Transparency Report 2025

Overview

The Auditor-General is an independent officer of the Victorian Parliament under the Constitution Act 1975.

VAGO is a special body as defined in section 6 of the Public Administration Act 2004 (PAA). This limits how the PAA applies to VAGO, including VAGO not being bound by certain government policies made under the PAA.

The Audit Act:

• establishes VAGO and its responsibilities
• outlines the Auditor-General’s mandate for performing financial and performance engagements of all Victorian public sector entities
• gives the Auditor-General the power to employ Victorian Public Service staff
• requires us to apply the Australian Auditing and Assurance Standards, which are issued by the Auditing and Assurance Standards Board.

Overview

Our strategic management group and operational management group are governing bodies that support our SQM. They establish, support and monitor our engagement quality and compliance with:

• the Australian Auditing and Assurance Standards
• relevant ethical requirements
• other applicable legal and regulatory requirements.

The Audit and Risk Committee is also part of VAGO’s governance framework. Its focus is overall governance and risk.

Strategic management group

Our strategic management group includes the:

• Auditor-General
• Deputy Auditor-General
• Assistant Auditors-General of our financial audit (FA) and parliamentary reports and services (PRS) divisions
• director of strategy, governance and risk. 

The strategic management group: 

• creates and monitors VAGO’s strategy
• promotes good governance   
• manages performance outcomes and sustainability
• makes sure VAGO has strong executive leadership.

We discuss the strategic management group's responsibilities for promoting audit quality in Section 3.3.

Operational management group

Our operational management group includes the:

• Auditor-General
• Deputy Auditor-General
• Assistant Auditors-General of our FA and PRS divisions
• director of strategy, governance and risk
• chief information officer
• chief financial officer
• chief people officer
• director of data, AI, systems assurance and audit technology.

The operational management group: 

•  monitors VAGO’s performance 
• manages risks 
• makes sure VAGO complies with policies and regulations
• drives continuous improvement in our operations.

Audit and Risk Committee

The Auditor-General appoints our Audit and Risk Committee. It has at least 3 and at most 5 independent members (including the chairperson) who are not VAGO staff.

The Audit and Risk Committee gives independent support and advice to help the Auditor General carry out their responsibilities outlined in the Financial Management Act 1994. This includes independently reviewing and assessing the effectiveness of VAGO's systems and controls for financial management, performance and sustainability, including risk management.

Every year, the Audit and Risk Committee gives the Auditor-General: 

• a report summarising what it examined during the year and their outcomes 
• an assessment of its performance during the past year.

The Standing Directions 2018 Under the Financial Management Act 1994 outline the Audit and Risk Committee's responsibilities, which are further defined in its own charter.

SQM leadership roles 

The Auditor-General, strategic management group, audit quality director and financial reporting advisory director have specific responsibilities and accountabilities for governance over our SQM.

Operational implementation, monitoring and compliance of our SQM sits primarily with divisional AAGs, directors and senior practice managers.

We also have a technical panel and an audit report modification panel for our financial audits. These panels review significant accounting and audit matters arising from our financial audits.

All our auditors are responsible for delivering quality outcomes in the work they perform. 

Figure 1 shows the roles, groups and committees involved with our SQM.

Performance engagements

Our PRS division does performance engagements to assess if government agencies, programs and services:

• effectively meet their objectives
• use resources economically and efficiently
• comply with legislation. 

We can audit community sector and for-profit organisations that provide government services. We can also audit how recipients use government grants.

Performance engagements provide reasonable or limited assurance about activities that agencies, programs and services are doing well. They also identify opportunities for improvement. 

We report the results of these engagements to Parliament.

Financial engagements

Our FA division does financial engagements to provide public sector entities with:

• audit opinions on public sector entities' financial reports and performance statements
• an audit opinion on the Annual Financial Report of the State of Victoria
• a review report on the general government sector's estimated financial statements 
• other assurance activities such as audit opinions on grant acquittals submitted by entities to funding bodies.

Our audit opinions provide reasonable assurance that entities’:

• financial reports fairly present their financial positions, cashflows and operational results for the year
• performance statements and grant acquittals are reliable.

This means Parliament and the community can confidently use these reports to make informed decisions. We also provide reports to Parliament on the results of these audits, including:

• the Auditor-General's report on the Annual Financial Report of the State of Victoria
• sector-based analysis of audit reports.

For information about the difference between performance audits and assurance reviews, read Our assurance services fact sheet.

The Auditor-General

The Auditor-General is responsible for:

• our SQM and audit quality, in line with:
  • ASQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements (ASQM 1)
  • ASQM 2 Engagement Quality Reviews (ASQM 2) 
  • ASA 220 Quality Management for an Audit of a Financial Report and Other Historical Financial Information (ASA 220)
• issuing a financial audit opinion, in line with part 3 of the Audit Act and ASA 700 Forming an Opinion and Reporting on a Financial Report (ASA 700)
• issuing an assurance report on a performance engagement, in line with section 56(1) of the Audit Act and ASAE 3500 Performance Engagements (ASAE 3500).

We discuss the Auditor-General's responsibility for our SQM further in Section 3.3.

Engagement teams

A VAGO engagement team includes staff who do audit, assurance or other activities on an engagement. 

For financial audits, audit service providers (ASP) are also part of our engagement teams. Figure 2 outlines the roles and responsibilities in our engagement teams.

An engagement team excludes:

• a subject matter expert
• the engagement quality reviewer (EQR). 

Engagement leaders and signing officers

By law, the Auditor-General is the engagement partner (or engagement leader, lead assurance practitioner or signing officer) and auditor for all financial and performance engagements. As the Auditor-General cannot practically do this alone, section 8 of the Audit Act allows them to delegate certain roles and responsibilities.

The Auditor-General’s ability to delegate powers and functions is a key point of difference between VAGO and private audit firms. Private audit firms follow their own quality policies (as well as professional standards) to delegate responsibilities. While the firm’s engagement partner is still legally responsible for the audit, they can delegate many tasks.

In large, global audits, private firms often split the roles of engagement leader and signing officer. They do this to manage the complexity of international work, meet different regulatory rules and bring in the right expertise. The engagement leader runs the audit day to day and coordinates teams in different countries. The signing partner, usually a senior partner, reviews the final work and signs off on the audit opinion, making sure it follows the firm’s rules and professional standards.

Fees for our financial audit work

We collect fees from public sector entities for our financial audits and other auditing services, such as grant acquittals and performance statement audits. 

