Interim Phase of the Audit of Financial Statements of General Government Sector Entities for the Year Ending 30 June 2006
The focus of this report is on the year end results of the financial statement audits of all general purpose reporting entities for the 2005–06 financial year. Financial management issues (where relevant) arising out of the audits and their relationship to internal control structures are also included in this report.
Financial statement audit coverage
An important part of the ANAO's audit methodology of an entity's financial statements, and the focus of the interim phase of the audit, is a sound understanding of an entity's internal controls. To do this, the ANAO uses the framework contained in the Australian Auditing Standard AUS 402 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The key elements, as detailed in AUS 402, are the control environment, risk management process, information systems controls, control activities and monitoring of controls.
The ANAO assesses whether an entity's control environment comprises measures that contribute positively to sound corporate governance. These measures should mitigate identified risks and reflect the specific governance requirements of each entity.
The ANAO has observed that the large majority of entities have established key elements of a control environment that is designed to provide a sound basis for effective financial management. In particular, there is an increasing awareness of audit committees in understanding entities' operations. However, the ANAO has noted there are issues with legacy systems and/or new systems implementation. There was also still some inconsistent application and execution of better practice approaches, especially in respect of compliance with the financial framework and with service entity arrangements between Australian Government entities.
Risk management process
An understanding of an entity's risk management process is essential to an effective and efficient audit. Important elements of the risk management process common to most entities are business continuity and fraud control management. The ANAO identified that there was still some inconsistent application and execution of sound practice approaches for business continuity and fraud control management. A significant number of entities should invest in more comprehensive and tested business continuity management plans.
Information system controls
Considerable ongoing investment in information technology (IT) by Australian Government entities is continuing to alter the nature of public administration and service delivery. In adopting and making use of emerging technologies, this investment is contributing to transformation of business processes and improved client service.
The financial statement reporting process within most entities is facilitated by IT. Together with the widespread and increasing use of technology, the need for entities to establish and maintain an effective IT control environment, as a part of their corporate governance arrangements, has never been greater.
During the interim phase of the 2005–06 financial statement audits, the ANAO assessed the effectiveness of controls that affect the availability, confidentiality and integrity of information and information systems supporting the financial statement reporting process. Particular areas of attention included: IT governance, IT security, and (where applicable to an entity) the SAP financial management information systems.
The ANAO found that IT governance is a well established discipline in the majority of entities assessed. Opportunities continue to exist for the improvement of overall governance arrangements, through the integration of IT risk management activities into corporate risk management practices.
The ANAO has observed a positive improvement in the implementation of IT security management arrangements within entities. However, entities will need to maintain focus on information security due to the continued move towards e–Government, the adoption of new technologies and the increasing reliance on technology.
Further, the ANAO found that many entities that use SAP were not taking full benefit of internal application controls or had not configured such controls effectively. These entities should strengthen user access and security administration functions.
Overall, the audits found that most entities need to strengthen their respective IT control environments in order to both mitigate the risks associated with the increasing use and dependence on technology, and provide ongoing assurance over the reliability of reported financial information. Specific areas identified for improvement include the need for more attention to security management arrangements and improved application management.
The results of the interim phase in relation to entities covered in this report indicate that the effectiveness of control activities over business and accounting processes has generally been maintained at a reasonable level in the majority of entities. The total number of significant audit findings increased in 2005–06 (the Department of Defence and the Defence Materiel Organisation audits have still not been finalised), and entities need to pay attention to the controls underpinning their financial management frameworks, particularly in the areas of information systems controls, reconciliations, revenue and debt management, employment and related entitlements processing, payment processing, asset processing, and management and documentation of policies and procedures.
The large number of control weaknesses relating to information systems controls, such as the management of user and systems access, IT security and change controls, indicates that increased management attention is required to provide assurance that entities have appropriate information systems controls in place.
