Annual Report 2018–19

Tabled: 29 August 2019

5 Leading by example


Our objectives

Our directions

Model exemplary performance in everything we do

Simplify our business

Embrace new technology

Better intelligence to drive decisions

What success looks like

Workforce productivity has increased

Our internal practices set the benchmark for public sector entities and other audit offices

VAGO's credibility depends on us being, and being seen to be, independent, competent and publicly accountable for our operations. To make this possible we need to lead by example.

The more we simplify our business, the more efficient we become and the more time we can dedicate to our audits. This year we have continued to streamline and automate core business processes. We implemented new technological solutions and improved our information security practices. Our improvements to human resources and payroll systems will save staff time and increase our productivity.

We continued to establish business intelligence systems that will give us simple and timely access to performance information. Our focus on fraud and corruption and improving our communications set an example for the broader public sector.

5.1 Technology updates

As in other recent years, we focused this year on updating our technology to address process issues, increase productivity and simplify operations. As mentioned in Section 2.2, we needed this capability improvement for specific projects, such as the financial audit dashboard, but there have also been several IT projects affecting the entire organisation.

To enable a more collaborative environment and allow our staff to work remotely, we have moved to using Microsoft Teams across the organisation. This change, as well as other improvements to our network, has made file sharing easier and allowed us to make the most of our investment in Microsoft Office 365.

This is one way we are harnessing new technologies and new ways of working to improve our capabilities, which is the intention of our refreshed IT strategy. The two-year strategy is shaped by industry insights and technology trends and reflects our future requirements.

We are now working with Azure, Microsoft's public cloud computing platform. It provides a range of cloud services, including those for computing, analytics, storage and networking. We use this service as Microsoft invests far more in information security than state government agencies can. Microsoft's cybersecurity budget exceeds USD 1 billion annually and our approach enables us to benefit from this investment.

This year we upgraded our human resources and payroll systems. Our old systems operated independently, which required multiple interfaces and the duplication of data. We replaced these programs with a cloud-based, integrated and easy-to-use system called SuccessFactors.

The new program has greater data capability and is a more flexible and configurable system. It will speed up our payroll run, improve our data accuracy and integrity, improve our performance development process and be easier for staff to use. This was a key project for simplifying our business and is another good example of how we are using new IT solutions.

Another way that we are making the most of our new technologies is by gathering information that better informs our decision-making. We have a new project portfolio tool to prioritise investment and monitor progress, and managers are now able to access real-time information about their team's productivity.

5.2 Data protection

One of our major projects this year was reviewing our data protection practices and establishing an IT security framework.

We assessed all our information assets and classified them by considering the potential compromise to confidentiality, integrity and availability. We developed an information management framework to establish, implement and maintain information security controls. We ensure that only authorised people access information through approved processes, consistent with the Victorian Protective Data Security Standards and Australian Auditing Standards.

We have aligned our information security approach to the Australian Government Secure Cloud Strategy, 2017. This strategy recognises that appropriately certified cloud providers are significantly better placed than internal teams to implement and monitor security controls and achieve compliance.

We are increasing our compliance with the Victorian Protective Data Security Framework and also use the Australian Government's Protective Security Policy Framework and Information Security Manual.

Consistent with this guidance we focus on information security across the following domains:

security governance

ICT security

information security

personnel security

physical security

With the introduction of the revised Audit Act 1994, the Auditor-General now has greater discretion to share information with a broader range of persons and bodies, including ministers, public bodies, statutory office holders, law enforcement agencies and prosecutorial bodies. We can also share information with other Australian Auditors-General when it is in the public interest, excluding Cabinet‑in-Confidence or commercially sensitive information.

Our new IT security framework will allow us to ensure that the information we gather is securely stored and responsibly shared. Part of this is ensuring that our staff engage in safe online behaviour. In March we ran a month‑long cybersecurity campaign to educate staff about phishing and other cybersecurity threats.

This year we have also enforced the application of protective markings to all VAGO documents, which is a method of classifying the sensitivity of information. This is required of all Victorian Government agencies under the Privacy and Data Protection Act 2014.

