The Office of Local Government (OLG) NSW has released an updated ‘Guidelines for Risk Management and Internal Audit Framework for Local Councils in NSW’. These guidelines, published in August 2021, are based on a previous discussion paper issued in 2019, which had over 150 submissions from key stakeholders in the local government sector.
Key issues raised by regional NSW Councils and internal audit practitioners in the original paper appear to have been taken on board, with a number of significant changes and clarifications in the proposed guidelines. Resources, including templates, examples, checklists and tools, will also be provided for ARIC procedures, risk management and the internal audit function.
The key changes to the OLG guidelines are summarised below:
Audit, Risk and Improvement Committees (ARIC)
- Implement an ARIC by June 2022;
- New tiered ARIC model for metropolitan, regional and rural/remote councils;
- The committee mix now allows for non-voting councillor members;
- Further clarity of the ARIC’s scope and level of assurance, while allowing for flexibility in the committee’s role;
- Reduced ARIC costs and reduced external review requirements; and
- ARIC member terms coincide with council terms and allow for longer maximum terms, with potential exemptions from term limits where smaller councils can’t find new ARIC members.
Risk Management
- More ‘principles-based’ approach and clarification on how risk management requirements apply to councils, and the role of internal audit and ARICs in a risk management framework;
- New ability for shared arrangements for county councils and joint organisations to reduce costs; and
- More flexibility in implementation and workforce resourcing, and more accountability by the council to the governing body and ARIC for risk management.
Internal Audit
- More ‘principles-based’ approach and clarification of dual reporting line to the ARIC and the general manager;
- More flexibility to implement the internal audit function within the council’s existing organisational structure and attract internal audit staff based on the tiered model. Changes include:
  - Allowing for in-house and outsourced internal audit functions
  - Specific role title for the head of the internal audit function removed
  - The internal audit function can report to a staff member other than the general manager
  - Eligibility criteria for internal audit staff changed to the requirement that they be able to fulfil their role
  - Ability to combine the head of internal audit function role with any other role in the council, provided safeguards are met; and
- Shared arrangements were simplified, and the performance review process was streamlined to reduce costs.
‘Strongest framework’ for minimising financial risk
Minister for Local Government, Shelley Hancock, stated the Guidelines for Risk Management and Internal Audit for Local Councils in NSW provide “the strongest framework in Australia for minimising financial risk and preventing fraud and corruption in the sector.”
“The state’s 128 local councils would be required to establish a risk management framework and internal audit function to help improve overall organisation, performance and operations,” Mrs Hancock said.
Under the reforms, every council in NSW will be required to appoint and operate an Audit, Risk and Improvement Committee made up of independent experts by June 2022 to ensure continuous improvement in governance and financial management, as well as accountability and transparency to local communities.
“These measures will help councils make better decisions and use of their resources and improve the delivery of infrastructure, facilities and services communities need and expect,” she said.
Mrs Hancock said the guidelines include a tiered model for Audit, Risk and Improvement Committees to “reflect the different needs of metropolitan, regional and rural councils according to resourcing, risk profile, population and location.”
“The framework is based on the worldwide ‘three lines of defence’ model where independent experts provide advice, management takes action to properly manage risk, and staff work every day to identify and address risks,” Mrs Hancock said.
“Seventy per cent of NSW councils already conduct some form of risk management, and 103 councils have an internal audit function. These guidelines will ensure consistency across the state in accordance with international standards and NSW Government practice, tailored to the unique structure and needs of local government,” she said.
The implementation timeline of these changes is as follows:
- All councils must appoint an ARIC from 4 June 2022.
- All councils have until 2024 to establish their risk management framework and internal audit function – attestation commenced in 2024.
- Councils have until 2027 to ensure ARIC membership complies with the OLG guidelines, allowing councils to transition into the new membership requirements as and when membership of existing ARICs expires – attestation commences in 2027.
Navigating active compliance under the OLG guidelines
As the OLG guidelines continue to embed across councils, the focus has shifted from initial implementation to active compliance and optimisation. Most councils are now operating within an established risk management framework, with expectations centred on how effectively these systems function in practice.
This marks a transition from setup to maturity. Councils are no longer assessed on whether frameworks exist but on whether they are delivering measurable value. Governing bodies and executive teams are expected to demonstrate that risk management supports decision-making, improves operational outcomes and responds to evolving pressures across the sector.
Strengthening ARIC effectiveness and governance structures
While internal audit and risk frameworks are now active, attention is increasingly turning to the structure and effectiveness of Audit, Risk and Improvement Committees. The OLG guidelines place strong emphasis on independence, capability and appropriate representation within these committees.
Key areas of focus include:
- Ensuring a balanced mix of financial, legal and operational expertise
- Reviewing independence to avoid conflicts of interest
- Aligning committee capabilities with the council’s size, complexity and risk profile
- Maintaining clear oversight of the risk management framework and internal audit function
Councils that regularly review their ARIC composition and governance approach are better positioned to meet compliance expectations and maintain effective oversight.
Expanding the scope of the NSW local government audit
The scope of the NSW local government audit continues to evolve, with greater emphasis on non-financial risks and broader governance responsibilities. Internal audit functions are increasingly expected to assess areas beyond traditional financial controls.
Two key areas of growing importance include:
Cyber security governance
Councils are under increasing pressure to manage cyber risks associated with digital service delivery and data management. Internal audit plays a critical role in independently assessing whether controls are effective and aligned with relevant policies and standards, including the NSW Cyber Security Policy and the Essential Eight framework.
Climate and sustainability risk
As councils integrate long-term environmental and infrastructure considerations into planning, internal audit functions are increasingly involved in reviewing data integrity, risk modelling and preparedness for climate-related impacts. This expanded scope requires internal audit teams to adopt a more strategic and forward-looking approach.
Maximising value through shared audit models
The tiered approach within the OLG guidelines has encouraged many councils, particularly in regional and rural areas, to adopt shared service models for internal audit. These arrangements provide access to specialised expertise while managing resource constraints.
Shared internal audit models can:
- Improve access to experienced audit professionals
- Support consistency in audit methodology
- Enable benchmarking across participating councils
- Identify common risks and control gaps earlier
As outlined in the internal audit for local government ARIC frameworks, these approaches are becoming an effective way to strengthen governance without significantly increasing costs.
Maintaining audit readiness and continuous improvement
A key expectation under the OLG guidelines is the ability to demonstrate that systems are operating effectively over time. This requires strong documentation, clear reporting and consistent follow-through on identified risks.
Councils should focus on:
- Maintaining up-to-date and dynamic risk registers
- Ensuring audit findings are actioned and tracked
- Aligning internal audit plans with high-impact risk areas
- Supporting transparency between management, ARICs and governing bodies
Practical steps, such as those outlined in how to make your accounts as clean as possible, can help improve audit readiness and reduce friction during external reviews.
Strengthen your approach to fraud risk
If you’re considering implementing or strengthening your ARIC, risk management framework or internal audit functions, you may consider partnering with an external specialist who can take on or assist with these soon-to-be-mandated requirements.
With decades of direct NSW Local Government experience across all functions of Council, combined with many years of internal audit experience, the dedicated Internal Audit Team at National Audits Group is well placed to provide expert assistance to your council. As approved Local Government Procurement (LGP218) suppliers, we can be directly appointed, avoiding the time and cost of a formal tender process. Call our team on 1300 734 707 to find out more.
Disclaimer: This article provides general information on the OLG guidelines, risk management practices and NSW local government audit requirements. It does not constitute professional advice. Readers should seek independent advice to ensure compliance with relevant legislation and regulatory obligations.