
Internal Control Framework
October 2019

Contents
1 Introduction 1
2 What is an internal control framework 1
3 Why have an effective internal control framework? 1
4 Three lines of defence 2
5 Responsibilities 3
6 Components of internal control 3
7 Limitations of internal control 7
8 Annual CFO certification and management control questionnaire 8
9 Contact Point 8
10 Review 8
Our insights inform and challenge government to improve outcomes for citizens

1 Introduction
In 2013 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released
its revised Internal Control – Integrated Framework. It is recognised as a leading framework for
designing, implementing, and conducting internal control and assessing the effectiveness of internal
control.

The Audit Office’s Internal Control Framework is based on the internal control guidelines
recommended by the COSO as adopted by the auditing profession as their definition of internal
control.

2 What is an internal control framework

COSO defines internal control as ‘a process, effected by an entity’s board of directors, management,
and other personnel, designed to provide reasonable assurance regarding the achievement of
objectives relating to operations, reporting, and compliance.’

This definition reflects certain fundamental concepts. Internal control is:

• geared to the achievement of objectives
• a process consisting of ongoing tasks and activities - a means to an end, not an end in itself
• effected by people - not merely about policy and procedures, systems, and forms, but about
people and the actions they take at every level of the Audit Office to affect internal control
• able to provide reasonable assurance - but not absolute assurance, to an entity’s senior
management and the Office Executive
• adaptable to the entity structure - flexible in application for the entire Audit Office, branch, unit or
business process.

An effective internal control system provides reasonable, but not absolute, assurance that assets are
safeguarded, financial and other information is reliable, laws, directions and Audit Office policies are
being complied with and that errors and fraud are prevented.

3 Why have an effective internal control framework?

Internal controls are used to help the Audit Office achieve its goals and objectives. By identifying risks
that will prevent these goals and objectives being achieved, we can identify what effective controls we
need to have in place.

Effective internal controls help to mitigate:

• Reputational risk – so that the Audit Office continues to be recognised for its independence
and integrity and the value it delivers through high quality independent assurance services. The
Audit Office’s reputation may be severely damaged if it issues an incorrect opinion, conclusion
or misleading report.
• Strategic and Operational risks – so that the Audit Office’s objectives and goals are achieved,
resources are acquired economically and employed efficiently, and quality business processes
and continuous improvement are emphasised.
• Fraud risk – so that the Audit Office’s resources (including its people, systems and information)
are adequately protected.
• Compliance risk – so that the actions of all staff comply with Audit Office policies, plans and
procedures and all relevant laws, standards, central agency directions and applicable
Auditor-General’s report recommendations.
• The risk of error in the Audit Office’s financial statements – so that internally and externally
published information is accurate, reliable and timely.

D1904341 Internal Control Framework – October 2019 1

4 Three lines of defence

The Three Lines of Defence model provides a simple and effective way to communicate the roles and
responsibilities surrounding risk and controls within the Audit Office to achieve our objectives.

[Figure: Three Lines of Defence model. The Auditor-General (Office Executive) is advised by the
Audit and Risk Committee; each line of defence provides assurance upwards.]

3rd line of defence - provides independent assurance: provides independent assurance by evaluating
and giving an opinion on the adequacy and effectiveness of risk management and controls.
Examples: Internal audit, ACAG peer reviews, PAC (quadrennial review), External Audit.

2nd line of defence - oversees: reviews and challenges (including testing) the effectiveness of
controls by having oversight of business processes and risks.
Examples: DAG, FAE, PAE, QARC, TIC, CFO, CIO, CRO, CAE, WHS Committee, Remuneration
Committee, Project Steering Committees.

1st line of defence - owns and manages: risk owners and management who implement and maintain
operational controls and demonstrate controls are effective.
Examples: Management Controls, Internal Control Measures (policies, procedures, systems,
frameworks, structures and people).

The three lines of defence are:

1. First line of defence: owns and manages

Comprises senior management and risk owners who implement and maintain operational controls
in each branch or unit or specific areas of responsibility. This involves Directors and Executive
Managers but may also include risk owners within specific functions such as WHS or Information
Security.

