This report is the first of the two reports and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2021–22 financial statements audits. This report examines 25 entities, including all departments of state and a number of major Australian government entities. The majority of entities included in the report are selected on the basis of their contribution to the income, expenses, assets and liabilities of the 2020–21 Consolidated Financial Statements.

Executive summary

1. The ANAO prepares two reports annually that provide insights at a point in time to the financial statements risks, governance arrangements and internal control frameworks of Commonwealth entities, drawing on information collected during our audits. These reports explain how entities’ internal control frameworks are critical to executing an efficient and effective audit and underpin an entity’s capacity to transparently discharge its duties and obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Deficiencies identified during ANAO audits, posing a significant or moderate risk to entities’ ability to prepare financial statements free from material misstatements, are reported.

2. This report is the first of the two reports and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2021–22 financial statements audits. This report examines 25 entities, including all departments of state and a number of major Australian government entities. The majority of entities included in the report are selected on the basis of their contribution to the income, expenses, assets and liabilities of the 2020–21 Consolidated Financial Statements (CFS).

Understanding the entity

3. The interim audit phase includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. At the completion of interim audits for the 25 entities included in this report, the key elements of internal control were assessed as operating effectively for 18 entities. For five entities, except for particular finding/s outlined in chapter 3, the key elements of internal control are operating effectively to support the preparation of financial statements that are free from material misstatement. For the remaining two entities, the findings reported reduced the level of confidence that can be placed on the key elements of internal control supporting the preparation of the financial statements free from material misstatement.

Audit committees

4. The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) sets out reporting requirements for entities in relation to their audit committees. In February 2020, changes were made to the PGPA Rule that introduced requirements for specific audit committee information to be included in entity annual reports for reporting periods beginning 1 July 2019. Analysis of 2020–21 entity annual reports identified improved compliance with the mandatory reporting requirements of the PGPA Rule relating to the disclosure of audit committee members’ names; member qualifications, skills and experience; member attendance at meetings; and member remuneration. There has been a decrease in compliance relating to the disclosure of a direct address to the audit committee charter.

5. The PGPA Rule was further amended with regard to the composition of audit committee membership from 1 July 2021. This included requirements where an entity could not have an official of the entity as a member and for non-corporate Commonwealth entities, the majority of members must be persons who are not officials of any Commonwealth entity. Analysis of these new audit committee membership requirements noted one non-corporate Commonwealth entity and one corporate Commonwealth entity that had officials of the entity as audit committee members after 1 July 2021. There was one non-corporate Commonwealth entity where the majority of members were officials of Commonwealth entities.

6. As part of the analysis, the ANAO noted seven non-corporate Commonwealth entities where audit committees did not have the minimum required number of members for a period of time between 1 July 2021 and 25 March 2022.

Safeguarding financial information from cyber threats

7. The Protective Security Policy Framework (PSPF) contains the Essential Eight mitigation strategies and recommends controls intended to strengthen cyber resilience and the capacity of Government to mitigate cyber threats. Review of entities’ current implementation and compliance with these strategies found that there have been noted improvements in reported maturity levels since the 2020–21 assessment.

Summary of audit findings

8. A total of 62 findings were reported to the entities included in this report at the end of the interim audits, comprising one significant, 14 moderate, 45 minor and two legislative findings. This is a small overall increase in the number of findings reported with an increase in significant, moderate and legislative findings from the prior year interim phase. There has been a decrease in the total number of minor findings compared to the 2020–21 interim audit results.

9. Fifty-eight per cent of all findings relate to the management of IT controls, particularly the management of user terminations, logging and monitoring of privileged users, and password management.

Reporting and auditing frameworks

Summary of developments

10. From 1 July 2021, a new standard AASB 1060 General Purpose Financial Statements – Simplified Disclosures for For-Profit and Not-for-Profit Tier 2 entities applied. The changes to disclosures for Tier 2 Commonwealth entities was minimal, with the recognition and measurement requirements in other Australia Accounting Standards (AAS) retained.

11. In continued support of a more flexible and agile audit approach, the ANAO continues to employ remote access where the entities consent to this arrangement, or where it is more efficient to do so.

Department of Social Services operations of Community Grants Hub

12. ANAO completed an analysis of the Department of Social Services’ (DSS) Community Grants Hub (CGH) data, to assess the grants administration compliance with the selected legislative requirements and consistency with selected business processes for grant activities administered between 1 July 2016 and 31 December 2021.

13. Where data was available, the ANAO analysis concluded there was a high level of compliance with the selected legislative requirements and a high level of consistency with the selected standard business processes of the CGH.

Cost of this report

14. The cost to the ANAO of producing this report is approximately $320,000.

1. Interim audit results and other matters

Chapter coverage

This chapter provides:

  • an overview of the ANAO’s audit approach to financial statements audits;
  • a summary of observations regarding the internal control environments of the 25 entities included in this report;
  • observations relating to audit committee reporting and membership against the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) requirements; and the safeguarding of financial information from cyber threats; and
  • a summary of audit findings identified at the conclusion of the interim audit.
Conclusion

Key to the ANAO’s audit process is an assessment of entities’ internal control frameworks as they apply to financial reporting. An effective internal control framework provides the ANAO with a level of assurance that entities are able to prepare financial statements that are free from material misstatement. At the completion of our interim audits, for the 25 entities included in this report, we noted that key elements of internal control are operating effectively for 18 entities. For five entities, except for particular finding/s outlined in chapter 3, the key elements of internal control are operating effectively to support the preparation of financial statements that are free from material misstatement. For the remaining two entities, the findings reported reduced the level of confidence that can be placed on the key elements of internal control supporting the preparation of the financial statements free from material misstatement. The ANAO reported that there were a number of areas where improvements are required for these entities.

Analysis of 2020–21 annual reports identified improved compliance with the mandatory reporting requirements of the PGPA Rule relating to the disclosure of audit committee members’ names; member qualifications, skills and experience; member attendance at meetings; and member remuneration. There has been a decrease in compliance relating to the disclosure of a direct address to the audit committee charter.

Analysis of new audit committee membership requirements effective 1 July 2021 noted one non-corporate Commonwealth entity and one corporate Commonwealth entity that had officials of the entity as audit committee members after 1 July 2021. There was one non-corporate Commonwealth entity where the majority of members were officials of Commonwealth entities.

As part of the analysis, the ANAO noted seven non-corporate Commonwealth entities where audit committees did not have the minimum required number of members for a period of time between 1 July 2021 and 25 March 2022.

The Protective Security Policy Framework (PSPF) contains the Essential Eight mitigation strategies and recommends controls intended to strengthen cyber resilience and the capacity of Government to mitigate cyber threats. Review of entities’ current implementation and compliance with these strategies found that there have been noted improvements in reported maturity levels since the 2020–21 assessment.

A total of 62 findings were reported to the entities included in this report as a result of interim audits, comprising of one significant, 14 moderate, 45 minor findings and two legislative breaches. This is a small overall increase in the number of findings reported and an increase in significant, moderate and legislative findings from the prior year interim phase. There has been a decrease in the total number of minor findings compared to the 2020–21 interim audit results which reported nil significant, 9 moderate, 51 minor findings and nil legislative breaches.

Fifty-eight per cent of total findings are in the IT control environment category, particularly the management of user terminations, logging and monitoring of privileged users, and password management. These areas continue to warrant further attention by entity management.

Introduction

1.1 The ANAO publishes an Annual Audit Work Program (AAWP) which reflects the ANAO’s strategy and deliverables for the forward year. The purpose of the AAWP is to inform the Parliament, the public and government sector entities of the ANAO’s planned audit coverage for Australian Government entities by way of financial statements audits, performance audits, performance statements audits and other assurance activities.

1.2 The financial statements audit coverage, as outlined in the AAWP, includes presenting two reports to the Parliament addressing the outcomes of the financial statements audits of Australian Government entities and the Consolidated Financial Statements of the Australian Government (CFS). These reports provide Parliament with an independent examination of the financial accounting and reporting of Commonwealth public sector entities.

1.3 This report focuses on the results of the interim audits of 25 entities including an assessment of key internal controls supporting the 2021–22 financial statements. The assessment includes a review of the governance arrangements related to entities’ financial reporting responsibilities and the design and implementation of key internal controls relating to significant business processes. Where the auditor plans to rely upon key controls for assurance that financial statements are free from material misstatement, the controls are tested for operating effectiveness. Testing of controls during the interim audit phase allows the ANAO to form a conclusion on the operating effectiveness of those controls for the period up to the date of testing. During the final phase of the 2021–22 financial statements audit, the ANAO completes testing over the operating effectiveness of those controls it intends to rely upon, and also controls not assessed at interim. The second report presents the final results of the financial statements audits of the CFS and all Australian Government entities.

1.4 The entities included in this report are those entities that contribute significantly to the three sectors of the CFS: the General Government Sector (GGS), Public Non-Financial Corporation (PFNC) sector and Public Financial Corporation (PFC) sector. A listing of these entities is provided in Appendix 1.

1.5 The ANAO conducts its financial statements audits in four phases: planning, interim, final and completion. Figure 1.1 outlines the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

Source: ANAO data.

1.6 A central element of the ANAO’s financial statements audit methodology, and the focus of the planning phase of ANAO audits, is a sound understanding of an entity’s environment and internal controls relevant to assessing the risk of material misstatement in the financial statements. This understanding informs the ANAO’s audit approach, including the reliance that may be placed on entity systems to produce financial statements that are free from material misstatement.

1.7 In accordance with generally accepted auditing practice, the ANAO accepts a low level of risk that an audit will fail to detect the financial statements are materially misstated. This low level of risk is accepted because it is too costly to perform an audit that is predicated on no level of risk. An understanding of the entity, its environment and its controls, helps the ANAO design the required work and respond to risks that bear on financial reporting. The key areas of financial statements risks identified through this planning approach are discussed in chapter 3 for each entity included in this report.

1.8 A key component of understanding the entity and its environment is to understand the governance arrangements established by its accountable authority.1 Accountable authorities of all Commonwealth entities and companies subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) are required to govern their entity in a way that promotes the proper use and management of public resources, the achievement of the purposes of the entity and the entity’s financial sustainability.

1.9 The development and implementation of effective corporate governance arrangements and internal controls should be designed to meet the individual circumstances of each entity. These processes also assist in the orderly and efficient conduct of the entity’s business and compliance with applicable legislative requirements, including the preparation of annual financial statements that present fairly the entity’s financial position, financial performance and cash flows.

Understanding the entity

1.10 The ANAO uses the framework in the Australian Auditing Standards (ASA) 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment to consider the impact of different elements of an entity’s internal controls that support the preparation of financial statements. This approach provides a basis for designing and implementing the audit work program that reflects the ANAO’s assessment of the risk of material misstatement. Deficiencies in the internal control framework increase the requirement of the ANAO to perform additional audit work in the final audit phase. Figure 1.2 outlines these elements.

Figure 1.2: Elements of entity internal controls

Source: ASA 315 Identifying and assessing the risk of material misstatement through understanding the entity and its environment, paragraph A59.

1.11 This chapter discusses each of these elements and outlines observations based on the ANAO’s review of aspects of each entity’s internal controls, relevant to the risk of material misstatement to the financial statements, including the detailed results of the interim audits.

1.12 At the completion of the interim audits for the 25 entities included in this report, the ANAO noted that key elements of internal control were operating effectively for 18 entities. For the remaining seven entities, five2 were assessed as having internal controls that were operating effectively except for a particular finding which will be outlined in chapter three. For two entities3 the assessment of the operating effectiveness of their internal controls indicated a reduced level of confidence can be placed due to either having a significant finding or number of moderate findings.

1.13 The key elements of internal control for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audits.

Control environment

1.14 The PGPA Act sets out the requirements to establish and maintain systems relating to risk and control. Division 2, section 16 of the PGPA Act states that:

The accountable authority of a Commonwealth entity must establish and maintain:

a) an appropriate system of risk oversight and management for the entity; and

b) an appropriate system of internal control for the entity.

including by implementing measures directed at ensuring officials of the entity comply with finance law. 4,5

1.15 An effective control environment is underpinned by a fit-for-purpose governance structure. Indicators of an effective governance structure include whether management has established frameworks and processes that promote positive attitudes, awareness and actions concerning the entity’s internal controls and their importance in the entity. The main elements reviewed included: governance structures relevant to the preparation of the financial statements; audit committee and assurance arrangements; systems of authorisation; and processes for recording financial transactions.

1.16 All entities included in this report have established audit committees consisting of a majority of members which were assessed by the entity to be independent. All entities have an audit committee charter that is consistent with their obligations under subsection 17(2) of the PGPA Rule. Each entity has appointed an independent audit committee chair.

1.17 All entities have established executive management committees and/or sub-committees that meet at least monthly, which support financial decision making at the strategic and operational levels.6 Consideration of financial reporting was included on the agendas of all 25 entities’ executive and audit committees. The financial information provided to the entities’ executives was supplemented by non-financial operational information.

1.18 Clear lines of accountability and reporting are important in establishing a strong internal control environment for the purposes of preparing the financial statements. The involvement of those charged with governance is an important element of these structures. Just as important is ensuring that staff at all levels understand their own role in the control framework. This can be achieved through the issuance of accountable authority instructions and delegation instruments. All entities have established accountable authority instructions and delegations reflecting current business arrangements.

Risk assessment processes

1.19 Section 16 of the PGPA Act sets out an accountable authority’s responsibilities in regard to the establishment of appropriate risk oversight and management in an entity. An understanding of an entity’s process to identify and manage risk is essential to an effective and efficient financial statements audit. A review of this process is done to assist the ANAO to understand how entities identify and manage risks relating to financial statements and assess the risk of material misstatement to an entity’s financial statements.

1.20 All entities included in this report have a process to develop and update risk management plans at the organisational and strategic risk levels. In addition, each entity has developed processes for the identification and notification of risks relevant to financial statements preparation either as part of the overall risk management plan, or through a targeted risk identification exercise. The monitoring of risks, and the entities’ implementation of risk management strategies, was typically assigned to either an executive committee and/or the audit committee.

Monitoring of controls

1.21 Entities undertake many types of activities as part of their monitoring of control processes, including external reviews, self-assessment processes, post-implementation reviews and internal audits. The level of review of these activities by the ANAO is determined through a risk assessment approach that takes into consideration the nature, extent and timing of each activity and the activities’ application to the preparation of the financial statements. All entities included in this report have an ongoing process for monitoring and evaluating internal controls.

Internal Audit

1.22 As part of the financial statements audit coverage, internal audit is reviewed to gain an understanding of its role and activities in the entity. Where an internal audit function has been established it can play an important role in providing assurance to the accountable authority that the internal control framework is operating effectively. Entities are encouraged to identify opportunities to leverage internal audit coverage as a means of providing increased assurance to accountable authorities to support their opinion on the entity’s financial statements. All entities included in this report have established an effective internal audit function.

1.23 The extent to which the work of internal audit may be able to be used, in a constructive and complementary manner, varies between entities and is more likely to occur where internal audit work is focused on financial controls and legislative compliance. The ANAO is expecting to rely upon the work of internal audit for three entities in the current year.7 If the ANAO is anticipating to use the work of internal audit, in accordance with ASA 610 Using the Work of Internal Auditors, the ANAO is required to assess whether the internal audit function has: appropriate organisational status; relevant policies and procedures to support their objectivity; an appropriate level of competence; and whether they apply a systematic and disciplined approach in the execution of their work including quality control.

1.24 When it is determined that the work of internal audit can be used to support an effective audit approach, additional work is performed to confirm its adequacy to support the external audit. This will include confirmation that the scope of the work is appropriate, that there is sufficient evidence to support the conclusions drawn and selected re-performance of internal audit’s testing.

1.25 For the entities included in this report it was observed that internal audit coverage is based on an internal audit plan that is aligned with entities’ risk management plans and includes combinations of audits that address assurance, compliance, performance improvements and IT systems reviews. In addition, suggested topics from management, audit committees and external influences, such as the ANAO’s planned performance and financial statement coverage, are factors considered in the development of internal audit work plans.

Audit committees

Annual reporting requirements

1.26 The PGPA Act requires audit committees to be established for all Commonwealth entities and Commonwealth companies.8 An audit committee is a fundamental principle of good governance9 and provides advice and assurance to the entity’s accountable authority. The audit committee plays a key role in assisting the accountable authority to fulfil its governance, risk management and oversight responsibilities through the provision of assurance and advice.

1.27 In February 2020, changes were made to the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) that introduced requirements for specific audit committee information to be included in entity annual reports for reporting periods beginning 1 July 2019.10 In addition, a new requirement was introduced relating to the independence of the audit committee members for reporting periods beginning 1 July 2021.11

1.28 Section 17 of the PGPA Rule sets out the minimum requirements relating to the functions and membership of the audit committee of a Commonwealth entity. The key requirements of the PGPA Rule include:

  • a written charter, set by the accountable authority, determining the functions of the audit committee for the entity. The functions must include reviewing the appropriateness of the accountable authority’s financial reporting; performance reporting; system of risk oversight and management; and system of internal control for the entity; and
  • the membership of the committee to include at least three persons with appropriate qualifications, knowledge, skills or experience to assist the committee to perform its functions. Additionally, from 1 July 2021 audit committee members of non-corporate Commonwealth entities must be persons who are not officials of the entity, and a majority of the members must be persons who are not officials of any Commonwealth entity. All members of Commonwealth corporate entities and companies must not be employees of the entity.

1.29 The reporting requirements applied to annual reports for reporting periods beginning on or after 1 July 2019 are that they must include the following information:

  • a direct electronic address of the charter determining the functions of the audit committee for the entity;
  • the name of each member of the audit committee during the period;
  • the qualifications, knowledge, skills or experience of those members;
  • information about each of those member’s attendance at meetings of the audit committee during the period; and
  • the remuneration of each of those members.

1.30 As reported in Auditor-General Report No. 40 2020–21 Interim Report on Key Financial Controls of Major Entities, the ANAO reviewed the 2019–20 annual reports of Commonwealth entities subject to the reporting requirements of the PGPA Rule. As part of the 2021–22 Interim Report on Key Financial Controls of Major Entities, the ANAO has reviewed the 2020–2021 annual reports of 181 entities subject to the reporting requirements of the PGPA Rule.12 The review was undertaken in the current year to determine whether there has been any improvement in reporting against these requirements. As part of the analysis, the ANAO reviewed annual reports for 93 non-corporate Commonwealth entities, 70 corporate Commonwealth entities and 18 Commonwealth companies.

1.31 As the PGPA Rule requires entities to publish annual reports on the digital annual reporting tool, the 2020–21 annual reports as published on the Transparency Portal were reviewed.13 Where the annual report was not published on the Transparency Portal or the annual report on Transparency Portal does not address the relevant requirements for all members, the ANAO has assessed this to be non-compliant.

1.32 The current year review demonstrates improved compliance with PGPA Rule requirements relating to the disclosure of audit committee member names; member qualifications, skills and experience; member attendance at meetings; and member remuneration. There has been no improvement in compliance relating to the disclosure of a direct address to the audit committee charter.

Disclosure of audit committee charters

1.33 The PGPA Rule requires entities to provide a direct electronic address of the charter determining the functions of the audit committee in the annual report. Finance guidance states that the address needs to allow the entity’s charter to be publicly available14. For the purposes of this analysis, the ANAO has considered a direct address to be a link that opens either the audit committee charter or the webpage where the charter is available on the entity’s website. Table 1.1 provides details on the number of entities that did not include a direct electronic address to the audit committee charter in both the current and previous year.

Table 1.1: Direct electronic link to audit committee charter not included in entity annual reports

Type of entity

Not included in 2020–21 annual reports

Not included in 2019–20 annual reports

Non-corporate Commonwealth entities

17

14

Corporate Commonwealth entities

20

21

Commonwealth companies

10

10

Total

47

45

     

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.34 Seventeen of 93 non-corporate Commonwealth entities did not include a direct link to the audit committee charter. Six of these entities were material to the 2020–21 Australian Government Consolidated Financial Statements (CFS). These entities were: the Australian Prudential Regulation Authority; Australian Signals Directorate; Bureau of Meteorology; National Archives of Australia; National Capital Authority; and Services Australia.15 Four of the 17 entities that did not include a direct link to the audit committee charter also did not include a link to the charter in the 2019–20 annual report.16

1.35 Twenty of 70 corporate Commonwealth entities did not include a direct link to the audit committee charter. Seven of these entities were material to the CFS and include: Airservices Australia; Australian War Memorial; Clean Energy Finance Corporation; Export Finance Australia; Indigenous Land and Sea Corporation; National Gallery of Australia; and National Housing Finance and Investment Corporation.17 Seven of the 20 entities that did not include a direct link to the audit committee charter also did not include a link in the 2019–20 annual reports.18

1.36 Ten of the 18 Commonwealth companies did not report a direct link to the audit committee charter in their annual report. Three of these entities were material to the CFS. The entities were: ASC Pty Ltd; Australian Naval Infrastructure Pty Ltd; and NBN Co Limited.19 Seven of the ten entities that did not include a direct link to the audit committee charter also did not include a link in the 2019–20 annual reports.20

1.37 Where entities did not include a direct link to the audit committee charter, the ANAO searched the relevant entities’ websites to identify if the audit committee charter had been published. Five corporate Commonwealth entities21 and three Commonwealth companies22 did not have an audit committee charter available on their websites. The ANAO has confirmed as part of the financial statements audit that all entities have an audit committee charter which meets the requirements of the PGPA Rule.

Disclosure of audit committee members’ name

1.38 The PGPA Rule requires entities to disclose the name of each member of the audit committee during the reporting period. Where an entity was subject to machinery of government changes within the reporting period, all members from both the abolished and newly established entities are required to be reported. 23

1.39 Table 1.2 summarises the number of entities that did not include the name of each audit committee member in the entity annual report.

Table 1.2: Audit committee member name disclosures not included in entity annual reports

Entity type

Not included in 2020–21 Annual Reports

Not included in 2019–20 Annual Reports

Non-corporate Commonwealth entities

1

2

Corporate Commonwealth entities

Commonwealth companies

2

Total not included

1

4

     

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.40 One non-corporate Commonwealth entity did not include the 2020–21 annual report on the Transparency Portal.24 This entity did not include the names of all audit committee members in the previous year. All corporate Commonwealth entities and Commonwealth companies included the names of all audit committee members in the 2020–21 financial year.

Disclosure of qualifications, knowledge, skills or experience of each audit committee member

1.41 Entities are required to provide information on the qualifications, knowledge, skills and experience of each member of the audit committee. The PGPA Rule does not include details of the specific disclosure required, however this disclosure provides the opportunity for entities to demonstrate that the audit committee has the appropriate qualifications, knowledge, skills and experience to fulfil the legal requirements of the audit committee.25 Table 1.3 details the number of entities that have not included audit committee members’ qualifications, knowledge, skills and/or experience.

Table 1.3: Qualifications, knowledge, skills or experience of each member

Entity type

Not included in 2020–21 Annual Reports

Not included in 2019–20 Annual Reports

Non-corporate Commonwealth entities

2

2

Corporate Commonwealth entities

1

5

Commonwealth companies

1

4

Total not included

4

11

     

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.42 Two of the 93 non-corporate Commonwealth entities did not include the skills and experience of all audit committee members.26 One of these entities did not include details in the previous year.27 One of the 70 corporate Commonwealth entities28 and one of the 18 Commonwealth companies29 did not disclose the skills and experience of all audit committee members in 2020–21.

Disclosure of attendance at audit committee meetings

1.43 Entities are required to report information relating to each member’s attendance at audit committee meetings during the reporting period. Table 1.4 summarises the number of entities that did not include this information.

Table 1.4: Details of member attendance at audit committee meetings

Type of entity

Not included in 2020–21 Annual Reports

Not included in 2019–20 Annual Reports

Non-corporate Commonwealth entities

3

4

Corporate Commonwealth entities

1

2

Commonwealth companies

2

4

Total

6

10

     

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.44 There were three non-corporate Commonwealth entities that did not include audit committee meeting attendance information.30 There was one non-material corporate Commonwealth entity that did not include audit committee meeting attendance information.31 There were two non-material Commonwealth companies that did not include audit committee meeting attendance for members.32 There were three entities that did not include attendance information in both 2019–20 and 2020–21 annual reports.33

Disclosure of remuneration of audit committee members

1.45 The remuneration of each member of the audit committee must be disclosed in the annual report. Audit committee remuneration must be disclosed and separately identifiable from any amounts received for other roles performed, such as being on an entities’ Board. The Department of Finance (Finance) provided further guidance that where audit committee members are not remunerated, a nil figure should be disclosed.34

1.46 Corporate Commonwealth entities and Commonwealth companies often have audit committee members that are directors of the Board. The remuneration of the board members is required to be disclosed in annual reports. The ANAO noted that most Corporate Commonwealth entities and Commonwealth companies separately disclosed audit committee remuneration. For the purposes of this analysis, where there was no specific disclosure relating to the audit committee remuneration, the entity has been assessed as not reporting against the PGPA Rule. Table 1.5 outlines the reporting on audit committee member remuneration.

Table 1.5: Audit committee member remuneration

Type of entity

Not included in 2020–21 Annual Reports

Not included in 2019–20 Annual Reports

Non-corporate Commonwealth entities

4

5

Corporate Commonwealth entities

5

26

Commonwealth companies

4

10

Total

13

41

     

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.47 There were four non-corporate Commonwealth entities that did not report remuneration for one or more of their members.35 There were five corporate Commonwealth entities that did not disclose specific member remuneration for one or more of their members and two were material to the CFS. These entities were: Australian Reinsurance Pool Corporation and National Housing Finance and Investment Corporation.36 There were four non-material Commonwealth companies that did not report on remuneration specific to the audit committee.37 There were five entities that did not include audit committee specific remuneration in both 2019–20 and 2020–21 financial years.38

Audit committee membership requirements

1.48 The amendments made to the PGPA Rule in February 2020 included changes to the member composition of an audit committee. The new members’ composition requirements for all Commonwealth entities apply for audit committees after 1 July 2021 and include:

  • for a non-corporate Commonwealth entity, all of the members of the audit committee must be persons who are not officials of the entity; and a majority of the members must be persons who are not officials of any Commonwealth entity;39 and
  • for a corporate Commonwealth entity and Commonwealth companies, all of the members of the audit committee must be persons who are not employees of the entity.40

1.49 Additionally, the PGPA Rule excludes the following persons from being members of the audit committee:41

  • the accountable authority or, if the accountable authority has more than one member, the head (however described) of the accountable authority;
  • the Chief Finance Officer (however described) of the entity; and
  • the Chief Executive Officer (however described) of the entity.

1.50 The ANAO reviewed the membership of audit committees from 1 July 2021 to 25 March 2022 for 18342 entities subject to the PGPA Rule. Where an entity had less than three members, or the PGPA Rule requirements relating to the composition of membership had not been met, for any period during this time, the ANAO has assessed the entity as non-compliant. Table 1.6 provides details of entities’ compliance with member composition requirements that were effective from 1 July 2021.

Table 1.6: Audit committee membership composition

Type of entity

Non-compliant

Compliant

Non-corporate Commonwealth entities

2

92

Corporate Commonwealth entities

1

70

Commonwealth companies

18

Total

3

180

     

Source: ANAO audit committee membership analysis

1.51 There was one non-corporate Commonwealth entity43 and one corporate Commonwealth entity44 that had officials of the entity as audit committee members after 1 July 2021. The corporate Commonwealth entity held audit committee meetings during this time. None of the 183 entities assessed had the accountable authority, accountable authority head, Chief Financial Officer or Chief Executive Officer as a member of the entity audit committee.

1.52 There was one non-corporate Commonwealth entity45 where the majority of members were officials of Commonwealth entities. This entity held meetings during this time.

1.53 The PGPA Rule also requires that audit committees consist of at least three persons. Table 1.7 provides details of the number of entities where audit committee membership did not comply with the requirements.

Table 1.7: Audit committee membership numbers

Type of entity

Non-compliant

Compliant

Non-corporate Commonwealth entities

7

87

Corporate Commonwealth entities

71

Commonwealth companies

18

Total

7

176

     

Source: ANAO audit committee membership analysis.

1.54 There were seven non-corporate Commonwealth entities that were identified as having less than the required three members for any period of time between 1 July 2021 and 25 March 2022.46 Two entities held audit committee meetings during these periods.47

Safeguarding information from cyber threats

1.55 The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to consider and implement the Australian Signals Directorate’s (ASD) Essential Eight mitigation strategies (Essential Eight).48 The initial requirements were defined in 2013 and are now specified in PSPF Policy 10, ‘Safeguarding information from cyber threats’ (Policy 10).49 The Essential Eight is considered the baseline for cyber resilience within the Australian Government and provides advice on measures that entities can implement to mitigate cyber threats.50

1.56 Policy 10 requires each non-corporate Commonwealth entity to:

  • implement the following Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents:51
    • application control;52
    • patching applications;53
    • configure Microsoft Office macro settings;54
    • user application hardening;55
    • restricting administrative privileges;56
    • patching operating systems;553
    • multi-factor authentication;57 and
    • regular backups.58
  • consider which of the remaining mitigation Strategies from the Strategies to Mitigate Cyber Security Incidents59 need to be implemented to protect the entity.60

1.57 Since 2013, the ANAO has conducted a series of performance audits focused on assessing entities’ implementation of the PSPF cyber security requirements. These performance audits continue to identify low levels of compliance with mandatory PSPF cyber security requirements and concerns in annual self-assessments by entities. The ANAO has reported its concern that there is little evidence through the series of audits that the regulatory framework had driven sufficient improvement in entities mitigating their cyber security risks since 2013.

1.58 Australia’s Cyber Security Strategy 202061 outlines a range of initiatives to uplift Australia’s cyber security, including to harden government IT systems. The Hardening Australian Government IT initiative is led by the Digital Transformation Agency and supported by the ASD, the Department of Home Affairs and the Attorney-General’s Department.

1.59 The program involves the development of a new operating model to address the varying levels of cyber security maturity across Commonwealth entities. While this program aims to strengthen Government’s cyber security posture across Commonwealth entities, it is still under development.

1.60 The 2022–23 Portfolio Budget Statements specifies a $9,900.0 million investment in ASD over the next decade in new national cyber and intelligence capabilities. This will be a project called REDSPICE (Resilience, Effects, Defence, Space, Intelligence, Cyber, and Enablers). Project REDSPICE is planned to increase ASD’s offensive and defensive cyber capabilities, including creating 1,900 new ASD positions.

1.61 In 2021–22, the ANAO performed a review of the 2020–21 Policy 10 annual self-assessment as part of its assurance audit program for financial statements. This review focused on the protection of information relevant to the preparation of financial statements, specifically the financial management information system (FMIS) and human resource management information systems (HRMIS). The review was performed on 19 of the 2062 entities included in this report, which are required to report annually against the Policy 10 requirements.63 The review was undertaken to assess the evidence supporting the self-assessment and reporting, and to identify cyber security risks that may impact on the preparation of financial statements. The review was based on the May 2020 Policy 10 requirements as these are the requirements that entities reported against in their 2020–21 self-assessments. The review consisted of analysis of policy and procedural documentation, testing of some Essential Eight mitigation strategies specific to the FMIS and HRMIS and meetings with entity personnel.

1.62 The ANAO noted improvements in reported64 maturity levels since the 2020–21 assessment, particularly with ‘Application Control’ and ‘Multi-factor Authentication’. Figure 1.3 shows the reported maturity levels for each Essential Eight mitigation strategy between in 2019–20 and 2021–22. The Essential Eight mitigation strategies within the shaded area of Figure 1.3 represent the mitigation strategies that were mandatory during the 2020–21 reporting period.

