
Appendix 3: Questions an audit committee might ask

Audit committees in the public sector.

We encourage entities to adapt these examples to ensure that they are suitable and appropriate for their particular circumstances.

Risk management

Risk management and strategy

Is there a formal risk management framework?

  • If so, does the framework:
    • articulate the overall risk appetite of the entity?
    • link with the entity’s strategic documents and processes?
    • include details of reporting, monitoring, and review requirements to assess both performance of, and compliance with, the framework?
    • include a requirement to regularly review and update risk management plans?
    • address the risks associated with cross-agency governance arrangements (where applicable)?
  • What are the primary elements of the entity’s risk management approach (for example, business continuity plan, disaster recovery plan, fraud control plan, annual risk assessment) and how are these co-ordinated?
  • What communication channels are in place to advise staff of the entity’s approach to risk management?
  • Has the governing body/chief executive formally endorsed, and actively encouraged, the use of risk management in the development of the entity’s policies and procedures?
  • Does the entity have adequate insurance cover?

Responsibility for risk management

  • Has responsibility for the risk management framework and activities of the entity been clearly assigned to a senior manager?

Risk identification and assessment

  • How does the entity identify and assess risks, including fraud risks?
  • How does the entity identify and record new and emerging risks?

Risk mitigation and improvement

  • Are controls in place to effectively manage the highest inherent risks?
  • Are there any entity-wide control strategies to address “common risks”?
  • How does management ensure that risk mitigation strategies, controls, or improvements are implemented?
  • Does the entity’s fraud control policy and plan identify controls to effectively mitigate identified fraud risks?

Monitoring/reporting risk assessment activity

  • How are critical risks or control failures escalated within the entity and to whom are they reported?
  • Does senior management periodically receive reports on risk management plans and take action where necessary?
  • Does the internal auditor provide the Committee with a level of assurance over controls that mitigate key risks?
  • What information or reports does the governing body/chief executive receive on risk management?
  • Has the entity implemented procedures to track the costs of risk management activities?
  • Are sufficient resources dedicated to risk management activities?

Internal control

Policies and procedures

  • Has the entity documented its internal control systems, including identification of the key controls?
  • Are the entity’s key controls reflected in, or addressed by, its policies and procedures?
  • Are arrangements in place to ensure that the entity’s policies and procedures are appropriately reviewed, approved, and communicated to all staff?

Responsibilities and accountabilities

  • Are delegations of authority and responsibility to individuals properly approved and kept up to date?
  • Are delegations of authority communicated to all staff in the entity?
  • Has the responsibility for the development, review, and implementation of key controls and associated policies been clearly assigned to individual managers or business areas?

Business systems and internal controls

  • What are the critical internal control areas that warrant the attention of the Committee, and why are they important?
  • Does the entity’s system of internal controls mitigate controllable risks to an acceptable level?
  • Are changes to the design or implementation of key internal controls properly identified and implemented?
  • Are there processes to review the adequacy of financial and other key controls for all new systems, projects, and activities?
  • Does the entity control its electronic data processing operations effectively?
  • Do internal control arrangements address, to the extent necessary, cross-agency responsibilities and external parties, including contractors and advisers?
  • Are appropriate business continuity planning arrangements in place?
  • Do processes and systems record fraud-related information?
  • Are there appropriate security policies and procedures, covering both physical and information technology security?

Conduct and ethical behaviour

  • Does the entity effectively communicate the responsibilities of staff for ethical behaviour and conduct?
  • Are expectations regarding ethical behaviour and conduct documented and communicated to new and existing staff?

Effectiveness of the control framework

  • Are arrangements in place to periodically assess the effectiveness of the entity’s control framework (for example, through internal and external audit coverage, management review and sign-offs, and self-assessments)?
  • Are internal and external audit findings on key control deficiencies or breakdowns adequately addressed by management in a timely manner?
  • Is management aware of any material weakness in internal control?
  • Is the Committee aware of other internal control matters that require corrective action?
  • Have appropriate actions been taken in response to previous comments and recommendations by the external or internal auditors?
  • Have the external auditors modified their planned audit approach based on the results of their test of the systems of internal control?
  • Is the internal audit function adequately staffed and organised with a formal internal audit charter?
  • What activities would the internal auditors recommend the Committee carry out in connection with its overseeing of internal controls?
  • Has the entity succeeded in creating an environment conducive to the achievement of the effective systems of internal control?
  • Do the systems in place provide reasonable assurance that errors and conditions contrary to policy are reported?
  • Is the Committee aware of any situation where management exceeded its authority in any matters prescribed by the governing body/chief executive or failed to comply with any resolution passed by the governing body/chief executive?
  • Does the entity have adequate procedures to identify related party transactions?

