Interim Phase of the Audit of Financial Statements of General Government Sector Agencies for the Year ending 30 June 2008
This report presents the results of the interim phase of the 2007-08 financial statement audits of all portfolio departments and other major General Government Sector (GGS) agencies that collectively represent some 95 per cent of total GGS revenues and expenses. The results of the final audits of these departments and agencies will be included in a second report to be tabled in the Parliament in December 2008 following completion of the financial statement audits of all entities for 2007-08.
Under section 57 of the Financial Management and Accountability Act 1997 (FMA Act) and under clause 3, part 2 of Schedule 1 of the Commonwealth Authorities and Companies Act 1997 (CAC Act), the Auditor-General is required to report each year to the relevant Minister, on whether the financial statements of public sector entities have been prepared in accordance with the Finance Minister's Orders (FMOs) and whether they give a true and fair view of the matters required by those Orders.
Our interim audits of agencies encompass a review of governance arrangements related to agencies' financial reporting responsibilities, and an examination of relevant internal controls, including information technology system controls. An examination of such issues is designed to assess the reliance that can be placed on internal controls to produce complete and accurate information for financial reporting purposes.
This report presents the results of the interim phase of the 2007–08 financial statement audits of all portfolio departments and other major General Government Sector (GGS) agencies that collectively represent some 95 per cent of total GGS revenues and expenses. The agencies covered by this report are listed at Appendix 1.
All ANAO findings have been reported to agency management and summary reports provided to the relevant Minister(s). In addition, our audit processes provide for audit issues identified to be formally reported to agency Chief Executives and their respective Audit Committees.
Chapter 1 of this report discusses a number of recent developments in the accounting and auditing frameworks designed to improve the overall quality and comparability of entity financial reports for 2007–08 and subsequent years.
Observations relating to various elements of agencies' internal controls (including the control environment, the risk assessment process, control activities and monitoring of controls) are discussed in summary form in Chapter 2.
Chapter 3 discusses the Machinery of Government (MOG) changes resulting from the Administrative Arrangements Orders (AAOs) of 3 December 2007 and 25 January 2008 that have had a significant effect on a number of agencies during 2007–08.
Findings relating to the audit of Information Technology (IT) systems focusing on the IT control environment, IT security, systems delivery and application controls in financial management information systems and human resource management information systems are discussed in summary form in Chapter 4.
Chapter 5 outlines, for each agency, details of business operations; governance arrangements relevant to an agency's financial statements; factors impacting on an agency's financial reporting risks; estimated key financial figures and average staffing levels for 2007–08, and significant and moderate risk issues identified from our audit coverage.
Financial statement audit coverage
A central element of the ANAO's financial statement audit methodology, and the focus of the interim phase of our audits, is a sound understanding of an agency's internal controls. To do this, the ANAO uses the framework contained in the Australian Auditing Standards ASA 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The key elements of internal control, as discussed in ASA 315, are the control environment; the risk assessment process; information systems, including the related business processes, relevant to financial reporting, and communication; control activities and monitoring of controls.
The final phase of most audits will be completed in the period July to September 2008. Consistent with past practice, a second report will be tabled in the Parliament in December 2008 following completion of the financial statement audits of all entities for 2007–08. The ANAO will also report, at that time, on any additional control issues arising from the final audits.
The ANAO assesses whether an agency's control environment comprises measures that contribute positively to sound corporate governance in the context of the preparation of an agency's financial statements. These measures should be designed to mitigate identified risks of material misstatement in the financial statements, and reflect the specific governance requirements of each agency.
Consistent with past findings, the ANAO observed that agencies have established key elements of a financial control environment designed to provide a sound basis for the effective preparation of the agency's financial statements. Audit Committees, in particular, continue to have a positive influence on the effectiveness of agencies' control environment particularly in the areas of risk assessment, legislative compliance and financial system controls. Consistent with the results of our 2006–07 audits, no instances of non-compliance with key elements of the financial framework have been identified in our interim audits. The Certificate of Compliance process, introduced in 2006–07, has resulted in an ongoing focus on wider compliance issues.
