Assurance, Audit & Investigation Methodology

People. Systems. Controls.

Working together to support organisational performance.

At Secura Consulting, we believe effective risk management, assurance, investigation and organisational improvement begins with understanding what an organisation is trying to achieve.

Every organisation exists to deliver outcomes. Whether producing goods, delivering services, executing projects, maintaining infrastructure, supporting communities or managing complex operations, success depends upon the interaction of people, systems and controls.

Our methodology is built around understanding that relationship.

Rather than focusing solely on compliance, incidents or individual events, we seek to understand how organisations achieve success, what could prevent success, and how confidence can be established that critical controls are operating as intended.

This approach has been influenced by operational experience gained across military, law enforcement, investigations, emergency management, security, mining, heavy industry and organisational leadership, together with concepts drawn from risk management, assurance, governance, organisational learning, human factors and systems thinking.

While every engagement is different, our approach generally follows a consistent process.

UNDERSTAND THE OBJECTIVE

Every review begins by understanding the outcome the organisation is seeking to achieve.

Before discussing hazards, risks, controls or compliance requirements, we seek to understand:

  • What is the organisation trying to achieve?

  • What does success look like?

  • What are the critical activities supporting that objective?

  • What are the potential consequences of failure?

Understanding objectives provides context for everything that follows.

Without a clear understanding of the objective, risk assessments, audits and investigations can become exercises in compliance rather than meaningful evaluations of organisational performance.

IDENTIFY OBLIGATIONS, EXPECTATIONS AND CONTROLS

Once objectives are understood, we identify the obligations, standards and expectations that apply.

These may include:

  • Legislation and regulations

  • Codes of practice • Industry standards

  • Management system requirements

  • Internal policies and procedures

  • Contractual obligations

  • Recognised and emerging good practice

We also seek to understand the controls that have been established to support success and manage risk.

Controls may be physical, procedural, administrative, behavioural, technological or organisational in nature.

At this stage we are not simply asking whether controls exist.

We are seeking to understand how the organisation believes success is achieved and how risk is intended to be managed.

ESTABLISH OPERATIONAL REALITY

Organisations often possess documented systems, procedures, risk registers and governance arrangements.

Equally important is understanding how work is actually performed.

This may involve:

  • Workplace observations

  • Interviews and consultation

  • Site inspections

  • Operational reviews

  • Document reviews

  • Data analysis

  • Verification activities

Experience has shown there can sometimes be differences between documented expectations and operational reality.

Understanding how work is actually performed helps identify strengths, vulnerabilities, assumptions and opportunities for improvement.

We place significant value on establishing facts before forming conclusions.

FOLLOW THE EVIDENCE

Secura Consulting adopts an evidence-based approach.

Findings are developed through the collection, review and assessment of relevant information.

Evidence may include:

  • Records and documentation

  • Interviews

  • Observations

  • Data and performance information

  • Site inspections

  • Physical verification of controls

  • Technical information

  • Investigation material

Conclusions are supported by evidence wherever possible.

This approach helps ensure findings are objective, transparent and capable of withstanding scrutiny.

ASSESS PEOPLE, SYSTEMS AND CONTROLS

The Secura Consulting framework is built around three interconnected elements:

People
The leaders, workers, contractors and subject matter experts who perform the work, make decisions and respond to changing conditions.

Systems
The governance arrangements, processes, procedures, standards, resources and management systems that support organisational activities.

Controls
The barriers, safeguards, verification activities and recovery measures that help organisations achieve objectives and manage risk.

Success and failure rarely arise from a single factor.

More commonly they emerge from the interaction of people, systems and controls operating within a particular environment.

Our reviews seek to understand the effectiveness of each element and how they interact.

ASSESS BOTH COMPLIANCE AND EFFECTIVENESS

Compliance remains important. However, the existence of a policy, procedure, training package or control does not necessarily mean risk is being effectively managed.

For this reason, Secura Consulting assesses both:

Compliance
Are obligations, requirements and expectations being met?

Effectiveness
Are the people, systems and controls achieving the outcomes they were designed to achieve?

This distinction provides a more meaningful understanding of organisational performance and control effectiveness.

PROVIDE ASSURANCE

Assurance is fundamentally about confidence.

  • Confidence that obligations are understood.

  • Confidence that risks are being managed.

  • Confidence that controls are functioning as intended.

  • Confidence that leaders can make informed decisions.

Depending on the engagement, assurance activities may involve:

  • Audits

  • Compliance reviews

  • Critical control verification

  • Governance reviews

  • Investigations

  • Independent assessments

  • Operational reviews

The objective is not simply to identify deficiencies.

The objective is to provide a clear understanding of what is working well, what requires attention and where opportunities for improvement exist.

SUPPORT IMPROVEMENT

Recommendations only create value when they lead to meaningful improvement.

Where requested, Secura Consulting can assist organisations to:

  • Strengthen controls

  • Improve governance arrangements

  • Develop practical systems and processes

  • Verify corrective actions

  • Improve organisational capability

  • Support implementation activities

Our focus is on practical, sustainable improvements that support organisational objectives and can be maintained over time.

EVIDENCE-BASED AND STANDARDS-INFORMED

Secura Consulting adopts a structured and evidence-based approach to assurance, audit, investigation and review activities.

Depending on the nature of the engagement, methodologies may be informed by recognised legislation, regulations, standards, codes of practice and accepted professional guidance, including:

Assurance, Audit and Governance

  • Australian Auditing and Assurance Standards (ASAE)

  • ASAE 3000 – Assurance Engagements

  • ASAE 3100 – Compliance Engagements

  • Global Internal Audit Standards

  • ISO 19011 – Guidelines for Auditing Management Systems

Risk Management and Governance

  • ISO 31000 – Risk Management

  • COSO Enterprise Risk Management Framework

  • Institute of Internal Auditors (IIA) guidance

  • Three Lines Model

Health, Safety and Wellbeing

  • ISO 45001 – Occupational Health and Safety Management Systems

  • ISO 45003 – Psychological Health and Safety at Work

  • Applicable Work Health and Safety legislation

  • Workers Compensation and Return to Work legislation

  • Regulator guidance and approved Codes of Practice

Quality and Management Systems

  • ISO 9001 – Quality Management Systems

  • Organisational governance and management system requirements

  • Industry-specific quality standards where applicable

Emergency Management and Resilience

  • AS 3745 – Planning for Emergencies in Facilities

  • AS 4083 – Planning for Emergencies – Health Care Facilities

  • ISO 22320 – Emergency Management

  • ISO 22301 – Business Continuity Management Systems

  • Relevant emergency management doctrine and guidance

Security and Investigations

  • Australian Government Investigation Standards (AGIS)

  • Procedural fairness and natural justice principles

  • Protective Security Policy Framework (PSPF)

  • Security Risk Management Body of Knowledge (SRMBOK)

  • Relevant security and investigative methodologies

Industry and Operational Standards

  • Industry-specific standards

  • Critical Control Management guidance

  • Regulator guidance material

  • Client requirements and contractual obligations

  • Recognised and emerging good practice

The specific frameworks applied will vary depending on the nature, scope and objectives of each engagement.

OUR OBJECTIVE

Our objective is not simply to identify non-conformances, produce reports or satisfy compliance requirements.

Our objective is to help organisations understand what matters most, strengthen critical controls, build capability and provide confidence that people, systems and controls are working together to support organisational performance.

People. Systems. Controls. Working together to support organisational performance.

Last updated: May 2026.