Michelle R.
passport photo

Internal controls are the people, systems, and processes that ensure an entity can achieve its objectives, prepare reliable financial reports, and comply with applicable laws. Management is responsible for implementing cost-effective internal controls that respond to the risk it has assessed in these areas.

As part of our audits, we assess whether entities’ management has designed controls effectively for financial reporting and compliance with prescribed requirements. Where it is efficient for us to do so, we may test the operating effectiveness of the controls and rely on them to reduce our overall testing. Through our audit, we may also observe areas where management could improve the efficiency and/or effectiveness of its controls.

Our new assessment tool is now available

We have developed a new assessment tool for internal controls which will help us better communicate with our clients about the strength of their controls and areas they need to improve on. It will allow entities to highlight areas for targeted improvement, and it will also inform where we may consider performing a deep dive assessment.

The new annual internal control assessment tool is now available on our website for entities to use.

What’s changed?

From 2021–22, we are phasing out our previous ‘traffic light’ processes and rolling out this new assessment approach across various clients. We are individually contacting the entities in scope for this financial year to discuss what this means for them and how we can best work together.

We are also progressively trialling deep dive assessment tools with some clients, and expect to use the grants management, procure-to-pay, and change management assessment tools with public sector entities this year.

We intend to report to parliament on the learnings and better practice from all of these assessments in 2022–23, and share the insights we gather over time with all our clients. We will of course continue to report on deficiencies in internal controls directly to management, with this new assessment tool complementing our current reporting.

What’s the maturity scale? 

This new assessment tool is scalable to an entity’s size and complexity. It is principle based, meaning entities can respond to factors that influence its practices, for example, machinery-of-government changes, an internal restructure, a major system implementation, or changes to the delivery of a program.

We have aligned the tool with our financial audit processes. These processes focus on common controls across government entities and are consistent with the principles included in the Financial and Performance Management Standard 2019.

The maturity scale we prepared uses a matrix approach, with 11 internal control areas described across four levels of maturity. The levels lead to a desired positioning for maturity.

Internal control areas

See our detailed fact sheet for more information.

We welcome your feedback

We welcome your feedback on our new assessment tool to help us keep improving our approach. Please discuss our new tool or provide your feedback to your QAO engagement leader or send any further questions or feedback to

Related article