In the first part of this series we discussed the following:
- What are internal audits?
- What are the benefits of conducting internal audits?
- What is an audit scope?
- What is usually included in an RTO internal audit?
- Who can be an internal auditor?
In this part, we will cover the following areas:
- Compliance costs and risks in terms of “risk management”
- Effective internal audit function
Compliance costs and risks in terms of “risk management”
Compliance costs for an RTO can be quite high. RTO managers are finding that cooperation across the three areas of risk management can achieve an integrated risk management solution that is beneficial to the RTO. In risk management, control is the first line of defence; risk and control monitoring is the second line of defence and the third line of defence is self-assurance through the internal audit function. Working on all three defence lines is not new, but the concept has not been widely incorporated into standard risk management practices. In an environment that perceives risks to be increasing and resources to be limited, many managers find that aligning the efforts of the three defence lines can contribute to a systematic and effective risk management process.
Effective internal audit function
To be effective, the internal audit must identify a methodology for assessing other defence lines and alleviating common challenges. Barriers to the ability of the internal audit to rely on others include a lack of understanding of the first and second lines of defence among RTO personnel. Without management that is interested in identifying and resolving the risks, and without compliance controls and checklists in place, your RTO cannot assure compliance across all its operations.
This is when you need someone completely outside the RTO to conduct an internal audit on your operations and systems and provide you with honest feedback and the mechanisms to get your RTO back on track. There is a concern in the RTO sector that relying on others for an internal audit will undermine independence and objectivity. The truth is that an internal audit can help the organisation build a more streamlined risk management process which utilises all available resources in an efficient and effective way.
Internal audits should be a blended program
Just relying on consultants for an internal audit is neither a “practical” nor a “sensible” solution. You must participate in audit activities. You must understand all the ins and outs of the RTO system. You must ask questions and ask for explanations (where is that written, where is that information coming from) and seek to understand how everything is linked back to the regulatory guidelines.
Blended internal audit program
To develop and maintain a self-assessment internal audit program, you need to provide training to your RTO staff on internal controls and risk assessment. If you are unsure about anything, read the regulatory guidelines, interpret them (what does that look like?) and, if unsure, seek expert advice. To ensure you develop a blended internal audit program, involve a professional compliance business and use their experts to develop the internal audit activities that will be performed in order to achieve overall compliance status for your RTO and an enhanced risk-control environment.