IPC Internal Audit Manual

You can read the document below or download it: IPC Internal Audit Manual and Charter 2019-2020.


1 Introduction
1.1  Background

This manual outlines the processes in place at the Information and Privacy Commission (IPC) for the management and oversight of internal audit, in accordance with the core requirements contained in Treasury Policy & Guidelines Paper TPP 15-03 Internal Audit and Risk Management Policy for the NSW Public Sector (TPP 15-03).

Core requirement 2 of TPP 15-03 requires that the Internal Audit function be consistent with the International Standards for the Professional Practice of Internal Auditing (IIA Standards) and any additional practice requirements set by the Policy.

This Manual has been developed to describe IPC’s policy and procedures for the internal audit function in accordance with the IIA Standards and section 2.2.3 of TPP 15-03.  

1.2  Purpose

This manual has been prepared to provide a reference document relating to the provision of internal audit services for IPC, including the roles of staff and management in the process.

Internal audit provides an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives and satisfy statutory obligations by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, internal controls, and governance processes.

The manual outlines the overall framework for conducting internal audits within IPC, including:

  • The legislative and government framework that internal audit services sit within;
  • Who is responsible for providing audit and assurance services at IPC;
  • How audit work is planned and managed, and the level of input required from management; and
  • How recommendations identified in internal audit reviews are implemented and monitored.

The Internal Audit Charter provides the framework for the conduct of the internal audit function in the IPC and has been approved by the CEO on the advice of the Audit and Risk Committee.

1.3  Review

The Internal Audit Manual is to be reviewed annually in conjunction with the preparation of the IPC Internal Audit Plan. It is amended on an on-going basis to reflect any other relevant new or amended Treasury Policy Statement, NSW Department of Justice Policy Statement (and, from 1 July 2019, Department of Customer Service Policy Statement or Guideline), or IIA Standard.

2 General Policies & Standards
2.1  Legislation, Policies and Standards

Under Division 2 Section 3.6 of the Government Sector Finance Act 2018, IPC is required to establish and maintain an effective internal audit service, and an effective system of internal control over the financial and related operations of IPC.

Requirements in this section include IPC reviewing its operations or programs to ascertain whether results are consistent with established objectives and goals, and whether those operations or programs are being carried out as planned; and reporting directly at regular intervals to the Chief Executive as to the result of any appraisal, inspection, investigation, examination or review made by the internal audit organisation.

To meet these requirements, IPC has governance structures in place to provide assurance to senior management, which is independent from operational management, that risks and compliance obligations are identified, managed and controlled.  The Internal Audit activities are conducted in accordance with relevant professional standards, as detailed in IPC’s Internal Audit Charter.

2.2  Internal Audit Charter

The Internal Audit Charter defines the nature of assurance services provided, and addresses the independence, role, responsibilities, authorisation, activities, and reporting relationships of the Internal Audit function.

It is mandatory that all internal audit services provided to IPC and all staff working within IPC on internal audits, whether employees or outsourced Service Providers, comply with IPC’s Internal Audit Charter.

2.3  Audit & Risk Committee

The Audit & Risk Committee is established in compliance with TPP 15-03, to provide independent assistance to the Chief Executive (CE) by overseeing and monitoring IPC’s governance, risk and control frameworks, and its external accountability requirements.

The Audit & Risk Committee Charter provides details of the Committee's objectives, membership, tenure, authority, composition, roles and responsibilities, reporting and administrative arrangements. It has been endorsed by the Audit & Risk Committee and approved by the CE.

The reporting relationship between the Audit & Risk Committee and Internal Audit is outlined in the Audit & Risk Committee Charter.

3 Internal Audit Function
3.1  Chief Audit Executive

As IPC’s Internal Audit function is established using an outsourced service delivery model, TPP 15-03 requires the Chief Audit Executive (CAE) to be ‘the most senior position within a department or statutory body with responsibility for internal audit’.

