As a retired director of internal audit, I aim to keep active with occasional audits, or with broader support for the audit function. I can offer the most value for audits bridging IT and business, and for novel audit topics.
Available for professional and supporting roles in Canberra at modest hourly rates, as needed, with no expectation of regular income.
Career achievements and capabilities
Internal audits, and Chief Audit Executive functions
- Managed internal audit service contracts, developed annual audit plans, scoped audit engagements. Produced a high level of value from the audit budget, no overruns, satisfied the audit committee. (2008‑2015)
- Supported the audit committee by monitoring audit recommendations, introducing management assurance reporting, and committee secretariat functions. By sustaining a firm discipline in audit recommendations, energised the internal audit function and the culture of controls and accountability. The committee was happy with the service I managed. The organisation was happy that I was demonstrating its confidence and transparency to the audit committee through the committee papers.
- Architected and set up audited controls reporting to client organisations, with joint statements from management and auditors, conforming to standards ASAE 3402 and GS 007 (2008–2015). This program was quickly seen as essential to assure stakeholders otherwise lacking confidence in the organisation, and it was sustained for multiple years.
- Made risk management happen productively when it was needed. Developed methods for risk management in annual business plans and projects. Met deadlines for mandatory assessments of enterprise fraud and security risk, impressed the audit committee with the fraud risk assessment. (2013–2016)
- Monitored risk treatments for core operations against assurance objectives, including information technology controls. Maintenance of controls was verified independently (and efficiently) by internal auditors, with general reliance by external auditors. (2008‑2015)
- Able to assess existing risk frameworks, implement reforms, and build risk frameworks and risk management strategies from scratch.
Business Continuity (2009–2015)
- Established governance, structures, and reporting processes for business continuity. Supported development of functional and location continuity plans. This reform started from a near-zero baseline and public criticism from the Australian National Audit Office [Report No. 17 2009–10 4.295 vs. Report No. 22 2010–11 5.428], but put the organisation near the top of its peer group for business continuity management (per Comcover benchmarking), an achievement marked with Australia Day medals in 2011. The business continuity capabilities were maintained and further improved over the remaining life of ComSuper (to 2015).
- Team leadership, performance management for auditors and governance specialists, recruitment etc.
- Australia Day Achievement Award (medal) 2014 for ‘demonstrating organisation values, demonstrating outstanding leadership behaviours, making an outstanding organisation contribution’. Only one such award was made in that year in that organisation.
- Focused on maintaining teamwork across different governance disciplines.
- Reports, committee papers, and formal documents: writing, editing, managing.
- Desktop technology such as Microsoft Word, Excel, and Access. Built mid-size end-user Access databases for tracking enterprise audit recommendations and for the controls reporting program, and very large Excel workbooks for national audits.
- Statistical sampling for audits and compliance work (e.g. two-stage dollar unit sampling).
- High-level committee secretariat support.
- Information and network security, including public key cryptography (PKI) concepts.
Detailed position history
Since October 2016
- Active retirement, focused on developing a free professional support site Clear Lines on Audit and Risk, with parallel sharing and validation on LinkedIn. My output didn’t reach an audience important enough to make a difference, but it led me to learn a lot about the risk management standards and varying real-world approaches to risk management.
- Maintained continuing professional development, specifically expanding skills in cybersecurity. All four listed professional certifications are current and designated ‘active’ based on compliance with continuing professional development requirements.
The web site and LinkedIn articles capture some of the details of my audit philosophies and some original contributions to risk management practice, such as integrating de-centralised risk management, recognising risk appetite, and representing levels of risk acceptability (as a productive replacement for ‘levels of risk’, which are generally unproductive).
August 2015-September 2016: Manager Risk and Assurance, Department of Foreign Affairs and Trade
- Contract role (Talent International) embedded in IT Division (450 staff, $100M budget). Supported the Information Management (IT) Division for risk management and engagements with auditors. The risk management role included documenting business plans and risk registers for the CIO’s executive team. The audit role included facilitating auditor contacts with operational areas, advising management on responses to audit recommendations, and monitoring the implementation of audit recommendations.
Management were happy with the service, and the contract was extended repeatedly to September 2016. At that point there were APS employees well placed to take over the roles. The Division was well equipped to upgrade risk management for projects and for business as usual.
January 2008‑June 2015: Director Audit and Risk, ComSuper
- Delivered comprehensive assurance to the audit committee and external stakeholders. Saved audit resources and improved overall assurance to the audit committee using the ‘three lines of defence’ model. Implemented progressive improvements in audit and assurance planning, achieved effective risk and assurance mapping from 2011‑12. In 2012‑13 developed and implemented a highly targeted assurance approach for IT projects.
- Managed a mixed-source internal audit function. Audit planning, audit committee support, and management liaison were in-sourced. Individual audit assignments were outsourced.
ComSuper was an Australian Public Service agency delivering financial services (superannuation scheme administration) for public servants and defence personnel. I elected for voluntary redundancy as a result of a merger with the Commonwealth Superannuation Corporation.
1982-2007 mostly internal audits, with elements of information (cyber) security, risk management, and large-scale compliance audits.
Qualifications and memberships
Institute of Internal Auditors www.iia.org.au (Australia) and theiia.org (International)
- Certified Internal Auditor [CIA] and Professional Member of the Institute of Internal Auditors [PMIIA] from October 2012. William S. Smith award for outstanding performance in the CIA examinations 2012.
- Certified in Risk Management Assurance [CRMA] with the IIA from January 2014. This qualification shows capacity to provide independent evaluation of organisational risk management.
- IIA Internal Audit Quality training in 2016.
ISACA (information systems audit, control, governance) www.isaca.org
- Certified Information Systems Auditor [CISA] with ISACA. Outstanding Achievement Award as world runner-up in the 1992 CISA examination.
- Certified in Risk and Information Systems Control [CRISC] with ISACA, 2015.
- Cybersecurity (CSX) Fundamentals 2015, COBIT Foundations 2016.
- Graduate Certificate in Performance Auditing and Evaluation, University of Canberra (2006)
- Master of Electronic Commerce (2004). Completion was based on a research thesis, Achieving Honesty in Internet Claims and Declarations, involving fraud control in online services at the Health Insurance Commission, Centrelink, ATO, DIMIA, etc. Part-time distance learning at Deakin University, while working full time.
- Two Bachelor degrees from the 1970s.
- Web site Clear Lines on Audit and Risk, clearlinesaudit.com.au. Some recent articles specifically support this résumé: Audit recommendation tracking; What is ‘controls reporting’?; and In governance, do only what matters.
- LinkedIn articles such as Centralised or de-centralised risk management in your enterprise? (1020 views), Risk impact scale vs. achievement of objectives (843 views), and Risk consequences as the final effect on objectives (735 views).
- One article in PM Magazine (June 2019), Risk management in projects: the real reason. (PM Magazine is essentially a compilation of selected articles from LinkedIn.)
- Public speaking skills: Senior member of Rostrum ACT, formally accredited as a public speaking coach. Experienced with group presentations, running meetings and workshops. Holder of multiple senior positions within Rostrum ACT.
- Mr X, Manager Governance, National Capital Authority. Mr X was my manager as Chief Governance Officer for ComSuper 2008‑2015, and also at the Department of Education, Science and Training 2006‑2007.
- Mr Y, Assistant Secretary, Department of Education, Skills and Employment. Mr Y was an Audit and Risk Committee member and frequent auditee executive at ComSuper 2008‑2015.