Annual Report 2017–18

Tabled: 20 September 2018

Appendix D. Audit and risk management

Audit and Risk Committee Chair's report for the year ended 30 June 2018

The Audit and Risk Committee is appointed by the Auditor-General to provide independent advice to assist him in the discharge of his responsibilities for the management of VAGO's risk, control and compliance framework, and the external accountability responsibilities as prescribed in the Financial Management Act 1994, the Audit Act 1994 and other relevant legislation and prescribed requirements.

All committee members are independent, non-executive members who are appointed by the Auditor-General for a term of three years and are eligible for reappointment subject to a formal review of the member's performance by the Auditor-General. The Audit and Risk Committee has appropriate financial and industry expertise. All members are financially literate and have an appropriate understanding of the operation of VAGO.

Sara Watts has been chair of the Audit and Risk Committee since 1 January 2014. The members of the Audit and Risk Committee for the year ended 30 June 2018, their qualifications and attendance at meetings, are set out below.

Committee member

Meetings attended

Meetings held

Sara Watts (Chair) BSc, MBA, FAICD, FCPA Non-executive director



Lyn Baker BA, MBA, GAICD Non-executive director and consultant



Joydeep Hor LLM, LLB(Hons), BA, FCIPD, FAHRI Managing Principal, People + Culture Strategies, Sydney



The responsibilities of the Audit and Risk Committee are defined in its charter which is approved by the Auditor-General.

The responsibilities of the committee include:

  • to review the external auditors' proposed approach, conduct and the outcomes of the audit process
  • to review, assess and recommend to the Auditor-General the adoption of the annual financial report
  • to determine the scope of the internal audit function and review its effectiveness
  • to review VAGO's approach to risk identification and management
  • to consider VAGO's approach to compliance with relevant legislation, regulations and guidelines.

In fulfilling its responsibilities at each meeting, the Audit and Risk Committee has received operational management reports, risk management reports and briefings from the Auditor-General on his activities and issues affecting VAGO. During the course of the year, the Audit and Risk Committee has considered:

  • the closing report from the external financial auditor for the year ended 30 June 2017, which identified no significant issues
  • status updates and review reports from the internal auditor, which include management's response to matters raised by internal audit, together with subsequent follow up
  • VAGO's risk management reports and risk registers
  • systems of control for conflicts of interest and gifts, benefits and hospitality and the monitoring of those systems
  • policies and procedures in place for the development of VAGO's annual plan and budget and resource planning
  • whether VAGO has appropriate policies and practices in place to review and implement, where appropriate, recommendations from external reviews, including Parliamentary committee inquiries
  • the effectiveness of the internal audit program.

At the time of signing this report, the annual financial report for the year ended 30 June 2018 had been considered and recommended for adoption by the Auditor-General.

The Audit and Risk Committee has met in camera with the external financial auditors, the Auditor-General and the internal auditor. The committee has also carried out a monitoring function during the period.

In closing, the committee wishes to acknowledge the significant and positive contribution made by Lyn Baker during her term on the committee.

Sara Watts (Chair)
9 August 2018

Risk management

We refreshed our strategic risk register in early 2017–18. We have 10 identified enterprise risks.



  • External events or changes undermine VAGO's role and powers in Victoria's integrity system and diminish our impact
  • Failure of practice and project management delays or denies fulfilment of our strategic, annual and business plans, or leads to a serious breach of the Audit Act 1994, Financial Management Act 1994 or Public Administration Act 2004
  • Failure to capitalise on new technologies and efficiencies in work practices
  • Failure to influence public service accountability and performance
  • Unauthorised disclosure and/or breach of information security
  • Final audit product is poor quality
  • Failure to design processes that provide sufficient and appropriate assurance in financial and performance audit
  • Control environment does not support the management of conflicts of interest, fraud and corruption, compliance and sound financials
  • Misalignment of staff and leadership with VAGO values
  • Ineffective sourcing and development of high-quality human capital—staff and contractors

We maintain effective risk governance that includes appropriate internal management structure and oversight arrangements. Each risk has been assigned to a member of our Strategic Management Group who monitor and, where appropriate, amend the register and the ratings in light of any external or internal changes to the organisation. The register is also considered by our Audit and Risk Committee at each of their meetings.

Attestation of compliance with Ministerial Standing Direction 5.1.4

I, Andrew Greaves, certify that the Victorian Auditor-General's Office has complied with the applicable Standing Directions of the Minister for Finance under the Financial Management Act 1994 and Instructions.

Andrew Greaves
Victorian Auditor-General's Office

20 September 2018

Internal audit

PricewaterhouseCoopers was appointed as our internal auditor in July 2015. The internal auditor reports to our Audit and Risk Committee and the Auditor‑General. The following reviews were carried out in 2017–18:

  • penetration testing
  • internal financial controls
  • fraud and corruption controls.

The internal auditor also attended each meeting of our Audit and Risk Committee where reports were being considered, and provided a report on the status of the internal audit program, as required.
