Control Structures as part of the Audit of Financial Statements of Major Australian Government Entities for the Year Ending 30 June 2004
This report updates the ANAO's assessment of audit findings relating to major entity internal control structures, including governance arrangements, information systems and control procedures through to March 2004. The findings summarised in this report arise from the interim phase of the financial statement audits of major Australian Government entities for 2003/2004. Examinations of such findings are designed to assess the reliance that can be placed on control structures to produce complete, accurate and valid information for financial reporting purposes.
This year's report also considers a number of strategic reforms which will potentially have a significant influence over the continuing evolution of better practice in public sector financial management (Chapter 1). Issues affecting the Australian Government Public Sector (AGPS) include:
- robust corporate governance;
- joined-up Government arrangements;
- asset and liability management issues;
- departmental and administered transactions;
- adoption of Australian equivalents to International Financial Reporting Standards and harmonisation with International Auditing Standards;
- convergence of Australian Generally Accepted Accounting Principles and Government Finance Statistics; and
- increasingly compressed reporting timetables for Australian Government entities as a result of the Department of Finance and Administration's Budget Estimates Framework Review.
A second report will be issued in December 2004 following completion of the financial statement audits of entities. The ANAO will also report, at that time, on any additional operational and financial management issues arising out of the final audits and their relationship to internal control structures, including risk management and fraud control.
This report also provides a summary of the financial, accounting and Information Technology (IT) control processes adopted by entities. It includes an update on the broader corporate governance issues that impact on financial management and reporting.
Audit findings have been classified into three groups:
- those concerned with entities' internal control environment;
- their information technology systems; and
- their specific control procedures over significant business and accounting processes.
These are summarised below.
Internal control environment
As part of the financial statement audit process, the ANAO assesses whether an entity's internal control environment comprises measures that contribute positively to sound corporate governance. The measures should mitigate identified risks and reflect the specific governance requirements of each entity. For financial reporting purposes, the latter will normally include:
- a senior executive group which meets regularly;
- an audit committee which comprises appropriately skilled external members and meets on a regular basis;
- an effective internal audit function;
- a current corporate plan, business risk assessment and management plan, and fraud control plan;
- clearly specified systems of authorisation, recording and procedures;
- sound organisational business practices;
- financial and accounting skills commensurate with responsibilities; and
- a timely financial reporting regime.
This year's report indicates that the AGPS is still in a ‘consolidation phase’ in these respects, which is required to enhance entity stewardship.
Progress against key financial performance elements indicates that entities need to improve their understanding of performance, not only from a financial perspective but also from a whole of organisation standpoint. Integral to this understanding are the revenue allocation and cost attribution models that need to be considered, together with the impact of expenditure decisions and their relationship to key organisational operations. Given the quantums of expenditure incurred with programs and liability management issues, critical financial data analysis and familiarisation will be an essential success factor for AGPS senior management, in the discharge of its stewardship role.
Information technology systems
The Australian Government has a significant and growing investment in information and communication technology (ICT). The continued focus on ICT as a key enabler has contributed to information technology (IT) and supporting systems becoming critical components of important business processes within government entities. In addition, new technologies have also introduced increased complexity, speed, interconnectivity and dependence on information systems within the IT environment, which can involve substantial costs and risks, but also improved productivity.
In general, improvements have been made over the year for both the information security and business continuity management practices. Most entities attained a Defined Process rating for their information security management practices. Although there were some entities below the baseline, there were also a number of entities above the baseline. Going forward, most entities should investigate improving their practices with a view to obtaining a Managed and Measurable rating for information security management, where this is justified. The extent to which entities move towards this rating will depend on the nature of the entities' operations and the importance of information security management in service delivery. While mindful of Government requirements for security, a risk versus cost of control approach should be adopted as part of this process.
A significant number of entities still have business continuity management practices below the Defined Process rating, the minimum baseline. These entities will need to improve the maturity of their practices in order to ensure the continued availability of service delivery and business information.
The overall maturity of practices did vary between the selected larger, and all other, entities for information security and business continuity management. The achievement of specific information security and business continuity management maturity indicators also varied between these groups.
In relation to SAP, the most used financial management information system, satisfactory results were obtained in the area of SAP configuration. However, for half the entities reviewed, a lack of documentation of SAP security policies and procedures was identified. Most entities also had weaknesses in relation to security administration and table logging. In relation to the accounts payable function, further improvement is required over payment processing, particularly in the area of vendor creation and segregation of functions. For some entities, these weaknesses have necessitated the implementation of compensating manual controls to mitigate any risks.
Over the next couple of years, there will be a number of emerging issues and challenges facing the ICT environment that will have an impact on IT governance and the maturity of an entity's IT processes. Of particular note is the increasing demand to provide more integrated and interactive information and services in order to improve the performance and management of government services. This has necessitated a move towards e-Government to provide more responsive, comprehensive and integrated government operations and service delivery.
