Purpose and Objectives
Company has established an internal audit function as a key component of the Company governance framework. The establishment of an internal audit function is also mandated by the Auditing and Assurance Standards Board (AUASB).
This charter provides the framework for the conduct of the internal audit function in Rare and has been approved by the organisation. Internal audit provides an independent and objective review and advisory service to:
- provide assurance that Company financial and operational controls designed to manage the organisation’s risks and achieve the entity’s objectives are operating in an efficient, effective and ethical manner; and
- assist management in improving the entity’s business performance.
The Enterprise Risk Management Framework aims to enhance the organisation’s ability to meet its corporate and operational objectives through:
- Infrastructure
- Environment
- Economy
- Leadership
Scope
Internal audit reviews cover all programmes and activities of Rare together with associated entities as provided for in relevant business agreements, memorandum of understanding or contracts. Internal audit activity encompasses the review of all financial and nonfinancial policies and operations.
Policy Statement
Independence is essential to the effectiveness of the internal audit function. Internal audit has no direct authority or responsibility for the activities it reviews. The internal audit function has no responsibility for developing or implementing procedures or systems and does not prepare records or engage in original line processing functions or activities.
The internal audit activity will remain free from interference by any element in the organisation, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective approach to the audit.
Internal Audit reports functionally and administratively to the Chief Executive Officer.
Company will engage an external accounting firm to undertake the internal audit function.
Auditors are authorised to have full, free and unrestricted access to all functions, premises, assets, personnel, records, and other documentation and information that the Internal Auditor considers necessary to enable internal audit to meet its responsibilities. All records, documentation and information accessed in the course of undertaking internal audit activities are to be used solely for the conduct of these activities. The Auditor and individual internal audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.
Standards
Internal audit activities will be conducted in accordance with Rare values, policies and procedures. Audit activities will also be conducted in accordance with relevant professional standards including:
- Standards relevant to internal audits; and
- Standards issued by Standards Australia and the International Standards Organisation.
In the conduct of internal audit work, internal audit staff will:
- comply with relevant professional standards of conduct;
- possess the knowledge, skills and technical proficiency relevant to the performance of their duties;
- be skilled in dealing with people and communicating audit, risk management and related issues effectively;
- develop their technical competence through a programme of professional development; and
- exercise due professional care in performing their duties.
Relationships with External Audits
Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort. Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest. External audit will have full and free access to all internal audit plans, working papers and reports.
Internal Audit Plan
At least annually, the Internal Auditor will submit to the Chief Executive Officer an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal/calendar year. The Internal Auditor will communicate the impact of resource limitations and significant interim changes to the Chief Executive Officer. The internal audit plan will be developed based on a prioritisation of the organisational environment and outcomes using a risk-based methodology. Any significant deviation from the approved internal audit plan will be communicated to the Chief Executive Officer through periodic activity reports.
Enterprise Risk Management
Enterprise risk management is more than risk management. It is a structured, coordinated approach to aligning strategy, processes, people, technology and knowledge to manage risk. While risk is inherent in all of Company’s business activities, programs, services, projects, processes and decisions, enterprise risk management is about removing traditional divisions or barriers and thinking about risk not just as involving a loss, but as an occurrence that may provide opportunities and may have both positive and negative consequences. As such, Company is committed to consistent, efficient and effective risk management, sharing risk information across the organisation to allow efficient allocation of resources and reduce duplication. Enterprise risk management requires the organisation to consider the bigger risk landscape and the processes that flow from this, noting that risk management is the responsibility of employees, contractors, volunteers and suppliers. This Enterprise Risk Management Framework should be read in conjunction with the Enterprise Risk Management Policy and the Enterprise Risk Management Process Procedure. The implementation of this framework will:
- ensure a consistent and best practice approach to risk management throughout the organisation;
- establish a structured process for identifying, analysing, evaluating, managing, treating, monitoring, reviewing and communicating risks; and
- encourage the integration of risk management into Council’s overall governance, planning, management, reporting processes, policies, operations, values and culture.
Responsibility
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organisation’s governance, risk management, and internal process as well as the quality of performance in carrying out assigned responsibilities to achieve the organisation’s stated goals and objectives. This includes:
- Evaluating the reliability and integrity of information and the means used to identify, measure, classify and report such information.
- Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organisation.
- Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
- Evaluating the effectiveness and efficiency with which resources are employed.
- Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
- Monitoring and evaluating governance processes.
- Monitoring and evaluating the effectiveness of the organisation’s risk management processes.
- Performing consulting and advisory services related to governance, risk management and control as appropriate for the organisation.
- Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.
- Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Chief Executive Officer.
Reporting and Monitoring
A written report will be prepared and issued by the Internal Auditor or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Chief Executive Officer. The internal audit report may include management’s response and corrective action taken or to be taken in regard to the specific findings and recommendations. Management’s response, whether included in the original audit report or provided thereafter (i.e. within thirty days) by the management of the audited area, should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented. The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.
Periodic Assessment
The Internal Auditor will periodically report to the Chief Executive Officer on the internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Chief Executive Officer.
In addition, the Internal Auditor will communicate to the Chief Executive Officer on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every two years.
Documentation
- Company internal audit checklist
- Company internal audit report