Figure 1.3: Reported compliance with the PSPF Policy 10 requirements

Source: ANAO data

1.63 Three entities reported improvements in Essential Eight maturity levels across several of the Essential Eight mitigation strategies. The number of entities reporting improvements is has not changed since the 2020–21 assessment. These three entities had established regular maturity assessments of Essential Eight mitigation strategies and prioritised the implementation of PSPF Policy 10 requirements, including the implementation of other mitigation strategies.

1.64 Two entities reported lower maturity since last year’s assessment. The lower maturity resulted from changes in the security environment.

1.65 Although some reported improvements were observed, the ANAO found the reported maturity levels for most entities were still significantly below the Policy 10 requirements. Of the 19 entities assessed, two had self-assessed as achieving a Managing maturity level. These entities were able to demonstrate evidence to support their self-assessments as required by the PSPF.

1.66 The lowest level of compliance continues to be with the ‘Patching Applications’ and ‘User Application Hardening’ controls. Although most entities had plans to improve ‘Patching Applications’ and ‘User Application Hardening’ controls by July 2020, as at June 2021 entities were still not achieving a Managing maturity level. The number of applications in entities’ systems and identifying all applicable hardening controls for specific applications continues to be the key issue with implementing this mitigation strategy. Some entities have also stated that the ‘Patching Applications’ requirements are not achievable and have chosen to implement other mitigation strategies to address the related cyber threats.

1.67 ‘Restricting macros’ was reported to be difficult as users continue to rely heavily on macros to perform business activities. Entities continue to differ in their maturity of addressing the associated risks, with some entities reporting difficulties with monitoring the use of macros in their environments. The reported improvements in this year’s assessment have been attributed to some entities completing their cyber security implementations of Macro controls.

1.68 For ‘Multi-Factor Authentication’ to be assessed at the Managing maturity level, multi-factor authentication needed to be used to authenticate all users when accessing sensitive data. Most have focused on achieving the Developing maturity level and are relying on other mitigation strategies to address the associated risks. Entities continue to prioritise multi-factor controls for remote access and privileged users, rather than all users.

1.69 Most entities conducted their self-assessment at a system or environment level and did not specifically assess the controls required to minimise cyber risks to their FMIS or HRMIS applications. Entities who access FMIS and HRMIS applications as part of Software-as-a-Service (SaaS) arrangements reported relying on system accreditation processes to assess relevant vendor cyber security controls. Entities viewed the risk to financial information as equivalent to the risks to its overall environment. The entities prioritised the protection of the environment which hosts the FMIS and HRMIS applications.

1.70 The ANAO found that the number of assessed entities that reported an Ad-hoc or Developing maturity level had not significantly changed since last year’s assessment. Only two of the entities reviewed reported meeting the required Policy 10 maturity level. The number of entities that reported as meeting the Managing maturity level has not changed since the 2020–21 assessment.

1.71 The PSPF cyber security requirements have been in place since 2013, with the March 2022 update mandating the implementation of all Essential Eight mitigation strategies. Entities’ inability to meet previous requirements indicates a weakness in implementing and maintaining strong cyber security controls over time.

1.72 Previous ANAO audits of entity compliance with PSPF cyber security requirements have not found a significant improvement over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.

1.73 The Joint Committee of Public Accounts and Audit (JCPAA) Report 485 Cyber Resilience (2020)65, Auditor-General Report No.53 2017–18 Cyber Resilience66 and Auditor-General Report No.32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities67 recommended strengthening of arrangements for verifying self-assessment results and accountability for the implementation of mandatory cyber security requirements.

1.74 While entities’ compliance with PSPF cyber security requirements remains low, there continues to be the risk of compromise to information relevant to the preparation of financial statements.

Interim audit results

1.75 Audit findings are raised in response to the identification of a potential business or financial risk posed to an entity. Often these risks arise from deficiencies within an entity’s internal control processes or frameworks. Weaknesses in internal controls increase the possibility that a material misstatement of an entity’s financial statements will not be prevented or detected in a timely manner. The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The rating scale is presented in Table 1.8 below.

Table 1.8: Findings rating scale

 

 

Significant (A)

Issues that pose a significant business or financial management risk to the entity. These include issues that could result in a material misstatement of the entity’s financial statements.

Moderate (B)

Issues that pose a moderate business or financial management risk to the entity. These may include prior year issues that have not been satisfactorily addressed.

Minor (C)

Issues that pose a low business or financial management risk to the entity. These may include accounting issues that, if not addressed, could pose a moderate risk in the future.

Significant legislative breach (L1)

Instances of significant potential or actual breaches of the Constitution; and instances of significant non-compliance with the entity’s enabling legislation, legislation that the entity is responsible for administering, and the PGPA Act.

Other non-compliance with legislation (L2)

Other instances of non-compliance with legislation the entity is required to comply with.

Non-compliance with subordinate legislation (L3)

Instances of non-compliance with subordinate legislation, such as the PGPA Rule.

     

Source: ANAO reporting policy.

1.76 A summary of findings identified at the end of the interim phase is presented in Table 1.9 below. The table includes all findings reported to the 25 entities included in this report.

Table 1.9: Audit findings by category for the 2021–22 interim period

Category

Significant

Moderate

Minor

Main areas of weakness

IT control environment

10

26

  • security management, particularly management of user access and monitoring of privileged users.

Compliance and quality assurance frameworks

1

3

  • appropriate quality assurance processes; and
  • risk management frameworks.

Accounting and control of non-financial assets

1

2

2

  • processes supporting the valuation and impairment of assets; and
  • management and monitoring of assets including, inventory management, identification, disposals and impairment of assets.

Revenue, receivables and cash management

1

  • timeliness and completeness of reconciliations.

Human resources financial processes

2

  • monitoring of controls over payroll processing and reporting; and
  • review processes supporting employee commencements and terminations.

Purchases and payables management

1

5

  • timeliness and completeness of reconciliations; and
  • contract management.

Financial statements preparation

1

  • quality and timeliness of the preparation underlying financial statements

Other audit findings

5

  • management and implementation of service agreements; and
  • incomplete policies and procedures.

Legislative breaches

2

  • breach of section 23 of the PGPA Act; and
  • breaches of the Remuneration Tribunal Act 1973

Total

1

16

45

62

         

Source: Compilation of ANAO 2021–22 interim audit findings.

1.77 A summary of all significant, moderate, minor and legislative findings reported at the conclusion of the interim audit phase across the past five financial years is presented in Figure 1.4 below.

Figure 1.4: Trend in aggregate interim audit findings 2017–18 to 2021–22

Source: ANAO findings analysis.

Information technology control environment

1.78 The review of information systems and related controls is an integral part of an entity’s control environment. This section summarises the results from interim tests of the operating effectiveness of general IT controls for each of the entities included in this report.

1.79 Figure 1.5 demonstrates the trends in interim audit findings related to entities’ overall IT control environments from 2017–18 to 2021–22. At the time of this report, testing of the operating effectiveness of IT controls was still in progress for three entities.68

Figure 1.5: IT control environment interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.80 Findings related to entities’ IT control environments represent 58 per cent of total findings reported during the 2021–22 interim period. IT control environment findings continue to represent the highest proportion of all findings. There were 10 moderate findings reported in the 2021–22 interim audit compared to five moderate findings reported in 2020–21. Further details relating to the moderate findings are detailed in chapter 3 for the Departments of: Defence; Infrastructure, Transport, Regional Development and Communications; Social Services; Veterans’ Affairs; and the National Disability Insurance Agency.

1.81 The information systems control environment findings reported at the conclusion of the 2021–22 interim audits for entities included in this report have been grouped as follows:

  • IT security;
  • IT change management; and
  • disaster recovery arrangements.
IT security

1.82 IT security is concerned with protecting an entity’s information assets from internal and external threats. It includes controls to prevent or detect unauthorised access to systems, programs and data. In the context of the financial statements audit, the focus is on the financially significant systems and data only. The Protective Security Policy Framework69 (PSPF) sets out the government protective security policy and the Australian Cyber Security Centre’s Information Security Manual70 (ISM) provides guidance on strategies for protecting information and systems from cyber threats.

1.83 The key controls areas that address risks relating to IT security and that are assessed as part of the interim audit are:

  • IT security governance;
  • general and privileged user access; and
  • monitoring and reporting.

1.84 Figure 1.6 illustrates the trends in findings observed in entities’ IT security arrangements between 2017–18 and 2021–22.

Figure 1.6: IT security interim audit findings 2017–18 to 2021–22

Note: The comparative numbers in this figure have been updated to include findings previously categorised as IT application controls which related to IT security.

Source: ANAO data.

1.85 The IT security findings represent 83 per cent of all IT-related findings reported in 2021–22. Nine moderate findings were reported in the 2021–22 interim audit. Further details of the moderate findings are detailed in chapter 3.71

1.86 A review of all IT security findings identified issues in the following areas:

  • logging and monitoring of privileged user activity;
  • user access management, including approving new user access and performing regular user access reviews;
  • removal of user access when it is no longer required;
  • password configuration; and
  • restricting access to financial and business data, and security configurations.

1.87 Users with administrative access privileges, commonly referred to as privileged users, are able to make significant changes to IT systems’ configuration and operation, bypass critical security settings and access sensitive information. As part of reviewing IT security arrangements, different groups of privileged users were examined, including:

  • application administrators, sometimes referred to as super users;
  • database administrators;
  • system administrators; and
  • network or domain administrators.

1.88 To reduce the risks associated with this access, the ISM specifies that privileged user access be appropriately restricted and when provided, that the access is logged, regularly reviewed and monitored. One moderate and seven minor findings related to the logging and monitoring of privileged user access. The moderate finding was first reported to the Department of Veterans’ Affairs in 2020–21. It relates to the adequacy of the control framework and implementation of monitoring controls. The seven minor findings related to issues with the design of controls, such as the scope of access being monitored and the independence of those monitoring activities. In some instances, monitoring had not been performed in accordance with the entities’ policies and procedures. The risk of inappropriate changes to financially significant systems and data arising from these findings is partially mitigated through alternate controls.

1.89 All users with access to financial systems may have the ability to change financial information, and therefore access should only be granted where it is required for the performance of the role; and should be reviewed whenever the role changes. Four moderate and three minor findings related to granting and reviewing user access. Three moderate findings reported to the Department of Veterans’ Affairs related to managing access security configurations and user access reviews not being performed in accordance with the entity’s policies and procedures across several systems. The fourth moderate finding was reported to the Department of Defence and related to management of access to sensitive business data. The three minor findings were related to managing access to payment files and the timeliness of user access reviews.

1.90 Entities must remove or suspend user access on the same day that a user no longer has a legitimate business requirement for its use.72 Terminating a user account when the user no longer has a requirement to access it, such as upon departure from an entity, can prevent unauthorised use. There were four moderate findings in this area and an additional five minor findings. The four moderate findings related to weaknesses in monitoring controls and access being performed by users who no longer required such access. The four moderate findings were reported to the Department of Infrastructure, Transport, Regional Development and Communications, Department of Social Services, Department of Veterans’ Affairs and the National Disability Insurance Agency. The four minor findings related to access not being removed when it was no longer required.

1.91 The ISM provides guidance on the password requirements for Australian Government systems. In October 2019 the ACSC updated this guidance to specify passphrase requirements for instances where multi-factor authentication73 is not supported; passphrases used for single-factor authentication should be at least four random words with a minimum of 14 characters with complexity74. Inadequate password controls increase the likelihood of unauthorised access to systems and data. The ANAO observed that most entities were in the process of implementing the requirement or had completed an appropriate security risk assessment. There were six minor findings in this area.

1.92 The weaknesses identified within this category increase the risk of unauthorised access to systems and data, or data leakage. Entities should review their management of these areas in light of the recommendations of the ISM and the risks to their operational environment.

IT change management

1.93 IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being introduced, and to reduce the likelihood that normal business operations are interrupted with the implementation of authorised changes.

1.94 The trends in findings identified in entities’ IT change management controls between 2017–18 and 2021–22 are illustrated in Figure 1.7.

Figure 1.7: IT change management interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.95 Changes to entities’ IT environments were managed using standardised processes, usually based on the ITIL Framework.75 While still low when compared to IT security, the number of findings in this area still highlights the importance of maintaining and monitoring performance of change management processes.

1.96 One moderate finding and four minor findings related to weaknesses in the operation of the change management processes were reported as a result of the interim audits. The moderate finding related to weaknesses in the management of system interfaces at the Department of Veterans’ Affairs. The four minor findings related to restricting developer access to production systems and data, and management of batch processing and reporting data.

1.97 One third of the entities included in this report have advised that they are undertaking new systems implementations and/or data migration activities in 2021–22. Weaknesses in change management elevates the risk of unauthorised or untested changes to systems during these activities. These weaknesses may also affect the availability or reliability of the overall IT environment. Entities should monitor the operating effectiveness of their IT control environments to mitigate risks.

Disaster recovery arrangements

1.98 Disaster recovery is concerned with the resumption of the IT environment including systems and data following an interruption to services. It relies on:

  • effective back-up and recovery arrangements, to allow data to be recovered from current versions of key IT systems; and
  • disaster recovery planning, including the development, maintenance and testing of a disaster recovery plan to enable IT systems to be recovered in line with defined business requirements.

1.99 The ANAO assesses entities’ disaster recovery arrangements in view of the potential for a disruptive event to impact on financial reporting. The trend for findings identified in entities’ disaster recover arrangements between 2017–18 and 2021–22 is illustrated in Figure 1.8.

Figure 1.8: Disaster recovery interim audit findings 2017–18 to 2021–22

Source: ANAO data

1.100 In all cases where general IT controls testing has been completed, ANAO found that entities undertook regular backups of financially significant data. All entities but one had disaster recovery plans in place which were regularly tested. One minor finding was raised in the 2020–21 audit that remains unresolved. This increases the risk that, in the event of a significant disruption, systems and data will not be recovered within an acceptable timeframe.

1.101 Overall, the majority of IT controls continued to provide reasonable assurance about the operation of controls relied on to support the preparation of financial statements that are free from material misstatement. Consistent with observations in previous years, IT Security, particularly with regard to management of user access, continues to be an area requiring improvement to address the risk of inappropriate access to systems and data.

Compliance and quality assurance frameworks

1.102 Entities rely on internal and external systems, parties and information in decision-making processes. The implementation of effective compliance and quality frameworks and processes provides assurance over the completeness and accuracy of information and is integral to the preparation of financial statements that are free from material misstatement.

Figure 1.9: Compliance and quality assurance framework interim findings 2017–18 to 2021–22

Source: ANAO analysis of data provided by entities.

1.103 One moderate audit finding remains unresolved at the conclusion of the 2021–22 interim audit. This finding was reported to the Australian Taxation Office and relates to weaknesses in General Interest Charge (GIC) and Failure to Lodge (FTL) remissions. The finding was first reported in 2020–21.

1.104 The number of minor audit findings reported during the 2021–22 interim audit phase has decreased from the prior year. The findings relate to quality assurance processes and developing and implementing risk management frameworks. One minor finding remains unresolved from 2018–19 and two have remained unresolved from 2019–20.

Accounting and control of non-financial assets

1.105 Entities control a diverse range of non-financial assets on behalf of the Commonwealth, including land and buildings, specialist military equipment, leasehold improvements, infrastructure, plant and equipment, inventories and internally developed software.

Figure 1.10: Accounting and control of non-financial assets interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.106 The significant finding which was first reported to the Department of Defence in 2020–21 remains unresolved. The finding relates to the valuation of Specialised Military Equipment (SME). A moderate finding first reported to the Department of Defence in 2020–21 also remains outstanding and relates to the SME valuation methodology. The second unresolved moderate finding relates to the Department of Health’s recording and management of the National Medical Stockpile. This finding was first reported in 2019–20.

1.107 Of the two minor unresolved findings, one was first raised in 2020–21 and the second has remaining unresolved from 2018–19. The findings relate to the identification, disposal, and impairment of assets and leases.

Revenue, receivables and cash management

1.108 Revenue and receivables consist of Parliamentary appropriations, taxation revenue, customs and excise duties and administered levies. Commonwealth entities also generate revenue from the sale of goods and services and a range of other sources. Cash management involves the collection and receipt of public monies and the management of official bank accounts.

Figure 1.11: Revenue, receivables and cash management interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.109 The one unresolved minor finding was first reported in 2020–21 and relates to weaknesses in the timeliness and completeness of bank reconciliations.

Human resource financial processes

1.110 Human resources encompass the day-to-day management and administration of employee entitlements and payroll functions. Employee benefits expenditure represents a significant departmental expenditure item for most entities. Employee entitlement liabilities involve estimates and judgements in inputs. It is important for entities to establish robust controls in these areas to support complete and accurate payment and recording of transactions.

Figure 1.12: Human resources financial processes interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.111 The two minor findings were first raised in 2020–21. They relate to weaknesses identified over monitoring of controls for payroll processing and reporting; and the maintenance of employee records.

Purchases and payables management

1.112 Purchases and payables management covers controls and processes that provide management assurance that payments processed by the entity are complete and accurate. This may include the implementation of appropriate systems of approval or controls designed to ensure that payments processed through the financial management information system are appropriate.

Figure 1.13: Purchases and payables management interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.113 The moderate finding was first reported in 2020–21 and relates to weaknesses in the governance of ADF health services at the Department of Defence. Two of the five minor audit findings were raised in 2021–22 and relate to weaknesses in the timeliness of reconciliation processes and contract management. Two minor audit findings remain unresolved from 2020–21 and one finding remains unresolved from 2019–20. These relate to weaknesses in controls over bank accounts, vendor management and procurement functions.

Financial statements preparation

1.114 Financial statements are an important means of demonstrating how Commonwealth entities, both at an individual and whole-of-government level, meet their financial management responsibilities. In order to provide relevant and reliable financial information to the users, entities should prepare quality financial statements in a timely manner to support entities in meeting legislative reporting obligations. Effective project management underpins successful financial statements preparation processes. Findings in this category are not expected to be resolved until the final audit phase.

Figure 1.14: Financial statements preparation interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.115 The one minor finding was first reported during the 2020–21 final audit and relates to the fraud assessment underpinning the preparation of the financial statements.

Other audit findings

1.116 Other audit findings typically include items relating to the: management and implementation of service level agreements or memoranda of understanding; and updating or maintaining key governance documentation.

Figure 1.15: Other interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.117 There was one minor finding raised in 2021–22 relating to the eligibility assessment of grant programs. Four minor findings remain unresolved from prior periods. These findings relate to weaknesses identified in accounting for leases; clearing account monitoring; completeness of reconciliations and conflict of interest declarations. Three findings were first reported in 2020–21 and one finding was first reported in 2019–20.

Legislative compliance

1.118 The ANAO also reports on entity compliance with relevant legislation. This includes reporting on compliance with key legislation including the Constitution, entity enabling legislation; legislation an entity is responsible for administering, the PGPA Act, or subordinate legislation including the PGPA Rules.

Figure 1.16: Legislative breaches 2017–18 to 2021–22

Source: ANAO data.

1.119 There were two legislative breaches reported to entities in 2021–22. These breaches related to section 23 of the PGPA Rule and breaches of the Remuneration Tribunal Act 1973.

2. Reporting and auditing frameworks

Chapter coverage

This chapter outlines recent and future changes to the public sector reporting framework and the Australian auditing framework relating to the auditor’s report on financial statements.

Summary of developments

From 1 July 2021, a new standard AASB 1060 General Purpose Financial Statements – Simplified Disclosures for For-Profit and Not-for-Profit Tier 2 entities applied. The changes to disclosures for Tier 2 Commonwealth entities was minimal, with the recognition and measurement requirements in other Australia Accounting Standards (AAS) retained.

The revised Australian Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement is effective for audits of financial statements for periods beginning on or after 15 December 2021. The revision to the standard places greater emphasis on the nature and extent of the auditor’s risk assessment procedures, and the audit response to these.

In continued support of a more flexible and agile audit approach, the ANAO continues to employ remote access where the entities consent to this arrangement, or where it is more efficient to do so.

This chapter includes a summary of the ANAO’s quality assurance framework. The quality assurance framework is designed to provide the Auditor-General with reasonable assurance that the ANAO complies with its policies and procedures, applicable legal and regulatory requirements, and that reports issued by the ANAO are appropriate in the circumstances. The quality assurance framework emphasises that quality audits are reliant on the strength of the ANAO’s independence and quality control processes.

Introduction

2.1 The Australian Government’s financial reporting framework is based, in large part, on standards made independently by the Australian Accounting Standards Board (AASB). The framework is designed to support decision-making by, and accountability to, the Parliament.

2.2 The AASB bases its accounting standards on the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. As IFRS are designed primarily for use by private sector and for-profit organisations, the AASB amends the IFRS to reflect significant transactions and events that are particularly prevalent in the public sector and not-for-profit private sector. In doing so, it takes into account standards issued by the International Public Sector Accounting Standards Board.

2.3 The Minister for Finance prescribes additional financial reporting requirements for Commonwealth entities. These are contained in the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 (the FRR). The FRR is made under the Public Governance, Performance and Accountability Act 2013 (the PGPA Act).

2.4 The audits of the financial statements of Australian Government entities are conducted in accordance with the ANAO Auditing Standards, which are made by the Auditor-General under section 24 of the Auditor-General Act 1997. The ANAO Auditing Standards for financial statement audits incorporate, by reference, the auditing standards made by the Australian Auditing and Assurance Standards Board (AUASB). The AUASB bases its standards on those made by the International Auditing and Assurance Standards Board, an independent standard setting board of the International Federation of Accountants.

2.5 The ANAO Auditing Standards were reissued in February 2021. The main change from the ANAO Auditing Standards made in February 2018 was allowing for the Auditor-General to elect, wholly or in part, to conduct a performance audit under Division 2 of Part 4 of the Act as a compliance engagement under ASAE 3100 Compliance Engagements (ASAE 3100).

2.6 For performance audits under Division 2 of Part 4 or Division 2 of Part 7 of the Act, the ANAO Auditing Standards incorporate ASAE 3100 for audits designated as performance engagements, except paragraph 56 relating to the assurance report content. Instead, the ANAO Auditing Standards have incorporated the reporting requirements specified by the International Standard of Supreme Audit Institutions ISSAI 4000 Standard for Compliance Auditing (ISSAI 4000). These reporting requirements are consistent with the practice of the ANAO in reporting conclusions, findings and recommendations in performance audit reports.

2.7 Auditing of performance statements under the PGPA Act is a function of the Auditor-General under section 15 of the Auditor-General Act. Section 40 of the PGPA Act allows the Minister for Finance or the responsible Minister to request the Auditor-General to conduct an audit of the performance statements of a Commonwealth entity. Where the Auditor-General conducts such an audit, the auditor’s report is provided to the requesting Minister who is required to table the report in the Parliament as soon as practicable after receipt.

2.8 In conducting audits of performance statements, the ANAO applies ASAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ASAE 3000) and also considers the output from the International Auditing and Assurance Standards Board (IAASB) non-authoritative guidance on Extended External Reporting (EER) Assurance published in April 202176.

2.9 The financial reporting and auditing frameworks that applied in 2021–22 are illustrated in Appendix 2 and Appendix 3 of this report.

Changes to the Australian public sector reporting framework

Changes in the environment

2.10 With lock downs lifted and travel restrictions eased, ANAO staff have now been able to physically access most entities’ premises, which has removed the barriers to conducting audits that arose at the onset of the COVID-19 pandemic. However, the ANAO continues to employ remote access where entities consent to this arrangement, and where it is more effective and efficient to do so. This is in support of a more agile and flexible approach to conducting audits.

2.11 The Australian Cyber Security Centre (ACSC) stated that cyber threats will continue to increase as technology is further utilised to support Australians, government and business activities.77 As the regulatory framework has not driven sufficient improvement in cyber security across government entities, information security will remain a particular focus of ANAO’s audit work for 2021–22.

Auditing under the performance framework

2.12 The PGPA Act provides the basis for the Commonwealth performance framework. Commonwealth entities are required to publish planned financial and non-financial performance information with the aim of providing more transparent and meaningful information to the Parliament and the public. Following a series of three performance audits from 2016–17 to 2018–19, the ANAO commenced a program of pilot assurance audits of annual performance statements for the years ended 30 June 2020 and 2021.

2.13 The pilot was used to trial and refine an appropriate audit methodology for performance statements audits and the same three entities were involved for both years78. The methodology uses audit criteria based on the requirements of the Commonwealth’s performance reporting framework as set out in the PGPA Act and Rule.

2.14 As required by the performance framework, the assurance reports for the entities audited in 2020–21 were provided to the Minister for Finance in December 2021 and subsequently tabled in Parliament on 7 April 2022. The ANAO also tabled a report in April 2022 summarising the key observations from the 2020–21 pilot audit program.

2.15 For the year ended 30 June 2022, the ANAO has commenced implementation of its performance statements audit program. Consistent with the funding appropriated to the ANAO for performance statements audits in the 2021–22 Budget, six performance statements audits are being conducted in 2021–22. This includes the same three entities from the pilots with the addition of the Department of Agriculture, Water and the Environment, the Department of Education, Skills and Employment and the Department of the Treasury. The number of audits will increase progressively, rising to 10 audits for 2022–2023 and up to 24 audits per year from 2025–26.

Changes to auditing standards

2.16 In February 2020, the AUASB issued the revised Australian auditing standard ASA 315 Identifying and Assessing the Risks of Material Misstatement which addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial report. The extant standard applies for audits of financial statements for the period ended 30 June 2022. The new standard is effective for financial reporting periods commencing on or after 15 December 2021.

2.17 The revised standard responds to changes in the financial reporting environment including more complex financial reporting frameworks, technology being used to a greater extent, and entities and their governance structures becoming more complex. The standard also clarifies and enhances requirements to support a more robust risk assessment process, which will result in a more focused response to identified risks.

2.18 The standard places emphasis on the need for auditors to significantly enhance their understanding of the entity’s: (i) use of information technology; and (ii) governance, business model and financial reporting framework. Consequently, it is likely that entities will need to share more detailed information and provide access to a broader range of management in relation to those matters.

Changes to accounting standards

2.19 A new standard AASB 1060 General Purpose Financial Statements — Simplified Disclosures for For-Profit and Not-for-Profit Tier 2 entities (AASB 1060) applied from 1 July 2021. AASB 1060 replaced the Reduced Disclosure Requirements (RDR) disclosures and provided Simplified Disclosure Requirements (SDR) for general purpose financial statements (GPFS) Tier 2 entities.

2.20 Commonwealth Tier 2 entities are required to apply AASB 1060 subject to the specific requirements of the FRR. Changes to the disclosures were minimal for Tier 2 Commonwealth entities with the recognition and measurement requirements in other AASs retained. Specific changes to the FRR because of the adoption of AASB 1060 included the following.

  • A requirement for all entities (Tier 1 and Tier 279) to apply Tier 1 disclosures when applying AASB 16 Leases (AASB 16). The simplified disclosures relating to leases in AASB 1060 do not apply to Tier 2 entities.
  • A requirement for all entities to disclose revenue recognised from contracts with customers and impairment losses on receivables arising from contracts with customers. This disclosure requirement was removed by AASB 1060 but has been reintroduced by the FRR for Tier 2 entities.
  • The removal of specific listed Tier 1 reporting requirements for the Department of Agriculture, Water and the Environment.
  • Clarification of the methodologies for estimating long service leave (LSL) liability. Entities with 1,000 or less employees must use the:
    • LSL shorthand method; or
    • an actuarial assessment; or
    • a detailed calculation basis (for example, employee by employee).
  • A requirement for entities, when undertaking a regulatory charging activity80, to disclose a list of regulatory charging activities.
  • The clarification of appropriation disclosure requirements.
    • Annual appropriations:
      • disclose only current year appropriations increased by PGPA Act section 74 receipts; and
      • footnote disclosure for all current year appropriations that have been withheld under s51 of the PGPA Act and quarantined for administrative reasons.
    • Unspent annual appropriations:
      • disclose amount and explanation of all prior year departmental and administered appropriations withheld under s51 or administrative quarantine, by appropriation act; and
      • disclose total adjustments made to all prior years unspent departmental and administered appropriations under s74 of the PGPA Act, and departmental and administered appropriations under s75 of the PGPA Act.

Quality Assurance Framework and Reporting

ANAO Quality Assurance Framework

2.21 The quality of ANAO audit work is reliant on the strength of its independence and quality control processes. The ANAO defines audit quality as the provision of timely, accurate and relevant audits, performed independently in accordance with the Auditor-General Act, ANAO auditing standards and methodologies, which are valued by the Parliament. Delivering quality audits results in improved public sector performance through accountability and transparency.

2.22 The ANAO Quality Assurance Framework and Plan 2021–22 is published on the ANAO website and articulates the system of quality control that the ANAO has established to support the delivery of high-quality audit work and enables the Auditor-General to have confidence in the opinions and conclusions in the reports prepared for the Parliament.

2.23 The ANAO quality assurance framework complies with the requirements of Auditing Standard ASQC 1 – Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Services Engagements. The AUASB has issued three revised Australian Quality Management Standards that become effective on 15 December 2022:

  • ASQM 1 – Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements;
  • ASQM 2 – Engagement Quality Reviews; and
  • ASA 220 – Quality Management for an Audit of a Financial Report and Other Historical Information.

2.24 The revised standards introduce a quality management approach that is focused on proactively identifying and responding to risks of quality. The standards include enhanced requirements and focus on governance and leadership, monitoring and remediation. The ANAO has commenced a project to implement the revised standards and make enhancements to the ANAO Quality Assurance Framework to ensure that it responds to the quality risks that arise in audits of public sector entities.

2.25 The ANAO engages the Australian Securities and Investments Commission (ASIC) to conduct an annual review of the ANAO quality assurance framework and financial statements audit files, in a similar way to the review work conducted by ASIC on external auditors in the private sector. This review provides additional external oversight and scrutiny over the ANAO quality assurance framework and ensures that it is in compliance with auditing standards. The reports from the ASIC annual review are published on the ANAO internet. In 2020–21, the scope of the review completed by ASIC included a review of the policies and approvals in place regarding other services conducted by contracted firms. ASIC provided the ANAO with one good practice recommendation to ensure that the documentation regarding approvals of other services sufficiently captures the evaluation and conclusion reached.

Ethics, independence and integrity

2.26 Ethical requirements, with a focus on independence are core to the quality framework. The fundamental principles of professional ethics as set out in APES 110 Code of Ethics for Professional Accountants (including Independence Standards) are integrity; objectivity; professional competence and due care; confidentiality; and professional behaviour. The ANAO maintains a continued focus on independence through the application of ANAO independence policies that manages threats to independence in the conduct of the ANAO’s work. The ANAO Integrity Framework sets out the ANAO’s integrity control system, supporting our organisation’s integrity. The framework encompasses the ANAO Integrity Statement, which describes five key principles of integrity that staff at the ANAO uphold — independence, honesty, accountability, openness and courage.

Quality control and consultation processes

2.27 In the conduct of their work ANAO auditors apply a robust methodology to drive consistent quality and compliance with the ANAO Auditing Standards. The ANAO audit methodology incorporates policies regarding direction, supervision and review, consultation on significant technical and ethical issues, engagement quality control review of high-risk audits and documentation of audit evidence and work performed.

