Update from Graham Webb PSM

In advance of the preparation of the QAO Local Government Financial Audit Report to Parliament each year the Office reviews the outcomes of the various council audits by external auditors. Of intense interest always is the range of questions and queries posed with councils by their auditors which involve matters still unresolved or not improving from year to year. These matters tend to receive special mention in the Auditor-General’s annual reports to Parliament with an overview of performance of Queensland’s 77 Local Governments and Council related entities.

Recent Parliamentary reports indicate that there are still a number of key and concerning areas where local governments are not making progress in satisfying QAO standards.

The Auditor-General acknowledges that entities (including local governments) are keeping better track of QAO recommendations and have mature processes for monitoring implementation. However, the reports also identify situations where local governments are not always adequately managing their risks.

From examples provided in the reports submitted in 2022, some local governments, CEO’s, Internal Auditors and Audit Committees, have and will continue to be challenged by the following risk and financial management issues:

  • Since the COVID 19 pandemic, cyber threats have intensified in frequency and sophistication. Strong controls over who has access to computer and Information systems and the information in them are extremely important. One critical element in managing the risk of a cyber incident is to provide adequate training to staff on cyber threats and educate them on the impact such incidents have on Council operations. The QAO recommends Councils develop and implement mandatory cyber security awareness training for all staff. At the time of the last report to Parliament, 20 councils (26%) had not provided training to their staff.


  • On common internal control deficiencies, 47 councils (64%) have at least one significant deficiency that needs to be addressed. Many of these deficiencies are the same as those identified in previous years recommendations.


  • 22 councils (30%) do not have adequate processes in place to identify and manage risk, including not having a risk management framework; a complete risk register that captures the risks they are exposed to; adequate and tested business continuity and disaster recovery plans; or not completed a fraud risk assessment or adequately assessed their risk of fraud.


  • The local government sector spends approximately $8 billion annually in procuring from various suppliers and service providers. The QAO considers procurement and contract management practices are still weak, with common weaknesses in legislative non-compliance. Examples given include not having strong procurement policies; not obtaining sufficient tenders/quotes; absence of contract agreements; adequate checks of vendor information or recording and maintaining contract registers. The QAO reports that 29 ( 39%) councils had weak practices, and of these 19 (25%) councils had not addressed these weaknesses for more than 12 months.


There is an important role for Audit Committees and their Chairs in monitoring and following up on concerns and recommendations arising from their council’s annual audit report. Timely resolution of issues raised should be a priority for the Audit Committee agenda.

Need advice on what makes an Audit Committee effective? Give Graham Webb a call – Ph: 0417 191 698

Join our newsletter

We won’t spam you, you will receive regular updates on relevant topics. 

  • This field is for validation purposes and should be left unchanged.