Transparency report 2023–24

The Queensland Audit Office (QAO) is accountable to the Queensland Parliament as its independent auditor of all public sector and local government entities. We provide financial and performance audits, and report results and insights to parliament.

Our fifth transparency report covers our audit quality program for the year ended 30 June 2024. We choose to provide this report to:

• explain our quality program and results
• show how we seek to improve our audit and assurance practices
• describe our system of quality management.

The content is guided by the Corporations Act 2001 where we have considered the requirements applicable to auditors of listed entities, to apply to the public sector. 

Snapshot

Our quality results and what we learnt

Our audit quality program monitors all financial audits, performance audits, and assurance reviews. The results support our conclusion that our system of quality management is functioning effectively.

Our 2023–24 quality program

	We reviewed one audit from each of our engagement leaders (senior staff responsible for audits) and a selection delivered by the partners from our audit service providers (ASPs). Our reviewers are experienced auditors who are independent from the audit being reviewed.
	We undertook 30 closed file (post-audit) and 13 open file quality reviews, and a further 15 closed file reviews that focused on how well 7 of our new analytical tools and templates were being used. We also reviewed 13 of our ASPs’ systems of quality management.
	28 of 30 files had satisfactory results, with 2 ASP files not meeting expected quality standards. In our open file reviews of financial audits, 32 out of 34 targeted performance measures were met by a majority of files.  We assessed that the ASP firms we reviewed had satisfactory systems of quality management in place. We made recommendations to some firms to improve policies, procedures, and oversight of audits. We concluded that the weaknesses were not pervasive to our system of quality management.
	We work with our audit teams to identify and address the root causes of material prior-period errors and any significant findings from our quality program. This includes providing training for individuals or relevant levels, changing staff composition on an audit, improving audit guidance, and sharing quality results with audit teams to address common themes.

Our quality reviews informed us that, while we have improved, we can still improve in the following areas:

• ensuring appropriate supervision of audit teams and timely review of their work 
• planning and executing our test program for IT general controls in a timely manner
• ensuring we perform tests of controls and tests of detail in accordance with our methodology
• appropriately testing significant judgements and assumptions in high-risk balances
• documenting how information obtained from our clients is complete and accurate for our testing.

Our quality frameworks

The external 2023 strategic review of QAO highlighted that our internal systems of quality management are sound. We continue to build year on year by refining our training, on-the-job learning frameworks, methodology, and guidance. We value skills and capability, and promote them with strong leadership and clear frameworks. While engagement leaders are responsible for quality on their audits, all staff contribute to ensuring audit quality remains high. Our engagement quality reviewers, Quality Management Group, and the independent members of our Audit and Risk Management Committee and Audit Quality Sub-Committee provide support and oversight. 

Statement on the effectiveness of our system of quality management 

I have evaluated our system of quality management, and the results provide me with reasonable assurance to conclude that:

• our system of quality management functioned effectively in 2023–24
• in accordance with ASQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements, our quality management objectives, as described in this transparency report, are being achieved.

The audits we deliver are supported by an effective internal quality management system. 

This report describes the quality management framework and the controls that enable our staff and audit service providers to perform audits in accordance with the Auditor-General Auditing Standards. Our staff are required to adopt the standards issued by the Australian Auditing and Assurance Standards Board to the extent they are consistent with the requirements of the Auditor-General Act 2009. 

Rachel Vagg
Auditor-General

September 2024

Our quality reviews

We are committed to delivering audit quality and our annual quality review program informs us about:

• the quality of the audit engagements our staff and audit service providers (ASPs) undertake
• the nature and cause of common findings
• where our audit quality does not meet expectations
• learning and development programs and approaches
• support material and guidance provided to auditors
• how we resource our work.

While we have substantially implemented the actions identified in last year’s transparency report, we know we can always do better.

Our annual quality assurance plan identifies the engagement files selected for review and our focus areas. Our Quality Management Group and Audit Quality Sub-Committee endorse the plan, and the Auditor-General approves it. The file selection process is a matter of judgement, with an emphasis on:

• higher-risk or more complex engagements, or those where quality issues have recently occurred 
• coverage of QAO engagement leaders and a selection of engaged partners from our ASPs. All engaged partners from ASPs are part of a rolling 3-year program of review.

We review more financial audit files than performance audit files to reflect the volume and size of our financial audit program. Due to our selection criteria, it is not appropriate to extrapolate the results across audits.

Scope of our quality reviews

Our quality reviews assess whether the audits followed our methodology and were undertaken in accordance with the relevant standards. The independent quality assurance reviewer determines whether the engagement team obtained and documented a sufficient and appropriate level of audit evidence to support its judgements, conclusions, and the audit opinion, guided by:

• the Auditor-General Auditing Standards (which incorporate the Australian auditing and assurance standards)
• other relevant statutory and regulatory frameworks that govern QAO and our clients
• QAO’s audit methodology, policies, and procedures.

The reviewer does not examine all audit workpapers in an engagement file. Specific areas of an engagement file they may review include:

• areas with significant (higher) risk of material misstatement, including key audit matters (if applicable), and areas of audit focus that engagement leaders report in their external audit plans
• areas of focus established in the annual quality assurance plan, which may include material classes of transactions, balances, and disclosures; specific types of audit procedures (such as substantive analytical procedures, tests of control, or tests of detail); and other areas covered in recent training
• evidence to support adequate, effective, and timely engagement leader and engagement manager input, and review of key judgements and significant matters.