ANAO Quality Reporting

2.28 The Audit Quality Report 2020–21 demonstrates the ANAO assessment of the implementation and operating effectiveness of the elements of the ANAO Quality Assurance Framework. The report provides transparency in respect of the processes, policies, and procedures that support each element of the ANAO Quality Assurance Framework, and reports audit quality indicators measuring ANAO performance against target benchmarks. The report also includes the achievement of the quality assurance strategy and deliverables set out in the Quality Assurance Framework and Plan, including the results of internal and external quality assurance reviews.

3. Results of the interim audit phase by entity

Chapter coverage

This chapter summarises the results of the interim audits for the 2021–22 financial statements of the 25 entities included in this report. The entities included in this report are all departments of state, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the income, expenses, assets and liabilities within the 2020–21 Consolidated Financial Statements (CFS) of the Australian Government. The National Indigenous Australians Agency is also included in this report given the role it plays working across government with indigenous communities and stakeholders.

Audit results

There were one significant and 14 moderate findings reported to the entities covered by this report at the completion of the 2021–22 interim phase compared with no significant and nine moderate findings reported at the interim phase in 2020–21.

At the completion of the interim audits, the ANAO reported to 18 entities that key elements of internal control were operating effectively to provide reasonable assurance that the entities are able to prepare financial statements that are free of material misstatement. For a further 5 entities, the ANAO reported that, except for particular finding/s outlined in this chapter, key elements of internal control were operating effectively to provide reasonable assurance that the entities are able to prepare financial statements that are free from material misstatement. For the two remaining entities, the findings reported reduced the level of confidence that can be placed on the key elements of internal control supporting the preparation of the financial statements free from material misstatement. The ANAO reported that there were a number of areas where improvements are required for these entities.

Introduction

3.0.1 The ANAO’s assessment of the overall risk of material misstatement of the financial statements is based on professional judgement relating to the entity’s particular circumstances. The financial statements audit planning process involves joint procedures with the performance audit and performance statements audit groups. The process takes into account an entity’s environment and governance arrangements, its system of internal control, and prior year financial and performance audit findings. These planning processes inform the identification of areas of key risk that have the potential to impact on the integrity of the financial statements.

3.0.2  The interim phase of the audit focuses on the steps taken by entities to manage these risks, including their systems of internal control. This chapter reflects entity funding arrangements existing at 30 April 2022 and outlines the following information for each of the reported entities:

  • the entity’s primary role as reflected in its Portfolio Budget Statements;
  • 2021–22 appropriation funding and key financial statements items;
  • the ANAO’s assessment of the overall risk of material misstatement of the financial statements, which informs the audit processes to be undertaken;
  • key areas of financial statements risk including where the ANAO has identified Key Audit Matters (KAM); and
  • the status of significant and moderate audit findings at the completion of the interim audit, and the conclusion relating to audit coverage to date.

3.0.3 The entities included in this report include all departments of state, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the 2020–21 CFS. The National Indigenous Australians Agency is also included in this report given the role it plays working across government with indigenous communities and stakeholders.

3.0.4 Where a performance audit was tabled during 2021–22 that was relevant to the financial management or administration of an entity, consideration is given to the impact of observations on the audit approach. Further details are included under the entity headings below.81

Analysis of entities’ contribution to 2020–21 CFS

3.0.5 An analysis of the percentage contribution of entities in this report, to 2020–21 CFS is presented below. Figure 3.0.1 presents the results of nine entities that contribute greater than 10 per cent of either the income, expenses, assets or liabilities of the CFS. The remaining entities are presented in Figure 3.0.2 and contribute less than 10 per cent of all categories.

Figure 3.0.1: Entities contributing greater than 10 per cent to the Australian Government’s 2020–21 Consolidated Financial Statements

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2021.

Figure 3.0.2: Entities contributing less than 10 per cent to the Australian Government’s 2020–21 Consolidated Financial Statements

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2021.

Results of financial statements audits

3.0.6 Table 3.0.1 presents a summary of new and unresolved significant and moderate findings82 at the conclusion of the 2021–22 interim83 audits and the 2020–21 interim and final audits.

Table 3.0.1: Significant and moderate findings by entity

 

Interim 2020–21

Final 2020–21

Interim 2021–22

Entity

New findingsa

Unresolved findings

New findingsa

Unresolved findings

New findingsa

Unresolved findings

Department of Defence

1

1

3

1

4

Department of Veterans’ Affairs

6

6

Department of Health

2

1

1

Department of Infrastructure, Transport, Regional Development and Communications

1

Department of Parliamentary Services

1

Department of Social Services

2

1

1

Services Australia

1

1

National Disability Insurance Agency

1

1

1

1

Australian Taxation Office

2

1

Total

4

5

12

5

1

14

             

Note a: Minor findings identified previously but upgraded to a moderate or significant finding are considered new for the purposes of this table.

Source: 2020–21 and 2021–22 ANAO audit correspondence.

3.1 Department of Agriculture, Water and the Environment

Overview

3.1.1 The Agriculture, Water and the Environment portfolio is responsible for advising the government and implementing programs on the environment, heritage, meteorological services, climate change adaptation strategy and science, water resources, rural adjustment and drought issues, plant and animal biosecurity, Antarctica, and Australia’s agricultural, fisheries, food and forestry industries.

3.1.2 The Department of Agriculture, Water and the Environment (DAWE) is the lead entity in the portfolio, and is responsible for conserving, protecting and sustainably managing Australia’s biodiversity, ecosystems, environment and heritage; advancing Australia’s interests in the Antarctic region; developing and implementing policies and programs to promote more sustainable, productive, internationally competitive and profitable Australian agricultural, food and fibre industries; safeguarding Australia’s animal and plant health status; and improving the health of rivers and freshwater ecosystems and water use efficiency.

3.1.3 Figure 3.1.1 and Figure 3.1.2 below show the 2021–22 departmental and administered financial statements items reported by DAWE and the key areas of financial statements risk.

Figure 3.1.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.1.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.1.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DAWE’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DAWE’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DAWE, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.1.5 Annual appropriation funding of $1,263.1 million (departmental) and $1,821.6 million (administered) was provided to DAWE in 2021–22 to support the achievement of the entity’s outcomes.84 DAWE was also budgeted to receive special appropriation funding of $1,069.1 million.85

3.1.6 Table 3.1.1 and Table 3.1.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.1.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

1,793.6

2,952.6

Employee benefits

757.6

Suppliers

844.9

384.4

Depreciation and amortisation

161.0

7.8

Levy disbursement and Commonwealth contributions

925.8

Personal benefits

113.0

Write-down and impairment of assets

0.9

23.6

Finance costs

22.0

Grants

6.9

1,192.7

Borrowing costs

89.1

Payment to corporate entities

216.2

Other

0.3

Total own-source income

474.1

831.1

Sale of goods and rendering of services

439.7

13.3

Other taxes

599.6

Interest

78.0

Gains

1.6

Other

32.8

140.2

Net (cost of)/contribution to services

(1,319.5)

(2,121.5)

     

Source: DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.1.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

2,123.2

11,110.2

Cash and cash equivalents

42.4

1,834.9

Trade and other receivables

393.5

3,168.0

Land and buildings

609.9

0.6

Property and equipment

719.4

532.2

Water assets and Intangibles

253.1

4,023.9

Heritage and cultural

72.5

1.0

Inventories

9.9

11.0

Investments

15.5

1,470.2

Other

7.0

68.4

Total liabilities

1,384.6

298.5

Grants

181.6

Suppliers payable

75.4

76.8

Other payables

38.0

2.7

Interest bearing liabilities

351.6

Employee provisions

252.2

Other provisions

667.4

37.4

Net assets/(liabilities)

738.6

10,811.7

     

Note: DAWE’s estimated actual average staffing level for 2021–22 is 6,306.

Source: DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.1.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DAWE financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.1.3.

Table 3.1.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Departmental

other provisions

$667.4 million

Valuation of the Antarctic restoration provision

KAM

Higher

  • nature of the Australian Government’s obligations under the Madrid Protocol to maintain and remediate impact of operations in Antarctica;
  • complex mathematical model with a number of inputs and data sources; and
  • the provision is subject to increased judgement and estimation, particularly relating to discount rates, escalation factors, asset replacement costs, dismantling costs and useful lives.

Administered

loans receivable

(a component of trade and other receivables)

$3.2 billion

Valuation of loans to state and territory Governments and farm businesses

KAM

Higher

  • complexity in the accounting treatment for loans deemed concessional in nature, including judgements in estimating the market rate that would otherwise apply to the loan;
  • the level of estimation involved in determining expected credit losses for loans at balance date due to assumptions relating to the security held against each loan, likelihood of enforcement of the security, impact of industry trading conditions and commodity pricing; and
  • significance of the reliance on third parties, including state and territory governments or the Regional Investment Corporation, for the management of loans to farm businesses. The third party is responsible for entering into loan agreements with eligible farm businesses, the approval of recipients, and the ongoing monitoring and maintenance of the loans.

Administered

water entitlements (a component of water assets and intangibles)

$4.0 billion

Valuation of water entitlements assets

KAM

Higher

  • significant judgement in the estimation of the value and impairment that is impacted by factors including the maturity and assessment of the water market; and
  • reliance on third parties for the provision of information to support the valuation.

Departmental

revenue from contracts with customers

$439.7 million

 

Accuracy and completeness of own- source revenue relating to import and export functions

KAM

 

Moderate

  • complex and large volume and value of revenue streams including differing charging methods, service provisions, legislative and cost recovery arrangements;
  • decentralised approach to service provision and revenue collection;
  • reliance on the services provided by the Department of Home Affairs for the collection and capture of revenue arising from import declarations; and
  • complexity and number of IT systems used to record and collect import and export revenue.

Administered

levies and charges

(a component of other tax revenue)

$599.6 million

Accuracy and completeness of primary industry levies and charges revenue

KAM

Moderate

  • reliance on self-assessment by industry participants to calculate the revenue to be collected by DAWE, particularly the estimation of the level of agricultural production on which levies are calculated; and
  • the complexity of the IT environment used to calculate and collect levies and charges.
       

Source: ANAO 2021–22 risk assessment, and DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.1.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No.9 Regional Land Partnerships was tabled during 2021–22 and relevant to the financial management or administration of DAWE. The recommendations from this report were considered in designing audit procedures in relation to administered grants and supplier expenses.

3.1.9 At the conclusion of the interim audit, no significant or moderate findings have been identified during the performance statements audit that would have an impact on the financial statements audit.

Audit results

3.1.10 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to departmental revenue from contracts with customers, administered levies and administered loans. In addition, interim coverage of IT general controls, administered grants, non-financial assets and employee benefits expenses has been performed.

3.1.11 Audit procedures relating to other provisions, water entitlements and administered loans will be undertaken as part of the planned 2021–22 final audit.

3.1.12 To date, our audit coverage has not identified any new significant or moderate audit findings. There were no unresolved significant or moderate audit findings at the conclusion of the 2020–21 audit.

Conclusion

3.1.13 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DAWE will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.2 Attorney-General’s Department

Overview

3.2.1 The Attorney-General’s Department (AGD) supports the Attorney-General and Minister for Industrial Relations as well as the Assistant Minister to the Attorney-General. The role of the department is to contribute towards a just and secure society by maintaining and improving Australia’s law, justice, security and integrity frameworks, and to facilitate jobs growth through policies and programs that promote fair, productive and safe workplaces.

3.2.2 AGD has a shared services arrangement with the Department of Social Services for the provision of grant administration services. AGD remains accountable for compliance with all accounting, legal and administrative requirements.

3.2.3 Figure 3.2.1 and Figure 3.2.2 below show the 2021–22 departmental and administered financial statements items reported by AGD and the key areas of financial statements risk.

Figure 3.2.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.2.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.2.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on AGD’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AGD’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of AGD, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.2.5 Annual appropriation funding of $273.9 million (departmental) and $531.3 million (administered) was provided to AGD in 2021–22 to support the achievement of the entity’s outcomes.86 AGD was also budgeted to receive special appropriation funding of $283.9 million.87

3.2.6 Table 3.2.1 and Table 3.2.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.2.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

410.3

827.4

Employee benefits

260.9

26.0

Suppliers

92.0

175.5

Subsidies

153.4

Personal benefits

78.2

Depreciation and amortisation

52.8

6.7

Grants

360.6

Payments to corporate entities

26.5

Other

4.6

0.5

Total own-source income

153.1

188.1

Sale of goods and rendering of services

152.6

1.9

Levies

145.2

Other

0.5

41.0

Net (cost of)/contribution to services

(257.2)

(639.3)

     

Source: AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.2.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

584.2

834.5

Cash and cash equivalents

9.0

2.6

Trade and other receivables

190.5

17.7

Other investments

785.9

Land and buildings

304.4

17.7

Property, plant and equipment

34.8

2.4

Intangibles

38.6

Other

6.9

8.2

Total liabilities

425.7

2,237.0

Suppliers

10.5

12.6

Subsidiaries

10.9

Personal benefits

0.8

Other payables

31.3

2,190.0

Leases

296.7

18.4

Employee provisions

86.5

4.3

Other provisions

0.7

Net assets/(liabilities)

158.5

(1,402.5)

     

Note: AGD’s estimated average staffing level for 2021–22 is 1,829.

Source: AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.2.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of AGD’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.2.3.

Table 3.2.3: Key areas of financial statements risk

Relevant financial statement line item

Key area

Audit risk rating

Factors contributing to risk assessment

Departmental

rendering of services

$152.6 million

goods and services receivables (a component of trade and other receivables)

$190.5 million

Accuracy of the Australian Government Solicitor’s (AGS) revenue, and the accuracy and completeness of AGS trade receivables, from rendering of services

Moderate

  • the value and timing of revenue recognition is determined with reference to time recorded on various AGS matters, the completion and recovery of matters and the valuation of work-in- progress at year-end is subject to management judgement.

Administered

personal benefits expenses

$78.2 million

personal benefits liabilities

$0.8 million

Accuracy and occurrence of administered personal benefits expenses relating to the Fair Entitlements Guarantee (FEG) scheme

Moderate

  • complex legislative requirements relating to claims eligibility, calculation of benefit amounts and subsequent payments; and
  • the significance of the value of debts and liabilities that are recognised relating to the Fair Entitlements Guarantee (FEG) scheme.
       

Source: ANAO 2021–22 risk assessment, and AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.2.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audits have been tabled to date in 2021–22 relevant to the financial management or administration of AGD.

Audit results

3.2.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: departmental revenue; FEG scheme expenses; supplier expenses; human resources; management of appropriations and special accounts; and cash management activities.

3.2.10 The ANAO’s planned interim audit procedures included IT general and application controls for the AGD’s financial management information system, SAP. At the conclusion of the interim audit fieldwork, ANAO has not completed testing relating to: SAP IT general controls; access authorisation; change management; and application controls.

3.2.11 Audit procedures relating to: the valuation of non-financial assets including administered investments; and financial statements close processes including the consolidation of the AGS will be undertaken as part of the planned 2021–22 final audit.

3.2.12 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.2.13 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.3 Department of Defence

Overview

3.3.1 The Department of Defence (Defence) is responsible for protecting and advancing Australia’s strategic interests through the promotion of security and stability; the provision of military capabilities to defend Australia and its national interests; and the provision of support for the Australian community and civilian authorities as directed by the government.

3.3.2 Figure 3.3.1 and Figure 3.3.2 below show the 2021–22 departmental and administered financial statements items reported by Defence and the key areas of financial statements risk.

Figure 3.3.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.3.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.3.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Defence’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Defence’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Defence, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.3.4 Annual appropriation funding of $44,842.7 million (departmental) was provided to Defence in 2021–22 to support the achievement of the entity’s outcomes.88 Defence was also budgeted to receive special appropriation funding of $3,136.1 million.89

3.3.5 Table 3.3.1 and Table 3.3.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.3.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

38,023.1

10,580.6

Employee benefits

12,804.3

Suppliers

17,823.0

Depreciation and amortisation

6,096.7

Write-down and impairment of assets

1,114.6

Military superannuation benefits

10,455.0

Other

184.5

125.6

Total own-source income

1,473.9

1,224.7

Sale of goods and rendering of services

330.9

Other revenue

254.4

Reversals of previous asset write-downs

509.6

Military superannuation contributions

1,116.0

Other

379.0

108.7

Net cost of services

36,549.2

9,355.9

     

Source: Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.3.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

125,911.4

3,309.5

Cash and cash equivalents

285.9

152.8

Trade and other receivables

78.8

113.8

Tax assets

380.0

Appropriation receivable

1,199.9

Other receivables

306.1

Investments accounted for using the equity method

2,845.5

Specialist military equipment

80,151.1

Intangibles

1,401.8

Land and buildings

22,402.9

Infrastructure, plant and equipment

8,561.9

Heritage and cultural

438.4

Inventories

8,197.2

Prepayments

2,269.0

197.4

Other

238.4

Total liabilities

12,381.3

104,845.9

Suppliers

4,190.5

Other payables

390.5

188.8

Leases

2,941.5

Employee provisions

3,418.2

104,657.1

Restoration, decontamination and decommissioning provisions

1,144.0

Other

296.6

Net assets/(liabilities)

113,530.1

(101,536.4)

     

Note: Defence’s estimated average staffing level for 2021–22 is 75,863.

Source: Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.3.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Defence financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.3.3.

Table 3.3.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Departmental

specialist military equipment (SME)

$80.2 billion

Accuracy and valuation of SME

KAM (valuation)

Higher

  • the high degree of judgement applied by management to measure SME at fair value due to the highly specialised nature of these assets;a
  • the subjectivity in the valuation assessment due to the difficulty in obtaining the replacement costs of assets with a similar capability in the absence of an active market, the selection and application of appropriate indices, the determination and assessment of appropriate useful lives, and the identification of indicators of impairment; and
  • the complexity and high degree of judgement in the cost attribution model that allocates accumulated capitalised costs on large scale acquisition projects between individual platform assets, associated spares and inventory.b

Administered

employee provisions

$104.7 billion

Accuracy, valuation and disclosure of employee provisions

KAM (valuation)

Higher

  • the measurement of the provision being complex, requiring significant professional judgement in the selection of key long-term assumptions (including such matters as salary growth and discount rates, pension indexation rate, pension take-up rate and invalidity retirements) to which the valuation of these plans is highly sensitive; and
  • detailed disclosure requirements for the presentation and disclosure of defined benefit plans.

Departmental

inventory

(including explosive ordnance, fuel and general stores inventory)

$8.2 billion

Existence and completeness of inventory balances

KAM

Moderate

  • variety and number of inventory items which are managed differently across a large number of geographically dispersed locations and through a number of IT systems.

Departmental

general assets

$32.8 billion

Accuracy and valuation of general assets

KAM (valuation)

Moderate

  • high degree of management judgement required in respect of classifying project costs as capital or expense and the selection of valuation methods to measure fair value;
  • the valuation of Defence’s land, buildings, infrastructure, plant and equipment and heritage and cultural assets being dependent on assumptions that require significant management judgement. These include capitalisation rates, current replacement costs, discount rates, and conditions of the assets. Where observable market data is not available, the valuation is subject to a higher level of judgement; and
  • the subjectivity in determining appropriate useful lives and the assessment of the financial impact of indicators of impairment.
       

Note a: A moderate audit finding has been reported in respect of the application and documentation of judgements applied in determining the fair value of specialist military equipment.

Note b: A significant audit finding has been reported in respect of the cost attribution model that allocates accumulated capital costs between individual platforms assets, associated spares and inventory.

Source: ANAO 2021–22 risk assessment, and Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.3.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2021–22 relevant to the financial management or administration of Defence:

  • Auditor-General Report No.1 Defence’s Administration of Enabling Services – Enterprise Resource Planning Program: Tranche 1;
  • Auditor-General Report No.4 Defence’s Contract Administration – Defence Industry Security Program;
  • Auditor-General Report No.13 Major Projects Report; and
  • Auditor-General Report No.15 Department of Defence’s Procurement of Six Evolved Cape Class Patrol Boats.

3.3.8 Auditor-General Report No.13 2021–22 (Auditor-General Report No.13) included observations relevant to the valuation of SME. The report noted that Defence was unable to provide the staff cost component of projects and that its systems are not capable of calculating the cost of project staff over time. Additionally, Auditor-General Report No.13 included observations associated with the use of spreadsheets as a primary form of record for risk management. The observations reported were consistent with weaknesses reported at paragraph 3.3.15 in relation to the valuation of SME using the cost attribution model.

3.3.9 Auditor-General Report No.13 also included observations relevant to the impairment of assets under construction. No significant changes were made to the designed audit procedures for the financial statements audit.

3.3.10 The observations of the remaining reports were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement. No significant changes were made to the designed audit procedures for the financial statements audit.

Audit results

3.3.11 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: IT general controls over the financial management information system and human resources information management system. Testing of the operating effectiveness of the controls implemented to confirm the existence and completeness of inventory has been completed. Additionally, the ANAO has assessed Defence’s progress on addressing the significant and moderate audit findings discussed below.

3.3.12 Audit procedures relating to 30 June 2022 balances for SME, general assets and administered employee provisions will be performed as part of the 2021–22 final audit. The ANAO will also assess Defence’s progress in addressing audit findings up to and during the final audit.

3.3.13 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.3.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

A

1

1

B

3

3

Total

4

4

         
Unresolved significant audit finding
Valuation of SME using the cost attribution model

3.3.14 To support its primary outcomes, Defence undertakes a number of high value equipment acquisition projects. These projects are complex and span multiple financial years. Judgement is applied to allocate capitalised costs between individual platform assets, associated spares and inventory.

3.3.15 Defence uses a cost attribution model (referred to by Defence as the Asset Valuation Model) to capture costs against applicable projects for SME assets under construction. The model uses a methodology to allocate project costs across the deliverables associated with the project. The Asset Valuation Model (AVM) is maintained in an excel spreadsheet and captures costs across the life cycle of the project, against multiple contracts and variations, many of which are recorded in a foreign currency. The AVM captures both budget and actual costs. The ANAO identified internal control weaknesses in the methodology used by Defence to allocate costs relating to assets under construction. These included:

  • limited policies and procedures outlining the approach to developing, maintaining, and recording transactions against the cost attribution model;
  • the use of excel spreadsheets to record the AVM transactions, which have no evidenced controls or protection to prevent the accidental editing or deletion of data; and
  • limited quality assurance mechanisms that could be relied upon to provide assurance over the asset allocations derived from the AVMs.

3.3.16 In addition, the ANAO noted that Defence does not capture employee-related costs as part of its asset under construction projects. There are currently no systems or processes to identify the time spent by officers on specific projects. Analysis of project employee costs estimated an understatement of asset capitalisations by $67.5 million in 2020–21.

3.3.17 Assets under construction are recorded at cost. The weaknesses noted increase the risk that the valuation of SME and the associated depreciation expense is misstated in the financial statements.

3.3.18 The ANAO recommended that Defence:

  • consider the development of an IT solution to transition project management from excel spreadsheets or consider ways to implement controls to reduce the risks associated with unintended or unauthorised changes to the spreadsheets;
  • develop guidelines, policies and procedures to assist project managers with the development, maintenance and recording of transactions associated with the cost attribution model. The guidelines should also aim to increase consistency across projects, where appropriate;
  • implement quality assurance processes to provide assurance for financial reporting purposes;
  • develop and implement a year-end close process to ensure that projects are up to date and complete for reporting as at 30 June. This should include examining the appropriateness of using budget figures to adjust asset roll-out costs; and
  • consider implementing a time recording system to capture employee costs associated with each project. Costs should be capitalised to projects in accordance with AASB 116 Property, Plant and Equipment.

3.3.19 The ANAO has assessed the progress made by Defence to address the weaknesses as part of the interim audit.

3.3.20 Defence has considered the development and implementation of an IT solution to transition projects out of excel spreadsheets into a system with better version control, consistent with the JCPAA’s September 2018 recommendation. Defence has advised that it will commence assessing the feasibility of implementing a system-based solution to manage project finances.

3.3.21 The development and implementation of guidelines, policies and procedures was in progress at the conclusion of the interim audit. Quality assurance processes have also been designed and will be implemented to confirm the asset under construction balances at 30 June 2022.

Unresolved moderate audit findings
Weaknesses around the governance of Australian Defence Force (ADF) health services

3.3.22 The provision of health services to ADF members is managed under a contract with an external service provider. The contract commenced on 1 July 2019 and includes two broad categories of charges covering off-base and on-base services. Defence undertakes a review of the fees and charges associated with off-base services to provide assurance that the invoiced amounts are accurate and valid.

3.3.23 As part of the 2020–21 audit, the ANAO identified weaknesses associated with the processes implemented by Defence to confirm the accuracy and validity of the service provider’s monthly invoices. The ANAO recommended that Defence:

  • examine and strengthen the design of processes to provide assurance over the accuracy and validity of the health service payments;
  • extend assurance activities to include on-base services; and
  • complete assurance activities in a timely manner and escalate issue to an appropriate level of management to ensure that issues can be dealt with promptly and recoveries initiated where required.

3.3.24 Defence has made progress to address the weaknesses reported. Remediation activities have included strengthening the design of processes and extending assurance activities to include off-base services. Defence has advised the remediation activities in relation to the tiered pricing structure are in progress.

SME valuation methodology

3.3.25 Defence manages SME assets to maintain its defence capability requirements and undertakes a fair value assessment of these assets in accordance with Australian Accounting Standard AASB 13 Fair Value Measurement. The ANAO assessed whether the selection of the method for determining fair value was appropriate for each class of SME and whether the key assumptions used in the valuation methodology were reasonable and appropriately supported.

3.3.26 The ANAO identified instances where the judgements supporting the valuation estimates were inconsistently applied or were not supported by a documented rationale. The ANAO also identified instances where the indexes used in the year-end valuations were not the 30 June index rates.

3.3.27 The ANAO also identified the following:

  • Defence had not considered whether capabilities of similar assets could be adjusted to arrive at the asset’s current replacement cost when applying the comparator approach;
  • Defence had not assessed the appropriateness of using adjusted market inputs when an asset had been constructed over an extended period of time;
  • an assessment of the continued appropriateness of the application of indices for a particular asset had not been performed; and
  • procedures to retrospectively assess whether estimates made in prior years were appropriate had not been implemented.

3.3.28 Weaknesses in the valuation methodology increase the risk of a material misstatement in the financial statements.

3.3.29 The ANAO recommended that Defence:

  • ensure documentation to support the valuation is comprehensive and demonstrates management’s assessment of estimation uncertainty; the consideration of alternative methodologies and assumptions;
  • undertake a retrospective review to confirm the reliability of estimates made in prior years;
  • consider engaging an external expert to review the valuation methodology and key assumptions designed to support the judgement that assets are held at fair value;
  • assess the continued appropriateness of cost as an input of fair value where assets are capitalised across multiple financial years; and
  • document the assessment performed to confirm the carrying amount of assets not subject to the current year comparator valuation approach are not materially different to fair value.

3.3.30 Defence agreed with the recommendation and has commenced the implementation of remediation activities. An expert has been engaged to undertake the valuation of SME assets. Defence has advised that the scope of work to be performed by the expert will include:

  • the consideration of alternative valuation methodologies and assumptions;
  • the execution of retrospective reviews to confirm the reliability of estimates made in prior years; and
  • assessment of the cost as an input of fair value where assets are capitalised across a number of years.

3.3.31 The ANAO will continue to assess management’s progress in implementing the remediation activities as part of the final audit.

Management of privacy data

3.3.32 Management of personally identifiable data is a responsibility of all Australian Government entities subject to the Privacy Act 1988. Under the Act, various supplementary directions such as the Australian Government Agencies Privacy Code (the Code) and the Australian Privacy Principles (APP) define an entity’s responsibility around the collection, use, storage and disclosure of personal information.

3.3.33 Defence has implemented a privacy policy which has been designed to inform individuals about the way Defence collects, stores, uses and discloses personal information. This policy also provides guidance to access, or seek correction of, personal information held by Defence.

3.3.34 In reviewing the privacy framework at Defence, the ANAO observed that:

  • significant programs related to the management of personally identifiable information are outdated or scheduled for reviews that have not yet occurred;
  • privacy impact assessments are not stored in an accessible format and are not searchable to discover known risks and impacts;
  • there is no consistent data dictionary or data governance applied to allow for the discovery of specific data types across disparate applications and networks;
  • information on historical data breaches is inconsistent across Defence, with no central repository or register to report against strategic risks; and
  • compliance activities to ensure Defence is meeting the requirements are either not able to be performed or are not performed in a timely manner.

3.3.35 Defence was unable to provide evidence and assurance that personally identifiable information was being managed appropriately. The ANAO also identified that Defence has limited ability to discover systems that contain information that would be classified as personally identifiable information, as well as no systematic method for tracking changes, access or distribution of personally identifiable information.

3.3.36 The weaknesses observed increase the risk that privacy data may be accessed or modified by those without authorisation to do so, and discovery of this inappropriate activity may not be timely or accurate.

3.3.37 The ANAO has recommended that Defence:

  • review its data governance framework and address control weaknesses surrounding the collection, use, storage and disclosure of personal information;
  • establish a digital repository to index or record the locations, types of data, systems and other critical information relating to the management of personally identifiable information; and
  • report regularly against compliance and application of the Privacy Policy as well as key indicators from the Code and APPs.

3.3.38 Defence advised that it will be instituting a number of remediation actions as part of the inaugural Defence Data Strategy 2021–23. The ANAO will review the implementation of the actions related to privacy data as part of the 2021–22 final audit.

Conclusion

3.3.39 At the completion of the interim audit, the ANAO has reported a number of areas where improvements are required. The audit findings outlined above reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement. During the 2021–22 final audit the ANAO will undertake further procedures and assess action taken by Defence to address the weaknesses identified.

3.4 Department of Veterans’ Affairs

Overview

3.4.1 The Department of Veterans’ Affairs (DVA) is the primary service delivery entity with responsibility for implementing programs to assist the veteran and ex-service communities, including repatriation, rehabilitation and compensation, and war graves.

3.4.2 DVA is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986; determining and managing claims relating to defence service under the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988; the administration of benefits and arrangements under the Military Rehabilitation and Compensation Act 2004; administering the Defence Service Homes Act 1918 and the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

3.4.3 Figure 3.4.1 and Figure 3.4.2 below show the 2021–22 departmental and administered financial statements items reported by DVA and the key areas of financial statements risk.

Figure 3.4.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.4.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.4.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DVA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DVA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DVA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.4.5 Annual appropriation funding of $425.2 million (departmental) and $151.7 million (administered) was provided to DVA in 2021–22 to support the achievement of the entity’s outcomes.90 DVA was also budgeted to receive special appropriation funding of $10,476.4 million.91

3.4.6 Table 3.4.1 and Table 3.4.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.4.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

488.8

12,589.3

Employee benefits

218.3

11.3

Grants

28.7

Suppliers

182.1

Depreciation and amortisation

47.7

2.9

Personal benefits

6,953.0

Healthcare payments

5,476.4

Payments to corporate entities

46.1

Other

40.7

70.9

Total own-source income

57.0

18.4

Net premium revenue

45.6

Rendering of services

6.7

Other

4.7

18.4

Net (cost of)/contribution to services

(431.8)

(12,570.9)

     

Source: DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.4.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

332.2

1,870.1

Cash and cash equivalents

8.8

33.4

Investments

50.2

1,685.9

Appropriation receivables

57.1

Trade and other receivables

45.0

82.4

Intangibles

55.5

Land and buildings

110.8

Other

4.8

68.4

Total liabilities

269.7

48,289.4

Suppliers

44.5

Personal benefits

63.5

Grants

5.0

Other payables

39.3

59.0

Leases

82.5

Employee provisions

68.5

3.4

Personal benefits provisions

25,667.0

Healthcare and other provisions

22,491.6

Other provision

34.9

Net assets/(liabilities)

62.5

(46,419.3)

     

Note: DVA’s estimated average staffing level for 2021–22 is 2,062.