Monitoring of controls
There are many activities undertaken by an entity that are a part of an entity's monitoring of controls process including information from communication with external parties, external reviews, control self assessment processes and an effective internal audit function. The ANAO noted that generally internal audit was providing an effective service to entities' executive management by assisting them in carrying out their governance activities.
A small number of entities have established a Control Self Assessment (CSA) process to validate their internal controls. The ANAO is supportive of wider adoption of this process.
Detailed audit results
The ANAO rates its findings according to a risk scale. Audit findings that pose a significant risk to the entity and that must be addressed as a matter of urgency are rated as ‘A’. Findings that pose a moderate risk are rated as ‘B’. These should be addressed by entities within the next 12 months. Findings that are procedural in nature, or reflect relatively minor administrative shortcomings, are rated as ‘C’. The timing of action on these findings is at the discretion of the entity.
Most of the entities had areas that require attention, particularly in relation to financial management framework and IT controls, where performance has been variable. This is demonstrated by the following analysis:
- The number of entities with ‘A’ category audit issues is three in both 2005–06 and 2004–05.
- The total number of ‘A’ category audit issues is nine in both 2005–06 and 2004–05.
- The number of entities with no category ‘A’ or ‘B’ audit issues was seven in 2005–06, up from six in 2004–05.
- The total number of ‘B’ category audit issues across all entities increased from 59 in 2004–05 to 67 in 2005–06, due largely to a small deterioration in performance by a number of entities and the fact that no findings were reported last year for the Department of Human Services as the interim audit was not completed when the report was being prepared.
- Five entities reported an improvement in the number of ‘B’ category audit issues, seven entities showed a deterioration in their position, and eight entities remained in the same position.
A summary of ‘A’ and ‘B’ category audit findings by entity is outlined in Chapter 4.
This analysis does not include the results of the interim phase of the audits of the Department of Defence and the Defence Materiel Organisation, as the interim audit of these entities was still in progress at the time of preparation of this report. Commentary on these audits is included in Chapter 4.
Under section 57 of the Financial Management and Accountability Act 1997 (FMA Act) and under clause 3, part 2 of Schedule 1 of the Commonwealth Authorities and Companies Act 1997 (CAC Act), the Auditor–General is required to report each year to the relevant Minister, on whether the financial statements of public sector entities have been prepared in accordance with the Finance Minister's Orders (FMOs) and whether they give a true and fair view of the matters required by those Orders.
This report presents the results of the interim phase of the 2005–06 financial statement audits. The audits have encompassed a review of governance arrangements related to entities' financial management responsibilities, and an examination of internal control, including information technology system controls for all portfolio departments and other major General Government Sector (GGS) entities that represent 95 per cent of total GGS revenues and expenses. An examination of such issues is designed to assess the reliance that can be placed on internal controls to produce complete and accurate information for financial reporting purposes. All ANAO findings have been reported to entities and summary reports provided to the relevant Minister(s). In addition, each audit issue identified in this report has been formally reported to the Chief Executives (CE) and their respective audit committees.
The final phase of most audits will be completed in the April to August 2006 period. Consistent with past ANAO practice, a second report will be tabled in Parliament in December 2006 following completion of the financial statement audits of entities for 2005–06. The ANAO will also report, at that time, on any additional operational and financial management issues arising from the final audits.
This year's report also considers a number of strategic issues that are designed to improve the quality and comparability of entity financial reports for 2005–06 and subsequent years (Chapter 1).
The results of the interim phase of the 2005–06 financial statement audits reflect two broad categories of audit findings:
- observations relating to various components of entities' internal control (including the control environment, risk management processes, control activities and monitoring of controls), and accounting issues arising from the interim phase of the audit of control activities over significant business and accounting processes (provided in summary form in Chapter 2 and by Portfolio in Chapter 4); and
- audit findings relating to the audit of information technology systems focusing on information security and SAP[1] financial management information application controls (provided in summary form in Chapter 3 and by Portfolio in Chapter 4).
[1] SAP is an integrated software solution that provides support for a wide range of business functions, including financial and human resource management.