The effectiveness of internal audit

Internal audit charter

  • Are the responsibilities, access rights, reporting arrangements, and standards of performance of the internal audit function detailed in an internal audit charter?
  • Does the charter afford the internal auditor a sufficient level of independence from management?

Internal audit delivery

  • Is the Committee satisfied with the service delivery model used to provide internal audit services? (Consider sufficiency of resource, depth of expertise, relationship with management, and the results of independent quality assessment.)
  • Where the entity tenders for internal audit, does the tender process ensure that potential conflicts of interest are identified?
  • Where the internal audit function is outsourced, are mechanisms in place to identify and manage, where appropriate, potential conflicts of interest?

Annual internal audit coverage and audit plans

  • How has the proposed internal audit plan been developed? In particular, does the proposed coverage link to the entity’s documented strategic and operational risks?
  • Does the plan support the independence of the internal audit function from the activities it audits?
  • How are the proposed audit topics prioritised, and was this determination linked to the entity’s risk management plan and internal audit’s own risk assessment?
  • How does the internal audit plan take into account past internal and external audit activity, findings, and recommendations?
  • Is the internal audit plan an appropriate mix of compliance and performance audits?
  • Does the internal audit plan adequately detail the objective, scope, resource requirements, and for each of the audit topics proposed?
  • Has the scope of proposed internal audit activity been adversely affected by resource constraints?
  • Have there been any significant disagreements between the internal auditor and management in developing the internal audit plan? If so, have they been appropriately resolved or addressed?

Internal audit reports

  • Are internal audit reports clear and concise, and do they satisfactorily address the agreed audit objectives?
  • Are internal audit recommendations relevant and practical, and do they reflect a proper understanding of the entity’s business?
  • Is management’s response (agreed/not agreed) to internal audit recommendations included in all reports?
  • Do internal audit reports also include an implementation plan for all agreed recommendations?

Resources

  • Does the internal auditor have sufficient resources to carry out their responsibilities, including completion of the approved internal audit plan?
  • Is the Committee satisfied with the level of skills and experience of the internal auditor?
  • Is the internal auditor able to access specialist skills where required?

Performance

  • Does the internal auditor have a sufficient understanding of the entity’s business?
  • Does the internal auditor complete audit assignments in a timely manner and to a high quality?
  • Does the internal auditor have effective quality control arrangements designed to ensure that all work is carried out to the required professional standards?
  • Does the internal auditor maintain effective liaison with the external auditor?
  • Does the internal auditor have a professional and cordial relationship with management?
  • What are the key improvements identified in the internal audit quality improvement plan, and is progress being made?

Private session with the internal auditor

  • Has the internal auditor had full and unencumbered access to all entity records and information?
  • Has the internal auditor received assistance and co-operation from staff and management?
  • Are there any issues the internal auditor wishes to discuss with the Committee?
  • Does the internal auditor have any suggestions for how the work of the Committee could be improved?

External reporting

Timing

  • Are mechanisms in place to ensure that the Audit Committee is being advised throughout the year of all significant issues relating to the financial statements?
  • Are arrangements in place to ensure that the financial statements are available for audit and completed on a timely basis?
  • Are arrangements in place to ensure that the entity’s annual report is finalised and tabled in keeping with the agreed timetable?

Presentation and disclosure

  • Have any changes in accounting standards, including international accounting standards, been identified and reflected in the entity’s financial statements?
  • Do the financial statements comply fully with all reporting and disclosure requirements?

Accounting policies

  • Are changes in the entity’s accounting policies from previous reporting periods reflected in the financial statements (where necessary)?
  • Are these changes reasonable and supportable?
  • Have the financial statements been subject to appropriate quality assurance review designed to ensure that they do not contain any material errors?

Content of the financial statements

  • Have any deficiencies or breakdowns in the control environment affected the financial statements?
  • Have any significant or non-recurring transactions, events, or adjustments affected the financial statements? If so, have these been dealt with appropriately?
  • Has the financial effect of any outstanding legal or contractual matters been identified and reflected in the financial statements?
  • How do the financial results compare with the entity’s budgeted results for the year? Can all significant variations be adequately explained?
  • What are the most significant valuations, estimates, and judgements made in the preparation of the financial statements? Are these valuations, estimates, and judgements reasonable and supportable?

Management approvals

  • Are the financial statements supported by management sign-offs?

Audit of the financial statements

  • Can the assertions made in the management representation letter provided to the external auditor be fully supported?
  • Have any deficiencies or breakdowns in the control environment affected the audit of the financial statements?
  • Were there any significant adjustments to the financial statements as a result of audit scrutiny?
  • Have any errors or discrepancies identified by the external auditor not been rectified in the financial statements?
  • Have there been any significant disagreements between management and the internal or external auditors? What were the disagreements and how have they been resolved?

