This report outlines the ANAO’s assessment of the internal controls of major agencies, including governance arrangements, information systems and control procedures. The findings summarised in this report are the results of the interim phase of the financial statement audits of 23 major General Government Sector agencies that represent some 95 per cent of total General Government Sector revenues and expenses.



1. The Auditor-General Act 1997 establishes the mandate for the Auditor‑General to undertake financial statement audits of all Australian Government entities including those of government agencies, statutory authorities and Government business enterprises.

2. The preparation of audited financial statements in compliance with the Finance Minister’s Orders1 is a key element of the financial management and accountability regime applicable to Australian Government entities. It is generally accepted in both the private and public sectors that a good indicator of the effectiveness of an entity’s financial management is the timely finalisation of its annual financial statements, accompanied by an unmodified audit opinion. Australian Government entities, in cooperation with the Australian National Audit Office (ANAO), devote considerable effort to achieving such an outcome.

3. Financial statement audits are an independent examination of entities’ financial statements and the results of the examination are presented in an auditor’s report. This report expresses the auditor’s opinion on whether the financial statements as a whole and the information contained therein fairly present each entity’s financial position and the results of its operations and cash flows. The accounting treatments and disclosures reflected in the financial statements by the entity are assessed against relevant accounting standards and legislative reporting requirements.

4. Under section 57 of the Financial Management and Accountability Act 1997 (FMA Act), the Auditor-General is required to report each year to the relevant Minister on whether the financial statements of agencies2 have been prepared in accordance with the Finance Minister’s Orders (FMOs) and whether they give a true and fair view of the matters required by those Orders.

5. To assist agencies to manage their responsibilities, the ANAO periodically publishes better practice guides on a range of aspects of public administration. To date, the ANAO has published two Better Practice Guides: Implementing Better Practice Grants Administration; and Administering Regulation: Achieving the right balance during 2013–14. A guide on Public Sector Governance: Strengthening performance through good governance is expected to be published in the near future. Better Practice Guides are well received by agencies and contribute to agencies maintaining the maturity of their internal control systems and enhancing their performance.

6. The interim phase of the audit of agencies, the focus of this report, encompasses a review of governance arrangements related to agencies’ financial reporting responsibilities, and an examination of relevant internal controls, including information technology system controls. The ANAO’s examination of these areas is designed to assess the reliance that can be placed on agencies’ internal controls to produce complete and accurate information for financial reporting purposes.

7. The audit findings in this report have been reported to the management of each agency and to the responsible Minister(s).

Developments in financial reporting and auditing frameworks

8. As a result of changes flowing from new accounting standards released by the Australian Accounting and Assurance Board (AASB) in 2013–14, most government agencies will be required, from 2014–15, to report their performance against budget, and explain any major variances from budget estimates. Agencies will also be required to explain, in more detail, how they calculated the reported fair values of their assets and liabilities.

9. In addition, the AASB’s has introduced an optional Reduced Disclosure Regime. This regime allows, with the approval of the relevant regulator, certain entities to reduce the length of their financial report by omitting specified note disclosures. The Finance Minister is the regulator for Australian Government entities and has not endorsed the adoption of the reduced disclosure regime at this time.

10. In terms of changes to the auditing standards, the Australian Auditing and Assurance Standards Board issued a substantially revised ASA 610 Using the Work of Internal Auditors in November 2013. The revised standard that applies to reporting periods commencing on or after 1 January 2014, includes an express prohibition on using internal audit to perform audit procedures under the direction, supervision and review by the external auditor.

Summary of audit results

Internal control in agencies3

11. A central element of the ANAO’s financial statement audit methodology, and the focus of the interim phase of ANAO audits, is a sound understanding of an agency’s responsibilities and internal controls. This understanding informs our audit approach, including the reliance we may place on agency systems to produce financial statements that are free from material misstatement. To do this, the ANAO uses the framework contained in the ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment. The key elements of internal control, as discussed in ASA 315, are the control environment; the risk assessment process; the information system, including the related business processes relevant to financial reporting and communication; control activities; and monitoring of controls.

Control environment

12. The ANAO assesses whether an agency’s control environment includes measures that contribute positively to sound corporate governance in the context of the preparation of an agency’s financial statements. These measures should be designed to mitigate identified risks of material misstatement in the financial statements, and reflect the specific governance requirements of each agency.

13. The ANAO observed that agencies have in place mature financial control environments designed to provide a sound basis for the effective preparation of the agency’s financial statements. Audit committees, in particular, continue to have a positive influence on the effectiveness of agencies’ control environments particularly in the areas of risk assessment, legislative compliance and financial system controls.

Risk assessment process

14. An understanding of an agency’s risk assessment processes is an essential element of the ANAO’s financial statement audits. Agencies are expected to manage the key risks specific to their environment and the interim audit phase includes a review of controls relating to risks that may have a material impact on agencies’ financial statements. Generally, the ANAO found that agencies have established formal risk assessment processes, reviewed by audit committees or a separate committee with specific responsibilities for risk.

15. An important element of the risk assessment process common to all agencies is fraud control management. All major agencies have fraud control plans prepared in accordance with the Commonwealth Fraud Control Guidelines and have formal processes for updating, reviewing and monitoring of fraud control strategies.

Information system

16. Information technology facilitates the way in which Australian Government agencies operate, and supports the business processes that deliver services to the Australian community.

17. Consistent with past practice, during the 2013–14 interim audits, the ANAO assessed the design and operation of key IT controls to determine the effectiveness of these controls and their impact on reducing risks affecting the integrity of financial information presented in agencies’ financial statements.

