It would be difficult to find a person who would not agree that 2020 was a difficult year. It was a year of challenge, uncertainty and risks, many of which could not be foreseen.
As we settle into 2021 – a year that must be better than 2020 – it is important to consider emerging risks and test the design of controls. This is especially important as organisations resume new and "normal" business-as-usual patterns.
At Centium, we have spent some time reviewing Audit Office reports, scanning the media, researching industry issues, and brainstorming ways in which various sectors can minimise their risks. Here we're sharing our research and recent experiences by suggesting which topics and areas will be of most relevance this year when it comes to risk management and internal audit.
We're hoping that this will provide "food for thought" for audit and risk professionals as they prepare and/or recast annual work plans across Government and the private sector.
By now, our State Government colleagues would have read the new Internal Audit and Risk Management Policy for the General Government Sector (TPP 20-08). This policy refreshes previous policy guidance and strongly aligns with better practice standards and frameworks.
It's both reassuring and exciting to see that the new policy promotes the need for a positive and comprehensive risk culture, clear accountabilities for managers and decision-makers, and consideration of contemporary risks associated with cyber security and climate change.
Based on our research, our suggestions for internal audit hot topics in 2021 are as follows:
- Ethical Culture – The ethical culture is the character of an organisation: the accepted values, beliefs, behaviours, goals, attitudes and work practices that underpin organisational decision-making. It is how the people in an organisation approach their work and interact with others to deliver the business of the organisation. An ethical culture has a profound impact on the way organisations do business and is key to minimising reputational risk, with the media quick to jump on those organisations not behaving ethically. An ethical culture audit can provide reasonable assurance that an organisation's ethical culture is reasonable and suitable, given its unique context.
- Business Continuity / Resilience – Despite the State's COVID-19 response, and in particular the achievements of most agencies in enacting a sound Business Continuity Plan, this activity remains highly relevant. A recent Audit Office of NSW report found that 23% of agencies had not conducted a Business Impact Analysis (BIA) to identify critical business functions and determine business continuity priorities. Prior to their COVID-19 response, 40% had not conducted a business continuity scenario testing exercise; and of the 60% that did, very few briefed their executive management or audit committee on the results. A business continuity/disaster recovery audit against recognised standards can ensure that your organisation can effectively plan, act and recover from an unexpected event.
- Contractors & Third Parties – Contracts often form a large part of agency expenditure. To ensure value for money, it is important that post-award processes are well-controlled, and that contract costs and supplier performance are actively monitored. Agencies are also obliged to publicly report certain contracts and ensure that sufficient planning is undertaken when contracts need to be re-tendered. Poorly designed controls can result in financial and reputational risk (and, in worst-case scenarios, allegations of fraud, corruption and/or maladministration). A contract management audit can assess the effectiveness of your policies and procedures via sampled testing of key business contracts.
- Future Workforce – Agencies have learned a great deal about flexible working practices during 2020. While this year will hopefully see employees return to the workplace in some capacity, it may be timely to audit flexible working arrangements, performance management and development, attendance and leave management and/or office space utilisation. Related audits could also test the robustness of controls over business processes impacted by reduced staff "visibility" and COVID-19 workarounds.
- Delegations Management – In 2020, the Audit Office of NSW found that issues relating to internal controls and delegations have remained outstanding across multiple agencies over the past four years. Examples included out-of-date and/or missing policies, poor recordkeeping and document retention, and incomplete or inaccurate information registers. Delegations were specifically raised for agencies impacted by machinery of government changes. Organisations should regularly review (and audit) their delegations for adequacy and implementation effectiveness, particularly regarding key business decisions.
2021 promises to be a big year with the postponed Local Council elections due to be held in September. With this election comes a new cycle of Integrated Planning and Reporting, including community strategic planning, delivery plans, operational and resourcing plans.
Councils are probably aware that the NSW Office of Local Government plans to release the Risk Management and Internal Audit Framework in 2021. This principles-based framework will include changes to existing legislation, regulation and internal audit guidelines.
In this context, Councils should review their existing risk management and internal audit activities to consider new directions, priorities, and emerging risks. Based on our research, Centium's suggestions for Local Government internal audits include:
- Procurement & Tendering – The internal controls over procurement and tendering are essential in minimising financial and reputational risks, particularly given the increasing value of contracts managed by Councils. Following a review of LG procurement and tendering, the Audit Office of NSW has made several recommendations to improve transparency, internal controls and compliance. A procurement and tendering audit can compare a Council's policies and procedures with good practice and/or ensure that these policies and procedures are understood and followed by staff at all levels of Council.