We set our fees in line with section 13 of the Audit Act to recover the reasonable costs of our financial audit services. Our ASPs occasionally deliver non-audit services to public sector entities, but only where those services do not compromise their independence. We do not receive any other revenue from the entities we audit.

Figure 3: Revenue from financial audit fees

^(a)Financial audit fee revenue only. Audit opinion output appropriations in our 2024–25 Annual Report of $37,145,000 additionally include a cost of living allowance from Parliament of $713,500. ^(b)Total financial audit fees were significantly higher in 2023–24 compared to 2023–24 due to an increase in production hours from 96,700 to 109,000, an increase in recoverable audit service provider costs from $17.5 million to $19.9 million, plus audit fees were increased by 4 per cent in line with the Australian Bureau of Statistics' wage price index.
Source: VAGO.

Other revenue

We receive funding to conduct services on behalf of the Parliament of Victoria. This includes:

• performance engagements and assurance reviews of public sector entities 
• results of financial audit parliamentary reports
• strategic audit planning for our PRS program.

Figure 4: Annual funding for parliamentary reports and services

^(a)Annual funding for parliamentary reports and services only. PRS engagement and review output appropriations in our 2024–25 Annual Report of $20,410,000 additionally include a cost of living allowance from Parliament of $713,500.
Source: VAGO.

Auditor-General and executives' remuneration

The Governor of Victoria formally determines the Auditor-General’s remuneration on ministerial advice through the Executive Council.

Our executives are employed on fixed-term contracts under the PAA. They are remunerated within the bands set by the Victorian Independent Remuneration Tribunal. Our executives are not entitled to performance-related bonuses.

We disclose the Auditor-General, the strategic management group and our executives’ remuneration in our annual report.

Workforce composition and remuneration

Our workforce comprises a mix of employees, contractors, consultants and ASPs, engaged under different employment and commercial arrangements.

Employees are engaged under the PAA. Non-executive employees are covered by the Victorian Public Service Enterprise Agreement 2024, while executives are employed and remunerated as noted in the section above. Executives are not covered by the Enterprise Agreement.

Contractors and consultants are not employees under the PAA. They may be engaged through labour hire firms or directly under other contractual arrangements, including specialist professional services contracts. Where labour hire arrangements apply, fees are agreed through the relevant contractual mechanism, including whole of government or VAGO specific procurement arrangements.

We select ASPs through a rigorous qualification process that considers:

• strength of data protection and governance practices

audit quality, assessed against ASQM 1 standards

• expertise and experience of key personnel
• capacity to deliver high-quality audit services
• use of innovative approaches, including data analytics and technology
• cultural alignment with VAGO’s values and methodology.

We award audit engagements through a competitive panel process based on the quality, efficiency and value for money of ASPs’ proposals.

ASPs’ fees are governed by the terms and conditions of a panel contract and our supporting ASP instructions. We make payments after each phase of an audit engagement is completed and we have accepted key deliverables.

Investing in our professional practice

We established a professional practice and development branch in the PRS division in 2023. The branch has helped us significantly improve our performance engagement methodology. 

Performance engagement methodology 

We established our new performance engagement methodology at the end of 2024. This included designing and delivering:

• 4 manuals for our engagement delivery
• 10 guidance documents to align our work with the Australian Auditing and Assurance Standards and key audit principles 
• 10 procedures for specific tasks 
• revised templates and tools (including a risk assessment plan to improve our understanding of an engagement and our approach to conduct).

These updates will support our staff and improve our engagement process from planning to reporting. 

Future work

The professional practice and development branch will lead further work to:

• better use our digital channels and platforms
• deliver a learning pathway for our performance engagement methodology 
• make sure our methodology is current and reflects better practice, including guidance on the EQR’s role and other responsibilities in the engagement team.   

Caseware

In 2024–25 we continued to transition our in-house audits to our new cloud-based management platform, Caseware.

Legacy tools have been a significant challenge for our financial audit teams, so we launched a project to replace our audit software. Caseware has the modern features expected by auditors and 84 per cent of in-house audits are now using it. The rest will transition in 2025–26.

The project’s next phase will rollout Caseware to our ASP engagements in 2026–27. This will further improve the value of our audits.

Empower 2.0

In July 2024, we launched Empower 2.0, which is an advanced version of our previous analytics platform. In 2024–25, Empower has:

• supported audits of 54 entities 
• managed around 23 billion records 
• hosted around 14,500 report views by financial auditors. 

Empower offers better data protection, performance and user experience. It gives auditors direct access to raw data, interactive visualisations and practical tools to simplify how we plan and conduct audits. 

Our key focus in 2024–25 was to automate how we extract data from source systems. 

In 2025–26 we are exploring how auditors can use Empower to test general IT controls and information processing controls. This includes having pre-built data visualisations and AI agents to help with repetitive tasks. 

This will allow auditors to work more efficiently and effectively. They can focus more on high-value activities that require professional judgement and critical thinking, which can lead to greater job satisfaction and a stronger sense of purpose in their work. Exposing our staff to modern tools also contributes to upskilling and professional growth.

Methodology updates and training

Our FA division is improving how we use our methodology and software to:

• boost staff capabilities
• conduct audits using data analytics
• deliver efficient, risk-based audits.

There has been significant effort invested in Caseware support materials, such as the document library, guidelines, procedures learning content to support Caseware business rules. Significant effort has also been invested in updating our EPIC financial audit methodology, which is discussed in more detail in section 3.7.

ASPs

Each year, we review our ASP instructions, procedures and policies. 

Our FA division continues to focus on ASP oversight and management, focusing on initiatives to improve how they: 

• collaborate with our ASPs
• oversee their work
• manage their performance.

ASP engagement, oversight and monitoring are discussed in detail in Section 3.7.

Overview

We launched capability frameworks in 2023–24 to support our staff in their daily work. In 2024–25 we started including them in our professional development plan process for audit staff to support their professional development.

Enhancing FA capability

Financial Audit have developed an audit capability framework, learning and development curriculum and succession pathways to assist us:

• build our employees’ capability in their existing roles
• develop new and emerging capability requirements
• support potential career progression within the organisation.

PRS learning framework project

The PRS learning framework aims to develop a specialised professional practice pathway for performance audit. 

It will include 18 online learning modules to support PRS staff across all phases of an engagement. The modules will support and onboard new staff, as well as be a standalone learning resource for ‘point in time’ learning such as workshops. 

We will complete the PRS learning framework in 2025–26. 

