1. This report presents the results of the interim phase of the ANAO’s financial statements audit. The results include the ANAO’s assessment of the effectiveness of internal controls in 27 of the largest Australian Government sector entities.

2. At the completion of the interim audits for the 27 entities included in this report, the key elements of internal control were assessed as operating effectively for 13 entities. For the remaining 14 entities, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement, except for particular finding/s outlined in Chapter 4 of this report.

Interim audit findings

3. Across the entities included in this report there were three significant findings reported across three entities. Each of these findings relate to significant legislative breaches due to incorrect or inconsistent application of legislation in the delivery of programs and payments. These entities were the Department of Social Services, the Department of Health, Disability and Ageing, and Services Australia (see Table 2.1 and Chapter 4).

4. A total of 86 findings were reported to entities at the conclusion of the 2025–26 interim audit phase, comprising: three significant legislative breaches, 25 moderate (including one other legislative breach), and 58 minor findings. This is a decrease in total findings compared to the 2024–25 interim audit period, which reported a total of 118 findings, comprising of: four significant findings (two significant findings and two significant legislative breaches), 31 moderate and 83 minor findings.

5. Information technology (IT) control findings continue to be the most significant area of audit findings. 71 per cent of all findings related to the IT controls environment (2024–25: 65 per cent). It is essential entities have controls and governance arrangements in place that are working effectively. This increases in importance as the sector expands its reliance on IT for core administrative processes and adopts emerging technologies such as artificial intelligence (AI). The ANAO continues to monitor use of AI across the sector and respond to changes through its audit work program.

6. At the conclusion of the 2025–26 interim audit phase, 23 findings raised in prior years were resolved. This includes one significant finding, one other legislative finding and 21 minor findings. This is an increase from the 2024–25 interim audit phase, which saw 18 minor findings fully resolved.

1.1 The ANAO independently provides assurance to the Parliament and the public that government entities’ financial statements are prepared in accordance with relevant Australian accounting standards and the financial reporting framework.

1.2 The ANAO prepares two reports annually that provide insights at a point in time to the financial statements’ risks, governance arrangements and internal control frameworks of Australian Government entities, drawing on information collected during our audits. This report is the first of the two reports and focuses on the results of the ANAO’s interim phase of the 2025–26 financial statements audits. It also provides an update on financial statements audits that were not completed in time for inclusion in Auditor-General Report No. 17 2025–26 on the results of 2024–25 financial statements audits (Chapter 5).¹

Entities included in this report

1.3 This report examines 27 of the largest Australian Government entities, across the General Government Sector (GGS)², Public Non-Financial Corporation (PFNC)³ sector and Public Financial Corporation (PFC)⁴ sector. The 27 entities included in this report are listed in Appendix 1.

1.4 Collectively, these entities contribute to at least 94 per cent of the Australian Government’s assets, liabilities, income and expenditure, and deliver diverse and essential services to the Australian community. The collective size of liabilities, assets, expenses and income of these agencies for the year ended 30 June 2025 is set out in Table 1.1.

Table 1.1: Liabilities, assets, expenses and income for the 27 largest Australian Government entities

Source: ANAO analysis of entity financial information.

1.5 The Auditor-General Act 1997 (Auditor-General Act) establishes the mandate for the Auditor-General to undertake financial statement audits of all Australian Government entities.⁵ The ANAO conducts its financial statements audits in four phases: planning, interim, final and completion. Figure 1.1 describes the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

Source: ANAO financial statements audit process.

Engagement risk

1.6 The ANAO assesses engagement risk for each audited entity on an annual basis. Engagement risk includes the risks of material misstatement relating to a financial statements audit engagement, and other professional risks such as reputational and litigation risks. The assessment of engagement risk provides the basis for determining whether additional quality management responses are required, in accordance with the auditing standards. Factors that may inform engagement risk ratings include complexity of an entity’s operations and financial statements and the results of previous audit engagements.

1.7 Seven of the 27 entities included in this report have been assessed as having a high engagement risk for 2025–26 (2024–25: seven entities).⁶ See Appendix 1.

Key areas of financial statements risk

1.8 The ANAO’s risk assessment process identifies key areas that have the potential to materially impact an entity’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, the results of recent ANAO performance and performance statements audits and an understanding of the entity’s environment and governance arrangements, including its financial reporting regime and system of internal control. Key areas of financial statements risk across the sector include: where significant judgements and estimates are required; accuracy of payments and compliance monitoring; legal governance; grants administration; management of asset and inventory and use of complex information technology (IT) systems or changes to IT systems. Further details of the key areas of financial statements risk relevant to each entity are included in Chapter 4.