This year, we also reviewed the implementation of our internally developed analytical solutions. We introduced 7 tools and reviewed compliance over an additional 15 files. Our reviews focused on whether the audit team should have used the tool, and if they used it appropriately and effectively.

Closed file (post-audit) quality reviews from the prior audit year

100 per cent of in-house engagement leaders and a selection of engagement partners from our ASPs receive quality reviews each year. Quality reviews focus on whether the engagement team obtained and documented a sufficient and appropriate level of audit evidence to support the audit opinion. Our 2023–24 program included reviews of 30 completed financial and performance audit engagements from 2022–23 (2022–23: 27 from 2021–22). This includes 14 financial audits performed by our ASPs (2022–23: 12).

Figure 1A summarises the results of our closed file reviews, which relate to audits performed in the prior year. Criteria for satisfactory and unsatisfactory ratings are explained in Appendix D. Overall, quality results improved from last year.

Common findings from the 2023–24 program

• Lack of documentation around control activities and inherent risk assessment for significant risk areas.
• Incomplete or untimely review over significant planning documents.
• Not identifying self-review threats and putting appropriate safeguards in place. For example, engagement leaders completing and reviewing audit work.
• Insufficient understanding of key controls for significant classes of transactions and account balances, including work performed by service organisations.
• Lack of understanding of fraud risks, resulting in insufficient documentation to rebut fraud risk in revenue.
• Lack of work to confirm information provided by the entity is complete and accurate for audit testing.

Actions we are taking to improve audit quality in 2024–25 Assess the effectiveness of our new community resource model in freeing up senior staff to provide better coaching and mentoring and more timely review. Update our training materials, better practice files, and templates to address common weaknesses we identified in the quality assurance program.  Introduce more e-learning courses about technical accounting and audit concepts to support learning on demand.

Open file quality reviews in the current audit year

All in-house engagement leaders and ASPs with previous significant audit quality weaknesses have a current year engagement file reviewed while that audit is in progress. This provides the audit team with real-time feedback about what aspects of the audit approach and documentation it needs to consider and address before it finishes that audit. In 2023–24, we conducted open file reviews on 13 financial audit engagements (2022–23: 15).

Our program for open file reviews differs each year, as we respond to changes in our audit methods and templates and consider emerging audit issues. We generally do not review the same file each year. This means that a comparison between years may not be meaningful.

Figure 1B shows the results of our reviews. In 2023–24, we had a decrease in the number of performance measures with low compliance; however, these will still be a focus point for training and guidance material.

Common strengths we identified in the 2023–24 program

Engagement teams were effective in:

• holding timely team mobilisation meetings, discussing the right topics, and documenting the outcomes
• concisely documenting system descriptions/flowcharts
• identifying relevant public sector-specific risk areas relevant to their audits and developing risk response programs; for example, teams identified risks with capital projects, fraud, and value-for-money assessments in procurement, contractors, and consultants
• determining an appropriate audit approach for controls over key information technology (IT) systems.

Common opportunities to improve audit quality Engagement teams could improve their audits by: where a control approach is adopted, better designing tests for key controls for relevant assertions at risk ensuring timely design of and execution of IT general controls testing improving documentation of how estimation uncertainty is addressed for account balances with high inherent risk relating to estimation calculating group materiality and component materiality in accordance with our methodology, or using our templates to ensure consistency in approach.

What are we doing to improve and maintain audit quality?

Quality assurance findings inform our improvement actions We undertake root cause analysis for all significant quality issues, including prior period errors. These results, and the results of our quality reviews, inform us about areas we need to invest in to support and improve the skills of our audit staff. Our 2024–25 training program will focus on: better practice examples of using standardised workpapers and new audit tools the decision-making process for areas requiring judgement, such as responding to fraud risk assessing the accuracy and completeness of information provided by the client applying our sampling policy correctly and using our sampling tools how our in-house teams can better support our ASP teams. Our assessment of changes we made to our resourcing model in 2023–24 will inform how we support senior staff to provide better coaching and more timely review of work performed by junior staff.

Monitoring our indicators of audit quality Several measures indicate levels of audit quality and provide us with insights to help us adjust our practices and provide targeted training at the right time to the right people. The Australasian Council of Auditors-General (ACAG) includes measures in its annual benchmarking survey, which provide comparable information for audit offices across Australia. We use an established set of 11 measures to better monitor our performance and drive overall improvement in audit quality. Seven of these are derived from the ACAG survey. These audit quality indicators are shown in Appendix F. We monitor the measures throughout the audit year, either monthly, quarterly, or yearly.

Performing annual formal evaluations of our quality management system In last year’s transparency report, we discussed the findings from the first evaluation of our system of quality management conducted in accordance with the new quality management standard (ASQM 1). We have made progress in addressing improvement areas. While we still focus on high-risk areas, this year we rotated the moderate-risk areas on which we focused. Our evaluation is discussed in Chapter 3.

Reviewing our audit service providers’ systems of quality management

We assess how our ASPs ensure they comply with the quality management standards expected of audit firms in Australia. We performed these reviews in accordance with Auditing standard ASQM 1, which sets standards for a firm’s system of quality management.

In 2023–24, we undertook detailed reviews into 4 firms’ systems of quality management as part of a rolling monitoring program. We undertook high-level reviews of 9 other firms that perform audits on our behalf. The larger number of high-level reviews was part of our initial response to the new ASQM 1 standard.

We concluded that all firms we reviewed had designed satisfactory systems of quality management.

Acquitting the commitments we made last year

Figure 1C provides an acquittal of the commitments we made in our 2022–23 transparency report.

