Guest Post by James Kline (first posted on CERM ® RISK INSIGHTS – reposted here with permission)
In September 2019, the Local Government Department of the Australian State of New South Wales (NSW) issued “A New Risk Management And Internal Audit Framework” (1). The Minister of Local Government, in a foreword to the framework, states: “Formal risk management and internal audit is a vital part of the NSW Government’s plan to ensure that councils achieve their strategic objectives in the most efficient effective and economical manner. A strong and effective risk management and internal audit framework will result in better services for the community, reduced opportunities for fraud and corruption, increased accountability of councils to their communities and a culture of continuous improvement in councils.” The framework, therefore, is seen as a way of helping local governments realize their strategic objectives.
The framework is an extension of the practices carried out by NSW and the Commonwealth of Australia. Both have implemented Enterprise Risk Management (ERM). Both have Audit Committees. Both use auditors to evaluate the ERM process. In addition, the framework has elements of the ERM guidelines used by the Commonwealth. The elements include: risks are identified correctly; risks are managed consistent with the organization’s risk appetite; and risk information is consistently communicated in a timely manner. The elements allow management to monitor ERM performance and auditors to evaluate the implementation process. (2) This article looks at the major elements: the mandate, the core requirements and the assurance.
The statement makes it clear that NSW sees ERM and audits as important activities which help local governments meet their strategic objectives. Further, the framework notes that both ERM and auditing are supposed to meet international standards. In the case of ERM, the standard is ISO 31000:2018. The audit standard is the Professional Practices Framework established by the Institute of Internal Auditors.
To facilitate implementation, a timeline is laid out. Local governments are required by 2021 to establish an Audit, Risk and Improvement Committee. By 2022 they are to “proactively manage any risks they face.” The risk management framework is to be fully implemented by 2024. Finally, by 2026, the Audit, Risk and Improvement Committee’s role is to include compliance, fraud control, financial management, governance, integrated planning and reporting, service reviews, performance measurement data and performance improvement.
As can be seen, the framework has three aspects. One is to implement ERM. The second is to establish an audit committee, which is to oversee compliance and service reviews. The last is to have auditors evaluate compliance with the ERM mandate. These elements and the timeline are linked with nine core requirements.
The core requirements are:
- Appoint an independent Audit, Risk and Improvement Committee.
- Establish a risk management framework consistent with current Australian risk management standards.
- Establish an internal audit function mandated by an Internal Audit Charter.
- Appoint internal audit personnel and establish reporting lines.
- Develop an agreed internal audit work program.
- How to perform and report internal audits.
- Undertake ongoing monitoring and reporting.
- Establish a quality assurance and improvement program.
- Councils can establish shared internal audit arrangements.
The requirements are designed to guide local government in the implementation process. They also help with the annual assurance review.
The assurance review includes the following.
- A summary of the work the Committee performed to discharge its responsibilities during the preceding year.
- Advice on the appropriateness of the Committee’s terms of reference.
- An overall assessment of the following aspects of the council’s operations in accordance with the Local Government Act:
  - Risk management
  - Fraud control
  - Implementation of the strategic plan, delivery program and strategies
  - Service reviews
  - Collection of performance measurement data by the council
With respect to risk management, the review is to examine whether:
- ERM is effective and regularly reviewed.
- Risks are correctly identified.
- Risks are being managed to a level consistent with the organization’s risk appetite, goals and objectives.
- Risk information is being captured and communicated in a timely manner on an organization-wide basis.
Once the review is completed, the Audit, Risk and Improvement Committee is to advise the general manager and senior managers of the audit findings. Further, the Chief Audit Executive is to develop an action plan for the correction of any issue identified in the annual review. This plan is to be presented to the governing body and the general manager.
The framework integrates ERM with performance audits, which are to be overseen by the Audit, Risk and Improvement Committee. Once the audits are completed, the committee is to develop a plan to correct any deficiencies.
The NSW framework is designed to extend practices which are being used by both the Commonwealth and NSW. It mandates the establishment of an Audit Committee, the implementation of ERM using ISO 31000:2018 and the conducting of audits consistent with the Professional Practices Framework established by the Institute of Internal Auditors. In addition, the Audit Committee is charged with overseeing not only an annual financial audit, but a review of the ERM implementation process. Once the review is completed, the Audit Committee is to advise the general manager and senior managers of the findings. Finally, the Chief Audit Executive is to develop a plan to correct any of the identified issues. The plan is to be presented to the governing body and the general manager.
In developing the framework and establishing a timeline, the state of NSW has clearly indicated that these three elements are considered important to assisting the local governments in meeting their strategic objectives. It also represents a major shift in the way governments are utilizing the tools available to them. ERM and performance audits are now being combined in order to improve organizational performance.
1. New South Wales Government, 2019, A New Risk Management And Internal Audit Framework for local councils in NSW, September, www.olg.nsw.gov.au/cotnet/new-risk-management-and-internal-audit-framework-local-councils-nsw
2. Kline, James J., 2019, Enterprise Risk Management in Government: Implementing ISO 31000:2018, CERMACADEMY, Portland OR, available on Amazon. The Australian Commonwealth’s and NSW ERM performance audits are discussed in detail in Chapter 14.
James J. Kline is a Senior Member of ASQ, a Six Sigma Green Belt, a Manager of Quality/Organizational Excellence and a Certified Enterprise Risk Manager. He has over ten years’ supervisory and managerial experience in both the public and private sector. He has consulted on economic, quality and workforce development issues for state and local governments. He has authored numerous articles on quality in government and risk analysis. He can be reached at email@example.com