Over the years, the Centium team has assisted many organisations to design, build, implement and maintain effective corporate governance structures. These help coordinate the business rules, relationships, policies, systems and processes used to manage performance, reduce risks, control operations and ensure compliance, all towards achievement of organisational goals and objectives.
We were appointed by a Government body to undertake a performance review of the governance framework for a leading Authority in the Gaming Sector, an industry that is traditionally heavily regulated and scrutinised. On this occasion, the Authority had been left largely to regulate itself, with no meaningful reviews having been conducted for several years. As a result, the review posed particular challenges for the review team in gaining the confidence of staff and obtaining access to the information and records needed for the review.
The objective of the review was to assess the adequacy and effectiveness of the Authority’s internal control framework (including the legislative framework, management, operations and governance arrangements) in managing its key strategic and operational risks.
The scope included:
Working closely with the management team, we gathered information through interviews with members of the Authority, the governing Agency and key stakeholders. Data analytics were performed to assess financial performance, and desktop reviews undertaken of various legislation, regulations, contracts, policies and procedures. A gap analysis was undertaken to assess the adequacy of the compliance framework when compared to better practice requirements in other jurisdictions. We developed a comprehensive Risk and Control Matrix to help determine the inherent risks in the various scope areas, and the expected controls to be tested. For each scope item, we performed detailed analysis and testing. Findings from the review were each given a risk rating based on the categories in the enterprise risk management framework, and a controls effectiveness rating was applied to each control tested.
The review highlighted a large number of shortcomings across all scope items indicating significant failings in the overall governance framework. Although somewhat surprised by the outcome, management accepted the report recommendations as a positive roadmap of prioritised actions required to improve business planning, implement a risk management framework, strengthen internal controls, streamline operational processes, and address non-compliance issues.
The review is a timely reminder that sometimes a business can become so focused on outcomes that it neglects to implement the governance measures required to enforce the high ethical standards of behaviour and business practices needed to protect its reputation, and to demonstrate integrity, transparency and accountability in all areas of its administration.
Usually, corporate investigations are the consequence of some sort of wrongdoing that results in the organisation having to recover from an undesirable loss or impact such as fraud, reputational damage or regulatory non-compliance. However, sometimes there can be a positive outcome.
The following account describes a recent investigation that Centium was asked to undertake, where we were able to assist management to recover from a situation caused by staff over-enthusiastically negotiating an unfavourable arrangement with a third party that could potentially have cost the organisation a considerable amount of money. Our investigation helped them reduce the impact of the loss. Here is the story.
In June 2016, Senior Management from a NSW Government Agency contacted us about concerns they had with the process adopted by Agency staff to negotiate a lease agreement with a third party for a commercial property owned by the Agency.
Staff, acting in good faith but motivated by a desire to achieve the best lease rate possible, incorporated an incentive clause in the contract outside of prescribed procedures. This entitled the third party to a large percentage bonus of the first year’s rent for any amount over and above the estimated rental value of the property.
The third party was able to lease the property for significantly more than the estimated rental value and netted a bonus payment almost 6 times more than the fee they would normally have been paid.
Centium was asked by the Agency to investigate the circumstances that led to staff negotiating this risk and reward incentive clause. Agency management felt that there were a number of irregular aspects to the process, especially that the Agency’s Executive were not advised of the outcome until they raised a query about a request for a budget amendment, some time after the lease had been concluded.
We undertook a comprehensive investigation of the matter by interviewing staff who were a party to the negotiations and reviewing the process adopted, compared with prescribed policy and procedures. We also performed some background checks on the parties to the leasing arrangement and during the course of our enquiries, we identified some information about potential conflicts of interest that the Agency might be able to leverage to reduce the bonus payable to the third party.
As a direct result of the investigation, the Agency was able to renegotiate the fee, resulting in a saving of $400K. The investigation also provided sufficient detail to enable Agency Management to take appropriate action against staff who negotiated the agreement in violation of a number of Agency policies.
Centium was engaged by a leading NSW Government Agency to undertake an internal audit of the fiduciary controls framework for a smaller business entity in the Cluster, whose corporate and administrative services were transitioned across to the Agency following a restructure. The review formed part of the due diligence process of the Agency for the transition.
