Patrick F.
Corporate image of Patrick Flemming

An audit and an external review may differ in their approaches and levels of assurance, but there are parallels we can draw on how best to prepare and how to ensure maximum value. This blog shares some tips from our planning for the 2023 strategic review of the Queensland Audit Office (QAO). The review process gave us insights on what worked well, and importantly, it reminded us of our own clients’ experiences when we are conducting an audit.

Some background

External reviews are an important part of QAO’s governance framework. They are crucial to Queensland’s system of government as they give parliament and the community confidence in the services they receive. As one of the state’s integrity bodies, QAO is independent of government so we must embrace transparency and all opportunities to be held publicly accountable for our own performance.

The Auditor-General Act 2009 (the Act) provides the mandate for our role. The Act includes that an independent review of our organisation be conducted every 5 years (from the date the government responds to the prior strategic review report).

In May 2023, Her Excellency the Governor of Queensland appointed the 2023 strategic reviewers. The final report was tabled in parliament on 15 February 2024.

So, what did we do?

In a nutshell, we planned early, and we planned well.

We recognise we are fortunate in knowing approximately what year a strategic review may occur. We also had the terms of reference from previous years as a guide as to what the reviewers may examine. The Act declares that a strategic review will look at the economy, effectiveness, and efficiency of our functions – quite a broad scope.

Ahead of the potential review time, we carefully considered what information the reviewers may seek and who in our office was responsible for collating it. And how, as a small organisation, these individuals could do so as part of their day-to-day job.

A QAO contact officer (as part of their normal duties) provided consistent liaison for the reviewers, and we gave this person internal authority for seeking information from across the business.

System-wise, a central repository on our intranet housed documents and data for the reviewers to securely access. We logged who in QAO was tasked to provide information, the deadline, and who the senior, responsible staff member was for ensuring timely delivery. We gave each staff member an estimated number of hours that we thought each task would take so no one overinvested in the work, and we tracked the actual time tasks took.

Internally, a monthly update to our Executive Management Group kept it informed of our preparations and across the timely delivery of information the reviewers requested. This also enabled QAO to address any risks or barriers to us sourcing what was needed per deadlines. We also regularly updated our independent Audit and Risk Management Committee (ARMC).

Proactive and adaptable communication with our internal and external stakeholders was paramount. The review happened while QAO was undergoing a period of change, with important amendments being made to our legislation to strengthen our independence. We were well-placed to manage multiple, differing project communications by leveraging foundational external and internal engagement plans.

Regular engagement with our staff reinforced our commitment to keeping them informed. For parliament and our audit clients, we gave updates at our various external events, via our website, at formal briefings, and through direct correspondence.

The review recommendations

We welcome the recommendations made to us and take them seriously. We are invested in ensuring our services are valued, trusted, and relevant to the ever-changing environment we operate in.

Overall, the review found that: ‘QAO’s functions are performed economically, effectively and efficiently. Queensland gets good value from its investment in the QAO.’

We immediately conducted risk assessments on each recommendation to prioritise which ones we would implement first. We set time targets for action and closure, and allocated accountable staff.

For all organisations, an effective audit committee has an important role in monitoring the implementation of recommendations. QAO’s ARMC comprises fully independent members who look at QAO’s risk, control, and fiscal responsibilities. We shared the review recommendations with the ARMC and we will report to it quarterly. QAO’s internal audit function conducts independent and risk-based assurance activities over our operations. It will validate our actions on implementing and closing-out the review recommendations or any outstanding issues.

The Cost of Living and Economics Committee is QAO’s relevant parliamentary committee. We will write to it every 6 months on our progress in actioning the recommendations, and offer in-person briefings. We will also share our progress with all stakeholders, including the Queensland community, in our annual report.

What we learned

The review reinforced our belief that scoping an audit topic thoroughly and sharing it early with the entities we may audit is crucial. It gives them time to plan what resources and information they need, and gain maximum value from our findings and insights. We endeavor to do this via our forward work plan – our 3-year program of our upcoming audits. As a small organisation ourselves (around 190 employees), we appreciate the cost an external audit or review can have for an entity.

The information we gathered and neatly catalogued for the reviewers is useful for our business in the long term. We will continue with some of the data collection and internal reporting dashboards we created for the review.

Tips for others

  • Plan what information you may need to provide, where you will house it, and the staff you need it from. This allows your staff to ‘chip away’ at the work, as opposed to managing a large burden of work in a short time frame.
  • Use your management reporting processes and systems well. Leverage off the activities and tools you already have underway to inform those charged with governance on your progress, risks, and potential outcomes.
  • Allocate a point of contact with sufficient seniority and who is familiar with how your organisation operates to oversee the process. Give them authority to seek information quickly from staff.
  • Register your recommendations with your audit and risk management committee and internal audit so they can help you monitor, oversee implementation, or validate your actions. This enhances accountability and transparency for your entity.
  • Assess each recommendation and clearly determine a priority, time frame, and accountable officer for implementation. Track your progress.
  • Ensure your people understand the purpose and value of the review. Remember, they may not have as deep an understanding of how reviews work and why they occur.

The report on the 2023 strategic review, and other external reviews, is available on our website: