We all started last year with high hopes, not realising that it would end up being a virtual repeat of 2020. It's taught us to be a little warier. And so, going into 2022, many organisations are feeling more cautious than optimistic.
While hope can push us forward, there is nothing wrong with combining this hope with measured caution. In fact, being prepared for everything - aware of emerging risks and the systems and processes to mitigate them - is one of the best ways to ensure long term success.
At Centium, we've been preparing for 2022. Our team has been reviewing Audit Office reports, scanning the media, researching industry issues, and brainstorming ways in which various sectors can minimise their risks. We have augmented this research by reviewing the audit programs and special audits undertaken within our extensive client base.
As a result of these activities, we are now sharing our research and recent experiences by suggesting which topics and areas will be of most relevance this year when it comes to risk management and internal audit. We’re hoping that this will provide “food for thought” for audit and risk professionals as they prepare and/or recast annual work plans across all levels of Government.
Centium is thrilled to announce that we have recently been appointed to the Australian Government’s Management Advisory Services (MAS) Panel for internal audit services.
Given the election cycle, it is anticipated to be a busy time for Australian Government agencies. This activity also presents an opportunity for internal audit to review controls associated with high risks, as well as the effectiveness of governance frameworks to ensure agencies remain accountable, impartial and committed to service during any resultant Machinery of Government changes.
Topical suggestions for internal audit include:
Grants programs (and equivalent research and tax incentives) should be robust and demonstrate value for money, particularly given that it is public money. Core to each grants program should be the key principles of transparency, accountability, and probity. Sounds eminently reasonable, yet grants administration has emerged as a substantial reputational risk for Government at all levels. Together with probity advisors, internal audit has an important role to play in providing assurance over grants programs and ensuring the continuous improvement of grants administration.
With changing working conditions, staff shortages and the impending threat of a ‘great resignation’, agencies remain vulnerable if they have not acted to identify (and regularly review) future staffing and training needs. Several Australian Government agencies have been the subject of workforce planning performance audits, including the Australian Security Intelligence Organisation (ASIO) in 2020-2021. An internal audit would similarly include strategic workforce planning, including:
This audit is particularly relevant given the upcoming Federal Government election and anticipated post-election reshuffles.
Sustainable or resilient agencies understand the value of Economic, Social and Governance factors to their stakeholders. The Institute of Internal Auditors (Australia) believes that
“Globally the world is sitting up and taking notice of ESG, not only from the benefits it provides to organisations, investors and stakeholders, but also to the positive impacts experienced by the community, both locally and globally”.The Institute of Internal Auditors (Australia)
These benefits are similarly applicable to Australian Government agencies and should be subject to transparent reporting about achievements and areas for improvement. Internal audit can provide assurance regarding the efficiency, effectiveness, economy and ethics of agency business activities. Where appropriate, audits would also consider ESG factors for third party suppliers – service delivery through other entities was recently the subject of an Australian National Audit Office Report. See also our suggestions for a separate audit below.
Recent private sector Executive removals, together with high profile media coverage would appear to (finally!) indicate a decreased tolerance regarding poor and unacceptable workplace behaviour. All organisations need to ensure that the ‘tone at the top’ is such that a culture of respectful and appropriate behaviour towards employees is fostered and rewarded. It is also critical that employee complaints are taken seriously and quickly acted upon. Internal audits can assess how culture is managed and monitored. It can also provide an independent assessment as to whether an agency has effective practice systems, processes and controls in place to prevent bullying and harassment.
As the dust settles on another round of Machinery of Government changes, State Government agencies are expected to face pressures managing return-to-work arrangements and increasing scrutiny, all of which will assume increased focus as the March 2023 elections approach.
Based on our research, our suggestions for internal audit hot topics in 2022 are as follows:
Contracts often form a large part of agency expenditure – yet the inadequate management of third-party suppliers was over-represented in recent Audit Office reports. Service delivery through other entities was also recently the subject of an Australian National Audit Office Report. A comprehensive audit of third-party supplier offers the opportunity to assess inter-related business activities, from Service Level Agreements (SLAs) and governance, standard contract terms (e.g. ICT controls and business continuity) to contract variations (and possibly procurement processes) and records management and mandatory reporting. The alternative is ongoing inadequate or inconsistent third-party monitoring, which could result in poor performance, increased costs, and reputational damage.
Basic payroll and entitlement issues were similarly identified in the Audit Office reports for most clusters. As payroll expenses account for a substantial proportion of the budget (and people are an organisation’s most important asset), it is important to establish and maintain good controls over payroll and entitlements. An audit can walkthrough and test controls over employee Masterfile data, payroll variations, time and attendance procedures, roster management, mandatory superannuation and taxation obligations, etc. Payroll access should also be regularly audited, as should the segregation of duties between key payroll activities.
