AEO Surveillance Audit FAQs


  1. What is a surveillance audit?
  2. When does an AEO undergo the first AEO surveillance audit?
  3. How frequently will an AEO need to undergo a surveillance audit?
  4. When will an AEO be advised of a surveillance audit?
  5. What is a Special Audit?
  6. Action Management

This diagram shows a SWIM lane process map representing the auditing process landscape for Authorised Engineering Organisations.

1. What is a surveillance audit?

Audits are a systematic, independent and documented verification process of objectively obtaining and evaluating audit evidence to determine whether specified criteria are met (AS/NZS ISO 19011:2014).  The ASA undertakes risk-based surveillance audits of AEOs to measure the level of compliance with authorisation requirements including demonstrated evidence of active deployment of an AEO's systems in an organisational and/or project environment. 

Underpinning the surveillance process are:

  • a competent systems auditor performing the role of team leader
  • engaging competent SMEs, as required, as part of the audit team
  • adopting a consultative risk-based approach to developing targeted audit scope – utilising information from previous assessments, audits or other sources
  • undertaking the audit in line with the agreed audit plan
  • completing the audit report in the agreed timeframe
  • following up with the AEO to ensure that agreed actions are addressed and closed


2. When does an AEO undergo the first AEO surveillance audit?

The first surveillance audit is scheduled around 12 months after AEO status is granted and establishes a critical baseline of performance against that observed during the assessment phase. It establishes how the AEO's systems and processes are measured and rated at a deployment level.


3. How frequently will an AEO need to undergo a surveillance audit?

The Manager Audit & Compliance, ASA, develops a program of surveillance audits on all AEOs that is updated regularly. 

After the first surveillance audit, a risk-based approach is adopted by ASA with all AEOs to ensure areas which present higher risks to TfNSW are identified and targeted as a priority during ongoing surveillance activities, including outstanding action items.

The frequency of surveillance is based on a range of risk considerations, which also contribute to scope development:

  • maturity levels and findings from the initial authorisation assessment
  • any outstanding actions from the initial assessment
  • previous surveillance audit findings and any outstanding actions
  • scope of services and disciplines offered by the AEO
  • TfNSW contracts awarded to the AEO
  • risks associated with the particular AEO services, especially safety risks.

The output of ongoing surveillance is used to adjust maturity classification levels, if required, and the frequency, depth and focus of subsequent surveillance audits.


4. When will an AEO be advised of a surveillance audit?

Each ASA systems auditor is assigned a number of AEOs to manage for surveillance purposes.  They will forward notification to the AEO about 3 months in advance of the proposed audit date. 

The notice of intent to audit will include a questionnaire for the AEO to complete and return to the ASA. The responses in the questionnaire assist the ASA in confirming and developing a targeted risk-based audit scope.

The ASA is aware that AEOs typically experience a range of third-party activities that may impact on their business. Therefore we engage with the AEO during the planning phase to enable the most effective and efficient arrangements to accommodate the surveillance audit and reduce the impact on business activities.


5. What is a Special Audit?

A Special Audit is initiated at short notice on an AEO where a prompt investigative response is required to an identified risk. A serious incident or systemic issue involving an AEO may trigger a Special Audit which is conducted outside of the regular surveillance audit program.  The decision to proceed with a Special Audit is made after review of information or evidence made available to the ASA and discussions with the AEO.

The ASA may also be engaged to conduct a Special Audit on an operator maintainer AEO against specific rail services contract requirements, including asset integrity.

A competent auditor is assigned the role of audit team leader and necessary SMEs are engaged to be part of the audit team.  The defined terms of reference or scope will set out the parameters of the Special Audit, the timeframe in which it needs to be completed and any special conditions.


6. Action Management

It is a condition of being granted AEO status that each organisation addresses agreed actions appropriately within agreed timeframes and that they comply with any conditions imposed by the ASA as part of their authorisation. These details are set out in the letter of authorisation issued by the ASA. 

An action management plan is generated after the final audit report is released, using an approved ASA template. The action management plan provides for inclusion of actions, controls and due dates proposed by the AEO in response to audit findings.

It is incumbent upon the AEO to address, as a priority, higher level action items which present the greatest risk (i.e. serious/major non-conformances) and proposed action responses must meet the intent of report findings.

The ASA systems auditor will liaise regularly with the AEO until actions are progressively closed out based on evidence provided.