Current focus and next steps

To continue strengthening our staff capability, we will: 

• combine existing frameworks into a unified, organisation-wide approach that supports consistency and clarity
• explore skills growth and make sure skills remain central to our capability strategy
• expand learning resources for human/enduring skills and make sure all staff can access development opportunities. 

This will help us deliver a more connected, future-ready workforce in line with our strategic plan.

Our SQM and ASQM 1

ASQM 1 is the main standard that outlines quality requirements for audits. 

We have designed, implemented and operate our SQM in line with ASQM 1 requirements. It has policies and procedures to address risks to our quality objectives. 

We also evaluate our SQM each year through our monitoring and remediation process to:

• assesses the SQM’s effectiveness
• identify risks
• plan any changes to our SQM.

Figure 5 outlines the 6 ASQM 1 quality management objectives in our risk assessment, monitoring and remediation processes.

Figure 5: ASQM 1 quality management objectives within our risk assessment and evaluation processes

Source: VAGO.

Quality risk

A risk qualifies as a quality risk when it has a reasonable possibility of both:

• occurring
• adversely affecting us achieving one or more quality objectives.

Risk assessment and risk response

We identify quality risks through our risk assessment process. We do this by:

• considering the Australasian Council of Auditors-General’s work on quality risks 
• consulting with our strategic management group to assess our risk factors, quality risks and risk responses. 

Our SQM outlines the policies, processes and procedures we use to respond to audit quality risks. 

We evaluate our risk responses every year to assess how effectively they address audit quality risks. We discuss this further in Section 5.

The Auditor General's responsibility

ASQM 1 requires the chief executive officer (or equivalent) to have ultimate responsibility and accountability for an entity's SQM. 

The Auditor-General is responsible for our SQM and its performance. But all our staff have a role in audit quality. 

Figure 6 shows the roles and groups that oversee our SQM.

Figure 6: Governance arrangements supporting audit quality 

Source: VAGO.

Roles and responsibilities

Our audit quality director is operationally responsible for our:

• SQM
• monitoring and remediation processes.

They are also:

• a key subject matter expert, providing support and advice to our auditors on complex auditing matters 
• a member of our: 
  • audit report modification panel
  • technical panel.

The audit quality director reports directly to the Auditor-General and is independent of our FA and PRS divisions.

Our financial reporting advisory director is operationally responsible for providing support and advice to our financial auditors on complex accounting and financial reporting matters. They are also a member of our technical panel.

Roles and responsibilities

The Assistant Auditors-Generals of FA and PRS are operationally responsible for monitoring how their divisions meet independence requirements.

The engagement leader and signing officers are responsible for assessing independence throughout each audit process. They identify and evaluate potential threats throughout PRS and FA engagements, recording them on the audit file and notifying human resources for central tracking of independence. 

We discuss VAGO’s independence requirements in further detail in Section 3.4.

Roles and responsibilities

Our strategic management group promotes audit quality by:

• embedding quality in our values, culture, ethical standards and strategic objectives
• managing and overseeing strategic project performance
• monitoring audit quality by internally evaluating our SQM every year and reporting the results in our annual transparency reports
• assessing the effectiveness of our risk management.

Our operational management group promotes audit quality by:

• making sure we comply with our policies and procedures
• monitoring performance against our organisational objectives, including audit quality objectives.

Independence declarations

Our conflict of interest policy and employee declaration procedure require our staff to complete an independence declaration: 

• when they join VAGO 
• if their circumstances change
• each year before 30 September. 

We also require all engagement team members, including internal and external subject matter experts, to confirm and declare their independence before each engagement and if their circumstances change.

We require our ASPs and external subject matter experts to confirm their independence in writing at tendering stage and at their appointment as a VAGO ASP or external subject matter expert. 

Our ASPs also confirm their independence in writing at the start and end of each financial audit engagement. We require them to have an appropriate system to maintain their independence in line with the auditing, professional and ethical standards.

If a conflict of interest happens, our human resources team notifies the Assistant Auditor-General of FA or PRS (as appropriate). They will approve any actions needed to reduce threats to our independence. 

We review compliance with our conflict of interest policy and independence declaration procedure annually. Our FA signing officers and engagement leaders also monitor independence throughout each audit engagement on an ongoing basis. 

In 2024–25 all VAGO staff completed their independence declarations. There were 2 breaches of our conflict of interest policy where we could not identify the mitigating action taken by PRS staff. This occurred during a change in leadership. The nature of the conflicts declared are low risk in both cases. One relates to former employment and the other relates to personal relationships with people in government agencies who are not decision-making positions. In each case, the two PRS staff members do not work on engagements with the agencies involved. For 2025–26 we have introduced a new process for managing conflict of interest declarations that ensure this cannot happen again, which is now the responsibility of our strategy, governance and risk team. The new process involves:

• a streamlined declaration process to make it easier for staff to proactively declare conflicts 
• more guidance on identifying and managing conflicts and how to put appropriate controls in place for managing conflicts 
• giving direct supervisors a more responsibility and support in managing conflicts in line with the best practice guidance 
• significantly more oversight on the declarations made. There have been no other breaches since we started producing transparency reports in 2019–20.

Ethical requirements training

We make sure our staff understand and comply with our ethical requirements. 

When we onboard new staff we provide mandatory and assessment-based ethics training modules. Staff must complete these modules each year as part of our annual compliance program, which our strategic management group monitors. 

In 2024–25 all FA and PRS staff completed the annual mandatory compliance training (and since we started producing transparency reports in 2019–20).

Our compulsory ethics training modules cover:

• fraud, corruption and conflicts of interest
• independence and regulatory obligations 
• privacy, secrecy and confidentiality
• appropriate behaviour
• public interest disclosures.

Gifts, benefits and hospitality

Our gifts, benefits and hospitality policy states that it is not appropriate for our staff to offer or receive gifts, benefits or hospitality that could reasonably be perceived to affect our independence or impartiality. 

We have guides and examples to make sure our staff know: 

• when they should reject a gift
• how to give and receive gifts for business purposes
• how to record items on our gifts, benefits and hospitality register. 

Our fraud, corruption and conflict of interest training also addresses these requirements. 

As required by the Standing Directions 2018 Under the Financial Management Act 1994, we publish our gifts, benefits and hospitality policy and register on our website.

Rotation policies

To avoid actual and perceived threats to our independence caused by our staff becoming familiar with staff from the entities we audit, we rotate the following engagement team members on or before the following periods:

• engagement leader – at least every 7 years
• EQR – at least every 7 years
• team leader – at least every 5 years.