1.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of an entity’s financial statements (see Chapter 3).

Audit findings

1.10 Audit findings are raised in response to the identification of a potential business or financial risk posed to an entity. Weaknesses in internal controls increase the possibility that a material misstatement of an entity’s financial statements will not be prevented or detected in a timely manner. The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The rating scale is presented in Table 1.2.

Table 1.2: Findings rating scale

Source: ANAO findings rating scale.

Snapshot

2.1 For the 27 entities included in this report, at the conclusion of the 2025–26 interim audit phase, the ANAO has identified the following.

Audit findings

2.2 At the conclusion of the 2025–26 interim audit phase, the ANAO identified a total of 10 new findings — one significant legislative breach (Category L1), two moderate (Category B) and seven minor (Category C). The significant legislative breaches related to incorrect or inconsistent application of legislation in the delivery of programs and payments. The moderate and minor findings primarily related to information technology (IT) control environment.

2.3 Seventy-six findings (two significant legislative breaches, 23 moderate and 51 minor) remain unresolved or had their risk rating reassessed from prior years. The overall number of findings has reduced compared with the 2024–25 interim audit phase. Figure 2.1 presents a summary of the number of significant, moderate and minor findings and legislative breaches identified by the ANAO at the completion of the interim audit phase for the period 2021–22 to 2025–26. Figure 2.2 shows unresolved findings by category at the conclusion of the 2025–26 interim audit.

Figure 2.1: Aggregate audit findings 2020–21 to 2025–26 at the completion of each interim audit phase

Note: The minor findings include Category L3 breaches, moderate findings include Category L2 breaches and significant findings include Category L1 breaches.

Source: ANAO analysis of interim audit results.

Figure 2.2: Percentage of audit findings by category at the completion of the 2025–26 interim audit phase

Source: ANAO analysis of 2025–26 interim audit results.

Significant audit findings

2.4 Significant audit findings indicate issues that pose a significant business or financial management risk to the entity or are instances of significant non-compliance with legislation. Significant audit findings could result in a material misstatement of the entity’s financial statements.

2.5 At the conclusion of the 2025–26 interim audit phase, three findings related to significant non-compliance with legislation were reported. No significant (Category A) findings that could pose a significant business or financial risk were reported for the 27 entities in this report.

Legislative non-compliance

2.6 Legislative compliance is a fundamental requirement that entities must abide by, both in managing programs and services and also in ensuring that commitments and spending of money is authorised in accordance with the relevant legislation. Significant legislative non-compliance findings include potential or actual breaches of the Australian Constitution, an entity’s enabling legislation, legislation the entity is responsible for administering, and the Public Governance, Performance and Accountability Act 2013.

2.7 At the conclusion of the 2025–26 interim audit phase, the ANAO identified four findings relating to legislative non-compliance in the 27 entities in this report.

• Three significant legislative breaches (Category L1) relating to breaches in the administration of different enabling legislation across a number of programs and potential breaches of section 83 of the Australian Constitution.
• One other legislative breach (Category L2) relating to the incorrect application of legislation administered by the Australian Taxation Office (ATO).

2.8 Details of the significant findings are set out in Table 2.1 and paragraphs 2.9 to 2.11.

Table 2.1: Significant audit findings at the conclusion of the 2025–26 interim audit phase

Source: ANAO analysis of 2025–26 interim audit results.

Department of Social Services

2.9 DSS administers key social security and child support legislation, with Services Australia delivering payments and services managed through formal service delivery arrangements. DSS has strengthened its detection, governance and legal risk management and is internally tracking 93 legislative non-compliance issues. DSS has resolved some issues through legislative change. However, there are ongoing instances where payments are not being fully administered in line with legislation, including matters that have been known for several years. Examples include urgent payments under social security law and automation of advance payments where it is not permitted by the legislation. The ANAO recommends DSS further strengthens assurance over service delivery compliance and focuses on timely, accountable and effective remediation of legislative non-compliance. See paragraph 4.22.10 to 4.22.18.

Department of Health, Disability and Ageing

2.10 Health has primary responsibility for administering health and aged care legislation. Health reported potential section 83 breaches in 13 areas in its 2024–25 financial statements. By the end of the 2025–26 interim audit the ANAO was aware of potential breaches across 15 areas, with some resolved during the year. While remediation efforts are underway, Health needs a sustained focus to strengthen governance, accountability, and oversight to reduce future breaches and support ongoing compliance. See paragraph 4.13.12 to 4.13.16.

