Assurance, Audit & Investigation Methodology
People. Systems. Controls.
Working together to support organisational performance.
At Secura Consulting, we believe effective risk management, assurance, investigation and organisational improvement begins with understanding what an organisation is trying to achieve.
Every organisation exists to deliver outcomes. Whether producing goods, delivering services, executing projects, maintaining infrastructure, supporting communities or managing complex operations, success depends upon the interaction of people, systems and controls.
Our methodology is built around understanding that relationship.
Rather than focusing solely on compliance, incidents or individual events, we seek to understand how organisations achieve success, what could prevent success, and how confidence can be established that critical controls are operating as intended.
This approach has been influenced by operational experience gained across military, law enforcement, investigations, emergency management, security, mining, heavy industry and organisational leadership, together with concepts drawn from risk management, assurance, governance, organisational learning, human factors and systems thinking.
While every engagement is different, our approach generally follows a consistent process.
UNDERSTAND THE OBJECTIVE
Every review begins by understanding the outcome the organisation is seeking to achieve.
Before discussing hazards, risks, controls or compliance requirements, we seek to understand:
What is the organisation trying to achieve?
What does success look like?
What are the critical activities supporting that objective?
What are the potential consequences of failure?
Understanding objectives provides context for everything that follows.
Without a clear understanding of the objective, risk assessments, audits and investigations can become exercises in compliance rather than meaningful evaluations of organisational performance.
IDENTIFY OBLIGATIONS, EXPECTATIONS AND CONTROLS
Once objectives are understood, we identify the obligations, standards and expectations that apply.
These may include:
Legislation and regulations
Codes of practice • Industry standards
Management system requirements
Internal policies and procedures
Contractual obligations
Recognised and emerging good practice
We also seek to understand the controls that have been established to support success and manage risk.
Controls may be physical, procedural, administrative, behavioural, technological or organisational in nature.
At this stage we are not simply asking whether controls exist.
We are seeking to understand how the organisation believes success is achieved and how risk is intended to be managed.
ESTABLISH OPERATIONAL REALITY
Organisations often possess documented systems, procedures, risk registers and governance arrangements.
Equally important is understanding how work is actually performed.
This may involve:
Workplace observations
Interviews and consultation
Site inspections
Operational reviews
Document reviews
Data analysis
Verification activities
Experience has shown there can sometimes be differences between documented expectations and operational reality.
Understanding how work is actually performed helps identify strengths, vulnerabilities, assumptions and opportunities for improvement.
We place significant value on establishing facts before forming conclusions.
FOLLOW THE EVIDENCE
Secura Consulting adopts an evidence-based approach.
Findings are developed through the collection, review and assessment of relevant information.
Evidence may include:
Records and documentation
Interviews
Observations
Data and performance information
Site inspections
Physical verification of controls
Technical information
Investigation material
Conclusions are supported by evidence wherever possible.
This approach helps ensure findings are objective, transparent and capable of withstanding scrutiny.
ASSESS PEOPLE, SYSTEMS AND CONTROLS
The Secura Consulting framework is built around three interconnected elements:
People
The leaders, workers, contractors and subject matter experts who perform the work, make decisions and respond to changing conditions.
Systems
The governance arrangements, processes, procedures, standards, resources and management systems that support organisational activities.
Controls
The barriers, safeguards, verification activities and recovery measures that help organisations achieve objectives and manage risk.
Success and failure rarely arise from a single factor.
More commonly they emerge from the interaction of people, systems and controls operating within a particular environment.
Our reviews seek to understand the effectiveness of each element and how they interact.
ASSESS BOTH COMPLIANCE AND EFFECTIVENESS
Compliance remains important. However, the existence of a policy, procedure, training package or control does not necessarily mean risk is being effectively managed.
For this reason, Secura Consulting assesses both:
Compliance
Are obligations, requirements and expectations being met?
Effectiveness
Are the people, systems and controls achieving the outcomes they were designed to achieve?
This distinction provides a more meaningful understanding of organisational performance and control effectiveness.
PROVIDE ASSURANCE
Assurance is fundamentally about confidence.
Confidence that obligations are understood.
Confidence that risks are being managed.
Confidence that controls are functioning as intended.
Confidence that leaders can make informed decisions.
Depending on the engagement, assurance activities may involve:
Audits
Compliance reviews
Critical control verification
Governance reviews
Investigations
Independent assessments
Operational reviews
The objective is not simply to identify deficiencies.
The objective is to provide a clear understanding of what is working well, what requires attention and where opportunities for improvement exist.
SUPPORT IMPROVEMENT
Recommendations only create value when they lead to meaningful improvement.
Where requested, Secura Consulting can assist organisations to:
Strengthen controls
Improve governance arrangements
Develop practical systems and processes
Verify corrective actions
Improve organisational capability
Support implementation activities
Our focus is on practical, sustainable improvements that support organisational objectives and can be maintained over time.
EVIDENCE-BASED AND STANDARDS-INFORMED
Secura Consulting adopts a structured and evidence-based approach to assurance, audit, investigation and review activities.
Depending on the nature of the engagement, methodologies may be informed by recognised legislation, regulations, standards, codes of practice and accepted professional guidance, including:
Assurance, Audit and Governance
Australian Auditing and Assurance Standards (ASAE)
ASAE 3000 – Assurance Engagements
ASAE 3100 – Compliance Engagements
Global Internal Audit Standards
ISO 19011 – Guidelines for Auditing Management Systems
Risk Management and Governance
ISO 31000 – Risk Management
COSO Enterprise Risk Management Framework
Institute of Internal Auditors (IIA) guidance
Three Lines Model
Health, Safety and Wellbeing
ISO 45001 – Occupational Health and Safety Management Systems
ISO 45003 – Psychological Health and Safety at Work
Applicable Work Health and Safety legislation
Workers Compensation and Return to Work legislation
Regulator guidance and approved Codes of Practice
Quality and Management Systems
ISO 9001 – Quality Management Systems
Organisational governance and management system requirements
Industry-specific quality standards where applicable
Emergency Management and Resilience
AS 3745 – Planning for Emergencies in Facilities
AS 4083 – Planning for Emergencies – Health Care Facilities
ISO 22320 – Emergency Management
ISO 22301 – Business Continuity Management Systems
Relevant emergency management doctrine and guidance
Security and Investigations
Australian Government Investigation Standards (AGIS)
Procedural fairness and natural justice principles
Protective Security Policy Framework (PSPF)
Security Risk Management Body of Knowledge (SRMBOK)
Relevant security and investigative methodologies
Industry and Operational Standards
Industry-specific standards
Critical Control Management guidance
Regulator guidance material
Client requirements and contractual obligations
Recognised and emerging good practice
The specific frameworks applied will vary depending on the nature, scope and objectives of each engagement.
OUR OBJECTIVE
Our objective is not simply to identify non-conformances, produce reports or satisfy compliance requirements.
Our objective is to help organisations understand what matters most, strengthen critical controls, build capability and provide confidence that people, systems and controls are working together to support organisational performance.
People. Systems. Controls. Working together to support organisational performance.
Last updated: May 2026.