The Assistant Auditors-General of FA and PRS are responsible for rotating senior members of our engagement teams. Both divisions monitor the rotation of senior team members through their annual resourcing allocations. We have the same rotation requirements for our FA ASPs. 

We also maintain registers to:

• track how long our auditors have worked in each sector and on each audited entity
• assess the amount of time senior team members have spent on each engagement.

In 2024–25 there was one breach of our financial audit rotation policy. We authorised a director to work on an eighth-year audit of an entity because of an unplanned director resignation. We outlined the breach and proposed remediation actions in a memo to the Auditor-General. The Auditor-General approved the actions, which we managed accordingly. Given our current resourcing plan, we do not expect this to happen again. There were no other breaches of our FA rotation policy in 2024–25.

There have been no breaches of our PRS audit rotation policy since we started producing transparency reports in 2019–20. 

Audit Act mandate

The Audit Act:

• requires the Auditor-General to audit the financial statements of each public body in Victoria
• gives the Auditor-General the mandate to undertake performance engagements of Victorian public sector entities and of their objectives, operations and activities.

As we do our audits, certain ASQM 1, ASAE 3000 and ASA 220 requirements that relate to accepting and continuing engagements do not apply to us. 

For continuing engagements, the engagement leader confirms that the engagement is still within our mandate each year.

For performance engagements: 

• the Audit Act requires us to consult with the Public Accounts and Estimates Committee (PAEC) on our performance audit specifications
• ASAE 3500 requires us to communicate the engagement terms to the entity at the start of each performance engagement, as detailed in our methodology procedures.

Non-mandated engagements

We may do financial audits by arrangement under section 23 of the Audit Act. It requires public bodies to get ministerial approval before asking us to provide other auditing services. The Auditor General approves these requests. 

Under section 24 of the Audit Act, we may enter into a public purpose audit arrangement with an entity that is not a public body if the: 

• engagement is in the public interest
• entity exists for a public purpose.

We may be asked to do non-mandated engagements that meet the Audit Act's requirements. In these cases, we have acceptance and continuance policies and procedures that address our non mandated engagement audit quality objectives. 

To maintain our independence and objectivity, we do not allow our ASPs to provide non assurance services to an audit entity during their contracted period without the Auditor General’s prior written approval.

Dispensed audits

Section 10(2) of the Audit Act allows the Auditor-General to dispense of an audit or financial report. To our knowledge there were no dispensed audits from 2020–21 to 2024–25.

Engagement teams

We outline engagement team members' roles and responsibilities in our engagement methodologies and audit policies. We provide training to make sure teams understand these requirements. We also have supervision, review, performance management and monitoring processes to make sure staff fulfil their responsibilities.

Our ASP contracts and instructions have information on ASPs’ roles and responsibilities.

Supervision and review policies and procedures

We have policies and procedures for supervision and review responsibilities. They state that more experienced engagement team members must review less-experienced engagement team members’ work. 

For all engagements, the engagement leader is responsible for making sure these reviews are done in line with our policies and procedures.

We also have oversight procedures, contract management processes and annual performance assessments to monitor the quality of ASPs, as outlined in Section 3.7.

Financial engagement consultations

During financial engagements, we require engagement leaders to consult our financial reporting and advisory team or audit quality team on:

• significant accounting and auditing issues
• difficult or contentious matters. 

Our consultation policy outlines principles for assessing matters that need consultation. We have protocols and online forms to guide consultations and we keep a register of consultations. 

Our financial reporting advisory team and audit quality team include audit and accounting subject matter experts. We encourage our auditors to consult these subject matter experts where appropriate. Engagement teams record consultation outcomes in their engagement files. Our technical panel meets monthly to consider significant and contentious accounting and auditing related matters.

Performance engagement consultations

During performance engagements, we require engagement leaders to consult with their EQR, the Auditor General and the Assistant Auditor-General, PRS about any internal differences of opinion. 

As part of our acquittal process, we document the conclusions we reach before finalising the engagement documentation and corresponding report. The Auditor-General makes the ultimate decision.

Differences of opinion

If there is a difference of opinion between a subject matter expert and an engagement team, the engagement leader must refer the matter to the relevant Assistant Auditor-General and, if needed, the Auditor-General. 

If there is a difference of opinion between an EQR and an engagement leader, the relevant Assistant Auditor-General and/or staff from the audit quality team will help to resolve it. In line with our EQR policy, the engagement leader must refer unresolved differences of opinion to the Auditor-General for discussion and resolution.

Financial audit EQR

We appoint an EQR to all high-risk engagements. For moderate-risk engagements, we annually assess the need for an EQR. We provide our engagement teams with tools to do this assessment. 

The extent of an EQR’s review depends on the engagement’s risk and complexity. It always covers: 

• independence
• materiality
• significant risks and judgements. 

We do not issue an audit report until the EQR has completed their review and the engagement team has satisfactorily resolved all their significant questions. 

The EQR’s involvement in an engagement does not reduce the signing officer or engagement leader’s responsibilities. All documentation showing the EQR’s involvement in an engagement, including discussions with the engagement leader where conclusions were reached, is saved in the engagement file.

We consult with our ASPs to decide whether an EQR is needed for an engagement they are undertaking. If an EQR is required, the ASP is responsible for allocating a second independent partner as the EQR. An ASP must adhere to its own firm’s EQR policy and procedures for completing the engagement quality review.

Performance engagement EQR

We appoint an EQR to all PRS reasonable assurance engagements. We generally do not appoint an EQR on limited assurance engagements but can if needed. 

The EQR must complete and document their review and the engagement team must satisfactorily resolve all their significant questions before the Auditor-General can issue the report.

In 2024–25 there was seven breaches of our EQR policy. An EQR reviewed an engagement where the engagement leader was the EQR for their concurrent engagement, which our policy does not allow. This happened because of a restructure in our PRS division. 

We outlined the breach and proposed remediation actions in a memo to the Auditor-General. The Auditor-General approved the actions, which we managed accordingly. Given our current resourcing plan, we do not expect this to happen again.

Documentation protocols

The Audit Act restricts our auditors from sharing or inappropriately using any information gathered during an engagement. 

We have policies and procedures to maintain the confidentiality, safe custody, integrity, accessibility and recoverability of our engagement information in line with ASQM 1 and relevant legislation.

Engagement teams must maintain the confidentiality of their work papers and the information they collect during an engagement.