The Australian Standard on Quality Management (ASQM 1) requires audit firms to design, implement, operate, and regularly evaluate their system of quality management. A compliant system of quality management addresses the 8 components shown in Figure 2A.

This chapter describes these components of our system of quality management; Chapter 3 evaluates its effectiveness. 

Our risk assessment process

Our approach

In accordance with ASQM 1, we apply a risk-based approach in designing, implementing, and operating the components of our system of quality management, including:

1. establishing quality objectives specified by ASQM 1
2. assessing whether we need to establish any additional objectives to achieve the aims of our system of quality management; our evaluations have not identified the need to establish additional quality objectives
3. identifying and assessing risks to achieving the quality objectives (‘quality risks’). We review these risks regularly throughout the year. In mid-2023, we reviewed our strategic risk register and operational risk register. We refined our risks to provide greater focus on what matters to QAO
4. designing and implementing responses to address the quality risks, including controls or treatments in place to prevent occurrences and/or minimise consequences if a risk occurs.

In applying this approach, we consider:

• the nature and circumstances of our role as Queensland’s independent public sector auditor
• the nature and circumstances of the engagements we perform.

Our culture

We promote a culture of quality, risk awareness, and consultation. Risk discussions are a standing agenda item at monthly Executive Management Group (EMG) meetings and quarterly Audit and Risk Management Committee meetings. Each quarter, we review our risks to determine if they still exist and have the same risk rating, if we have captured all relevant risks, and if we need to adjust our approach to managing them.

Our culture of knowledge sharing means that risk discussions happen in each of our regular auditor community meetings, across our Audit Practice team, and through regular engagement leader briefings to the EMG.

To reduce audit quality risk, we promote a culture of learning from our quality findings. We summarise the common themes from our quality reviews and discuss them with our audit teams and audit service providers (ASPs). We update our methodologies, toolsets, and training materials annually, after considering the themes and any further root cause analysis. Experienced staff, who are independent of the engagement, perform the quality reviews.

The performance measures against which our staff are monitored include audit quality. We evaluate all audit staff annually for demonstrating a strong commitment to audit quality and risk management, excellence in client service, development of junior staff, and contribution to broader audit quality initiatives.

Governance and leadership

The Auditor-General Act 2009 states that the Auditor-General is responsible for all audit work undertaken by, or on behalf off, the Queensland Audit Office (QAO). The EMG, comprising the Auditor-General and Assistant Auditors-General (AAGs), assumes operational responsibility for our system of quality management. Individual AAGs are assigned responsibilities for different aspects of our system of quality management.

Our quality management structure is outlined in Figure 2B.

Governance and oversight bodies

Several committees have risk and quality responsibilities for overseeing and influencing our quality outcomes. Our annual report lists the names of external members and the frequency and attendance of committee meetings. The annual report is available on our website: www.qao.qld.gov.au/about-us/our-annual-report-transparency-report.

The Audit and Risk Management Committee (ARMC) is an independent advisory committee to the Auditor-General, comprising 3 external members, 2 of whom have extensive audit experience in major audit practices. The ARMC provides effective oversight of risk, control, compliance frameworks, and fiscal responsibilities underpinning our corporate governance. As per the annual plan, it met 4 times in 2023–‍24. 

The Audit Quality Sub-Committee of the ARMC provides external advice, guidance, and challenge regarding our audit quality activities. The sub-committee has 3 external members, 2 of whom are also members of the ARMC. All members have extensive experience in audit and audit quality practices. The sub-committee has access to all relevant information about the application of our audit quality framework and the processes that underpin it, including our quality assurance program. The sub-committee gives objective feedback and advice on how we can continue to improve the quality of our audits.

The Quality Management Group (QMG) consists of 3 AAGs. The group meets quarterly to oversee completion of the quality assurance plan, consider quality findings, advise on any disputed findings, and determine appropriate action plans. The QMG also deliberates quality management practices at the engagement level.

Complex financial accounting and audit issues are considered by the Technical Issues Panel. This panel includes members of the EMG and is supported by the Senior Director–Audit Practice and the Director–Technical. Members discuss issues before approval by the Assistant Auditor-General–Audit Practice. We consider actions arising from the panel’s views in our quality program and incorporate them into our training programs.

The Modified Opinions Panel reviews proposed audit modifications, emphases of matter, and new key audit matters. The panel also assesses complex material prior period errors reported in client financial statements. Its assessment includes reviewing a root cause analysis of why the prior period error occurred. This panel consists of all Client Services AAGs and the Assistant Auditor-General–Audit Practice, and is supported by the Senior Director–Audit Practice. Modifications raised on significant public sector entities are escalated to the Auditor-General for approval.

Further information about our commitment to audit quality is outlined in Appendix A.

Leadership responsibilities for quality

The EMG is responsible for improvements to the quality assurance framework. The Assistant 
Auditor-General–Audit Practice is responsible for implementing enhancements to our quality management framework and monitoring against policies and procedures. 

Strong leadership and management are critical to audit quality. The EMG sets the tone for this and communicates our commitment to quality. It promotes an internal culture of integrity, independence, and professionalism, and recognises that quality is essential in performing engagements and issuing appropriate reports. 

As audit engagement leaders, senior directors and directors are accountable and responsible for individual audit file quality. We appoint staff to these roles based on their audit experience and demonstrated audit ability. They are required to show they understand our policies, procedures, and appropriate quality management. We regularly assess and evaluate the competencies of senior directors and directors, in line with our performance management framework.