Services Australia

2.11 Services Australia is the Australian Government’s primary payment and service delivery provider. The ANAO has previously identified legislative breaches in programs such as child support, aged care, private health insurance and compensation recovery that highlights significant legal and compliance risks in its service delivery. While Services Australia has made progress, including better identification of potential non-compliance, establishing a Legal Compliance and Remediation Program, and resolving some issues through legislative amendments, significant compliance risks remain. See paragraph 4.11.13 to 4.11.14.

Identification and resolution of legislative non-compliance

2.12 The Australian Government administers complex, high-volume payment programs that provide financial support to Australians. The eligibility criteria for these payments, and the determination of entitlement amounts, may be reliant on information directly provided by payment recipients. If information is not accurate, or timely, the payment made may be incorrect. Incorrect payments under these programs may constitute a breach of Section 83 of the Australian Constitution if they were not made in line with the appropriation that governs the payment.

2.13 The Department of Finance (Finance) provides guidance to the sector on identifying breaches.⁷ A breach of section 83 of the Australian Constitution occurs when money is paid from the Consolidated Revenue Fund without valid appropriation or inconsistently with an appropriation made by law. There is no materiality threshold for such breaches. In March 2026, Finance updated its guidance to the sector, and breaches and potential breaches of section 83 are no longer disclosed in entities’ financial statements and are to be disclosed in the annual report. Section 83 matters remain subject to ANAO audit.⁸

2.14 Over the last one to two years the ANAO has observed entities are more comprehensively examining legal matters and legislative compliance in their program delivery. This has led to better identification of potential non-compliance and implementation of tracking mechanisms, for example registers and reporting to governance committees. With the increase in identification of legislative non-compliance, entities should seek to implement a plan to address the areas of non-compliance in a timely and appropriate manner. As relevant, entities should also look to strengthen the controls over complex payment programs, particularly where policy and service delivery is managed by different entities. New payment programs should be designed to enable full compliance with relevant legislative requirements.

2.15 The ANAO will continue to monitor matters of legislative non-compliance and will report on this area in the 2025–26 end-of-year report.

Information technology control environment

2.16 IT control environment findings continue to represent the highest proportion of all findings identified by the ANAO in financial statements audits. At the conclusion of the 2025–26 interim audit phase, there were 61 findings reported relating to the IT control environment, representing 71 per cent of all findings reported.

2.17 IT control findings relate mostly to IT security, which comprised 64 per cent of all IT control environment findings. IT security is concerned with protecting an entity’s information assets from internal and external threats and includes controls to prevent or detect unauthorised access to systems, programs and data. Further information on IT control environment findings, and other observations identified by the ANAO are included in Chapter 3.

Unresolved findings

2.18 Unresolved audit findings are those findings which have been identified by the ANAO in prior years which are yet to be resolved. Entities should take action to address unresolved audit findings, and the weakness in internal control identified, in a timely manner which is commensurate with the level of risk identified by the ANAO.

2.19 Eighty-five per cent of audit findings (73 findings) reported at the 2025–26 interim audit phase were findings unresolved from prior years. Figure 2.3 provides an analysis of the period in which the 73 unresolved audit findings were first identified by ANAO. Of the unresolved findings two per cent were first identified in 2020–21, six per cent in 2021–22, 13 per cent in 2022–23, and 26 per cent in 2023–24 and 38 per cent in 2024-25.

Figure 2.3: Number of unresolved audit findings by period first identified by the ANAO

Note: The minor findings include Category L3 breaches, moderate findings include Category L2 breaches and significant findings include Category L1 breaches.

The data does not include findings where the risk rating has been reassessed by the ANAO.

Source: ANAO analysis of 2025–26 interim audit results.

Resolved findings

2.20 The ANAO considers audit findings to be resolved when entities effectively address the risks identified. During the 2025–26 interim audit phase, the following significant and moderate findings were resolved since the 2024–25 final audit phase.

