Most Australian SME owners audit the parts of the business they enjoy — sales pipeline, customer retention, product margins. The back-office gets audited only when something goes wrong: a Fair Work investigation, a payroll error, a cybersecurity incident, a tax surprise. By then the audit is reactive and expensive. A 90-minute structured back-office audit, done once a year on a calm day, costs an owner almost nothing and reliably surfaces three to five issues that would otherwise have ambushed the business in the following twelve months.
Why the back-office never gets audited
There are three reasons the back-office is the part of the business that owners most consistently neglect to audit:
It isn't urgent until it is. Sales not coming in is urgent today. The Modern Award classification being slightly off has no consequence today, until one day it's a $40k Fair Work claim. Owners triage by urgency, not by latent risk.
It's nobody's natural job. The bookkeeper does the bookkeeping. The IT provider does the IT. No single person looks across the whole back-office. The cross-cutting view that an audit requires has no natural owner.
It's tedious. Auditing supplier contracts, reconciling cybersecurity controls, reviewing Award classifications, and stress-testing cash flow forecasts are not anyone's favourite Saturday. The work is intellectually unrewarding and emotionally low-stakes — right up until the day it isn't.
The audit gets done by exception, not by routine. The cost of running on exception is the unpredictability — most of the year is fine; one or two months a year are a disaster the audit would have prevented.
What the once-a-year audit is
It's a structured 90-minute review the owner does — or convenes — on a defined date each year (most usefully early in the financial year, when last year's data is fresh and the new year's decisions are still ahead).
It covers seven domains, asks roughly five questions per domain, and produces a list of issues ranked by risk. It does not require any external consultant to run. It does require honest answers.
The output is a one-page risk register with three to five items that need attention in the coming year. Done well, the audit is the single highest-ROI activity in the owner's calendar — a 90-minute investment that routinely surfaces issues that would otherwise have cost five-figure or six-figure amounts to resolve later.
The seven domains, with the questions for each
Domain 1 — Payroll and Award compliance
- Which Modern Awards cover the workforce, and when was each classification last reviewed against the role's actual duties?
- Are penalty rates, allowances, and overtime calculations being applied correctly across every staff member's pattern of work?
- What's the date of the last full payroll audit (someone other than the person who runs payroll re-checking a sample of pay runs)?
- What's the exposure on long service leave, annual leave accruals, and any unpaid superannuation?
- Has the payroll tax position been re-checked against current state thresholds in every state where staff or contractors are based?
A clean answer to all five takes most businesses about an hour to assemble and is the single best evidence base for sleeping well. A muddled answer to any of the five is the leading indicator of a future Fair Work or ATO problem.
Domain 2 — Financial reporting and cash flow
- What was the average number of business days between month-end and the closed monthly management report over the last 12 months?
- Does a 13-week rolling cash flow forecast exist, and when was it last reconciled to actual cash on hand?
- Of the major financial decisions made in the last 12 months (hiring, capital purchases, supplier changes), how many were modelled financially before the decision vs decided by gut and reconciled afterwards?
- What's the variance between budgeted and actual operating expenses for the year, and is each material variance explained?
- How quickly could the business answer the question "what's our cash runway if revenue drops 30% next quarter?"
The honest answers usually reveal a reporting cadence that's slower than the decision cadence — the trailing indicator of a finance function under-resourced for the size of the business.
Domain 3 — HR and employment
- Are all current employment contracts on the current version of the template, with correct Award reference, classification, and clauses?
- What's the count of casual employees who have been employed for 12+ months and might be eligible for casual conversion, and what's the policy for handling that conversation?
- How many performance conversations were documented in the last 12 months vs how many issues were managed informally?
- What's the status of the psychosocial hazards risk assessment required under the WHS regulations?
- If a staff member raised a Fair Work complaint tomorrow, who would lead the response and what documentation exists to support the business's position?
Most owners discover at audit that they have two or three open exposures here that nobody had flagged because no single person owns the cross-cutting HR view.
Domain 4 — IT and cybersecurity
- Is multi-factor authentication enforced on all email and business-critical systems, including third-party SaaS?
- When was the last successful test-restore of a backup (not just "we have backups" — when did someone actually restore data from one and confirm it worked)?
- Is the business patching to current vendor recommendations, and is there a list of devices that aren't compliant?
- Has the Essential Eight maturity assessment been done in the last 12 months, and at what level is the business?
- If a ransomware incident hit the business tomorrow, what's the documented response plan and who's responsible for executing it in the first hour?
Cybersecurity is the audit domain where the gap between what the business thinks is in place and what's actually in place is consistently the widest. The questions force the gap into view.
Domain 5 — Tax and statutory compliance
- Are all BAS lodgements current, and what's the relationship status with the ATO?
- Has tax-effective structuring been reviewed in the last 24 months, given changes in business size and circumstances?
- Are FBT, super guarantee, payroll tax, and workers compensation premiums calculated and paid on time and against the correct base?
- Are there any outstanding ATO notices, audits, or correspondence that haven't been actioned?
- What's the position on R&D incentive claims, instant asset write-off, and any other concessions the business may be entitled to?