Source: DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.4.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DVA financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.4.3.

Table 3.4.3: Key areas of financial statements risk

Relevant financial statements line item

Key area

Audit risk rating

Factors contributing to risk assessment

Administered

personal benefit and healthcare provisions

$48.2 billion

Valuation of personal benefits and healthcare (military compensation) provisions

KAM

Higher

  • judgements involved in determining the assumptions and calculations underpinning the actuarial assessment of the military compensation provision, including assumptions relating to future trends in medical costs, permanent incapacity, and inflation rates;
  • increasing value of the provision as an unfunded liability; and
  • completeness of data used to derive the valuation.

Administered

personal benefits expense

$7.0 billion

health care expenses

$5.5 billion

Accuracy of personal benefits and healthcare payments

Higher

  • complexity of overseeing and maintaining a large number of IT business systems which are supported by the shared services provider, Services Australia;
  • complexity of legislation applicable to individual claims;
  • reliance on accurate and complete veteran provided information; and
  • reliance on a risk-based quality assurance program to identify errors and initiate debt recovery arrangements in individual claims.
       

Source: ANAO 2021–22 risk assessment, and DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.4.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audits have been tabled to date in 2021–22 relevant to the financial management or administration of DVA.

Audit results

3.4.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash; appropriations; supplier expenses; employee benefits and administered personal benefit and health care payments.

3.4.10 Audit procedures relating to: the testing of IT general and application controls; accuracy of administered personal benefit and health care payments including payments to public and private hospitals; and review of the valuation of the personal benefits and health care (military compensation) provision will be undertaken as part of the planned 2021–22 final audit.

3.4.11 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.4.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

B

6

6

Total

6

6

         
Unresolved moderate audit findings
Process Direct Implementation

3.4.12 In November 2020, income and student support payment processing functions were transferred to the Process Direct system from old systems. The move to Process Direct was a component of the Veteran Centric Reform program.

3.4.13 ANAO identified weaknesses relating to security and data migration processes associated with the implementation of this upgrade. There was no authorisation to operate the system as required by the Protective Security Policy Framework and no system encryption was in place. At the end of the 2020–21 audit, DVA advised the ANAO that Process Direct had been appropriately certified with all required security documentation in August 2021 and that a review of cybersecurity governance, including the development and strengthening of appropriate security policies would occur in 2021–22. DVA noted the work was expected to be completed in June 2022.

3.4.14 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase

Monitoring of high-risk activity in IT systems

3.4.15 DVA reviews all activities in IT systems that are classified as high risk or a potential indicator of fraud. A software tool identifies this activity for review. As part of audit work undertaken, the ANAO identified that the software tool was no longer able to correctly identify high risk activity for review after a major IT change was implemented in November 2020.

3.4.16 As part of audit work undertaken during the 2020–21 audit, the ANAO identified that after a major IT change was implemented, the tool in place to monitor high-risk activity in IT systems was no longer able to correctly identify high risk activity for review. DVA subsequently made changes to ensure that the software tool could correctly identify high risk activity and retrospectively reviewed all activity that had occurred from November 2020 to July 2021.

3.4.17 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase.

User terminations

3.4.18 During the 2020–21 audit, the ANAO identified weaknesses in DVA’s controls relating to terminated users. There were no processes in place to identify users who had access to systems, applications and/or data repositories after cessation of employment or contract. Consequently, there was also no process to monitor activities undertaken by any users after access should have been removed.

3.4.19 The ANAO identified weaknesses in DVA’s controls relating to terminated users. There were no processes in place to identify users who had access to systems, applications and/or data repositories after cessation of employment or contract. Consequently, there was also no process to monitor activities undertaken by any users after access should have been removed.

3.4.20 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase.

User revalidations

3.4.21 A key aspect of system user management that protects systems and applications from exploitation is a regular user revalidation process that confirms only legitimate users have access to DVA systems and applications. ANAO noted that DVA does not have a user revalidation process in place for seven systems that support the financial statements. During the 2020–21 audit the ANAO identified that DVA did not have a process in place to revalidate user access for seven systems that support the financial statements.

3.4.22 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions were held with DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase.

QUASARS claim populations

3.4.23 QUASARS is a system used by DVA to select and perform quality assurance testing of decisions and payments made in relation to Income Support and Rehabilitation and Compensation. The results of quality assurance testing are used as a basis for DVA to quantify the potential error rate in personal benefit and health care payments.

3.4.24 The ANAO identified that there were no processes in place to ensure the completeness and accuracy of data extracted from business systems and uploaded into QUASARS. In addition, there were no documented instructions that outline the information required in each report extracted.

3.4.25 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase.

Financial delegations

3.4.26 Financial delegations are a key part of DVA’s internal control framework and ensure appropriately skilled personnel perform key functions. As part of the 2020–21 final audit, the ANAO identified that changes to delegations approved by the Secretary in February 2021 had not been implemented in DVA’s financial management information system (FMIS) until July 2021. DVA advised the ANAO that it had developed a process to ensure future changes to delegation limits were updated in a timely manner.

3.4.27 As part of the interim audit, the ANAO reviewed DVA’s new process. Additional information was also provided by DVA that identified it may not be possible to replicate in the IT systems, the specific level of delegations reflected in the approved delegation document. This would mean there is no system application control available. DVA is currently working with Services Australia to investigate this. The ANAO will review the progress on this finding during the final audit phase.

Conclusion

3.4.28 At the completion of the interim audit, the ANAO has reported a number of areas where improvements are required. The audit findings outlined above reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement. During the 2021–22 final audit the ANAO will undertake further procedures and assess action taken by DVA to address the weaknesses identified.

3.5 Department of Education, Skills and Employment

Overview

3.5.1 The Department of Education, Skills and Employment (DESE) is the lead entity in the portfolio and is responsible for ensuring Australians can experience the social wellbeing and economic benefits that quality education, skills and employment provide.

3.5.2 The department continues to support the formulation and delivery of targeted education, skills and employment initiatives through the next phase of the Government’s economic recovery plan through supporting Australians into jobs by investing in skills and higher education and helping job seekers to reconnect with employment. The department also supports the provision of essential services on which Australians rely, including early childhood education and care, schooling, skills and training, higher education, and employment services.

3.5.3 A Government decision on 10 November 2021 endorsed the transfer of responsibility for Seasonal Worker Programme (SWP) and Pacific Labour Scheme (PLS) from the Education Skills and Employment portfolio into a new single program—the Pacific Australia Labour Mobility (PALM) scheme to be administered by the Department of Foreign Affairs and Trade (DFAT).

3.5.4 Figure 3.5.1 and Figure 3.5.2 below show the 2021–22 departmental and administered financial statements items reported by DESE and the key areas of financial statements risk.

Figure 3.5.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.5.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.5.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DESE’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DESE’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DESE, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.5.6 Annual appropriation funding of $1,072.1 million (departmental) and $8,103.3 million (administered) was provided to DESE in 2021–22 to support the achievement of the entity’s outcomes.92 DESE was also budgeted to receive special appropriation funding of $53,606.2 million.93

3.5.7 Table 3.5.1 and Table 3.5.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.5.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

1,050.9

55,621.5

Employee benefits

475.3

Suppliers

419.0

2,716.0

Subsidies

4,325.0

Personal benefits

9,854.9

Grants

36,413.7

Write-downs and impairments of assets

2,180.3

Depreciation and amortisation

150.2

0.1

Finance costs

6.4

131.5

Total own-source income

42.8

2,779.8

Sale of goods and rendering of services

32.1

Other taxes

0.2

Interest

1,895.9

Gains

760.8

Other

10.7

122.9

Net (cost of)/contribution to services

(1,008.1)

(52,841.7)

     

Source: DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.5.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

1,206.9

61,195.1

Cash and cash equivalents

1.1

93.3

Trade and other receivables

418.6

57,327.1

Other investments

2,901.3

Other financial assets

5.2

872.4

Land and buildings

346.1

Property, plant and equipment

67.1

Intangibles

339.5

Other

29.3

1.0

Total liabilities

587.4

6,994.5

Suppliers

70.1

204.3

Other payables

0.8

4.1

Leases

342.8

1.2

Personal benefits

81.3

Grants

19.4

Personal benefits provision

508.0

Provision for grants

6,113.4

Employee provisions

173.7

Subsidies

62.8

Net assets/(liabilities)

619.5

54,200.6

     

Note: DESE’s estimated average staffing level for 2021–22 is 3,651

Source: DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.5.8 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DESE financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.5.3.

Table 3.5.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

Higher Education Loan Program (HELP) receivable

(a component of trade and other receivables $57.3 billion)

write–down and impairment of assets

(a component of write-down and impairment of assets balance of $2.2 billion)

HELP loans fair value losses

(a component of write-down and impairment of assets balance of $2.2 billion)

The valuation of the outstanding HELP loan receivable

KAM

Higher

  • the balances of outstanding loans and impairment are derived from complex actuarial estimates and the estimate contains a degree of estimation uncertainty;
  • the complexity involved in estimating future income of individuals that need to repay HELP debts, the timing of expected repayments and the amount of the loan not expected to be recovered; and
  • payment data is reliant on sources external to DESE such as: the Australian Taxation Office; universities; and other third parties.

Administered

Higher Education Superannuation Program (HESP) receivable

(a component of trade and other receivables $57.3 billion)

The valuation of the HESP provision and receivable

KAM

Higher

  • the valuation of the HESP liability is subject to an actuarial estimation process and is highly sensitive to movements in discount factors and bond rates; and
  • the valuation is complex and depends on the accurate provision of source data by universities.

Administered personal benefit expenses

$9.8 billion

liabilities

personal benefits payable

$81.3 million

personal benefits provision

$508.0 million

Accuracy and valuation of ‘assistance to families with children’ payments

KAM

Higher

  • complex legislation and administration arrangements that apply to child care personal benefits;
  • accounting and disclosure of year- end balances which are contingent on the lodgement of recipients’ income tax returns;
  • payments are reliant on self- assessed information provided by child care service providers and claimants; and
  • the IT environment is highly dependent on external information systems which are administered by the Department of Social Services and Services Australia.

Administered

all financial statements items

Completeness and accuracy of financial statements balances impacted by the complexity and range of IT systems used to maintain information and process payments

Moderate

  • large and complex IT environment with business applications processing a high volume of transactions;
  • many IT systems are bespoke or heavily customised by DESE; and
  • reliance on customised reports to prepare financial statements balances.
       

Source: ANAO 2021–22 risk assessment, and DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.5.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No.8 Use and Administration of Wage Subsidies was tabled during 2021–22 and relevant to the financial management or administration of DESE. The recommendation from this report was considered in designing audit procedures for the current year.

Audit results

3.5.10 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash; appropriations; special accounts; non-financial assets; supplier expenses; and Commonwealth grants, Block grants, and schools’ recurrent funding payments. Audit coverage also included an assessment of the IT general controls over the financial management information system.

3.5.11 The 2021–22 final planned audit procedures will include testing of IT application controls on key business systems, and review and assessment of the year-end loan balances.94 In addition audit procedures relating to: child care subsidy payments; administered grants payments to schools and universities; administered investments and compliance programs95 will be performed.

3.5.12 The assessment of IT controls over services provided to DESE by the Department of Finance’s Service Delivery Office, including monitoring controls in place at DESE relating to these processes, is in progress.

3.5.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.5.14 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DESE will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.6 Department of Finance

Overview

3.6.1 The Department of Finance (Finance) is responsible for supporting the government’s budget process and the development and implementation of the government’s regulatory frameworks for public sector resource management, governance and accountability. In addition, Finance is responsible for the preparation of the consolidated financial statements of the Australian Government, which includes the whole-of-government and the general government sector financial statements and the Australian Government’s financial outcome. The department also provides shared services through the Service Delivery Office.

3.6.2 Figure 3.6.1 and Figure 3.6.2 below show the 2021–22 departmental and administered financial statements items reported by Finance and the key areas of financial statements risk.

Figure 3.6.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.6.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.6.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Finance’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Finance’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Finance, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.6.4 Annual appropriation funding of $1,040.1 million (departmental) and $410.0 million (administered) was provided to Finance in 2021–22 to support the achievement of the entity’s outcomes.96 Finance was also budgeted to receive special appropriation funding of $8,080.9 million.97

3.6.5 Table 3.6.1 and Table 3.6.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.6.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

636.6

11,907.6

Employee benefits

173.4

399.8

Suppliers

184.1

131.6

Depreciation and amortisation

53.9

62.4

Insurance claims

189.4

Superannuation

8,378.9

Distributions from investment funds

2,801.9

Other

35.8

133.0

Total own-source income

341.3

2,480.5

Contracts with customers

75.6

2.3

Insurance premiums

165.5

Superannuation contributions

1,084.5

Interest and dividends

515.2

Gains on sale of investments

865.4

Rental Income

78.3

Other

21.9

13.1

Net (cost of)/contribution to services

(295.3)

(9,427.1)

     

Source: Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.6.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

5,260.5

51,813.8

Cash and cash equivalents

1,308.3

425.5

Trade and other receivables

72.1

209.3

Land and buildings (including investment properties)

3,756.5

260.3

Property, plant and equipment

15.3

97.8

Intangibles

94.6

0.1

Investments

50,774.3

Other

13.7

46.5

Total liabilities

1,810.5

147,572.2

Suppliers

37.5

15.5

Outstanding insurance claims

1,132.5

Employee provisions

66.2

296.8

Return of equity

73.2

Superannuation provisions

146,382.2

Leases

447.8

242.1

Other

53.3

635.6

Net assets/(liabilities)

3,450.0

(95,758.4)

     

Note: Finance’s estimated average staffing level for 2021–22 is 1,283.

Source: Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.6.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Finance’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.6.3.

Table 3.6.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Departmental

insurance provision

$1.1 billion

Valuation of the outstanding claims liability under the Australian Government’s self- managed general insurance fund

KAM

Higher

  • complex calculation that involves significant judgement over key assumptions including claim ratios, expected frequency of claims, severity of claims and discount rates

Administered

superannuation provision

$146.4 billion

Valuation of the non- defence superannuation provision

KAM

Higher

  • complex calculation requiring significant judgement in the selection of long-term assumptions, including economic assumptions and demographics of the schemes’ members

Departmental

land and buildings (including investment properties)

$3.8 billion

Valuation of properties KAM

Moderate

  • the valuations being dependent on assumptions that require judgement relating to fair market rents, discount rates, condition and use of the properties.
       

Source: ANAO 2021–22 risk assessment, and Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.6.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to cash, appropriation, financial management and human resources. Audit procedures relating to valuation of the superannuation provision, insurance provision and properties will be undertaken as part of the planned 2021–22 final audit.

3.6.8 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.6.9 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.7 Future Fund Management Agency

Overview

3.7.1 The Future Fund Board of Guardians, supported by the Future Fund Management Agency (together the Future Fund), is responsible for investing the assets of the Future Fund under the Future Fund Act 2006, and other investment funds, managed on behalf of the Department of Finance, as a means to provide financing sources for substantial future investments in the Australian economy. Legislation under which the investments are made include: the Disability Care Australia Fund Act 2013; the Medical Research Future Fund Act 2015; the Aboriginal and Torres Strait Islander Land and Sea Future Fund Act 2018; the Emergency Response Fund Act 2019; and the Future Drought Fund Act 2019.

3.7.2 Figure 3.7.1 and Figure 3.7.2 below show the 2021–22 departmental and administered financial statements items reported by Future Fund and the key areas of financial statements risk.

Figure 3.7.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.7.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.7.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Future Fund’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Future Fund’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Future Fund, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.7.4 Future Fund does not receive any annual appropriation funding. The Future Fund is self-funded and does not rely on appropriations for its operations.

3.7.5 Table 3.7.1 and Table 3.7.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.7.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

151.1

493.8

Employee benefits

67.1

1.0

Suppliers

72.6

492.8

Depreciation and amortisation

11.2

Other expenses

0.2

Total own-source income

151.1

11,832.0

Interest and dividends

151.0

6,093.0

Other gains

0.1

5,739.0

Net (cost of)/contribution to services

11,338.2

     

Source: The Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.7.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

95.7

210,694.8

Cash and cash equivalents

0.4

21.9

Trade and other receivables

30.1

3,438.9

Other financial assets

5.2

Non-financial assets

60.1

Investments

207,234.0

Total liabilities

95.7

2,597.1

Employee provisions

12.9

Suppliers payable

7.7

241.7

Leases

51.7

Other

23.4

2,355,4

Net assets/(liabilities)

208,097.7

     

Note: The Future Fund’s estimated average staffing level for 2021–22 is 350.

Source: The Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

Key areas of financial statements risk

3.7.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Future Fund’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.7.3.

Table 3.7.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

investments – collective investments

(a component of other investments $207.2 billion)

Valuation of private market investments

KAM

Higher

  • the size of the investments and the inherent subjectivity and significant judgements and estimates required where market data is not available to determine the fair value of these investments.

Administered

investments

(a component of other investments $207.2 billion)

Valuation of public market investments

Moderate

  • the size of the investments and the reliance on the valuation undertaken by the custodian.
       

Source: ANAO 2021–22 risk assessment, and the Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

Audit results

3.7.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to the management of investments; monitoring of service providers; and operational expenses incurred by the Future Fund.

3.7.8 The valuation of investments, including the assessment of controls that reside within the outsourced custodian, will be completed as part of the planned 2021–22 final audit.

3.7.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.7.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Future Fund will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.8 Department of Foreign Affairs and Trade

Overview

3.8.1 The Department of Foreign Affairs and Trade (DFAT) supports Australia’s foreign, trade and investment, development and international security policy priorities. DFAT is the lead agency managing Australia’s international presence and will lead efforts to maximise Australia’s security and prosperity through implementation of the 2017 Foreign Policy White Paper.

3.8.2 Figure 3.8.1 and Figure 3.8.2 below show the 2021–22 departmental and administered financial statements items reported by DFAT and the key areas of financial statements risk.

Figure 3.8.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DFAT’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.8.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DFAT’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.8.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DFAT’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DFAT’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DFAT, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.8.4 Annual appropriation funding of $1,980.5 million (departmental) and $4,097.5 million (administered) was provided to DFAT in 2021–22 to support the achievement of the entity’s outcomes.98 DFAT was also budgeted to receive special appropriation funding of $330.9 million.99

3.8.5 Table 3.8.1 and Table 3.8.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.8.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

2,050.2

4,233.2

Employee benefits

983.4

Suppliers

720.4

Depreciation and amortisation

328.1

0.5

International Development Assistance (IDA)

3,502.7

Multilateral replenishments

7.8

Other Contributions

525.7

Other

18.3

196.5

Total own-source income

171.6

468.5

Sale of goods and rendering of services

112.2

Fees and charges

393.0

Other

59.4

75.5

Net (cost of)/contribution to services

(1,878.6)

(3,764.7)

     

Source: DFAT’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.8.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

6,070.0

3,433.9

Cash and cash equivalents

382.6

23.3

Trade and other receivables

548.1

71.5

Multilateral Investments

2,560.3

Land and buildings

4,520.8

Property, plant and equipment

355.6

Other

262.9

778.8

Total liabilities

1,596.7

1,842.6

Suppliers payable

123.4

Multilateral replenishments payable

1,519.7

Other payables

85.4

225.1

Leases

1,091.8

Employee provisions

257.4

81.5

Other provisions

38.7

16.3

Net assets/(liabilities)

4,473.3

1,591.3

     

Note: DFAT’s estimated average staffing level for 2021–22 is 5,990.

Source: DFAT’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.8.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DFAT’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.8.3.

Table 3.8.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Departmental

land and buildings

$4.5 billion

Valuation of the overseas property portfolio

KAM

Higher

  • subject to complex estimation and judgements affected by market conditions at overseas locations and foreign exchange movements;
  • range of valuation methodologies applied; and
  • reliance on third party contractual arrangements for the management of overseas property.

Administered

international development assistance

$3.5 billion

Completeness and accuracy of international development assistance

KAM

Moderate

  • assistance provided underpinned by a broad range of agreements. These agreements cover a variety of geographical areas with various counterparties including international organisations, emergency and humanitarian programs, contributions to non-government organisations and volunteer programs.
       

Source: ANAO 2021–22 risk assessment, and DFAT’s 2021–22 estimated actual for the year ended 30 June 2022.

Audit results

3.8.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: payroll processing and IT general controls in the financial management information system; the human resource management information system; and the two International Aid information systems.

3.8.8 Audit procedures relating to: valuation of land and buildings; departmental revenue; supplier expenses; and employee benefits (including financial information processed through international post locations) will be undertaken as part of the planned 2021–22 final audit.

3.8.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.8.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.9 Department of Health

Overview

3.9.1 The Department of Health is responsible for achieving the Australian Government’s health and ageing policy priorities through evidence-based policy, program administration, research, regulatory activities, and partnerships with other government entities, consumers and stakeholders.

3.9.2 Figure 3.9.1 and Figure 3.9.2 below show the 2021–22 departmental and administered financial statements items reported by Health and the key areas of financial statements risk.

Figure 3.9.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.9.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.9.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Health’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Health’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Health, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.9.4 Annual appropriation funding of $1,168.1 million (departmental) and $23,529.7 million (administered) was provided to Health in 2021–22 to support the achievement of the entity’s outcomes.100 Health was also budgeted to receive special appropriation funding of $32,315.0 million.101

3.9.5 Table 3.9.1 and Table 3.9.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.9.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

1,325.1

99,483.6

Employee benefits

670.5

Suppliers

495.1

6,482.0

Subsidies

15,111.1

Depreciation and amortisation

149.3

1.7

Personal benefits

64,247.1

Grants

13,000.6

Payments to corporate Commonwealth entities

599.3

Interest on right of use assets

5.9

Other

4.3

41.8

Total own-source income

228.6

50,180.2

Sale of goods and rendering of services

221.0

Other revenue & gains

7.6

511.1

Recoveries

4,305.5

Interest

15.1

Other taxes

25.6

Special account transfers

45,322.9

Other

Net cost of services

1,096.50

49,303.4

     

Source: Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.9.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

1,112.8

6,452.2

Receivables

98.1

1,052.0

Cash and cash equivalents

135.4

1,911.4

Investments

641.3

Inventories

1,776.7

Land and buildings

549.6

Property, plant and equipment

7.4

4.9

Intangibles

278.1

Other

44.2

Prepayments

1,065.9

Total liabilities

877.8

4,387.4

Personal benefits payable

2,085.1

Subsidies payable

90.1

Suppliers payable

74.5

190.8

Grants payable

176.1

Other payables

31.2

Personal benefits provision

1,337.3

Subsidies provision

508.0

Leases-Interest bearing

550.9

Employee payable

15.3

Employee provisions

195.4

Other

10.5

Net assets

235.0

2,064.8

     

Note: Health’s estimated average staffing level for 2021–22 is 4,884.

Source: Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.9.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Health’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.9.3.

Table 3.9.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

subsidies

$15.1 billion

 

Accuracy of aged care subsidies

KAM

Higher

  • the subsidy paid is based on the assessment of residents’ ongoing care needs performed by the residential aged care provider; and
  • payments are calculated by multiple, complex information technology systems and are underpinned by complex regulatory requirements.

Administered

personal benefits

$64.2 billion

Accuracy of personal benefit health care entitlements

KAM

Higher

  • payments are based on information provided by the benefit recipients and may be significantly impacted by delays in recipients providing correct or updated information and/or provision of incorrect information resulting in invalid payments.

Administered

inventory

$1.8 billion

prepayments

$1.1 billion

Completeness and existence of inventories

KAM

Higher

  • nature, size and complexity of the inventory transactions.

Administered

personal benefits provisions

$1.3 billion

personal benefit payables

$2.1 billion

Valuation of personal benefits provisions and payables

KAM

Higher

  • the uncertainty associated with claim experience and patterns for outstanding claims for medical services and pharmaceuticals and pharmaceutical services.

Administered

subsidies provision

$0.5 billion

subsidies payable

$0.1 billion

Valuation of subsidy provisions and payables

KAM

 

Moderate

  • the significant professional judgement applied in the selection and application of key assumptions related to the nature of claim, claim patterns and experience.

Administered

recoveries

$4.3 billion

Completeness and accuracy of pharmaceutical benefit scheme drug recoveries

Moderate

  • the diversity of the risk sharing arrangements entered into with pharmaceutical companies; and
  • the risk sharing arrangements differ in respect to the entitlements for recovery and the calculation of the amount recoverable.

Administered

grants

$13.0 billion

Accuracy and occurrence of grants expenses

Moderate

  • diversity of the grant programs administered by Health with differing eligibility and reporting requirements.
       

Source: ANAO 2021–22 risk assessment, and Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

3.9.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2021–22 relevant to the financial management or administration of Health:

  • Auditor-General Report No.3 Department of Health’s Management of Financial Assistance under the Medical Research Future Fund;
  • Auditor-General Report No.5 Improving Immunisation Coverage; and
  • Auditor-General Report No.12 Management of International Travel Restrictions during COVID-19.

3.9.8 Auditor-General Report No.3 2021–22 included observations relevant to the administration of grants outlined above in Table 3.9.3. Health agreed with the recommendation to report grants in the same way that grant opportunities are classified in the grant opportunity guidelines and reported on GrantConnect. No significant changes were made to the designed audit procedures for the financial statements audit.

3.9.9 The observations of Auditor-General Report No.5 2021–22 and Auditor-General Report No.12 2021–22 were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement. The results of the reports were considered in designing our audit procedures. No significant changes were made to the designed audit procedures for the financial statements audit.

Audit results

3.9.10 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: IT security and change management in the financial management information system and human resource management information system; the accuracy of aged care subsidies; and the accuracy of personal benefit health care entitlements. Detailed testing has also been performed in relation to the pharmaceutical benefit scheme drug recoveries and grants expenses.

3.9.11 Other key areas of audit focus, including the valuation of personal benefit provisions and the subsidy provisions and payables and the completeness and existence of inventories will be performed as part of the 2021–22 final audit.

3.9.12 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.9.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

B

1

1

Total

1

1

         
Unresolved moderate audit finding
National Medical Stockpile (NMS)—recording and management

3.9.13 During the 2019–20 audit, the ANAO’s testing identified weaknesses in Health’s recording and management of the NMS. These included:

  • the inventory management system supporting the NMS not being fit for purpose;
  • the absence of reconciliations between the Health FMIS and inventory records and financial reporting by product and location for the last quarter of the financial year;
  • a number of errors in the manually entered excel inventory register; and
  • lack of frequency in stock taking processes, delays in provisions of stock take methodology and timely resolution of stock take variation.

3.9.14 During 2020–21, there were delays in implementing a fit for purpose inventory management system, resulting in the continued reliance on the manual inventory register. This resulted in continued weaknesses associated with regular reconciliation between key source reports, stock take validation reporting and the extent of quality assurance processes over the excel solution.

3.9.15 As part of the 2021–22 interim audit, the ANAO has assessed Health’s progress in addressing the weaknesses identified.

3.9.16 Health continues to implement the inventory management system (IMS) using a phased approached. Health have designed and implemented reconciliations to confirm that the balances are recorded in the financial information system aligning to the logistical provider records. Health have advised that the stocktake methodology was being prepared at the conclusion of the interim audit.

3.9.17 The ANAO will continue to monitor the department’s progress in implementing the IMS as part of the final audit phase. The ANAO will also focus of the processes implemented by management to confirm the completeness and accuracy of data supporting the transition to the inventory management system.

3.9.18 The ANAO will continue to test the operating effectiveness of the reconciliations implemented to confirm the completeness of information recorded in the financial management information system. Audit procedures related to the testing of the design and implementation of the stocktake methodology will also be completed as part of the final audit.

Conclusion

3.9.19 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Health will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audit.

3.10 Department of Home Affairs

Overview

3.10.1 The Department of Home Affairs (Home Affairs) coordinates policy and operations for Australia’s national and transport security, federal law enforcement, criminal justice, cybersecurity, border, immigration, multicultural affairs, emergency management and trade-related functions.

3.10.2 Figure 3.10.1 and Figure 3.10.2 below show the 2021–22 departmental and administered financial statements items reported by Home Affairs and the key areas of financial statements risk.

Figure 3.10.1:  Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.10.2:  Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.10.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Home Affairs’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Home Affairs’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Home Affairs, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.10.4 Annual appropriation funding of $3,271.2 million (departmental) and $2,478.1 million (administered) was provided to Home Affairs in 2021–22 to support the achievement of the entity’s outcomes.102 Home Affairs was also budgeted to receive special appropriation funding of $820.7 million.103

3.10.5 Table 3.10.1 and Table 3.10.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.10.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

3,367.3

2,692.7

Employee benefits

1,592.7

Suppliers

1,091.5

2,216.1

Depreciation and amortisation

635.7

105.5

Personal benefits

156.0

Grants

204.1

Other

47.4

11.0

Total own-source income

233.3

19,387.1

Sale of goods and rendering of services

214.8

96.8

Customs duty

16,979.4

Other taxes

2,247.5

Other

18.5

63.4

Net (cost of)/contribution to services

(3,134.0)

16,694.4

     

Source: Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.10.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

5,420.7

1,142.3

Cash and cash equivalents

14.8

79.2

Trade and other receivables

593.8

30.3

Taxation receivables

186.0

Land and buildings

2,357.7

667.4

Property, plant and equipment

1,885.8

171.3

Intangibles

489.3

1.3

Other

79.3

0.2

Assets held for sale

6.6

Total liabilities

4,305.9

451.7

Employee provisions

557.7

Payables

239.4

435.1

Leases

3,451.3

7.1

Other

57.5

9.5

Net assets/(liabilities)

1,114.8

690.6

     

Note: Home Affairs’ estimated average staffing level for 2021–22 is 13,612.

Source: Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.10.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Home Affairs’ financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.10.3.

Table 3.10.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

customs duty revenue

$17.0 billion

taxation receivable – customs duty

$186.0 million

 

Completeness and accuracy of customs duty collections and refunds

KAM

Higher

  • reliance on information provided by third parties in a self-assessment regime and volume of transactions that contribute to customs duty revenue;
  • complexity in regard to the broader tariff classification scheme specifically related to products and origin; and
  • complexity of the information technology (IT) environment used to manage customs duty due to multiple systems across multiple entities.

Administered

visa application charges

$2.2 billion

 

Completeness and accuracy of the collection of visa revenue

KAM

Higher

  • decentralised approach to the collection of visa revenue which occurs in a number of locations domestically and internationally, using a number of payment mechanisms and IT systems.

Administered

services rendered – detention (component of supplier expenses)

$2.2 billion

 

Accuracy of detention and regional processing centres expenses

KAM

Higher

  • complexity of contracts associated with managing the detention and regional processing centres; and
  • the variability of the costs associated with administering the detention and regional processing network, as the level of expenses is dependent on the rate of arrival and detention of these people.

Departmental

employee benefits expense

$1.6 billion

employee provisions

$557.7 million

 

Completeness and accuracy of employee entitlements

 

Moderate

  • disbursement of staff across multiple locations, and variable staff entitlements including a range of allowances subject to a number of conditions.

Departmental and administered

multiple financial statements line items

Completeness and accuracy of financial information associated with overseas posts

Moderate

  • decentralised and remote nature of operations; and
  • reliance on third party arrangements through service level agreements with the Department of Foreign Affairs and Trade, and the Australian Trade and Investment Commission (Austrade).