The CAE is responsible for various internal audit activities, including (but not limited to):

  • Effectively managing the internal audit activity in accordance with the Internal Audit Charter;
  • Preparing, in conjunction with any Service Provider, an annual risk-based Internal Audit Plan for the consideration of the Audit & Risk Committee and CE approval;
  • Reporting, in conjunction with any Service Provider, to each meeting of the Audit & Risk Committee on audits completed, progress in implementing the annual audit work plan, priority of planned audits and the linkage of these auditable areas to the organisational risk management framework, and the implementation of agreed internal and external audit recommendations; and
  • Periodic reporting of conformance of Internal Auditing with the IIA Standards and Code of Ethics.

Details of the activities in place to maintain the independence of the CAE are included at Section 3 of the Internal Audit Charter.

3.2  Internal Audit Personnel

All members of the Internal Audit team are required to possess appropriate qualifications, experience and skill sets to enable the required auditing outcomes to be achieved. This includes membership of professional bodies such as, but not limited to, the Institute of Chartered Accountants in Australia, CPA Australia, and the Institute of Internal Auditors.

The Internal Audit team shall include high levels of senior staff with appropriate credentials. Team members should have a solid mix of professional qualifications, relevant experience and vocational skills, including well-developed interpersonal and communications skills to conduct their work and explain audit findings to IPC.

Where the internal audit function is delivered by a Service Provider, the CAE will assess the appropriateness of the skill set of the Service Provider’s nominated audit team using the CVs provided prior to engagement.

3.3  Coordination and Performance Management with a Service Provider

Where the internal audit function is delivered by a Service Provider, the Service Provider will work with the CAE to input, review and agree on the design and performance of all Internal Audit work. The CAE, and / or delegate will liaise with the Service Provider, with IPC and between both (as appropriate) to ensure internal audit services are delivered efficiently and effectively.

Formal performance management meetings are to be undertaken between the CAE (and / or delegate) and the Service Provider quarterly throughout the term of the engagement to discuss the status of the audit/s in progress against the budgeted time and schedule; any observations requiring immediate escalation; and any problems encountered in the audit.

3.4 Impairment to independence or objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. Impairment may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.

Appropriate parties to which the details of impairment must be disclosed include the CAE and Chief Executive Officer, depending on the nature of the impairment.

Internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. Assurance engagements for functions over which the CAE has responsibility must be overseen by a party outside the internal audit activity.

Internal Audit may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.

If internal auditors have potential impairments to independence or objectivity relating to proposed audit projects, disclosure must be made to the CAE prior to accepting the engagement.

4 Internal Audit Planning
4.1  Internal Audit Strategy

Strategic planning for Internal Audit and assurance services is essential to ensure that the Internal Audit effort is directed to areas that will provide the most benefit and value to IPC. Internal Audits will be designed to contribute to the improvement of the organisation’s governance, risk management and control processes through proactive evaluations offering new insights and consideration of future impact.

IPC has adopted a risk-based approach to determine the priorities for the Annual Internal Audit Plan, which seeks to balance financial, compliance, performance and operational reviews, and to balance existing business processes against future projects and change initiatives.

A rolling three-year strategic summary of Internal Audit activity should be included in the Plan to provide an overview of previous Internal Audit activity, proposed current year reviews, and potential future reviews identified during the planning process.

A risk-based planning process allows for the identification of internal audit engagements that are in the best interests of IPC and that do not overlap with other internal and external assurance and review mechanisms.

The internal audit planning process involves the establishment of an:

  • Annual Internal Audit Plan which involves the identification and documentation of auditable areas within IPC, and the prioritisation of these areas for review based on a predetermined risk assessment methodology; and
  • Internal Audit Project Brief which reflects the planning for each individual project review and documents the audit objectives, scope, approach, staff, timing, budget and reporting for each individual audit.

