Internal audit services

⁠⁠⁠Provide internal audit services to the Audit Office of NSW over a three-year period, including an annual program of internal audits, advisory and support activities.

Project goals

This is an RFI to register your interest to participate in a future Request for Quote (RFQ). A full proposal is not required at this stage.

The Audit Office of NSW is seeking to appoint a suitably qualified and experienced internal audit service provider capable of delivering, over a three-year period, an annual program of internal audits plus advisory and support services. These services are a key component of the AONSW's co-sourced internal audit function, led by an in-house CAE that reports functionally to the ARC.

The purpose of the internal audit function is to provide independent, objective assurance and advisory services designed to add value and improve the AONSW's operations. The vision is to be ‘A trusted source of insight and assurance to management and those charged with governance about our system of internal control, programs and operations, which in turn supports the AONSW's accountability for its use of public resources.’

Our internal audit function operates in accordance with TPP 20:08 Internal Audit & Risk Management, and relevant requirements and standards of the Institute for Internal Auditors (IIA).

The three-year engagement to provide internal audit services may be extended for an additional two years.

Scope

The scope is to deliver the annual program of internal audits, plus advisory and support services, to ensure the AONSW’s internal audit function fulfils its function and complies with relevant policy and standards.

The CAE maintains a 3-year risk-based internal audit program. This involves about 4 engagements p.a. (one designed to meet the requirements ISO27001 certification), plus periodic reviews of the status of recommendations. Areas of focus include risk management, financial controls, operational compliance, quality and performance improvement, public sector governance, information management and cyber security. The internal audit calendar year runs from Sept–Aug.

Providers will be expected to attend ARC meetings and provide advice or input on core aspects of the internal audit function. These include advice or input on strategic and annual audit planning, assurance mapping, and maintaining the internal audit charter and manual, and the quality assurance and improvement program. Providers are also required to cooperate with any internal performance measurement and external quality reviews of the internal audit function. The previous external review was completed in Feb 2023.

In turn, the Audit Office requires that internal audit services providers conform with and attest to the relevant requirements and standards of the IIA, as well as our Statement of Business Ethics and independence requirements. CAI and CISA certifications will be well-regarded.

Additional details/instructions

This is an RFI to register your interest to participate in a future Request for Quote (RFQ). A full proposal is not required at this stage.

The Audit Office will review the responses to this RFI and invite shortlisted firms/individuals to participate in a future RFQ. The formal RFQ is expected to be released in May 2026.

Note that the internal audit service provider will not be permitted to provide any other advisory services or additional work to the Audit Office, outside the approved annual internal audit plan (for the duration of the contract) unless an independence declaration is made and approved by the Auditor-General based on advice from the Chief Audit Executive, with endorsement by the Audit and Risk Committee Chair. Such approval will include management plans for declared conflicts, if any. For the avoidance of doubt, this does not exclude Audit Office’ Audit Service Providers (ASPs) from expressing their interest in and being considered for this opportunity.