The objective of the internal audit was to provide the Agency with reasonable assurance that the fiduciary controls and financial management framework operating in the entity were acceptable. The review specifically examined the adequacy and effectiveness of the following key areas:
In preparation for the review of each of the scope items, we developed a comprehensive Risk and Control Matrix to identify the inherent risks in the process and the controls to be tested. For each scope item we undertook a detailed review of the business processes through a combination of interviews with staff, review of procedures and supporting documentation, and substantive testing. Each scope item was given a risk rating based on the Agency’s risk management framework, and a controls effectiveness rating.
The overall conclusion from the audit was that the fiduciary internal control framework was largely ineffective. The report provided Agency Management with a concise summary of each audit finding, the implication of the finding if not addressed, and practical, value adding recommendations to strengthen controls and suggested improvements to improve efficiency. The report also included a short, but focused, executive summary to provide Senior Management and the Audit and Risk Committee with an overall conclusion about fiduciary risks in the entity and an assessment of the controls effectiveness. Overall, the report identified 42 issues requiring attention and made 21 recommendations to address control failings, and 26 suggested improvements to streamline business processes. Agency Management was pleased with the outcome of the audit as it formed an important part of the due diligence process for the transitioning in of the corporate and administrative services. The report helped Management to baseline fiduciary controls to help measure performance improvement and support the business decision to transition the services to the Agency.
Our client is a medium-sized, regionally-based organisation with significant community contact. The work undertaken by employees has rapidly changed over a short period of time, with many employees now required to work outside normal business hours and on weekends to meet community service delivery expectations.
We were initially engaged to confirm that employees were appropriately remunerated outside of normal business hours, including by way of allowances, on-call payments and/or shift penalties. We were also asked to provide advice regarding roles and employee numbers.
At the client’s request, the project was largely undertaken as a desktop exercise. Consultation was also undertaken with HR specialists, nominated job experts and other key personnel to understand and confirm working patterns and service delivery requirements.
We undertook a comprehensive review of the employee timesheets over a twelve-month period to ascertain the extent of work undertaken out-of-hours. We then applied data analytic techniques to analyse and graph the information by a number of categories, including weekday, role type, location, region, etc.
The results were subsequently re-modelled and costed using different remuneration structures, including shift penalties, overtime and grouped allowances. Modelling against comparable agency Award structures was also undertaken.
This engagement provided our client with collated, empirical evidence regarding the extent of out-of-hours work performed by employees. In addition to costed remuneration modelling options, the project also provided management with workload data and highlighted differences in team performance. Our data expertise, extensive human resources experience, solid understanding of the business and its operations, allowed us to exceed client expectations regarding project deliverables. We were subsequently asked to review role descriptions for this client.
Our client is a medium-sized agency that employs a diverse range of occupations, including professionals, managers, para-professionals, administrators and outdoor employees. Roles were not well defined, which had implications for individual performance and overall corporate governance.
We were engaged to prepare a full suite of role descriptions for employees across the agency. All role descriptions were required to include key accountabilities, decision boundaries and essential recruitment criteria.
We used our role consultation methodology to undertake the project and met with employees representing all of the varied roles. Importantly, we listened to as many employees as were interested to facilitate future ownership of the roles, responsibilities and accountabilities. We found the overwhelming majority of employees to be enthusiastic and positive throughout the consultation process. Draft role descriptions were then tweaked following feedback from managers and employees.
At the completion of the project, we had produced in excess of 50 role descriptions. These role descriptions are now being used by the agency to recruit appropriately skilled employees. In addition, these role descriptions are the cornerstone of ongoing performance and development conversations between managers and employees.
The NSW Digital Information Security Policy requires all agencies to build, operate and continually improve an Information Security Management System (ISMS) in line with the ISO 27001 standard.
Agencies whose risk profile warrants it, or who provide shared services, need to attain formal certification to the standard.
Developing an ISMS from scratch can be a daunting task. Where do you start? What should be included? How far should you go? What needs to be in place before you go for certification? These are common questions asked by agencies who are seeking to develop an ISMS.
For those agencies that already have an ISMS, how can they operate in harmony with other “management systems” such as the risk management system, the quality management system, the work health & safety management system and the environmental management system?