4.2  Annual Internal Audit Planning

An Annual Internal Audit Plan will be developed each year by the CAE and the Service Provider, in consultation with key stakeholders including the CEO, IPC’s Senior Executive team, the Audit & Risk Committee and the Audit Office of NSW.

The Internal Audit Plan will identify the internal audit priorities in the immediate to longer term.  The Plan will prioritise internal audit engagements for a given audit year, and include broad preliminary specifications (including objectives, scope, staff, timing, budget) for each engagement with a proposed schedule of when each engagement should be performed.

The internal audit activity must also evaluate the effectiveness of and contribute to the improvement of IPC’s governance and risk management processes.

The Annual Internal Audit Plan is to be recommended by the Audit & Risk Committee for approval by the CEO.

Where an internal audit activity is in the business area of the CAE, the Director Business Improvement will oversee the internal audit engagement.

5 Internal Audit Methodology
5.1  Audit Cycle

The process of performing an audit has several stages. These are collectively referred to as the Audit Cycle and cover all aspects of an audit from initial plan to final resolution of all matters raised.  The Chief Audit Executive together with the Service Provider is responsible for Step 1; the Service Provider (Internal Audit) is responsible for steps 2, 3 and 4; and the Chief Audit Executive in conjunction with the Service Provider is responsible for step 5.

The Audit Cycle is based on the performance standards outlined in the IIA International Standards for the Professional Practice of Internal Auditing.

5.2  Annual Internal Audit Plan

The development of the Internal Audit Plan is outlined at section 4.2.

Where changing priorities or emerging risks are identified that require adjustment to the Annual Internal Audit Plan, the proposed changes will be reviewed by the Audit & Risk Committee for approval by the CE.

5.3  Audit Planning

For each engagement set out in the Internal Audit Plan a detailed Internal Audit Project Brief is to be prepared during the planning phase for that audit.

5.3.1 Engagement with Management

An entry meeting is undertaken by Internal Audit, in consultation with the CAE, and relevant Senior Management to gain a more detailed understanding of the review, discuss the audit objectives and preliminary scope, discuss respective responsibilities and expectations, and particularly the strategy and objectives of the activity being reviewed and the means by which the activity controls its performance.

From the entry meeting, a more detailed Internal Audit Project Brief will be prepared and submitted to the relevant Director(s) to obtain agreement with the business stakeholder. In this regard, it is imperative that all key stakeholders of the proposed internal audit be identified and be involved in the entry meeting and sign-off stage of the Project Brief.

5.3.2 Scope

The Project Brief enables Internal Audit and management to ensure that work is focused on the audit objectives, meets accepted standards, and is carried out in the most economical and effective manner.

The internal audit scopes are developed in consultation with the CEO and the completed Project Brief must be submitted to the CAE for approval, and should be signed off by the CAE prior to the commencement of fieldwork. It is important to note that once the Project Brief has been agreed by all key stakeholders, issued as final and signed-off by the relevant staff, the start date of the audit is set. Any changes to this date must receive internal approval by the CAE or delegate.

As a minimum, all Project Briefs will include:

  • A background to the engagement, with reference to significant risks and current controls identified during planning discussions as well as considerations of legislation, standards, policies and procedures relevant to the audit;
  • The audit objectives for the engagement;
  • Engagement scope (ensuring any limitations of scope are clearly noted);
  • Proposed audit approach to address the audit objectives, including brief details of audit planning, fieldwork and reporting;
  • Key IPC contacts and stakeholders;
  • Internal Audit staff resourcing sufficient to achieve the engagement objectives, proposed timing and budget;
  • Reference to the overview of the internal audit process;
  • A statement that the audit work is completed in compliance with International Standards for the Professional Practice of Internal Auditing;
  • Reference to a feedback survey; and
  • Approval sign-offs.

5.4  Fieldwork

Fieldwork involves Internal Audit executing the audit test program in accordance with the IIA Standards and this manual. Fieldwork should commence after the Project Brief has been approved by the CAE and agreement has been obtained from the business stakeholders.

