Overview
We provide tools and guidelines to help public sector agencies strengthen internal audit functions and risk management. These include frameworks for assessing risk maturity, fraud prevention strategies, and the Audit and Risk Committee Prequalification Scheme.
These resources support agencies in establishing sound governance structures, detecting and mitigating risks, and continuously improving risk management practices.
Internal audit and risk management
The Internal Audit and Risk Management Policy for the General Government Sector (TPP20-08) (PDF 1.38MB) is a mandatory policy that helps agencies meet their legislative obligations under the Government Sector Finance Act 2018 (GSF Act). It sets minimum standards for risk management, internal audit, and Audit and Risk Committees (ARCs).
The GSF Act enhances accountability, transparency, performance, and innovation across the NSW Government. It defines the key roles and responsibilities of Accountable Authorities in managing their agencies' finances and performance. Under Section 3.6, Accountable Authorities must establish, maintain, and review effective systems for risk management, internal control, and assurance. This includes internal audits that are appropriate for the agency.
The policy goes beyond compliance. It provides a framework that encourages agencies to adopt best practices, tailor risk management strategies, and strengthen governance processes. It helps improve internal audit, risk management, and accountability across the NSW public sector, ensuring the responsible management of state resources.
For more information, contact Treasury’s Financial Management Policy team at finpol@treasury.nsw.gov.au.
Internal Audit and Risk Management Policy for the General Government Sector
The Internal Audit and Risk Management Policy was first issued in 2009 as a Treasurer’s Direction under the title Internal Audit and Risk Management Policy for the NSW Public Sector (TPP09-05). It was reissued in 2015 as TPP15-03 (PDF 761.66KB). Both versions promoted a better practice approach to internal audit and risk management, drawing on professional standards and best practices from leading public and private sector agencies.
In 2020, the policy was updated and issued as a mandatory policy, replacing TPP15-03 while maintaining its overall direction.
The updated policy also replaces the Guidance on Shared Arrangements and Subcommittees for Audit and Risk Committees (TPP16-02). It now includes guidance to help agencies establish Shared Arrangements and Audit and Risk Committee (ARC) Subcommittees.
A) Principles and Core Requirements
The Internal Audit and Risk Management Policy requires agencies to follow its Core Requirements.
1. Risk Management Framework

Principle | Core Requirements
---|---
Principle 1: Effective risk management arrangements should support the agency in achieving its objectives by systematically identifying and managing risks to: | Core Requirement 1.1 The Accountable Authority shall accept ultimate responsibility and accountability for risk management in the agency.
 | Core Requirement 1.2 The Accountable Authority shall establish and maintain a risk management framework that is appropriate for the agency. The Accountable Authority shall ensure the framework is consistent with AS ISO 31000:2018.

2. Internal Audit Function

Principle | Core Requirements
---|---
Principle 2: An internal audit function should provide timely and useful information to management about: | Core Requirement 2.1 The Accountable Authority shall establish and maintain an internal audit function that is appropriate for the agency and fit for purpose.
 | Core Requirement 2.2 The Accountable Authority shall ensure the internal audit function operates consistent with the International Standards for Professional Practice for Internal Auditing.
 | Core Requirement 2.3 The Accountable Authority shall ensure the agency has an Internal Audit Charter that is consistent with the content of the ‘model charter.’