18. The majority of IT controls continued to be well maintained by the majority of agencies during 2013–14. This includes IT controls in relation to change management, IT security governance and monitoring and FMIS and HRMIS master file maintenance. There has, however, been an increase in in the number of agencies where improvements were warranted in the management of privileged and other user access to key financial business systems. Further, while business continuity and disaster recovery plans were generally well designed and testing of these arrangements had been undertaken, changes in organisational and system arrangements that are occurring in the Australian Public Sector will require agencies to be alert to the need to review, and as necessary revise, these plans.

Control activities

19. The results of the 2013–14 interim audit phase indicated that, overall, control activities relating to financial and accounting processes have continued to be maintained at an effective level, although there has been a small increase in the total number of audit findings compared with 2012–13. Control issues identified by the audits related to areas such as: IT general and application controls, particularly the management of privileged and other user access to key financial business systems, the timely capitalisation of assets to enable the accurate calculation of depreciation, the maintenance of complete and accurate asset registers and consistency of impairment assessments. A total of 135 category A, B, C and L1 findings4 were identified in the 2013–14 interim audit phase, with the majority of these findings posing a low business or financial management risk, a small increase compared with the 124 findings identified in 2012–13.

20. The ANAO continues to include an assessment of compliance in relation to annual appropriations, special appropriations, special accounts and the investment of public moneys in its financial statement audits, as a result of interest shown by the Joint Committee of Public Accounts and Audit in past years. The 2013–14 interim audits continued to identify a high level of compliance in these areas, although actual or potential breaches of section 83 of the Constitution5 continue to be identified by a number of agencies. At the time of the 2013–14 interim audits, risk assessments by a number of agencies in relation to potential section 83 breaches were in progress. This matter is discussed at paragraphs 3.30 to 3.43 of chapter 3 of this report.

Monitoring of controls

21. Entities’ arrangements for the monitoring of controls include quality assurance arrangements, internal and external reviews, control self-assessment processes, and internal audit. In particular, all agencies have in place arrangements to enable chief executives to provide an annual Certificate of Compliance6.

Agency audit findings

22. There was a small increase in the number of moderate (category B) findings in 2013–14 compared to 2012–13. Nevertheless, agency control regimes overall continue to be stable and well maintained and agencies have generally addressed prior year audit findings in a timely manner. The Machinery of Government changes that took place in September 2013 have required some agencies to review their governance and operating arrangements, resulting in some delays in the completion of planned audit coverage as part of the 2013–14 interim audit phase. A sustained effort will be required by the agencies concerned and the ANAO to ensure that the 2013–14 financial statements are prepared and audited in a timely manner.

23. However, as noted above, audits continue to identify control weaknesses in a number of areas such as: IT general and application controls, particularly the management of privileged and other user access to key financial business systems, the timely capitalisation of assets to enable the accurate calculation of depreciation, the maintenance of complete and accurate asset registers and consistency of impairment assessments.

24. Generally, agencies have been positive and timely in their response to ANAO audit findings.

25. The following summary outlines the trend in category A, B and L1 audit findings between 2012–13 and 2013–14 reported at the completion of the interim audit phase. There were:

  • no category A findings reported in 2013–14, the same position as 2012–13;
  • twenty-six category B audit findings across agencies in 2013–14. This is an increase from 23 findings reported in 2012–13;
  • increases in the number of category B audit findings in eight agencies; four showed a decrease; two remained constant; and nine agencies had no category B findings in either 2012–13 or 2013–14; and
  • fifteen category L1 findings reported in 2013–14 compared to 11 in 2012–13.

26. A summary of category A, B and L1 audit findings by agency is provided in Table 5.1 in chapter 5 of this report.

Future audit coverage

27. In completing the audits of agencies’ 2013–14 financial statements, the ANAO will complete its assessment of the effectiveness of internal controls and areas of audit focus in each agency. The summary results of this work will be reported by the ANAO in December 2014.


[1] The Finance Minister’s Orders (FMOs) made by the Minister for Finance set out the requirements for the preparation of financial statements of all reporting entities covered by the Financial Management and Accountability Act 1997 and the Commonwealth Authorities and Companies Act 1997. (Note: these Acts are to be replaced by the Public Governance, Performance and Accountability Act 2013 from 2014–15).

[2] The term ‘agencies’ refers to all organisations subject to the Financial Management and Accountability Act 1997 (FMA Act). As the organisations covered by this report are ‘agencies’, this term is used predominantly in the report.

[3] The observations, audit findings and conclusions outlined in this report relate to the audit coverage of the 23 major General Government Sector agencies covered by this report. These agencies are listed at Appendix 1.

[4] Category A findings are significant audit issues. Category B findings are moderate audit issues, Category C findings are minor audit issues and category L1 findings are instances of actual or potential breaches of the Constitution, and instances of non-compliance with other key legislative requirements. These categories are explained in paragraph 5.7 in chapter 5 of this report.

[5] Section 83 of the Constitution provides that no money shall be drawn from the Treasury of the Commonwealth except under an appropriation made by the law. The effect of section 83 is that all spending by the Executive Government from the Consolidated Revenue Fund must be in accordance with an authority given by the Parliament.

[6] Agency chief executives are required to certify on an annual basis their agency’s compliance with components of the Government’s financial management framework. Further details of this process are outlined at paragraphs 3.23 and 3.24 of chapter 3 of this report.