Audit Committee Chairs Forum — Friday 3 December 2021
An Audit Committee Chairs Forum was held on Friday, 3 December 2021. It was both an in-person and virtual event.
The text on this page is the communique from the forum.
End of Year Financial Statements Reporting
- 241 of 244 Auditor’s Reports were issued. 89% of auditor’s reports were issued within three months of year-end, up from 78% last year. The total number of audit findings across all categories for the 2020–21 audit cycle was 165, an increase since last year. There were two significant (Category A) findings and 14 instances of significant legislative breaches. Significant legislative breaches were reported to Parliament and related to:
  - Instances of significant potential or actual breaches of the Constitution; and
  - Instances of significant non-compliance with the entity’s enabling legislation, legislation that the entity is responsible for administering, and the PGPA Act.
- There were nine new moderate legislative breaches reported during 2020–21. Seven of the nine findings related to remuneration of Key Management Personnel (KMP). The increase in the number of breaches reported is the outcome of additional focus placed on KMP reporting as a result of prior year audit findings.
- 87.1% (2019-20: 78%) of moderate findings related to:
  - IT controls – management of user access and privileged users;
  - Compliance and quality assurance frameworks supporting program payments; and
  - Management of non-financial assets.
- With respect to the quality of financial statement preparation, eight entities had findings relating to the weaknesses in processes supporting financial statement preparation.
- Timeliness in financial statements preparation improved compared to last year. Delivery of financial statements in line with the agreed timeframes was achieved by 73 per cent of entities (2019-20: 64 per cent).
- Cyber security remains a strategic priority for the Australian Government. With respect to removal of user access:
  - ISM Security Control 0430 specifies that access is removed or suspended on the same day personnel no longer have a legitimate requirement for access.
  - Analysis was conducted of 18 entities, selected based on: their contribution to the income, expenses, assets and liabilities of the 2020–21 CFS; the requirement to annually report against the PSPF; and IT risk and complexity.
  - Eight of 18 entities did not adequately implement Security Control 0430.
  - The main contributing factor to failures in removal of access was the delay in notifications of the requirement to remove the access, such as when personnel change duties or leave the organisation, or when a contract is ceased.
- The ANAO identified some key lessons to note for financial audits, including: ensuring digital remote access has appropriate cyber security risk mitigation strategies and change management in place; implementing new approaches to reporting on cyber risks as well as cyber compliance across audit products; and providing appropriate training for staff in data extraction, transformation and loading to ensure the completeness and accuracy of data analysis.
Performance Statements Overview
- As of 1 July 2021, the ANAO created the Performance Statement Audit Services Group (PSASG), a new business group responsible for auditing the performance statements of government entities.
- This year PSASG will be commencing audits on six entities. These are:
  - Attorney-General’s Department
  - Department of Social Services
  - Department of Veterans’ Affairs
  - Department of Agriculture, Water and the Environment
  - Department of Education, Skills and Employment
  - The Treasury
- Draft engagement letters will be sent out to the audited entities next week for comment, prior to issuing final letters.
- All audits to be completed by the end of September 2022 in line with the Financial Statement audits.
- Although maturing, the success of the pilot program and the improvements made between year one and two are promising.
- Internal training has commenced for staff members to familiarise themselves with the Performance Statements audit methodology.
- From 2022, the plan is to issue an integrated audit strategy (performance and financial statements audits).
- An End of Year Report is currently in development which will provide a comprehensive overview of the two-year pilot program with the intention to table the report in Parliament early next year.
Performance Audit Update
- Some entities have been questioning ANAO access powers. This is an ongoing concern. Audit Committee Chairs are encouraged to help educate within entities.
- Performance audit is continuing to work on rapid implementation programs including COVID-19 topics.
- Audits have been conducted on implementation of ANAO and Parliamentary committee recommendations.
- The entities audited have systems in place to monitor internal audit and ANAO audit recommendations.
- Improvements could be made in systems to monitor implementation of parliamentary recommendations.
- Records management continues to be an issue. Transparency, accountability, and informed decision-making are supported by the making and keeping of records. This includes the creation of good quality information that contains sufficient detail to meet current business needs and that can be efficiently found and understood by others in the future.
- Articulating risk tolerance early in the implementation phase of new measures provides a sound basis on which to support effective risk management, including the best use of entity resources.
- Establishing probity measures in procurements, including when the Commonwealth Procurement Rules are not applied, provides assurance that procurements were conducted ethically. It is advisable to appoint a probity advisor early in high value, complex or unusual procurements.
- The ANAO performance audit on the Department of Defence’s Administration of Enabling Services – Enterprise Resource Planning Program contains lessons relating to the management of conflicts of interest and the appropriate onboarding and management of contractors. It highlights potential reputational risks for entities.
Cyber Threats and IT Controls Panel Discussion and Q&A
- The ANAO (Jane Meade GED PSRG) facilitated a panel discussion on cyber threats and information technology controls to highlight its importance to Audit Committee Chairs.
- Panellists included Lesa Craswell (SED ANAO), John Sheridan (CIO Department of Finance), Brad Medland (CFO, Department of Infrastructure) and Elizabeth Montano (former CEO AUSTRAC).
- Key messages from the panel discussion included:
  - Entities should be mindful of the relationship between business and IT. Issues arise when these areas are treated as separate functions within an entity rather than seeing IT as an enabling service.
  - Entities should consider conducting a root cause analysis to address the risk an issue poses to the entity and meet their risk and business needs, rather than implementing temporary solutions to close out issues.
  - For entities in shared services arrangements, there is a role for Audit Committees to ensure entities are across the controls that sit within shared services hubs and what assurances they are getting that feed into their risk management and internal controls.
  - Ensuring security around systems and veracity around controls remains an integral part of the CFO role. Identified weaknesses should be raised and proactively addressed as soon as possible.
  - Entities are encouraged to include CIOs in day-to-day work operations as they also play an important role in an organisation’s management of controls.
Performance Statement and Financial Statements Insights
- Two Audit Committee Chairs presented the results of a survey on performance statements of 11 Audit Committee Chairs and 9 Chief Financial Officers relating to financial statements.
- The results of a survey relating to financial statements were shared, including developments in better practices, success factors, dependencies, assurances, guidance, support, resourcing and the relationships between audit committees and sub-committees.
- The results of the survey relating to performance statements included a number of issues and varying levels of entity preparedness, entity resources, understanding of executive, readiness for audit and adequacy of guidance.