This is a paper from PROTIVITI which examines some of the great work we did with the Internal Audit function at Australia Post. A great group of people and great company to work with.

1. INTERNAL AUDITING Profiles of Internal Audit Functions
IN AUSTRALIA at Leading Companies
VOLUME II
Business Risk Technology Risk Internal Audit

2. Delivering Audit Services Across the
Organisation at Australia Post
Dave Mallard
Group Manager for Corporate Audit Services
The three core business areas of division is heavily operational and
Australia Post are letters; retail and involves the largest number of employees.
agency services; and parcels and logistics. The third division is Post Logistics,
Services are delivered by three key which is the most comprehensive provider
operational divisions, support functions, of parcels and logistics services within
and other subsidiaries and joint venture the Asia–Pacific region. Australia Post has
companies. several alliances, including an
The first division is the international logistics business —
customer–facing commercial division, Sai Cheng Logistics International —
which includes a retail network. This as a joint venture with China Post.
division, for example, provides one-stop Dave Mallard, the group manager for
shopping for home and office supplies, corporate audit services for Australia Post
including office stationery, phone for the past eight years, oversees a team
products, Postpak packaging products and of 18 auditors who are supplemented by
greeting cards, banking and bill payment outsource providers, particularly on
services and identify verification. With assurance audits. Mallard reports to the
more than 4,500 outlets across the managing director of Australia Post, with
country, this segment generates most of a strong reporting line to the board audit
the revenue for the organisation. and risk committee. He meets with the
The second is the mail and networks audit committee five times per year, in
division, which is primarily focused on addition to private sessions, and presents
the operations of mail and parcel delivery summary audit reports at those meetings.
in Australia and internationally. This key Three executive managers are loosely
responsible for the corporation’s three
business divisions, and report to Mallard;
“...We look for people with however, the team leverages talents
across the board and integrates
competencies and knowledge by
emotional intelligence, and a propensity for encouraging auditors to work on different
types of audits, an approach that also
greatly benefits audit clients.
interacting productively and positively...” As each divisional audit manager is
responsible for making sure that audit
2 / Protiviti / Internal Auditing in Australia

3. action plans are met, Mallard and his Audit scope objectives. These services are often
team are considering developing and The audit scope encompasses the conducted “pre-implementation” but
implementing a web-based tool to provide examination and evaluation of the do not involve the development or
more fluid access in a timely manner to adequacy, effectiveness and efficiency implementation of operational procedures
all relevant audit information, including of the systems of internal control at or processes. Advisory reviews typically
issues and follow-ups from audit projects. Australia Post. Internal audit reviews focus on strategic and operational
cover all activities of the corporation, activities, internal control assessments,
Corporate audit mission together with controlled entities and their project “health” checks and pre- and
According to its charter, the mission commercial activities. These reviews post-implementation reviews.
of corporate audit services at Australia involve all operations – financial and non- “We use risk-based auditing
Post is to provide the board, managing financial, manual or computerised. methodologies to develop and implement
director, management and other key The scope of audit engagements is an audit plan,” Mallard says. “This
stakeholders with a high-quality, cost- aligned with the primary risks of the includes facilitating risk assessment
effective and value-added assurance and corporation. Mallard’s team evaluates the workshops across the corporation,
consulting service to help the corporation adequacy and effectiveness of the control in conjunction with management.”
meet its objectives. The vision of the environment encompassing governance,
corporate audit services group is to be an operations and information systems to Finding the right people
outstanding team with a passion for effectively mitigate key risks. The services According to Mallard, there is an
excellence, adding value and facilitating provided by the corporate audit team are important balance to be achieved in
change through dynamic people who learn broadly categorised into the two building the most effective audit team.
and develop as future leaders in Australia following groups: “You have to blend the career auditors
Post. Assurance services: This encompasses with those who want to spend time in
Mallard, as group manager for risk and control reviews focus on the audit and then move into the business,”
corporate audit services, directs a broad, management and mitigation of key risks he says. “One way of doing this is to
comprehensive program of internal within an operational or financial process. allocate a certain number of positions
auditing. His team is authorised full and These reviews provide assurance that risks for bringing people in for a short while,
unrestricted access to all functions, are being effectively and efficiently giving them risk management and internal
property, personnel, records, accounts, mitigated. Risk and control reviews control experience, and then transitioning
files and other documentation. Mallard typically focus on process, compliance them out into the business where they
also has full access to the managing with policies, due diligence reviews and can enact corporate governance and risk
director, the Board Audit and Risk fraud investigations. management improvement.”
Committee (BARC), and the chairman Advisory services: These reviews Facilitating churn while establishing
of the board. focus on the assessment of projects or stability is a difficult balance to strike.
operational processes against desired “Having come to Post from the private
sector, I found that the organisation was
more complex and challenging to manage
– but we thrive on cooperation and
Australia Post communication,” Mallard says.
The Australian Postal Corporation is part of the fabric of “Relationship skills and people skills are
the most important components in
Australian life. Australia Post is a self-funding business that uses
getting things done. We look for people
its assets and resources to earn profit, which are reinvested in with emotional intelligence, and a
propensity for interacting productively
the business and/or returned as dividends to the Australian
and positively with others. In the end,
Government. Australia Post has 35,000 staff, operates 4,500 it’s all about the people.”
retail outlets, delivers mail to more than 10 million Australian
addresses and serves more than a million customers every day.
Internal Auditing in Australia / Protiviti / 3