A clean tax compliance file is the table-stakes audit output. A messy one is the single biggest source of unforced-error cost in the SME population.
Domain 6 — Suppliers and contracts
- What's the current list of all back-office service providers, with monthly cost, contract end date, and notice period for each?
- Which contracts auto-renew, and are any of them within their notice window in the next 90 days?
- What's the total annual back-office service cost, and how does it compare to last year and the year before?
- Which providers have given the business their best work in the last 12 months, and which have been a source of friction?
- If the business needed to replace any one provider tomorrow, how long would the transition take and what's the documented handover process?
This is the domain that produces the loudest "I didn't realise we were paying that much" moments at audit. The total back-office spend is often 30-50% higher than the owner had been carrying in their head.
Domain 7 — Data, systems, and documentation
- Where is the master list of all SaaS tools the business uses, including who has admin access to each?
- What's the status of the company knowledge base — is there one, is it current, and would a new starter be able to use it?
- Are the financial system (Xero or equivalent), CRM, and HR system speaking to each other cleanly, or are there double-entries and mismatches?
- What's the policy for offboarding a staff member's access to all systems, and when was it last tested?
- If the owner was unreachable for 6 weeks, what would break first and how would the business know it had broken?
The seventh domain is the one most owners haven't thought about as a domain. It's where the operational fragility hides.
The output: a one-page risk register
After running the questions across all seven domains, the output is a single-page risk register listing the issues uncovered, ranked by severity.
A typical 25-staff Australian SME audit produces something like:
| # | Domain | Issue | Estimated risk / cost | Action |
|---|---|---|---|---|
| 1 | Payroll | Two Award classifications haven't been reviewed in 3 years | $20-40k Fair Work exposure | Get classification review done by August |
| 2 | IT | Last backup restore test was 18 months ago | Unknown — likely high | Schedule restore test this quarter |
| 3 | HR | 4 casuals over 12-month threshold, no conversion conversation | $15k+ potential claims | Initiate conversion discussions Q2 |
| 4 | Suppliers | Bookkeeping invoice grown 35% in 2 years; no review | $8-12k/yr potential saving | Renegotiate or RFP at next contract end |
| 5 | Tax | Super guarantee paid correctly but late twice in FY26 | ATO penalty exposure | Move SG to direct debit |
Five items. Each has an estimated cost. Each has an action with a due date. The total exposure on the page is usually $50k-$200k. The total time to action all five is usually 20-40 hours over the following 12 months.
That's the audit's value: 90 minutes converted into a year's worth of focused operational attention on the things most likely to bite.
When to do it
The most useful date is 4-6 weeks into the new financial year:
- Last year's numbers are final
- The new year's planning is still being shaped
- The major audit findings can feed into operational priorities for the year ahead
If that window's missed, the second-best date is the start of the calendar year (January, before the year accelerates), or any defined date the owner will actually stick to. The worst date is "when I have time" — that date never arrives.
Who runs it
Three options:
- The owner alone. Cheapest but emotionally hardest — the questions are uncomfortable to answer honestly when there's no external observer. Most owners discover they need someone else in the room.
- The owner with the bookkeeper / finance person. Better — provides accountability and a second set of eyes. Limitation: the bookkeeper isn't trained on six of the seven domains, so the answers in non-finance domains are still self-graded.
- The owner with an integrated advisor or Trusted Advisor. Best — provides cross-domain expertise, asks the unforgiving follow-up question on each answer, and helps prioritise the action list against the realities of the year ahead. This is structurally what a Trusted Advisor relationship exists for.
For businesses without an integrated advisor, the audit is still genuinely worth doing alone or with the finance person — even a self-administered version surfaces most of what matters. The integrated version just produces the cleaner risk register and the more realistic action plan.
The audit as cultural artefact
Beyond the immediate risk register, the once-a-year audit produces a cultural effect inside the business: it normalises looking at the back-office honestly. The team learns that the audit is happening. The bookkeeper, the IT provider, and the payroll person know that questions will be asked. The quality of the work delivered between audits rises because everyone expects the review.
Most businesses that have run the audit annually for three years find that the third year produces a shorter and less alarming risk register than the first — the routine itself has changed the work.
What to do next
The most useful next step is to commit to a date in the next 90 days and run the audit. The questions in this article are enough to do a credible first version. If the answers reveal that the back-office architecture itself is fragile (multiple providers, no single accountable view, cross-functional questions falling between the cracks), the next conversation is structural.
- Business Health Check — a five-minute diagnostic that previews what a full audit would reveal in the architecture domains.
- Trusted Advisor conversation — 20 minutes; useful if the self-audit revealed three or more open issues across different domains, which is the signature of a back-office that's outgrown its current architecture.
The businesses that do the audit annually look fundamentally different in five years from the businesses that don't. The difference isn't intelligence or industry — it's the routine attention to the parts of the business that don't naturally demand it.
About the author
Nick Lucock
Chief Executive Officer, Valont
Nick leads Valont's day-to-day operations across Finance, People, Operations and Growth. He writes about how the work actually gets done — the processes, systems, and tools that keep Australian SMEs compliant and growing.