NORTH SHORE COUNCILS

INTERNAL AUDIT

OPERATING PROTOCOLS

Prepared by Michael Quirk, Head of Internal Audit

March 2010
Endorsed by Council Audit Committees:
North Sydney 7 April 2010
Mosman 15 April 2010
Willoughby 25 August 2010
Manly 28 April 2010
Lane Cove 5 May 2010
 TABLE OF CONTENTS
Item Description Page
No No
1 Introduction 4

1.1 Background 4
1.2 Purpose and basis of the Charter 4
2 Authority of Internal Audit and Obligations of Employees 4-5

2.1 Authority to Act 4

2.2 Removal of Records 5
2.3 Specific Obligations of Staff 5
2.4 Referral of New Systems Proposals 5
3 Interaction With and By Internal Audit 5-6

3.1 Councillors 5
3.2 General Manager 6
3.3 Audit Committee Chairperson 6
3.4 External Auditor 6
3.5 Council Management and Staff 6
3.6 Complaints About the Conduct of Internal Audit 6
4 Accountabilities 7

4.1 Administrative Accountability of Audit 7

4.2 Management Accountability of Audit 7
5 Standards and Ethics 7

5.1 Auditing Standards 7

5.2 Code of Ethics and Conduct 7
5.3 Use of Contractors 7
6 Conduct of Audits and Reviews 8-10

6.1 Models of Audits and Reviews 8

6.2 Audit and Review Planning 8
6.3 Notice of Forthcoming Audits or Reviews 8
6.4 Investigations, Surprise Audits and Reviews 8
6.5 Reporting of Irregularities 8

Operating Protocols NOV2011V41.docx Page 2 of 12

 TABLE OF CONTENTS
Item Description Page
No No
6.6 Consultation during the Audit or Review 9
6.7 Audit and Review Reports 9
6.8 Shared Learnings From Internal Audits 9
6.9 Status Reports on Implementation 9
6.10 Working Papers 10
6.11 Security of Records 10
6.12 Accounting for Audit Work 10
6.13 Performance Reporting 11
7 Liaison with the External Auditor 11

7.1 Liaison For Statutory Audit Purposes 11

7.2 Availability of Internal Audit Records 11
8 Review of the Protocols 11

8.1 Requirements for Review 11

Attachment 1 – Control Environment Rating Scale 12

Operating Protocols NOV2011V41.docx Page 3 of 12

1. INTRODUCTION
1.1 Background
An Internal Audit function has been established to provide Internal Audit services to
six North Shore Councils. An agreement entered into by Hunter’s Hill, Lane Cove,
Manly, Mosman, North Sydney and Willoughby Councils, requires a single Internal
Audit function to undertake internal audits and reviews in each member Council in
accordance with the Audit Committee Charter and Audit Plan adopted by each
Council.

1.1 Purpose and basis of the Operating Protocols

This protocol defines a number of the requirements for the operation and
accountability of the Internal Audit function and is to be read in conjunction with each
member Council’s adopted Charter of Internal Audit. The protocol aims to clarify how
the Internal Audit function will operate and provide improved transparency in its
operation. The provisions of the member Council’s adopted Charter of Internal Audit
shall apply in the event of any inconsistency between this protocol and the member
Council’s adopted Charter of Internal Audit.

2. AUTHORITY OF INTERNAL AUDIT AND OBLIGATIONS OF COUNCIL

EMPLOYEES
2.1 Authority to Act
The Head of Internal Audit and his/her delegates are authorised to:
 Have unrestricted access to all functions, property, personnel, records,
information, accounts, files, monies and documentation as necessary to
conduct audits and reviews.
 Have full and free access to the General Manager and the Chairperson of
the Audit Committee and, where deemed necessary by the Head of
Internal Audit, the Mayor in relation to Internal Audit Services.
 Allocate resources, set frequencies, select subjects, determine scopes of
work and apply the techniques required to accomplish the internal audit
objectives.
 Obtain the necessary assistance of Council staff where audits are
performed, as well as specialised services from within or outside the
organisation.
 Establish enforceable timelines for the delivery of information and reports.
The Head of Internal Audit and his/her delegates are not authorised to:
 Perform any operational duties for other areas of the Council.
 Initiate or approve accounting transactions external to Internal Audit
operations.
 Direct activities of any Council employee not employed by Internal Audit,
except to the extent that such employees have been assigned or engaged
to assist Internal Audit.

