Michelle R.
passport photo

Internal controls are the people, systems, and processes that ensure an entity can achieve its objectives, prepare reliable financial reports, and comply with applicable laws. Management is responsible for implementing cost-effective internal controls that respond to the risk it has assessed in these areas.

How do we currently assess and report on internal controls?

As part of our audits, we assess whether entities’ management has designed controls effectively for financial reporting and compliance with prescribed requirements. Where it is efficient for us to do so, we may test the operating effectiveness of the controls and rely on them to reduce our overall testing.

In doing this, we may identify internal controls that are not effective and report these issues to management—this process will not change.

What is changing?

Through our audit, we may also observe areas where management could improve the efficiency and/or effectiveness of its controls. We are developing assessment tools that will help us better communicate with our clients about the strength of their internal controls, and the areas they can improve. We will start to phase out our previous traffic light processes from 2021–22 as we roll out our assessment tools across different sectors of government.

We have aligned our assessment tools with our financial audit processes. They focus on common controls across government entities and are consistent with the principles included in the Financial and Performance Management Standard 2019.

We have prepared an annual assessment tool for understanding where entities sit on a maturity scale for efficient and effective internal controls. It uses a matrix approach, with eleven internal control areas described across four levels of maturity (consistent with our financial statement preparation maturity model). The annual assessment should allow entities to highlight internal control areas for targeted improvement, and where we may consider performing a deep dive assessment.

The eleven internal control areas and the four levels of maturity are below.

We are changing the way we report on internal controls_11 control areas table


The assessment tools are scalable to an entity’s size and complexity, and are principle based, so they respond to factors that influence an entity’s practices.

When are we changing?

We are currently trialling the annual assessment tool with a small number of departments and consulting with department chief financial officers and heads of internal audit. We will then publish it on our website and use it with other public sector entities from 2021–22.

Our deep dive assessment tools are also being progressively trialled. We expect to use the grants management, procure-to-pay and change management assessment tools at public sector entities in 2021–22. We intend to report to parliament on learnings and better practice from these assessments in 2022–23.

We will continue to report on deficiencies in internal controls. These assessment tools complement our reporting on internal control deficiencies.

We welcome your feedback

As we trial and release our new assessment tools, we welcome your feedback to help us keep improving our tools. Please discuss our assessment tools with your QAO engagement leader and send any further questions or feedback to

Related article