2. Second line of defence: oversees

Comprises specialist functions that are independent of the first line of defence and challenge and
provide oversight over business processes and risks. This will include the Chief Risk Officer, Chief
Finance Officer, QARC and Project Steering Committees.

3. Third line of defence: provides independent assurance

Comprises independent assurance that the first and second lines of defence are operating effectively,
and improvements are identified and recommended. This includes the internal audit function and peer
reviews which provide independent assurance on the appropriateness and effectiveness of the risk
management and control framework.

The Auditor-General through the Office Executive and Chief Risk Officer provides the governance
structure, sets the risk appetite and establishes the risk management culture.

The Audit and Risk Committee role is to provide independent assistance to the Auditor-General by
monitoring, reviewing and providing advice about the Audit Office’s governance processes, risk
management and control frameworks. It does this by oversight and review of the results from the three
lines of defence, and more specifically through direct reports from Internal and External Audit.


5 Responsibilities
The Auditor-General has ultimate responsibility for ensuring an effective system of internal control
over the financial and related operations of the Audit Office, in line with the requirements of the Public
Finance and Audit Act 1983.

The Deputy Auditor-General, as Chief Executive Officer, has responsibility for the Audit Office’s
Internal Control Framework.

The Office Executive is accountable for oversight of internal control by establishing policies and
expectations of conduct, setting the tone at the top and managing risk in the Audit Office. The Office
Executive is responsible for ensuring necessary controls and treatment plans are in place to effectively
manage risk. Members of the Office Executive also attend Audit and Risk Committee meetings as
requested to discuss the current management of specific risks and internal controls.

The Chief Finance Officer (CFO) is responsible for conducting the annual management internal
control questionnaire as part of the annual CFO certification as to the effectiveness of the system of
internal control over financial information.

The Executive Manager, Governance, on behalf of the Chief Risk Officer, prepares status reports
for the Office Executive and Audit and Risk Committee as required regarding the Audit Office’s
Internal Control Framework.

All Audit Office Managers (Directors, Executive Managers and Executive Directors) are responsible
for contributing and achieving the Audit Office Strategic Plan; and establishing, documenting,
assessing and maintaining internal controls that mitigate risk within their team and ensuring staff in
their team, have complied with applicable Audit Office policies. Audit Office Managers are the first line
of defence.

Audit Office managers may have either a primary or secondary responsibility in ensuring compliance
with Audit Office policies. Primary responsibilities exist where a policy relates directly to a person’s
role or area of expertise. While secondary responsibility exists where Audit Office Managers have
responsibility for specific aspects of policy implementation by ensuring team members adhere to or
conduct activities in accordance with relevant policies.

For example, the Audit Office Leave Policy is owned and managed by the Executive Manager HR,
who is responsible for Audit Office wide implementation and awareness of the policy, and providing
advice and training where needed. While a Director, Executive Manager or Executive Director is
responsible for reviewing and approving leave entitlements in accordance with the leave policy.

All Audit Office staff including temporary staff and contractors must comply with internal controls and
applicable Audit Office policies within the scope of their roles. They are also responsible for reporting
to management instances where they consider internal control procedures are not adequate or are not
being complied with.

The Audit and Risk Committee is responsible for providing independent assistance to the
Auditor-General by monitoring, reviewing and providing advice about the Audit Office’s governance
processes, risk management and control frameworks.

6 Components of internal control

The Audit Office has five primary components of internal control based on the COSO guidelines (see
section 1 above for an explanation of COSO):

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring.