2.2 Removal of Records

Operating Protocols NOV2011V41.docx Page 4 of 12

During the course of audits, reviews or investigations it may be necessary to remove
records or other information. A record will be maintained of any item temporarily
removed by Internal Audit staff. Information provided in hard copy or electronic
media to the Internal Audit will be receipted and returned in accordance with Unit
procedures.

2.3 Specific Obligations of Staff

Any employee, when called upon by a member of Internal Audit, shall furnish such
information deemed necessary for the proper conduct of an audit, review or
investigation. Employees must produce for counting as required all moneys and
value documents held by them on behalf of Council. Employees must also produce
for counting and inspection all stores, plant and equipment and other assets when
required by Internal Audit, and furnish within 14 days (or as advised) written replies
and explanations requested of them by Audit memoranda, surveys, questionnaires or
other form of inquiry.

2.4 Referral of Significant New Systems Proposals

Any employee responsible for the development and/or implementation of significant
new systems and procedures, or enhancement of existing systems and procedures,
should consider the impact on the control environment and consult with the Head of
Internal Audit where appropriate.

3. INTERACTION WITH AND BY INTERNAL AUDIT

Internal Audit is required to communicate with a wide range of people in the delivery
of the Internal Audit Plan. The Department of Local Government Guidelines for
Internal Audit provide a framework for InternalAudit reporting lines (Sections 2.3 and
3.4). The following protocols aim to provide a consistent basis for such
communications and clarify the expectations of relevant parties.

3.1 Councillors and Independent Audit Committee Members

Interaction is to be in accordance with Code of Conduct and any adopted policies for
interaction between Councillors and staff. Requests of Internal Audit are to be
directed through the General Manager, or the Chair of the Audit Committee for action
by resolution of the Committee. The Head of Internal Audit may liaise with the Mayor
on matters relating to the conduct of the General Manager.

3.2 General Manager

Interaction is to be in accordance with Code of Conduct and reasonable business
practice. Internal Audit reports administratively to the General Manager and regular
interaction is expected.
The Head of Internal Audit will meet periodically with the General Managers of the
member Councils to aid in the planning and review of the Internal Audit function.

3.3 Audit Committee Chairperson

Interaction is to be in accordance with Code of Conduct and reasonable business
practice. The Chairperson of the Audit Committee may meet privately with the Head
Operating Protocols NOV2011V41.docx Page 5 of 12
of Internal Audit.

3.4 External Auditor

Interaction is to be in accordance with the Code of Conduct and reasonable business
practice. Regular communication between Internal and External Audit is
encouraged. The external auditor may meet privately with the Head of Internal Audit.

3.5 Council Management and Staff

Interaction is to be in accordance with the Code of Conduct, Internal Audit Charter
and reasonable business practice.
The Head of Internal Audit may report to the General Manager instances where
Council staff fail to adequately provide information, property or personnel as detailed
in Section 2 of this Protocol.
Where a member of staff raises matters with Internal Audit that relate to staff
grievances, or matters covered by the Council’s Protected Disclosure Policy(s), the
Head of Internal Audit will report such matters to the relevant Human Resources
Manager, Public Officer, Protected Disclosures Co-ordinator or the General
Manager.

3.6 Complaints About the Conduct of Internal Audit

Where a member of staff or other person wish to complain about the conduct of an
internal audit, or of the auditor, the member of staff or other person should raise the
complaint with the Head of Internal Audit in the first instance. Where the matter
cannot be resolved at management level (or relates to the conduct of the Head of
Internal Audit), the matter is to be referred to the relevant General Manager and if not
resolved by the General Manager to be reported to the Audit Committee.

Operating Protocols NOV2011V41.docx Page 6 of 12

4. ACCOUNTABILITIES
4.1 Administrative Accountability
On matters of administration, budgeting, finance and human resources management
of Internal Audit, the Head of Internal Audit shall be accountable to the General
Manager.