The ethical culture is the character of an organisation; the accepted values, beliefs, behaviours, goals, attitudes, and work practices that underpin organisational decision-making. It is how the people in an organisation approach their work and interact with others to deliver the business of the organisation. An ethical culture has a profound impact on the way organisations do business and is key to minimising reputational risk, with the media quick to jump on those organisations not behaving ethically.
Strong IT controls are critical in protecting an agency’s systems, networks, and programs. Cyber-attacks aim to disrupt/interrupt normal business processes, gain access to information with the aim of stealing, changing, or destroying content and/or extorting money from individuals or organisations. NSW Government agencies are required to assess maturity and report results against the Cyber Security Policy (CSP) and Essential 8 – noting that there are equivalent security policies and standards applicable in other jurisdictions. It is important that an independent, specialist assessment is periodically undertaken to ensure that organisational maturity is not overstated.
In 2021, the Audit Office of NSW once again found shortcomings relating to basic governance controls. Examples included out-of-date and/or missing policies, poor recordkeeping and document retention, incomplete or inaccurate information registers, and superseded bank signatories. Organisations should regularly review (and audit) their policies, procedures and delegations for adequacy and implementation effectiveness, particularly regarding key business decisions. Such controls underpin effective and efficient organisations and are key to preventing fraud and corruption.
It’s been a busy time for Local Government in NSW with recent elections and the induction of new and returned Councillors. There are several key policy changes, either finalised or in draft, all of which have impacts for Council Integrated Planning & Reporting Processes and overall risk management.
In this context, Councils should continue to ensure that their risk management and internal audit activities address new directions, priorities, and emerging risks. Centium’s suggestions for Local Government internal audits include:
Given the value and number of Council’s assets (and the complexity of asset categories), it is important that there are sound and robust controls in place around asset management. While external auditors focus on asset valuation, internal audits provide an excellent opportunity to test both a Council’s Asset Management Framework and its practices across nominated asset categories. These categories could include roads, plant and fleet, property, leisure and community facilities, natural environment, waterways, trees, etc. Asset management audits can also be expanded to include procurement and disposal processes, both of which present a high inherent risk for Councils.
All councils in NSW use the Integrated Planning & Reporting (IP&R) framework to guide their planning and reporting activities. As part of this process, Councils are required to report on their progress towards achieving the vision outlined in their Community Strategic Plan. It is important that Council deliverables can be validated to ensure transparent reporting to the community on what has been achieved. Internal Audit can independently review performance against deliverables, trends and patterns, and the appropriateness of extant measures and targets.
Financial management/investment represents a significant and substantial activity for a Council. An audit of financial management/investment can provide assurance over the effectiveness and appropriateness of the Council’s governance operations. Such an audit can also be expanded to consider the management of a Council’s restricted reserves (e.g. funds limited by legislative, administrative or internal requirements).
Cyber security is an increasing risk for all businesses, including Councils that act as custodians of confidential information and cannot afford to lose time and money due to cyber-attacks. Cyber Security NSW has developed a draft Cyber Security Guideline for Local Government, which has in turn been released by OLG. This guideline is intended to be used by Councils to help increase their cyber maturity. While currently not mandatory to assess and report, there is an opportunity to benchmark maturity and remediate gaps. Centium’s Cyber Security professionals have worked with several proactive Council’s to conduct Health Checks and develop prioritised improvement plans.
The importance of minimising workplace injury and illness cannot be overstated. Employers and businesses have a primary duty of care to their workers and visitors to their workplace, including contractors and volunteers. There are numerous strategies and processes that employers and businesses need to have in place to comply with workplace health and safety legislation. An audit or health check against recognised standards can identify any gaps in compliance, minimise risks and suggest improvements.
We’ve all had enough surprises over the past two years. The right approach to risk management and internal audit can ensure you don’t experience more shocks than you need to in 2022 – plus enable you and your team to be fully prepared and ready to go.
To ensure audits are carried out thoroughly and in accordance with any relevant policies or standards, the importance of an experienced and independent perspective cannot be overlooked. Centium offers independent and practical internal audit services and can provide additional support to improve or adjust any processes or frameworks that aren’t consistent with better practice.
Importantly, our qualified team is committed to creating strong partnerships and building client capacity, improving organisational resilience and facilitating the ownership of outcomes. One of Centium's key differentiators is our approach to risk and assurance projects, including routine and complex reviews. We use proven methodologies and tailor our audit practices to each client, always considering context, geographic and regional issues, operating model, objectives, and challenges.