Administered

non-financial assets relating to detention and regional processing centres (component of non-financial assets and excluding computer software and prepayments)

$838.7 million

Valuation of detention and regional processing centres

Moderate

  • complexity of valuations performed in a range of markets given the geographically dispersed land, buildings and equipment including assets located overseas.
       

Source: ANAO 2021–22 risk assessment, and Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.10.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: collection of customs duty revenue and visa application revenue; the management of the onshore immigration detention centres and overseas regional processing centres; and accounting for employee entitlements.

3.10.8 Interim audit coverage has also included an assessment of IT general controls, including security and change management processes relevant to the financial management information system and human resources management information system.

3.10.9 Audit procedures relating to: reporting of overseas transactions; IT application controls; and testing the processes identified above for the remainder of the financial year will be undertaken as part of the planned 2021–22 final audit.

3.10.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.10.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.11 Department of Industry, Science, Energy and Resources

Overview

3.11.1 The Department of Industry, Science, Energy and Resources (Industry) is responsible for: supporting science and commercialisation; growing business investment and improving business capability; developing northern Australia; streamlining regulation; developing and implementing a national response to climate change; improving Australia’s energy supply, efficiency, quality, performance and productivity; and facilitating the growth of small and family business.

3.11.2 Industry offers a grants hub and shared services centre which provides other Commonwealth entities with administrative support including grants administration and payments processing; human resources and financial transactions processing and the provision of management information systems supporting these processes.

3.11.3 Figure 3.11.1 and Figure 3.11.2 below show the 2021–22 departmental and administered financial statements items reported by Industry and the key areas of financial statements risk.

Figure 3.11.1:  Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.11.2:  Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.11.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Industry’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Industry’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Industry, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.11.5 Annual appropriation funding of $717.6 million (departmental) and $3,216.8 million (administered) was provided to Industry in 2021–22 to support the achievement of the entity’s outcomes.104 Industry was also budgeted to receive special appropriation funding of $342.6 million.105

3.11.6 Table 3.11.1 and Table 3.11.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.11.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

833.2

4,097.6

Employee benefits

418.9

8.0

Suppliers

327.2

740.7

Depreciation and amortisation

76.4

2.3

Write-down and impairment of assets

1.4

Grants

7.3

Grants and subsidies

1,601.0

Payments to corporate Commonwealth entities

1,744.1

Finance costs

3.4

0.1

Other

0.1

Total own-source income

100.2

1,553.6

Royalties

1,323.6

Sale of goods and rendering of services

87.3

Other

12.9

230.0

Net (cost of)/contribution to services

(733.0)

(2,544.0)

     

Source: Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.11.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

672.6

27,825.1

Cash and cash equivalents

28.8

5,945.0

Investments

21,533.0

Trade and other receivables

89.5

226.3

Land and buildings

363.7

5.0

Property, plant and equipment

41.9

Other

148.7

115.7

Total liabilities

471.2

578.1

Leases

275.6

4.1

Suppliers

54.8

30.5

Employee provisions

127.0

2.2

Grants payable

0.7

61.9

Other

13.8

479.4

Net assets/(liabilities)

201.4

27,247.0

     

Note: Industry’s estimated average staffing level for 2021–22 is 3,184

Source: Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.11.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Industry’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.11.3.

Table 3.11.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Departmental

own-source income

$99.6 million

Completeness and accuracy of Industry’s other revenue streams

Higher

  • numerous types of revenue streams with a reliance on manual calculations to quantify some revenue amounts; and
  • cash based transactions.

Administered

investments

(a component of other investments)

$11.0 billion

Valuation of the Australian Government’s investment in Snowy Hydro Ltd

KAM

Higher

  • complex estimation and significant judgement relating to forecasts of future cash flows as the investment is unique and not readily traded in the open market.

Administered

royalties revenue

$1,323.6 million

 

Completeness and accuracy of offshore petroleum and uranium royalties

KAM

Higher

  • reliance on data reporting and administrative functions performed by third parties, including state and foreign governments and other federal government agencies; and
  • calculations are dependent on information provided by taxpayers in a self-assessment regime.

Administered

grants expense

(a component of grants and subsidies $1,601.0 million)

grants payable

$61.9 million

Accuracy, occurrence and completeness of grant payments

Moderate

  • significant number of individual grant programs which operate under separate grant agreements and are subject to different eligibility criteria; and
  • reliance on third party acquittals to confirm validity of grant payments.

Administered

Ranger rehabilitation provision

$477.9 million

Valuation of the Ranger Rehabilitation Security and accuracy of cost of rehabilitation works

Moderate

  • complexity, estimation and significant judgement relating to the forecast and timing of future rehabilitation costs; and
  • reliance on data provided by third parties.
       

Source: ANAO 2021–22 risk assessment, and Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.11.8 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to employee and supplier expenditure; appropriations and special accounts; and asset and cash management. The interim audit coverage has also included assessments of controls relating to selected departmental and administered revenue streams, grant payments and IT general and applications controls for key financial systems.

3.11.9 Audit procedures relating to the completeness and accuracy of royalties, and valuation of the administered investments, including Snowy Hydro Limited, and the Ranger rehabilitation provision will be undertaken as part of the planned 2021–22 final audit.

3.11.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.11.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Industry will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.12 Snowy Hydro Limited

Overview

3.12.1 Snowy Hydro Limited (Snowy Hydro) is a government business enterprise. The primary business includes energy generation activities to supply the National Electricity Market (NEM) and operating as a retail energy provider to over 1.1 million customers through the Red Energy and Lumo Energy brands. Snowy Hydro’s energy generation capacity of 5,500 megawatts supplies New South Wales, Victoria and South Australia, primarily through the generating capacity of the Snowy Mountains hydroelectric scheme.

3.12.2 Snowy Hydro is currently progressing Snowy 2.0, a pumped hydro project that will add 2,000 megawatts of on-demand generation and approximately 350,000 megawatt hours of large-scale storage to the NEM. In 2021–22 Snowy Hydro commenced construction of a 660 megawatt open cycle gas turbine power station at Kurri Kurri, New South Wales, known as the Hunter Power Project. The project obtained approval from the NSW Government in December 2021 and environmental approval from the Australian Government in February 2022.

3.12.3 Figure 3.12.1 below shows the 2020–21 financial statements items reported by Snowy Hydro and the key areas of financial statements risk.

Figure 3.12.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Snowy Hydro’s audited financial statements for the year end 30 June 2021.

3.12.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Snowy Hydro’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Snowy Hydro’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Snowy Hydro, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.12.5 Snowy Hydro does not receive any annual appropriation funding. The operational functions of Snowy Hydro are primarily funded through own source income. The primary income sources for Snowy Hydro are retail revenue which arises from the supply of electricity and gas to customers through the Red and Lumo energy brands and wholesale revenue arising from the generation and supply of electricity to the NEM. Snowy Hydro is accessing a mix of private debt funding and equity injections from the Australian Government to fund the construction and delivery of the Snowy 2.0 and Hunter Power projects.

3.12.6 Table 3.12.1 and Table 3.12.2 below provide a summary of the key 2020–21 audited financial statements items.

Table 3.12.1: Key expenses and total own-sourced income

Expenses and own-source income

Actual

($m) 2020–21

Total expenses

2,312.3

Direct costs of revenue

1,680.4

Changes in the fair value of financial instruments

1.5

Depreciation and amortisation

150.8

Employee benefits

222.7

Impairment loss on trade receivables

30.5

Net finance costs

40.0

Other

186.4

Total income

2,689.9

Revenue

2,674.7

Other income

15.2

Profit before income tax

377.6

Income tax expense

112.5

Profit after income tax

265.1

   

Source: Snowy Hydro’s 2020–21 audited financial statements.

Table 3.12.2: Key assets and liabilities

Assets and liabilities

Actual

($m) 2020–21

Total assets

5,927.2

Cash and cash equivalents

190.2

Trade and other receivables

461.9

Other financial assets

128.9

Deferred tax assets

271.6

Property, plant and equipment

3,883.2

Goodwill and other intangible assets

511.8

Other

479.6

Total liabilities

3,405.2

Trade and other payables

384.4

Interest bearing liabilities

2,295.8

Other financial liabilities

535.3

Other

189.7

Net assets/(liabilities)

2,522.0

   

Note: Snowy Hydro’s staffing level at 30 June 2021 was 1,743 including non-ongoing contractors as reported in the 2020–21 annual report.

Source: Snowy Hydro’s 2020–21 audited financial statements.

Key areas of financial statements risk

3.12.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Snowy Hydro’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.12.3.

Table 3.12.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Other financial assets

$128.9 million

other financial liabilities

$535.3 million

decrease in the fair value of financial instruments

$1.5 million

increase in other comprehensive income

$119.6 million

Valuation of financial instruments

KAM

Higher

  • increased level of management judgement required to determine fair value of derivative contracts which are underpinned by complex data models to calculate financial instrument values;
  • valuation process requires the use of observable and unobservable inputs to calculate fair value. The nature and uniqueness of some energy market derivatives recognised by Snowy Hydro requires an increased level of judgement to determine unobservable valuation model inputs; and
  • the valuation of financial instruments is sensitive to inputs such as electricity prices, electricity supply volumes and market data such as interest and exchange rates.

Property, plant and equipment

(a component of $2.0 billion construction in progress)

Capitalisation of work in progress for Snowy 2.0

KAM

Higher

  • Snowy 2.0 is a complex infrastructure project delivered over a number of financial periods; and
  • judgement applied by Snowy Hydro in determining which costs associated with project establishment and delivery, meet the relevant technical requirements for capitalisation.

Trade receivables

$529.9 million

(includes unbilled receivable of $260.0 million)

allowance for doubtful debts

$68.0 million

Completeness and accuracy of the impairment of retail debtors

KAM

Higher

  • level of judgement applied by management in determining the estimate of expected lifetime credit loss on trade and other receivables. Management is required to consider the economic impact of external events in making these judgements which increased estimation uncertainty.

Environmental certificate assets

$85.4 million

Valuation of renewable energy certificates

Moderate

  • increased level of judgement applied by Snowy Hydro in determining the appropriate accounting treatment for renewable energy certificates and their valuation at balance date.

Unbilled revenue receivable

$260.0 million

 

Valuation and existence of unbilled retail revenue

Moderate

  • estimation required due to services provided not yet billed arising from timing of electricity meter reads for customers and the date of preparing the financial statements; and
  • estimation process involves increased management judgement underpinned by a complex data model with a number of inputs, significant number of customers and data sources.

Capitalised customer acquisition costs

(a component of goodwill and other intangible assets)

$88.1 million

amortisation

$38.8 million

Valuation of customer acquisition costs

Moderate

  • level of management judgement applied in determining which costs outlaid to acquire retail customers meet relevant technical requirements for capitalisation; and
  • complexity of estimation process and judgement applied to determine an appropriate amortisation rate reflective of the expected time a customer will continue to procure services from Snowy Hydro.

Intangible assets – goodwill

$383.2 million

Valuation and impairment of non-financial assets

Moderate

  • the impairment estimation process is complex and judgmental due to the nature of the impairment model which requires assumptions to be made related to future cash flows and discount rates.

Property, plant and equipment

(a component of $2.0 billion construction in progress)

Capitalisation of work in progress for the Hunter Power project

Moderate

  • judgement applied by Snowy Hydro in determining which costs associated with project e establishment and delivery, meet the relevant technical requirements for capitalisation.

Interest bearing liabilities

$2.3 billion

Debt facility and covenant compliance

Moderate

  • Snowy Hydro is accessing a mix of private debt funding and equity injections from the Australian Government to fund the construction and delivery of the Snowy 2.0 and Hunter Power projects.
       

Source: ANAO 2021–22 risk assessment, and Snowy Hydro’s audited financial report for the year ended 30 June 2021.

3.12.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audits have been tabled to date in 2021–22 relevant to the financial management or administration of Snowy Hydro.

Audit results

3.12.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: retail and generation billing revenue and receivables; purchases to pay; treasury; renewable energy certificates; financial reporting; and payroll.

3.12.10 Audit procedures relating to IT general and application controls, assessment of controls relating to non-financial assets and substantive testing on all material financial statements line items will be undertaken as part of the planned 2021–22 final audit. This will include audit procedures to test material accounting estimates made by Snowy Hydro, relating to the key areas of financial risk: valuation of financial instruments; capitalisation of customer acquisition costs; unbilled electricity revenue receivable; renewable energy certificates; goodwill; and impairment of trade and other receivables.

3.12.11 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.12.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Snowy Hydro will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.13 Department of Infrastructure, Transport, Regional Development and Communications

Overview

3.13.1 The Department of Infrastructure, Transport, Regional Development and Communications (Infrastructure) is responsible for improving infrastructure across Australia through funding coordination of transport and other infrastructure; providing an efficient, sustainable, competitive and safe transport system for all transport users; strengthening the sustainability, capacity and diversity of regional economies; providing advice on population policy; implementing the national policy on cities; and promoting an innovative and competitive communications sector. The department also promotes participation in and access to Australia’s arts and culture through developing and supporting cultural expression and supports governance arrangements in the Australian territories.

3.13.2 In addition to these ongoing responsibilities the department continues to deliver economic stimulus to the aviation and creative arts sectors and to regional Australian communities as a result of the COVID-19 pandemic.

3.13.3 The Northern Australia Infrastructure Facility (NAIF) was transferred from the Department of Industry, Science, Energy and Resources to the Department of Infrastructure, Transport, Regional Development and Communications on 2 July 2021. The purpose of NAIF is to encourage growth in Northern Australia through being a financing partner.

3.13.4 Figure 3.13.1 and Figure 3.13.2 below show the 2021–22 departmental and administered financial statements items reported by Infrastructure and the key areas of financial statements risk.

Figure 3.13.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.13.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s 2021–22estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.13.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Infrastructure’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Infrastructure’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Infrastructure, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.13.6 Annual appropriation funding of $426.4 million (departmental) and $7,430.4 million (administered) was provided to Infrastructure in 2021–22 to support the achievement of the entity’s outcomes.106 Infrastructure was also budgeted to receive special appropriation funding of $4,219.3 million.107

3.13.7 Table 3.13.1 and Table 3.13.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.13.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–2022

Total expenses

444.8

12,685.9

Employee benefits

241.9

16.6

Suppliers

157.5

694.4

Depreciation and amortisation

36.6

52.6

Grants

6.3

7,625.6

Subsidies

1,804.2

Payments to corporate Commonwealth entities

2,116.6

Write down and impairment of assets

6.6

Other

2.5

369.3

Total own-source income

11.8

832.6

Sale of goods and rendering of services

3.7

17.8

Rental income

5.9

4.1

Fees and fines

154.4

Interest

470.9

Other taxes

42.1

Other

2.2

143.3

Net (cost of)/contribution to services

(433.0)

(11,853.3)

     

Source: Infrastructure’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.13.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

392.0

49,040.2

Cash and cash equivalents

11.2

42.0

Trade and other receivables

146.5

10,206.1

Other financial assets

1.5

83.8

Other investments

37,868.7

Land and buildings

113.2

203.8

Property, plant and equipment

13.8

451.0

Other

105.8

184.7

Total liabilities

210.7

1,770.7

Suppliers

31.1

362.7

Subsidies

80.3

Grants

93.8

Interest Bearing Liabilities (Leases)

97.2

Employee provisions

78.1

4.4

Other

4.3

1,229.5

Net assets/(liabilities)

181.3

47,269.5

     

Note: Infrastructure’s estimated average staffing level for 2021–22 is 1,708.

Source: Infrastructure’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.13.8 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Infrastructure’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.13.3.

Table 3.13.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

investments

$37.9 billion

 

Valuation of investments

KAM

Higher

  • complex discounted cash flow models that require significant judgements in the selection of assumptions and inputs, including estimated future cash flows, weighted average cost of capital, terminal values and discount rates that are based on primarily unobservable data;
  • the increased uncertainty in the valuation due to the economic impacts of COVID-19, particularly on the revenue generating activities of each entity, specifically Airservices Australia given the exposure of revenues to international travel and Australia Post due to the exposure to increased parcel volumes and e-commerce activity; and
  • the significance of the balance of administered investments to the financial statements.

Administered

advances and loans

$10.2 billion

receivables

loan interest revenue

$470.9 million

Recognition and valuation of loans and advances

KAM

Moderate

  • level of management judgement involved in calculating expected credit losses including the recoverability of the loans at balance date, particularly determining whether any deterioration in credit quality of loan recipients has occurred; and
  • complexity of the valuation and required calculations for loan balances which have concessional terms, including the level of estimation required to determine the appropriate market rate for the concessional component of new loans.

Administered

grants expense

$7.6 billion

grants payable

$93.8 million

Occurrence of grant expenses

Moderate

  • complex and financially significant programs subject to detailed legislative conditions; and
  • level of subjectivity and judgement applied in determining whether a recipient meets eligibility and funding milestone requirements.
       

Source: ANAO 2021–22 risk assessment, and Infrastructure’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.13.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; accounting for non-financial assets; appropriations and special accounts; grant expenses; subsidies (including aviation COVID-19 support programs); supplier expenses; administered revenue and employee payroll. Interim audit coverage has also included an assessment of IT general controls including security and change management processes relevant to the financial management information systems and human resources management information system.

3.13.10 Audit procedures relating to: the valuation of administered investments; accuracy of subsidy claims for the Tasmanian Freight Equalisation Scheme and Regional Broadband Scheme; valuation of other assets including non-financial assets and loans and advances will be undertaken as part of the planned 2021–22 final audit.

3.13.11 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.13.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

B

1

1

Total

1

1

         
New moderate audit finding
User Access Removal

3.13.12 Infrastructure did not have sufficient controls in place to identify and investigate in a timely manner access by users post cessation of their employment or contract. Infrastructure has advised that previous access post cessation has been investigated and that no issues were identified. Infrastructure has confirmed that processes will be developed to identify and investigate any access by users post cessation in a timely manner. The ANAO will review the action taken by Infrastructure as part of the final phase of the audit.

Conclusion

3.13.13 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Infrastructure will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audit.

3.14 Australian Postal Corporation

Overview

3.14.1 The Australian Postal Corporation (Australia Post) is a government business enterprise responsible for supplying postal services to Australia, including the distribution of letters and parcels in Australia and internationally.

3.14.2 Figure 3.14.1 below shows the 2020–21 financial statements items reported by Australia Post and the key areas of financial statements risk.

Figure 3.14.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Australia Post’s audited financial statements for the year end 30 June 2021.

3.14.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Australia Post’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Australia Post’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Australia Post, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.14.4 Australia Post does not receive any annual appropriation funding. The operational functions of Australia Post are funded from the following sources: parcel services; mail services; retail; agency and other services. Australia Post pays a dividend to the Commonwealth from its profit after income tax.

3.14.5 Table 3.14.1 and Table 3.14.2 below provide a summary of the key 2020–21 financial statements items reported by Australia Post.

Table 3.14.1: Key expenses and total income

Expenses and income

Actual

($m) 2020–21

Total expenses

8,173.0

Employee benefits

3,314.8

Suppliers

4,200.8

Depreciation and amortisation

516.7

Other

140.7

Total income

8,273.7

Goods and services

8,208.1

Other

65.6

Profit before income tax

100.7

Income tax expense

31.1

Profit after income tax

69.6

   

Source: Australia Post’s 2020–21 audited financial statements.

Table 3.14.2: Key assets and liabilities

Assets and liabilities

Actual

($m) 2020–21

Total assets

7,064.9

Cash and cash equivalents

653.1

Trade and other receivables

770.5

Property, plant and equipment

1,909.3

Intangible assets

714.6

Investment property

157.8

Net superannuation asset

931.2

Deferred tax assets

668.4

Right of use assets

1,026.9

Other

233.1

Total liabilities

4,577.0

Trade and other payables

1,152.7

Employee provisions

1,067.4

Interest bearing liabilities

463.4

Deferred tax liabilities

660.1

Lease Liabilities

1,134.0

Other

99.4

Net assets

2,487.9

   

Note: Australia Post’s 2020–21 staffing level at 30 June 2021 was 34,734 as reported in the 2020–21 annual report.

Source: Australia Post’s 2020–21 audited financial statements.

Key areas of financial statements risk

3.14.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Australia Post’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.14.3.

Table 3.14.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Goods and services income

$8.2 billion

unearned delivery revenue

(a component of trade and other payables)

$127.1 million

Valuation of unearned revenue liability

KAM

Higher

judgement is applied by management in estimating the amount of postage products sold which are still unused at balance sheet date; and

complexity in estimating the expected timing and amount of future utilisation of those unused postage products.

Intangible assets goodwill

(a component of intangible assets)

$507.8 million

Valuation of goodwill

KAM

Higher

the estimation process is complex and involves the exercise of significant judgement in relation to the selection of assumptions such as the discount rate and cash flow forecasts.

Net superannuation asset

$931.2 million

Valuation of the net superannuation asset

KAM

Higher

the valuation is sensitive to movements in the long-term assumptions; and

judgement is applied by management in relation to the selection of long-term assumptions such as salary growth, discount and inflation rates.

       

Source: ANAO 2021–22 risk assessment, and Australia Post’s audited financial statements for the year ended 30 June 2021.

Audit results

3.14.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; trade receivables; and property, plant and equipment. Interim coverage also included an assessment of the IT general controls and IT application controls of key systems supporting the financial statements. In addition, an assessment of the effectiveness of non-system controls relating to sales revenue, employee expenses and trade and other payables has also been completed.

3.14.8 Audit procedures relating to all key areas of audit focus, including the valuation of unearned revenue liability, the valuation of the net superannuation asset and the valuation of goodwill, will be completed as part of the 2021–22 final audit.

3.14.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.14.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.15 NBN Co Limited

Overview

3.15.1 The primary objective of NBN Co Limited (NBN Co) is to provide wholesale services to internet service providers. NBN Co is a government business enterprise incorporated under the Corporations Act 2001.

3.15.2 Figure 3.15.1 below shows the 2020–21 financial statements items reported by NBN Co and the key areas of financial statements risk.

Figure 3.15.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and NBN Co’s audited financial statements for the year end 30 June 2021.

3.15.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NBN Co’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NBN Co’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of NBN Co, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.15.4 NBN Co does not receive any annual appropriation funding. The ongoing operational functions of NBN Co are funded from the following sources: telecommunications revenue, borrowings from the Australian Government, bank facilities and capital debts market.

3.15.5 Table 3.15.1 and Table 3.15.2 below provide a summary of the key 2020–21 financial statements items.

Table 3.15.1: Key expenses and total own-sourced income

Expenses and own-source income

Actual

($m)

2020–21

Total expenses

8,491.0

Subscriber costs

1,226.0

Depreciation and amortisation

3,596.0

Employee benefits

829.0

Direct network costs

666.0

Net finance costs

1,621

Other

553.0

Total own-source income

4,653.0

Revenue

4,629.0

Other income

24.0

Loss before income tax

(3,838.0)

Income tax benefit

1.0

Other comprehensive loss

(3.0)

Loss after income tax

(3,840.0)

   

Source: NBN Co’s 2020–21 audited financial statements.

Table 3.15.2: Key assets and liabilities

Assets and liabilities

Actual

($m)

2020–21

Total assets

35,738.0

Cash and cash equivalents

1.0

Trade and other receivables

450.0

Property, plant and equipment

33,130.0

Intangible assets

1,943.0

Other

214.0

Total liabilities

37,478.0

Trade and other payables

1,651.0

Derivative financial liabilities

16.0

Borrowings

23,818.0

Other

1,174.0

Lease liabilities

10,819.0

Net liabilities

(1,740.0)

   

Note: NBN Co’s staffing level at 30 June 2021 was 4,951 as reported in the 2020–21 annual report.

Source: NBN Co’s 2020–21 audited financial statements.

Key areas of financial statements risk

3.15.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of NBN Co’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.15.3.

Table 3.15.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Telecommunications revenue

$4.4 billion

Accounting for and reporting telecommunications revenue

KAM (accuracy and completeness of telecommunications revenue)

Higher

complexity of revenue recognition from the ongoing rollout of the network and the number of IT systems used to record and manage information.

Property, plant and equipment

$33.1 billion

intangibles

$1.9 billion

depreciation and amortisation expense

$3.6 billion

 

Accuracy and completeness of depreciation and amortisation.

KAM

Higher

valuation of non-financial assets, including network assets, is subject to a high degree of judgement and complexity; and

significant judgement and the use of complex manual models in the calculation of depreciation and amortisation.

Derivative financial assets

$136.0 million

derivative financial liabilities

$16.0 million

 

Valuation; presentation and disclosure of borrowings, related party borrowings and derivatives

KAM

Higher

the volume, quantum and complexity of the derivative arrangements entered into;

the complexity in the fair valuation, accounting and disclosure of the financial instruments and borrowings due to the assumptions involved.

Network assets

$32.8 billion

lease liabilities

$10.8 billion

Accounting treatment of rights and obligations under significant contractual arrangements.

Higher

significance and complexity of the lease arrangements. Any changes to the nature of these arrangements could have a material impact on the associated balances.

       

Source: ANAO 2021–22 risk assessment, and NBN’s audited financial statements for the year ended 30 June 2021.

Audit results

3.15.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: revenue and receivables; purchases and payables; payroll; inventory; treasury, including derivatives and borrowings; non-financial assets, including lease management; accounting for the Telstra and Optus agreements; and IT general and application controls.

3.15.8 Audit procedures relating to key processes and financial statements line items, including IT general and application controls, where appropriate, will be undertaken as part of the planned 2021–22 final audit. In addition, the ANAO will perform audit procedures to assess the valuation of network assets.

3.15.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.15.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that NBN Co will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.16 Department of Parliamentary Services

Overview

3.16.1 The Department of Parliamentary Services (DPS) is responsible for supporting the Parliament through the provision of a range of services including library, Hansard, broadcasting, communications, and building security and maintenance.

3.16.2 Figure 3.16.1 and Figure 3.16.2 below show the 2021–22 departmental and administered financial statements items reported by DPS and the key areas of financial statements risk.

Figure 3.16.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DPS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.16.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DPS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.16.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DPS financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DPS’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DPS, the ANAO has assessed the risk of a material misstatement as low.

Key financial statements items

3.16.4 Annual appropriation funding of $177.0 million (departmental) and $49.2 million (administered) was provided to DPS in 2021–22 to support the achievement of the entity’s outcomes.108

3.16.5 Table 3.16.1 and Table 3.16.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.16.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

190.8

59.2

Employee benefits

111.9

Suppliers

57.1

8.9

Depreciation and amortisation

21.8

50.3

Total own-source income

10.4

Sale of goods and rendering of services

14.0

Other

(3.6)

Net (cost of)/contribution to services

(180.4)

(59.2)

     

Source: DPS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.16.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

129.7

2,748.6

Taxation receivables

0.6

Cash and cash equivalents

0.9

0.4

Trade and other receivables

28.8

Land and buildings

2.7

2,574.4

Property, plant and equipment

41.1

38.4

Intangibles

51.1

8.7

Heritage and cultural

125.6

Inventories

0.4

Other non-financial assets

4.7

0.5

Total liabilities

39.4

3.7

Suppliers

5.6

3.3

Other payables

2.8

0.4

Leases

2.8

Employee provisions

28.2

Net assets/(liabilities)

90.3

2,744.9

     

Note: DPS’ estimated average staffing level for 2021–22 is 961.

Source: DPS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.16.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DPS’ financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.16.3.

Table 3.16.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

non-financial assets (excluding intangibles)

$2.7 billion

Valuation of non- financial assets

KAM

Higher

the valuation is complex due to the unique nature of each building component that comprises Parliament House; and

significant judgement is exercised in making the estimation, which is based on current replacement cost and useful life.

       

Source: ANAO 2021–22 risk assessment, and DPS’ estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.16.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash; asset management; payroll processing and revenue. In addition, the ANAO has undertaken testing of IT general controls over the financial management and human resource management information systems.

3.16.8 Audit procedures relating to all material financial statements line items, including the valuation of non-financial assets will be undertaken as part of the planned 2021–22 final audit.

3.16.9 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.16.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

B

1

1a

Total

1

1

         

Note a: The moderate finding has been downgraded to a minor finding.

Resolved moderate audit finding
Removal of IT access for former employees

3.16.10 During 2020–21, the ANAO’s testing identified weaknesses in DPS’ security controls relating to a number of users not being terminated from the system when their employment ceased.

3.16.11 During the 2021–22 interim phase, the ANAO has reviewed the process being implemented by DPS to detect and remove users from the system when their employment ceases. It has been concluded that sufficient controls have now been implemented by DPS to reduce the risk that users continue to have access to systems post their terminations. Recognising the improvement in processes, the finding has been downgraded to a minor finding.

Conclusion

3.16.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DPS will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.17 Department of the Prime Minister and Cabinet

Overview

3.17.1 The Prime Minister and Cabinet portfolio is responsible for providing support and policy advice to the Prime Minister, the Cabinet and ministers on public and government administration matters, including policy development and whole-of-government coordination, and providing services to Indigenous Australians.

3.17.2 The Department of the Prime Minister and Cabinet (PM&C) is the lead entity in the portfolio. The department’s key purposes are to support the Prime Minister as the head of the Australian Government and the Cabinet, and to provide advice on major domestic policy and international national security matters.

3.17.3 Figure 3.17.1 and Figure 3.17.2 below show the 2021–22 departmental and administered financial statements items reported by PM&C and the key areas of financial statements risk.

Figure 3.17.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.17.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.17.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on PM&C’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of PM&C’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of PM&C, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.17.5 Annual appropriation funding of $236.8 million (departmental) and $42.3 million (administered) was provided to PM&C in 2021–22 to support the achievement of the entity’s outcomes.109 PM&C was also budgeted to receive special appropriation funding of $10,000.110

3.17.6 Table 3.17.1 and Table 3.17.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.17.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

301.0

170.7

Employee benefits

143.5

1.7

Suppliers

108.8

6.7

Depreciation and amortisation

17.4

0.6

Grants

28.7

32.1

Payments to corporate entities

129.4

Other

2.6

0.2

Total own-source income

41.9

Sale of goods and rendering of services

40.1

Interest

Other

1.8

Net (cost of)/contribution to services

(259.1)

(170.7)

     

Source: PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.17.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

254.1

3,027.2

Cash and cash equivalents

1.9

Trade and other receivables

75.5

2.0

Land and buildings

128.4

55.6

Property, plant and equipment

18.4

0.9

Administered investments in other Commonwealth entities

2,968.6

Other

29.9

0.1

Total liabilities

162.0

16.0

Suppliers

9.1

0.2

Leases

106.4

0.6

Employee provisions

44.7

0.6

Other

1.8

14.6

Net assets/(liabilities)

92.1

3,011.2

     

Note: PM&C’s estimated average staffing level for 2021–22 is 1,147.

Source: PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.17.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of PM&C’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.17.3.

Table 3.17.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

investments in Commonwealth entities

$2,968.6 million

Valuation of investments

KAM

Moderate

  • judgment is required in the selection of valuation techniques and underlying assumptions applied by PM&C to determine fair value for investments in Commonwealth entities, including estimating future revenue streams and discount rates.
       

Source: ANAO 2021–22 risk assessment, and PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.17.8 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: IT general controls and testing of leave processing, grants, bank accounts, payments to suppliers, revenue receipts, asset additions, accounts payable and receivable, credit cards and payroll.

3.17.9 Audit procedures relating to IT application controls, administered investments, employee benefits and provisions, stocktakes and asset revaluations will be undertaken as part of the planned 2021–22 final audit.