We appoint engagement quality reviewers (EQRs) to all high-risk or complex financial audits, assurance reviews, and performance audits. They perform their reviews in accordance with Australian auditing and assurance standards.  

Our ASPs have established quality frameworks that ensure they comply with professional requirements and our quality expectations. We regularly review the application of their frameworks. Professional bodies and regulators also assess their quality frameworks and audit files. QAO has oversight of the work our ASPs perform, engaging with ASPs to monitor audit progression, stakeholder relationships, and emerging audit issues.

Relevant ethical requirements

We regularly communicate our expectations about audit quality, independence, objectivity, and professional scepticism at our team meetings, community meetings, and through our internal policies. We discuss these matters with our ASPs formally via our twice-yearly workshops. Our expectations of our ASPs are also managed through our contracts, our contract managers, and our firm quality assurance reviews.

Our culture is expressed by our 4 core values, which set our expectations for performance and behaviour. These values enable us to achieve our vision for better public services through the delivery of audits. We regularly reflect on our culture and ensure our staff are living our values. The values are part of our performance discussions at the individual and team level, regardless of whether the team is in-house or an ASP.

	Collaborating to achieve shared outcomes Listening to understand, and communicating clearly and openly Being balanced, objective and purposeful
	Appreciating and caring for others Sharing our knowledge and skills Recognising achievement
	Seeking and sharing better ways of doing things Embracing innovation and being progressive Encouraging and motivating others
	Taking responsibility and being accountable Ensuring our work is quality driven and acting with integrity Being action oriented and achieving results

The 2 professional bodies, Chartered Accountants Australia and New Zealand (CA ANZ) and CPA Australia, both increased the minimum training requirements related to ethical practices for their members. We have modified our training programs to ensure all our staff, regardless of their membership status, meet these requirements.

Our independence practices

The Auditor-General Act 2009 promotes the independence of the Auditor-General. This is demonstrated in both the conduct and reporting of our audits. Our Act and the independence of the Auditor-General were further strengthened in December 2023 when 2 key amendments took effect that:

• provide for QAO staff to be employed under the Auditor-General Act 2009, not Queensland’s Public Sector Act 2022
• require the parliamentary committee to approve changes in basic fee rates instead of the Treasurer. 

While employment conditions remain the same, these changes improve our independence as they separate QAO from the executive government and direction by the Public Sector Commission.

In February 2024, parliament passed the Integrity and Other Legislation Amendment Act 2024, which further amended the Auditor-General Act 2009. Key amendments included increasing the involvement of our parliamentary oversight committee in:

• appointing the Auditor-General (and terms and conditions of appointment)
• approving additional budget funding for QAO
• appointing strategic reviewers and determining their terms of reference of our 5-yearly review of QAO
• appointing the external auditor of QAO.

Other amendments included:

• clarifying the Auditor-General’s mandate for auditing public sector trusts
• providing for QAO’s annual report to be tabled by the chair of the parliamentary committee rather than the Premier.

Most of these amendments will take effect in the 2024–25 financial year.

Independence standards

As an audit practice, we apply standards requiring independence, as issued by the Australian Auditing and Assurance Standards Board and the Accounting Professional and Ethical Standards Board. These standards require auditors to establish policies and procedures designed to provide reasonable assurance that QAO maintains independence where required by relevant ethical requirements, laws, and regulations. It applies to QAO personnel and to others who are subject to independence requirements. These expectations are outlined in the Auditor-General Auditing Standards, which we revised and tabled in parliament in February 2023.

Our policies and procedures enable us to:

• communicate our independence requirements to our staff (including our ASPs)
• identify threats to independence, evaluate whether the identified threats are at an acceptable level, and, if not, address them – by eliminating the circumstances that create the threats and applying safeguards to reduce threats to an acceptable level
• ensure we are notified of breaches of independence requirements and take appropriate actions to resolve those breaches
• obtain annual written confirmation of compliance with policies and procedures on independence from all personnel who are required to be independent by relevant ethical requirements and applicable legal and regulatory requirements. 

Independence practices

Our commitment to independence is reinforced through comprehensive independence policies, procedures, and monitoring. 

The Auditor-General and Deputy Auditor-General are required to provide a declaration of interests to the Speaker of the Queensland Parliament.

All staff are required to demonstrate objectivity, integrity, and professional behaviour. We have independence policies and procedures to ensure compliance with professional standards, regulations, and ethical conduct.

The engagement leader is responsible for ensuring all staff involved in an audit engagement demonstrate independence of mind and independence of appearance throughout the audit. We monitor and consider familiarity threats when assigning QAO staff to audits.

Rotation of key audit staff helps to provide a fresh perspective and reduces familiarity and self-interest threats to independence. We maintain a database that tracks auditor involvement on engagements to facilitate succession planning, monitor compliance with rotation requirements, and provide a seamless experience for our clients.

Where an actual or potential conflict of interest is identified, the engagement leader must propose how QAO will manage the issue. The Assistant Auditor-General–Audit Practice reviews and endorses proposals, and they are monitored by the QMG. The Integrity Commissioner is consulted where required.

QAO maintains a register that records any gifts or benefits received as part of official duties. This is published online to avoid any perception of conflicts of interest or inappropriate influence. 

Audit and assurance engagements – audit service providers

The independence and integrity of audit firms and their personnel are key considerations in the selection of our ASPs. We review their independence before contracting them to undertake audits on our behalf, and review their independence yearly. We also do not allow our ASPs to provide non-audit services to their QAO clients without prior written approval from the Auditor-General or Assistant  Auditor‑General–Audit Practice. Before granting the approval, we consider:

• the independence requirements of the Accounting Professional and Ethical Standards Board’s ethics standard APES 110
• whether it is likely the Auditor-General would undertake an assurance audit related to the non‑assurance service
• the perception of a lack of audit independence if we grant approval for the non-assurance service. 

