Introduction

1. This report presents the results of the interim phase of the ANAO’s 2024–25 financial statements audits. The results include the ANAO’s assessment of the effectiveness of internal controls in 27 of the largest Australian Government sector entities.

2. The assessments included in this report are as at 31 March 2025 and the entity names, responsibilities and portfolio allocations used in this report reflect the Administrative Arrangements Orders (AAOs) in place as at that date. Revised AAOs were made on 13 May 2025.

Interim audit results

3. At the completion of the interim audits for the 27 entities included in this report, the key elements of internal control were assessed as operating effectively for 13 entities. For the remaining 14 entities, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement, except for particular finding/s outlined in Chapter 4 of this report.

4. In three entities where significant audit findings were identified these findings reduced the level of confidence and assurance that could be placed on key elements of internal control. These significant audit findings related to compliance and quality assurance frameworks, and legislative breaches. These entities were the Department of Health and Aged Care, the Department of Social Services, and Services Australia (refer to paragraphs 2.10 to 2.11 and Chapter 4).

Interim audit findings

5. A total of 118 findings were reported to the entities included in this report at the conclusion of 2024–25 interim audits, comprising: 4 significant, 31 moderate, and 83 minor.

6. Seventy-eight per cent of audit findings reported at the 2024–25 interim phase were findings that were first raised in earlier financial years. Entities should take action to address outstanding audit findings in a manner which is timely and commensurate with the level of risk identified (refer to paragraphs 2.18 to 2.21).

7. Sixty-five per cent of all findings related to the IT control environment (2023–24: 65 per cent), including the removal of user access on termination, assignment of user access and monitoring of privileged user activities. The number of findings identified by the ANAO indicate that there remains substantial room for improvement across the sector to enhance governance processes supporting the design, implementation and operating effectiveness of IT security controls.

8. Eight significant or moderate audits findings were reduced to minor audit findings to reflect action taken by entities to reduce the associated risk. One significant finding and five moderate findings were reassessed to minor findings.

9. Maturing financial reporting processes across the Australian Government sector continue to be observed through the ANAO’s financial statements audits. Effective audit committees, internal governance arrangements and financial reporting functions support the effective preparation of annual financial statements, providing accountability and transparency over the financial management of those entities.

Introduction

1.1 The ANAO prepares two reports annually that provide insights at a point in time to the financial statements risks, governance arrangements and internal control frameworks of Australian Government entities, drawing on information collected during our audits. This report is the first of the two reports for the 2024–25 financial statements audits. It focuses on the results of the interim financial statements audits, including an assessment of entities’ key internal controls.

Entities included in this report

1.2 This report examines 27 of the largest Australian Government entities, across the General Government Sector (GGS)¹, Public Non-Financial Corporation (PNFC)² sector and Public Financial Corporation (PFC)³ sector. Collectively, these 27 entities contribute to 95 per cent of the Australian Government’s assets, liabilities, income and expenditure, and deliver diverse and essential services to the Australian community.

1.3 The assessments included in this report are as at 31 March 2025 and the entity names, responsibilities and portfolio allocations used in this report reflect the Administrative Arrangements Orders (AAOs) in place as at that date.⁴ Revised AAOs were made on 13 May 2025.⁵ Table 1.1 details the 27 entities⁶ included in this report.

Table 1.1: Entities included in this report, reflecting the AAOs in place at 31 March 2025

Source: Department of Finance, PGPA Act Flipchart and List, Finance, March 2025, available from https://www.finance.gov.au/government/managing-commonwealth-resources/structure-australian-government-public-sector/pgpa-act-flipchart-and-list [accessed 31 March 2025].

ANAO Financial Statements Audits

1.4 The Auditor-General Act 1997 establishes the mandate for the Auditor-General to undertake financial statement audits of all Australian Government entities.

1.5 The ANAO conducts its financial statements audits in four phases: planning, interim, final and completion. Figure 1.1 outlines the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

Source: ANAO data.

1.6 This report focuses on the results of the interim audit phase of 27 entities including an assessment of key internal controls supporting the preparation of 2024–25 financial statements. The assessment includes a review of the governance arrangements related to entities’ financial reporting responsibilities and the design and implementation of key internal controls relating to significant business processes.

Engagement Risk

1.7 The ANAO assesses engagement risk for each audited entity on an annual basis. Engagement risk includes the risks of material misstatement relating to a financial statements audit engagement, and other professional risks such as reputational and litigation risks. The determination of engagement risk provides a basis to assess whether additional quality management responses, in accordance with the Auditing Standards, are required.

1.8 Seven of the 27 entities included in this report have been assessed as having a high engagement risk for 2024–25 (2023–24: seven entities).

Key Areas of Financial Statements Risk

1.9 The ANAO’s risk assessment process identifies key areas that have the potential to materially impact an entity’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance audits and an understanding of the entity’s environment and governance arrangements, including its financial reporting regime and system of internal control.

1.10 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of an entity’s financial statements.

Audit Findings

1.11 Audit findings are raised in response to the identification of a potential business or financial risk posed to an entity. Weaknesses in internal controls increase the possibility that a material misstatement of an entity’s financial statements will not be prevented or detected in a timely manner. The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The rating scale is presented in Table 1.2.

Table 1.2: Findings rating scale

Source: ANAO reporting policy.

Background

2.1 The ANAO prepares two reports annually that provide insights at a point in time to the financial statements risks, governance arrangements and internal control frameworks of Commonwealth entities, drawing on information collected during our audits.

2.2 This report is the first of the two reports and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2024–25 financial statements audits. This report examines 27 entities, including: all departments of state; the Department of Parliamentary Services; and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the Australian Government Consolidated Financial Statements.

2.3 The assessments and the entity names, responsibilities and portfolio allocations used in this report reflect the Administrative Arrangements Orders (AAOs) in place as at 31 March 2025.⁷ Revised AAOs were made on 13 May 2025.⁸

2.4 Deficiencies identified during the interim audits that pose a significant or moderate risk to entities’ ability to prepare financial statements free from material misstatements are presented in this report. Entities’ actions that have fully or partially addressed a significant or moderate risk audit finding and other observations of good practices supporting the preparation of financial statements are also highlighted.

Snapshot

2.5 For the 27 entities included in this report, the ANAO has identified the following.

Figure 2.1: Key matters identified in this report

Source: ANAO analysis.

Audit findings

2.6 Audit findings are raised when the ANAO identifies business or financial risks affecting an entity. Often these risks arise from deficiencies within an entity’s internal control processes or frameworks.

2.7 Audit findings identified by the ANAO reflect the ANAO’s risk-based audit approach and are in response to an entity’s operating environment, which can change over time. The ANAO’s rating scale is presented in Chapter 1 at Table 1.3.

2.8 Figure 2.2 shows a summary of all significant, moderate, minor and legislative findings identified by the ANAO at the completion of the interim audit phase for the period 2020–21 to 2024–25. For the 2020–21 and 2021–22 reporting periods this covered 25 entities. The 2022–23, 2023–24 and 2024–25 reporting periods covers 27 entities. A total of 118 findings are being reported by the ANAO at the 2024–25 interim audit phase (2023–24: 93).

Figure 2.2: Aggregate audit findings 2020–21 to 2024–25

Source: Compilation of ANAO interim audit findings.

2.9 Figure 2.3 shows unresolved findings by category at the conclusion of the 2024–25 interim audit.

Figure 2.3: Percentage of audit findings by category at the completion of 2024–25 interim audits

Source: ANAO data.

Significant audit findings

2.10 Significant audit findings indicate issues that pose a significant business or financial management risk to the entity or are instances of significant non-compliance with legislation. This includes issues that could result in a material misstatement of the entity’s financial statements.

2.11 There were four unresolved significant audit findings at the conclusion of the 2024–25 interim audit phase for the entities included in this report (see Table 2.1). Details of these significant audit findings are included in Chapter 4.

Table 2.1: Unresolved significant audit findings

Source: ANAO data.

IT control environment

2.12 IT control environment findings continue to represent the highest proportion of all findings identified by the ANAO in financial statements audits. Findings related to the IT control environment represent 66 per cent of total findings identified during the completion of the 2024–25 interim audits.

2.13 IT control environment findings relate mostly to IT security. IT security is concerned with protecting an entity’s information assets from internal and external threats and includes controls to prevent or detect unauthorised access to systems, programs and data.

2.14 Further information on IT control environment findings and observations identified by the ANAO are included in Chapter 3.

Accounting and control of non-financial assets

2.15 Australian Government entities manage a unique suite of non-financial assets which includes the Australian Government’s holdings of land and buildings, plant, equipment and infrastructure, heritage and cultural assets, investment properties and intangibles.

2.16 The entities included in this report manage approximately 95 per cent ($285.1 billion)⁹ of the Australian Government’s non-financial assets, including specialised military equipment, water entitlements, communications, electricity and transport infrastructure, and computer software.

2.17 At the conclusion of the 2024–25 interim audits, the ANAO is observing that the management of non-financial assets is an emerging issue across the sector. Nine per cent of findings identified by the ANAO relate to the accounting and control of non-financial assets, reflecting the ANAO’s risk-based audit approach and response to an entity’s operating environment.

Unresolved findings

2.18 Unresolved audit findings are those findings that have been identified by the ANAO in previous audits and are yet to be resolved. When reporting an audit finding to an entity the ANAO details the implications, risk and recommendations to the entity for resolution.

2.19 Each audit finding reported is classified by the level of risk that may be posed to the entity, or the entity’s financial statements, if unaddressed. As a result, entities should take action to address unresolved audit findings, and the weakness in internal control identified, in a timely manner which is commensurate with the level of risk identified.

2.20 Seventy-eight per cent of audit findings (92 findings) reported at the 2024–25 interim phase were findings unresolved from prior audits.

2.21 Figure 2.4 provides an analysis of the period in which the 92 unresolved audit findings were first identified by ANAO. Of the unresolved findings three per cent were first identified in 2020–21, ten per cent in 2021–22, 26 per cent in 2022–23, and 61 per cent in 2023–24.

Figure 2.4: Number of unresolved audit findings by period first identified by the ANAO

Source: ANAO data.

Audit findings partially resolved, or the risk rating reduced

2.22 The ANAO may reassess the associated risk rating attributed to an audit finding when significant progress has been made to address the risks identified, and the reassessed risk rating better represents the overall risk to an entity.

2.23 During the 2024–25 interim audit, the ANAO reassessed eight significant or moderate audit findings by reducing the associated risk rating (see Table 2.2). One significant finding and five moderate findings were reassessed to minor findings. One significant finding was reassessed to a moderate finding, and another significant finding was reassessed and split into two moderate findings.

2.24 Eighteen minor audit findings were fully resolved. The ANAO considers audit findings to be resolved when entities effectively address the risks identified.

Table 2.2: Significant and moderate findings partially resolved, or the rating reduced

Source: ANAO 2024–25 interim audit results.

2.25 Details on audit findings for all entities included in this report is included in Chapter 4.

Other observations

2.26 Across the Australian Government sector, the ANAO continues to observe a maturing of financial reporting processes that support the effective preparation of annual financial statements. In particular:

• Effective audit committees support the preparation of reliable financial reports, the effective and efficient operation of internal controls and the follow-up of unresolved audit findings. Some audit committees are further supported by a sub-committee dedicated to risk, performance or financial statements.
• Comprehensive registers for issues, risks and legislative compliance support managing emerging risks and internal governance arrangements, including reporting to agency audit committees.
• Financial reporting position papers and workpapers that document management’s considerations and judgements, particularly for valuations and accounting estimates. These have been effective when consulted during the planning and interim audit phases.

Summary of results

3.1 The Information Technology (IT) control environment is an essential part of the performance and integrity of Australian Government entities. IT controls are important to maintain effective operation of the IT environment throughout each financial reporting period.

3.2 Findings related to the IT control environment have continued to represent the majority of audit findings in ANAO interim audits, with 77 total IT control findings in 2024–25 or 65 per cent of total findings. Figure 3.1 illustrates the trends in interim audit findings relating to entities’ overall IT control environments from 2020–21 to 2024–25.

