Home > Preventing corruption > Corruption risk management > Internal audit

Internal audit

In the corruption risk management context, internal audit can:

provide assurance that the organisation's financial and operational controls are operating effectively to manage corruption risks, and
assist management in improving business performance.

Internal auditors review and evaluate the financial and operational controls put in place by management, including those which prevent and detect corruption. Internal auditors identify weaknesses or failures to implement these controls and make recommendations to improve them.

Auditors also have general expertise in risk management and are therefore in a position to assist agencies with their corruption risk management process in a number of ways, for example by:

providing training and advice to managers about risk management
facilitating or coordinating the corruption risk management process in the agency
assisting in the organisation's corruption risk assessment and helping develop appropriate mitigation strategies
providing advice about fraud and corruption risks
monitoring the effectiveness of corruption risk assessments
assisting management with the design and implementation of the agency's internal controls
monitoring how well managers control risks, and
providing advice about the adequacy of risk treatment strategies.

This is not a role that is undertaken by internal audit in all public sector agencies. However, internal audit is moving beyond its traditional role of examining the effectiveness of agency controls. KPMG notes that:

The modern organisation's internal audit function is a key participant in antifraud activities, supporting management's approach to preventing, detecting, and responding to fraud and misconduct. Such responsibilities represent a change from the more traditional role of internal audit.

The extent of the role currently played by internal audit in an agency's corruption risk management process will vary. Some agencies may have little experience with risk management generally and may, consequently, give internal audit a key role in the corruption risk management process. Other agencies may be very experienced in risk management or even have a dedicated risk management officer or unit. In these agencies, internal audit's role may be more focused on the effectiveness of the corruption risk treatment strategies or processes rather than on risk identification.

Case study
A sales administrator employed by the Roads and Traffic Authority (RTA) took advantage of RTA procedures to solicit and receive payments from real estate agents retained by the RTA to sell land. In exchange for these payments, he recommended the continued use of the agents' services. He was found to have engaged in this corrupt conduct from 1989 to 1994. The ICAC found that the RTA's systems and procedures had provided the sales administrator with the opportunity to engage in corrupt conduct. In early 1991, the RTA's internal audit branch had conducted a detailed property services fraud limitation review. It had identified the risk of corrupt payments of the kind established in this inquiry and suggested a remedy. Although the remedy suggested was not accepted by RTA management, it acknowledged the existence of the risk and suggested a different remedy. However, ultimately the RTA did not implement either remedy. The sales administrator's corrupt activity commenced around 1989 and continued until the ICAC's investigation in 1994. Thanks to its audit branch, the RTA was aware of the risk that a staff member could behave just as this sales administrator did. If it had implemented measures to address this risk, it is possible that this staff member's corrupt conduct might have been discovered much sooner.

Case study

A sales administrator employed by the Roads and Traffic Authority (RTA) took advantage of RTA procedures to solicit and receive payments from real estate agents retained by the RTA to sell land. In exchange for these payments, he recommended the continued use of the agents' services. He was found to have engaged in this corrupt conduct from 1989 to 1994.

The ICAC found that the RTA's systems and procedures had provided the sales administrator with the opportunity to engage in corrupt conduct. In early 1991, the RTA's internal audit branch had conducted a detailed property services fraud limitation review. It had identified the risk of corrupt payments of the kind established in this inquiry and suggested a remedy. Although the remedy suggested was not accepted by RTA management, it acknowledged the existence of the risk and suggested a different remedy. However, ultimately the RTA did not implement either remedy. The sales administrator's corrupt activity commenced around 1989 and continued until the ICAC's investigation in 1994. Thanks to its audit branch, the RTA was aware of the risk that a staff member could behave just as this sales administrator did. If it had implemented measures to address this risk, it is possible that this staff member's corrupt conduct might have been discovered much sooner.

Resources

Publications

Fraud control, Developing an Effective Strategy, Volume 2, Audit Office of NSW and Office of Public Management, NSW Premier's Department, 1994

Fraud Risk Management – Developing a Strategy for Prevention, Detection and Response, KPMG, 2006

Monitoring and reporting on performance audit recommendations, Audit Office of NSW, June 2001

Public Sector Internal Audit, Australian National Audit Office, September 2007.
Risk Management & Internal Control: A step by step approach to managing risk more effectively, NSW Treasury, September 1997, pp. 42–55

The Role of Auditing in Public Sector Governance, Institute of Internal Auditors, November 2006.

Relevant websites

Institute of Internal Auditors, www.iia.org.au
NSW Treasury, www.treasury.nsw.gov.au
Audit Office of New South Wales, www.audit.nsw.gov.au
Australian National Audit Office, www.anao.gov.au

Internal audit

Resources

Publications

Relevant websites

Related topics on the ICAC website