- Cyber Security – Strong IT controls are critical in protecting a Council's systems, networks and programs. Cyber-attacks aim to disrupt or interrupt normal business processes; gain access to information with the aim of stealing, changing or destroying content; and/or extort money from individuals or organisations. A cyber security audit against a recognised Standard will determine whether Council has strong and effective controls in place to protect sensitive information and minimise business disruption.
- Operational Audits – Councils provide a broad range of front-line services to their respective communities. Operational audits provide an excellent opportunity to test the effectiveness of internal controls, efficiency of processes, and compliance with relevant legislation. In our experience, operational audits provide valuable insights regarding customer service and community engagement; the interaction between different business units; and the keeping of complete and accurate records. Topical audits include tree management; swimming pool compliance; city planning and certifications; and child care centres.
- Grants Administration & Management – One of the positive effects of COVID-19 is the availability of grants funding to support businesses, programs and communities. Since Councils are both givers and receivers of funding, an audit of grants administration and management is well worth considering to minimise financial, operational/project and fraud-related risks, and to confirm whether intended benefits have been realised.
- Commercial Entities – Councils manage a range of commercial entities depending on local need. These entities' ongoing financial viability presents an ongoing risk for Council, as does the need to comply with a myriad of legislation, regulation and policy. In some cases, there is also a risk of conflict of interest, whereby Council is responsible for enforcing its own legislative and regulatory compliance (e.g. property development). An audit of Council's commercial entities can provide reasonable assurance that these conflicts of interest are appropriately managed and that services are being delivered as intended.
Small – Medium Enterprises
2020 was a difficult year for small to medium businesses, many of which relied upon JobKeeper and other Government assistance to survive. For many, the recovery phase will be equally challenging as they find new "normal" ways of operating and meet ever-changing operating requirements.
Our high-level suggestions for small-medium businesses, noting the difficulties in predicting across the immense range of industry groups, are as follows:
- Wages and Entitlements – We've lost count of the number of companies named in the media for incorrect and/or underpayment of staff wages and entitlements. Errors often dated back many years and cost organisations millions of dollars in back payments and, in some cases, fines and legal fees. Periodic audits of wages and entitlements could provide independent, reasonable assurance that your organisation is paying staff (who are after all your most important resource) correctly.
- Work Health & Safety – The importance of minimising workplace injury and illness cannot be overstated. Employers and businesses have a primary duty of care to their workers and visitors to their workplace, including contractors and volunteers. There are numerous strategies and processes that employers and businesses need to have in place to comply with workplace health and safety legislation. An audit or health check against recognised standards can identify any gaps in compliance, minimise risks and suggest improvements.
- Cyber Security – Loss of information and/or disruption can make or break a business and be felt across its broader supply chain. A cyber security health check can provide reassurance and assist organisations to get on with the business of doing business. The support of a cyber security expert can also assist businesses by providing the latest information about existing and emerging threats.
- Fraud & Financial Risks – The prospect of losing money is bad for most businesses. Good financial management means that businesses can readily identify underperforming areas and take appropriate action. This relies on good processes, systems, and records, as well as the expertise to interpret ever-changing accounting and taxation requirements. An audit of your key financial controls can assess compliance, suggest improvements, and prevent or detect incidences of finance-related fraud.
- Payment Card Industry Compliance – The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards aimed at safeguarding credit and debit card transactions against data theft and fraud. Many businesses are still unclear about their responsibilities and requirements under PCI DSS, leaving them at an increased risk of being found non-compliant and facing hefty fines. The best way to resolve this uncertainty and avoid PCI fines and penalties is to involve qualified PCI DSS professionals to help your organisation understand its PCI DSS obligations correctly and assist with cost-effective and optimal compliance.
Centium's Approach to Internal Audit
An effective assurance framework enables well-run organisations to identify and manage risks, make informed decisions, improve their internal systems and processes, and ultimately enhance their business.
One of Centium's key differentiators is our approach to risk and assurance projects, including routine and complex reviews. We use proven methodologies and always consider our client's context, geographic and regional issues, operating model, objectives, and challenges.
Centium offers an independent and practical perspective. Importantly, we create strong partnerships with our clients to build capacity, improve organisational resilience and facilitate ownership of outcomes.