Victorian Auditor-General's Office

COMPLIANCE AUDITING IN THE PUBLIC SECTOR

Presentation to
Public Sector Auditing Conference, Kuala Lumpur

By Wayne Cameron,
Auditor-General of Victoria

7 October 2003

Compliance management and audit

Compliance auditing undoubtedly means different things to different people. It is important that it not be defined too narrowly. We should not be leaving behind what was more frequently referred to as “regularity auditing”.

The difference, I believe, comes not from its contents, but its current setting. Yet, it is more than “regularity auditing”. The concept should be viewed in an expanded context embracing:

    • legislation and delegated authority;

    • governance and risk management; and

    • maintenance of core business processes and internal controls.

All of these can impact significantly on an entity’s strategic performance and stewardship functions.

Thus, my presentation this morning will consider:

    • Context;

    • Awareness;

    • Integration with risk management;

    • CM in context of governance;

    • Audit response; and

    • Some case studies (if we have time).

Context

The public sector is changing, due to the changing ways that governments carry out their activities. My presentation yesterday (Challenges and issues faced by the legislative auditor) set out the range, nature and scope of these changes.

There are other influences also that lead me to believe that the place of the compliance audit must be developed further. This slide sets some of the key ones out. I will tease out the latter 2 on the next slides.

Increasing legislation and regulation

    • Seen to be necessary because of these other influences; and

    • The community’s desire to have clear “rules” for conducting their daily lives; also

    • Greater use of tied grants in federal government systems, such as Australia, by central government to states and territories - requiring certification and acquittance.

Narrowing financial audit focus

We don’t always test compliance as part of the annual attest audit. Financial audit, therefore, only provides limited assurance. And that’s not enough in the public sector where the “audit” objectives are wider and are expected to include aspects of regularity audit.

Devolution, outsourcing and privatisation

Devolution - To staff

Outsourcing - Use of contractors, e.g. building and health inspections (see case study)

    - Need to make requirements explicit – including broader public sector requirements, e.g. risk management, keeping government informed, fairness/transparency/probity etc.

    - Need to codify requirements and expectations if you want consistency and compliance

    - Need for access (to verify compliance with arrangements)

    - Need review mechanisms to test whether it’s working properly.

    - Need quality management systems

    - Need to put effort in at beginning and over course of the arrangement, e.g. training.

    - Need clearly understood review and action process.

Awareness of compliance management

Ensuring effective communications within agencies is critical in order for compliance management (CM) to be effective – it’s rather like risk management. It requires a sound framework, clearly communicated, and good reporting mechanisms. Culture supports positive CM.

It’s almost a cultural thing – a high level of awareness and clarity about boundaries lessens the risk of error and subsequent embarrassment, e.g. administrative orders on restructure, compliance with appropriation, reinforcing the controller role.

The risk will revert – all the more reason to ensure good monitoring and communication systems are maintained.

Penalty for failure will turn back on the delegator – e.g. outsourcing, delegation.

Integration of compliance management with organisational risk management

Features of an effective risk management (RM) framework are already well documented in the literature, such as:

    • Australian/NZ standards on Risk Management

    • Quality Framework

My preference is to place CM in the RM framework.

Governance arrangements and CM

Here is not the place to talk about an effective governance framework. It is essential to the long-term success of any organisation. The important points I wanted to underscore here are that:

    • RM and GG are birds of the same feather. You can’t have one without the other; and

    • It is a mistake to focus on the current/short-term RM/CM/governance model.

Any control/management framework must take the long-term view. It’s about sustainable good performance over the long-term that should be realised. Avoid the risk of seeing RM/CM in the short-term context.

Audit response

What then does this mean to us, as auditors in the public sector? And how do we respond to these forces?

    • Strategic audit plan should cover it.

    • Leading to a broad range of audit products designed to provide assurance to Parliament and, over the longer-term, lead to sound public administration.

We will need to draw on experience of other legislative auditors to maintain (develop) appropriate audit methodologies.

Case studies

Case study 1: Payroll systems

This topic was one of 2 compliance and control audits that my office undertook in 2002-03. The Australian National Audit Office now also does these types of audits.

Audit scope and criteria

    • Payroll arrangements and systems.

    • Risk management strategies.

    • Control environment.

    • Ongoing controls and processes.

    • Management information and reporting.

    • Monitoring and review functions.

    Inconsistent practices between regional locations in initiating payroll transactions.

    • Delays in receipt of changes to payroll data from regional locations resulting in a number of overpayments by one agency and costs of recovery.

    • In 7 agencies, the costs of payroll function could not be identified.

    • Only 11 out of 17 had conducted cost-benefit studies in support of outsourcing or new software decisions.

    • Four agencies identified substantial financial and other benefits in outsourcing aspects of the payroll process.

    • Eight out of 17 agencies outsourced payroll.

    • Outsourced arrangements were adequately documented.

One agency had acquired ISO 9002 certification and used the ongoing certification process as a means of ensuring that all policies and procedures for human resources and payroll were kept current.

Case Study 2: Risk management

Audit scope

We examined risk management practice across the public sector:

    • 61 agencies;

    • 4 detailed case studies; and

    • role of central agencies.

We examined risk management structures and processes at a state-sector level.

Our case studies included:

    • State Trustees;

    • Kangan Batman TAFE;

    • Western Metropolitan Health Service; and

    • drinking water quality authorities

Findings

    Most organisations are engaged in risk management processes

    • 70 per cent of organisations adopt a formal approach - usually AS4360:1999

    • 66 per cent are identifying and assessing their key risks

    • Half identify and evaluate risk controls

    • 33 per cent apply risk to the whole of their business

    • 75 per cent ensure service providers apply risk management

    • 80 per cent have contingency planning – only 33 per cent testing

    • Risks to key stakeholders were not always reported

There is a need for:

    • a consistent approach by the public sector to adopt formal risk management practices appropriate to the organisation’s level of risk; and

    • Victorian Government guidance to the public sector, including requirements for public reporting and other means of accountability

Findings

Risks may go undetected at state-sector level and insufficient risk mitigation strategies could be implemented from a whole-of-State perspective.

Conclusions

There is a need for:

    • explicit guidelines to identify and manage risks in the state-sector;

    • developing the capacity to identify key State-sector risk exposures; and

    • clarity around the responsibility for the escalation of risks

Case Study 3: Food safety

    • We used specialists/outside experts in food safety:

        - Consortium led by Quality Food Management Systems

        - Victoria University – Centre for Hospitality and Tourism Research

        - Baldwin Solicitors; and

    • We largely outsourced inspection function.

Our report featured a number of table formats which identified good and poor practices.

Case Study 4: IT security

This was included in our Report on Public Sector Agencies, May 2003. The objective of the audit was to assess the adequacy of internet security practices in selected agencies.

Scope

Four Victorian government agencies – 2 of which had their website hosted by third-party suppliers.

Specialist assistance

Citadel Security – to undertake technical scanning (vulnerabilities), and use was made of “internet security scanner” software

Tools

ACL – Interrogation

Audit – Express – Unix Security

Spreadsheet Professional