4.2 Functional Accountability

The Head of Internal Audit is accountable to the Audit Committee for the overall
effective performance of Internal Audit.

5. STANDARDS AND ETHICS

5.1 Auditing Standards
In conducting audits, Internal Audit will meet or exceed the Standards for the
Professional Practice of Internal Auditing as promulgated by The Institute of Internal
Auditors.

5.2 Codes of Ethics and Conduct

Internal Audit shall conform to the Code of Ethics of the International Institute of
Internal Auditors, and to the relevant Council’s Code of Conduct.

5.3 Use of Contractors

Where Internal Audit engages contractors, there shall be a written agreement with
the practitioner that specifies project objectives, scope, reporting relationships, the
powers of the contractor, and the rights of Council to examine contractor
documentation.
Contractors shall only be engaged in full compliance with Council policy and
procedures.

Operating Protocols NOV2011V41.docx Page 7 of 12

6. CONDUCT OF AUDITS AND REVIEWS
6.1 Models of Audits and Reviews
A number of different operating models for conducting internal audits will be used to
deliver the Internal Audit Plan. Alternative methods including task secondment, self
assessment and total data sampling, aim to improve internal audit efficiency.
Alternative methods will generally provide more work for the relevant Council staff
but require less substantive testing by the Internal Auditor.

The use of alternative models for conducting internal audits will be communicated
to the relevant Council management well in advance of the commencement of the
audit.

6.2 Audit and Review Planning

Prior to approval by the Audit Committee the Internal Audit Plan will be approved by
the General Manager of the six member Councils. Audits and reviews will be
planned and conducted in accordance with the Internal Audit Plan. This plan may
be reviewed and altered if priorities change, subject to the concurrence of the
General Managers of the six member Councils, and respective Audit Committees
notified in accordance with the adopted Internal Audit Charter .

6.3 Notification of Forthcoming Audits or Reviews

Internal Audit will provide managers with adequate notice prior to the
commencement of each audit or review, to ensure that the audit or review
objectives and scope are fully disclosed, and that management can make
arrangements for the appropriate records, accommodation and liaison staff to be
available.

6.4 Investigations, Surprise Audits and Reviews

Unplanned investigations, spot checks and surprise audits should be the exception
rather than the rule. Such activities are authorised by the relevant General
Manager, and all aspects of these activities will be considered confidential within
Internal Audit.

6.5 Reporting of Irregularities

As a general rule, queries raised by Internal Audit will be resolved with line
management and reported accordingly. Where an irregularity is disclosed by an
audit or review which involves moneys, stores and other assets which cannot be
accounted for, and which may be due to theft, defalcation or a serious breakdown in
control, such matters will be reported immediately to the relevant General Manager.

6.6 Consultation during the Audit or Review

Internal Audit will advise managers in writing of matters requiring attention during
the course of the audit or review. The results of the activity will be reviewed with
the manager of the relevant area to enable agreement or otherwise to the audit or

Operating Protocols NOV2011V41.docx Page 8 of 12

review findings and recommendations.

6.7 Audit and Review Reports

A report will be prepared at the completion of each audit comprising the findings
and any recommendations arising from the audit. The audit report will also include
a rating of the effectiveness of the control environment in accordance with the scale
shown at Attachment 1.
Where reports are prepared, a draft will be provided to the appropriate senior
manager for comment and discussion prior to the preparation of the final report. A
management response to the draft will generally be expected within 21 days. The
final report, incorporating management responses, will be provided to the General
Manager for comment.
An Executive Summary of the findings, recommendations and current status of
each completed audit will be prepared. The Executive Summary will form part of
the business papers for the Audit Committee Meetings. A copy of the Executive
Summary will also be provided to the External Auditor on request.
A copy of the Internal Audit final reports will be available at the relevant Audit
Committee Meetings. Audit reports with an overall rating of 1 or 2 will be available
in full at the Audit Committee meeting.