• A significant (Category A) finding relating to Medicare Compensation Recovery Scheme at Services Australia. The ANAO identified weaknesses in Services Australia’s compliance frameworks relating to the timeliness of assessment of Medicare Compensation Recovery cases, increasing the risk of legislative non-compliance occurring. In response, Services Australia improved timeliness of assessments to be within required timeframes in a nearly all cases, which resolved the finding. The ANAO continues to monitor Services Australia’s compliance with legislative requirements, including through the Category L1 finding set out in Table 2.1 and paragraph 2.11; and
• A legislative finding (Category L2) relating to income apportionment at DSS. The ANAO identified legislative non-compliance in DSS’ calculation of customer income across payment periods (income apportionment).⁹ This increased the risk of incorrect social security payments and inaccurate debts against customers. This breach has been resolved through the passing of legislative amendments. The ANAO continues to monitor DSS’ arrangements for managing legislative compliance across its programs and payments, including through the Category L1 finding set out in Table 2.1.

2.21 Across all other entities, a further 21 minor audit findings raised in prior years were resolved. To resolve these findings the ANAO has observed that entities had strengthened internal controls and monitoring to better manage IT access, improved IT governance arrangements and enhanced compliance with relevant policies and procedures.

2.22 Further findings may be resolved as the ANAO continues testing controls and processes during the 2025–26 final audit phase, the results of which will be reported by the ANAO at year end.

Audit findings partially resolved or risk rating reassessed

2.23 The ANAO reassesses risk ratings attributed to an audit finding when significant progress has been made to address the risks identified or the existing risk has increased. During the 2025–26 interim audit phase, the ANAO updated three audit findings by reassessing the associated risk rating from the 2024–25 final audit phase. Two moderate findings were reassessed to minor risk, and one minor finding was reassessed as moderate risk. See Table 2.2.

Table 2.2: Audit findings reassessed in the 2025–26 interim audit phase

Source: ANAO analysis of 2025–26 interim audit results.

Other observations

2.24 At the conclusion of the 2025–26 interim audit phase, the ANAO observed a reduction in findings relating to the accounting and control of non-financial assets. At the conclusion of the 2025–26 interim audit phase four findings remain unresolved, compared to 11 findings reported at the conclusion of 2024–25 interim audit phase.

Summary of results

3.1 Information technology (IT) general controls support the effective operation of information processing controls and maintain integrity of data within an IT system. An IT application control is a built-in system check applied to specific processes to safeguard the integrity of business transactions.¹⁰

3.2 IT control environment findings represent the majority of audit findings at the conclusion of the 2025–26 interim audit phase, with 61 IT control environment findings (71 per cent of total financial statements audit findings). Figure 3.1 illustrates trends in IT audit findings reported during the interim audit phase from 2021–22 to 2025–26. The 2025–26 interim audit phase had a decrease of 16 reported findings (21 per cent) relating to the IT control environment compared to the 2024–25 interim audit phase.

Figure 3.1: IT control environment interim audit phase findings 2021–22 to 2025–26

Source: ANAO data.

3.3 In the 2025–26 interim audit phase, no significant (Category A) findings were reported relating to the IT control environment.

3.4 There were 20 moderate (Category B) findings relating to the IT control environment reported as at the 2025–26 interim audit phase. Consistent with prior years, IT security remains a key theme, with 15 moderate findings (75 per cent) relating to IT security. Figure 3.2 provides a breakdown by category for moderate-level audit findings related to the IT control environment.

Figure 3.2: Categorisation of moderate-level 2025–26 interim audit phase findings for IT control environments

Source: ANAO data.

3.5 Table 3.1 lists entities with unresolved moderate findings related to the IT control environment at the conclusion of 2025–26 interim audit phase. Further entity–specific information is provided in Chapter 4.

Table 3.1: Moderate IT control environment findings by entity

Source: ANAO 2025–26 interim audit phase results.

3.6 Figure 3.3 illustrates that 24 of 41 (59 per cent) minor IT control environment audit findings related to IT security. IT security is the most represented category across moderate and minor findings.

Figure 3.3: Categorisation of minor-level 2025–26 interim audit phase findings for IT control environments

Source: ANAO data.

3.7 IT security remains an area requiring improvement regarding providing, reviewing and monitoring user access to manage the risk of inappropriate access to systems and data.

Key themes and issues

3.8 In the 2025–26 interim audit phase, the following themes, which are consistent with those identified in prior years, were identified across IT control environment findings.

• IT Security (See paragraph 3.10 to 3.14)
• IT Governance (See paragraph 3.15 to 3.17)
• IT Change Management (See paragraph 3.18 to 3.21)

3.9 Further information on entity findings is available in Chapter 4.

IT security

3.10 IT security controls are designed to protect entities’ information and systems from unauthorised access. In the context of financial statements audit, IT security controls are only considered for financially significant systems and data.