Figure 3.1: IT control environment interim findings 2020–21 to 2024–25

Source: ANAO data.

3.3 In the 2024–25 interim audits, no significant findings were identified relating to the IT control environment. Prior year significant findings relating to Australian Taxation Office (ATO), Department of Defence, and Services Australia were downgraded during the 2024–25 interim audit phase following the ANAO’s assessment of the action taken by these entities to address the identified issues.

3.4 Twenty-one moderate findings relating to the IT control environment were reported in 2024–25. Consistent with previous years, the majority of control deficiencies identified related to IT security. Figure 3.2 provides an overview of the categorisation of moderate-level audit findings relating to the IT control environment, and key themes relating to IT security findings.

Figure 3.2: Categorisation of moderate-level 2024–25 interim audit findings for IT control environments

Source: ANAO data.

3.5 Table 3.1 lists all entities with moderate audit findings relating to the IT control environment at the conclusion of the 2024–25 interim audits. Further information as to the entities with moderate audit findings is provided in Chapter 4.

Table 3.1: Moderate IT control environment findings by entity as at interim 2024–25

Source: ANAO data.

3.6 Additionally, the 2024–25 interim audits saw an increase (of 17, or 44 per cent) in reported minor findings relating to the IT control environment compared to the 2023–24 interim audits. Figure 3.3 illustrates that, consistent with trends in moderate findings, the majority (64 per cent) of minor findings related to IT security. IT security findings also represented the most numerous category of minor findings.

Figure 3.3: Categorisation of minor-level 2024–25 interim audit findings for IT control environments

Source: ANAO data.

3.7 The operation of the majority of IT controls continued to support the preparation of financial statements that are free from material misstatement. Consistent with observations made by the ANAO in previous years, IT security continues to be an area requiring improvement, particularly in regard to monitoring and managing the risk of inappropriate access to systems and data.

Key Themes and Issues

3.8 In the 2024–25 interim audits, a number of key themes in findings were identified. Themes in common with prior audit cycles are:

1. IT Security and IT Change Management, discussed in paragraphs 3.11 and 3.19 respectively; and
2. Backup and recovery, which relates to entities’ ability to restore data and recover from critical incidents when needed. Backup and recovery findings were raised at a minor level for four entities, consistent with trends in 2023–24.

3.9 New themes identified in 2024–25 are:

1. IT Governance, discussed further in paragraph 3.22; and
2. Batch processing, which relates to controls around how large volumes of financial transactions are processed in scheduled tasks. Four batch processing findings were raised with two entities, regarding inappropriate access to the scheduling of batch jobs, and timely resolution of batch job errors.

3.10 Further information on entity findings is available in Chapter 4.

IT Security

3.11 IT security controls are primarily designed to protect entities’ assets from unauthorised access (both internal and external). In the context of financial statements audit, IT security controls considered relate to financially significant systems and data only.

3.12 At the conclusion of the 2024–25 interim audit phase 52 IT control environment findings (68 per cent) related to IT security. This represents an increase from 2023–24, primarily driven by additional minor findings. Significant findings reduced compared to the prior year, with a significant IT security finding at the Department of Defence (Defence) downgraded as a result of action taken by Defence including the reconciliation of data on terminated staff, internal audit activity and the implementation of new user access controls. An additional significant finding at Services Australia has been downgraded following Services Australia’s implementation of multiple initiatives, including updates to policies, testing to confirm adherence to policies, staff training, updates to disaster recovery plans and changes to governance committees.¹⁰

3.13 Figure 3.4 illustrates trends in IT security findings over the past five interim audit phases.

Figure 3.4: IT security interim findings 2020–21 to 2024–25

Source: ANAO data.

3.14 Moderate IT security interim findings were concentrated in six entities, shown in Table 3.2. Additional detail regarding findings for individual entities is provided in Chapter 4.

Table 3.2: Moderate IT security findings by entity as at interim 2024–25

Source: ANAO data.

Key Issues — IT security

3.15 Weaknesses in IT security controls have the potential to compromise an entity’s ability to maintain business operations and maintain the integrity and confidentiality of sensitive data. As entity environments grow more complex through the adoption of emerging technologies, effective IT security control frameworks will be critical to ensuring that IT control environments remain trustworthy and secure.

Safeguarding data from cyber threats

3.16 Within the Australian Government, the Protective Security Policy Framework (PSPF)¹¹ and Information Security Manual (ISM)¹² establish policy requirements and provide guidance on strategies to protect information and systems from evolving cyber threats.

3.17 The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help protect against cyber threats, with the strategies that ASD considers to be most effective referred to as the ‘Essential Eight’. The Essential Eight outlines a maturity framework for individual mitigation strategies, with requirements for entities at each maturity level. These requirements evolve over time in response to changes in the cyber threat landscape. The PSPF requires that non-corporate Commonwealth entities implement the Essential Eight mitigation strategies to the standard of Maturity Level Two, and that these entities conduct an annual self-assessment of their compliance with policy requirements.¹³

3.18 Figure 3.5 summarises self-reported compliance with Maturity Level Two of the Essential Eight mitigation strategies (as at October 2024). Self-assessed compliance increased across four strategies and four strategies saw decreases in the number of entities reporting the required maturity. Decreases in reported maturity can occur for a number of reasons, including changes in the entity environment, changes in the approach taken by entities to self-assess, and changes in the maturity level requirements.¹⁴

Figure 3.5: Reported compliance with Essential Eight mitigation strategies for the period 2021–22 to 2024–25

Source: ANAO analysis of entity self-assessment.

3.19 Of the 22 entities that are required to comply, five (23 per cent) reported full compliance across all Essential Eight Mitigation Strategies. Of the 17 entities (77 per cent) that did not report full compliance across all Essential Eight mitigation strategies, 15 were lead security entities. A lead security entity supports portfolio entities to achieve and maintain protective security through advice and guidance on government security.¹⁵ Three lead security entities reported full compliance across all Essential Eight Mitigation Strategies.

IT Change Management

3.20 IT change management refers to how entities assure themselves that changes to key systems are tested and authorised. Change management has been a continuing theme from previous audit cycles, with 12 findings observed in the 2024–25 interim audits and 10 findings observed in 2023–24, including a significant finding relating to the ATO. Figure 3.6 illustrates trends in change management findings across recent audit cycles.

Figure 3.6: IT change management interim findings 2020–21 to 2024–25

Source: ANAO data.

3.21 In 2024–25, the ATO’s significant finding was downgraded to two moderate findings, following a strengthening of relevant controls and partial implementation of automated deployment tools. Table 3.3 shows those entities with moderate findings relating to change management at the conclusion of the 2024–25 interim audits.

Table 3.3: Moderate IT change management findings by entity as at interim 2024–25

Source: ANAO data.

Key Issues — IT Change Management

3.22 Effective change management controls maintain the integrity of key IT systems. In the absence of an effective change management framework, untested and unauthorised changes may be made to key business systems, limiting the ability to senior management to assure themselves that these systems are operating as intended.

IT Governance

3.23 IT governance concerns the processes by which entities ensure their IT operations are aligned with business objectives. In 2024–25, the ANAO raised seven findings (two moderate, five minor) related to IT governance. Those entities receiving moderate findings are listed in Table 3.4 below.

Table 3.4: Moderate IT governance findings by entity as at interim 2024–25

Source: ANAO data.

3.24 Of these seven findings, six related to the processes by which entities assured themselves of the effectiveness of the controls of third-party IT services on which they rely. Increasingly, entities are relying on services such as cloud environments to support their operations, and in these instances third parties may provide reports that attest to the integrity of their cyber security and other controls. The six entities with findings were found to have received these reports but not adequately reviewed them or otherwise sought appropriate assurance. Accordingly, there was a risk that had those third-parties advised of control deficiencies that might have impacted the relevant entities, those entities would have remained unaware.

Key Issues — IT Governance

3.25 When the provision of digital services is outsourced to external providers, accountability for the good or service and associated delivery outcomes (including managing security risks) remains with the entity. As entities incorporate increasingly advanced emerging technologies into their operations and leverage a variety of delivery models to optimise costs, the importance of effective governance and oversight arrangements becomes increasingly critical in ensuring the integrity of IT operations.

4.1 Department of Agriculture, Forestry and Fisheries

4.1.1 The Department of Agriculture, Forestry and Fisheries (DAFF) is responsible for developing and implementing policies and initiatives to promote more sustainable, productive, internationally competitive and profitable Australian agricultural, food and fibre industries; safeguarding Australia’s animal and plant health status to maintain overseas markets and protect the economy and environment from exotic pests and diseases.

Engagement risk rating

4.1.2 The engagement risk for DAFF’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• multiple pieces of legislation governing DAFF’s import and export functions, affecting DAFF’s departmental revenue;
• the self-assessment regime for administered levies collected from primary producers and agents; and
• judgement required by management to determine significant financial statements balances.

Interim audit results

4.1.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that pose a significant or moderate business or financial risk to DAFF. Two minor findings were identified.

Key financial balances and areas of financial statements risk

4.1.4 Figures 4.1.1 and 4.1.2 show the key financial statements items reported by DAFF and the key areas of financial statements risk.

Figure 4.1.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DAFF’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.1.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DAFF’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.1.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DAFF will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.2 Attorney-General’s Department

4.2.1 The Attorney-General’s Department (AGD) supports the Attorney-General through the provision of expert advice and services on a range of law, justice, integrity, and national security issues.¹⁶

Engagement risk rating

4.2.2 The engagement risk for AGD’s 2024–25 financial statements audit has been assessed as low. Key factors contributing to this rating include:

• no significant changes to the structure and operations of AGD; and
• low complexity of transactions and balances in AGD’s financial statements.

Interim audit results

4.2.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to AGD. One minor finding was identified.

Key financial balances and areas of financial statements risk

4.2.4 Figures 4.2.1 and 4.2.2 show the key financial statements items reported by AGD and the key areas of financial statements risk.

Figure 4.2.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and AGD’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.2.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and AGD’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.2.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.3 Department of Climate Change, Energy, the Environment and Water

4.3.1 The Department of Climate Change, Energy, the Environment and Water (DCCEEW) is responsible for developing and implementing policies and initiatives to protect Australia’s environment, biodiversity and heritage; helping Australia respond to and address climate change; and managing Australia’s water and energy resources.

Engagement risk rating

4.3.2 The engagement risk for DCCEEW’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• DCCEEW’s broad strategic direction across several diverse functions that have a high level of public interest and Parliamentary scrutiny;
• the complexity of some financial statements balances which require increased management judgement, are reliant on external advice, and impact the Australian Government’s consolidated financial statements;
• shared services arrangements with other Commonwealth entities that support key financial statements balances; and
• a financial reporting function, internal control environment and governance arrangements that have matured since DCCEEW was established on 1 July 2022.

Interim audit results

4.3.3 At the 2024–25 interim audit phase, one finding that poses a moderate business or financial risk to DCCEEW and three minor findings remain unresolved.

4.3.4 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by DCCEEW to address the weaknesses identified.

Audit findings

Table 4.3.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit finding

TechOne privileged user activity monitoring

4.3.5 Maintaining and supporting IT systems requires some user accounts, both at the network and the application level, to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others.

4.3.6 During the 2023–24 interim audit, the ANAO identified weaknesses in the effectiveness of DCCEEW’s monitoring of privileged user activities within the TechOne Financial Management Information System (FMIS).

4.3.7 The ANAO recommended that DCCEEW update the privileged user access monitoring policy to regularise these reviews, including the requirement to retain evidence to support that the reviews had been appropriately undertaken in accordance with the policy.

4.3.8 During the 2024–25 interim audit, the ANAO confirmed that DCCEEW is working with TechOne to develop reporting on privileged users to address this recommendation. Once reporting is developed, DCCEEW has advised the ANAO that it will formalise a privileged user monitoring policy.

4.3.9 The ANAO will continue to assess progress against this audit finding and consider ongoing implications to the financial statements as DCCEEW continues to progress addressing this audit finding.