3.17.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.17.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that PM&C will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.18 National Indigenous Australians Agency

Overview

3.18.1 The National Indigenous Australians Agency (NIAA) was established on 1 July 2019 by an executive order of the Governor-General. The primary functions of the NIAA are to:

  • lead and co-ordinate Commonwealth policy development, program design and implementation, and service delivery for Aboriginal and Torres Strait Islander peoples:
  • provide advice to the Prime Minister and Minister for Indigenous Australians on whole-of-Government priorities for Aboriginal and Torres Strait Islander peoples;
  • lead and coordinate the development and implementation of Australia’s Closing the Gap targets in partnership with Indigenous Australians; and
  • lead Commonwealth activities to promote reconciliation.

3.18.2 Figure 3.18.1 and Figure 3.18.2 below show the 2021–22 departmental and administered financial statements items reported by NIAA and the key areas of financial statements risk.

Figure 3.18.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and NIAA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.18.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and NIAA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.18.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NIAA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NIAA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of NIAA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.18.4 Annual appropriation funding of $292.7 million (departmental) and $1,487.1 million (administered) was provided to NIAA in 2021–22 to support the achievement of the entity’s outcomes.111 NIAA was also budgeted to receive special appropriation funding of $73.7 million.112

3.18.5 Table 3.18.1 and Table 3.18.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.18.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

301.3

2,022.0

Employee benefits

166.9

0.2

Suppliers

102.4

57.6

Depreciation and amortisation

30.3

0.3

Grants

1,615.8

Payments associated with land councils

241.9

Payments to Indigenous Land and Sea Corporation

55.8

Other

1.7

50.4

Total own-source income

9.7

72.8

Sale of goods and rendering of services

7.4

Interest revenue

4.5

Indigenous Land and Sea Corporation funding special account

55.8

Other

2.3

12.5

Net (cost of)/contribution to services

(291.6)

(1,949.2)

     

Source: NIAA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.18.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

283.0

1,477.1

Cash and cash equivalents

41.9

Trade and other receivables

83.8

18.4

Land and buildings (including investment properties)

165.5

11.2

Property, plant and equipment

10.0

Intangibles

21.5

Prepayments

2.2

0.2

Term deposits

1,405.4

Total liabilities

182.7

39.2

Suppliers

10.5

4.5

Employee provisions

54.2

Lease liabilities

106.3

0.4

Grants payable

31.1

Other

11.7

3.2

Net assets/(liabilities)

100.3

1,437.9

     

Note: NIAA’s estimated average staffing level for 2021–22 is 1,169.

Source: NIAA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.18.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of NIAA’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.18.3.

Table 3.18.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

grants management

(a component of grants expenses)

$1,185.0 million

Performance of grantees in meeting grant conditions

KAM

Higher

  • significant number and value of grants paid;
  • complexity of grants management in remote areas across Australia; and
  • payments rely on several IT systems operated by different Australian Government entities.

Departmental

shared services

(a component of supplier expenses)

$40.0 million

Reliance on third parties for transaction processing

Moderate

  • reliance on third parties for services including payroll and financial transaction processing for which NIAA is accountable.

Administered

compliance program for Community Development Program (CDP) providers

(a component of grants expenses)

$430.0 million

Compliance by CDP providers

Moderate

  • reliance on data submitted by providers; and
  • incorrect claims identified in the 2019–20 financial statements audit.

Administered

accounting for the Stolen Generation Redress scheme

(a component of other expenses)

$27.4 million

Calculation of liability for payment to members of the Stolen Generation

Moderate

  • initial year of the implementation of the scheme in 2021–22; and
  • judgement involved in estimating the liability amount, including the numbers of eligible claimants.
       

Source: ANAO 2021–22 risk assessment, and NIAA’s budgeted financial statements for the year ended 30 June 2022.

Audit results

3.18.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: IT general controls; cash at bank; accounts payable, credit card purchases; and reconciliations between the NIAA financial system and systems operated by third party service providers.

3.18.8 Audit procedures, including IT application controls, relating to: grants, CDP compliance, non-financial assets, payroll, and the Stolen Generation Redress scheme will be undertaken as part of the planned 2021–22 final audit.

3.18.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.18.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that NIAA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.19 Department of Social Services

Overview

3.19.1 The Social Services portfolio is responsible for achieving the Australian Government’s social policy outcomes and delivering social security priorities through policy advice, program administration and research. The Department of Social Services (DSS) is the lead entity in the portfolio and has four core areas of responsibility: social security, families and communities, disability and carers, and housing.

3.19.2 In addition to DSS, the portfolio also includes Australian Hearing Services, National Disability Insurance Scheme (NDIS) Launch Transition Agency (the National Disability Insurance Agency), the Australian Institute of Family Studies and the NDIS Quality and Safeguards Commission. The entities within the Social Services portfolio administer services and programs with other government entities, non-government organisations, program participants and other stakeholders.

3.19.3 In the 2021–22 Portfolio Budget Statements (PBS) for the Social Services portfolio — excluding Services Australia— the aggregated budgeted expenses for 2021–22 total $175.74 billion. The PBS contain budgets for those entities in the general government sector (GGS) that receive appropriations directly or indirectly through the annual appropriation acts.

3.19.4 DSS represents the largest proportion of the portfolio’s expenses, and administered expenses are the most material component, representing 84 per cent of the portfolio’s expenses.

3.19.5 Figure 3.19.1 and Figure 3.19.2 below show the 2021–22 departmental and administered financial statements items reported by DSS and the key areas of financial statements risk.

Figure 3.19.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DSS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

.

Figure 3.19.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DSS’ estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.19.6 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DSS’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DSS’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DSS, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.19.7 Annual appropriation funding of $430.6 million (departmental) and $21,130.5 million (administered) was provided to DSS in 2021–22 to support the achievement of the entity’s outcomes.113 DSS was also budgeted to receive special appropriation funding of $124,529.8 million.114

3.19.8 Table 3.19.1 and Table 3.19.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.19.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

527.0

146,921.6

Employee benefits

306.5

Suppliers

175.2

219.4

Depreciation and amortisation

37.2

Personal benefits

124,298.2

Grants

2,754.4

Subsidies

100.9

Payments in corporate entities

19,436.4

Other

8.1

112.3

Total own-source income

83.9

418.8

Sale of goods and rendering of services

22.7

341.7

Other

61.2

77.1

Net (cost of)/contribution to services

(443.1)

(146,502.8)

     

Source: DSS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.19.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

631.4

5,769.0

Cash and cash equivalents

4.7

14.1

Trade and other receivables

88.2

5,132.9

Land and buildings

534.7

Property, plant and equipment

1.6

Investments

622.0

Other

2.2

Total liabilities

636.5

6,586.2

Employee provisions

93.1

Suppliers

11.4

17.4

Personal benefits payable

2,264.3

Personal benefits provision

4,170.7

Subsidies

67.5

Leases

521.4

Grants

61.9

Other

10.6

4.4

Net assets/(liabilities)

(5.1)

(817.2)

     

Note: DSS’ estimated average staffing level for 2021–22 is 2,044.

Source: DSS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.19.9 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DSS’ financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.19.3.

Table 3.19.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

personal benefits expenses

$124.3 billion

Accuracy and occurrence of personal benefits expenses

KAM

Higher

  • the high volume and varying complexity of personal benefit payments processed by Services Australia on complex IT systems; and
  • the reliance on the correct disclosure of personal circumstance information by a large number of recipients across diverse social economic groups.

Administered

personal benefits provisions

$4.2 billion

personal benefits receivables

(a component of receivables)

$5.1 billion

Valuation of personal benefits

provisions, personal benefits receivables and contingencies

KAM

Higher

  • the significant judgements and assumptions made in the estimation models for the valuation of personal benefit provisions and receivables;
  • the accuracy and completeness of the source data used by the actuary in developing the estimation of the provisions and receivables; and
  • the potential impacts of COVID-19 on the actuarial valuations.

Administered

grant expenses

$2.8 billion

Accuracy and occurrence of grants expenses

KAM

Moderate

  • the large number of grant programs with differing legislative and policy requirements, which makes the management of grant processes complex.
       

Source: ANAO 2021–22 risk assessment, and DSS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.19.10 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No 17: Australian Government Advertising: May 2019-October 2021 was tabled during 2021–22 and included a recommendation relating to the effectiveness of DSS’ implementation of framework requirements for the selected advertising campaigns. No changes were made to the financial statements audit approach as a result of this recommendation.

3.19.11 Auditor-General Report No 21: Operation of Grants Hubs was also tabled in 2021–22 and included recommendations for DSS that related to the agreement of a methodology to capture and report performance information and the establishment of a whole-of-government grants administration and payments dataset. This was to include the implementation of arrangements to assure the quality of the data.

3.19.12 Given the issues identified in the performance audit relating to data quality and the moderate risk rating given to the accuracy and occurrence of grants expenses, the financial statements audit team has amended the audit approach to consider the results of the Community Grants Hub data analysis. Refer to chapter four for details regarding the operations of the Community Grants Hub audit.

Audit results

3.19.13 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to financial management, human resources information, grant management systems, and compliance and assurance processes relating to personal benefits and disability services. Audit procedures have also been completed for the processes relating to: grants; cash; appropriations; special accounts; asset management; payroll processing; supplier expenses; departmental revenue and payments made on behalf of other entities

3.19.14 Audit procedures relating to the assessment of the valuation of personal benefits asset and liability balances will be undertaken as part of the planned 2021–22 final audit.

3.19.15 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.19.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (during of the 2021–22 interim audit)

Resolved findings (at the time of 2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

B

1

1

Total

1

1

         
Unresolved moderate audit finding
SAP terminations

3.19.16 During the 2020–21 audit the ANAO identified exceptions where user access had not been removed in a timely manner. The ANAO recommended that DSS implement processes to ensure user access is terminated on a timely basis and undertake a detailed review of all logs related to unauthorised access confirming that no inappropriate transactions or data has been accessed.

3.19.17 The ANAO’s interim testing found that DSS has put in place a process with Services Australia to identify users who had system access post-termination due to late processing of their departure. DSS is refining the processes to review these users’ accounts to determine what activities were performed post-termination, if any. The ANAO will continue to monitor the progress of this issue during the final audit.

Conclusion

3.19.18 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DSS will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audit.

3.20 National Disability Insurance Agency

Overview

3.20.1 The National Disability Insurance Agency (NDIA) was established under the National Disability Insurance Scheme Act 2013. The NDIA is responsible for delivering the National Disability Insurance Scheme (NDIS). The NDIS is designed to provide individual control and choice in the delivery of reasonable and necessary supports to improve the independence, social and economic participation of eligible people with disability, their families and carers; and associated referral services and activities.

3.20.2 NDIA has established arrangements with Service Australia for facilitating the information technology platforms for provider and participant payments, supplier payments and payroll processing under a service agreement.

3.20.3 Figure 3.20.1 below shows the 2021–22 departmental financial statements items reported by NDIA and the key areas of financial statements risk.

Figure 3.20.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and NDIA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.20.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NDIA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NDIA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of NDIA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.20.5 Annual funding of $30,494.4 million is estimated to be provided to NDIA in 2021–22 to support the achievement of NDIA’s outcomes. The funding comprises $1,263.4 million appropriations115 from the Commonwealth government for operating costs, $28,196.0 million from Commonwealth, state and territory governments for participant costs, and $1,035.0 million services provided in-kind to participants from state and territory governments.

3.20.6 Table 3.20.1 and Table 3.20.2 below provide a summary of the key 2021–22 departmental estimated financial statements items.

Table 3.20.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Total expenses

30,972.4

Employee benefits

446.1

Suppliers

1,147.5

Depreciation and amortisation

72.3

Participant plan expenses

29,303.7

Other

2.8

Total own-source income

29,232.0

Sale of goods and rendering of services

28,188.0

Other

1,044.0

Net (cost of)/contribution to services

(1,740.4)

   

Source: NDIA’s 2021–22 estimated actual as reported in the Portfolio Budget Statements 2022–23.

Table 3.20.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Total assets

3,280.0

Cash and cash equivalents

1,808.5

Trade and other receivables

55.7

Non-financial assets

270.7

Other financial assets

1,145.1

Total liabilities

2,749.7

Suppliers

157.6

Other payables

663.1

Leases

170.1

Participant provisions

1,658.9

Employee provisions

92.4

Other

7.6

Net assets/(liabilities)

530.3

   

Note: NDIA’s estimated average staffing level for 2021–22 is 4,500.

Source: NDIA’s 2021–22 estimated actual as reported in the Portfolio Budget Statements 2022–23.

Key areas of financial statements risk

3.20.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of NDIA’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.20.3.

Table 3.20.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Departmental

participant plan expenses

$29.2 billion

 

Accuracy and occurrence of participant plan expenses

KAM

Higher

complexity around the decisions as to the appropriate level of support and therefore the associated expenses, and high volume of transactions; and

continued growth in participant numbers entering the NDIS.

Departmental

participant plan provision

$1.6 billion

 

Valuation of participant plan provision

KAM

Higher

significant judgement and assumptions required in the actuarial estimate of outstanding claims at year-end including the timing and amount of cashflow due to the complexity of estimating payment patterns.

Departmental

contributions in-kind from state and territory governments revenue

$1.0 billion

 

Completeness, occurrence and accuracy of contributions of in- kind services from state and territory governments

KAM

Higher

reliance on third party data from state and territory governments;

in-kind revenue may be misstated if services provided directly to eligible participants by states and territories are not appropriately reported to the NDIA in line with bilateral agreements; and

participant expenses may be overstated if the available cash budgets within participant plans are not reduced to reflect the participant’s access to in-kind services.

       

Source: ANAO 2021–22 risk assessment, and NDIA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

Audit results

3.20.8 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: financial management, human resources information, provider and participant payment systems; compliance and business assurance processes relating to scheme access; and plan approval and claims processing. Audit procedures have also been completed for the processes relating to provider and participant claims, cash, supplier expenses, leases and revenue.

3.20.9 Audit procedures relating to valuation of provider and participant provisions and in-kind provisions will be undertaken as part of the planned 2021–22 final audit.

3.20.10 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.20.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

B

1

1

Total

1

1

         
Unresolved moderate audit finding
Timeliness of IT user access terminations

3.20.11 During the IT general control testing undertaken for the 2020–21 financial statements audit, the ANAO noted that entity’s human resource system does not record the terminations of the NDIA employees and contractors in a timely manner. The ANAO recommended that NDIA implement processes to ensure user access is terminated on a timely basis and undertake a detailed review of all logs related to unauthorised access confirming that no inappropriate transactions or data has been accessed. Management has advised the ANAO that progress has been made to address the audit finding. The ANAO is in the process of examining the remediation activities undertaken as part of the 2021–22 audit

Conclusion

3.20.12 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that NDIA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audit.

3.21 Services Australia

Overview

3.21.1 Services Australia has responsibility for delivering a range of payments and services to support individuals, families and communities, as well as providers and businesses. These include income support payments and services, aged care payments, Medicare payments and services, and child support services.

3.21.2 In 2021–22 Services Australia continues to support the Australian Government’s response to the COVID-19 pandemic through a range of measures including the COVID-19 disaster and pandemic leave payments, the continuation of the Telehealth function of the Medicare Benefits Scheme and the vaccine rollout.

3.21.3 Figure 3.21.1 and Figure 3.21.2 below show the 2021–22 departmental and administered financial statements items reported by Services Australia and the key areas of financial statements risk.

Figure 3.21.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Services Australia’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.21.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Services Australia’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.21.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Services Australia’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Services Australia’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Services Australia, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.21.5 Annual appropriation funding of $5,593.2 million (departmental) and $1.7 million (administered) was provided to Services Australia in 2021–22 to support the achievement of the entity’s outcomes.116 Services Australia was also budgeted to receive special appropriation funding of $0.6 million relating to refunds under the Public Governance, Performance and Accountability Act 2013 (PGPA Act).117

3.21.6 Table 3.21.1 and Table 3.21.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.21.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

6,175.1

1,847.1

Employee benefits

3,301.4

Suppliers

2,080.5

Depreciation and amortisation

767.8

Child support maintenance

1,796.1

Write-down and impairment of assets

51.0

Other

25.4

Total own-source income

273.3

1,924.2

Rendering of services

259.3

Rental Income

11.9

Child support maintenance revenue

1,851.5

Other

2.1

72.7

Net (cost of)/contribution to services

(5,901.8)

77.1

     

Source: Services Australia’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.21.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

4,838.8

1,551.6

Cash

20.6

223.3

Trade and other receivables

1,313.9

14.8

Land and buildings

2,070.1

Property and equipment

432.1

Software

844.8

Other non-financial assets

157.3

Child support receivables

1,313.5

Total liabilities

3,008.7

1,517.2

Suppliers

206.3

Lease

1,891.8

Other payables and provisions

48.0

Child support and other payables

35.3

Employee payables and provisions

862.6

Recovery of compensation

160.1

Child support payments received in advance

26.0

Child support provisions

1,295.8

Net assets/(liabilities)

1,830.1

34.4

     

Note: Services Australia’s estimated average staffing level for 2021–22 is 28,869.

Source: Services Australia’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.21.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Services Australia financial statements. Services Australia has a highly complex IT environment made up of numerous systems hosted across different IT platforms. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.21.3.

Table 3.21.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Departmental

right-of-use assets

(a component of land and buildings)

$1.9 billion

lease liabilities

$1.9 billion

Valuation of right-of-use assets

KAM

 

Moderate

  • judgements associated with right-of-use valuations, particularly the treatment of lease options as well as the assurance processes for identifying and recognising changes in individual lease contracts, particularly modifications, new or terminated leases.

Departmental

intangible assets

$0.8 billion

Valuation of intangible assets

KAM

Moderate

  • significant judgements involved in considering the indicators of impairment to estimate the value of intangible assets; and
  • judgements involved in estimating the capitalisation of the staff and other costs attributed to developing the software applications.

Administered

child support receivables

$1.3 billion

Valuation of child support receivables that are yet to be paid by non-custodial parents at the end of the financial year.

KAM

Moderate

  • significant judgements and assumptions around the collection rates of child support obligations are applied in determining the valuation of child support receivables and require the involvement of an actuary. These judgements rely on the quality of the underlying data used in the estimation process; and
  • a large volume of child support financial transactions are processed using bespoke IT application under the complex Child Support (Registration and Collection) Act 1988. This complexity increases the judgements and estimates associated with the child support receivable valuation.
       

Source: ANAO 2021–22 risk assessment, and Services Australia’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

Audit results

3.21.8 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to areas of audit focus and IT controls over security and change management of financial management and human resource management systems.

3.21.9 Audit procedures relating to: controls over social services and health related payments made by Services Australia on behalf of other Commonwealth entities, including associated compliance and assurance activities will be undertaken as part of the planned 2021–22 final audit. In addition, the ANAO’s final audit coverage will include valuation of child support debts, employee provisions and non-financial assets, particularly intangibles.

3.21.10 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.21.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

B

1

1

Total

1

1

         
Resolved moderate audit finding
IT Security Governance

3.21.11 Services Australia has a complex IT environment made up of a suite of systems hosted across different IT platforms such as mid-range and mainframe to support business objectives. The overall effectiveness of the IT control environment forms a significant component of the overall integrity and reliability of financial transactions, which links closely with Services Australia’s strategic risks. In the 2019–20 audit, the ANAO identified weaknesses in the implementation and operation of the governance and monitoring processes that support Services Australia’s information security framework.

3.21.12 In 2019–20, the ANAO recommended that governance and monitoring processes be strengthened to include the review and reporting of adherence to Services Australia’s Cyber Security Information Security Manual. The ANAO’s view was that broader governance and management processes that support Services Australia’s IT general control framework highlighted an ongoing risk to the agency in maintaining security governance. During the interim audit phase, the ANAO confirmed that these processes had been implemented and as a result the finding has been resolved.

Conclusion

3.21.13 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Services Australia will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.22 Department of the Treasury

Overview

3.22.1 The Department of the Treasury (Treasury) is responsible for the development, delivery and implementation of economic analysis and authoritative policy advice on issues such as the economy, the budget, taxation, financial systems, foreign investment, retirement income, superannuation, small business and international economic policy. The Treasury also works with state and territory governments on key policy areas and manages federal financial relations.

3.22.2 Figure 3.22.1 and Figure 3.22.2 below show the 2021–22 departmental and administered financial statements items reported by Treasury and the key areas of financial statements risk.

Figure 3.22.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Treasury’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.22.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Treasury’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.22.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Treasury’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Treasury’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Treasury, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.22.4 Annual appropriation funding of $338.5 million (departmental) and $303.9 million (administered) was provided to Treasury in 2021–22 to support the achievement of the entity’s outcomes.118 Treasury was also budgeted to receive special appropriation funding of $100,876.6 million.119

3.22.5 Table 3.22.1 and Table 3.22.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.22.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

351.9

185,124.0

Employee benefits

210.9

Suppliers

123.6

60.8

Grants

1.0

137,838.6

Depreciation and amortisation

14.5

Payments to the Medicare Guarantee Fund

44,867.9

Finance costs

1.9

327.8

Other

2,028.9

Total own-source income

15.2

3,484.9

Sale of goods and services

10.3

593.3

Interest

61.4

COAG revenue from government entities

2,229.6

Other gains

425.0

Other

4.9

175.6

Net (cost of)/contribution to services

(336.7)

(181,639.1)

     

Source: Treasury’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.22.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

273.5

54,050.2

Cash and cash equivalents

0.8

974.1

Trade and other receivables

88.4

2,224.6

Land and buildings

144.4

Property, plant and equipment

15.4

Intangibles

18.1

Investments

50,851.5

Other

6.4

Total liabilities

214.9

32,099.6

Suppliers

9.1

Other payables

5.3

1,393.9

Leases

131.0

Employee provisions

64.0

Grants payable

3,359.1

Loans

9,419.9

Interest bearing liabilities

17,886.7

Other provisions

5.5

40.0

Net assets/(liabilities)

58.6

21,950.6

     

Note: Treasury’s estimated average staffing level for 2021–22 is 1,360.

Source: Treasury’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.22.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Treasury’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.22.3.

Table 3.22.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

other provisions

(a component of grants payable)

$2.9 billion

 

Completeness and valuation of the Disaster Recovery Funding Arrangements (DRFA) and the Natural Disaster Relief and Recovery Arrangements (NDRRA) provision

KAM

Higher

  • reliance on information provided by state and territory governments to estimate the provision; and
  • complexities in judgements relating to the timing of future payments and the estimation of future costs to restore infrastructure to its condition at the time of the natural disaster.

Administered

grants expense

$137.8 billion

 

Accuracy and completeness of payments to states and territories under the Federal Financial Relations Act 2009

KAM

Moderate

  • the large range and value of grants paid with complex eligibility criteria; and
  • reliance on other government entities to provide information to support payments and confirm the eligibility criteria have been met.
       

Source: ANAO 2021–22 risk assessment, and Treasury’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

3.22.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audits have been tabled to date in 2021–22 relevant to the financial management or administration of Treasury.

Audit results

3.22.8 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to grant payments, non-financial assets and supplier expenses. Audit coverage also include an assessment of the IT general controls over the financial management information system and the human resources information system.

3.22.9 Audit procedures relating to: valuation of provisions and additional testing over grant payments will be undertaken as part of the planned 2021–22 final audit.

3.22.10 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.22.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

L1

1

1

Total

1

1

         
Resolved audit finding
Potential section 83 breaches

3.22.11 During the previous financial year, there were several instances of potential non-compliance with section 83 of the Constitution for National Partnership Payments issued in accordance with the Financial Federal Relations Act 2009. National Partnership Payments include a number of programs where the underlying management is within the relevant agency responsible for policy and program administration, with all payments processed by Treasury. It was identified that there were a number of payments processed in 2019–20 and 2020–21 which did not have appropriate ministerial authorisation, totalling $85.5 million.

3.22.12 These payments were made on the basis that the administering entity made representation to Treasury that the payment was appropriately authorised. Subsequent investigations noted the appropriate authorisation was not held, as the administering entity had not received ministerial authorisation to approve the payment as required by clause 35 of the Schedule D of the Intergovernmental Agreement on Federal Financial Relations.

3.22.13 Treasury has undertaken steps to ensure appropriate authorisation is held at the time of the payments being made, including retention of authorisations as part of the payment process in order to prevent potential section 83 breaches for similar transactions. The finding has been resolved.

Conclusion

3.22.14 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Treasury will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.23 Australian Office of Financial Management

Overview

3.23.1 The Australian Office of Financial Management (AOFM) is responsible for the management of Australian Government debt and certain financial assets. It issues Treasury Bonds, Treasury Indexed Bonds and Treasury Notes, manages the government’s cash balances and invests in high quality financial assets.

3.23.2 Figure 3.23.1 and Figure 3.23.2 below show the 2021–22 departmental and administered financial statements items reported by AOFM and the key areas of financial statements risk.

Figure 3.23.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and AOFM’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.23.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and AOFM’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.23.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on AOFM’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AOFM’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of AOFM, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.23.4 Annual appropriation funding of $16.9 million (departmental) was provided to AOFM in 2021–22 to support the achievement of the entity’s outcomes.120 AOFM was also budgeted to receive special appropriation funding of $191,010.8 million.121

3.23.5 Table 3.23.1 and Table 3.23.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.23.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

15.6

18,497.5

Employee benefits

8.3

Suppliers

6.7

Depreciation and amortisation

0.5

Finance costs

0.1

18,474.8

Write-down and impairment of assets

3.7

Other

19.0

Total own-source income

0.3

134.0

Interest revenue

134.0

Other

0.3

Net (cost of)/contribution to services

(15.3)

(18,363.5)

     

Source: AOFM’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.23.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

37.2

82,545.6

Cash and cash equivalents

0.1

79,926.0

Trade and other receivables

30.2

Loans to state and territory governments

1,333.6

Structured finance securities

1,280.8

Accrued interest on cash management account

5.2

Non-financial assets

6.9

Total liabilities

8.4

929,092.9

Suppliers

0.8

Personal benefits

0.1

Employee provisions

2.9

Leases

4.1

Australian Government securities

929,091.1

Other

0.5

1.8

Net assets/(liabilities)

28.8

(846,547.3)

     

Note: AOFM’s estimated average staffing level for 2021–22 is 44.

Source: AOFM’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.23.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of AOFM’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.23.3.

Table 3.23.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

Australian Government securities

$929.1 billion

Valuation and disclosure of Australian Government securities

KAM

Moderate

  • fair value movements have a material impact on the financial statements due to the significant value of the liability and significant volume of instruments issued;
  • the fair value is subject to price changes in local and global money and capital markets; and
  • complex financial statements disclosure requirements for financial liabilities measured at fair value through profit and loss.
       

Source: ANAO 2021–22 risk assessment, and AOFM’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.23.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; supplier expenses; issuance and management of Australian Government Securities.

3.23.8 Audit procedures relating to the valuation of Australian Government securities will be undertaken as part of the planned 2021–22 final audit.

3.23.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2021–22 audit also did not identify any significant or moderate audit findings.

Conclusion

3.23.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that AOFM will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.24 Australian Taxation Office

Overview

3.24.1 The Australian Taxation Office’s (ATO’s) core areas of responsibility are managing and shaping tax, excise and superannuation systems that fund services for Australians, together with the provision of support to the Tax Practitioners Board, the Australian Business Registry Services and the Australian Charities and Not-for-profits Commission.

3.24.2 Figure 3.24.1 and Figure 3.24.2 below show the 2021–22 departmental and administered financial statements items reported by ATO and the key areas of financial statements risk.

Figure 3.24.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and ATO’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.24.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and ATO’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.24.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on ATO’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of ATO’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of ATO, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.24.4 Annual appropriation funding of $3,987.3 million (departmental) and $8.6 million (administered) was provided to ATO in 2021–22 to support the achievement of the entity’s outcomes.122 ATO was also budgeted to receive special appropriation funding of $12,297.2 million.123

3.24.5 Table 3.24.1 and Table 3.24.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.24.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total expenses

4,063.1

19,305.3

Employee benefits

2,179.0

Suppliers

1,470.2

Depreciation and amortisation

403.5

Subsidies

10,314.3

Personal benefits

848.6

Penalty and Interest charge remission

1,435.0

Write-down and impairment of assets

5,994.0

Interest

70.0

Other

10.4

8.6

Superannuation guarantee charge

612.0

Unclaimed superannuation monies interest

22.8

Total own-source income

123.3

504,225.8

Sale of goods and rendering of services

92.9

Income tax

399,733.8

Indirect tax

100,870.0

Other taxes

3,140.2

Unclaimed superannuation Monies

466.6

Rental income

15.2

Other

15.2

15.2

Net (cost of)/contribution to services

(3,939.8)

484,920.5

     

Source: ATO’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.24.2: Key assets and liabilities

Assets and liabilities

Departmental estimated actual ($m) 2021–22

Administered estimated actual ($m) 2021–22

Total assets

2,288.4

49,333.8

Cash and cash equivalents

49.1

468.5

Trade and other receivables

598.8

Non-financial assets

1,640.5

Taxation receivables

34,148.9

Accrued revenues

14,336.6

Other

379.8

Total liabilities

1,990.7

10,176.6

Suppliers

257.1

Employees

Other payables

5.0

2.7

Employee provisions

780.7

Subsidies payable & provision

51.0

4,250.0

Taxation refunds due payable

1,195.6

Superannuation guarantee charge payable and provision

840.2

Superannuation holding account payable

76.0

Personal benefits payable and provision

1,077.7

Income taxation and indirect taxation refund provision

2,092.7

Other provisions

15.9

641.7

Leases

881.0

Net assets/(liabilities)

297.7

39,157.2

     

Note: ATO’s estimated average staffing level for 2021–22 is 18,349.

Source: ATO’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.24.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of ATO’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.24.3.

Table 3.24.3: Key areas of financial statements risk

Relevant financial statements item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Administered

taxation revenue

$503.7 billion

expenses

$19.3 billion

 

Accuracy of taxation revenue

KAM

accuracy of expenses

Higher

  • complexity and judgement involved in the reliable estimation of taxation revenue due to uncertain timing of tax return assessments, payments and forecasting of likely taxation revenue outcomes;
  • significant judgement when selecting the appropriate base and method for revenue recognition;
  • completeness, relevance and accuracy of source data used in developing taxation revenue estimates; and
  • estimation involves consideration of historical taxpayer behaviours together with assumptions about economic factors such as future wage growth, and gross domestic product.

Administered

taxation receivables

$34.1 billion

 

Valuation of taxation receivables and provisions for refunds

KAM

Higher

  • complex methodologies and assumptions underpinning the calculation and assessment of the recoverability of taxation receivables, and the calculation of the provision for refunds;
  • estimate methodologies are based on assumptions including taxpayer compliance and lodgement history, the existence of dispute over a receivable and the taxpayers’ capacity to pay. Models use historical data to predict future taxpayer behaviour; and
  • completeness, relevance and accuracy of source data used in estimating balances.

Administered

taxation revenue

$503.7 billion

 

Completeness of taxation revenue and the ATO’s compliance and risk management processes relating to the collection of taxation revenue.

Higher

  • reliance on information provided by taxpayers in a self- assessment and voluntary compliance regime for a significant value of revenue transactions;
  • the effectiveness of the design and implementation of the compliance risk management regime that reduces the risk that inappropriate taxation returns may not be detected and corrected by the ATO, which makes the deterrence of tax evasion more effective; and
  • judgements associated with the risk management approach to compliance activities.

Administered

all financial statements items

Accuracy and completeness of balances due to ATO’s complex IT business systems and associated processing of taxpayer returns and statements

Higher

  • large and complex IT environment with several hundred business applications processing a high volume of transactions through many IT systems that are bespoke or heavily customised to the ATO; and
  • reliance on bespoke reports to extract large volume and complex data from IT systems for the calculation of balances used in the preparation of the financial statements.