6.1 Control Environment

A control environment, where competent people understand their responsibilities and authority and are
committed to acting appropriately, will provide a foundation for internal controls to exist and operate
effectively. The Office Executive establishes the tone at the top regarding the importance of internal
control including expected standards of conduct. Management reinforces expectations at the various
levels of the organisation. To ensure all Audit Office staff are aware of their responsibilities, training
and updates are provided on a timely basis and applicable Audit Office policies and procedures are
published on the Audit Office intranet. An effective internal control environment for the Audit Office
includes:

• the Office Executive provides governance oversight by having an appropriate management
philosophy and operating style, providing the right tone at the top regarding the importance of
internal controls and ensuring the development and performance of internal controls
• maintaining integrity and ethical values (refer to the Code of Conduct and related policies such
as the Conflict of Interest Policy and other Employee Conduct and Obligations policies)
• processes to attract, develop and retain competent people through appropriate selection
processes, regular performance reviews, learning development programs and adequate training
• establishing structures, reporting lines and appropriate authorities and responsibilities to meet
objectives (including the Delegations Manual)
• complying with relevant laws, central agency directions (see Compliance Policy and Register),
applicable Auditor-General report recommendations, and Audit Office policies, instructions and
guidance as found on the intranet
• strategic and business planning processes to hold individuals accountable for their internal
control responsibilities in order to meet the Audit Office’s objectives by having rigour around
performance measures and incentives (refer to Audit Office Strategic Planning documents).

6.2 Risk Assessment

The Audit Office applies an enterprise-wide risk management framework where risk management is
embedded within the Audit Office’s overall strategic and operational policies and practices. A key
component of the risk management framework is the strategic and operational risk reports, which
capture the results of risk assessments made at both these levels. It does this by:

• establishing the context
• identifying risks
• analysing risks
• evaluating controls
• determining mitigating actions, if any, to be taken to address gaps in Audit Office processes.

The responsibility and accountability for each risk is allocated to a risk owner who must have oversight
and ensure mitigating controls are appropriately designed, operating effectively and corrective action
is taken where gaps are identified.

The Audit Office’s specific risk policies and reports can be found on the Audit Office’s intranet and
include:

• Risk Management Framework
• Strategic and operational risk reports and registers
• Risk Appetite Statement
• Fraud Control Risk Assessment
• Compliance Register.


6.3 Control Activities

Control activities are incorporated in the Audit Office’s policies, procedures and practices. Controls
can be classified as those before the event as preventive, or after the event as detective or corrective.
Examples of each of these are:

Preventive
• approvals
• authorisations
• verifications
• segregation of duties

Detective
• reconciliations
• reviews
• data analysis (e.g. budget vs. actual)
• benchmarks
• computer assisted audit techniques

Corrective
• systems restoration
• control changes or additions
• data validity tests
• insurance
• variance reports
• training and staff awareness

Control activities are also incorporated specifically in audit assurance policies, procedures and
guidelines and include:

• using risk-based methodologies that comply with Australian Auditing Standards and other
professional and legislative requirements
• having ethical and independence policies and procedures
• requiring staff to meet professional qualification requirements
• a specialist audit support function
• structured staff training
• merit based progression through a performance management system
• peer, hot and cold reviews (see 6.5.6 below).

6.4 Information and Communication

The Audit Office’s intranet and website, Office Forum, professional development programs, strategic
and business processes, information systems and the Leadership Team, identify, capture and
communicate information that enables people to meet the requirements of their job.


6.5 Monitoring
The Audit Office has a number of oversight bodies and quality assurance processes including:

• The Office Executive
• The Audit and Risk Committee
• Internal audit
• External audit
• PAC Quadrennial Review Quality reviews
• ACAG Peer reviews
• Quality Assurance Framework and Quality Audit Review Committee (QARC)
• Other Audit Office Committees (such as WHS Committee and Remuneration Committee).

6.5.1 The Office Executive

The Office Executive is accountable to the Auditor-General and provides the leadership necessary for
the Audit Office to:

• set and monitor progress against the Office’s vision, values, purpose, strategic goals and
operating principles
• set direction on key changes to standards, legislation and machinery of government change
that have a whole-of-office consequence
• ensure the Office is compliant with relevant law, directions, codes and practices
• manage key risks through rigorous inquiry and oversight of the risk management processes and
internal control systems
• regularly measure financial performance against the Audit Office’s approved annual budget.