3. Audit and Risk Committee

Principle | Core Requirements
---|---
Principle 3: An independent Audit and Risk Committee with appropriate expertise should provide relevant and timely advice to the Accountable Authority on the agency’s governance, risk and control frameworks and its external accountability obligations. | Core Requirement 3.1 The Accountable Authority shall establish and maintain efficient and effective arrangements for independent Audit and Risk Committee oversight to provide advice and guidance to the Accountable Authority on the agency’s governance processes, risk management and control frameworks, and its external accountability obligations.
 | Core Requirement 3.2 The Accountable Authority shall ensure the Audit and Risk Committee has a Charter that is consistent with the content of the ‘model charter.’
B) Attestation Statement in the Agency’s Annual Report
Agencies must confirm their compliance with the Core Requirements in an Attestation Statement (Annexure C of the Policy), published in their Annual Report.
If an agency’s cluster Secretary approves a shared arrangement, each agency must still submit its own Attestation Statement and publish it in its Annual Report. Agencies in a shared arrangement must complete the relevant templates from Annexure H and/or I of the Policy.
C) Submitting the Attestation Statement to Treasury
Agencies must submit a copy of their Attestation Statement to Treasury by 31 October each year.
If an agency does not fully comply with the Core Requirements, it must also submit the Ministerial Exemption approved by the Responsible Minister.
Send submissions to Treasury via email: finpol@treasury.nsw.gov.au.
D) Policy variations
Agencies vary in size and complexity, so the Policy allows certain variations to support effective and efficient implementation. Check the variations below to see if they apply to your agency.
Variations | Page references
---|---
i) Shared arrangements: A. Shared Audit and Risk Committee | Pages 12-14; Core Requirements 3.1.2-3.1.4; Annexure G
ii) Ministerial Exemption Process: Ministerial exemption to one or more of the Core Requirements for up to 2 reporting periods. | Pages 14-15; Annexure D
iii) Small Agency Exemption: Ongoing exemption to comply with one or more of the Core Requirements until any of the listed circumstances occurs. | Pages 15-16; Annexure E
iv) Transitional Arrangements: 12-month transitional period if the agency is in one or more of the following circumstances: | Pages 16-17
Audit and Risk Committee Prequalification Scheme
The Audit and Risk Committee (ARC) Prequalification Scheme helps NSW Government agencies appoint skilled, independent members to their ARCs, as required by TPP20-08 Internal Audit and Risk Management Policy (PDF 1.38MB). Agencies must select ARC chairs and members from a prequalified list of experienced professionals. Prequalified individuals can serve on up to five committees at a time.
Risk Management Resources
Risk Management Toolkit
Under Core Requirement 1.2 of NSW Treasury’s Internal Audit and Risk Management Policy for the NSW Public Sector (TPP20-08) (PDF 1.38MB), Accountable Authorities must establish and maintain a risk management process that follows the Australian Standard AS ISO 31000:2018 Risk Management Framework.
ISO 31000 outlines principles, frameworks, and processes to help organisations manage risks, reduce uncertainty, and improve decision-making. While it is not a compliance standard, it provides best-practice guidance based on key principles.
Risk management should suit an agency’s specific needs. NSW Treasury developed the Risk Management Toolkit to help agencies design and implement their risk management framework and processes. The Toolkit includes practical advice on key elements of ISO 31000, along with templates and examples based on a hypothetical agency.
Treasury Risk Maturity Assessment Tool
The Treasury Risk Maturity Assessment Tool helps improve risk management, culture, and capability across the NSW public sector. It provides a structured, consistent approach for agencies to:
- assess their risk maturity
- identify areas for improvement
- share results with leadership teams and Audit and Risk Committees.
The tool helps agencies:
- measure their risk maturity level
- improve risk culture and capability
- support whole-of-government risk management through a consistent approach
- track progress over time.
Using the tool also helps agencies meet their obligations under section 3.6 of the Government Sector Finance Act 2018, which requires Accountable Authorities (Secretaries and agency heads) to maintain effective risk management systems.
Developed through collaboration led by us, the tool includes input from a working group of cluster risk officers, key agency risk managers, and Protiviti. NSW Treasury acknowledges and appreciates their contributions.
The Treasury Risk Maturity Assessment Tool is based on the NSW Agency Risk Operating Model, which provides the methodology for risk maturity assessments. It ensures agencies consider all factors that contribute to effective risk management.

The model helps agencies assess risk maturity in the context of their organisation. The outer sections represent key influences, including:
- regulations and standards agencies must follow
- risk classes relevant to the agency
- organisational levels and divisions responsible for managing risk, including the Three Lines Model.
Agencies should consider these factors when assessing the 3 elements and 9 attributes in the Risk Maturity Matrix to determine their maturity level.
The Treasury Risk Maturity Assessment Tool Spreadsheet (XLSX 91.36KB) allows agencies to conduct a self-assessment. It provides a summary of their risk maturity, including their current state and a plan to reach their target maturity level.
Fraud prevention
NSW Treasury encourages all agencies to design and implement an effective Fraud and Corruption Prevention Framework. To support this, Treasury has compiled guidance and resources from government and non-government organisations in Australia and the UK.
The following resources provide a starting point for agencies reviewing their frameworks.
- Fraud Control Improvement Kit: Helps organisations implement an effective fraud control framework. It outlines key framework elements and includes practical resources for implementation, review, and monitoring.
- Audit Office NSW 2012 Fraud Survey.
- Free workshops: ICAC runs free corruption prevention workshops for NSW public sector agencies and officials. Agencies can also request in-house workshops.
- Strategic responses to corruption executive short course: This workshop is targeted at senior executives who have operational responsibility for work areas that have significant vulnerability to corruption.
- Fraud Control in Australian Government Agencies: Better Practice Guide (March 2011): Explores key aspects of a strong fraud control framework and fraud control operations.
- Fraud Control in Australian Government Agencies: Quick Reference Guide (March 2011): A summary of essential conditions for effective fraud control.
- AS 8001-2021 Fraud and Corruption Control: Standards Australia’s fraud standard.
- Foundations for Corruption Prevention: ICAC NSW guidance.
- Controlling Fraud and Corruption - A Prevention Checklist: Published by Victoria’s Independent Broad-based Anti-corruption Commission.
- Fraud and Corruption Control Guidelines for Best Practice: Crime and Misconduct Commission Queensland publication.