I have been pleasantly surprised about the breadth of knowledge I have gained in a year.

Brief career history

QAO is my first full-time job, and first time working in a corporate setting. I studied a Bachelor of Information Technology, majoring in Networking and Security, at the University of Southern Queensland in Toowoomba. During my third year I attended the Big Meet careers expo, where I met some staff from QAO. I decided to apply for a role in the graduate program as I believed audit would be a good way to gain exposure to a variety of systems. My application was successful, and I joined the IS Audit team in February 2025. 

I have worked on a lot during my relatively short time with QAO. I’ve had the opportunity to work with various entities, including departments, universities, local governments, and water and power entities. During my time with these clients, I have seen a range of IT systems, like Active Directory and Entra, SQL databases, and Windows and Unix/Linux Operating Systems, and have had the opportunity to perform on-site visits with clients. 

I also had the opportunity to contribute to the team’s first ever information systems report to parliament, that helps to inform parliament, the public sector, and Queenslanders on the strengths and weaknesses of the Queensland Government’s information systems. 

What do you do on a day-to-day basis as a Graduate IS Risk Auditor?

A day in the life for me starts between 7 and 8 am, when I get into work, make myself a cup of tea, and check my to-do list for the day. Then, it’s time to get underway! I tend to come in earlier in the mornings, as I like to start early and finish early – this suits my schedule and provides great work-life balance.

My responsibilities mostly fall into 2 categories: fieldwork and client contact. 

Fieldwork is the actual testing we do and involves analysing evidence clients have provided against a series of tests. The results of these tests represent our rating of the client and form the basis of the report we provide them with. 

Client contact, on the other hand, encompasses liaising with our clients to receive evidence, answer clarifications, and obtain management responses for our final report. This includes sending emails, booking meetings, and developing meeting agendas to ensure they run smoothly. 

Once a week, the IS team meets to discuss matters of importance and make team-wide decisions, such as how to structure a client report. In addition, during the graduate year, my grad cohort met once a month for ‘Grad forums’ led by the Learning and Development team. These forums help everyone keep in touch and share insights into projects and work happening across the business and in their teams.

Something I have found much more interesting than I initially expected is the cyclical nature of audit. Different entities have different year ends, so our work is scheduled around which clients need to be audited, and in what order, so the year runs as smoothly as possible. 

Additionally, I have been pleasantly surprised about the breadth of knowledge I have gained in a year. As you perform your fieldwork, you will almost certainly come across things that are unexpected or don’t look quite right. This forces you to undertake some research to understand what exactly is going on. It makes the work feel like a puzzle at times, but it serves to make you much more knowledgeable. 

As you perform your fieldwork, you will almost certainly come across things that are unexpected or don’t look quite right. This forces you to undertake some research to understand what exactly is going on. It makes the work feel like a puzzle at times, but it serves to make you much more knowledgeable.

What has been the best experience so far? 

The best experience of my career so far has been working on the Information Systems team’s first report to parliament. As a team, we had to problem solve exactly how to write and structure the report and our messaging. Then, I was responsible for data collection, which saw me summarise all the findings the IS team had raised over the past couple of years. Finally, I was involved in some data validation (by reperforming calculations) and even got to have a say in how we should design the graphs. Getting to see all the team’s work summarised into this public-facing document was a fascinating experience. 

What’s one piece of advice that you would give to a new grad?

Over my graduate year I have learnt 3 valuable lessons. 

First: ask questions. The more questions you can ask, the more you will learn. 

Second: time management is key. This role can be fast paced, so having a system in place to keep on top of everything is a must. 

Third, and most important: write stuff down. Having well-written and accessible notes means the vast knowledge you gain in the graduate year will be better retained and stick with you the rest of your career.