All Victorian Government agencies must add protective markings to documents under the Privacy and Data Protection Act 2014. We use Microsoft 365 security and sensitivity labels on all documents and emails. They include ’official’, ’sensitive’, ’protected’ and ‘secret’. The classification levels are based on the potential damage to the government’s operations, an organisation or a person if confidentiality was compromised. We secure and store all documents in line with our protective marking procedure.

File lockdown and retention

We require our engagement teams to assemble and lock down their engagement files within: 

• 60 days after we issue a financial audit report 
• 15 days from the tabling date for performance engagement reports. 

Caseware also has a feature to automatically lock down engagement files 90 days after we issue the financial audit report. We keep all engagement files for at least 7 years from the date of an audit report. We also require our ASPs to keep engagement files for this period. We regularly monitor compliance with our engagement file lockdown policy.

Recruitment, promotion and compensation

To achieve our quality audit objectives, we recruit high-calibre talent and have a culture of continuous improvement and accountability. We encourage innovation, collaboration, stakeholder engagement and sharing knowledge. 

Recruitment to every VAGO position is a transparent, merit-based process. Our human resources policies and procedures recruit and promote staff with the competence, capabilities and commitment to the ethical principles needed to perform our engagements to a high standard. 

Our recruitment assessment criteria include: 

• qualifications
• experience
• a range of behavioural and operational attributes
• reference and security checks. 

We recognise that diverse and inclusive workforces:

• are more capable of meeting evolving organisational needs
• provide different ways of looking at work issues 
• drive higher innovation and productivity.

We compensate our employees in line with the Victorian Public Service Enterprise Agreement 2024. Salary progression depends on satisfactory performance and high performers (except executives) can achieve a bonus each year. Employees do not receive other forms of incentive-based remuneration.

We manage our senior executive employees’ performance in line with our executive employment contracts and the VPS executive employment handbook. Our process reflects the principles outlined in our employee performance policy and associated procedures.

Performance appraisals

Our employee performance policies and procedures help us develop and monitor our employees’ capabilities and competence. This involves self-assessments, manager assessments and a measurement process. 

At the start of our annual performance cycle, each employee sets goals and record them in development plans. Goals are aligned with our strategic objectives. Employees record their learning and progress against their goals throughout the year. 

Managers hold regular meetings with employees to discuss their expectations, performance feedback, workloads and upcoming priorities. This process also includes audit quality criteria.

Employees also do self-assessments against the capability frameworks to identify their current capability levels. Managers assess their team members against these frameworks. These assessments support meaningful goal setting and development planning.

Each employee has a formal midyear and end-of-year evaluation with their manager. These sessions also involve discussions about career goals.

These meetings and evaluations help employees identify their learning and development goals. Targeted support and remedial action are provided for underperforming employees.

We encourage our employees to actively support each other and pursue their own professional development goals.

Learning and development

Our staff’s ongoing development is essential to audit quality. We support our staff to adopt new and emerging technical, analytical and human skills and capabilities. We: 

• provide structured learning for all new staff and run a graduate induction program
• provide on-the-job training and coaching with training sessions, e-learning modules and guidance materials
• share information about accounting and auditing standards and methodologies to build our auditors' technical capability. Technical training includes:
  • modules on our audit methodology and tools
  • updates or changes to professional standards
  • our regulatory environment and ethical requirements 
• run workshops and seminars to increase our staff’s capability and knowledge
• refer to our staff’s annual learning and development goals when we design our training programs.

We are changing our learning and development approach. We are evolving our '70/20/10' model (70 per cent on the-job, 20 per cent exposure and shadowing, 10 per cent formal learning) to be complemented by the 3Es (experience, exposure and education). This enables continuous improvement of our existing approach, under a refreshed concept, to reflect that auditor learning occurs primarily while performing engagements, supported by learning from the colleagues and formal training. This gives staff more flexibility to learn in ways that best suit their roles and career goals.

We support our staff to learn new technical, analytical and essential people skills. We treat coaching, supervision and reviews as ongoing processes and feed them into our annual performance program. We monitor completion of our mandatory training modules, including our annual compliance program.

All our financial auditors have a Chartered Accountants Australia and New Zealand membership or a Certified Practising Accountant Australia membership, are progressing towards one of these memberships, or have a similar international equivalent that our job descriptions allow. These staff maintain the minimum professional training requirements for these memberships. 

Our PRS staff have extensive experience in data analytics and policy development.

Assigning staff to engagements

It is important that engagement teams have the capacity and capability to respond to each engagement’s specific risks and requirements. To support this, we have policies, procedures, and use:

• resourcing strategies
• suitable subject matter experts
• appropriate recruitment practices
• professional development criteria.

We set up engagement teams to make sure we have the technical capability and experience to do each engagement. We assign an engagement leader with the appropriate competence, capabilities and authority to perform the role.

Our resourcing strategy considers a mix of in-house staff and external subject matter experts. We allocate resources to audits based on:

• the budget prepared for each engagement
• the capabilities required to address each audit’s risk level.

For financial audits, we also engage ASPs to deliver quality outcomes. Our Victorian Public Service level allocation policy for financial audit engagements sets the minimum Victorian Public Service classification required for each audit engagement role. This is based on factors such as the nature of the engagement (for example material entities, non-material entities or ASP engagements) and the level of audit risk.

Data science and data analytics

We have dedicated teams to support our audit engagements. Our data analytics team supports the FA division. Our data science team supports the FA and PRS divisions. They help our auditors to:

• translate audit objectives into questions that can be addressed using data analytics
• process, sample and check source data
• use data for evidence during annual planning 
• test tools 
• communicate and visualise data analytics results.

Our data teams also support auditors by providing training and other forms of knowledge and skill transfer. For example, they train:

• performance auditors to apply statistical analysis skills and use tools such as Python and Microsoft Power BI
• financial auditors to use our data analytics platform, Empower.

Our data science team uses publicly available data and data owned by government agencies to do their analyses. 

Empower 2.0

Our data analytics platform, Empower, gives our auditors access to data and prebuilt visualisations. They use Empower 2.0 to: 

• access and analyse data to support audit planning and execution
• do risk assessments to: 
  • better understand classes of transactions 
  • develop an appropriate risk-based audit approach 
• identify higher-risk data entries that require further testing 
• perform audit procedures that involve selecting and evaluating a statistical sample
• re-perform rule-based audit procedures, which auditors previously had to complete manually
• help them match financial records to their audit entities’ financial statements
• present impactful audit findings and offer richer insights.

We have a data champion group that provides training and support to our financial auditors to apply our data analytics approach.

Systems assurance

Our systems assurance team supports engagement teams when they need IT audit subject matter experts on their engagements. They can help with:

• general IT controls testing
• automated information processing controls testing 
• learning and development 
• testing system interfaces and other procedures that respond to risks arising from use of IT.

At times, our systems assurance team supports the financial auditors when the organisation we are auditing does not have strong enough IT controls. For example, they may check how a report is set up to make sure it works correctly. They also help with audit work that requires specialised IT knowledge, such as reviewing computer programs that were used in detailed testing of financial information.

In 2024–25, we resourced our systems assurance team using in-house staff and staff from one professional services firm.

Our FA methodology

We have a risk-based EPIC methodology, which complies with the Australian Auditing Standards and includes audit policies, guidance, processes and procedures for the public sector across 4 major processes. Figure 7 describes these processes.

EPIC incorporates information systems, auditing planning, risk assessments and conclusions for an integrated audit approach. 

It gives auditors the opportunity to better document and demonstrate how they reached a conclusion and if the audited entity has the controls to address any risks the audit identified.

We continually monitor and refresh our EPIC methodology.

Our performance engagement methodology

Our engagement file is where we document our engagement. It consists of the: 

• Audit Methodology Procedure Lotus Notes database
• Microsoft Teams site and associated SharePoint site
• final published PowerBI dashboards. 

Our performance engagement methodology includes policies, manuals, guidance, procedures and tools to cover all 4 phases of an engagement. They are:

• design the engagement
• plan the engagement
• implement the plan
• conclude and report. 

As outlined in Section 2.1, our PRS division recently created a new engagement methodology. It has aligned its Audit Methodology Procedure Lotus Notes database to support these changes for the 2025–26 cycle. We are doing further work to improve our database and join up the systems our engagement teams use.

Audit quality and financial reporting advisory teams

Our staff’s auditing, accounting and financial reporting skills are essential to the quality of our engagements. 

Our audit quality and financial reporting advisory teams support engagement teams by providing:

• training on:
  • our audit methodology and tools
  • how to apply the Australian Accounting Standards and Australian Auditing and Assurance Standards in a public sector context
• technical consultation on complex accounting, auditing and financial matters. 

Our PRS division delivers a regular training to support performance audit capability. This includes:

• ‘community of practice’ sessions to develop skills and share knowledge
• tutorial sessions to learn more about the Victorian public sector. 

PRS staff also attend Australasian Council of Auditors-General training sessions about conducting and managing performance audits.

ASP employment and oversight

We engage ASPs to help deliver our annual financial audits. Our procurement process for ASPs assesses their capability, ethical requirements and quality control system. 

The ASP engagement leader is responsible for the quality of their audits. VAGO signing officers remain responsible for the audit opinions we issue.

An FA sector director decides the level of ASP oversight needed for each audit and assigns an ASP review officer. Their decision on level of oversight and choice of ASP is influenced by the:

• ASP engagement leader’s assessment of the financial report level risks associated with the engagement
• signing officer’s agreement with the ASP engagement leader’s risk assessment
• ASP review officer's completion of our ASP oversight assessment tool.

ASP engagement and oversight

When doing audits on our behalf, our ASPs: 

• use their firm’s audit methodology 
• must comply with Australian Auditing Standards and our ASP instructions
• provide evidence of work completed to help us oversee their work.

During an ASP engagement, the ASP review officer is responsible for either: 

• completing the oversight audit procedures outlined in our ASP oversight guidance procedure
• assisting the signing officer to do this. 

Where the level of ASP oversight is intensive, the sector director or delegated signing officer will complete the required audit procedures.

Monitoring our ASPs

Through our annual engagement quality inspection program (EQIP), we do post-engagement quality inspections of our ASP’s work every 3 years. We discuss this in Section 3.9.

The Australian Securities and Investments Commission (ASIC) may also inspect our ASPs. We discuss this in Section 4.3.

We also assess our ASPs on an ongoing basis under our ASP performance management framework, which monitors the performance of the ASP firms as a whole and the performance of individual ASP engagement leader personnel. 

We assess ASP engagement leader:

• audit capability and capacity
• the quality of their key deliverables
• relationships with audited entities and with VAGO
• the innovation in their audit approach.

Each nominated ASP engagement leader is scored from one to 5 (ranging from unsatisfactory to exceptional) against each of the above criteria to arrive at an average score for the firm and for individual engagement leaders. These results are reported annually by the Assistant Auditor-General of FA to the operational management group with recommended actions where performance challenges exist. A low score can result a range of actions against an ASP including additional VAGO oversight, placing them on a performance improvement plan, restricting the audit engagements we award to them or terminating their agreement with VAGO.

Information system responsibilities

Our policies and methodologies outline responsibilities to identify and capture data. 

Our IT business support team maintains and manages our information systems, including:

• how we capture, store, and dispose of records in our records management system
• managing record control and security
• training staff on our security and data retention policies.

Collaboration and information sharing

We have a collaborative environment where auditors share their knowledge, experience and technical expertise to improve the quality of our engagements. 

We encourage collaboration and information sharing within the boundaries of the Audit Act and other regulatory requirements. 

We have policies and procedures that maintain the confidentiality, safe custody, integrity, accessibility and retrievability of engagement documentation in line with:

• ASQM 1
• the Public Records Act 1973
• the Privacy and Data Protection Act 2014
• the Australian and international standards for information management:
  • ISO 15489-1:2016: Information and documentation – Records management
  • ISO 16175-1:2020: Information and documentation – Processes and functional requirements for software for managing records
  • ISO 23081 Series: Metadata for records.

We do regular systems audits against these policies. Where needed, we flag incidents or inconsistencies to our strategic management group for action. Our IT team also monitor our data systems to make sure no important data is destroyed without authorisation.

Overview

We encourage collaboration between our business divisions and our financial and performance auditors and engagement teams. 

Communicating the importance of quality

In line with ASQM 1, we keep our staff informed about the importance of audit quality. To provide visible leadership, promote our culture and audit quality, and improve communication across VAGO, we:

• require all staff to do SQM training 
• hold regular stand-up briefings for all staff, hosted by a strategic management group member, where staff can also ask questions 
• post regular announcements on Microsoft Teams to inform staff about new or revised policies and processes related to our SQM
• hold technical update sessions 
• provide feedback to auditors on the results of our monitoring and remediation processes
• rotate participation of our senior staff in monthly operational management group meetings 
• report staff survey results to the strategic management group
• hold divisional forums, offsite days, sector team days and team meetings
• have an EPIC advisory committee
• have a data analytics champions group
• have a staff consultation committee. 