We approved one request from an ASP to undertake non-assurance services on a QAO client in 2023–‍24. 

Acceptance and continuance of client relationships and specific engagements

We manage all engagements in accordance with a comprehensive framework of policies, procedures, and guidance. 

The Auditor-General Act 2009 mandates that the Auditor-General undertakes financial audits of all Queensland public sector entities, including local governments and controlled entities. 

We do not have the right to decline these clients or discontinue these client relationships. We have developed approaches to manage this risk. These include the following options:

• assigning an EQR
• restructuring the engagement team to ensure a better match of skills and experience
• outsourcing the audit or aspects of the audit if specialist skills are required
• revising the audit program to address particular risks in the audit.

We have established a staff rotation policy to manage threats to undertaking a continuous audit. The Auditor-General’s term is appointed to a fixed 7-year term and they cannot work in the public sector for 2 years after their term expires. These rotation policies primarily address the threat of familiarity but also help minimise other threats to delivering an independent audit. 

Forward work plan

Each year, we develop a 3-year forward work plan that considers the strategic risks facing public sector entities and local governments. We identify the strategic risks by:

• scanning the environment in which public sector entities and local governments operate
• understanding the challenges in public sector administration
• consulting widely with stakeholders to identify and understand their concerns
• examining entities’ operations and performance
• analysing the results of our annual financial audits
• analysing the requests for audits we receive from members of the public, elected representatives, public sector employees, and other integrity offices.

We focus on what we consider matters to parliament and the public sector. The Auditor-General cannot be directed on which audits to undertake or prioritise.

Through our plan, we provide transparency to parliament on the work we intend to perform and why we consider it important. We also explain changes to our forward work plan to demonstrate independence in our decision-making.

Engagement performance

We have prepared audit methodologies to guide the work we undertake in financial audits, assurance reviews, and performance audits. 

We are developing a methodology for our non-performance audit reports to parliament (that is, our reports on the results of our financial audits and our insights reports). This will be finalised by December 2024. The methodology will formalise our existing practices around maintaining quality, documenting the evidence our reports rely on, and documenting our independence considerations. 

Our risk-based audit methodologies have been developed and maintained to ensure compliance with the Auditor-General Auditing Standards (which comply with Australian auditing standards). They require us to develop an understanding of each client’s business and risks and apply this to the design and execution of our audits. We adapt our audit methodologies to developments in professional standards and to findings from quality reviews. Our quality reviews evaluate how well we have applied our methodologies.

Documenting our audits

We document our audits electronically using standardised templates, which each audit team customises to address its risks, complexity, and approach. The templates enable planning, performance, and documentation. They enable review of our work in accordance with auditing standards and professional, regulatory, and legal obligations. They also ensure we structure our audits to comply with the Auditor-General Auditing Standards and our methodology and guidance. We have prepared better practice files to guide staff in the expected level of audit documentation.

Delivering audits efficiently and effectively

In 2023–24, we completed our project to redesign the way we develop new analytical tools for auditors. This is now embedded in our business-as-usual approach to innovating our audit delivery. The project has now moved to how we transform and store data and the continued building of new analytical tools.

These tools aim to use clients’ data in a smarter way to allow audit teams to be more targeted and quicker in their work, while maintaining audit quality. This year, our quality assurance team assessed the consistent use, effectiveness, and quality of 7 of these analytical tools across 15 audits. We found that all audit teams were using the tools as expected.

Audit service providers

The audit methodology and quality assurance systems our ASPs adopt for QAO-contracted audits must benchmark favourably with QAO’s system of quality management. We assess these when we register a new firm and as part of our regular firm reviews. We did not approve new firms in 2023–24. Our reviews of our ASPs’ systems of quality management did not find material weakness. We made some recommendations to a small number of ASPs to update and align policies with ASQM 1 and implement more robust file back-up procedures.

Investigations

We investigate matters that other integrity agencies, elected officials, and the community refer to us. We have policies and detailed procedures to ensure consistency in undertaking these investigations. We have dedicated staff who address these requests and work with our audit teams to achieve efficiency. Our fact sheet on Requests for audits explains how we undertake these investigations.

Resources

To deliver high-quality audits, we must appoint and train people who can apply their experience, values, and professional judgement to support the conclusions in our audit reports.

We maintain a competent workforce, able to deliver outstanding service and quality to our clients.

To do this, we have developed a detailed understanding of the skills and capabilities that individuals require at certain points in their careers, and a structured approach to learning and development.

Skill and competency expectations

Our policy requires that sufficient personnel with the technical competence necessary for the work are appointed to each engagement. 

Audit teams incorporate specialist skills based on the audit risks and complexity. The teams are led by an engagement leader, who is responsible for the delivery of our audits.

Engagement leaders determine the necessary extent of direction, supervision, and review of junior staff in accordance with the Australian auditing standards, our policies, and guidance materials.

All financial audit managers and engagement leaders are required to have CPA/CA ANZ qualifications. We encourage and support all financial, performance, and information systems auditors to complete postgraduate study, and we offer them paid study time and financial assistance towards course fees and membership fees. Our information systems auditors are either qualified as Certified Information Systems Auditors or Certified Information Systems Security Professionals, or are committed to working towards these certifications. We also encourage our engagement leaders and AAGs to complete the Australian Institute of Company Directors’ company directors course. 