A review of accounting for appropriations in the periods following the AAOs of 3 December 2007 and 25 January 2008 will be finalised during the 2007–08 final audits of affected agencies.
Risk assessment process
An understanding of an agency's risk assessment framework is an essential element of the ANAO's financial statement audits. Agencies are expected to manage the key risks specific to their environment and our interim audits include a review of controls relating to risks that may have a material impact on agencies' financial statements. The ANAO found that the majority of agencies have a risk assessment process and the results are generally reviewed by audit committees.
Important elements of the risk assessment process common to all agencies are business continuity and fraud control management. Our audits noted that most agencies now have Business Continuity and Disaster Recovery Plans in place. However, a number of agencies needed to give further attention to periodically testing these plans, and updating them as necessary. All agencies have in place fraud control plans prepared in accordance with the Commonwealth Fraud Control Guidelines, or were in the process of developing them as part of implementing the MOG changes. A small number of agencies needed to improve aspects of their fraud control arrangements.
The very substantial ongoing investment in information technology (IT) by Australian Government agencies continues to impact on the nature of public sector administration and service delivery. By continuing to adopt and make use of emerging technologies, this investment is contributing to the ongoing transformation of business processes, wider access to government services and improved client service. The financial statement reporting process within agencies is also facilitated by IT. While technology and related improvements continue to represent agencies with major business opportunities, they also involve new or enhanced risks that need to be effectively managed.
During the interim phase of the 2007–08 financial statement audits, the ANAO again assessed the effectiveness of controls that affect the availability and integrity of information and information systems supporting the financial statement reporting process.
The ANAO found that all agencies had governance arrangements in place that encompassed the oversight and management of their information systems and IT change processes. However, our audits continue to identify a range of IT control weaknesses in some agencies relating to security and management controls in both FMIS and HRMIS systems, the management of release management processes, and the updating and testing of Business Continuity and Disaster Recovery Plans.
The results of the 2007–08 interim audit phase indicated that, overall, control activities relating to financial and accounting processes have been maintained at an effective level. The total number of significant audit findings has decreased, continuing the trend over recent years. However, our interim audits identified control issues relating to areas such as the conduct of key reconciliations and the timely follow up of any discrepancies, controls over the processing of transactions in agencies' FMIS and HMRIS, and the management and exercise of delegations in a number of agencies.
Monitoring of controls
Many activities undertaken by an agency contribute to their regime of monitoring controls. These include quality assurance arrangements, internal and external reviews, control self-assessment processes, and internal audit. The ANAO noted that control self-assessment arrangements, first introduced to assist agencies meet their responsibilities to provide a Certificate of Compliance in respect of 2006–07, has become an integral part of agencies' control regimes. Internal audit was also continuing to have a key role in some agencies in assisting in the Certificate of Compliance process.
Summary of audit reports
The ANAO rates its findings according to a risk scale. Audit findings that pose a significant risk to the entity and that should be addressed as a matter of urgency, are rated as ‘A'. Findings that pose a moderate risk are rated as ‘B'; these should be addressed by entities within the next 12 months. Findings that are procedural in nature, or reflect relatively minor administrative shortcomings, are rated as ‘C'.
Most agencies had areas of their financial control environment that required attention although our interim audits found there had been an overall improvement in agencies' financial and related controls. This is reflected in a reduction in the number of significant (Category A) and moderate risk (Category B) findings.
A summary of the trend in Category A and B audit findings between 2006–07 and 2007–08 is outlined below:
- there was four agencies with Category A audit findings in 2007–08 and three agencies in 2006–07;
- the total number of Category A audit findings in 2007–08 is ten compared with 24 in 2006–07;
- the total number of Category B audit findings across all agencies decreased from 97 in 2006–07 to 84 in 2007–08; and
- there was a decrease in the number of Category B audit findings in eight agencies; five showed an increase and the number of Category B audit findings in three agencies remained the same as in 2006–07.
A summary of Category A and B audit findings by agency is provided in Chapter 5.