The Service Provider is responsible for properly supervising the engagement to ensure objectives are achieved and quality is assured.

Activities central to this phase include: collecting and analysing information, developing audit findings, conclusions, observations and recommendations, discussing issues with appropriate IPC personnel and documenting evidence which is sufficient, reliable, relevant and useful to support the engagement results and conclusions. All audit evidence collated as part of the audit review must be appropriately documented in the audit work papers and provided to IPC at the conclusion of each engagement.

Wherever possible, any significant issues identified during fieldwork should be brought to the attention of the responsible manager as they arise.

The fieldwork phase of the audit ends with an exit meeting with relevant key stakeholders, which provides an opportunity to:

  • Discuss the draft report and ensure a common understanding of its findings;
  • Ensure recommendations and management actions are pragmatic;
  • Agree the risk rating of each finding or observation; and
  • Resolve any misunderstandings or misinterpretations of facts on either side.

Any issues arising will be discussed with a view to resolving them, and any amendments to the draft report considered necessary and appropriate will be made prior to issuing the final report.

5.5  Audit Reporting

At the conclusion of every audit project, the Service Provider will prepare a formal report to management using an agreed IPC pro-forma Internal Audit report template. The purpose of the report is to communicate to IPC management the findings and assessment of the reviewed area. Internal Audit reports must comply with the IIA Standards of accuracy, objectivity, clarity, conciseness and timeliness.

A draft report for consideration and comment should be provided by the Service Provider within 2 weeks of field work being finalised following the Exit Interview/s with the key staff from the audited area.

Management responses should be provided within 2 weeks of the draft report being issued.  Any amendments to the draft report will be made by the Service Provider at the discretion of the CAE.

Once management responses have been documented, including responsibility and timeframe for completion, these should be forwarded to the CAE. Upon receipt of the management responses, the Service Provider will convert the draft report into a final report, and issue this (generally within one week) to the CAE.

The CAE is responsible for communicating the final results to the relevant parties.

If after an audit report has been issued, it is identified that it contains a significant error or omission, the CAE must communicate corrected information to all parties who received the original report.

The CAE will report to each meeting of the Audit & Risk Committee on:

  • Internal Audits completed with a copy of the finalised Internal Audit Report;
  • Progress in implementing the annual audit work plan; and
  • Priority of planned audits and the linkage of these auditable areas to the organisational risk management framework.

5.6  Implementation & Monitoring

The CAE has the responsibility for the monitoring of progress and implementation of audit recommendations, to determine if action taken adequately and effectively addresses the matters raised by the audit.

The CAE will monitor the status of implementation of audit actions until the issue is either resolved or Senior Management accept the risk it presents.

There may be circumstances where a level of risk over a particular activity is accepted by management that may be unacceptable to IPC. When the CAE concludes that this is the case, the CAE must discuss the matter with Senior Management. If the CAE determines that the matter has not been resolved, the CAE must communicate the matter to the Chief Executive.

The status of internal audits is reported by the CAE to the Audit and Risk Committee.

5.7 Recordkeeping and Security

Documents relevant to each audit are the property of IPC. Records relevant to each audit will be maintained in accordance with NSW State Records requirements and IPC’s records management practices.

6 Audit Evaluation & Performance Review
6.1  Quality Assurance & Improvement Program (QAIP)

The CAE must ensure that there is in place a quality assurance and improvement program for the Internal Audit function to conform with the IIA Standards and Code of Ethics. IPC’s Internal Audit Quality Assurance and Improvement Program (QAIP) is designed to promote continuous improvement in the Internal Audit function and provide reasonable assurance to the various stakeholders that Internal Audit:

  • Performs its work in accordance with its Charter, which is consistent with TPP 15-03 and the IIA Standards and Code of Ethics,
  • Operates in an efficient and effective manner, and
  • Is perceived by stakeholders as adding value and improving business practice.

