Annual Report 2018–19

Tabled: 29 August 2019

Appendix D. Audit and risk management

Audit and Risk Committee Chair's report for the year ended 30 June 2019

The Audit and Risk Committee is appointed by the Auditor-General to provide independent advice to assist him in the discharge of his responsibilities for the management of VAGO's risk, control and compliance framework, and the external accountability responsibilities as prescribed in the Financial Management Act 1994, the Audit Act 1994 and other relevant legislation and prescribed requirements.

All committee members are independent, non-executive members who are appointed by the Auditor-General for a term of three years and are eligible for reappointment subject to a formal review of the member's performance by the Auditor-General. All members have appropriate financial and industry expertise and an appropriate understanding of the operation of VAGO.

Lynne O'Brien has been Chair of the Audit and Risk Committee since 1 January 2019. The members of the Audit and Risk Committee for the year ended 30 June 2019 and their attendance at meetings are set out below.

Committee member

Meetings attended

Meetings held

Lynne O'Brien



Julie Fahey (term commenced 1 January 2019)



Peter Niblett



Sara Watts (term ended 31 December 2018)



Joydeep Hor (term ended 31 December 2018)



The responsibilities of the committee are defined in its charter, which is approved by the Auditor-General and delivers on the responsibilities set out in the Standing Directions under the Financial Management Act 1994.

The main responsibilities of the committee are to:

  • review and report independently on the financial statements and all other financial information published by VAGO
  • assist in reviewing the effectiveness of VAGO's internal control environment covering:
    • effectiveness and efficiency of operations
    • reliability of financial reporting, and
    • compliance with applicable laws and regulations
  • determine the scope of the internal audit function and ensure its resources are adequate and used effectively, including coordination with the external auditors
  • maintain effective communication with external auditors
  • consider recommendations made by internal and external auditors and review the implementation of actions to resolve issues raised
  • oversee the effective operation of the risk management framework.

In fulfilling its responsibilities, the Audit and Risk Committee has received operational management reports, risk management reports and briefings from the Auditor-General on issues affecting VAGO. During the course of the year, the Audit and Risk Committee has considered:

  • the closing report from the external financial auditor for the year ended 30 June 2018, which identified no significant issues
  • status updates and reports from the internal auditor, which include management's response to matters raised by internal audit, together with subsequent follow up
  • VAGO's risk management reports and risk register
  • systems of control for gifts, benefits and hospitality, and
  • policies and procedures in place for the development of VAGO's annual plan and budget and resource planning.

At the time of signing this report, the annual financial report for the year ended 30 June 2019 had been considered and recommended for adoption by the Auditor-General.

The Audit and Risk Committee has met in camera with the external financial auditors, the Auditor-General and the internal auditor. The internal audit function was provided by PricewaterhouseCoopers in 2018–19.


Lynne O'Brien (Chair) 16 August 2019

Risk management

Our risk management framework is developed in line with the Victorian Government Risk Management Framework, the Standing Directions 2018 under the Financial Management Act 1994, and the Australian/New Zealand Risk Management Standard (AS/NZS ISO 31000:2018).

We maintain effective risk governance through appropriate internal management structure and oversight arrangements. Each enterprise risk is assigned to a member of the Strategic Management Group who is responsible for ensuring the risk is effectively managed. The enterprise risk register is also considered by our Audit and Risk Committee at each of its meetings.

During 2018–19, we:

  • finalised our risk management framework, including creating a formal risk appetite statement and updating our risk management policy and procedure
  • reassessed our enterprise risks in line with our Strategic Plan 2017–2021 and changes to our legislative and regulatory obligations
  • worked more closely with our audit and corporate services areas to help them better understand their risk environment and embed a strong risk culture
  • continued to undertake an in-depth monthly focus on risks, both current and emerging.

VAGO's enterprise risks remain unchanged from last year.



  • External events or changes undermine VAGO's role and powers in Victoria's integrity system and diminish our impact
  • Failure of practice and project management delays or denies fulfilment of our strategic, annual and business plans, or leads to a serious breach of the Audit Act 1994, Financial Management Act 1994 or Public Administration Act 2004
  • Failure to capitalise on new technologies and efficiencies in work practices
  • Failure to influence public service accountability and performance
  • Unauthorised disclosure and/or breach of information security
  • Final audit product is poor quality
  • Failure to design processes that provide sufficient and appropriate assurance in financial and performance audit
  • Control environment does not support the management of conflicts of interest, fraud and corruption, compliance and sound financials
  • Misalignment of staff and leadership with VAGO values
  • Ineffective sourcing and development of high-quality human capital—staff and contractors

Victorian Auditor-General's Office Financial Management Compliance Attestation Statement

I, Andrew Greaves, certify that the Victorian Auditor-General's Office has complied with the applicable Standing Directions 2018 under the Financial Management Act 1994 and Instructions.


Andrew Greaves
Victorian Auditor-General's Office

28 August 2019

Internal audit

PricewaterhouseCoopers was appointed as our internal auditor in July 2015. The internal auditor reports to our Audit and Risk Committee and the Auditor-General. The following audits were carried out in 2018–19:

  • fraud and corruption controls
  • IT security
  • financial audit delivery model
  • financial audit quality management
  • payroll.

The internal auditor also attended each meeting of our Audit and Risk Committee where reports were being considered and provided a report on the status of the internal audit program, as required.