Key financial balances and areas of financial statements risk

4.3.10 Figures 4.3.1 and 4.3.2 below show the key financial statements items reported by DCCEEW and the key areas of financial statements risk.

Figure 4.3.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DCCEEW’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.3.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DCCEWW’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.3.11 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DCCEEW will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.4 Snowy Hydro Limited

4.4.1 Snowy Hydro Limited (Snowy Hydro) is a government business enterprise responsible for energy generation activities to supply the National Electricity Market as well as operating as a retail energy provider through the Red Energy and Lumo Energy brands.

Engagement risk rating

4.4.2 The engagement risk for Snowy Hydro’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the value of and complexity of delivery of the long-term infrastructure developments relating to the Snowy 2.0 and Hunter Power projects;
• Snowy Hydro’s dynamic and complex operating and regulatory environment and level of competition for customers for the supply of electricity; and
• the complexity of and judgement required in determining the fair value of the energy derivatives portfolio.

Interim audit results

4.4.3 At the 2024–25 interim audit phase, one finding that poses a moderate business or financial risk to Snowy Hydro remains unresolved.

4.4.4 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by Snowy Hydro to address the weaknesses identified.

Audit findings

Table 4.4.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit finding

IT general controls for the financial management information system

4.4.5 Snowy Hydro’s financial management information system (FMIS) is provided under a cloud computing arrangement. Snowy Hydro’s service provider is largely responsible under contract for system administration activities, including designing and implementing appropriate IT general controls supporting user access management, including for privileged users, and change management processes. Under the terms of the contract, the service provider is required to provide assurance to Snowy Hydro, via a Service Organisation Control (SOC) report prepared by an independent auditor, that these controls are designed, implemented and operating effectively.

4.4.6 In 2023–24, the service provider provided a qualified SOC report which identified several weaknesses in the operating effectiveness of IT general controls for the FMIS, particularly in relation to the timely termination and monitoring of user access, including privileged users. Inadequate security measures for timely removal of user access increases the risk of unauthorised access to sensitive information. Additionally, Snowy Hydro did not have a formalised process to review and respond to the SOC report in a timely manner.

4.4.7 The ANAO recommended that Snowy Hydro establish a formal control for the periodic review of SOC reports from all critical service providers and perform mitigating procedures over any deficiencies noted.

4.4.8 At the time of preparing this report, the interim audit of Snowy Hydro was in progress. The ANAO will assess progress against the risks identified at the 2024–25 final audit.

Key financial balances and areas of financial statements risk

4.4.9 Figure 4.4.1 below shows the key financial statements items reported by Snowy Hydro and the key areas of financial statements risk.

Figure 4.4.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and Snowy Hydro’s 2023–24 audited financial statements.

Conclusion

4.4.10 At the interim audit phase, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Snowy Hydro will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.5 Department of Defence

4.5.1 The Department of Defence (Defence) is responsible for protecting and advancing Australia’s strategic interests through the promotion of security and stability, the provision of military capabilities to defend Australia and its national interests, and the provision of support for the Australian community and civilian authorities as directed by the Australian Government.

Engagement risk rating

4.5.2 The engagement risk for Defence’s 2024–25 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• the nature, scale and complexity of Defence’s operations and strategic environment;
• a high level of public interest and Parliamentary scrutiny of Defence’s activities;
• the complexity and uniqueness of some financial statements balances, such as specialist military equipment (SME), that require increased management judgement and are subject to high levels of estimation uncertainty;
• the implementation of an Enterprise Resource Planning (ERP) system replacing the functionality of numerous Defence IT systems.

Interim audit results

4.5.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that pose a significant or moderate business or financial risk to Defence. One previously reported audit finding posing a significant business or financial risk was downgraded to a minor audit finding during the ANAO’s 2024–25 interim audit.

Audit findings

Table 4.5.1: Status of audit findings raised by the ANAO

Note a: The significant audit finding relating to the removal of system access for Defence personnel and contractors was identified during the 2021–22 audit. The audit finding has been reclassified to a minor audit finding.

Source: ANAO 2024–25 interim audit results.

Resolved significant audit finding

Removal of system access for Defence personnel and contractors

4.5.4 During previous financial statements audits, the ANAO identified weaknesses in Defence’s IT control environment which resulted in former Defence employees and contractors retaining access to Defence’s ICT systems after their exit from Defence.

4.5.5 The absence of effective of controls over the removal or monitoring of user access post-termination increases the risk of inappropriate activity occurring in systems that have significant and sensitive data holdings.

4.5.6 In response to this audit finding, Defence established a dedicated project team, developed a user data reconciliation environment and engaged internal audit to address the risks identified by the ANAO. The ANAO undertook additional audit procedures to verify the design, implementation and operating effectiveness of those procedures and has assessed that Defence has addressed the ANAO’s recommendation regarding the termination of systems access for former employees and contractors.

4.5.7 The audit finding was downgraded to a minor audit finding as Defence implements further procedures to strengthen the management of user access to key systems, specifically, the implementation of role-based position access.

4.5.8 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by Defence to address the audit finding.

Key financial balances and areas of financial statements risk

4.5.9 Figures 4.5.1 and 4.5.2 show the key financial statements items reported by Defence and the key areas of financial statements risk.

Figure 4.5.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Defence’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Figure 4.5.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Defence’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Conclusion

4.5.10 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Defence will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.6 Department of Veterans’ Affairs

4.6.1 The Department of Veterans’ Affairs (DVA) is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986; the administration of benefits and arrangements under the Military Rehabilitation and Compensation Act 2004; determining and managing claims relating to defence service under the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988; administering the Defence Service Homes Act 1918, the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

Engagement risk rating

4.6.2 The engagement risk for DVA’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of personal benefit and healthcare claims, the IT systems used to process these claims, and the associated legislation which is administered by DVA;
• the significance of the backlog of claims and the changes to claims processing at DVA as a result of the Royal Commission into Defence and Veteran suicide; and
• the complexity of the calculation of key financial balances including the provision for military compensation.

Interim audit results

4.6.3 At the 2024–25 interim audit phase, five findings posing a moderate business or financial risk to DVA and five minor findings remain unresolved. One minor finding was resolved.

4.6.4 The ANAO will focus on the action taken by DVA in response to these findings as part of the 2024–25 final audit.

Audit findings

Table 4.6.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit findings

Security Governance — Monitoring Implementation of Controls

4.6.5 During previous financial statements audits, the ANAO identified that DVA’s information technology governance and monitoring processes were not fully effective to address identified business risks. The ANAO recommended an effective governance and assurance framework be developed over security governance to ensure controls were implemented and operating effectively.

4.6.6 During 2023–24, DVA advised the ANAO that it is planning to implement an assurance framework that addresses IT governance encompassing DVA’s own and outsourced arrangements. The assurance framework will set out the cadence of reporting on the effectiveness of IT controls to the DVA Security Committee. This assurance framework is expected to be finalised and presented to the DVA Security Committee for endorsement in 2025–26.

Process Direct security risk management

4.6.7 In previous audits, the ANAO identified weaknesses relating to the management of security risks as part of an upgrade to the claims processing ICT system Process Direct, implemented in November 2020.

4.6.8 DVA affirmed that the accreditation of Process Direct was finalised in August 2021 and all required security documentation developed. The ANAO’s inspection of the accreditation documents, including the Process Direct System Security Plan, identified that two of the three self-identified risks remained untreated. DVA acknowledged that the untreated risks were accepted when the interim approval to operate was issued.

4.6.9 During 2023–24, DVA approved an updated Interim Authority to Operate for Process Direct which included a risk assessment and a targeted risk remediation plan. The risk assessment highlighted three unmitigated high risks relating to Process Direct. During the 2024–25 interim audit, the ANAO noted that remediation work had been completed for two of the three risks, and that DVA is in the process of remediating the final unmitigated risk.

Monitoring of Privileged Activity, Process Direct & ISH

4.6.10 Process Direct and ISH are ICT systems utilised by DVA for processing claims. The ANAO identified weaknesses in DVA’s monitoring of privileged user activity for both systems and raised individual findings for each.

4.6.11 Users with administrative privileges, commonly referred to as privileged users, are able to make significant changes to IT systems’ configuration and operation, bypass critical security settings and access sensitive information. To reduce the risks associated with this access, the Information Security Manual requires that privileged user access be appropriately restricted and when provided, that the access is logged, regularly reviewed and monitored.

4.6.12 DVA was not able to demonstrate activities performed to monitor privileged user transactions or activities in the Process Direct & ISH claim processing IT systems. DVA advised the ANAO that the entity relied on the activities undertaken by Services Australia under the Shared Services Agreement which exists between the two entities. While Services Australia produces a report on user activity which covers all IT platforms (including Process Direct and ISH) and provides the report to DVA, Services Australia does not undertake any monitoring activities on DVA’s behalf.

4.6.13 The ANAO recommended that DVA implement a process to monitor the activities of privileged users in Process Direct and ISH. DVA are working with Services Australia to develop an appropriate monitoring process.

Bank reconciliations — identification of reconciling items — relating to DVA’s cash management processes

4.6.14 During the 2023–24 interim audit, the ANAO raised a minor finding on bank reconciliations due to the process not being able to identify reconciling amounts on a timely basis. During the 2023–24 final audit, the weaknesses identified by the ANAO had not been rectified. The ANAO’s review of the 30 June 2024 bank reconciliation performed by DVA identified $714.5 million in unpresented payments and $586.7 million in un-receipted deposits.

4.6.15 The ANAO’s analysis of these reconciling amounts identified a $64.2 million adjustment required to the balance of cash and cash equivalents reported by DVA at 30 June 2024. This adjustment was due to a timing difference, which would have otherwise been identified by DVA if the weaknesses identified by the ANAO relating to bank reconciliations and reconciling items were addressed by DVA as recommended.

4.6.16 During the 2024–25 interim audit, the ANAO noted that DVA had undertaken procedures to remediate the risks identified by the ANAO, including the preparation of quarterly bank reconciliations and the provision of an audit finding closure pack to the ANAO. The ANAO will assess the design, implementation and operating effectiveness of those procedures during the 2024–25 final audit phase.

Key financial balances and areas of financial statements risk

4.6.17 Figures 4.6.1 and 4.6.2 show the key financial statements items reported by DVA and the key areas of financial statements risk.

Figure 4.6.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DVA’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Figure 4.6.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DVA’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Conclusion

4.6.18 At the completion of the interim audit, the ANAO has reported several areas where improvements are required. These audit findings reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement.

4.6.19 Action against the audit findings identified will be assessed by the ANAO, in conjunction with additional audit procedures, during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.7 Department of Education

4.7.1 The Department of Education (Education) contributes to Australia’s economic prosperity and social wellbeing by creating opportunities and driving better outcomes through access to quality education. Investment in early childhood, schools, youth and higher education creates the foundation for a resilient and equitable society. The department aims to deliver an education system that is inclusive, accessible, and affordable for all Australians.

Engagement risk rating

4.7.2 The engagement risk for Education’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• Education’s role in administering programs across Australia’s education system, including the Higher Education Loan Program (HELP) and the Higher Education Superannuation Program (HESP);
• a complex IT environment used for making payments to schools, universities, and other education providers; and
• the complexity of some financial statements balances, such as the valuation of loans under HELP, and valuation of the HESP provision, that require management judgement and involve estimation uncertainty.

Interim audit results

4.7.3 At the interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to Education. One minor finding was identified, and one minor finding was resolved.

Key financial balances and areas of financial statements risk

4.7.4 Figures 4.7.1 and 4.7.2 below show the key financial statements items reported by Education and the key areas of financial statements risk.

Figure 4.7.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Education’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.7.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Education’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.7.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Education will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.8 Department of Employment and Workplace Relations

4.8.1 The Department of Employment and Workplace Relations (DEWR) is responsible for ensuring Australians can experience the social wellbeing and economic benefits that training, and employment provide. DEWR is also responsible for workplace relations and work health and safety, rehabilitation and compensation.