We also include questions about our audit quality in stakeholder and staff surveys. We analyse survey results and take action as appropriate. We actively engage with our staff during this process.

Staff consultation committee

The office has a staff consultation committee facilitating direct communication between staff and senior executives. This committee incorporates representatives from all VAGO’s business divisions of intended mixed seniority. The committee’s objectives, principles and structure are outlined in its terms of reference. 

Overview

We communicate with external parties including audited entities, ASPs, Parliament and the public.

Communication with audited entities and Parliament

Our auditors engage with key management personnel and governance committees during our engagements. 

Entity audit committees are a main point of contact for information. We attend relevant audit committee meetings to share deliverables for our engagements. 

Our audit methodologies make sure we communicate with our audited entities and Parliament in line with the Audit Act and relevant auditing and assurance standards. 

We consult with our audited entities when preparing our annual plan and engagement deliverables. We seek comments from PAEC on our draft annual plan and each engagement’s strategy. 

We table our annual plan, annual report and audit reports in Parliament. Before doing so, we invite relevant ministers to a briefing on the engagement.

Communication with ASPs

We communicate with our ASPs through: 

• our ASP instructions
• the ASP portal
• sector-specific workshops to discuss emerging matters or contentious audit and financial reporting issues within sectors impacting audits
• quarterly 'ASP Live' online events to provide updates on progress against key deliverables, processes, audit quality matters and VAGO news. 
• annual ASP engagement leader workshop to connect ASPs to VAGO’s areas of strategic focus work through progress or changes affecting the audit delivery model
• the ASP performance management framework
• annual quote rounds for each upcoming audit season
• biannual confirmations of their SQM framework, data protection and governance, and local jobs first
• email on specific matter and to send relevant updates.

We outline our quality requirements for ASPs in contract agreements and ASP instructions. We provide all relevant policies, procedures and templates to our ASPs in our ASP portal. We communicate changes in these requirements as they occur.

Communication with the public

To fulfil our role promoting confidence in the public sector, our communications with the public are critically important. We must be transparent and accountable.

We include the results of our financial audits and performance engagements in reports, which we table in Parliament. We make these reports and their related summary videos publicly accessible via our website. We have a communications plan for each parliamentary report to help reach the public through social media.

To make sure our work is easily understood, we produce products that are: 

• accessible
• useful to the public
• written clearly in plain language. 

To promote transparency, and in line with our legislative obligations, we annually report on our performance, strategies and plans for the year ahead and beyond. These corporate publications are publicly accessible via our website and include information we consider to be of public interest. 

We also describe the various aspects of oversight that we are subject to in our assurance services, and use of public resources. We communicate this information on the how we are accountable page of our website.

External general enquiries

We receive general correspondence from parliamentarians, public sector representatives, councillors and the public. We respond according to our format and timeline guidelines.

As per our media policy, we do not: 

• pursue media coverage
• comment on our work outside of what we say in our tabled reports, official website and social media channels.

We discuss communications for complaints and allegations in Section 3.9.

Monitoring and remediation process

Our monitoring and remediation process provides: 

• relevant, reliable and timely information about the design, implementation and operation of our SQM
• a basis to identify deficiencies
• actions to respond to identified deficiencies in a timely way, to support the continuous improvement of our SQM and engagement quality
• guidance to identify, communicate, evaluate and report any breaches of relevant ethical requirements and respond in a timely way.

Post-engagement quality inspections

We have designed the annual EQIP for our financial and performance engagements in line with ASQM 1 requirements. The EQIP evaluates: 

• all engagement leaders over a 3-year cycle, including ASP engagement leaders
• a selection of financial and performance engagements
• engagements with certain risk criteria, such as a prior unsatisfactory file rating.

The EQIP focuses on continuous improvement. We assess the quality of our engagements against the Australian Auditing and Assurance Standards’ requirements and audit methodology.

We then prepare reports with an overall quality rating of each engagement and observations from the inspection. Figure 8 describes the ratings. We give these reports to the relevant engagement leader and use them to: 

• address issues where needed
• identify root causes 
• implement learnings for future engagements. 

We evaluate the results of our EQIP and prepare a report and action plan for the Auditor-General. This report also outlines the significance and pervasiveness of any issues across our engagements. 

The operational management group and Audit and Risk Committee monitor our progress in implementing any agreed actions.

EQIP results for performance engagements

Our 2024–25 EQIP covers 3 performance engagements, which accounts for 50 per cent of our performance engagement leaders.

We have addressed these recommendations by refreshing our performance engagement methodology and associated training. 

Figure 9 shows the engagement file ratings we reviewed from 2021–22 to 2023–24. In 2022–23, PAEC did not provide a file rating for its recommendations. We explain them in Appendix C.

EQIP results for financial engagement 

Our 2024–25 EQIP covers 16 financial engagements, which accounts for 29 per cent of our financial engagement leaders. It resulted in 6 remedial actions. 

Figure 10 shows the ratings for the engagement files we reviewed from 2020–21 to 2024–25.

Remedial actions from our financial EQIP include:

• developing tools to support our engagement teams
• updating our procedures 
• providing training and guidance to our engagement teams to improve how they apply our audit methodology and policies. 

The engagement leaders responsible for material departure ratings are subject to further inspection. 

We monitor progress for remedial actions and provide updates to our operational management group and Audit and Risk Committee. Our 2024–25 EQIP will evaluate the effectiveness of our 2023–24 remedial actions.

Internal audit

In line with the Standing Directions 2018 Under the Financial Management Act 1994, we have internal auditors who report to our Audit and Risk Committee. 

Our internal audit charter outlines the authority, independence, role, responsibilities, performance expectations and relationships of our internal auditors. 

The objective of our internal audit function is to provide innovative, responsive, effective and value-added internal audits that assist us and our Audit and Risk Committee to: 

• control risks
• monitor compliance with policies and procedures 
• improve the efficiency and effectiveness of our quality control system.

Our internal auditors develop a 3-year rolling internal audit plan that is approved by our Audit and Risk Committee. 

These audits assess the quality and performance of specific functions in our office. Audit quality is one of the topics listed in the plan for this year. 