Financial audit engagement leaders hold qualifications, skills, and experience equivalent to the Australian Securities and Investments Commission’s (ASIC’s) requirements to be a registered company auditor. The ASPs we engage are registered company auditors.

Training outcomes

We assess our staff for technical competence, work experience, and training throughout their engagements. Their capabilities, competence, development, and performance evaluations are managed in accordance with QAO technical competency frameworks and policies.

This audit year, we improved our guidance for how staff should undertake and capture their on-the-job learning and provided training for coaches. 

We have developed more training that is just-in-time and self-paced. This is reducing the volume of learning we ask staff to complete in our dedicated training periods, and increasing the ability of staff to retain the knowledge and apply it to their work. The technical and non-technical courses reflect the competency frameworks and are intended to:

• provide staff with the right skills at the right time to deliver quality outcomes for clients – and provide rewarding career experiences for our people
• keep staff at the forefront of new developments in the accounting, auditing, and regulatory environment
• embed quality and risk appetite within our culture and leadership.

Staff training

This year, the Australasian Council of Auditors-General commenced capturing on-the-job training, developing training material, time spent delivering training, and study leave hours when calculating the volume of training and professional development staff received.

We provided an average of 129 hours of training and professional development per auditor.

On-the-job training is a large part of ensuring auditors have the appropriate skills to undertake their work. Staff are encouraged to complete targeted training for identified gaps.

In 2023–24, we provided 20,025 hours of training and professional development to auditors (re-casted 2022–23: 13,277 hours). This averages to 129 hours per auditor (re-casted 2022–23: 89 hours per auditor) on a full-time equivalent (FTE) basis.

The higher hours per auditor in 2023–24 reflect this greater investment in on-the-job training, more staff undertaking postgraduate studies, and training of new staff.

We have refreshed our platform for documenting performance conversations, allowing us to better document on-the-job performance, competencies, development needs, and achievements. 

We expect our audit professionals to maintain their professional memberships and participate in a minimum of 20 hours of continuing professional development (CPD) annually, and 120 hours in every 3‑year period. Our ASPs are members of professional bodies and have the same CPD expectations. Since 2018, QAO has partnered with CPA Australia in its Recognised Employer Program, joining a select group of organisations that provide employees with the highest standard in professional development and support.

The training is based on the technical competencies required for each audit role and encompasses: 

• current changes to either auditing or accounting standards
• specific areas of audit focus identified from internal or external sources 
• internal quality assurance program observations 
• using data analytics tools and tailoring them to client operations
• audit methodology or transformation initiatives.

Graduate and junior audit support

We have a comprehensive graduate program that builds technical and soft skills. Our graduates receive hands-on experience and extensive training. Mentors are assigned to support each graduate, and we hold monthly graduate forums to ensure that professional development occurs in their critical first year. 

In March 2024, we extended the graduate program to cover the auditors’ second and third years, piloting the program with our graduates from 2022 and 2023. The extended program provides a higher level of support beyond the graduate year, as junior auditors build their skills and experiences through career development advice, networking, learning from each other, and focusing on audit diversity.

Experience

We match the experience and skills of our engagement leaders to our clients’ industries and associated risks. We also aim to give staff new experiences to complement their existing skill sets and assist with succession planning. 

We identify people with the right skills and experience to deliver our quality commitments. Our resourcing team forecasts our people requirements and ensures we have sufficient resources available. We run a yearly graduate recruitment program and offer a mid-year and end-of-year intake. We also run targeted recruitment campaigns for staff with different levels of experience, supplemented by a continuous recruitment approach. This aims to recruit talented staff when they are available.

We monitor our audit and assurance staff profile, ensuring we have sufficient senior staff involved in audits, as illustrated in the staff headcount table below and reflected in related audit quality indicators in Appendix F.

Using audit service providers to deliver audits

We use ASPs to deliver a component of our work. ASPs delivered 45 per cent of our audits in 2023–24. We engage ASPs to support the delivery of audits, leverage their regional knowledge, and access specialist resources. We do not use our ASPs to undertake departmental audits.

Our ASPs are engaged under competitive tender processes. We assess the experience and skills of engagement partners and key team members and assess their suitability to conduct audits on our behalf.

We prequalify ASPs to confirm they have the required experience and qualifications, manage our risk to audit quality, and manage our obligations under APES 110 and ASQM 1.

To be eligible to undertake audits on our behalf, we require ASPs to:

• be registered company auditors (RCA) with ASIC
• be a current member of CPA Australia or CA ANZ
• be authorised to sign financial statements on behalf of their firm
• be part of a firm with at least one other RCA and a system of quality management that complies with ASQM 1
• be part of a firm that has recent public sector financial audit experience (within the last 2 years)
• have passed a criminal history check
• be part of a firm that complies with the Queensland Government supplier code of conduct and ethical supplier threshold policy.

Our ASPs are required to adhere to the confidentiality provisions applicable to all authorised auditors under the Auditor-General Act 2009. This prevents them from using or disclosing information they obtain in our audits to third parties, including within their firms, except where required by law. 

A QAO senior director or director and manager work closely with each ASP to manage the audit delivery. They review client correspondence, engage on significant risk matters, and oversee the delivery of the audit in accordance with the audit plan. The QAO staff also engage with the client to share sector-wide knowledge. The QAO director signs the independent audit report, and is ultimately responsible for the quality of the audit in accordance with ASA 220 Quality Management for an Audit of a Financial Report and Other Historical Financial Information.