Engagement risk rating

4.8.2 The engagement risk for DEWR’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• DEWR’s administration and regulation of a complex legislative framework that underpins various significant payments; and
• financial statements balances, such as the valuation of the Vocational Student Loans, and Australian Apprenticeship Support Loans, which require significant management judgement and are subject to estimation uncertainty.

Interim audit results

4.8.3 At the 2024–25 interim audit phase, one audit finding that poses a moderate business or financial risk to DEWR has been identified and two minor findings remain unresolved.

4.8.4 The ANAO will focus on the action taken by DEWR in response to these findings as part of the 2024–25 final audit.

Audit findings

Table 4.8.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

New moderate audit finding

Governance of legal and other matters

4.8.5 During the 2023–24 audit, the ANAO made requests for information relating to known or suspected instances of non-compliance with laws and regulations including legal matters, whose effects should be considered in the preparation of DEWR’s financial statements.

4.8.6 DEWR’s 2023–24 Management Assurance Certificate survey included a question on legislative non-compliance. DEWR reported to its Accountable Authority and its Audit and Risk Committee that there were no significant matters identified from the results of the 2023–24 Management Assurance Certificate survey.

4.8.7 On 26 February 2025, the Secretary advised the Senate Education and Employment Committee and published on DEWR’s website, details of decisions made under the Social Security Administration Act 1999, which may not have been valid. Around the same time DEWR advised the ANAO of the matter. The Social Security Administration Act 1999, in so far as it relates to mutual obligations requirements and compliance for some social security payments, are administered by DEWR. The Secretary explained IT systems and decision-making processes were not operating in alignment with the legal framework.

4.8.8 Across the legal and business areas of DEWR, SES officials were aware of the potential legislative validity issues at the time of the Accountable Authority and Chief Financial Officer signing the financial statements and written representations. However, there was no documented consideration of this matter through the Management Assurance Certificate survey, nor communication to the ANAO in response to enquiries made.

4.8.9 As the responses in the 2023–24 Management Assurance Certificate were incomplete, there is a risk that legal and other matters are not sufficiently considered for financial reporting purposes, including supporting the written representations made by the Accountable Authority and Chief Financial Officer for the financial statements audit.

4.8.10 The ANAO recommends that DEWR should reinforce the importance of the centralised Management Assurance Certificate process and SES officers’ responsibilities in terms of reporting complete and accurate financial information, effectiveness of existing controls, and identification of any legal and financial non-compliance. The results of the Management Assurance Certificate survey should support timely communication of any potential or systemic legal matters. This includes responding to the ANAO’s enquiries and supporting the written representations signed as part of the preparation of the annual financial statements.

Key financial balances and areas of financial statements risk

4.8.11 Figures 4.8.1 and 4.8.2 show the key financial statements items reported by DEWR and the key areas of financial statements risk.

Figure 4.8.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DEWR’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.8.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DEWR’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.8.12 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DEWR will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.9 Department of Finance

4.9.1 The Department of Finance (Finance) is responsible for supporting the government’s budget process and oversight of public sector resource management, and for governance and accountability frameworks, as well as the production of the Australian Government’s consolidated financial statements. Financial also provides shared services through the Service Delivery Office.

Engagement risk rating

4.9.2 The engagement risk for Finance’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of some financial statements balances which require increased management judgement and involve estimation uncertainty; and
• the significance of Finance’s administered financial statements to the Australian Government’s consolidated financial statements.

Interim audit results

4.9.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that pose a significant or moderate business or financial risk to Finance. One minor finding remains unresolved.

Key financial balances and areas of financial statements risk

4.9.4 Figures 4.9.1 and 4.9.2 below show the key financial statements items reported by Finance and the key areas of financial statements risk.

Figure 4.9.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Finance’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.9.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Finance’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.9.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.10 Future Fund Management Agency

4.10.1 The Future Fund Board of Guardians, supported by the Future Fund Management Agency (together the Future Fund), is responsible for investing the assets of the Future Fund under the Future Fund Act 2006, and other investment funds, managed on behalf of the Department of Finance.

Engagement risk rating

4.10.2 The engagement risk for the Future Fund’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• significant judgements required by management to value the investments of the Future Fund for financial reporting purposes, which are subject to estimation uncertainty;
• the significance of the Future Fund’s investment portfolio to the Australian Government’s financial position; and
• the reliance on external parties, particularly the valuation undertaken by the investment custodian.

Interim audit results

4.10.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to the Future Fund.

Key financial balances and areas of financial statements risk

4.10.4 Figures 4.10.1 and 4.10.2 below show the key financial statements items reported by the Future Fund and the key areas of financial statements risk.

Figure 4.10.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s 2024–25 Portfolio Budget Statements.

Figure 4.10.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s 2024–25 Portfolio Budget Statements.

Conclusion

4.10.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the Future Fund will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.11 Department of Foreign Affairs and Trade

4.11.1 The Department of Foreign Affairs and Trade (DFAT) is responsible for the administration of Australia’s foreign, trade, international development and international security policies.

Engagement risk rating

4.11.2 The engagement risk for DFAT’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of DFAT’s business operations arising from a decentralised control framework;
• the degree of professional judgement and estimation required to determine the fair value of land and buildings recognised in the financial statements; and
• the degree of reliance on third parties for the provision of services associated with the delivery and maintenance of the overseas property portfolio and provision of international development assistance.

Interim audit results

4.11.3 At the 2024-25 interim audit phase, one finding that poses a moderate business or financial risk to DFAT and one minor finding remain unresolved. One minor finding was identified.

4.11.4 During the 2024-25 final audit the ANAO will undertake further procedures and assess action taken by DFAT to address the weaknesses identified.

Audit findings

Table 4.11.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit finding

Governance over compliance with corporate policies

4.11.5 DFAT’s operations are highly decentralised, where development and management of corporate policies typically rests with a centralised team, while accountability for the application of the respective corporate policies is dispersed widely across DFAT, including the international post network.

4.11.6 During the 2023–24 audit, the ANAO identified a number of instances of non-compliance with corporate policies across a range of corporate functions, including procurement, human resources, monitoring of gifts and benefits and administration of international development assistance. The breadth, nature and number of instances of non-compliance with corporate policies indicate that there is a systemic breakdown in the control environment within DFAT to effectively monitor compliance with corporate policies and to drive improvements in compliance rates over time.

4.11.7 At the time of the 2024–25 interim audit, DFAT was working on implementing measures in response to the risks identified. This includes initiatives to enhance DFAT’s compliance culture.

4.11.8 The ANAO will assess progress against the risks identified as part of the 2024–25 final audit.

3.26 Key financial balances and areas of financial statements risk

4.11.9 Figures 4.11.1 and 4.11.2 below show the key financial statements items reported by DFAT and the key areas of financial statements risk.

Figure 4.11.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DFAT’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Figure 4.11.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DFAT’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Conclusion

4.11.10 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.12 Department of Health and Aged Care

4.12.1 The Department of Health and Aged Care (DoHAC) is responsible for achieving the Australian Government’s health and ageing policy priorities through evidence-based policy, program administration, research, regulatory activities, and partnerships with other government entities, consumers and stakeholders.¹⁷

Engagement risk rating

4.12.2 The engagement risk for DoHAC’s 2024–25 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• the complexity of the environment in which DoHAC operates, with a public health system jointly administered by the Australian Government, and state and territory governments;
• the broad range and complex environment in which health and aged care is regulated;
• the diversity and complexity of programs administered by DoHAC; and
• the high number of enterprise level risks that have implications on the financial statements.

Interim audit results

4.12.3 At the 2024–25 interim audit phase, one audit finding that poses a moderate business or financial risk to DoHAC was identified. One audit finding that poses a significant business or financial risk to DoHAC remains unresolved. Three moderate audit findings were reduced to minor audit findings, and six minor audit findings remain unresolved.

4.12.4 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by DoHAC to address the weaknesses identified.

Audit findings

Table 4.12.1: Status of audit findings raised by the ANAO

Note a: The moderate audit issues relating to ‘Inventory management’, ‘Compliance activities over PBS advanced payments’ and ‘Asset management’ has been downgraded to minor audit findings.

Source: ANAO 2024–25 interim audit results.

Unresolved significant audit finding

Legal conformance

4.12.5 During the 2023–24 audit, the ANAO reviewed the risk assessments performed by DoHAC over its Administered legislation. DoHAC did not have a centralised process to assess whether the risk assessments were consistently undertaken.

4.12.6 The ANAO was advised that program areas are responsible for undertaking the risk assessment for their administered legislation in accordance with DoHAC’s risk management framework. The program areas rated their legislation in different ways.

4.12.7 Legislation that was associated with breaches of section 83 of the Constitution was not assessed as high risk, despite known legislative compliance issues.

4.12.8 Legislation which had given rise to potential non-compliance identified during the 2023–24 financial year has not been assessed as high risk and therefore DoHAC had not undertaken further work to ensure payments to recipients are compliant with legislative requirements.

4.12.9 While designed to provide better governance of legislative compliance risk, processes established by DoHAC are not operating as intended as evidenced by the number of legal issues affecting the timely completion and finalisation of the 2023–24 financial statement process. This increases the risk of a material misstatement in the financial statements.

4.12.10 During the 2024–25 interim audit, the ANAO identified that guidance on legal conformance and risk assessments which were developed in 2023–24 has been updated to incorporate lessons learned, and to improve consistency of risk assessments across program areas.

4.12.11 The ANAO will continue to assess progress against this audit finding during the 2024–25 final audit.

New moderate audit finding

Network Terminations

4.12.12 User access management is fundamental to the effective operation of IT systems. Revoking user access to a system in a timely manner is necessary to ensure that all access to IT systems is authorised.

4.12.13 The ANAO identified that the DoHAC does not have sufficient controls in place to identify and perform timely investigations over access by users post cessation of their employment or contract. This lack of an effective monitoring process reduces DoHAC’s ability to rely on the system and underlying data.

4.12.14 The ANAO recommends implementation of an effective post termination monitoring process that identifies post termination access, investigates users’ activities and rectifies/mitigates the associated risk with these activities. This process should be documented, performed consistently, and include a reporting mechanism so that management is aware of any risks identified.

Key financial statements items and areas of financial statements risk

4.12.15 Figures 4.12.1 and 4.12.2 below show the key financial statements items reported by DoHAC and the key areas of financial statements risk.

Figure 4.12.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DoHAC’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Figure 4.12.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DoHAC’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Conclusion

4.12.16 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DoHAC will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.13 Department of Home Affairs

4.13.1 The Department of Home Affairs (Home Affairs) coordinates policy and operations for Australia’s national and transport security, cyber security, immigration, border security, multicultural affairs, counter-terrorism and customs-related functions.¹⁸

Engagement risk rating

4.13.2 The engagement risk for Home Affairs’ 2024–25 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• the nature of Home Affairs’ geographically dispersed operating environment, including the management of people and goods across Australia’s borders;
• the management of high value contracts and payments for service delivery, including detention centres and regional processing centres, and the development and construction of IT and other assets; and
• the high value of customs revenue collected, and the reliance on IT systems in the collection of revenue, and management of programs.

Interim audit results

4.13.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that pose a significant or moderate business or financial risk to Home Affairs. One moderate finding was revised to a minor finding, and one minor finding remains unresolved.

Key areas of financial statements risk

4.13.4 Figures 4.13.1 and 4.13.2 below show the key financial statements items reported by Home Affairs and the key areas of financial statements risk.

Figure 4.13.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Home Affair’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.13.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Home Affair’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.13.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.14 Department of Industry, Science and Resources

4.14.1 The Department of Industry, Science and Resources (Industry) is responsible for supporting a productive, resilient, and sustainable economy that is enriched by science and technology. It does this by growing innovative and competitive businesses, industries and regions, and supporting a strong resources sector.

