July 2022 Post Audit Activity – - PowerPoint Presentation

1. July 2022Post Audit Activity – Management Action Follow-Up

2. Audit Engagement Closure Process – Deliverables & TimelineNote:To meet commitments for reporting to the Audit & Risk Committee, responsible action owner will be followed up to ensure management actions have been effectively implemented to address audit recommendations.A formal approval process and escalation pathways for approvals established for changes to action due dates from implementation dates originally proposed by management. * To gain access to the Protecht MARS system, please complete the User Access Form and submit to the Chief Risk Office for review. The agreed audit actions are logged and tracked through a quarterly follow-up process using Protecht - Management Action Response System (MARS).This occurs at the end of each quarter. Management/ action owners are required to document the status of open audit actions and attach supporting evidence in MARS* for audit to perform desktop review.Status update and evidence will be reviewed by audit using the information submitted in MARS by the management/action owners. This is to ensure action plans have been implemented as intended. Extensions or substantial changes to actions will be as per approved escalation and approval processes using a change briefing.Follow-up results are summarised and report provided to the DoE Executives and ARC.Follow-upAgreed Action Status AnalysisReportingManagement Action Follow UpPost Audit FeedbackTo help us improve our service, you will be contacted to discuss how we performed during the audit.Your feedback will be summarised in a report and periodically reported to the Audit and Risk Committee.

3. Open audit actions will be followed-up in keeping with Internal Audit Standards specified in the International Professional Practices Framework (IPPF) for internal audit. This process supports accountability and governance over the implementation of audit actions and supports transparent management of risks and issues within identified tolerances. On a quarterly basis, implementation status of audit actions are reported to the DoE Executives and the Audit and Risk Committee (ARC)*.Management/action owners are required to document status updates for each open action in MARS accompanied with evidence within the specified time frame during the follow-up cycle and request for Audit Review via the MARS workflow. Internal audit will perform desktop review of actions undertaken and sight evidence via MARS . In exceptional circumstances, internal audit may follow-up individual items more frequently if required. Due date extensions or substantial changes to actions will be as per approved escalation and approval processes using a change briefing. If a due date is extended more than once, the approved change brief will be tabled at the ARC.For Internal Audit actions, business units are to prepare a change briefing for due date extensions and follow escalation pathways (Refer to Tables 1 and 2 on slide 5 & 6). Original agreed date can not be updated in MARS without an approved Change Brief. Once the extension is approved by the relevant approver, the business unit forwards the Change Brief to the Chief Audit Executive and Manager Audit Operations. The due date will be amended in the system (MARS) by the Internal Audit team. For External Audit actions, business units are to prepare a change briefing for due date extensions and seek approval from the relevant Deputy Secretary. Once the approval for extension is obtained, the business unit forwards the Change Brief to the Chief Risk Office to amend the due date in the system (MARS). Please refer to the Audit Extension process map on slide 4.Management Action Follow-up Process in Detail3Note: * implementation status of agreed internal audit, Audit Office and regulators recommendations are reported.This updated follow-up process does not apply to the School Audit Program which is a cyclical program running throughout the year.

4. 4Audit Extension Process map

5. 5TABLE 1 – Criteria for approvals for due date extensions/other significant changes CriteriaLow or Medium FindingsHigh or Very High Findings Section A – Number of Revisions / Period overdue<2 revisionsor< 3 months overdueChief Audit Executive approval required (Director Audit is CAE)The request must be submitted via a change briefing with sufficient evidence and commentary on rationale. A Change Briefing Template can be found in Trim Ref. DOC21/1189394 or the IA intranet Page. The Chief Audit Executive will consider and approve or decline any revision of target remediation dates after relevant discussions with management.Deputy Secretary approval>2 revisionor>3 months overdueDeputy Secretary approvalIf the number of extensions exceeds four or the open action the extension is being sought for is more than six months overdue, then the CAE at their discretion, may escalate the matter to the Secretary for approval. Secretary approvalSection B - Extension Period SoughtLow/Medium rated findings: If the required extension is for a period:<= 6 months – CAE approval is required> 6 months – Deputy Secretary approval is requiredHigh/Extreme rated findings – if the required extension period is > 3 then Secretary approval is requiredNotes: The process for obtaining approval for changes is outlined in Table 2 on slide 6.Guidance on items to be covered in a change briefing provided in slide 7.Please contact audit if clarification is required.Change requests for due dates or other major changes to action content must follow the escalation pathways belowwhen criteria from either Section A OR Section B are met.

6. 6TABLE 2- Process for Deputy Secretary and Secretary Approval for ChangesApproval Delegation for ChangesHigh or Very High FindingsDeputy SecretaryApprovalThe status update to Internal Audit must include a change briefing approved by the relevant Deputy Secretary and appropriate additional evidence. On receipt of the briefing, if required the Chief Audit Executive may discuss with the relevant Deputy Secretary additional information before internal audit records are updated.Secretary ApprovalA change briefing must be submitted to the Secretary via the Deputy Secretary, copy to the Chief Audit Executive and may occur during or before a follow-up process. If a signed approval from the Secretary is not available within the follow-up period (normally 2-3 weeks), the briefing submitted must be attached as evidence. Internal Audit will note this as submitted but will not update the status until evidence of formal approval by the Secretary is provided to the Chief Audit Executive. This should occur within the specified period before Executive papers are prepared. If approvals are received after that time frame, the updates will be made for the following quarter’s follow-up reporting.

7. Information on the audit report the change request relates to: The title of the audit report The date the final report was issuedInformation on the open actions the request for change relates to:Findings and agreed actions detailsAction owner and original due date details. If changes have occurred in due dates, please indicate this and provide the current revised due date. (If available, include the number of time changed) Nature of change requested and rationale for the request:Nature of change - Change to due date, Action owner transfer, Change to content of agreed action Reasons why this is necessaryCommentary on confidence on being able to achieve new milestones (if date change)How the risk is being managed in the interim:What risk was to be addressed by the action which this change relates toHow the risk is being managed in the interim Guidance on what to include in a Change Briefing7