Administered

all financial statements items

Completeness and accuracy of data required for financial reporting purposes due to complex manual processes for compilation of data.

Moderate

  • manual calculation of complex information in spreadsheets increases the risk of miscalculation due to data linkages and human error.
       

Source: ANAO 2021–22 risk assessment, and ATO’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.24.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit report was tabled during 2021–22 relevant to the financial management or administration of ATO:

  • Auditor-General Report No.10 Administration of the Research and Development Tax Incentive

3.24.8 The report concluded that the ATO’s administration of the Research and Development Tax Incentive program was largely effective in regard to undertaking communication, claims processing and compliance approach with weaknesses identified in the joint compliance approach. The observations were considered in designing audit procedures for the 2021–22 financial statements audit.

Audit results

3.24.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to the ATO’s business operations which incorporated ATO’s key financial administration systems and its key revenue collection processes.

3.24.10 Audit procedures relating to the ANAO’s interim audit coverage included an assessment of ATO’s IT general controls. The assessment included: logical security, change and release management and controls in the ATO’s financial management information system, human resource management information system; and other key administered and departmental financial systems. Audit coverage is currently in progress on the processes relating to: cash; appropriations; special accounts; asset management; payroll processing; suppliers’ expenses; taxes124; excise; super guarantee charge; penalties and interest and settlements.

3.24.11 The ANAO will finalise the assessment of the complex manual processes for financial reporting, coverage over the ATO’s external compliance program, administered estimates and receivables and impairment as part of the 2021–22 final audit. The ANAO will also conduct further testing on the effective operation of the ATO’s IT application controls during the 2021–22 final audit.

3.24.12 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.24.4: Status of audit findings raised by the ANAO

Category

Closing position (at the end of the 2020–21 final audit)

New findings (2021–22 interim audit)

Resolved findings (2021–22 interim audit)

Closing position (at the end of the 2021–22 interim audit)

B

2

1

1

Total

2

1

1

         
Unresolved moderate audit finding
General Interest Charge (GIC) and Failure to Lodge (FTL) Remissions

3.24.13 In 2020–21, the ANAO identified that rapidly implemented changes to the ATO’s business-as-usual interest and penalty remission arrangements announced as part of administrative support measures for taxpayers impacted by the COVID-19 pandemic, were not all subject to risk informed decision-making processes and there were gaps in the governance framework.

3.24.14 The ANAO recommended that governance frameworks and implementation processes be strengthened to include review of administrative processes for remission of interest and penalties. The ANAO also recommended the ATO review the existing governance mechanisms over penalties and interest remission arrangements to assess if they are fit for purpose or require modification. ATO agreed with the recommendations.

3.24.15 During the 2021–22 interim audit, the ATO has provided the ANAO with evidence to support that four of the five recommendations have been progressed. The ATO has undertaken a review of the GIC and FTL remission decision-making framework and established a working group of key stakeholders. Through consultations, an analysis has identified the need for modifications to existing practice notes and frameworks. An updated policy on large scale decisions outside of business-as-usual procedures has been endorsed and disseminated to all impacted stakeholders. Internal Audit will also include a follow-up review in 2022–23 in the program of work. The ANAO’s testing and evaluation of the implementation of the recommendations has commenced and will be concluded in the final audit. Hence the finding remains unresolved at the conclusion of the interim audit.

Resolved moderate audit finding
User access terminations not performed in a timely manner

3.24.16 In 2020–21, the ANAO’s interim testing of user access identified that ATO had not adequately implemented a system of controls which identifies users who retain access to ATO’s systems or investigates ATO system activity after their formal separation date. User accounts should be disabled on their termination date as they no longer have a legitimate requirement to access ATO’s network. The ANAO identified several instances where users continued to access systems following separation from ATO and evidence of login activity within financial systems post termination was noted, however there was no financial statements impact.

3.24.17 The ANAO recommended that ATO implement a system of controls to identify and follow-up users who retain access to ATO systems after formal separation and follow-up and investigate all instances of activity of users who no longer have a legitimate business requirement to access sensitive ATO systems.

3.24.18 At final in 2020–21, the ANAO observed that the ATO’s process for identifying potential terminated users logging on after termination had improved, however deficiencies in the processes were identified during the testing performed by the ANAO. The ATO agreed that it needed to further refine the follow up processes. ANAO also observed several instances across both payroll and contractor staff where separation dates were incorrectly recorded which could lead to under or over payments relating to staff and inhibit any investigations relating to inappropriate conduct.

3.24.19 During the 2021–22 interim audit, the follow-up testing performed by the ANAO noted that the ATO has implemented a detailed user terminations exceptions process which actively identifies, monitors and resolves users who retain access to ATO’s systems after their formal separation dates. The ANAO has reviewed these processes and sample tested individual users and concluded that the system-based terminations issues have been resolved and this finding has been closed at the conclusion of the interim audit.

Conclusion

3.24.20 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that ATO will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audit.

3.25 Reserve Bank of Australia

Overview

3.25.1 The objectives of the Reserve Bank of Australia (RBA) are to determine and implement monetary policy that contribute to the stability of the currency and maintain full employment, work to maintain a strong financial system and efficient payments system, and issue the nation’s banknotes. As well as being a policymaking body, the RBA provides selected banking services to a range of Australian Government entities and to a number of overseas central banks and official institutions. The RBA is also responsible for the management of Australia’s gold and foreign exchange reserves.

3.25.2 Figure 3.25.1 below shows the 2020–21 financial statements items reported by RBA and the key areas of financial statements risk.

Figure 3.25.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and RBA’s financial statements for the year end 30 June 2021.

3.25.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on RBA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of RBA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of RBA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.25.4 RBA does not receive any annual appropriation funding. The operational functions of RBA are funded from the following sources: net interest income earnings; and fees and commission income.

3.25.5 Table 3.25.1 and Table 3.25.2 below provide a summary of the key 2021–22 departmental estimated financial statements items.

Table 3.25.1: Key expenses and total own-sourced income

Expenses and own-source income

Actual

($m)

2020–21

Total expenses

9,130.0

Net loss on securities and foreign exchange

8,489.0

General administrative

483.0

Other

158.0

Total own-source income

4,798.0

Net interest income

4,285.0

Fees and commission

460.0

Other

53.0

Net profit/(loss)

(4,332.0)

   

Source: RBA’s 2020–21 audited financial statements.

Table 3.25.2: Key assets and liabilities

Assets and liabilities

Actual

($m)

2020–21

Total assets

539,897.0

Cash and cash equivalents

721.0

Australian dollar investments

474,974.0

Foreign currency investments

56,710.0

Gold

6,022.0

Property, plant and equipment

754.0

Other

716.0

Total liabilities

516,892.0

Deposits

415,576.0

Distribution payable to the Commonwealth

2,671.0

Australian banknotes on issue

95,485.0

Other

3,160.0

Net assets/(liabilities)

23,005.0

   

Note: RBA staffing level at 30 June 2021 was 1,380 as reported in the 2020–21 annual report.

Source: RBA’s 2020–21 audited financial statements.

Key areas of financial statements risk

3.25.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of RBA’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.25.3.

Table 3.25.3: Key areas of financial statements risk

Relevant financial statement item

Key area of risk

Audit risk rating

Factors contributing to the risk assessment

Australian dollar investments

$475.0 billion

foreign currency investments

$56.7 billion

net gains/(losses) on securities and foreign exchange

($8.5 billion)

 

Valuation of Australian dollar securities and foreign currency investments

KAM

Higher

  • complexity in determining the fair value of a range of investments and securities; and
  • significant financial impact from any fluctuations in the value of the Australian dollar.

Australian banknotes on issue

$95.5 billion

 

Accuracy of the liability for the Australian banknotes

KAM

Higher

  • the accuracy of the liability for Australian banknotes on issue is reliant on the assumption that legal tender status is retained by all Australian banknotes on issue; and
  • the significance to the economy of the production, supply and security of banknotes.
       

Source: ANAO 2021–22 risk assessment, and RBA’s audited financial statements for the year ended 30 June 2021.

Audit results

3.25.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: the initiation, authorisation, settlement and recording of Australian dollar investments and foreign currency investments; the return and issuance of Australian banknotes on issue; and IT general controls.

3.25.8 Audit procedures relating to: the effectiveness of key controls for the remaining areas of audit focus will be undertaken as part of the planned 2021–22 final audit.

3.25.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.25.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that RBA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

4. Department of Social Services operations of Community Grants Hub

Chapter coverage

This chapter outlines the ANAO analysis of the Department of Social Services’ (DSS) Community Grants Hub (CGH) data that was not able to be concluded as part of the performance audit on Operations of Grants Hubs.

The purpose of the analysis is to assess the grants administration compliance with the selected legislative requirements and consistency with selected business processes for grant activities administered between 1 July 2016 and 31 December 2021.

Conclusion

Where data was available, the ANAO analysis concluded there was a high level of compliance with the selected legislative requirements and a high level of consistency with the selected standard business processes of the CGH.

The ANAO analysis identified that reporting of some grant activities did not comply with mandatory reporting to GrantConnect125 required by the Commonwealth Grants Rules and Guidelines 2017126 (CGRG) and the Resource Management Guides (RMG) 421.127

The ANAO analysis further identified data quality issues, in particular for grant activities started prior to 2021–22. The CGH business process or system did not prevent such errors from occurring.

Data issues identified in the CGH represent a business risk to DSS, in providing services to CGH users. While there is evidence of improvement with CGH data in recent years, there remains opportunities for the CGH to improve data quality. To address this risk, the ANAO recommended the Department of Finance and the hubs, including CGH, establish a whole-of-government grants administration and payments dataset and implement arrangements to assure the quality of the data.

Introduction

4.1 The ANAO undertook a performance audit on Operation of Grants Hubs to assess whether the Streamlining Government Grants Administrations (SGGA) Program improved the effective and efficient delivery of grants administration. The report was tabled on 31 March 2022.128 The performance audit examined the Business Grants Hub (BGH) administered by the Department of Industry, Science, Energy and Resources (Industry) and the Community Grants Hub (CGH) administered by the Department of Social Services (DSS).

4.2 The hubs provide standardised business processes for their users. The performance audit concluded that ‘the build and operation of the grants hubs were partly effective. While consistency and effectiveness in grants administration was somewhat improved, there were deficiencies in relation to usage of the hubs for the full grants lifecycle, collaboration between the hubs and client entities, and data management’.129

4.3 One of the recommendations from the performance audit was that ‘to assist in the achievement of the intended benefits of the SGGA Program, Department of Finance (Finance) and the hubs establish a whole-of government grants administration and payments dataset and implement arrangements to assure the quality of the data’, which was agreed by Finance, Industry and DSS.130

4.4 Due to data quality issues found in data extracts from DSS, the planned analysis of the CGH’s compliance with legislative requirements and consistency with selected business processes was unable to be completed for inclusion in the performance audit report.131

4.5 The ANAO rated the accuracy and occurrence of grants expenses as a moderate risk area in relation to the financial statements audit. Given the issues identified in the performance audit relating to data quality, the financial statements audit approach for 2021–22 has been amended to consider the results of the CGH data analysis and further examine CGH compliance with selected legislative requirements and business processes.132

Background

4.6 The CGH has an established service offering to support the delivery of consistent grant processes across the portfolios it supports. The CGH provides services across the entire grants lifecycle, and its business model allows flexibility within the grants lifecycle for users to pick and choose services to suit their grant programs and policy outcomes. The grants managed by the CGH are diverse with different levels of complexities.

4.7 The CGH is the Commonwealth’s largest shared service provider for grants administration. Since its inception on 1 July 2016, the CGH has delivered grants on behalf of the department and nine other policy agencies. The CGH managed 882 grant programs and $44.3 billion in funding between 1 July 2016 and 31 December 2021. Details are provided in Table 4.1 below.

Table 4.1: CGH executed grant activities by policy agency, 1 July 2016 to 31 December 2021

Policy agency

Number of grant programs

Number of grant activities

Total grant activity agreement value (excluding GST)a

Department of Health

414

20,405

$31,858,050,640

Department of Social Services

210

16,417

$8,171,758,870

Attorney–General’s Department

27

612

$2,064,562,479

Department of Agriculture, Water and the Environment

145

2069

$1,135,972,756

Department of Home Affairs

26

920

$399,048,068

Department of Education, Skills and Employment

34

1652

$396,658,271

Natural Heritage Trust

5

462

$137,144,905

Department of Veterans’ Affairs

15

3155

$82,403,672

Department of the Prime Minister and Cabinet

4

113

$77,020,482

National Indigenous Australians Agency

2

1

$62,500

Total

882

45,806

$44,322,682,643

       

Note a: This is the amount of funding the service provider was agreed to be provided to deliver associated grant activity under the terms of the Funding Agreement including any executed variations, excluding GST and Social and Community Services (SACS) wage supplementation funding. The data is captured as ‘Activity Base Agreement Value Ex GST’ in Activity dataset.

Source: ANAO analysis of CGH data.

Audit approach

4.8 The 2021–22 financial statements audit of DSS included an extended analysis of standard reporting of CGH data for executed grant activities from 1 July 2016, when the CGH commenced operations, to 31 December 2021. There was a total of 66,559 grant applications, and 45,806 executed grant activities (current and completed) worth $44.3 billion over this period. The scope of the data analysis included the Select, Establish and Manage phases of the CGH grants life cycle.133

4.9 The legislative requirements are the same for the CGH and the BGH, while there are some differences in business processes between the CGH and the BGH for grant life cycle management. The ANAO analysis assessed the CGH compliance with selected legislative requirements and consistency with standard business processes.

4.10 In undertaking the audit, the ANAO:

  • examined documentation collected from DSS relating to the business rules and business processes of the CGH;
  • examined relevant sections of the PGPA Act and Rules, the Commonwealth Grants Rules and Guidelines 2017 (CGRGs) and Finance guidance material;
  • undertook walkthroughs of the CGH processes and discussed with DSS staff to verify and confirm ANAO’s understanding of business rules and identified exceptions; and
  • analysed standard reporting data of the CGH extracted by DSS and GrantConnect data extracted by Finance.

Data quality issues

4.11 The ANAO analysis was based on current business rules of the CGH and identified some exceptions to these business rules. DSS advised that the CGH had undergone changes over the last six years within both its operating model and system enhancements as the CGH transitioned agencies’ grant management to a single process.134

4.12 The ANAO analysis identified a number of data quality issues which indicated that the internal controls and system did not detect or prevent data errors from occurring. The majority of data quality issues related to grant activities relating to periods prior to 2021–22. When errors are identified, the CGH provides information to allow users to undertake investigation of the grant activities and reasons for the errors.

4.13 The ANAO analysis identified that some grant programs did not have complete information captured in the CGH standard reporting data provided to the ANAO. It was identified that some critical dates for assessing grant activity lifecycle management were captured in audit logs only.135 In addition, DSS advised that a client of the Hub does not always request DSS to undertake all phases of the grants lifecycle. DSS advised that some grant management processes were captured manually or off the system, and the data was not always entered in the CGH in a timely manner, or at all. Most of these manual records were related to grant applications received in 2018.

4.14 The ANAO analysis further identified that there was insufficient information included in the CGH standard reporting data to test some business processes for grant activity lifecycle management. For example, the standard reporting data did not include information about workflow status changes, which would have facilitated review of the process related to applicant’s eligibility assessment or review of the process related to recommending a funding decision.

4.15 CGH data is complex and requires linkage across different datasets for appropriate assessment of grant lifecycle management. The ANAO analysis identified that some datasets linkages were only possible in recent years. DSS advised that as the CGH moved from the transition phase to the business-as-usual phase, there had been system improvements over time to capture data that was not previously recorded or improve the linkage across different grant lifecycle phases.

Compliance with legislative requirements

4.16 The ANAO testing concluded that the relevant controls were operating satisfactorily for selected legislative requirements highlighted in Table 4.2.

Table 4.2: ANAO audit testing results for compliance with selected legislative requirements

Legislative requirement

ANAO audit testing

Make a relevant commitment, enter into an agreement and administer an agreement

Only an appropriate delegate can make the final decision whether to approve an application for funding and authorise a payment to be made (section 23 and section 110(1)(a) of the PGPA Act, and paragraph 36 of RMG 400).

ANAO audit testing concluded relevant controls were operating satisfactorily, and no exceptions were identified in 2019–20, 2020–21 and 2021–22.

Power to administer an arrangement

Total grant amount paid must not exceed total approved grant amount in the grant agreement (section 23 of the PGPA Act and paragraph 36 of RMG 400).

 

ANAO audit testing concluded relevant controls were operating satisfactorily in 2019–20, 2020–21 and 2021–22.

ANAO gained reasonable assurance in relation to grants rights and obligations, occurrence, accuracy, and classification, and the expenses balance, and did not identify exceptions.

Power to administer an arrangement

Payments are in accordance with executed agreements. The right amount is going to the right person at the right time (section 23 of the PGPA Act and paragraph 36 of RMG 400).

 

ANAO audit testing concluded relevant controls were operating satisfactorily in 2019–20, 2020–21 and 2021–22.

ANAO gained reasonable assurance in relation to grants rights and obligations, occurrence, accuracy, and classification, and the expenses balance, and did not identify exceptions.

   

Note: There was an exception noted in 2019–20 by ANAO testing, which involved the identification of an inappropriate delegate signing a grant agreement, as part of the 2019–20 interim financial statements control testing. This exception did not reoccur in testing in subsequent financial years.
The 2021–22 ANAO testing covered up to 31 December 2021.
This result was based on an examination of CGH documentation.

Source: ANAO testing results.

4.17 The ANAO analysis of CGH data also identified there was a high level of compliance with the selected legislative requirements. Table 4.3 shows the analysis results of CGH data for compliance with the selected legislative requirements.

4.18 The CGRGs required from 31 December 2017 that an entity must report on GrantConnect information on individual grants no later than 21 calendar days after the grant agreement takes effect. The CGH started to capture the executed date for grant activities from 14 July 2018. The ANAO analysis identified that 18 per cent of these grant activities were published on GrantConnect later than the required 21 calendar days after the grant activity had been executed. 136

4.19 As of 1 July 2020, the grant opportunity identification number (GO ID) is required to be published on GrantConnect as part of the grant award report. Exceptions to reporting the GO ID include where grants are provided on a one–off or ad hoc basis, where an exemption is provided by the Minister for Finance, or where the Minister makes a decision not to publish grant guidelines. The ANAO analysis identified that two per cent of these grant activities did not have a proper GO ID recorded. As these grant activities were indicated in CGH data to be from open competitive and restrictive competitive funding rounds, they were not compliant with the reporting requirements related to GO ID.137

Table 4.3: Analysis of CGH data for compliance with selected legislative requirements

Legislative requirement

ANAO analysis

Commitments of relevant money

A grant payment cannot be made under an arrangement until an arrangement has been entered into by the accountable authority (or an appropriate delegate) on behalf of the entity (subsection 23(1) of the PGPA Act).

99.99 per cent of assessed grant activities were consistent with the legislative requirement, with the earliest payment date recorded occurring after the recorded Ministerial/Delegate approval date.a

The 0.01 per cent of assessed grant activities that were not consistent with the legislative requirements accounted for $3,736,980 in agreement value, excluding GST.

Transparency of grants awarded from a grant opportunity

As of 1 July 2020, the grant opportunity identification number (GO ID) is required to be published as part of the grant award report (paragraph 24 of RMG 421). Exceptions to reporting the GO ID include where grants are provided on a one–off or ad hoc basis, where an exemption is provided by the Minister for Finance, or where the Minister makes a decision not to publish grant guidelines.

98 per cent of assessed grant activities were consistent with the legislative requirement, with the recorded GO ID for the funding round associated with the grant activity matching with the published grant award on GrantConnect.b

The two per cent of assessed grant activities that were not consistent with the legislative requirements accounted for $33,562,539 in agreement value, excluding GST. These grant activities were indicated in CGH data to be from open competitive and restrictive competitive funding rounds. There was no information available in the CGH data to indicate whether an exemption was provided for these grant activities.c

Reporting grants awarded

From 31 December 2017, an entity must report on GrantConnect, information on individual grants no later than 21 calendar days after the grant agreement for the grant takes effect (paragraph 5.3 of the CGRGs). The date of effect will depend on the particular arrangement. It can be the date on which a grant agreement is signed or a specified starting date.

RMG 421 paragraph 23 states that where there is no grant agreement, officials may decide and document why they have chosen a specific date of effect or start date and may relate to the date of the first invoice or payment.

This analysis tested all grant activities started after 14 July 2018 when this information became available in the CGH to support the mandatory reporting to GrantConnect.

82 per cent of assessed grant activities were consistent with the legislative requirement, with grant activities being published onto GrantConnect no later than 21 calendar days after the grant activity has been executed.

The 18 per cent of assessed grant activities that were not consistent with the legislative requirements accounted for $7,222,134,670 in agreement value, excluding GST.

Confidentiality provisions

An entity must identify, and when reporting a grant award on GrantConnect must include information identifying, whether a grant agreement contains any confidentiality provisions and provide the reasons for those provisions (paragraph 5.5 of the CGRGs, and paragraph 28 of RMG 421).

In grant agreements there are two broad types of confidentiality-related clauses used: general clauses referencing confidentiality in legislation, and special confidentiality provisions which protect the confidentiality of all or part of the grant agreement; or information obtained or generated in relation to the grant project (paragraph 27 of RMG 421).

The grant activities were all consistent with this legislative requirement because they all have confidentiality provisions for contracts and output recorded in the associated Program Schedule. Of those that had an associated GrantAward notice on GrantConnect, the confidentiality provisions recorded on GrantConnect are aligned with the associated Program Schedule.

Information regarding the reason for the confidentiality provisions was not captured in the standard reporting from CGH.

   

Note a: Grant activities that did not have any payments recorded against them were either created as an ‘inflight’ record where initial payments were released before the grant activity was on–boarded for Hub Manage services or were ‘fee–for–service’ type grant activities where payments were made on a claims basis. Information that identifies these types of grant activities was not available in the standard reporting provided by DSS.

Note b: Grant activities that did not have any funding round recorded against them were either created as an ‘inflight’, ad–hoc grant or were grants that bypassed the Selection process. Information that identifies these types of grant activities was not available in the standard reporting provided by DSS.
DSS advised the ability to link the grant activities to the applications was implemented in 2018. Prior to this, there was no on-system link between the Activity and the Selection process.

Note c: There were also instances of data quality issues noted where GO IDs were either not provided for the relevant Funding Round or were not a valid GO ID (lacked the standard GO prefix).

Source: ANAO Analysis of CGH Data and GrantConnect data.

Consistency with selected business processes

4.20 The ANAO testing concluded that the relevant controls were operating satisfactorily for the selected business processes detailed in Table 4.4.

Table 4.4: ANAO testing results for consistency with selected business processes

Lifecycle Phase

Business process

ANAO testing

Select

No single officer should recommend an application for funding and approve the application for funding.

The ANAO financial statements audit testing concluded that the relevant controls around segregation of duty for the approval of grants were operating satisfactorily in 2019–20, 2020–21 and 2021–22 (interim period), and no exceptions were identified.

Establish

A grant agreement cannot be accepted (executed) before it is issued.

The ANAO testing concluded that the relevant controls were operating satisfactorily in 2019–20, 2020–21 and 2021–22, and no exceptions were identified.

Establish & Manage

Purchase orders are only issued for successful applicants (grantees), who have accepted an agreement, and this is accurately recorded in the grants management ICT system. A grant agreement cannot progress to the manage phase or have a payment made without a purchase order.

Establish & Manage

A risk rating assessment (of the grantee and their project) is required to occur when establishing an agreement, and a risk rating review and update is to occur when reviewing progress reports.

An audit is most likely to occur where grantees pose a high risk or are part of moderate and complex programs. An audit cannot occur until an agreement is executed.

The ANAO testing concluded that the relevant controls around risk assessment of grants and organisations were operating satisfactorily in 2019–20, 2020–21 and 2021–22, and no exceptions were identified.

     

Note: There was an exception noted in 2019–20 ANAO testing, which involved the identification of an inappropriate delegate signing a grant agreement, as part of the 2019–20 interim financial statements control testing. This exception did not reoccur in testing in subsequent financial years.
The 2021–22 ANAO testing covered up to 31 December 2021.
This result was based on an examination of CGH documentation.

Source: ANAO financial statements audit testing.

4.21 The ANAO analysis of CGH data also identified there was a high level of consistency with the selected business processes when data is available. Table 4.5 shows the analysis results of CGH data for consistency with the selected business processes.

4.22 There have been limitations of CGH data analysis by the ANAO due to data availability. DSS advised that this reflects the CGH moving from the transition phase to the business-as-usual phase.

4.23 Appropriate assessment of some business processes was only feasible when data could be linked across the grant management lifecycle. DSS advised that during 2018 the Department increased the functionality of data linkages between a grant application and a grant activity, which automatically creates an Activity from an Application record. Prior to this, there was no on-system link between the Activity and the Selection process.

4.24 For some business processes, critical dates for assessing grant activity lifecycle management were not included in the standard reporting data provided to the ANAO. DSS advised that some of this information was captured in the system but was not readily available in the standard reporting data and there were challenges in providing such information. Due to data availability constraints, some of the planned testing could not be performed (refer paragraph 4.14).

4.25 The ANAO analysis identified the following issues that are inconsistent with the CGH business process. DSS advised that they were due to data quality/processing errors, not affecting the outcome of the payments.

  • Based on the data provided, ninety-eight grant activities appeared to have initial payments made before the grant activity was executed. One instance was observed for grant activities commenced in 2021–22.
  • Based on the data provided, two hundred and forty-one grant activities appeared to be executed before funding was approved. Five instances were observed for grant activities commenced in 2021–22.
  • Based on the data provided, four hundred and eighty-seven grant activities had the decision to fund dated before an application was received.

4.26 Most of the data linkage issues identified by the ANAO analysis were related to grant activities started prior to 2021–22. DSS advised that as the grants hub has moved from the transition phase to the business as usual phase, the data shows the proportion of whole of life processes being managed by the CGH.

4.27 For grant activities commenced in 2021–22, 78 per cent could be linked to the Selection phase in comparison to 30 per cent in prior years. DSS advised that for 2021–22, this percentage is aligned with their expectation because not all CGH grant activities included a Selection phase.

Table 4.5: Analysis of CGH data for consistency with selected business processes and workflows

Lifecycle phase

Business process

ANAO analysis

Select

Application received prior to grant assessment decision

 

From the grant activities that can be linked to the Selection phase, 97 per cent had the decision to fund dated on or after an application was received. 8,869 (50 per cent) grant activities were approved within 120 calendar days after receiving the applications.

From the grant activities that can be linked to the Selection phase, 3 per cent had the decision to fund dated before an application was received, with a total agreement funding value of $17 million. DSS advised that this is a data quality issue.

Select

Applicant assessed as eligible before a merit assessment, if required, occurs

CGH Grant Round Eligibility and Compliance Process/Check Standard Operating Procedure (SOP) states that Eligibility and Compliance process occurs after the closure of a grant round, and before progressing to the assessment phase.

There was insufficient information included in the standard reporting of CGH data to assess this business process.

Based on the available data, ANAO observed some inconsistencies between eligibility/compliance process results and funding decisions. Of applications that had a status indicating they were to be funded, 0.6 per cent were assessed as not eligible, and 0.2 per cent were assessed not compliant. DSS advised that the standard reporting did not capture all the relevant information. For example, this data does not reflect the other eligibility and compliance processes in the Select phase (e.g. Selection Advisory Panel eligibility).

Select

A recommendation must be made prior to a decision to fund an application.

There was insufficient information included in the standard reporting of the CGH data to assess this business process. DSS advised that this is due to recommendations to fund are captured outside of the CGH system and is available on DSS’ records management system.

Select

Where the delegate rejects the recommendation, this may indicate that there are concerns about the quality of eligibility and merit assessments

99.98 per cent of the recommended grant activities were accepted by the delegates to provide the funding.a

One instance was identified with $0 of agreement value recorded against the grant activity, yet there were payments ($35,000) issued. DSS advised this was a data entry error where the agreement value was entered into the wrong CGH data field.

Select

A recommendation must be made prior to a decision on the amount to fund an application.

There was insufficient information included in the standard reporting of the CGH data to assess if a recommendation was made prior to a decision to fund grant applications. DSS advised that this is due to recommendations to fund are captured outside of the CGH system and is available on DSS’ records management system.

Select

A change in the recommended amount may indicate there are concerns about the quality of eligibility and merit assessments.

 

ANAO analysis identified that the delegate accepted the recommended value for 99.2 per cent of the grant activities.

From the assessed grant activities where delegates accepted the recommendations to fund, 0.47 per cent grant activities had their funding amount increased from the recommended value by 25 per cent or more.

From the assessed grant activities where delegates accept the recommendation to fund, 0.36 per cent had their funding value decreased from the recommended value by 25 percent or more.

Select

A record is made of whether an applicant fully, partially or does not meet the selection criteria to support Ministerial briefings.

Standard operating procedures state that the Eligibility and Compliance process occurs after the closure of a grant round, and before progressing to the assessment phase.

DSS advised that the system is not configured to identify whether the responses fully, partially or does not meet the selection criteria. Instead, a scoring matrix is used to rank applications.

There was insufficient information included in the standard reporting of the CGH data to assess this business process fully.

From the population for grant applications, 99.8 per cent of them have gone through eligibility and compliance tests, and 76 per cent had the final appraisal score recorded in the system.b

Where the eligibility and compliance tests were not captured by the CGH, DSS advised that these records related to paper-based forms or applications which had to be entered manually into the CGH.

Select & Establish

A grant agreement cannot be entered into prior to the delegate’s approval of which applications will receive funding. A grant agreement cannot start prior to delegate approval and an agreement is executed.

From the grant activities with the executed dates recorded, 99 per cent of grant activities did not execute prior to delegate approval.

From the grant activities with the executed dates, 1 per cent were executed before funding approval, with a total funding agreement value of $240 million. DSS advised that 92 per cent of these exceptions related to data quality issues, or transitional arrangements while the other 8 per cent reflected inflight on-board grants where the execution was completed by the client agency prior to it being managed by the CGH.

Establish

Grant agreements cannot end before the start date.

 

From the assessed grant activities that can be linked to a funding agreement, 99.7 per cent of them recorded a valid agreement commencement date and agreement completion date. For grant activities where valid agreements dates are recorded, they all (100 per cent) had their agreement completion date on or after the agreement commencement date.

From the assessed grant activities that can be linked to a funding agreement, 0.3 per cent of them have both their agreement approval date and agreement completion date not recorded in the system. They account for a total funding agreement value of $309 million.

Select, Establish & Manage

Grants payment transaction dates cannot occur before the agreement execution date.

 

99.7 per cent were executed on or before the earliest payments, and 87 per cent of them made the first payments within 30 calendar days after the grant execution.

0.3 per cent made their first payment before the grants were executed, with a total agreement funding value of $181 million. DSS advised that this was a data quality issue where the payment had correctly been released, and the execution date was incorrectly recorded or updated.

Manage

A grant applicant must make a request for a variation to a grant agreement before it is assessed by CGH. Following an assessment CGH will decide to approve or not approve the variation.

 

Activity variations were sought for 48 per cent of the grant activities. ANAO analysis identified that, 99.97 per cent of the variations recorded in CGH had variation approval dates recorded against them. For these variations, they were all (100 per cent) approved on or after they were created/requested.

Financial variations were sought for 40 per cent of the grant activities. Among these grant activities, 88 per cent sought an overall increase in the funding, while 6 per cent had an overall decrease in the funding value and 6 per cent recoded an overall no change in the funding value.

