Résumé: Roger Lines

As a retired director of internal audit and risk, I aim to keep active with occasional audits, governance projects, or with broader support for governance functions. Within internal audit, I can offer the most value for audits bridging IT and business, and for novel audit topics.

Career achievements and capabilities Detailed position history Qualifications and memberships Interests Referees (names redacted)

Career achievements and capabilities

Internal audits, and Chief Audit Executive functions

  • Managed internal audit service contracts, developed annual audit plans, scoped audit engagements. Produced a high level of value from the audit budget, no overruns, satisfied the audit committee. The organisation was technology intensive, and I managed the audit program for ICT along with business and operations. (2008‑2015)
  • Supported the audit committee by monitoring audit recommendations, introducing management assurance reporting, and committee secretariat functions. By sustaining a firm discipline in audit recommendations, energised the internal audit function and the culture of controls and accountability. The committee was happy with the service I managed. The organisation was happy that I was demonstrating its confidence and transparency to the audit committee through the committee papers.
  • Architected and set up audited controls reporting to client organisations, with joint statements from management and auditors, conforming to standards ASAE 3402 and GS 007 (2008–2015). This program was quickly seen as essential to assure stakeholders otherwise lacking confidence in the organisation, and it was sustained for multiple years.

Risk Management

  • Made risk management happen productively when it was needed. Supported strategic and divisional risk management for senior executives, and risk for middle managers. Developed methods for risk management in annual business plans and projects. Met deadlines for mandatory assessments of enterprise fraud and security risk, impressed the audit committee with the fraud risk assessment. (2013–2016)
  • Monitored risk treatments for core operations against assurance objectives, including information technology controls. Maintenance of controls was verified by independent auditors, resulting in general reliance by external auditors. (2008‑2015)
  • Developed general solutions for common problems in public sector risk management and validated them against ISO 31000, HB 436 and the Commonwealth Risk Management Policy:
  • How to make risk management a genuine basis of decisions and behaviours, rather than a prescribed process to maintain compliant documents, by finding assurance demand.

    How to understand and use risk appetite and tolerances to accept, change or avoid risks.

    Integrating distributed and dissimilar risk assessments for an enterprise view of risk, using the shared objectives affected by uncertainty as the common language.

  • The CRMA qualification demonstrates capacity to evaluate enterprise risk management as an independent auditor.
  • Business Continuity (2009–2015)

    • Established governance, structures, and reporting processes for business continuity. Supported development of functional and location continuity plans. This reform started from a near-zero baseline and public criticism from the Australian National Audit Office [Report No. 17 2009–10 4.295 vs. Report No. 22 2010–11 5.428], and put the organisation near the top of its peer group for business continuity management in Comcover benchmarking, an achievement marked with Australia Day medals in 2011. The business continuity capabilities were maintained and further improved over the remaining life of ComSuper to 2015.


    • Team leadership, performance management for auditors and governance specialists, recruitment etc.
    • Australia Day Achievement Award (medal) 2014 for ‘demonstrating organisation values, demonstrating outstanding leadership behaviours, making an outstanding organisation contribution’. Only one such award was made in that year in that organisation.
    • Maintained teamwork across different governance disciplines.

    Supporting skills

    • Reports, committee papers, and formal documents: commissioning, writing, editing, managing.
    • Desktop technology such as Microsoft Word, Excel, and Access. Built mid-size end-user Access databases for tracking enterprise audit recommendations and for the controls reporting program, and very large Excel workbooks for national audits.
    • Statistical sampling for audits and compliance work (e.g. two-stage dollar unit sampling, confidence intervals).
    • High-level committee secretariat support.
    • Information and network security, including public key cryptography (PKI) concepts.

    Detailed position history

    Since February 2021

    October 2016—January 2021

    • Active retirement, focused on developing a free professional support site Clear Lines on Audit and Risk, with parallel sharing and validation on LinkedIn. My output didn’t reach an audience important enough to make a difference, but it led me to learn a lot about the risk management standards, and about varying real-world approaches to risk management.
    • Maintained continuing professional development, specifically expanding skills in cybersecurity. All four listed professional certifications are current and designated ‘active’ based on compliance with continuing professional development requirements.

    The web site and LinkedIn articles capture some of the details of my audit philosophies and some original contributions to risk management practice, such as integrating de-centralised risk management, for recognising risk appetite, and for representing levels of risk acceptability (as a productive replacement for ‘levels of risk’).

    August 2015—September 2016: Manager Risk and Assurance, Department of Foreign Affairs and Trade

    • Contract role (Talent International) embedded in IT Division (450 staff, $100M budget). Supported the Information Management (IT) Division for risk management and engagements with auditors. The risk management role included documenting business plans and risk registers for the CIO’s executive team. The audit role included facilitating auditor contacts with operational areas, advising management on responses to audit recommendations, and monitoring the implementation of audit recommendations on behalf of the Divisional Executive.

    Management were happy with the service, and the contract was extended repeatedly to September 2016. At that point there were APS employees well placed to take over the roles.

    January 2008—June 2015: Director Audit and Risk, ComSuper

    • Delivered comprehensive assurance to the audit committee and external stakeholders, including information technology assurance. Saved audit resources and improved overall assurance to the audit committee using the ‘three lines of defence’ model. Implemented progressive improvements in audit and assurance planning, achieved effective risk and assurance mapping from 2011‑12.
    • Architected and set up audited controls reporting to client organisations.
    • Managed a mixed-source internal audit function. Audit planning, audit committee support, and management liaison were in-sourced. Individual audit assignments were outsourced.
    • Led business continuity and risk management for the enterprise. Established better-practice governance, structures, and reporting processes for business continuity, starting from nothing.
    • Led a small team of professionals in audit, risk, and business continuity.

    ComSuper was an Australian Public Service agency delivering financial services (superannuation scheme administration) for public servants and defence personnel. I elected for voluntary redundancy offered as a result of ComSuper merging into the Commonwealth Superannuation Corporation.

    1982—2007 mostly internal audits, with elements of information (cyber) security, risk management, and large-scale compliance audits.

    Qualifications and memberships

    Institute of Internal Auditors [IIA] www.iia.org.au  (Australia) and theiia.org (International)

    • Certified Internal Auditor [CIA] and Professional Member of the Institute of Internal Auditors [PMIIA] from October 2012. William S. Smith award for outstanding performance in the CIA examinations 2012.
    • Certified in Risk Management Assurance [CRMA] with the IIA from January 2014. This qualification shows capacity to provide independent evaluation of organisational risk management.
    • IIA Internal Audit Quality training in 2016.

    ISACA (information systems audit, control, governance) www.isaca.org


    • Graduate Certificate in Performance Auditing and Evaluation, University of Canberra (2006)
    • Master of Electronic Commerce (2004). Completion was based on a research thesis Achieving Honesty in Internet Claims and Declarations, involving fraud control in online services at the Health Insurance Commission, Centrelink, ATO, etc. Part time distance learning at Deakin University, while working full time.
    • Two Bachelor degrees from the 1970s.