At the conclusion of the audit year, we provide feedback from our clients to each of our ASPs about the audit process and engagement. We also provide them with our observations on the audit quality. We agree an action plan with our ASPs to improve performance where it is needed and discuss how to continue doing the things that work. As a group, we discuss the aggregate client survey feedback with all of our ASPs to help improve performance. 

We survey our ASP engagement partners and engagement managers to gather feedback about their experiences of working with QAO. This 360 degree feedback helps us to help our ASPs deliver quality audits.

Information and communication

Communicating effectively within the Queensland Audit Office

‘Engage’ is one of our 4 core values, and effective communication across our business is fundamental to delivering our vision of better public services. 

We have established procedures and practices to identify, capture, process, maintain, and communicate information throughout QAO. These procedures are supported by IT applications that provide accurate, complete, and timely information that supports decisions regarding QAO’s system of quality management.

We have 4 primary means of sharing information face-to-face across QAO:

1. Our new community groups are the primary way for staff to share knowledge and experiences, and solve problems together. Community group members collaborate informally and in structured meetings. These meetings also share strategic messages. 
2. Graduates, junior auditors, engagement managers, and engagement leaders come together in cohort meetings. These meetings provide safe spaces for staff at the same level to share knowledge and experiences, receive coaching, tackle issues relevant to their role, and discuss how to implement strategic decisions.
3. Auditors working within industries meet to discuss planning approaches, testing outcomes, and ways to develop responses to deliver the final phase of their audits. Our ASPs are invited to these meetings and encouraged to participate.
4. Quarterly all-staff seminars share information of strategic importance to QAO and provide a way for staff to ask questions of the EMG.

Audit teams use digital communication channels to informally share information and solve problems. This is an effective means of communication when our audit teams are travelling across Queensland.

Digital records are maintained for all audit-related matters, using electronic audit software that allows engagement teams to share information with each other, with the EQR, and with those providing consultation. We have one source of truth for documenting our audits. Auditors are required to transfer all audit evidence and analysis from working sites into the audit file as evidence that it is completed and reviewed. This step is required before the file is closed. This year, we aimed to close audit files 14 days from when we signed the independent auditor’s report, which is significantly less than the maximum 60 days outlined in ASQM 1.

Communicating effectively with stakeholders 

Engaging with our stakeholders enables us to better align our business and audit practices with our stakeholders’ needs and expectations, helping to drive long-term benefits for QAO and the public sector. We have many stakeholders, but we primarily define them through who we serve:

• parliament
• state and local government entities.

We recognise that effective communication between audit teams, client management teams, audit committees, and boards is critical to excellence in reporting. Our communication covers the scope of audits, any threats to independence or objectivity, risk assessments, significant findings, and judgements. Our reports are structured to communicate clear and concise messages and allow readers to quickly understand key findings.

We regularly report the progress of audits and our findings to those charged with governance, including management and audit committees. We do this through informal meetings and through formal presentations of our external audit plans, progress updates, and management letters explaining our findings. 

Those charged with governance can provide a positive influence on the quality of an audit by demonstrating an active interest in the auditor's work and acting when they do not consider that appropriate quality has been provided.

We invite the chairs of audit committees to a twice-yearly briefing where we explain the strategic priorities of the office and discuss common findings from our audits.

We report publicly to parliament on the results of all our audits and on the most significant audit issues we identify. Our reporting includes providing parliament with an update on how entities are progressing with implementing our recommendations. This helps to highlight whether control weaknesses still exist or performance gaps are not fully resolved.

The monitoring and remediation process

Our system of quality management identifies our quality objectives and assesses threats and risks to achieving them. It includes key controls and any additional controls being implemented to reduce the risk to an acceptable level.

We have a senior manager dedicated to managing QAO’s risk process. The risk manager meets quarterly with our risk owners to ensure the risk register is complete, risks are accurately documented, and controls continue to operate effectively. The risk register includes strategic and operational risks across our audits and the operations of QAO.

The senior manager reports to the EMG quarterly and to each ARMC meeting on:

• changes in risk
• risk treatments
• where risks fall outside our appetite or tolerances.

Where the residual risk falls outside our appetite or tolerance, the EMG discusses mitigating actions, including a remediation plan.

Separately, the Senior Director–Audit Practice provides a status update on the progress of the quality assurance plan to the monthly EMG, quarterly QMG, and 6-monthly Audit Quality Sub-Committee (AQSC) meetings. The QMG actively oversees the quality function and meets quarterly, and as needed, to review quality findings.

Improvement opportunities

We report improvement opportunities identified from the quality assurance reviews to the EMG, QMG, ARMC, and AQSC at the completion of each review cycle.

We report more frequently on the root cause analysis for material policy breaches, material prior period errors in financial statements, and unsatisfactory quality assurance reviews. The reporting includes proposed remediation, issues identified during the root cause analysis, and responses to new and changing risks.

The themes of the open review and closed review programs and root cause analysis (where appropriate), together with improvement recommendations, are shared with all audit staff. Teams are required to acquit in their audit files how they have addressed the findings and recommendations.

Review team, milestones, and duration of audit quality program

The Assistant Auditor-General–Audit Practice is accountable for the quality review program, quality assurance, and active oversight of policies and procedures relating to quality assurance. They work closely with Client Services AAGs to share knowledge and provide advice on improvement opportunities arising from quality assurance activities. Client Services AAGs are accountable for the effectiveness of training programs and delivering on QAO’s learning and development plan. They also oversee the delivery of all audit services to our clients.