Annual report

  • Are arrangements in place to ensure that financial information in the annual report is consistent with the signed financial statements?

Parliamentary committee reports and recommendations

  • Does the entity have processes to implement relevant Parliamentary committee reports and recommendations?
  • Does the entity have processes that include assigning responsibility to review and action, as appropriate, Parliamentary committee reports and recommendations?

Non-financial performance

  • Does the medium-term component (that is, the medium-term, outcome-oriented statement of intended achievements) include information on the entity’s objectives, outcomes, impacts, and operating intentions, together with related performance measures and targets, and other information required by legislation and generally accepted accounting practice (GAAP)?
  • Does the forecast annual service performance report (that is, the annual, output-oriented Statement of Forecast Service Performance or Forecast SSP) include information on the entity’s intended outputs, together with related performance measures and targets, and other information required by legislation and GAAP?
  • Is there a “framework” comprising the above two components with enough context and links to strategic-level information, and within and between the information in the two components, to provide a coherent structure for reporting and to clearly demonstrate the rationale for, and the relationships among, the contextual information, elements, performance measures, and targets?
  • Has responsibility for implementing monitoring and reporting of entity performance been clearly assigned to individual managers or business areas?

Legislative compliance

Systems and procedures

  • Is there an appropriate framework to assist the entity to comply with its legislative obligations? For example, does management have a good understanding of the entity’s legal obligations in such areas as occupational health and safety, privacy, the environment, Goods and Services Tax, Fringe Benefit Tax, superannuation, fraud, and security?
  • Does the framework identify all material legislation that the entity must comply with?

Responsibilities

  • Are procedures in place that provide for any breach of legislation to be reported to senior management?
  • Has responsibility for legislative compliance been clearly assigned to individual managers?
  • Does the entity have a culture which is supportive of, and encourages compliance with, all relevant laws and subordinate legislation?

To the external auditors about the audit

Before the start of the annual audit

  • Have all the entity’s business units been considered in formulating the planned audit scope?
  • Has management attempted to restrict, or in fact restricted, the audit scope in any way?
  • Do the external auditors plan an audit scope significantly different from last year? Do they plan significant modifications this year in the nature and extent of procedures to be performed in any major locations?
  • To what extent, if at all, do they plan to rely on the entity’s systems of internal control in conducting their audit?
  • What techniques and approach do they plan to employ with respect to reviewing or auditing the information technology systems?
  • How do they plan to collaborate with the internal auditor in planning their work?
  • Is there any area in which additional entity assistance could significantly reduce the planned extent of their work?
  • To what extent does their plan reflect expected changes in accounting principles and auditing standards?
  • What areas of the planned audit merit special attention by the Committee and why?
  • Are there any additional areas of emphasis this year from the Auditor-General’s annual audit brief?
  • What is their opinion of the quality of the entity’s non-financial performance measures?
  • Has the external auditor clearly articulated the proposed financial statement and performance audit coverage?
  • Has the external auditor taken into account the internal audit coverage when establishing their audit coverage?

On completion of the audit

  • Did management attempt to or actually restrict their work in any way?
  • How co-operative were the entity’s personnel?
  • In what specific ways was their audit approach modified from the plan previously discussed with the Committee, and why?
  • Did they identify any areas of potential management bias in financial reporting?
  • Will the external auditors’ report be modified in any respect?
  • Did any possible improprieties come to their attention during the course of their audit? If so, how were they resolved?
  • What is their opinion as to the quality of the accounting and financial staff?
  • Were any important internal control deficiencies encountered?
  • Were there any significant audit adjustments? What were the causes of the errors and do they demand further investigation?
  • Were there any unadjusted audit differences that were the subject of discussion or dispute with management?
  • Did any conditions come to the auditor’s attention during the course of the audit that may warrant in-depth investigation by management, the internal auditors, or the Committee?
  • Is the application of accounting standards in the financial statements acceptable and appropriate?
  • Has the external auditor identified significant control or other issues which require management attention?
  • What is the external auditor’s opinion of the quality of systems in place to record and report non-financial performance information reported in the statement of service performance?
  • Has the external auditor kept the Committee regularly informed about the progress of audits?
  • Has the external auditor been receptive to suggestions from the Committee about proposed audit coverage and the timing of audits?
  • Has the external auditor maintained professional and cordial relations with management?
  • Has the external auditor made a useful contribution to the deliberation of the Committee?

Private sessions

  • Has the external auditor had full and free access to all records and information required to conduct their audits?
  • Has management displayed a constructive and professional approach to the external auditor?
  • Are there any issues that the external auditor wishes to raise with the Committee about the audit of the entity’s financial statements, in particular or more generally?
  • Does the external auditor have any suggestions on how the work of the Committee could be improved?
Report details

Audit committees in the public sector

ISBN 978-0-478-18196-8

 