Engagement risk rating

4.14.2 The engagement risk for Industry’s 2024–25 financial statements has been assessed as moderate. Key factors contributing to this rating include:

• the size and complexity of Industry’s operations;
• a mature financial reporting function, internal control environment and governance arrangements; and
• the complexity of some financial statement balances, such as the Ranger Rehabilitation and the Northern Endeavour Decommissioning provisions, that require management judgement and involve estimation uncertainty.

Interim audit results

4.14.3 At the 2024–25 interim audit phase, one finding that poses a moderate business or financial risk to Industry and two minor findings remain unresolved.

4.14.4 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by Industry to address the weaknesses identified.

Audit findings

Table 4.14.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit finding

Management of Work-in-Progress

4.14.5 In accordance with AASB 116 Property, Plant and Equipment, Industry capitalises costs if they are of a capital nature and records them in a Work-In-Progress account in the general ledger. Where costs on projects do not meet the criteria for capitalisation these are expensed in the year incurred as an operating expense. At the completion of a project, the asset is commissioned and depreciated in line with the asset’s useful life.

4.14.6 During the 2023–24 audit, the ANAO identified transactions that had been capitalised which did not meet the criteria for capitalisation. Further, the ANAO identified assets that were in-use, but not commissioned until a later date, and so depreciation had not occurred in-line with the asset’s useful life.

4.14.7 During the 2024–25 interim audit, the ANAO identified instances where the approval to capitalise costs had not been documented, and instances of misclassification where operating expenses have been treated as a capital expenditure.

4.14.8 Industry has engaged subject matter experts to support remediation of this finding and the ANAO will assess Industry’s response to the finding as part of the 2024–25 final audit.

Key financial balances and areas of financial statements risk

4.14.9 Figures 4.14.1 and 4.14.2 below show the key financial statements items reported by Industry and the key areas of financial statements risk.

Figure 4.14.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Industry’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Figure 4.14.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Industry’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Conclusion

4.14.10 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Industry will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.15 Department of Infrastructure, Transport, Regional Development, Communications and the Arts

4.15.1 The Department of Infrastructure, Transport, Regional Development, Communications and the Arts (Infrastructure) is responsible for improving infrastructure across Australia through funding coordination of transport and other infrastructure; providing an efficient, sustainable, competitive and safe transport system for all transport users; strengthening the sustainability, capacity and diversity of regional economies; providing advice on population policy; implementing the national policy on cities; and promoting an innovative and competitive communications sector.

4.15.2 Infrastructure also promotes participation in and access to Australia’s arts and culture through developing and supporting cultural expression and supports governance arrangements in the Australian territories.¹⁹

Engagement risk rating

4.15.3 The engagement risk for Infrastructure’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of some financial statements balances, such as the valuation of the Australian Government’s investments in NBN Co Limited, WSA Co Limited and Australian Postal Corporation, which require increased management judgement and are subject to estimation uncertainty; and
• the administration of grant programs and subsidies across a range of outcomes, representing a significant portion of Infrastructure’s administered expenditure.

Audit findings

4.15.4 At the 2024–25 interim audit phase, one audit finding that poses a moderate business or financial risk to Infrastructure remains unresolved.

4.15.5 The ANAO will focus on the action taken by Infrastructure in response to this finding as part of the 2024–25 final audit.

Table 4.15.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit findings

Asset Management — relating to Infrastructure’s accounting and control of non-financial assets.

4.15.6 Infrastructure administers a high number of non-financial assets, across the Australian mainland and Australian external territories. During the 2023–24 financial statements audit, the ANAO identified weaknesses in Infrastructure’s management of non-financial assets, including:

• an absence of adequate controls surrounding the stocktake of non-financial assets;
• an inability to identify some assets via physical inspection due to level of information recorded in the asset register;
• projects which were recorded as under construction, however on review, the ANAO noted that they had been completed or were in use and should have transferred to the asset register and commenced depreciation;
• assets with indicators of impairment that had not been assessed for impairment; and
• Infrastructure’s inconsistent application of its internal asset management policy.

4.15.7 The weaknesses identified by the ANAO indicate that there is an increased risk that non-financial asset balances in the financial statements are not complete or accurate. The ANAO recommended Infrastructure review and update its existing Asset Accounting Policy to address the issues.

4.15.8 During the 2024–25 interim audit, the ANAO reviewed Infrastructure’s stocktake plan and noted improvements in the design of controls over the stocktake process for 2024–25. During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by Infrastructure to address the weaknesses identified.

Key financial balances and areas of financial statements risk

4.15.9 Figures 4.15.1 and 4.15.2 below show the key financial statements items reported by Infrastructure and the key areas of financial statements risk.

Figure 4.15.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.15.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.15.10 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Infrastructure will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.16 Australian Postal Corporation

4.16.1 The Australian Postal Corporation (Australia Post) is a Government Business Enterprise incorporated under the Australian Postal Corporation Act 1989. Australia Post is responsible for supplying postal services to Australia, including the distribution of letters and parcels in Australia and internationally.

Engagement risk rating

4.16.2 The engagement risk for the 2024–25 financial statements has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of Australia Post’s operations and ongoing reform agenda;
• various revenue streams, and the significance of own-source revenue to Australia Post’s operating result.

Interim audit results

4.16.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that pose a significant or moderate business or financial risk to Australia Post. Three minor audit findings were resolved during the 2024–25 interim audit.

Key financial balances and areas of financial statements risk

4.16.4 Figure 4.16.1 below shows the key financial statements items reported by Australia Post and the key areas of financial statements risk.

Figure 4.16.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and Australia Post’s 2023–24 audited financial statements.

Conclusion

4.16.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.17 NBN Co Limited

4.17.1 NBN Co Limited (NBN Co) is a Government Business Enterprise incorporated under the Corporations Act 2001. The primary objective of NBN Co is to provide wholesale services to internet service providers.

Engagement risk rating

4.17.2 The engagement risk for NBN Co’s 2024–25 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• NBN Co’s financial position as a highly leveraged organisation with exposure to external debt markets;
• the regulated nature of the industry in which NBN Co operates; and
• ongoing network upgrades, and the risk of technological change to NBN Co’s business.

Interim audit results

4.17.3 At the interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to NBN Co. One moderate finding relating to terminated user access was reduced to a minor finding, four minor findings were identified, and three minor findings were resolved.

Audit findings

Table 4.17.1: Status of audit findings raised by the ANAO

Note a: One moderate audit finding relating to terminated user access was revised to a minor audit finding during the 2024–25 interim audit phase.

Source: ANAO 2024–25 interim audit results.

Resolved moderate audit finding

Terminated User Access — relating to NBN Co’s IT Control Environment

4.17.4 During the 2022–23 audit, the ANAO identified weaknesses in controls relating to terminated users being removed from NBN Co’s IT networks in a timely manner and reported a minor audit finding. User accounts should be removed upon termination date as they no longer have a legitimate requirement to access NBN Co’s IT networks.

4.17.5 While NBN Co had commenced implementation of additional controls in response to this finding, during the 2023–24 audit, the ANAO identified users who had accessed the IT network after their termination date. As a result, the ANAO revised the audit finding to a moderate audit finding. Inadequate security measures for timely removal of access from former personnel increase the risk of unauthorised access to sensitive information.

4.17.6 During the 2024–25 interim audit phase, the ANAO identified that NBN Co has made significant progress in remediating the audit finding. NBN Co has designed an effective control, and conducted analysis from 1 July 2024 confirming there had been no unauthorised access to NBN Co’s network by a user after their termination date.

4.17.7 The ANAO will assess the operating effectiveness of NBN Co’s control against the risks identified during the 2024–25 final audit. Noting the progress made by NBN Co, this audit finding has been revised to a minor audit finding.

Key financial balances and areas of financial statements risk

4.17.8 Figure 4.17.1 below shows the key financial statements items reported by NBN Co and the key areas of financial statements risk.

Figure 4.17.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and NBN Co’s 2023–24 audited financial statements.

Conclusion

4.17.9 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that NBN Co will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.18 Department of the Prime Minister and Cabinet

4.18.1 The Department of the Prime Minister and Cabinet (PM&C) is responsible for providing advice to the Prime Minister, the Cabinet, portfolio ministers, and assistant ministers to improve the lives of all Australians, including through coordination of government activities, effective policy advice and development, and program delivery.

Engagement risk rating

4.18.2 The engagement risk for the 2024–25 financial statements has been assessed as low. Key factors contributing to this rating include:

• accounting for investments in corporate Commonwealth entities and companies; and
• shared services provided to the National Indigenous Australians Agency and other entities.

Interim audit results

4.18.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to PM&C.

Key areas of financial statements risk

4.18.4 Figures 4.18.1 and 4.18.2 below show the key financial statement items reported by PM&C and the key areas of financial statements risk.

Figure 4.18.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and PM&C’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.18.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and PM&C’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.18.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that PM&C will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.19 National Indigenous Australians Agency

4.19.1 The National Indigenous Australians Agency (NIAA) was established on 1 July 2019 by an executive order of the Governor-General. The primary functions of the NIAA are to:

• lead and coordinate Australian Government policy development, program design and implementation, and service delivery for Aboriginal and Torres Strait Islander peoples;
• provide advice to the Prime Minister and the Minister for Indigenous Australians on Australian Government priorities for Aboriginal and Torres Strait Islander peoples;
• lead and coordinate the development and implementation of Australia’s Closing the Gap targets in partnership with Indigenous Australians; and
• lead Australian Government activities to promote reconciliation.

Engagement risk rating

4.19.2 The engagement risk for the NIAA’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the decentralised nature of processing and monitoring of grant programs and operations across Australia; and
• NIAA’s administration of the Community Development Program (CDP).

Interim audit results

4.19.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to NIAA.

Key areas of financial statements risk

4.19.4 Figures 4.19.1 and 4.19.2 below show the key financial statements items reported by NIAA and the key areas of financial statements risk.

Figure 4.19.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and NIAA’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.19.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and NIAA’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.19.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that NIAA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.20 Department of Social Services

4.20.1 The Department of Social Services (DSS) is responsible for social security, families and communities, disability and carers, and housing. DSS works in partnership with other government and non-government organisations on a range of policies, programs and services focused on improving the wellbeing of people and families in Australia.²⁰

Engagement risk rating

4.20.2 The engagement risk for DSS’ 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• high level of public interest, and Parliamentary scrutiny of, DSS’ activities in administering social welfare programs for the Australian community;
• improving governance and oversight resulting from reviews such as the Royal Commission into the Robodebt scheme;
• the range and complexity of DSS’ operations, including a complex and outsourced IT environment;
• reliance on third parties to provide information that determine social welfare and grant payments; and
• significant judgements and assumptions made in the estimation process around the valuation of personal benefit provisions and receivables for financial reporting purposes.

Interim audit results

4.20.3 At the 2024–25 interim audit phase, one instance of non-compliance with legislation that DSS is responsible for administering, and three findings that pose a moderate business or financial risk to DSS remain unresolved. Four minor findings remain unresolved, and one minor finding was resolved.

4.20.4 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by DSS to address the weaknesses identified.

Audit findings

Table 4.20.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Significant legislative breach

Income Apportionment

4.20.5 During the 2022–23 audit, the ANAO became aware of legal matters being managed by DSS associated with the ‘income apportionment’ matter that was the subject of an own-motion investigation by the Office of the Commonwealth Ombudsman (the Commonwealth Ombudsman).

4.20.6 In August 2023, the Commonwealth Ombudsman released a report on an own-motion investigation into Services Australia and DSS’ response to the question of the lawfulness of income apportionment before 7 December 2020.

4.20.7 Services Australia and DSS undertook to implement the recommendations made by the Commonwealth Ombudsman. The general instructions developed by DSS to provide guidance on how decision-makers should recalculate potential debts need further development, and both entities are still determining how much of the known and potential debts are affected.

4.20.8 At the conclusion of the 2024–25 interim audit DSS is continuing work to address this matter. The ANAO will assess DSS’ progress as part of the 2024–25 final audit phase.

Unresolved moderate audit findings

SAP terminations monitoring and reporting

4.20.9 During previous audits, the ANAO identified weakness in controls relating to SAP user access terminations and instances of users logging into SAP after their termination date where DSS could not provide evidence of the actions taken or recorded for the investigation as part of the terminations review process.

4.20.10 DSS implemented a monthly and quarterly reporting component to address the identified risks. In 2023–24, the ANAO identified that the internally generated reports used as part of these controls may not be complete, accurate or fit for purpose.

4.20.11 At the completion of the 2024–25 interim phase, DSS advised the ANAO that termination investigation and monitoring including reporting has been implemented and that DSS is exploring options to help to ensure termination reports are accurate and complete.

4.20.12 The remediation actions will be assessed by the ANAO as part of the 2024–25 final audit phase.

DES assurance programs

4.20.13 During the 2022–23 audit, the ANAO identified that there were significant timing delays in presenting the quarterly assurance reports in respect of the Disability Employment Services (DES) programs. This was reported as a minor audit finding.

4.20.14 During the 2023–24 audit, the finding was increased to moderate due to the limited progress in addressing the recommendations made by the ANAO, the importance of the related control and existence of both financial and business risks relating to grants to a vulnerable group.

4.20.15 At the conclusion of the 2024–25 interim phase, the finding remains unresolved and there have been delays in finalising assurance reports for 2023–24.

4.20.16 The processes implemented by DSS for the reminder of the financial year, including the status of completion and endorsement of the Q3 report at the year end, will be assessed by the ANAO as part of the 2024–25 final audit phase.

SAP privileged user monitoring

4.20.17 Maintaining and supporting IT systems requires some user accounts, both at the network and the application level, to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others.

4.20.18 During the 2023–24 audit, the ANAO identified that the monitoring undertaken did not verify that the activities which are being performed by privileged users are appropriate. This is a weakness in the monitoring of privileged user activities within the financial and human resources management information systems. This increases the risk that inappropriate or inaccurate activities undertaken by these privileged users are not identified.

4.20.19 The ANAO recommended that DSS regularly review and annually certify the currency of:

• a comprehensive risk assessment for privileged access;
• risk management strategies for identified risks; and
• results of risk strategy measures; and assessment and appropriate management of any residual risks.

4.20.20 During the 2024–25 interim audit phase, DSS advised the ANAO that it has finalised the risk assessment for privileged user access in SAP, including corresponding risk treatments and that it had reviewed a sample of transactions attributed to privileged users and found appropriate evidence supporting the use and review of these accounts.

4.20.21 The ANAO will review DSS’ progress in addressing this finding as part of the 2024–25 final audit phase.

Key financial balances and areas of financial statements risk

4.20.22 Figures 4.20.1 and 4.20.2 below show the key financial statements items reported by DSS and the key areas of financial statements risk.

Figure 4.20.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DSS’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Figure 4.20.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DSS’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Conclusion

4.20.23 At the completion of the interim audit, the ANAO has reported several areas where improvements are required. These audit findings reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement.

4.20.24 Action against the audit findings identified will be assessed by the ANAO, in conjunction with additional audit procedures, during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.21 National Disability Insurance Agency

4.21.1 The National Disability Insurance Agency (NDIA) was established under the National Disability Insurance Scheme Act 2013 (NDIS Act). The NDIA has responsibility for delivering the National Disability Insurance Scheme (the Scheme). The Scheme is designed to: provide individual control and choice in the delivery of reasonable and necessary care and support; to improve the independence, social and economic participation of eligible people with a disability, their families and carers; and provide associated referral services and activities.

Engagement risk rating

4.21.2 The engagement risk for the NDIA’s 2024–25 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• high level of public interest, and Parliamentary scrutiny of, the NDIA’s activities in implementing the Scheme;
• complexity of decisions made by the NDIA for participants of the Scheme, and the level of maturity of the NDIA’s compliance activities for access to the Scheme;
• administration of the Scheme is supported by a complex and partially outsourced IT environment;
• changes in key management positions, particularly those officers charged with governance; and
• the significant number of recommendations relating to internal controls and management of fraud risks made by the ANAO in Auditor-General Report No. 43 of 2022–23 Effectiveness of the National Disability Insurance Agency’s management of assistance with daily life support, including the failure to fully implement seven prior ANAO audit recommendations.

Interim audit results

4.21.3 At the 2024–25 interim audit phase, four findings that pose a moderate business or financial risk to the NDIA remain unresolved. One moderate finding has been reduced to a minor finding, and seven minor findings remain unresolved.

4.21.4 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by NDIA to address the weaknesses identified.

Audit findings

Table 4.21.1: Status of audit findings raised by the ANAO

Note a: The moderate audit finding relating to business assurance over plan approvals has been downgraded to a minor audit finding.

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit findings

Privileged user access monitoring — SAP CRM

4.21.5 The NDIA utilises Services Australia as its infrastructure provider for the SAP CRM IT system. SAP CRM is used for essential business functions such as payment delivery. Maintaining and supporting IT systems requires some user accounts to have extensive access rights (privileged access). Privileged user accounts have the potential to modify system configurations or controls and perform inappropriate or fraudulent activities with a financial impact.

4.21.6 The ANAO identified weaknesses in the effectiveness of Services Australia’s logging and monitoring of privileged user activities. The ANAO recommended that the NDIA assess the risk of existing processes, and document and implement processes to address the identified control weakness.

4.21.7 Since 2023–24, the NDIA has been working with Services Australia to improve monitoring of privileged users in SAP CRM.

4.21.8 At the completion of the 2024–25 interim phase, the NDIA is developing a schedule for the ongoing compliance monitoring which will be assessed by the ANAO as part of the 2024–25 final audit phase.

Privileged user activity monitoring — PACE

4.21.9 During the interim phase of the 2022–23 audit, the ANAO found that the NDIA did not have a formal process to review privileged user activity in the PACE system. The ANAO recommended that the NDIA should assess whether the real-time alert system meets the underlying business risks relating to privileged user access and implement a formal process to document the outcomes of alerts raised.

4.21.10 During the 2023–24 audit, the NDIA advised the ANAO that it had remediated this weakness by implementing a formal monitoring process over privileged user activity. During testing of the new process, the ANAO identified that the review did not include activity by all privileged users; the appropriateness of each activity performed; and there was no evidence of management oversight of the review.

4.21.11 At the completion of the 2024–25 interim phase, the NDIA has provided a closure pack describing its new weekly monitoring process to detect inappropriate activity. The design, implementation and operating effectiveness of this process will be assessed by the ANAO as part of the 2024–25 final audit phase.

Timeliness of IT user terminations

4.21.12 During the 2020–21 audit, the ANAO’s testing of user access found weaknesses in user access terminations processes. User accounts should be removed upon termination date as they no longer have a legitimate requirement to access the NDIA’s network.

4.21.13 The NDIA moved to a new ICT operating environment and created a new process to address this finding during 2022–23, however there were weaknesses with the reporting used to detect potentially inappropriate activity.

4.21.14 During the 2023–24 audit, the NDIA advised the ANAO that it had remediated the weaknesses previously identified with reporting. During the final audit phase, the ANAO identified that this process did not cover SAP CRM activities, and that the NDIA did not have formal change management processes to manage the code used to detect post-termination activity. The absence of change management process limits the NDIA’s ability to assure itself that the code being used has been approved, tested, is fit for purpose, and has not been inappropriately modified.

4.21.15 At the completion of the 2024–25 interim audit phase, the ANAO continued to observe weaknesses surrounding the completeness and accuracy of the investigation conducted by Services Australia on the NDIA’s behalf, including the documentation of these investigations.

4.21.16 The NDIA’s progress in addressing the finding will be assessed by the ANAO as part of the 2024–25 final audit phase.

Governance of legal matters and legal advice

4.21.17 During the 2023–24 audit, the ANAO made requests for information relating to known or suspected instances of non-compliance with laws and regulations including legal matters, whose effects should be considered in the preparation of the NDIA’s financial statements.

4.21.18 In 2022–23, the NDIA received legal advice on the operation of the NDIS Act in relation to debt management processes. During 2023–24, the ANAO identified weaknesses in the financial statements preparation processes with respect to the consideration of this legal advice, including the immaturity of systems and processes for determining the financial statements impact of the legal advice, and weaknesses in quality assurance processes over data extracted for related financial statements disclosures.

4.21.19 The ANAO recommended that the NDIA design, document and implement processes to ensure legal and other matters are considered and communicated to the ANAO when preparing financial statements, when reviewing historical information against the principles outlined in the legal advice and have appropriate quality assurance processes over extraction of information for financial statements disclosures.

4.21.20 At the 2024–25 interim audit phase, in response to the risks identified:

• the NDIA has advised the ANAO that it will review its annual financial statements planning process to consider whether it can be strengthened;
• a detailed review of current and historical debts is underway, with remediation to commence once decisions are made on all participant and provider debts;
• a consultant has been engaged by NDIA to review the debt management process; and
• the NDIA has developed a framework document that outlines quality assurance processes over the extraction of information for financial statements disclosures.

4.21.21 The ANAO will review the NDIA’s progress in addressing the risks identified during the 2024–25 final audit phase.

Key financial balances and areas of financial statements risk

4.21.22 Figure 4.21.1 below shows the key financial statements items reported by the NDIA and the key areas of financial statements risk.

Figure 4.21.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and NIDA’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.21.23 At the completion of the interim audit, the ANAO has reported several areas where improvements are required. These audit findings reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement.

4.21.24 Action against the audit findings identified will be assessed by the ANAO, in conjunction with additional audit procedures, during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.22 Services Australia

4.22.1 Services Australia is the Australian Government’s primary payment and service delivery provider. Services Australia delivers a range of payments and services to support individuals, families and communities, as well as providers and businesses. These include income support payments and services, aged care payments, Medicare payments and services, child support services, and a range of ICT functionalities for Australian Government departments and agencies.

Engagement risk rating

4.22.2 The engagement risk for Services Australia’s 2024–25 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• the role of Services Australia in the delivery of the Australian Government’s social welfare and health benefits programs;
• heightened public interest and parliamentary scrutiny in Services Australia’s operations; and
• significant audit findings identified by the ANAO, and multiple unresolved moderate and low audit findings.

Interim audit results

4.22.3 At the 2024–25 interim audit phase, one audit finding that poses a significant business or financial risk to Services Australia, one instance of non-compliance with legislation that Services Australia is responsible for administering, and six findings that pose a moderate business or financial risk to Services Australia remain unresolved. One significant audit finding was revised to a moderate audit finding and seventeen minor findings remain unresolved.

4.22.4 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by Services Australia to address the weaknesses identified.

Audit findings

Table 4.22.1: Status of audit findings raised by the ANAO

Note a: One significant audit finding relating to IT Governance was downgraded to a moderate audit finding during the 2024–25 interim audit.

Source: ANAO 2024–25 interim audit results.

Unresolved significant legislative breach

Significant legislative matters in Services Australia’s program delivery

4.22.5 Services Australia delivers social welfare and health programs and payments. Understanding of, and compliance with, legislation, is a key component underlying Services Australia’s delivery of these programs. During 2023–24, the ANAO became aware of breaches of legislation with respect to the: child support program; aged care program; and private health insurance rebate. These breaches included:

• the use of pre-issue income, instead of taxable income in calculating child support assessments and amounts recoverable from or payable to individuals in contravention of the Child Support (Assessment) Act 1989;
• a quarterly review process used by Services Australia to validate a care recipient’s maximum subsidy entitlement in arrears was inconsistent with the relevant provisions of the Aged Care Act 1997; and
• payments made under the Private Health Insurance Act 2007 without a decision as to the correctness or reasonableness of the claimed amount which may be inconsistent with the legislation.

4.22.6 These issues highlight significant legal concerns with Services Australia’s delivery of key programs on behalf of the Australian Government and policy agencies.

4.22.7 Services Australia is making progress towards addressing the risks identified, however the compliance matters identified are yet to be resolved.