5.3 Clear communication

In an increasingly digital environment, the way people engage with information is changing. As an organisation that works in the public interest, we aim for all members of the public to be able to access our work, and easily comprehend our findings and recommendations.

To highlight our key messages, we have introduced more infographics and other visualisations into our reports. These can be useful for clarifying complex information and turning it into something more easily understood. Conversely, these diagrams can also show where systems are particularly complicated.

This example from our Child and Youth Mental Health report illustrates the complexity of the oversight and performance monitoring system for child and youth mental health services.

We increased the graphic elements in our presentations, both those for parliamentarians and those available to the public on our website.


This year we also investigated new approaches to digital communication to plan for the future. We have researched better practice examples to make our work more accessible and engaging. While we are required to produce a printed report for tabling in parliament, we know that most people access our reports online and we aim for them to be easy to navigate and share. Our most popular report this year was viewed more than 3 500 times and our most popular video was viewed more than 1 000 times.

Top 10 most viewed videos in 2018–19

Melbourne Metro Tunnel Project—Phase 1: Early Works

School Councils in Government Schools

Access to Mental Health Services

Recovering and Reprocessing Resources from Waste

Delivering Local Government Services

Managing Rehabilitation Services in Youth Detention

Outcomes of Investing in Regional Victoria

Results of 2017–18 Audits: Local Government

Child and Youth Mental Health

Contract Management Capability in DHHS: Service Agreements

Top 10 most viewed reports on our website in 2018–19

Access to Mental Health Services

Results of 2017–18 Audits: Local Government

School Councils in Government Schools

Delivering Local Government Services

Child and Youth Mental Health

Auditor-General's Report on the Annual Financial Report of the State of Victoria: 2017–18

Recovering and Reprocessing Resources from Waste

Outcomes of Investing in Regional Victoria

Reporting on Local Government Performance

Local Government Insurance Risks

For this Annual Report we developed more dynamic, interactive elements for our website as we start to test some of our ideas and the technologies available.

We have also considered accessibility to our information on our website, assessed our level of compliance with the Web Content Accessibility Guidelines 2.0 and explored options to improve our compliance with this standard.

5.4 Governance initiatives

VAGO is enhancing its governance and compliance systems and improving policies and procedures registers. We have also ensured we are meeting our obligations under the Financial Compliance Management Framework and the Victorian Protective Data Security Framework.

We have had several new initiatives across the organisation to develop our governance maturity and improve corporate knowledge of risk and compliance.

We developed a new project portfolio with enhanced internal reporting and controls as well as the ability to better track project costs.

We continued to develop our business intelligence systems by automating data extraction and improving our data visualisation, making our systems more user friendly.

We continued our ongoing review of policies and procedures including targeted updates required by the Audit Amendment Act 2019.

We updated our gifts, benefits and hospitality policy and our independence policy.

We created a new coercive powers policy and associated procedure, as well as a new information gathering policy and procedure to respond to the changes to the Audit Act 1994.

Improving our risk management systems has been a key activity. VAGO refreshed its risk profile and implemented updated controls. VAGO also developed a risk appetite statement, consulting with risk owners for input. We added a 'risk outlook' for each VAGO enterprise risk to improve the risk management report.

As one of Victoria's integrity agencies, VAGO is committed to proper use of public money, information and property, and safeguarding our own integrity and reputation. This year we finalised our new Fraud and Corruption Control Plan. The plan addresses internal and external fraud and corruption risks and shows how we manage these risks and the associated controls, including steps to minimise and manage the risk of fraud and detection and discovery systems.

VAGO has a regular training and development program on our policies and procedures to support our governance and compliance frameworks.

5.5 Assuring our audit quality

To provide the best value to Victorians through our insights we must ensure that we maintain our high standards. We aim to set the benchmark for other audit offices, and we believe our audit quality processes demonstrate exemplary practices.

This diagram shows our financial audit quality assurance and continuous improvement processes.

Quality processes for financial audits


This diagram shows our rigorous framework of similar processes for our performance audits.

Quality processes for performance audits


Note: The below is an accessible version of the above diagrams.



