Internal Audit and Audit Committees
Under the Local Government Act 2009, Local Government Regulation 2012, City of Brisbane Act 2010 and the City of Brisbane Regulation 2012 (the Acts), all local governments in Queensland are required to establish an efficient and effective internal audit function, and each large local government must establish an Audit Committee.
International Professional Practices Framework
The Department has used information from the International Professional Practices Framework (IPPF) published by the Institute of Internal Auditors (IIA) in this guidance. In addition reference has been made to resources issued by the Queensland Audit Office and Queensland Treasury.
What is internal audit?
The Acts do not define internal audit, instead they specify some requirements that a local government's internal audit function must perform.
The IPPF provides a useful definition which demonstrates the wide range of activities performed by an internal audit function:
'Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.'
The difference between internal and external audit
A local government's internal audit function performs a different role to external audit.
The external audit provides independent assurance that the annual financial statements are reliable and comply with prescribed requirements. It is primarily a financial audit which assesses the internal control framework and focuses on the material components of the financial statements and how significant financial reporting risks have been dealt with by management.
In contrast, the type of internal audits performed each year will vary depending upon each local government’s needs. They should be based on a strategic analysis of the individual local government’s risks and operations. The aim of the audits is to improve operations and manage risk, and they may include:
- operational audits which look at the efficiency and effectiveness of operations
- compliance audits which look at compliance with applicable laws and rules (e.g. workplace health and safety)
- fraud audits which comprise both fraud detection audits and fraud investigations, and
- IT audits.
External audits may seek to rely on some of the work undertaken by internal audit, if appropriate, to avoid duplication of effort and to achieve a more efficient audit process. Such reliance will only occur where external audit is satisfied that the work of internal audit is adequate for the purpose of the external audit.
Benefits of an internal audit function
An effective internal audit function will assist chief executive officers (CEOs) and senior management to improve the effectiveness of operations (including the cost effectiveness) and to manage risks.
Internal audit can significantly add value to a local government’s internal control, risk management, and governance processes. Internal audit assesses both the financial and non-financial performance of the local government.
Characteristics of an internal audit function
An excellent source of information on internal audit is Queensland Treasury’s Financial Accountability Handbook – Volume 2.0 Governance.
Indicators of an efficient and effective internal audit function include:
- internal audit is identified as an independent function within the local government's structure
- a well-developed strategy for the function which clearly identifies the role and responsibilities and the contribution that internal audit makes to the local government
- the function reports directly to the CEO and is independent from operational functions
- the local government provides an appropriate level of funding to enable this function to operate effectively
- the function is adequately resourced with appropriately qualified people
- if the function is outsourced, a robust selection process is undertaken to ensure that the people undertaking the work are appropriately qualified and any conflicts of interest are managed
- an appropriate internal audit charter and internal audit strategy exist
- an internal audit work plan, which is consistent with the charter and strategy, exists. This will identify the specific audit activity that will be undertaken in the financial year and how it relates to risk. The work plan and strategy may be combined into one document incorporating the legislative requirements for an internal audit plan.
- an audit plan is in place, and is followed, for each specific audit undertaken. This plan at a minimum should:
- identify the area for the proposed audit
- outline the 'risk' being reviewed
- identify the key stakeholders
- explain the type of audit to be undertaken
- estimate duration and costs.
- senior management periodically evaluate the effectiveness of the internal audit function
- a report of findings and recommendations is presented to management and the Audit Committee for each completed audit.
Internal audit charter
The internal audit charter must be consistent with generally accepted auditing and ethical standards, including the IPPF. It should be approved by the CEO and reviewed annually.
The charter defines the purpose, accountabilities, authorities, and responsibilities of the internal audit function. It should be presented in such a way that management and staff have a clear understanding of the objectives of the function.
Compliance with professional standards
All internal audit activity should be conducted in accordance with the IPPF. In addition, the people undertaking internal audit activity should possess relevant qualifications and have undertaken appropriate training.
Legislative requirements that relate to internal audit
The Acts require all local governments in Queensland to establish an efficient and effective internal audit function. In addition, the following minimum requirements are specified:
For each financial year, a local government must:
- prepare an internal audit plan;
- carry out an internal audit;
- prepare a progress report for the internal audit; and
- assess compliance with the internal audit plan.
The internal audit plan must contain statements about:
- the way in which the operational risks have been evaluated
- the most significant operational risks identified from the evaluation
- the control measures that the local government has adopted, or is to adopt, to manage the most significant operational risks.
These statements may be contained in the internal audit strategy document.
All large local governments are required to have an audit committee.
A large local government is a local government belonging to a remuneration category of 3 or higher as published in the remuneration schedule set annually by the Local Government Remuneration Commission.
Composition of audit committees
The audit committee must consist of at least three and no more than six members, and include one, but no more than two councillors. At least one member must have significant experience and skills in financial matters. The local government must appoint one of the members as chairperson.
Brisbane City Council may not appoint a councillor as chairperson.
The CEO cannot be a member of the audit committee but can attend meetings of the committee. It is also inappropriate for any person who is responsible for, or involved in, the local government’s financial or internal audit functions to be a member.
The Department recommends that at least one independent member, with relevant financial skills, is appointed to the audit committee.
Audit committee charter and annual work program
Like the internal audit function, the audit committee should have a charter. The charter guides the behaviour and activities of the audit committee and includes:
- the objectives, roles and responsibilities of the committee
- the relationship of the committee to the CEO, management, internal audit and external auditors
- authority for the committee to conduct enquiries appropriate to fulfil its responsibilities, together with a statement that full assistance is to be provided to the committee in the discharge of its duties
- authority for the committee to access documents, records and personnel and the requirement that frank, truthful and meaningful answers be given to questions by the committee
- confidentiality and independence requirements of committee members, and their ethical and reporting responsibilities
- procedures for meetings
- the process for resignation or dismissal, ensuring that grounds for dismissal refer to the skills and code of conduct as documented in the letter of appointment.
An example audit committee charter is included in Queensland Treasury’s Audit Committee Guidelines: Improving Accountability and Performance.
Each year, the audit committee should prepare and follow a work program. The program must include a review of:
- the internal audit plan for the year
- the internal audit progress report
- the local government's draft financial statements before they are certified and given to the Auditor-General for auditing
- the Auditor-General's audit report about the financial statements.
In addition, the work program should include related matters in accordance with the audit committee charter. For example:
- a review of the financial reporting valuation of the local government's assets
- tracking management action on internal and external audit findings
- assessing the performance of internal audit.
Audit committee meetings
The audit committee is required to meet at least twice each financial year. After each meeting, a report must be prepared about matters reviewed, and recommendations made at the meeting. The report must be given to the CEO who must table the report for consideration at the next council meeting.
Meetings should be conducted in accordance with the audit committee's charter.
The relationship between internal audit and the audit committee
The Acts include a requirement that internal audit provide the audit committee with progress reports, summaries of recommendations and details of any action taken or not taken in response to the recommendations. In addition to reviewing these documents the audit committee must review the internal audit plan for the current financial year.
The Institute of Internal Auditors Australia has published a wide range of fact sheets and practice guides. These can be found at: www.iia.org.au
The Queensland Audit Office has published several blogs on audit committees. These can be found at: www.qao.qld.gov.au/blog
Any enquiries on this matter should be email to:
Or addressed to:
Governance and Capability
Department of State Development, Infrastructure, Local Government and Planning
PO Box 15009
Brisbane QLD 4002
Last updated: 17 Aug 2022