Unresolved significant audit finding

Medicare Compensation Recovery Scheme

4.22.8 Services Australia is responsible for the administration of the Medicare Compensation Recovery Scheme (MCRS) on behalf of the Department of Health and Aged Care (DoHAC). In accordance with the Health and Other Services (Compensation) Act 1995 (the Act) receipt of a Medicare health benefit or subsidy, and receipt of compensation greater than $5,000, for the same illness, triggers a requirement to repay the health benefit and subsidy to the Australian Government.

4.22.9 During the 2023–24 audit, the ANAO identified that over 50 per cent of cases were not assessed by Services Australia within the statutory timeframes, contrary to specific requirements in the Act to process claims within timeframes or to make decisions to not pursue recovery. The Act requires that Services Australia must issue notices prior to statutory time periods expiring and has no discretion to not pursue recovery. The ANAO identified that Services Australia did not take sufficient steps during 2023–24 to address these known issues.

4.22.10 Services Australia’s non-compliance with the Act resulted in:

• non-collection of revenue from ‘advance payments’ that would have otherwise been owed to the Australian Government. Medicare benefits for treatments for which compensation was received may have been retained; and
• the identification of a prior period error in Services Australia’s 2023–24 financial statements, relating to the recognition and treatment of revenue and receivables associated with the MCRS program.

4.22.11 The ANAO recommended that Services Australia finalise MCRS assessments within legislated timeframes, report to its Audit and Risk Committee on progress addressing the issues and develop a policy that would require staff to consult with Services Australia’s legal team and affected policy agencies before making decisions with significant potential impacts on program administration.

Unresolved moderate audit findings

4.22.12 Seven moderate audit findings remain unresolved at the conclusion of the 2024–25 interim audit. Each moderate audit finding relates to Services Australia’s IT control framework and they are summarised below.

• IT Governance — first identified in 2022–23 as a significant audit finding in relation to the increasing number of issues in IT governance within Services Australia. In particular, the ANAO identified weaknesses in IT controls in the implementation of the large-scale IT roll-out for residential aged care and the re-emergence of many individual control issues affecting change and access management and business operations.
  • This audit finding was downgraded to a moderate audit finding during the 2024–25 interim audit, recognising Services Australia’s progress in addressing the ANAO’s recommendations, including the implementation of policy compliance testing across key ICT systems, updating Disaster Recovery Plans, the establishment of oversight committees, and other work. The ANAO will continue to review Services Australia’s ongoing implementation of these activities.
• FMIS and HRMIS Privileged User Management — first identified as a minor audit finding in 2020–21 and upgraded to a moderate audit finding in 2022–23. This finding relates to the ineffective logging and monitoring of user accounts with access to high-risk, financially significant transactions in the SAP enterprise resource planning system. Services Australia has provided the ANAO with evidence of progress against this audit finding which the ANAO will review as part of the 2024–25 final audit phase.
• Medicare Benefits Schedule (MBS) Restriction Lifts — the MBS Item Fee File system (the IFF System) is maintained by Services Australia to calculate the benefit payable on MBS claims. Within the IFF System, there are business rules and restrictions to ensure claims are automatically approved or pended for review by a service officer in accordance with the conditions applicable to each MBS item.
  • During the 2023–24 audit, the ANAO was advised that a process had been in place to lift restrictions on certain items when limitations in the IFF System would otherwise cause a valid claim to be rejected.
  • The ANAO identified that invalid MBS claims may be processed using override codes while restriction lifts are active and that policy agencies may be unaware of the frequency or impact of changes to the control environment for MBS claims. Additionally, the ANAO identified that restriction lifts may be activated without appropriate approval as the IFF System’s logging criteria would not capture all restriction lifts to detect an inappropriate restriction lift.
  • There is a risk that invalid MBS claims may be processed by a service officer using an override code while a restriction lift is active.
• Monitoring of super users (Medicare, Child Support and Health) — first identified as a minor audit finding in 2020–21 and upgraded to a moderate audit finding in 2022–23. This finding relates to the ineffective monitoring of user accounts with extensive access rights (privileged users) within the Medicare, Child Support and Health mainframes.
• Monitoring of super users (Centrelink) — first identified in 2022–23, this finding relates to the ineffective monitoring of user accounts with extensive access rights (privileged users) within the Centrelink mainframe.
• Medicare mainframe passwords and user access management — first identified as separate minor audit findings and upgraded in 2023–24 to a moderate audit finding, given the related risks arising from the identified issues.
  • This finding relates to weaknesses identified by the ANAO in relation to passwords and user access management for the Medicare Mainframe system, including users retaining access to the Mainframe when there was no longer a valid business reason to do so, access management processes that were inconsistent with Services Australia’s User Access for ICT Systems Policy, and other weaknesses.
  • Services Australia has implemented some procedures to address this finding, however the ANAO’s recommendation has not yet been implemented in full.
• New residential aged care system access management — first identified in 2022–23, this finding relates to weaknesses identified by the ANAO in the design and operating effectiveness of controls supporting privileged and other user access associated with the new residential aged care system — PACE.
  • Services Australia has commenced activities to design and implement appropriate controls in response to the ANAO’s recommendation in relation to this audit finding.

Key financial balances and areas of financial statements risk

4.22.13 Figures 4.22.1 and 4.22.2 below show the key financial statements items reported by Services Australia and the key areas of financial statements risk.

Figure 4.22.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Services Australia’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.22.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Services Australia’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.22.14 At the completion of the interim audit, the ANAO has reported several areas where improvements are required. These audit findings reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement.

4.22.15 Action against the audit findings identified will be assessed by the ANAO, in conjunction with additional audit procedures, during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.23 Department of the Treasury

4.23.1 The Department of the Treasury (Treasury) provides policy advice, analysis and the delivery of economic policies and programs, including legislation, administrative payments and regulatory functions, which support the effective management of the Australian economy.²¹

Engagement risk rating

4.23.2 The engagement risk for Treasury’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of some financial statements balances, such as the Disaster Recovery Funding Arrangement provision, that requires management judgement and involves estimation uncertainty; and
• the significance of the payments made by Treasury under the Federal Financial Relations framework.

Interim audit results

4.23.3 At the 2024–25 interim audit phase, one finding that poses a moderate business or financial risk to Treasury and one minor finding remain unresolved.

4.23.4 During the 2024–25 final audit the ANAO will undertake further procedures and assess action taken by Treasury to address the weaknesses identified.

Audit findings

Table 4.23.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit finding

Estimation process for Disaster Relief Funding Arrangements

4.23.5 The Disaster Recovery Funding Arrangement (DRFA) provision represents the Treasury’s best estimate of future payments expected to be made to states and territories in respect of financial assistance for declared disaster events. The provision is based on estimates from states and territories on their assessment of costs incurred or expected to be incurred for declared disaster (natural) events.

4.23.6 In 2023–24, the provision increased significantly due to the revaluation of prior year estimates. Most of the increase related to flood events in 2022 which were considered extreme weather events with significant estimates attached to the reconstruction.

4.23.7 The complexity and volume of disaster events have caused delays in estimating the appropriate costs and delaying the estimation process. As a result, the ANAO identified a risk that the estimate of the provision may be subject to volatility and have potential to be over or underestimated.

4.23.8 During 2024–25 Treasury has commissioned the Australian Government Actuary (AGA) to model a multiplier for provisions based on several factors relevant to the provision. The ANAO received an update on work planned to inform the provision and will continue to assess Treasury’s actions to address the risks identified during the 2024–25 final audit phase.

Key financial statements items and areas of financial statements risk

4.23.9 Figures 4.23.1 and 4.23.2 below show the key financial statements items reported by Treasury and the key areas of financial statements risk.

Figure 4.23.1:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Treasury’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.23.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Treasury’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.23.10 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Treasury will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.24 Australian Office of Financial Management

4.24.1 The Australian Office of Financial Management (AOFM) is responsible for managing Australian Government debt and financial assets. AOFM issues Treasury Bonds, Treasury Indexed Bonds and Treasury Notes, manages the government’s cash balances and invests in high quality financial assets under the Australian Business Securitisation Fund and the Structured Finance Support Fund.

Engagement risk rating

4.24.2 The engagement risk for AOFM’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• complexity of AOFM’s operations, particularly the management of the Australian Government’s debt portfolio.

Interim audit results

4.24.3 At the 2024–25 interim audit phase, the ANAO has not identified any findings that pose a significant or moderate business or financial risk to AOFM.

Key financial balances and areas of financial statements risk

4.24.4 Figures 4.24.1 and 4.24.2 below show the key financial statements items reported by AOFM and the key areas of financial statements risk.

Figure 4.24.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and AOFM’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Figure 4.24.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and AOFM’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.24.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that AOFM will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.25 Australian Taxation Office

4.25.1 The Australian Taxation Office (ATO) is Australia’s principal revenue collection entity and is part of the Treasury Portfolio. The ATO’s role is to administer Australia’s tax system, significant aspects of Australia’s superannuation system and business registry services, together with the provision of support to the Tax Practitioners Board and the Australian Charities and Not-for-profits Commission.

Engagement risk rating

4.25.2 The engagement risk for the 2024–25 financial statements has been assessed as high. Key factors contributing to this rating include:

• the level of ongoing scrutiny of the ATO’s operations by Parliament and members of the public, given ATO’s role as Australia’s principal revenue collection agency, administering the legislation governing tax and significant aspects of Australia’s superannuation system;
• dependence on sophisticated and interfaced IT systems and business applications for financial reporting; and
• the considerable level of judgement required and significant application of estimation and allocation processes to determine key financial balances.

Interim audit results

4.25.3 At the 2024–25 interim audit phase, one significant audit finding was reduced to two moderate audit findings. Three minor audit findings were identified, two minor audit findings remain unresolved and one minor audit finding was resolved.

4.25.4 During the 2024–25 final audit phase the ANAO will undertake further procedures and assess action taken by ATO to address the weaknesses identified.

Audit findings

Table 4.25.1: Status of audit findings raised by the ANAO

Note a: The significant audit finding relating to Enterprise Change Management was identified during the 2022–23 audit. This audit finding was revised to two new moderate audit findings during the 2024–25 interim audit phase.

Source: ANAO 2024–25 interim audit results.

New moderate audit findings

4.25.5 In 2024–25, the significant finding relating to Enterprise Change Management was revised to two moderate (B Category) findings following a strengthening of relevant controls and partial implementation of automated deployment tools.

Change Management — Business Data System

4.25.6 During the 2024–25 interim audit, the ANAO identified weaknesses associated with IT change management for ATO’s business data system, the Enterprise Data Warehouse (EDW). The EDW is still transitioning into the new IT change control solution implemented by the ATO to provide additional controls assurance over segregation of duties with respect to development and migration activities. This means that controls over segregation of duties are detective only and not enforced preventative controls.

4.25.7 As part of the review of ATO’s transition to the new IT change control solution, the ANAO identified weaknesses in the design and implementation of privileged logging and monitoring controls for privileged user accounts. Maintaining and supporting IT systems requires some user accounts to have extensive access rights (privileged access). Privileged user accounts have the potential to modify system configurations or controls and perform inappropriate or fraudulent activities with a financial impact.

4.25.8 The issues pose a risk that unauthorised changes negatively impact the ATO’s business operations and will require the ANAO to undertake additional testing to obtain assurance over the reliability of data and reports generated from the system to support financial statements balances. The ANAO recommended that the EDW is fully transitioned into the new IT change control solution and that policy and control requirements are established for the management of all privileged user accounts.

Change Management — Business Reporting System

4.25.9 During the 2024–25 interim audit, the ANAO identified weaknesses associated with IT change management for ATO’s business reporting system, Cognos. Cognos has not transitioned into the new IT change control solution implemented by the ATO to provide additional controls assurance over segregation of duties with respect to development and migration activities. As a result, the required segregation of duties were not in operation for the interim audit phase.

4.25.10 The issues pose a risk that unauthorised changes negatively impact the ATO’s business operations and will require the ANAO to undertake additional testing to obtain assurance over the reliability of data and reports generated from the system to support financial statements balances. The ANAO recommended that ATO formalise policy and control requirements for the management of data and report generation processes within Cognos.