Establish and plan the audit, including risk assessment, independence assessments and agreeing with the audited agency to the terms of engagement

EQCR point

Engagement quality control reviewer (EQCR)
Depending on the risk and complexity of the audit, selected audits will have an EQCR appointed. The role of the EQCR is not to be a member of the audit engagement team, but to offer an objective evaluation and review of the significant judgements made by the team, to ensure the quality of the conclusions being reached.

Audit strategy issued to the audited agency

Interim audit activity

EQCR point

AAFR point

Active audit file reviews (AAFR) and post-audit and assurance quality reviews (PAAQR)
AAFRs are performed on a selection of active files. PAFRs are performed on a selection of completed audit files. These reviews assess the quality of the engagement against the requirements of applicable audit standards. They are performed by engagement quality reviewers who are objective and independent of the audit. As well as ensuring the quality of our audits, these reviews are used to measure our performance against one of our Budget Paper No. 3 reporting measures.

Interim management letter issued to the audited agency

Year-end audit activity

EQCR point

Conclude the audit

EQCR point

Closing report issued to the audited agency

Audit opinions issued on signed financial statements and, for some agencies and councils, performance statements also.

Final management letter issued to the audited agency

PAAQR point

Some financial audit quality assurance processes do not occur at specific times during an audit, and may not occur for all audits:

Technical panel
The technical panel, which consists of the Auditor-General, the Assistant Auditor-General of Financial Audit, the Director, Audit Quality and the Director, Financial Reporting Advisory, maintains and considers a register of significant accounting matters. The register of significant matters and the panel provide a forum for discussing and considering technical issues facing the public sector and audit teams.

Audit report modification panel
A modified audit opinion is one that includes, for example, an emphasis of matter paragraph, a qualification or a disclaimer. The audit report modification panel considers whether these modifications should be made and makes its recommendation to the Auditor-General. The panel includes the Assistant Auditor-General of Financial Audit and independent members of the technical team. Issuing a modified opinion requires the approval of the Auditor-General.

Technical consultation
In our technical team we employ subject-matter experts. At any time during an audit, if the audit team requires impartial advice on an audit or financial reporting matter, they can consult our technical subject-matter experts.

Client surveys
Each year we survey our clients, alternating between chief financial officers and audit committee chairs, to measure our performance against their expectations. The results of this year’s surveys are discussed on page 26.

This diagram illustrates our rigorous framework of similar processes for our performance audits.


Audit initiation

AAG/AG point

Assistant Auditor-General (AAG) and Auditor-General (AG) approval
At key milestone points in a performance audit, both the Assistant Auditor-General of the performance audit team and the Auditor-General review the progress of the audit. This provides additional quality assurance and ensures that the Auditor-General has opportunities to review all the audits underway.

Audit planning

EQCR point

Engagement quality control reviewer (EQCR)
An EQCR is a senior staff member, independent of the audit team, who conducts an objective evaluation of the audit.
The EQCR reviews audit planning, briefing and reporting documents, to ensure the team has gathered sufficient, appropriate evidence to support their findings and conclusions. The EQCR considers all significant matters, including risks identified, significant judgements made by the audit team, and the conclusions reached in the audit report.
The EQCR also ensures that the AAG and AG are advised of any significant unresolved differences of opinion with the audit team.

AAG/AG point

Audit conduct

EQCR point

AAG/AG point

End of conduct brief sent out to agencies for consultation

EQCR point

AAG/AG point

Provisional draft of Parliamentary report sent out to agencies for consultation

EQCR point

AAG/AG point

Proposed draft of Parliamentary report sent out to agencies for consultation

EQCR point

AAG/AG point

Preparation of final Parliamentary report

Report tabled

Client surveys
Within three months of a performance audit report tabling in Parliament, we survey the agencies who were part of the audit. This survey asks about the audit process (for example, the professionalism of VAGO audit staff), reporting (for example, that the agency felt they had adequate chances to comment on the findings and issues), and value (for example, that the audit is focused in the right area).
The results of this year’s surveys are discussed on page 25.

Post audit and assurance quality reviews
A selection of performance audits is independently assessed against criteria that have been agreed by the Australasian Council of Auditors-General on a four-year cyclical basis. The assessment provides an opinion on whether there have been departures from professional and regulatory standards. A program of reviews for all engagement leaders is scheduled in 2019–20.