Recently, an inquiry by the JCPAA [1] identified weaknesses in the areas of physical security over IT equipment, and highlighted the need to develop and implement practicable standards for the protection of information against access by unauthorised persons, or for unauthorised purposes. Of particular concern to the JCPAA was the security of information held by providers of tendered services. The Committee recommended the development and implementation of standards to address this issue.
The ANAO will continue to focus on information security and business continuity management. While entities have generally improved the maturity of their practices, further progress needs to be made for most entities to reach a maturity level that is considered appropriate. The security and contract management issues, recently identified by the JCPAA, highlight the need for entities to further improve their information security arrangements. This is even more critical with the move towards e-Government.
Over the next year, the ANAO will be undertaking further data analysis of entities' FMIS systems covering general ledger, purchase to pay cycle, asset accounting, as well as reviewing system configuration. A suite of data analysis tools is being developed to focus on SAP. This could eventually be expanded to include other FMIS and HR systems, depending on audit procedures and resource availability.
An entity's system of internal control includes the procedures established to provide reasonable assurance that operational and administrative objectives and goals are achieved. Internal control procedures, within significant operational and accounting processes and financial systems, are examined as part of the audit of an entity's financial statements. In most entities, key areas covered in the interim phase of the audit will include:
- appropriations and other revenues;
- payment of expenses;
- employment and related costs;
- cash management; and
- asset management.
We have also included discussion on management's control framework over accounting estimates and service entity arrangements in Chapter 4.
The ANAO has observed a similar position to that of last year with the control frameworks covering the routine accounting processes. Notwithstanding this finding, issues of significance have been identified for a number of entities.
Control frameworks over service entity arrangements are still developing in a small number of entities.
Entity focus on reviewing significant accounting estimates could be improved with greater assurance to all stakeholders.
Many Australian Government entities have significant in-house software developments capitalised in their balance sheets. In previous reports, the ANAO has commented on the issues surrounding the appropriate distinction between capitalised and operating expenditures in relation to internally developed software. This will be an ongoing area of ANAO focus, as the distinction forms a key principle in the pending Standard AASB 138 Intangible Assets. The criteria for the capitalisation of internally developed software are outlined in this pending Standard and Finance Brief 17 Adoption of International Accounting Standards.
The ANAO will continue to review the above issues in order to assess improvements over the coming year.
The ANAO rates its findings according to a risk scale. Audit findings that pose a significant business or financial risk to the entity, and which must be addressed as a matter of urgency, are rated as ‘A’. Findings that pose a moderate business or financial risk are rated as ‘B’. These should be addressed within the next 12 months. Findings that are procedural in nature, or reflect relatively minor administrative shortcomings, are rated as ‘C’. Action on these findings is at the discretion of the entity.
Overall, the results of the interim audits of entities reviewed in this report indicate that the effectiveness of control procedures over business and accounting processes has generally been maintained at a reasonable level with only moderate variation. This is demonstrated by:
- the number of entities with ‘A’ category audit issues remained at just one in 2003–2004 and 2002–2003;
- the total number of ‘B’ category audit issues across all entities increased from 68 in 2002–2003 to 98 in 2003–2004;
- seven entities reported an improvement in the number of ‘B’ category audit issues; 10 entities showed a deterioration in their position, with five entities remaining in the same position; and
- the number of entities with no category ‘A’ or ‘B’ audit issues remained at three in 2002–2003 and 2003–2004.
The Department of Defence has been excluded from the overall analysis of audit activity. At the time of publication, the resolution of issues in Defence remains uncertain.
A summary of ‘A’ and ‘B’ category audit findings by entity is outlined in Table 2 of Appendix 1.
Prospective issues to be addressed
The results of interim audits to date indicate that most entities have achieved a position where the fundamental processes relating to financial statement reporting are substantially in place. However, it is again clear this year that a small number of entities are yet to implement key elements of ‘better practice’ and still face considerable challenges in this regard, particularly the Department of Defence and the Australian Taxation Office.
The purpose and timing of this report specifically recognises the increased responsibility being placed on entities to maintain an effective control structure as part of good corporate governance. The ANAO continues to be committed to the timely reporting of significant matters to assist the Parliament in its oversight of the financial aspects of public administration. The ANAO expects to report the results of the final audits to the Parliament in December 2004, as noted earlier.
Structure of the report
Chapter 1 presents an overview of important issues facing entities and the Australian Government in relation to financial management policies, procedures, and reporting. These issues are likely to have an important impact in the future on the control structures and financial management practices of the AGPS.
Chapter 2 provides a summary of major issues relating to the internal control environments of Australian Government entities examined.
Chapter 3 provides a summary of the major issues relating to the audit of information systems focussing on the control issues associated with the planning, management and operation of the IT environment, with particular focus on information security and business continuity management practices.
Chapter 4 provides a summary of the controls over financial systems and processes from a financial statement audit perspective, for each of the Australian Government entities examined.
Chapter 5 outlines the results of internal control structure, business and accounting processes and systems examinations, for each of the Australian Government entities covered, as part of the audits of their financial statements.
[1] JCPAA, Report 399, 2004 Inquiry into the Management and Integrity of Electronic Information in the Commonwealth, Canberra, March.