We use the information from our surveys, reviews and internal audit processes to:

• address any issues that arise from these audits
• identify trends and common themes
• develop improvement projects and strategies
• monitor the effectiveness of our current improvement projects.

Complaints and allegations

We have various channels for entities and staff to make complaints and allegations about:

• noncompliance with professional, regulatory or legal requirements
• noncompliance with our own SQM. 

The complaints page on our website provides information about our complaints process and how to submit a complaint about an audit engagement. 

Anyone can provide feedback or make a complaint or allegation about suspected fraud or corruption by a VAGO staff member or ASP. We can also receive complaints through direct communication with our engagement teams.

Figure 11: Types of complaints and reporting processes

Source: VAGO.

We do not tolerate fraud or corruption and take all allegations of suspected fraud or corruption seriously and respond fully. We assess, investigate, respond and resolve complaints as required. 

If a complainant is dissatisfied with how we have handled a complaint, they have the right to ask us to reconsider by contacting the Deputy Auditor-General.

If they are still dissatisfied, depending on their concern, they can escalate the complaint to the:

• chair of PAEC
• Integrity Oversight Victoria
• Independent Broad-based Anti-corruption Commission
• Victorian Ombudsman.

We received 4 complaints in 2024–25: 

• 3 relating to the timeliness of financial audits
• one relating to a consultation done as part of a performance engagement.

We received 2 complaints in 2023–24.

Overview

PAEC has responsibilities relating to the Auditor-General and VAGO. The Constitution Act 1975, the Parliamentary Committees Act 2003 and the Audit Act outline PAEC’s responsibilities to: 

• recommend who to appoint as the Auditor-General 
• appoint external auditors to do an independent performance audit every 4 years
• appoint external auditors to do a financial audit of our financial and performance statements every year.

We have responsibilities to consult PAEC: 

• on our annual budget and annual plan 
• when we develop objectives and scope for performance engagements, based on set criteria 
• by providing quarterly reports on our assurance reviews.

Independent performance audit

The Audit Act requires VAGO to be independently audited at least every 4 years. The audit’s aim is to assess if we are: 

• achieving our objectives effectively, economically and efficiently
• complying with all relevant Acts.

Our latest independent performance audit was in 2023–24. PAEC appointed MartinJenkins to do the audit and its report was tabled in Parliament on 30 July 2024. The report was positive overall and found several strengths, including our:

• policies and processes for defining and ensuring independence 
• contribution to an effective and efficient public service
• staff’s professionalism
• contemporary methodology, tools and techniques
• focus on quality and continuous improvement
• focus on staff wellbeing and development.

The audit made 19 recommendations in total all of which we accepted (10 recommendations in full, 2 in part and 7 in principle). Appendix C shows the status of these recommendations, including our proposed actions and progress towards implementing them. We provide regular updates about our progress to the operational management group and the Audit and Risk Committee.

Three of the accepted recommendations relate to the quality of our performance engagements and 2 relate to both our financial audits and performance engagements.

Overview

Integrity Oversight Victoria (formerly the Victorian Inspectorate) is a key oversight body in Victoria’s integrity system and reports directly to Parliament. The Integrity Oversight Victoria Act 2011 (formerly the Victorian Inspectorate Act 2011) gives Integrity Oversight Victoria the power to scrutinise our activities. 

Integrity Oversight Victoria makes sure we comply with our information-gathering powers and duties, as outlined in the Audit Act. These powers allow us to:

• require individuals and body corporates to give us information and documents and meet with us
• use and inspect documents or other items 
• enter and inspect premises. 

Integrity Oversight Victoria can receive and investigate complaints about how we use these powers and the way we do our engagements. We also have a self-reporting tool to tell Integrity Oversight Victoria if we have exercised our powers. 

In 2024–25 we did not use these powers and Integrity Oversight Victoria did not: 

• receive any complaints about VAGO
• review any of our activities.

Overview

ASIC’s audit surveillance program aims to promote high-quality external audits of financial reports and raise the standard of conduct in the auditing profession. 

The program focuses on audit quality and compliance with the: 

• Corporations Act 2001
• Australian Auditing Standards 
• Accounting Professional and Ethical Standards Board’s requirements. 

Most of our audits are outside ASIC's Corporations Act 2001 regulatory mandate. ASIC has not included any of our public sector Corporations Act 2001 entities in its inspection program but has the power to do so. 

ASIC may inspect our ASPs’ audit work. We require our ASPs to notify us of the results of ASIC’s inspection and any actions taken. 

We consider the results of ASIC’s audit surveillance program when: 

• planning our annual financial audit engagement inspection program
• analysing the results of our engagement inspection program, root cause analysis and any remedial action taken.

Assignments

The Auditor-General: 

• oversees our SQM evaluation 
• concludes if our SQM provides reasonable assurance that we are meeting our quality objectives, based on advice and recommendations from the audit quality director.

The audit quality director has operational responsibility for our SQM and reports directly to the Auditor-General.

The staff performing the evaluation have the required authority, competencies and capabilities and are given enough time to perform the evaluation effectively.

Our iterative process

In 2022–23, we transitioned our existing quality control framework to a newly developed SQM to align with the new and revised requirements of ASQM 1, ASQM 2 and ASA 220.

For our first annual evaluation using this system we used the:

• results of our monitoring and remediation process 
• information from earlier monitoring activities 
• results of internal and external oversight of VAGO. 

We operate our SQM in a continual and iterative manner and are responsive to changes in the nature and circumstances of our engagements. Figure 12 show the 3 ways we evaluate our SQM. 

Figure 12: How we evaluate our SQM

Source: VAGO.

During an evaluation, we consider: 

• any deficiencies identified 
• their severity and pervasiveness
• remedial actions taken to address them. 

We then communicate this information to:

• the relevant engagement teams to consider and address
• staff working in our SQM or governance, in line with our policies and procedures.

There are opportunities to improve our SQM and how we implement it. We describe this in Section 2.

Internal audit assessment

In 2023–24, we had our SQM independently assessed to assess its design and operational effectiveness. 

The review found that we have a comprehensive framework for managing audit quality. The framework has governance structures, risk assessment processes and ongoing monitoring mechanisms that help us comply with professional standards. 

The review found our SQM provides a strong foundation to support audit quality. It has:

• clear leadership accountability
• documented methodologies across the key business areas
• established processes for engagement quality review and oversight.

Evaluation conclusion

The Auditor-General commissioned an annual evaluation of our SQM, which was completed on 22 December 2025. The evaluation provided reasonable assurance that we are achieving our SQM objectives.