6.2  Internal Assessments

At the conclusion of each audit project, an Internal Audit Satisfaction Survey is to be issued to the lead IPC contacts for the audit to provide feedback on the overall internal audit approach and value add from the services provided. A summary of the results of the survey is to be reported to the CEO, CAE and Audit & Risk Committee annually on completion of the Annual Internal Audit Plan.

An annual Executive Survey of Internal Audit services is to be undertaken to assess the performance of the Internal Audit function. The results of the annual survey, inclusive of the previous year’s results for comparative purposes, are to be presented to the Audit & Risk Committee.

An assessment of the performance of the internal audit activity against the IIA Standards and Code of Ethics is also to be undertaken by the CAE or delegate on an annual basis. The results are presented to the Audit & Risk Committee.

6.3  External Assessments

The IIA Standards require an external assessment of the Internal Audit function to be conducted at least once every five (5) years by a qualified, independent reviewer or review team. The CAE and any Service Provider shall facilitate the conduct of an external assessment. The CAE and any Service Provider will consult with the CE and the Audit & Risk Committee on the form and frequency of external assessments, and on the qualifications and independence of the external assessor, including any potential conflicts of interest.

It is noted that the last external assessment was conducted in March 2017.

6.4  Working Collaboratively With Management

Internal Audit will work collaboratively with management to raise the profile of internal audit within the organisation. On-going communication and the physical presence of internal audit staff are key to achieving this aim. All audit work is performed on site wherever possible, and an “open door” policy will be applied so staff have unrestricted access to the support and advice offered by internal audit.



Internal Audit Charter


We aim to be an effective organisation. Having appropriate governance structures including sound risk management and internal audit processes is one way of achieving this.


Internal audits are an integral part of the corporate governance framework of the Information and Privacy Commission (IPC). This charter provides the framework for the conduct of the internal audit function in our office.


Internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Internal audit provides an independent and objective review and advisory service to:

  • provide assurance to the CEO/Information Commissioner, IPC Leadership and Executive and the Audit and Risk Committee, that the IPC’s financial and operational controls, designed to manage the organisation's risks and achieve the entity's objectives, are operating in an efficient, effective and ethical manner; and
  • assist management in improving the entity's business performance.

Independence is essential to the effectiveness of the internal audit function. Internal audit activity must be independent, and internal auditors must be objective in performing their work. Internal auditors must have an impartial, unbiased attitude and avoid any conflicts of interest.

The Internal Audit function has no direct authority or responsibility for the activities it reviews. The Internal Audit function has no responsibility for developing or implementing procedures or systems and does not prepare records or engage in original line processing functions or activities.

The internal audit function is responsible on a day-to-day basis to the Chief Audit Executive.

The Internal audit function, through the Chief Audit Executive, reports functionally to the Audit and Risk Committee on the results of completed audits and for strategic direction and accountability purposes, and reports administratively to the CEO/Information Commissioner to facilitate day-to-day operations.

The following reporting line is prescribed: [reporting-line diagram not reproduced; only the label “Internal Audit” survives from the original figure]

All internal audit documentation is to remain the property of the IPC, including where internal audit services are performed by an external third party provider.


Internal auditors are authorised to have full, free and unrestricted access to all functions, premises, assets, personnel, records, and other documentation and information that the Chief Audit Executive considers necessary to enable the internal audit function to meet its responsibilities.

All records, documentation and information accessed in the course of undertaking internal audit activities are to be used solely for the conduct of these activities. The Chief Audit Executive and individual internal audit staff are responsible and accountable for maintaining the confidentiality of the information they receive during the course of their work.


The internal audit function must evaluate and contribute to the improvement of governance, risk management and control processes using a systematic and disciplined approach.

