This report presents the results of the interim phase of the 2004-2005 financial statement audits. The audits have encompassed a review of governance arrangements related to entities' financial management responsibilities, and an examination of internal control, including information technology system controls for all portfolio departments and other major General Government Sector entities as at 31 March 2005. An examination of such issues is designed to assess the reliance that can be placed on internal controls to produce complete and accurate information for financial reporting purposes. All ANAO findings have been reported to entities and summary reports provided to the relevant Minister(s).

Summary

Introduction

Under section 57 of the Financial Management and Accountability Act 1997 (FMA Act) and under clause 3, part 2 of Schedule 1 of the Commonwealth Authorities and Companies Act 1997 (CAC Act), the Auditor-General is required to report each year to the relevant Minister, on whether the financial statements of public sector entities have been prepared in accordance with the Finance Minister's Orders (FMOs) and whether they give a true and fair view of the matters required by those Orders.

This report presents the results of the interim phase of the 2004–2005 financial statement audits. The audits have encompassed a review of governance arrangements related to entities' financial management responsibilities, and an examination of internal control, including information technology system controls for all portfolio departments and other major General Government Sector (GGS) entities as at 31 March 2005. An examination of such issues is designed to assess the reliance that can be placed on internal controls to produce complete and accurate information for financial reporting purposes. All ANAO findings have been reported to entities and summary reports provided to the relevant Minister(s).

The final phase of most audits will be completed in the April to August 2005 period. Consistent with past ANAO practice, a second report will be tabled in Parliament in December 2005 following completion of the financial statement audits of entities for 2004–2005. The ANAO will also report, at that time, on any additional operational and financial management issues arising out of the final audits and their relationship to internal controls.

This year's report also considers a number of strategic issues which are important in the continuing evolution of better practice financial management practices in the GGS (Chapter 1).

The results of the audit have been arranged into three groups:

  • observations relating to the entities' control environment (Chapter 2); 
  • audit findings relating to the audit of information technology systems focussing on information security, business continuity management and SAP financial management information application controls (Chapter 3); and 
  • issues arising from the audit of control activities over significant business and accounting processes. (Provided in summary form in Chapter 4 and by Portfolio in Chapter 5).

Control environment

As part of the financial statement audit, the ANAO assesses whether an entity's control environment comprises measures that contribute positively to sound corporate governance. These measures should mitigate identified risks and reflect the specific governance requirements of each entity.

The ANAO has observed that the large majority of entities have established key elements of a control environment that is designed to provide a sound basis for effective financial management. However, the ANAO has noted that there is still some inconsistent application and execution of better practice approaches, especially in respect of fraud and legal compliance.

Information technology systems controls

The Australian Government has a significant and growing investment in information technology to enhance public administration and programme delivery. The Government in 2002–2003 spent an estimated $4.21 billion on operating and capital expenditure in this area.

New technologies have introduced increased complexity, greater speed, interconnectivity and dependence on information systems within the IT environment. Implementation of technology provides the scope for improved productivity and better service delivery, but it also can involve substantial costs and increased risks.

During the course of the interim phase of the 2004–2005 financial statement audits, the ANAO focused on the way entities managed information security and business continuity management. In general, most entities have implemented sound governance in relation to information security management. However, a significant number of entities have yet to adopt comprehensive and tested business continuity management practices. Going forward, entities will need to maintain focus on information security and business continuity due to the continued move towards e Government and the adoption of new technologies.

In addition, the interim phase of the audit has identified that many entities that use the SAP financial management information system are not taking maximum benefit of internal application controls and are placing heavy reliance on weak external controls. These entities need to strengthen user access and security administration functions.

Control activities

The results of the interim phase in relation to entities covered in this report indicate that the effectiveness of control activities over business and accounting processes have generally been maintained at a reasonable level. Although the total numbers of significant audit findings, excluding the Department of Defence, decreased in 2004–2005, the audit findings suggest that entities need to pay attention to the controls underpinning their financial management frameworks, particularly in the areas of IT, FMIS, purchasing and payment of accounts, and policies and procedures. On the other hand, the audit noted fewer control weaknesses in relation to accounting and reporting processes at the operational level.

The large number of control weaknesses relating to IT systems controls, such as the management of user and systems access, IT security and change controls, indicates that increased management attention is needed to provide assurance that entities have appropriate IT systems controls in place.

The audit findings in relation to such areas as the financial statement preparation process, purchasing, payment of accounts and financial policies and procedures, further emphasises that entities must continue to give attention to fundamental elements of their internal control.

Detailed audit findings

The ANAO rates its findings according to a risk scale. Audit findings which pose a significant business or financial risk to the entity and which must be addressed as a matter of urgency, are rated as ‘A'. Findings that pose a moderate business or financial risk are rated as ‘B'. These should be addressed within the next 12 months. Findings that are procedural in nature, or reflect relatively minor administrative shortcomings, are rated as ‘C'. The timing of action on these findings is at the discretion of the entity.

Most of the entities had areas that require attention, particularly in relation to financial management framework and IT controls, where performance has been variable. This is demonstrated by the following analysis.

  • The number of entities with ‘A' category audit issues increased to three in 2004–2005, up from one in 2003–2004. 
  • The total number of ‘A' category audit issues increased to nine in 2004–2005 from one in 2003–2004. 
  • The number of entities with no category ‘A' or ‘B' audit issues was six in 2004–2005, up from three in 2003–2004. 
  • The total number of ‘B' category audit issues across all entities, decreased from 87 in
    2003–2004 to 64 in 2004–2005, due largely to improved performance by the Health Insurance Commission (HIC).
  • Twelve entities reported an improvement in the number of ‘B' category audit issues; eight entities showed a deterioration in their position, with two entities remaining in the same position.

A summary of ‘A' and ‘B' category audit findings by entity is outlined in Appendix 7.

This analysis does not include the results of the interim phase of the audits of the Department of Defence or the Department of Human Services (DHS), as these audits were still in progress at the time of preparation of this report. Commentaries on the Defence and DHS audits are included in Chapter 5.

Report timing

The purpose and timing of this report specifically recognises the increased responsibility being placed on entities to maintain effective controls as part of good corporate governance. The ANAO continues to be committed to the timely reporting of significant matters to assist the Parliament in its oversight of the financial aspects of public administration.

Related documents: