ANAO - Public Sector Audit Committees

2.2. Internal control

The Audit Committee will generally be responsible for reviewing the adequacy of the entity’s internal control environment to provide assurance that the entity’s key controls are designed appropriately and are operating as intended. In fulfilling this responsibility, the committee could be expected to obtain information from management and also from internal and external audit on the design and operation of key financial controls and assurance processes. To do this effectively, Audit Committees are expected to have a good understanding of the entity’s internal control framework, including the entity’s Chief Executive’s Instructions or equivalent, and mechanisms in place to periodically assess compliance with the entity’s financial management responsibilities.

Audit Committee internal control [11] responsibilities
An Audit Committee’s responsibilities in relation to an entity’s internal controls would generally be to: review whether management’s approach to maintaining an effective internal control framework, including over external parties such as contractors, is sound and effective; review whether management has in place relevant policies and procedures, including Chief Executive’s Instructions or their equivalent, and that these are periodically reviewed and updated; determine whether appropriate processes are in place to periodically assess compliance with legislation and key policies; review whether appropriate policies and supporting procedures are in place for the management and exercise of compliance, internal policy, and delegations requirements; consider how management identifies any required changes to the design or implementation of key internal controls; and assess whether management has taken steps to embed a culture which is committed to ethical and lawful behaviour.

Audit Committee internal control [11] responsibilities

An Audit Committee’s responsibilities in relation to an entity’s internal controls would generally be to:

review whether management’s approach to maintaining an effective internal control framework, including over external parties such as contractors, is sound and effective;
review whether management has in place relevant policies and procedures, including Chief Executive’s Instructions or their equivalent, and that these are periodically reviewed and updated;
determine whether appropriate processes are in place to periodically assess compliance with legislation and key policies;
review whether appropriate policies and supporting procedures are in place for the management and exercise of compliance, internal policy, and delegations requirements;
consider how management identifies any required changes to the design or implementation of key internal controls; and
assess whether management has taken steps to embed a culture which is committed to ethical and lawful behaviour.

Part 3 includes a committee and management checklist in relation to an entity’s internal control (pages 56 to 90).

[11]. Internal control can be defined as ‘the process designed, implemented and maintained by the entity to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term ‘controls’ refers to any aspects of one or more of the components of internal control.’ (Adapted from the definition of ‘Internal Control’ included in Australian Auditing Standard ASA 315 Identifying and Assessing the Risk of Material Misstatement Through Understanding the Entity Audit Environment.)

Previous: Risk Management

Next: Financial statements