We primarily use specialist contractors to deliver the quality review program. This helps us maintain the independence of the review function. Internal senior managers and directors who do not have audit engagements, or have very few engagements, assist in reviewing our ASPs’ files. These staff work across our technical and learning and development teams.

We develop an annual quality plan that establishes the files selected for:

• open and closed reviews
• areas for deeper analysis
• the timing of quality reviews
• assignment of EQRs
• reporting milestones.

Each internal engagement leader is subject to one open and one closed file review each year. Our criteria for quality review ratings are explained in Appendix D. In summary, files are rated as either:

• Satisfactory with no or minor findings.
• Satisfactory with findings that are more than minor but less that materially deficit. This means we raised some quality issues, but the engagement leader still had sufficient appropriate audit evidence to support their audit opinion.
• Unsatisfactory. This means that there was a systemic lack of supervision and review by the engagement leader, and/or the engagement leader did not have sufficient appropriate audit evidence to support their audit opinion.

This year we implemented a policy whereby if an engagement leader has received 2 ratings of satisfactory with no or minor findings, they do not have a closed review in the third year. This year, all engagement leaders had a closed file review.

We review our ASP engagement partners on a 3-year rotating basis. This approach reflects that our ASPs are also subject to quality reviews by their professional bodies, ASIC, and their in-house program. We request copies of all quality assurance reviews performed over our ASP engagement partners.

We aim to complete our reviews in time for teams to undertake recommended improvement actions in their current year audit files.

Remediation actions

Engagement leaders actively engage in the quality assurance process. They provide feedback and responses to questions we raise during the cold review process to ensure audit quality findings are fair and balanced. The engagement leader and QA reviewer discuss appropriate remediation action. This may include undertaking further audit work or change in practice going forward. A root cause analysis is undertaken for all unsatisfactory files.

If an audit file is rated as unsatisfactory, we undertake a follow-up targeted hot review prior to the subsequent independent audit report being signed. This ensures that the deficiencies identified in the cold review have been appropriately addressed. We also will schedule a further cold review over an audit undertaken by the same engagement leader to ensure that the audit quality issues are not systemic across their audits.

Monitoring audit quality across our audits

Monitoring audit quality is an important aspect of identifying emerging risks and opportunities, ensuring standards are being adhered to, and ensuring staff are performing well.

We monitor a range of audit quality indicators that span our culture and values, independence, recruitment, employee performance assessment, audit allocation process, quality assurance, timely reporting, and interaction with stakeholders. We monitor both quantitative and qualitative measures, which are reviewed annually for continuing relevance. The measures are listed in Appendix F.

Our Technical Issues Panel and Modified Opinions Panel provide in-depth and expert analysis of complex financial accounting and audit issues, reporting of key audit matters, and proposed audit qualifications. These groups meet throughout the audit year as required.

Managing audit quality on our audits

Managers and directors are provided with access to dashboards that help them identify independence matters and risks to completing their audit in time and on budget.

Our audit approach requires us to plan, supervise, and manage our audits so the work performed provides reasonable assurance they comply with our policies and methodologies. The engagement leader is responsible for:

• the overall management of staff and the audit process
• engagement quality throughout the audit
• ensuring EQRs are promptly briefed on significant matters.

Engagement leaders are required to review all high-risk areas of their audits and to ensure the audit manager or on-site team leader has performed a timely review of all other audit working papers. We have a range of business intelligence reporting that helps engagement leaders to monitor the timely completion of audit phases.

Our open file review program assesses the planning outcomes of each engagement leader’s higher-risk audits. We rotate which audits are reviewed to ensure good coverage. The program is focused on ensuring the audit planning is in accordance with the Auditor-General Auditing Standards and whether appropriate risk response plans have been developed for public sector-specific matters.

The Auditor-General is assigned overall responsibility and accountability for Queensland Audit Office’s (QAO’s) system of quality management.

The Australian Standard on Quality Management (ASQM 1) requires the Auditor-General to evaluate, on behalf of QAO, its system of quality management. The evaluation is to be undertaken at a point in time and performed at least annually.

This is supported by the Executive Management Group’s (EMG’s) assessment of the effectiveness of the internal quality control system.

The evaluation was undertaken as at 30 June 2024. It involved:

• reviewing our governance structure, policies, procedures, and guidelines for consistency and compliance with ASQM 1
• assessing the completeness and accuracy of our quality objectives, the risk to achieving them, and our risk treatments (controls)
• testing, on a sample basis, the effectiveness of our controls that address the identified risks.

We found that, while our system of quality management is robust, we could improve how we:

• execute and conclude on root cause analysis for material prior period errors. In response, we are providing more staff the training they need to undertake root cause analysis and improving the content of the training course
• link the root causes of unsatisfactory audits undertaken by our audit service providers (ASPs) with our assessment of the ASPs’ systems of quality management. In response, our quality assurance programs will be revised to better assess ASP firms’ real-time monitoring of audit quality
• better document the risk assessment of our quality review activities in our policies and procedures. In response, we are updating our policies and procedures to reflect the actions we were already undertaking.

We expect to address these over the coming year.

While we rated 2 audits undertaken by our audit service providers as unsatisfactory, overall the audit quality assurance program is effective in identifying audits at risk of quality issues, highlighting quality issues within files, developing remediation plans, and identifying areas for training. The learnings are shared across the business and included in training programs.

Therefore, we concluded we have reasonable assurance that:

• the objectives of the system of quality management are being achieved
• the internal system of quality management is effective.