In the conduct of its activities, the internal audit function will play an active role in:

  • developing and maintaining a culture of accountability and integrity
  • facilitating the integration of risk management into day-to-day business activities and processes, and
  • promoting a culture of cost-consciousness, self-assessment and adherence to high ethical standards.

Internal audit activities will encompass the following areas:

1. Risk management

  • evaluate the effectiveness of, and contribute to the improvement in risk management processes
  • provide assurance that risk exposures relating to the organisation's governance, operations, and information systems are correctly evaluated, including:
    • reliability and integrity of financial and operational information
    • effectiveness, efficiency and economy of operations
    • safeguarding of assets
  • evaluate the design, implementation and effectiveness of the organisation's ethics-related objectives, programs, and activities
  • assess whether the information technology governance of the organisation sustains and supports the organisation's strategies and objectives.

2. Compliance

  • evaluate compliance with applicable laws and regulations and Government policies and directions

3. Performance improvement

  • evaluate the efficiency, effectiveness, and economy of the entity's business systems and processes.

The internal audit function can advise the IPC Executive Team on a range of matters including:

1. New programs, systems and processes

  • providing advice on the development of new programs and processes and/or significant changes to existing programs and processes including the design of appropriate controls

2. Risk management

  • assisting management to identify risks and develop risk mitigation and monitoring strategies as part of the risk management framework

3. Fraud control

  • evaluating the potential for the occurrence of fraud and how the IPC manages fraud risk
  • assisting management to investigate fraud, identify the risks of fraud and develop fraud prevention and monitoring strategies.

The internal audit function is also responsible for:

  • assisting the Audit and Risk Committee to discharge its responsibilities
  • providing secretarial support to the Audit and Risk Committee
  • monitoring the implementation of agreed recommendations
  • disseminating across the entity better practice and lessons learnt arising from its audit activities.

Internal audit reviews cover all programs and activities of the IPC together with associated entities, as provided for in relevant business agreements, memoranda of understanding or contracts. Internal audit activity encompasses the review of all financial and non-financial policies and operations.


Internal audit activities will be conducted in accordance with relevant professional standards including:

  • International Standards for the Professional Practice of Internal Auditing issued by the Institute of Internal Auditors
  • standards issued by Standards Australia and the International Standards Organisation.

In the conduct of internal audit work, internal audit staff will:

  • comply with relevant professional standards of conduct
  • possess the knowledge, skills and technical proficiency relevant to the performance of their duties
  • be skilled in dealing with people and communicating audit, risk management and related issues effectively
  • exercise due professional care in performing their duties.

Internal and external audit activities will be coordinated to help ensure the adequacy of overall audit coverage and to minimise duplication of effort.

Periodic meetings and contact between internal and external audit shall be held to discuss matters of mutual interest and facilitate coordination.

External audit will have full and free access to all internal audit plans, working papers and reports.


The Chief Audit Executive will prepare, for the Audit and Risk Committee's consideration, an internal audit annual audit work plan in a form agreed with the Committee.


The Chief Audit Executive will report to each meeting of the Audit and Risk Committee on:

  • audits completed
  • progress in implementing the annual audit work plan
  • the implementation status of agreed internal and external audit recommendations.

The internal audit function will also report to the Audit and Risk Committee at least annually on the overall state of internal controls within the office and any systematic issues requiring management attention based on the work of the internal audit function and other assurance providers.


Any change to the position of the Chief Audit Executive or external service provider will be approved by the CEO/Information Commissioner in consultation with the Audit and Risk Committee.

The Chief Audit Executive will arrange for an internal review, at least annually, and a periodic independent review, at least every five years, of the efficiency and effectiveness of the operations of the internal audit function.


The Charter will be reviewed at least annually by the Audit and Risk Committee.  Any substantive changes will be formally approved by the CEO/Information Commissioner on the recommendation of the Audit and Risk Committee.


Elizabeth Tydd

CEO/Information Commissioner

Paul Crombie

Chair, Audit and Risk Committee