We recognise the continuous and deep connection to Country, of Aboriginal and Torres Strait Islander peoples as the first peoples of this nation. In this way we respectfully acknowledge the Traditional Custodians of this land, sea, the waters and sky. We pay tribute to the Elders past and present as we also respect the collective ancestry that has brought us all here today.
Author: Lili Millawithanachchi
As we get closer to 30 June, many Internal Audit functions have been casting their minds to developing their annual internal audit programs. Careful selection of audit topics can help to uncover areas of emerging risks for agencies and add the most value.
In this blog we outline audit topics that could resonate for your organisation’s audit program in unexpected areas. We have paired each of these topics with innovative approaches to delivery that can help to bring new insights and offer different ways of engaging with stakeholders.
1. Business Resilience
Business resilience remains a key area of risk for many organisations as they continue to examine aspects of operations affected by the pandemic, the economic slowdown, and change in government.
In particular, supply chain management risks brought to light during the pandemic, constrained labour markets, and hybrid working models are posing ongoing resilience challenges for organisations of all sizes.
Agile auditing techniques can provide valuable insight and assurance over key areas that impact resilience. For example, a high-level audit of talent retention may be conducted to identify whether there are any significant gaps in the approach taken by the organisation. At the mid-point of the audit, the internal audit team may determine the need for a more in-depth review of one or more gaps identified. This way, audit effort is targeted to the areas of most significant exposure, which may not be known when planning the audit program.
2. Data Governance, Security, and User Access
Data governance, and more specifically data security, has taken centre stage for many organisations following several high-profile hacks in the past year. This has prompted closer examination of areas such as data retention and user access, as well as the security culture of organisations.
Behavioural audits of security risk management culture can provide insights into how effectively controls are operating in practice. An audit can be designed to identify attitudes to security management, particularly in positions of influence such as those in managerial or leadership roles. This can go beyond a “tick-and-flick” of whether an organisation is complying with requirements to providing insights on sticking points in improving security culture.
3. Performance Reporting
Agencies need to be prepared for the increasing level of scrutiny over performance information that will come with the Australian National Audit Office’s (ANAO’s) expansion of its annual performance statement audit program.
A series of snapshot audits through pivotal points in the performance reporting lifecycle can identify weak points and seek to address them early in 2023-24. Innovative reporting such as rapid snapshots and dashboards can be used to monitor and report on performance throughout the lifecycle. This would be useful for organisations seeking to ready themselves for an upcoming ANAO audit.
4. Indigenous Action Plans
Indigenous action plans are becoming an area of increasing focus for organisations as Australians consider the Indigenous Voice to Parliament.
If progress against the Indigenous action plan is a known weakness, a facilitative audit may be undertaken in which organisations are supported in addressing known gaps with guidance and advice to management, rather than simply leaving a number of recommendations. A facilitative audit involving Indigenous leaders or experts in the field can be a way of supporting organisations in identifying ways to improve Indigenous action plans.
5. Coordinated Assurance
A more coordinated approach to assurance activity improves efficiency in a cost-constrained environment. Assurance mapping, assurance strategies, and whole-of-organisation assurance frameworks can be leveraged by management and leaders to prioritise assurance activity in areas of greatest need, reduce duplication of effort, and improve decision making.
Internal Audit plays a pivotal role in assurance provision and is well placed to lead a more coordinated enterprise approach to assurance due to its technical expertise and visibility across the organisation. This may mean setting aside resourcing for coordinating assurance and sharing expertise to support other areas in implementing improved assurance approaches.
This can, for example, lead to supporting a second-line assurance function to develop self-assessments for evaluation of the effectiveness of a management framework.