Manage

When accepting a grant agreement, the grantee agrees to reporting obligations including to provide reports in accordance with due dates established in agreements.

 

From the assessed milestone reports, 1.7 per cent of them haven’t been received. DSS advised that milestones which have not been received appear to reflect general data quality issues, though there is likely to be justified reasoning for the delays.

For milestone reports that had been received, 52 per cent of them were received before the due date. The remaining 48 per cent were received after the due date. Where the reports were received after the due date, 50 per cent were received within 30 days after the due date.

ANAO observed some erroneous dates were data entry issues and the system controls did not prevent their entry or flag that the entry was likely to be an error.c

Manage

A review of a progress report cannot occur before a report is received. Grant payments may be contingent on progress reports.

DSS advised to use the ‘Performance Report’ milestone for progress reports.

DSS advised that the review start date is an administrative field and does not reflect when the review commenced. There was insufficient information included in the standard reporting of the CGH for this assessment.

Based on the available information, the CGH conducted 12,647 reviews of the performance report during the time period for 3436 grant activities.

     

Note a: ANAO analysis is based on the following assumption: where there is a valid recommended value made against a grant activity, a valid agreement value (i.e., funding agreement value is greater than $0) is recorded. The difference of the $ value is tested separately.

Note b: DSS advised that not all applications will have a final appraisal score, as the CGH does not complete the full assessment process for all funding rounds in the system.

Note c: One instance was observed where the report was received approximately 200 years prior to the due date. One instance was observed where the report was received more than 90 years after the expected date. The implausibility of this timing is further evidence that the data is erroneous.

Source: ANAO analysis of CGH data

Conclusion

4.28 While there is evidence of improvement in the completeness and accuracy of CGH data in recent years, there remains a number of uncorrected data issues DSS advised this represents the opportunity for the CGH to improve the data quality going forward. Data issues identified in the CGH represent an increased business risk to DSS, in providing services to CGH users.

4.29 To address this risk, the ANAO recommended the Department of Finance and the hubs, including CGH, establish a whole-of-government grants administration and payments dataset and implement arrangements to assure the quality of the data, which was agreed by Finance, Industry and DSS.138

4.30 In view of the observations of this audit, the ANAO will continue to monitor how DSS manages these risks in operating the CGH to ensure its compliance with legislative requirements, the CGRG grant guidelines, and consistency with standard business processes.

Appendices

Appendix 1 Listing of entities by Portfolio

1. The following entities have been considered in this report, selected on the basis of their contribution to the income, expenses, assets and liabilities within the consolidated financial statements, and includes all departments of state and a number of major Australian government entities. The National Indigenous Australians Agency is also included in this report given the role it plays working across government with indigenous communities and stakeholders.

2. The entities are presented in order of portfolio.

  • Department of Agriculture, Water and the Environment
  • Attorney-General’s Department
  • Department of Defence
    • Department of Veterans’ Affairs
  • Department of Education, Skills and Employment
  • Department of Finance
    • Future Fund Management Agency and the Board of Guardians
  • Department of Foreign Affairs and Trade
  • Department of Health
  • Department of Home Affairs
  • Department of Industry, Science, Energy and Resources
    • Snowy Hydro Limited
  • Department of Infrastructure, Transport, Regional Development and Communications
    • Australian Postal Corporation
    • NBN Co Limited
  • Department of Parliamentary Services
  • Department of the Prime Minister and Cabinet
    • National Indigenous Australians Agency
  • Department of Social Services
    • Services Australia
    • National Disability Insurance Agency139
  • Department of the Treasury
    • Australian Office of Financial Management
    • Australian Taxation Office
    • Reserve Bank of Australia

Appendix 2 The financial reporting and auditing standards frameworks for 2021−22

1. The figure below depicts the standard setting framework for financial reporting and auditing, in the Australian Government context.

Figure A.1: Australian Government standard setting framework

Appendix 3 The financial reporting and auditing framework for 2021–22 financial statements

1. Key elements of the Australian Government’s financial reporting framework are outlined in the diagram below. An overview of the financial reporting requirements for the various types of Australian Government entities covered by the framework and the audit approach for the financial statements of these entities is also described below.

Figure A.2: Australian Government financial reporting framework

Source: ANAO compilation.

Australian Government reporting entities

Commonwealth Government of Australia

2. Section 48 of the PGPA Act requires the Minister for Finance to prepare annual consolidated financial statements for the Commonwealth Government of Australia. These financial statements are general purpose financial statements consolidating the financial activities and financial position of Commonwealth entities and other entities controlled by the Commonwealth Government.

3. The PGPA Act prescribes the Australian Accounting Standards (AASs), and any other requirements prescribed by the rules, as the applicable financial reporting framework for the consolidated financial statements.

Commonwealth entities

4. Section 10 of the PGPA Act defines a Commonwealth entity as a department of state, a Parliamentary department, a listed entity or a body corporate of the Commonwealth other than a Commonwealth company. Section 11 of the PGPA Act determines that there are two types of Commonwealth entities: a non-corporate Commonwealth entity, which is a Commonwealth entity that is not a body corporate140; and a corporate Commonwealth entity, which is a Commonwealth entity that is a body corporate and legally separate from the Commonwealth.

5. Section 42 of the PGPA Act requires the accountable authority of a Commonwealth entity to prepare annual financial statements that comply with the AASs and any other requirements prescribed by the rules.

6. Resource Management Guide 125: The Commonwealth Entities Financial Statements Guide applies to all Commonwealth reporting entities responsible for preparing financial statements under the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015. The guide includes definitions of terms that have been used in this report.

Non-corporate Commonwealth entities

7. Non-corporate Commonwealth entities, comprising departments of state, Parliamentary departments and listed entities, are subject to the provisions of the PGPA Act. In some cases they also operate under their own enabling legislation.

8. The PGPA Act prescribes the AASs and PGPA Financial Reporting Rule (FRR) as the applicable financial reporting framework for non-corporate Commonwealth entities.

Corporate Commonwealth entities and subsidiaries

9. Corporate Commonwealth entities are bodies corporate that hold money on their own account and have been created to perform specific functions. Corporate Commonwealth entities operate under their own enabling legislation and must comply with the relevant provisions of the PGPA Act.

10. The PGPA Act prescribes the AASs and FRR as the applicable financial reporting framework for corporate Commonwealth entities. The financial reporting framework applicable to subsidiaries of corporate Commonwealth entities depends on the nature of the subsidiary.

Commonwealth companies and subsidiaries

11. Commonwealth companies are companies that are controlled by the Australian Government through majority share holdings or voting rights, or via control over the composition of the company’s board. Commonwealth companies operate and prepare financial statements under the Corporations Act 2001 (Corporations Act).

12. The applicable financial reporting framework for Commonwealth companies is the Corporations Act, including the AASs and the Corporations Regulations.

13. The financial reporting framework applicable to subsidiaries of Commonwealth companies depends on the nature of the subsidiary.

Other bodies

14. The ANAO also audits the financial statements of other bodies under Commonwealth legislation other than the PGPA Act, including the ‘by arrangement’ provisions in section 20 of the Auditor-General Act 1997. Examples of these other bodies include statutory bodies not established as Commonwealth entities and trusts. The financial reporting framework applicable to these other bodies depends on legislation or other rules that govern that entity.

Audit of Australian Government entity financial statements

Audit scope

15. The accountable authority of a Commonwealth entity is responsible for the preparation and fair presentation of the financial statements and for maintaining records, internal controls, procedures and processes that support the preparation of those statements.

16. The Directors of a Commonwealth company, or a company that is a subsidiary of either a Commonwealth entity or a Commonwealth company, are responsible for the preparation of financial statements that give a true and fair view and for maintaining records, internal controls, procedures and processes that support the preparation of that report.

17. The ANAO’s independent audits of financial statements are undertaken to form an opinion whether they are free from material misstatement and present fairly in accordance with applicable accounting standards and legislation. These audits are conducted in accordance with the ANAO Auditing Standards, which incorporate the Australian Auditing Standards and provide reasonable assurance.

18. Audit procedures include an examination of the entity’s records and its internal control, information systems, control procedures and statutory disclosure requirements. Evidence supporting the amounts and other information in the statements is examined on a test basis, and accounting policies and significant accounting estimates are evaluated.

19. The entity’s internal control relevant to the entity’s preparation and fair presentation of the financial statements or reports is considered in order to design audit procedures that are appropriate in the circumstances. In some audits, audit procedures concentrate primarily on substantiating the amounts appearing in the financial statements and do not include detailed testing of systems and internal controls.

20. The primary responsibility for the prevention and detection of fraud and error rests with both those charged with the governance and the management of an entity. The auditor is not responsible for the prevention or detection of fraud and error.

The auditor’s report on financial statements

21. The ANAO auditor’s report on the financial statements includes a statement of the auditor’s opinion as to whether the financial statements present fairly the entity’s financial position, the results of its operations and its cash flows in accordance with the applicable financial reporting framework.

22. If the auditor is not of that opinion, the auditor’s opinion is modified, with the reasons being indicated.

23. The auditor’s report on the financial statements may also include an ‘emphasis of matter,’ ‘other matter’ or ‘material uncertainty related to going concern’ paragraph. A report on other legal and regulatory requirements may accompany the auditor’s report on the financial statements. The inclusion of these paragraphs does not modify the auditor’s opinion.

Form of auditor’s opinion

24. An auditor’s opinion is described as ‘unmodified’ when the auditor concludes that the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework.

25. An auditor’s opinion may be ‘modified’ in one of three ways.

  • A ‘qualified opinion’ is expressed when the auditor, having obtained sufficient appropriate audit evidence, concludes that misstatements, individually or in aggregate, are material but not pervasive to the financial statements. A ‘qualified opinion’ is also expressed when the auditor, having been unable to obtain sufficient appropriate audit evidence, concludes that the possible effects on the financial statements of undetected misstatements could be material but not pervasive.
  • A ‘disclaimer of opinion’ is expressed when the auditor, having been unable to obtain sufficient appropriate audit evidence on which to base the opinion, concludes that the possible effects on the financial statements of undetected misstatements could be both material and pervasive. A ‘disclaimer of opinion’ is also expressed when the auditor, having been able to obtain sufficient appropriate audit evidence regarding individual uncertainties, concludes that the potential interaction of the uncertainties and their possible cumulative effect on the financial report cannot be determined.
  • An ‘adverse opinion’ is expressed when the auditor, having obtained sufficient appropriate audit evidence, concludes that misstatements individually or in aggregate, are both material and pervasive to the financial statements.
Emphasis of matter

26. An ‘emphasis of matter’ paragraph is included in the auditor’s report when the auditor considers it necessary to draw to users’ attention a matter presented in the financial statements that, in the auditor’s judgement, is of such importance that it is fundamental to the users’ understanding of the financial statements. The circumstances in which an emphasis of matter is used include:

  • when financial statements and the auditor’s report have been issued and a fact is discovered that leads to revised financial statements and a new auditor’s report being prepared; and
  • when financial statements have been prepared in accordance with a special purpose framework, and as a result the financial statements may not be suitable for another purpose.
Other matter

27. The auditor’s report on the financial statements may also include a reference to an ‘other matter’. This allows the auditor to communicate a matter other than a matter that is presented or disclosed in the financial statements that, in the auditor’s judgement, is relevant to users’ understanding of the audit, the auditor’s responsibilities or the auditor’s report.

Material uncertainty related to going concern

28. The auditor’s report on the financial statements will also include a reference to a ‘material uncertainty related to going concern’ when there are possible or actual events or conditions that may cast significant doubt on an entity’s ability to continue as a going concern and the financial statements include adequate disclosure about the uncertainty and management’s plans to deal with the uncertainty.

Report on other legal and regulatory requirements

29. The auditor’s report on the financial statements may also include a report on other legal and regulatory requirements. This report covers matters that the Auditor-General is required by law to report on in conjunction with the financial statements audit.

Footnotes

1 There is a range of different governance structures within Commonwealth entities depending on particular legal status or enabling legislation. The term ‘accountable authority’, as defined in the PGPA Act, is used in this report to describe the person or body responsible for an entity’s governance.

2 The Australian Taxation Office, National Disability Insurance Agency and the departments of: Health; Infrastructure, Transport, Regional Development and Communications; and Social Services.

3 The departments of Defence and Veterans’ Affairs.

4 The PGPA Act Section 13 defines officials of Commonwealth entities.

5 In accordance with section 8 of the PGPA Act, finance law means the PGPA Act or PGPA Rules, any instrument made under the PGPA Act or Appropriation Acts.

6 The ANAO has not audited the effectiveness of the executive management structures.

7 Future Fund Management Agency and Board of Guardians, NBN Co Limited and the Reserve Bank of Australia.

8 Sections 45 and 92 of the Public Governance, Performance and Accountability Act 2013.

9 ASX Corporate Governance Council, Corporate Governance Principles and Recommendations, 4th edition, available from https://www.asx.com.au/documents/asx-compliance/cgc-principles-and-recommendations-fourth-edn.pdf [accessed 30 April 2022].

10 Public Governance, Performance and Accountability Amendment (2020 Measures No. 1) Rules 2020 (legislation.gov.au).

12 There were 187 entities subject to the reporting requirements of the PGPA Rule for 2020–21. Six entities were not reviewed and include the Australian National Audit Office as it is not reported on in the financial statements-related audit reports presented to Parliament and Australian Secret Intelligence Service, Australian Security Intelligence Organisation and Office of National Intelligence as the entities do not disclose information in line with Section 105D of the PGPA Act. Also excluded were the Australian National University as the 2020 annual report had not yet been tabled and the Inspector-General of Taxation which had not tabled their 2021 annual report as at 30 April 2022.

13 Publications on Transparency Portal are accessed at https://www.transparency.gov.au/publications. Assessments were based on information reported to 20 April 2022.

15 The non-material non-corporate Commonwealth entities that did not include a direct link to the audit committee charter included: Aged Care Quality and Safety Commission, Australian Trade and Investment Commission, Commonwealth Grants Commission, Fair Work Ombudsman and Registered Organisations Commission, National Health Funding Body, North Queensland Water Infrastructure Authority, Office of Parliamentary Counsel, Parliamentary Budget Office, Royal Australian Mint, Safe Work Australia, and Seacare Authority.

16 The non-corporate Commonwealth entities that did not include a direct link to the audit committee charter in both 2019–20 and 2020–21 annual reports were the Commonwealth Grants Commission, National Health Funding Body, North Queensland Water Infrastructure Authority and Office of Parliamentary Counsel.

17 The non-material corporate Commonwealth entities that did not include a direct link to the audit committee charter were: the Australian Digital Health Agency, Australian Sports Commission, Central Land Council, Food Standards Australia New Zealand, National Film and Sound Archive of Australia, National Museum of Australia, Northern Australia Infrastructure Facility, Old Parliament House, Regional Investment Corporation, Royal Australian Navy Central Canteens Board, Tiwi Land Council, Wine Australia and Wreck Bay Aboriginal Community Council.

18 The corporate Commonwealth entities that did not include a direct link to the audit committee charter in both 2019–20 and 2020–21 annual reports were Food Standards Australia New Zealand, Indigenous Land and Sea Corporation, National Gallery of Australia, Northern Australia Infrastructure Facility, Regional Investment Corporation, Royal Australian Navy Central Canteens Board and Wine Australia.

19 The non-material Commonwealth companies were Australian Sports Foundation Limited, Australian Strategic Policy Institute Ltd, Bundanon Trust, Financial Adviser Standards and Ethics Authority, National Australia Day Council, Outback Stores Pty Ltd and Royal Australian Air Force Welfare Recreational Company.

20 The Commonwealth companies that did not include a direct link to the audit committee charter in both 2019–20 and 2020–21 were the ASC Pty Ltd, Australian Sports Foundation Limited, Australian Strategic Policy Institute Ltd, Bundanon Trust, Financial Adviser Standards and Ethics Authority Ltd, National Australia Day Council, and NBN Co. Limited.

21 The five corporate Commonwealth entities that did not have an audit committee charter available on their websites were the Australian War Memorial, Central Land Council, Indigenous Land and Sea Corporation, Northern Australia Infrastructure Facility, and Wreck Bay Aboriginal Community Council.

22 The Commonwealth companies that did not have an audit committee charter available on their websites were Australian Strategic Policy Institute Ltd, Bundanon Trust, and Financial Adviser Standards and Ethics Authority Ltd (FASEA). FASEA ceased operations in December 2021 and no longer maintains a website.

23 The newly established/merged agency has an obligation to report the audit committee disclosure requirements and is responsible for obtaining information from the merged/abolished agency. https://www.finance.gov.au/audit-committee-disclosure-requirements-annual-reporting [accessed 30 April 2022].

24 The non-corporate Commonwealth entity that did not disclose its annual report on Transparency Portal was the North Queensland Water Infrastructure Authority.

26 The non-corporate Commonwealth entities that did not report audit committee skills and experience details for all members were the National Health Funding Body and the North Queensland Water Infrastructure Authority.

27 The non-corporate Commonwealth entity that did not report audit committee skills, and experience details in both 2019–20 and 2020–21 annual reports is North Queensland Water Infrastructure Authority.

28 The corporate Commonwealth entity that did not disclose the skills and experience details was Wreck Bay Aboriginal Community Council.

29 The Commonwealth company that did not disclose the skills and experience details was Bundanon Trust.

30 The non-corporate Commonwealth entities were Australian Institute of Family Studies, the North Queensland Water Infrastructure Authority and Safe Work Australia.

31 The corporate Commonwealth entity that did not include meeting attendance information is Wreck Bay Aboriginal Community Council.

32 The Commonwealth companies are Australian Strategic Policy Institute Ltd and Bundanon Trust.

33 The entities that did not include attendance information in both 2019–20 and 2020–21 were the Australian Strategic Policy Institute Limited, Bundanon Trust and North Queensland Water Infrastructure Authority.

35 The non-corporate Commonwealth entities were the Office of the Official Secretary to the Governor-General, North Queensland Water Infrastructure Authority, Professional Services Review and Safe Work Australia.

36 The non-material corporate Commonwealth entities that did not include audit committee specific remuneration were Cotton Research and Development Corporation, National Museum of Australia and Wreck Bay Aboriginal Community Council.

37 The Commonwealth companies that did not disclose specific information relating to audit committee remuneration included the Australian Sports Foundation Limited, Bundanon Trust, Financial Adviser Standards and Ethics Authority Ltd and National Australia Day Council.

38 The entities that did not include audit committee specific remuneration for both 2019–20 and 2020–21 annual reports were Cotton Research and Development Corporation, Financial Advisor Standards and Ethics Authority Ltd, National Australia Day Council, National Museum of Australia and North Queensland Water Infrastructure Authority.

39 PGPA Rule, subsection 17(4).

40 PGPA Rule, subsections (4AA) and 28(1)

41 PGPA Rule, subsection 17(5).

42 There are 187 entities subject to the reporting requirements of the PGPA Rule for 2021–22. Four entities were excluded from the analysis and include the Australian National Audit Office as it is not reported on in the financial statements-related audit reports presented to Parliament, Australian Secret Intelligence Service, Australian Security Intelligence Organisation and Office of National Intelligence as the entities do not disclose information in line with Section 105D of the PGPA Act.

43 The non-corporate Commonwealth entity that had an official of the entity as an audit committee member after 1 July 2021 was the Clean Energy Regulator.

44 The corporate Commonwealth entity that had an official of the entity as an audit committee member after 1 July 2021 was Anindilyakwa Land Council.

45 The non-corporate Commonwealth entity that did not have a majority of members being persons who are not officials of any Commonwealth entity was the Commonwealth Grants Commission.

46 The seven entities were Administrative Appeals Tribunal, Asbestos Safety and Eradication Agency, Australian Centre for International Agricultural Research, National Mental Health Commission, Professional Services Review, Tertiary Education Quality and Standards Agency, and Workplace Gender Equality Agency.

47 The two entities that held meetings were Asbestos Safety and Eradication Agency and Australian Centre for Agricultural Research.

48 Entities are recommended by the Australian Cyber Security Centre to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.

49 Attorney-General’s Department, 10 Safeguarding information from cyber threats [Internet], Attorney-General’s Department, AU, 2022, available from https://www.protectivesecurity.gov.au/information/safeguarding-information-from-cyber-threats/Pages/default.aspx [accessed 27 April 2022].

50 The Essential Eight strategies were mandated on 15 March 2022.

51 ASD, Strategies to Mitigate Cyber Security Incidents, AU, 2017, available from https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents [accessed 27 April 2022].

52 The purpose of application control is to protect systems and networks from security vulnerabilities in existing applications and prevent unauthorised applications from running on ICT systems.

53 To protect ICT systems from known vulnerabilities, the patching applications and operating system strategies require entities to deploy security patches as soon as possible after being identified by vendors, independent third parties, system managers or users.

54 Effectively configured Microsoft Office macro settings address adversaries’ attempts to create macros that can deny users’ access to sensitive or classified information.

55 When applications are frequently updated and appropriate security settings applied, it is more difficult for adversaries to exploit any security vulnerabilities they may discover. Disabling unneeded features in Microsoft Office and configuring web browsers to block Flash, Internet advertisements and Java further reduces the risk of malicious content being introduced to entities’ ICT environments.

56 Misuse of privileged access can lead to significant security compromises, such as the unauthorised disclosure of information, systems or processes becoming unavailable, or financial impropriety. The restricting administrative privileges strategy includes a requirement for administrative privileges to be regularly reviewed and restricted only to users who need them and are duly authorised.

57 Multi-factor authentication requires users to provide at least two independent methods to gain access to an ICT system. These may include:

  • something a user knows, such as a password;
  • something a user has, such a physical token or software-based certificate; and
  • something unique to the user, such as their fingerprint.

58 Backups should be protected to ensure that information can be accessed following a cyber security incident.

59 ASD, Strategies to Mitigate Cyber Security Incidents, AU, 2017, available from https://www.cyber.gov.au/acsc/view-all-content/publications/strategies-mitigate-cyber-security-incidents [accessed 27 April 2022].

60 The ACSC has developed a prioritised list of mitigation strategies that are to be considered in addition to the Essential Eight.

61 Department of Home Affairs, Australia’s Cyber Security Strategy 2020, AU, 2020, available from https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf [accessed 4 May 2022].

62 At the time of compilation, verification of data provided by the Australian Office of Financial Management was still ongoing. Due to this timing, the Australian Office of Financial Management has been excluded from the analysis.

63 Five entities in this report are corporate Commonwealth entities or Commonwealth companies and are not required to report on compliance with the PSPF. These entities are: Australian Postal Corporation; National Disability Insurance Agency; NBN Co Limited; the Reserve Bank of Australia; and Snowy Hydro Limited.

64 Analysis performed on non-corporate Commonwealth entity self-assessments provided to AGD.

65 Joint Committee of Public Accounts and Audit, Report 485, Cyber Resilience, available from https://parlinfo.aph.gov.au/parlInfo/download/committees/reportjnt/024465/toc_pdf/Report485CyberResilience.pdf;fileType=application%2Fpdf [accessed on 27 April 2022].

66 Australian National Audit Office, Reports No.53, Cyber Resilience, available from https://www.anao.gov.au/work/performance-audit/cyber-resilience-2017-18 [accessed on 27 April 2022]

67 Australian National Audit Office, Report No.32, Cyber Security Strategies of Non-Corporate Commonwealth Entities, available from https://www.anao.gov.au/work/performance-audit/cyber-security-strategies-non-corporate-commonwealth-entities [accessed 27 April 2022].

68 At time of compilation, testing of some IT controls for Attorney-General’s Department; Department of Veterans’ Affairs; and Snowy Hydro Limited were still ongoing. Findings raised as a result of the interim audit have been reflected in this report.

69 Attorney General’s Department (AGD), Protective Security Policy Framework, AGD, Canberra, 2022.

70 Australian Signals Directorate, Information Security Manual, Australian Cyber Security Centre, Canberra 2022.

71 Further details regarding the moderate findings can be found in chapter 3 for the departments of: Defence; Infrastructure, Transport, Regional Development and Communications; Social Services; Veterans’ Affairs; and the National Disability Insurance Agency.

72 Australian Signals Directorate, Information Security Manual, Australian Cyber Security Centre, Canberra 2022, p. 33.

73 Multi-factor authentication uses two or more authentication factors to confirm a user’s identity. This may include: something a user knows, such as a password; something a user has, such as a Universal 2nd factor security key, physical one-time password token or smartcard and something a user is, such as a fingerprint or their facial geometry

74 Australian Signals Directorate, Information Security Manual, Australian Cyber Security Centre, Canberra 2022, p. 86.

75 ITIL is a framework for designing, implementing, delivering and managing IT services. It was originally developed in the 1990s with the support of the UK Government and has been widely adopted by public and private sector entities world-wide.

76 This release was supported in Australia by the release of the AUASB Bulletin Extended External Reporting (EER) Assurance Guidance in August 2021.

77 Australian Cyber Security Centre, ACSC Annual Cyber Threat Report 2020–21, available from https://www.cyber.gov.au/acsc/view-all-content/reports-and-statistics/ac...–21

78 Performance Statements Audits were completed for: the Attorney-General’s Department, the Department of Social Security and the Department of Veterans’ Affairs.

79 As outlined in AASB 1053 Application of Tiers of Australian Accounting Standards, Australian Accounting Standards consist of two Tiers of reporting requirements for preparing general purpose financial statements. Tier 1 incorporates International Financial Reporting Standards (IFRSs) issued by the International Accounting Standards Board (IASB) and include requirements that are specific to Australian entities. Tier 2 comprises the recognition and measurement requirements of Tier 1 (including consolidation and the equity method of accounting) but substantially reduced disclosure requirements.

80 Regulatory charging activities are those activities where the government has agreed that a regulatory function is to be charged for on a full or partial cost recovery basis.

81 Performance audits have been included in this report where they have tabled prior to 30 April 2022.

82 The ANAO’s rating scale for findings can be found in Chapter 1 at Table 1.8.

83 As at 30 April 2022.

84Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022, Appropriation Act (No.3) 2021–2022 and Appropriation Act (No.4) 2021–2022.

85 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

86Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022 and Appropriation Act (No.3) 2021–2022.

87 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

88Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022 and Appropriation Act (No.3) 2021–2022.

89 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

90Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022 and Appropriation Act (No.3) 2021–2022.

91 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

92Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022, and Appropriation Act (No.3) 2021–2022.

93 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

94 Loan balances to be reviewed and assessed include HELP, Vocational Student loans, Trade Support loans and HESP.

95 Audit procedures will be performed over the Jobactive, child care and apprenticeship compliance programs.

96Appropriation Act (No. 1) 2021–2022; Appropriation Act (No.2) 2021–2022; Appropriation Act (No.3) 2021–2022; and Appropriation Act (No.4) 2021–2022. This appropriation funding does not include Advances to the Finance Minister in 2021–22.

97 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

98Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022 and Appropriation Act (No.3) 2021–2022.

99 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

100Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022, Appropriation (Coronavirus Response) Act (No.1) 2021–2022, Appropriation (Coronavirus Response) Act (No.2) 2021–2022, Appropriation Act (No.3) 2021–2022 and Appropriation Act (No.4) 2021–2022.

101 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

102Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022, Appropriation Act (No.3) 2021–2022, Appropriation Act (No.4) 2021–2022.

103 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

104Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022, Appropriation Act (No.3) 2021–2022 and Appropriation Act (No.4) 2021–2022.

105 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

106Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022, Appropriation Act (No.3) 2021–2022, and Appropriation Act (No.4), 2021–2022.

107 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

108Appropriation (Parliamentary Departments) Act (No.1) 2021–2022.

109Appropriation Act (No.1) 2021–2022, and Appropriation Act (No.3) 2021–2022.

110 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

111Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022 and Appropriation Act (No.3) 2021–2022.

112 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

113Appropriation Act (No.1) 2021–2022 and Appropriation Act (No.3) 2021–2022.

114 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023

115Appropriation Act (No.1) 2021–2022 and Appropriation Act (No.3) 2021–2022.

116Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022, Appropriation Act (No.3) 2021–2022 and Appropriation Act (No.4) 2021–2022.

117 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

118Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022 and Appropriation Act (No.3) 2021–2022.

119 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

120Appropriation Act (No.1) 2021–2022.

121 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

122Appropriation Act (No.1) 2021–2022, Appropriation Act (No.2) 2021–2022, Appropriation Act (No.3) 2021–2022 and Appropriation Act (No.4) 2021–2022.

123 Part 1: Estimated actual 2021–22, Special Appropriations Table, Agency Resourcing, Budget Paper No.4, 2022–2023.

124 Tax audit work includes income tax, fringe benefits tax, petroleum resource rent tax and goods and services tax.

125 GrantConnect is the Australian Government’s grants information system. It provides centralised publication of forecast and current Australian Government grant opportunities and grants awarded. GrantConnect [Internet], Finance, available from https://www.grants.gov.au/ [accessed April 2022].

126 Eighteen per cent of grant activities were not published to GrantConnect within 21 calendar days. From 31 December 2017 an entity must report, on GrantConnect, information on individual grants no later than twenty-one calendar days after the grant agreement for the grant takes effect. CGRGs, paragraph 5.3. Finance, 2017 [Internet], available from https://www.legislation.gov.au/Details/F2017L01097/Html/Text#_ftnref49 [accessed April 2022].

127 Two per cent of grant activities did not have the recorded Grant Opportunity ID for the funding round associated with the grant activity matching with the published grant award on GrantConnect. See Department of Finance, Publishing and reporting Grants and GrantConnect (RMG 421), updated December 2020, [Internet], available from https://www.finance.gov.au/publications/resource-management-guides/publishing-and-reporting-grants-and-grantconnect-rmg-421 [accessed April 2022].

128 Auditor-General Report No.21 2021–22 Operations of Grants Hub.

129 Auditor-General Report No.21 2021–22 Operations of Grants Hub, p. 7.

130 Auditor-General Report No.21 2021–22 Operations of Grants Hub, p. 10.

131 Auditor-General Report No.21 2021–22 Operations of Grants Hub, p. 69.

132 Ibid.

133 Select: Advertise the grant round and select the grant recipients. Establish: Create, populate, and vary grant agreements; and negotiate and execute grant agreements or contracts. Manage: Manage funding recipient performance; and ensure the grant agreement and program outcomes are met.

134 DSS undertook a project to transition the user agencies’ grants administration functions into the CGH. With the transition, a business decision was made that a number of contradictory business processes between the CGH and user agencies were maintained to ensure consistency with historical management of the funding agreement. This is evident in the Establish and Manage tests conducted by the ANAO.

135 The information captured in audit logs is not in a format that can be readily used for reporting purposes.

136 From 31 December 2017 an entity must report, on GrantConnect, information on individual grants no later than twenty-one calendar days after the grant agreement for the grant takes effect. CGRGs, paragraph 5.3. Finance, CGRGs [Internet], Finance, 2017, available from https://www.legislation.gov.au/ [accessed April 2022].

137 See Department of Finance, Publishing and reporting Grants and GrantConnect (RMG 421), updated December 2020.

138 Recommendation 3 of Auditor-General Report No.21 2021–22 Operations of Grants Hub, p. 10.

139 National Disability Insurance Scheme Launch Transition Agency was renamed the National Disability Insurance Agency effective 8 April 2022, as a result of The National Disability Insurance Scheme Amendment (Participant Service Guarantee and Other Measures) Act 2022.

140 Three entities have a body corporate status but are prescribed as non-corporate Commonwealth entities. These are the Australian Competition and Consumer Commission; the Australian Prudential Regulation Authority; and the Australian Securities and Investments Commission.