4. Strategic goals Performance Measurements risk management. If that is adopted
In the long term, Mallard is focused Performance standards for the it would impinge on audit in that we
on becoming more strongly oriented and corporate audit services team are grouped already play a key role in facilitating
aligned with corporate strategy. “Our into three areas: controls documentation,” says Mallard.
group must leverage its ability to analyse • review management and work “This would in effect expand the already
our data stores related to the business performance sizable project that we undertake
and identify important trends and risk • audit effectiveness and service annually and the organisation would
indicators. We have an opportunity to delivery spend more time in pulling together an
increase the value we deliver by providing • talent management and competency additional suite of documents to support
additional advisory services to business development sign off. In terms of resource limitations,
unit heads. We can do this by making the “Within those three areas we have a I have not decided whether or not this is
most of the information we are range of performance standards at both a productive step or if it is a bit over
collecting.” the group and individual level,” Mallard the top.”
Recently the team undertook a says. “At a macro level we have a
Stakeholder Diagnostic Survey, a lengthy stakeholder feedback process in which A real-time advisory function
and broad-based exercise designed to find feedback is ranked. Reaching out to Today, Mallard says that the corporate
out what is important to internal audit stakeholders on a continual basis is part audit services team is more focused on
stakeholders. Mallard’s group contacted of our 360 feedback effort.” risk, control and corporate governance
approximately 65 stakeholders, including Australia Post seeks to comply with than at any time in the history of
the board, managing director, executive all private sector corporate governance Australia Post, playing an essential role in
committee, middle management and the guidelines, in as much as they can be influencing change. “This reflects what is
audit team itself. The goal was to explore adopted by a government business happening in the industry, and not just at
what was important to stakeholder enterprise. The board has mandated that the senior management level but across
groups, track perceptions of effectiveness the corporation observe the Australia the organisation,” he says. “Auditors now
in service delivery and identify any Stock Exchange (ASX) corporate perform a more central and relevant role.
potential gaps with audit work. governance best practice guidelines, With our principle-based approach, we are
The annual audit plan is risk-based providing sign-offs on risk management at the forefront of corporate strategy and
and integrated with the Enterprise Risk and internal controls. As a means of change.”
Management Framework. “In terms of our supporting those efforts, the audit team
audit plan objectives, we also look at facilitates business unit self assessments
change programs and strategic on key financial reporting controls across
initiatives,” Mallard says. “We consult the organisation. This information is
with business unit management and the cascaded up until the managing director,
risk management committee, as well as CFO and board sign off.
other stakeholders, to determine what to “There is a draft that the ASX has
focus on in the 12-month and three-year released proposing an expansion of the
timeframes.” sign off in all areas of an organisation’s
4 / Protiviti / Internal Auditing in Australia

5. Challenges for the future of Mallard’s
corporate audit team are two-fold. “We
will always conduct traditional audits on
risk, control and governance, but we need
to look forward as well as look back,”
he says. “The goal is to be a real-time
advisory function. To do this we must get
the blend right between the real-time
auditing and the more traditional –
and just as valuable – assurance and
compliance work. We have to leverage our
systems and data stores, and adopt risk
management principles to engage
management in a more timely and
relevant way than ever before.”
“...Auditors now perform a more central and relevant role.
With our principle-based approach, we are at the forefront of
corporate strategy and change...”
Internal Auditing in Australia / Protiviti / 5