Centium has been asked to assist agencies with their ISMS in a number of ways:
In each case, we helped demystify the misunderstandings and fears associated with an ISMS. This involved staff awareness training and linkages back to day-to-day workflows within an agency, to help staff understand how an ISMS can simply be embedded within and overlaid upon existing practices and operations.
For agencies that did not have an ISMS in place, we have designed and deployed an easy-to-operate, easy-to-understand, non-burdensome management system that operates within existing business practices without the need for extra red tape and administration.
For agencies with an existing ISMS, we have developed an overarching “Integrated Management System” that pulls together the other (disjointed) “management systems” in place, such as risk management, compliance management, complaints management, business continuity management, environmental management and quality management. These were brought together as part of a singular, tactical, useable and understandable “integrated management system” with dashboard-style reporting tools for various stakeholders to reference, from Senior Executives, to Audit & Risk Committees, to middle management and front-line staff.
For agencies who were preparing for certification, we have conducted pre-certification checks and ISMS internal audits to identify gaps and areas for improvement. These have ranged from audits of “management system” elements through to detailed testing of selected “Annex A” controls per an agency’s Statement of Applicability and documented procedures.
Each of the agencies we have assisted has attained full certification, first time, every time.
The ISMSs we have built have been practical and seamless. They have remained integrated as part of existing workflows and business operations without the need for additional overhead or “red tape”. Information security has been integrated as part of IT and non-IT project lifecycles, change management processes, and procurement and contract management procedures.
As a result of our work, information security has been adopted as a business issue, not just an IT issue.
Rather than building an isolated, disjointed “new set of rules”, we have integrated an agency's existing “management systems” into a unified whole with practical dashboard-style reporting to relevant stakeholders.
A business resiliency audit of a NSW Government Agency by the NSW Audit Office found that its ability to respond to emergencies, recover IT systems and to continue business operations was lacking and the Agency’s plans were inadequate, somewhat outdated, and had not been adequately “proven”.
Centium was engaged to review and remediate the Agency’s business resilience capabilities. We were asked to consider and risk assess key threat scenarios faced by the Agency that could give rise to business disruptions and to document existing (and additionally required) preventive controls and associated procedures and to develop emergency response procedures, IT (disaster) recovery procedures and business continuity procedures.
We conducted a threat and risk assessment using the agency’s existing Enterprise Risk Management Framework (including its risk definitions) to determine likely threats and events that could give rise to business disruption scenarios. For example, we considered scenarios that could result in loss of: access to premises; key personnel; core IT systems; electronic and paper records; key suppliers; and of course, to clients and their access to Agencies systems.
We then documented existing controls and associated procedures and, for each threat scenario, we developed business continuity plans that covered the three phases following a business disruption event, namely: initial emergency response procedures; business continuance procedures (for key business services within Maximum Acceptable Outage timeframes); and procedures for resumption to a “business as usual” state. Included with this, we also developed technical IT recovery procedures to assist IT personnel to recover, restore and assure failed IT systems. To round out the resiliency framework, we helped our Client develop a detailed stakeholder communication plan, which included procedures on how to liaise with the media, in the event this was necessary.
Central to the success of any resiliency planning is staff awareness, so once the plans were developed, we created engaging eLearning videos to teach different teams of staff what is required of them in response to different incident scenarios. This included the “play out” of hypotheticals so that staff could understand first-hand what they should do.
We also conducted a semi-live exercise of the plans. This included the setup of a mass communication alerting system (SMS in this case) to alert personnel of an incident and the deployment of a 1800 emergency number for staff to call for regular updates. It involved the test-relocation of key personnel to an alternate site, the rebuild and/or failover of core IT systems, the testing of a supplier “contact tree” and the implementation of “lessons learnt” (improvements) arising from the exercise.
It was pleasing to note that the Agency “passed” its next internal and external audit follow-up review with flying colours. More importantly, they ended up with a practical, actionable, “proven” and understood business resilience framework with embedded continual improvement triggers.
Business disruption preventive controls were documented as part of a Quality Management System so that all personnel understood their role in helping to prevent a business disruption threat from materialising.
Emergency response, business continuity and IT (disaster) recovery plans were also documented so that all parties would know exactly what to do in the event of a crisis or incident.
New personnel who join the agency are now trained in the steps they need to follow in the event of a business disruption scenario via the eLearning video and role play.