For more information on the role of the Office Executive refer to the Office Executive Charter.

6.5.2 The Audit and Risk Committee

The Audit and Risk Committee is an independent committee of the Audit Office and reports directly to
the Auditor-General. The objective of the Audit and Risk Committee is to provide independent
assistance to the Auditor-General by monitoring, reviewing and providing advice about the Audit
Office’s:

• governance processes
• risk management and control frameworks
• external accountability obligations including financial reporting
• compliance with applicable laws and regulations
• internal and external audit.

For more information on the role of the Audit and Risk Committee refer to the Audit and Risk
Committee Charter.

6.5.3 Internal Audit

Internal audit provides independent and objective assurance to management on the adequacy of
internal control, risk management, financial reporting systems and governance processes through:

• reviewing and reporting on the adequacy and effectiveness of the Audit Office’s system of
internal control to manage risk
• recommending improvements to any identified control weaknesses to improve business
performance.

For more information on the role of the Internal Audit function refer to the Internal Audit Charter.


6.5.4 External Audit

External audit provides an independent audit of the Audit Office’s financial statements in accordance
with Australian Accounting and Auditing Standards and includes:

• obtaining audit evidence about the amounts and disclosures in the Audit Office’s financial
statements
• assessing the risk of material misstatement of the Audit Office’s financial statements
• considering the internal controls relevant to the preparation and fair presentation of the Audit
Office’s financial statements
• evaluating the appropriateness of the accounting policies used to prepare the Audit Office’s
financial statements
• evaluating the reasonableness of accounting estimates made in the preparation of the Audit
Office’s financial statements
• issuing an opinion on the Audit Office’s financial statements in accordance with relevant
accounting standards and other requirements.

6.5.5 PAC Quadrennial Review

A quadrennial review of the Audit Office is conducted by a person appointed by the Public Accounts
Committee under section 48A of the Public Finance and Audit Act 1983. The review is to examine the
auditing practices and standards of the Auditor-General and to determine whether the Auditor-General
is complying with those practices and standards in the carrying out of the Auditor-General’s functions
under this Act.

6.5.6 ACAG Peer reviews

The Audit Office participates in a peer review program with other Australian audit offices, which regularly
review our performance and financial auditing processes under the quality assurance framework
sponsored by the Australasian Council of Auditors-General (ACAG). The Audit Office implements
recommendations from the reviews to address identified gaps in compliance.

6.5.7 Quality Assurance Framework and Quality Audit Review Committee (QARC)
The system of quality control is an important mechanism to ensure the Office and its staff comply with
Australian Auditing Standards, relevant ethical requirements, and applicable legal and regulatory
requirements; and to ensure our reports are appropriate in the circumstances. QARC is a key
component of the Audit Office’s Quality Assurance Framework.

For more information on the Quality Assurance Framework refer to Audit Office policy and for
information on the role of the QARC refer to the QARC Charter.

6.5.8 Other Audit Office Committees

The Audit Office has a number of other committees with responsibilities for oversight of specific
functions or areas including:

• Work Health and Safety Committee
• Remuneration Committee.

7 Limitations of internal control

Internal control is designed and implemented to provide reasonable assurance that the objectives and
goals of the Audit Office are achieved. It is acknowledged that there are inherent limitations of internal
control which include:

• resource constraints – benefit vs cost
• human judgement and errors
• manual and automated controls that can be circumvented by collusion
• inappropriate overriding of internal controls by management.

8 Annual CFO certification and management control questionnaire

As part of the preparation of the annual financial statements, the CFO provides the Auditor-General
with an annual Letter of Certification as to the effectiveness of the system of internal control over
financial information. The CFO Letter of Certification is supported by a management internal control
questionnaire, which is completed by the members of the leadership team.

9 Contact Point
If staff have any questions about this framework, they should contact the Executive Manager,
Governance.

10 Review
It is intended that this policy will be reviewed every two years or earlier if significant new information,
legislative or organisational change warrants an update to this framework.