Unresolved moderate audit findings

Uneconomic to pursue debt and re-raises

4.25.11 During the 2021–22 audit, the ANAO identified issues in the ATO’s treatment of debts considered to be uneconomical to pursue (‘non-pursued debt’). Excluding non-pursued debts from offsetting was not consistent with Part IIB of the Taxation Administration Act 1953 (Tax Act). Issues identified included:

• the timeframe where the automatic re-raise functionality was switched off that resulted in the ATO not re-raising debts that had previously been identified as uneconomical to pursue where the taxpayer became entitled to a credit; and
• the use of exclusionary criteria that had the effect of preventing a re-raise on a taxpayer’s account for non-pursued debt.

4.25.12 In both of these cases there was a potential effect of a taxpayer being able to receive a full credit despite having a debt owed to the Commonwealth.

4.25.13 At the completion of the 2023–24 audit, the ATO had updated its policies to conform with relevant legislation for debt offsetting and implemented updates to IT systems to remove all selected exclusionary criteria relating to non-pursued debts not currently subject to an approved deferral by the Commissioner of Taxation (Commissioner). One exclusionary criterion remains in place for debts raised prior to 1 January 2017 that has not been removed and is subject to a temporary deferral of recovery by the Commissioner.

4.25.14 The 2024–25 Budget included a measure under which the Australian Government will seek to amend the tax law to give the Commissioner discretion to not use a taxpayer’s refund to offset old tax debts, where the Commissioner had put that old tax debt on hold prior to 1 January 2017. This discretion is intended to apply to individuals, small businesses and not-for-profits, and will maintain the Commissioner’s current administrative approach. At the conclusion of the interim audit, legislation required to give effect to this measure was still in-progress and as a result this finding remains unresolved.

Resolved significant audit finding

Enterprise change management

4.25.15 IT change management provides a disciplined approach to making changes to the IT environment. Change Management processes include controls to prevent unauthorised changes being made, and to reduce the likelihood that normal business operations are interrupted, or data integrity is corrupted through the implementation of unauthorised changes.

4.25.16 During the 2022–23 audit, the ANAO identified weaknesses associated with the ATO’s enterprise change management for key IT systems supporting the preparation of ATO’s financial statements. The ATO’s change management policy and operational procedures did not consistently define the types of changes that required segregation of duties between developers and migrators. As a result, the required segregation of duties were not in operation for the financial year. The ATO was also unable to demonstrate that its IT service management system contained a complete and accurate list of changes made to the systems assessed by the ANAO as in scope for the financial statements audit. Accordingly, the ATO was unable to demonstrate that these changes were appropriately authorised and managed in all instances.

4.25.17 This issue remained unresolved through the 2023–24 audit and posed a risk that unauthorised changes negatively impact the ATO’s business operations, requiring the ANAO to undertake additional testing to obtain assurance over the reliability of reports generated to support financial statements balances.

4.25.18 In response to the audit finding, the ATO has implemented a series of changes to policy and procedural documentation as well as enhancements to the ATO’s change management recording system. As a result, the enterprise change management category A-finding has been reassessed to reflect the remediation work implemented by ATO to strengthen change management practices and processes. At the conclusion of the interim phase, the ANAO continues to identity weaknesses with change management controls for business reporting and data systems. Individual moderate risk findings have been reported for these issues.

Key financial balances and areas of financial statements risk

4.25.19 Figures 4.25.1 and 4.25.2 below show the key financial statements items reported by ATO and the key areas of financial statements risk.

Figure 4.25.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and ATO’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Figure 4.25.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and ATO’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statement.

Conclusion

4.25.20 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that ATO will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.26 Reserve Bank of Australia

4.26.1 The Reserve Bank of Australia (RBA) is responsible for determining and implementing monetary policy that seeks to contribute to the stability of the currency and maintain full employment, works to maintain a strong financial system and efficient payments system and issues Australia’s banknotes.

4.26.2 As well as being a policymaking body, the RBA provides selected banking services to a range of Australian Government entities and to a number of overseas central banks and official institutions. The RBA is also responsible for the management of Australia’s gold and foreign exchange reserves.

Engagement risk rating

4.26.3 The engagement risk for RBA’s 2024–25 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the high level of public interest and accountability for the RBA’s operations as the central bank of Australia and in conducting monetary policy;
• the value, complexity and level of judgement required to manage a significant portfolio of investments and other financial assets and liabilities that support monetary policy outcomes; and
• the reliance by the public and Australian financial institutions on the RBA to manage and provide key banking and settlements infrastructure as well as issuing Australia’s banknotes.

Interim audit results

4.26.4 At the 2024–25 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to the RBA. Four minor audit findings were identified, four minor findings remain unresolved, and one minor audit finding was resolved.

Key financial statements items and areas of financial statements risk

4.26.5 Figure 4.26.1 below shows the key financial statement items reported by the RBA and the key areas of financial statements risk.

Figure 4.26.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and RBA’s 2024–25 revised budget as reported in the 2024–25 Portfolio Additional Estimates Statements.

Conclusion

4.26.6 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the RBA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

4.27 Department of Parliamentary Services

4.27.1 The Department of Parliamentary Services (DPS) is responsible for supporting the Parliament through the provision of a range of services, including library, research, Hansard, broadcasting, telecommunications, central computing, food and beverages, and building security and maintenance.

Engagement risk rating

4.27.2 The engagement risk for DPS’s 2024–25 financial statements audit has been assessed as low. Key factors contributing to this rating include:

• non-complex transactions and balances in DPS’s financial statements; and
• mature financial statements preparation process and internal control environment.

Interim audit results

4.27.3 At the 2024–25 interim audit phase, one finding that poses a moderate business or financial risk to DPS remains unresolved. This finding is summarised below.

Audit findings

Table 4.27.1: Status of audit findings raised by the ANAO

Source: ANAO 2024–25 interim audit results.

Unresolved moderate audit finding

Network User Terminations

4.27.4 User access management is fundamental to the effective operation of the IT systems. Revoking user access to a system in a timely manner is necessary to ensure that all access to IT systems, financially sensitive or otherwise is authorised.

4.27.5 During the 2023–24 audit, the ANAO identified that contractor termination dates could not be readily verified due to the absence of exit forms for such terminations. DPS was unable to provide alternative evidence for the respective contractor terminations and there were no compensating controls relating to contractor terminations.

4.27.6 During 2024–25 DPS has made a significant effort to improve contractor offboarding processes. To obtain assurance over the completeness and accuracy of contractor termination dates in SAP HR the ANAO will conduct audit testing over contractor termination dates as part of the 2024–25 final audit phase.

Key financial statements items and areas of financial statements risk

4.27.7 Figures 4.27.1 and 4.27.2 below show the key financial statement items reported by DPS and the key areas of financial statements risk.

Figure 4.27.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DPS’s 2024–25 Portfolio Budget Statements.

Figure 4.27.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DPS’s 2024–25 Portfolio Budget Statements.

Conclusion

4.27.8 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DPS will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2024–25 final audit and reported in the ANAO’s Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, expected to table in December 2025.

Audit results

5.1 As detailed in Auditor-General Report No. 22 2024–25 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2024, there were six entities for which the 2023–24 financial statements audit had not been finalised by the ANAO as at 9 December 2024. Those audits are outlined in Table 5.1.

Table 5.1: Audits not finalised at 9 December 2024

Source: ANAO 2023–4 audit results.

IBA Retail Asset Management Pty Ltd.

5.2 IBA Retail Asset Management Pty Ltd. (IRAM) is a wholly-owned subsidiary of Indigenous Business Australia (IBA) — a corporate Commonwealth entity. IRAM provides professional retail management of Indigenous-owned retail assets across Australia, such as supermarkets and roadhouses.

5.3 The conclusion of the 2023–24 audit of IRAM was delayed due to the impact of weaknesses in IRAM’s financial statements preparation process, which resulted in a prior period error and the correction of IRAM’s comparative financial statements. An audit finding was identified by the ANAO in relation to this.

Audit findings

Financial statements preparation process

5.4 One minor audit finding was identified by the ANAO during the 2023–24 audit. This finding related to weaknesses in IRAM’s financial statements preparation process, increasing the time required for the preparation and audit of IRAM’s 2023–24 annual financial statements.

Ikara Wilpena Enterprises Pty Ltd

5.5 Ikara Wilpena Enterprises Pty Ltd (IWE) is a subsidiary of Indigenous Business Australia (IBA) a corporate Commonwealth entity. IWE provided tourism activities, services and products in the Flinders Ranges, South Australia. In May 2024, IWE entered into a Sales and Business Agreement to sell its business and the majority of its assets. IWE is a non-operating entity following the satisfactory completion of conditions required for settlement of the sale agreement in October 2024.

Ikara Wilpena Holdings Trust

5.6 Ikara Wilpena Holdings Trust (the Trust) is a subsidiary of Indigenous Business Australia (IBA) a corporate Commonwealth entity. The Trust was established to hold commercial investment property, and IBA is Trustee of the Trust.

5.7 The audits of IWE and the Trust are expected to be completed in late May 2025 and moderate audit findings around the financial reporting process, and financial statement preparation process have been reported to management.

National ICT Australia Limited

5.8 National ICT Australia Ltd (NICTA) is a subsidiary of the Commonwealth Scientific and Industrial Research Organisation (CSIRO) — a corporate Commonwealth entity. NICTA is a registered charity and Australia’s ICT Research Centre of Excellence. NICTA’s purpose is to develop technologies that generate economic, social and environmental benefits for Australia.

5.9 In November 2024, the NICTA Board resolved to commence the process of voluntary deregistration for NICTA and its subsidiary entities. Final deregistration is expected to take place in late 2025.

5.10 The conclusion of the 2023–24 audit was delayed until there was certainty as to the Board’s resolution of voluntary deregistration of the entity, which had associated accounting implications. Accordingly, NICTA’s 2023–24 financial statements were prepared on a non-going concern basis, and the ANAO’s auditor’s report contained an Emphasis of Matter paragraph, drawing users’ attention to the relevant disclosures in the financial statements regarding the basis of accounting.

5.11 There were no findings identified by the ANAO from the 2022–23 or 2023–24 financial statements audits.

Royal Australian Navy Central Canteens Board

5.12 The Royal Australian Navy Central Canteens Board (RANCCB) is established as a corporate Commonwealth entity which supports Navy members by providing a range of food and beverage options, where profits are returned through social enterprise programs.

5.13 The conclusion of the 2023–24 audit was delayed due to material errors identified in the 2023–24 financial statements requiring retrospective correction in current and prior financial years. The ANAO’s auditor’s report contained an emphasis of matter paragraph, drawing users’ attention to the correction of prior period errors in RANCCB’s financial statements.

5.14 Further, the ANAO’s auditor’s report contained a qualification, with respect to the current year impact of prior period audit qualifications affecting the comparability of RANCCB’s financial position and performance at 30 June 2024. The ANAO’s 2023–24 auditor’s report was qualified mainly due to the effect of qualifications on the 2021–22 and 2022–23 audits of RANCCB, with respect to the ANAO being unable to obtain sufficient and appropriate audit evidence over RANCCB’s inventory balance at 30 June 2022 and the associated effect this had on RANCCB’s 2022–23 and 2023–24 financial statements. Further detail is set out in paragraph 4.9 of Auditor-General Report No. 42 2023–24 Interim Report on Key Financial Controls of Major Entities.

Audit findings

5.15 At the conclusion of the 2023–24 audit, two minor findings were resolved, and one minor finding remained unresolved.

Win with Navy Ltd

5.16 Win With Navy (WWN) Ltd is a company limited by guarantee and a wholly owned subsidiary of RANCCB, incorporated in 2021 to enable the continuance of the Win With Navy raffle in the jurisdiction of Queensland.

5.17 In March 2025, the WWN Board resolved to appoint a liquidator and wind up the company.

5.18 The conclusion of the 2023–24 audit has been delayed until there is certainty as to the requirements to conduct an audit given the appointment of a liquidator and the winding up of the company.