FAQs - Office of Governance and Corporate Administration

How long will an audit take?

The length of time the audit will take depends on the type of audit and the size of the area being audited. Full scope audits will usually take several months from start to finish, whereas smaller “healthchecks” may take a few weeks. Internal Audit will also spend a lot of the audit time on preparation, analysis and documenting the results so will not be sitting looking over your shoulder for the whole time.

What do I need to do when I am being audited?

The Internal Audit team will keep you right on the specific requirements as you go through your audit, however there are a few guidelines which will apply to all audits. Firstly, relax! We are not trying to catch you out, just trying to understand where there may be challenges and inefficiencies with the controls in place in your area. Secondly, it helps if you share your concerns about the processes, if we share those concerns we can give you advice on how to fix them and if not we can put your mind at rest. Finally, if we ask for documentation for an audit it really helps for it to be referenced back to what we requested. Otherwise if we end up receiving all the documents at once it can be a challenge to understand what relates to which item and we can end up contacting you again to explain it.

Can I ask Internal Audit for help outside of formal audits?

Absolutely! We can provide advice on any internal control matters and provide you with information and suggestions as required. You just have to bear in mind, we will not ‘tell’ you what do or help with the implementation as then it would impair our independence and objectivity if we are auditing the area in the future. It is standard Internal Audit practice that we cannot review controls we have implemented.

What do Internal Audit look for during an audit?

This can depend on the specifics of the audit, however as standard we will be looking at the design and operational effectiveness of the key controls to mitigate risks in your area. We are not usually specifically looking for fraud when performing audits, instead we are checking that there are adequate controls in place to reduce the risk of fraud. If controls are weak, we may do further work to determine if there are indicators of fraud.

What are internal controls?

Internal controls are the day to day processes in place to safeguard assets, check reliability and accuracy of data, promote operation efficiency and encourage adherence to policies and procedures. They may be preventative or detective and operated manually or automatically. The soundest controls are those that are automated and preventative however it is not always practical for these to be implemented. Sound internal controls also take into account the cost of operating the control, it is no use to spend hundreds of dollars mitigating a risk that would only cost $50 if it eventuates.

Who audits the auditors?

We do! However we also arrange for an external review of Internal Audit to be conducted once every five years. In the interim period we use a self-assessment tool provided by the Institute of Internal Auditors and ask individuals who have recently been audited to provide us with feedback on how we can improve.