6.8 Shared Learnings from Internal Audits

Where the findings and recommendations arising from the internal audit of one or
more client Councils may in the opinion of the Head of Internal Audit benefit the
other member Councils, such findings and recommendations will be communicated
to those member Councils.
In providing information on audit findings and recommendations from a client
Council to others, the Head of Internal Audit will maintain confidentiality
requirements of the client Council. In this regard, the Head of Internal Audit will
prepare a separate summary report for the information of other member Councils.
Such summary reports will not be subject to separate internal audit testing or
reporting to the member Councils’ Audit Committee.

6.9 Status Reports on Implementation

The Head of Internal Audit will periodically request updated information on the
implementation of agreed audit recommendations. Responsible officers will have a
maximum of ten working days to provide written response to such requests.
Internal Audit may conduct further testing on the implementation prior to reporting to
the Audit Committee.

6.10 Working Papers

Working papers will be maintained by Internal Audit as supporting documentation for
all audits, investigations and reviews. They will be accurate, logically arranged and
sufficiently detailed to provide the following information:
 evidence of the evaluation of the system, processes and/or people;

Operating Protocols NOV2011V41.docx Page 9 of 12

  evidence for the audit or review opinion on the key business risks and
controls, i.e. whether or not there are any minor or critical weaknesses;
 evidence of tests undertaken;
 evidence that the audit or review objectives have been met;
 a summary of overall audit or review findings;
 adequate indexing and cross-referencing of working papers;
 copies of source documentation, analysis and testing undertaken,
discussion records and research material, and
 where working papers are kept on computer media, these will be backed
up and secured from theft, accidental damage or unauthorised access to
information.

6.11 Security of Records

Reports arising from Internal Audit activity, together with any associated working
papers and evidentiary papers will be confidentially retained in the Electronic
Document Management System at Willoughby City Council.
Audit documents from one Council will not be provided to officers from another
Council without the express agreement of the originating Council’s General Manager
or Public Officer.
Access to all documents held at Willoughby City Council relating to Internal Audit
activity will be restricted to Internal Audit staff, Information Management staff (for
system administration purposes only), and to the relevant General Manager.

6.12 Accounting for Audit Work

Internal Audit activities will be recorded to the relevant project in 30 minute intervals.
Time allocation will be recorded by the Head of Internal Audit for the purposes of
performance evaluation, and for inter-council charging in relation to the six-Council
agreement.
6.13 Performance Reporting
The Head of Internal Audit will implement a performance feedback process with
managers and staff in audited areas. The results of the performance feedback will be
reported to the Audit Committee annually.

7. LIAISON WITH THE EXTERNAL AUDITOR

7.1 Liaison for Statutory Audit Purposes
The Head of Internal Audit will ensure that formal liaison, through regular meetings
with the External Auditor’s representatives, is maintained for the purposes of the
statutory audit and to minimize duplication of effort.

7.2 Availability of Service Audit and Review Records

All Internal Audit working papers, files, records and reports will be made available to
the External Auditor on request, subject to the concurrence of the relevant General

Operating Protocols NOV2011V41.docx Page 10 of 12

Manager.

8. REVIEW OF THE PROTOCOLS

8.1 Requirements for Review
These Protocols will be reviewed from time to time as required by the General
Managers to ensure its applicability to Council’s operations. In any event the Head
of Internal Audit will ensure that a review occurs at least annually and the results of
such review are reported to the General Managers and Audit Committee and
documented on file.
______________________________________________

Approved Mosman Audit Committee 15 April 2010

Reviewed Version 4 Mosman Audit Committee 24 November 2011

Reviewed Version 4 Mosman Audit Committee 22 November 2012

Operating Protocols NOV2011V41.docx Page 11 of 12

 Attachment 1

CONTROL ENVIRONMENT RATING

5 Strong Control Environment – Minimal opportunities for improvement

identified.

4 Effective Control Environment – A small number of control risk issues

mainly minor in nature / opportunities for improvement identified.

3 Control Environment Requires Improvement – Several issues of

concern noted, mainly of a Moderate nature.

2 Control Environment Below Acceptable Standards – Control

weaknesses found in a number of areas, evidenced by the number of
Significant and Moderate control risk issues identified.

1 Unsatisfactory – Pervasive, significant weaknesses in controls indicating

systemic problems evidenced by the number of Significant and Moderate
control risk issues identified.

Operating Protocols NOV2011V41.docx Page 12 of 12