We have been advised that the Agency’s IT Recovery Procedures have been initiated a couple of times with great success: systems were recovered, restored and assured within Maximum Acceptable Outage timeframes with minimal data loss. Thankfully, the agency has not yet had to instigate its Emergency Response or Business Continuity Plans; however, they continue to be tested and continually improved.
Our client has a budget of over 1 billion per year. They have a medium-sized ICT Department that uses a combination of permanent employees and outsourcing to deliver its ICT functions and services to their business operations teams.
We were engaged to perform a Project Health Check on a medium-sized project that had a medium residual risk.
We used our Project Health Check methodology to perform the review and found that the project was well run and followed good project management processes and methodologies. In addition, the project team followed all internal organisational processes, specifically financial delegations and approvals. We were able to provide the project team with assurance that the project’s financial, scope and change management processes were adequate and appropriate for this project. We did not, however, stop there, as our intuition directed us to compare project payments to the Systems Integrator with the estimates in the original business requirements. We found that some of the Systems Integrator invoices included variations for items that had previously been agreed as part of the original scope.
Our analysis concluded that our client had been invoiced $240K for variation work which was included in the standard price, and our Client was able to obtain reimbursement of these monies from the Systems Integrator. This was a direct saving for the project’s bottom line. Our detailed and proven project management skills were the key drivers of the success of this engagement.
Our client's revenue stream, which is in excess of $600 million annually, comprises dues that are collected and paid to our client by five external private sector organisations.
We were initially engaged to confirm the completeness and accuracy of a self-declared shortfall by one of the external organisations. Following the successful completion of this review, we were engaged to provide assurance on the effective operation of the collection and refund processes at the other organisations, specifically to determine whether the dues were accurately calculated and charged and/or refunded in accordance with legislation, business rules and guidelines.
Auditing transaction-based systems requires the detailed analysis of data, because data tells the “true” story. Our end-to-end process reviews not only comprised the analysis of the risks and controls associated with these processes but also included analysing the data and then investigating the collection and payment of dues by these organisations. We initially identified significant shortfalls which equated to millions of dollars over the period 2011 – 2016. These shortfalls were caused by system errors, incorrect calculation of collections and refunds of dues, incorrect payments, incorrect processes and procedures, and incorrect understanding of client-issued guidelines. Our analytical and investigative work resulted in the successful recovery of the shortfalls as well as penalty interest imposed by our client on some of these organisations.
This engagement has, in addition to the recovery of shortfalls (in the millions of dollars), resulted in long term ongoing assurance to our Client over the completeness and accuracy of their most significant revenue stream. Our desire to exceed client expectations, clarity of objectives, deep understanding of the business and industry, technical skills, utilisation of technology and excellent relationship management have been the key drivers of this success.
Our client managed an arrangement with an outsourced service provider that supplied advice and support directly to the public. This arrangement involved direct funding by our client of over $1,750,000 per annum.
We were initially engaged to undertake a financial audit of the income and expenditure reported by the service provider over a selected period of the formal agreement between the parties. As the project was underway, this was extended to include a review of the effectiveness of the financial management of the arrangement between our client and the service provider.
Our initial objective was the substantiation and verification of the external financial reporting and ancillary records relating to the funding of the service provider by our client. We subsequently conducted a detailed analysis of the underlying objectives of the relationship between the parties and whether the financial management principles and methodologies established in the formal agreement were the most appropriate to support this arrangement. The audit itself identified numerous instances of incorrect financial reporting by the service provider with a net cumulative result of over $1 million being erroneously reported over a four year period. This finding validated our supplementary conclusions that the financial management rights and obligations contained in the formal agreement between the parties were ineffective and required more clarity. We also determined that the financial requirements of the agreement represented an ineffective hybrid between a service provision relationship and a grant funding arrangement that was inappropriate under the existing circumstances and had contributed to the incorrect financial reporting not being detected in a more timely manner.
Following the renegotiation of the formal agreement between our client and the service provider, this project resulted in a more robust system of financial management being established between the parties that is more appropriate to the particular objectives and arrangements in place. This result was a direct outcome of our extensive experience in the financial management field and our broader focus on underlying issues and potential solutions when undertaking client engagements.