3.11 At the conclusion of the 2025–26 interim audit phase, there were 39 IT security findings which represents 64 per cent of all IT control environment findings. This is a decrease from 52 findings from the 2024–25 interim audit phase, primarily due to entities implementing recommendations from ANAO findings. Figure 3.4 illustrates trends in IT security findings over the past five interim audit phases.

Figure 3.4: IT security findings between 2021–22 to 2025–26

Source: ANAO data.

3.12 Eight entities had unresolved moderate findings related to IT security at the conclusion of the 2025–26 interim audit phase, shown in Table 3.2 below. Additional detail regarding each finding can be found in Chapter 4 for each entity.

Table 3.2: Moderate IT security findings by entity

Source: ANAO 2025–26 interim audit phase results.

Key issues – IT security

3.13 IT security is a fundamental component of the IT control environment. Weaknesses in IT security controls have the potential to compromise an entity’s ability to maintain business operations and maintain the integrity and confidentiality of sensitive data. As entity environments grow more complex through the adoption of emerging technologies, including artificial intelligence (AI), effective IT security control frameworks remain essential to ensure IT control environments remain trustworthy and secure.

IT governance

3.14 IT governance relates to the processes by which entities ensure that IT operations and projects are aligned with business operations and requirements. At the conclusion of the 2025–26 interim audit phase, there were four IT governance findings (three moderate and one minor) representing seven per cent of total IT control environment findings. This is a decrease from the 2024–25 interim audit phase, where there were seven IT governance findings (two moderate and five minor), however the number of moderate findings has increased from two to three.

3.15 Entities that had unresolved moderate findings relating to IT governance at the conclusion of the 2025–26 interim audit phase are listed in Table 3.3 below.

Table 3.3: Moderate IT governance findings by entity

Source: ANAO 2025–26 interim audit phase results.

3.16 Three of the four findings related to processes by which entities assure themselves of the effectiveness of the controls of third-party IT services on which they rely. Entities are continuing to rely on services provided by third-parties to support their operations, with findings related to inadequate review or implementation of risk mitigations following receipt of assurance reports. This creates a risk that entities do not identify or adequately address control deficiencies in third-party environments.

Key issues – IT governance

3.17 Effective IT governance arrangements allow entities to manage risk in their IT environment. Where any operation is outsourced to third parties, entities remain accountable for the good or service. As entities incorporate increasingly advanced emerging technologies into their operations and leverage a variety of delivery models to optimise costs, the importance of effective governance and oversight arrangements becomes increasingly critical in ensuring the integrity of IT operations.

IT change management

3.18 IT change management refers to how entities gain assurance that all changes made in systems are tested and authorised. At the conclusion of 2025–26 interim audit phase, there were nine change management findings representing 15 per cent of all IT control environment findings. This represents a decrease from 12 findings reported in the 2024–25 interim audit phase

3.19 Figure 3.5 illustrates trends in change management findings over the past five interim audit phases.

Figure 3.5: IT change management findings for interim audit phases between 2021–22 and 2025–26

Source: ANAO data.

3.20 Entities that had unresolved moderate findings related to IT change management at the conclusion of the 2025–26 interim audit phase are listed in Table 3.4 below.

Table 3.4: Moderate IT change management findings by entity

Source: ANAO 2025–26 interim audit phase results.

Key issues – IT change management

3.21 Effective change management controls maintain the integrity of key IT systems. In the absence of an effective change management framework, untested and unauthorised changes may be made to key business systems, limiting the ability of management to assure itself that these systems are operating as intended.

Safeguarding information from cyber threats

3.22 Within the Australian Government, the Protective Security Policy Framework (PSPF)¹¹ and Information Security Manual (ISM)¹² establish policy requirements and provide guidance on strategies to protect information and systems from evolving cyber threats.

3.23 The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help protect against cyber threats; with the strategies that ASD considers to be most effective referred to as the Essential Eight. The Essential Eight outlines a maturity framework for individual mitigation strategies, with requirements for entities at each maturity level. These requirements evolve over time in response to changes in the cyber threat landscape. The PSPF requires that non–corporate Commonwealth entities implement the Essential Eight mitigation strategies to the standard of Maturity Level Two, and that these entities conduct an annual self–assessment of their compliance with policy requirements.¹³

3.24 Figure 3.6 summarises entities’ self–assessed compliance with Maturity Level Two of the Essential Eight mitigation strategies (as at 30 June 2025). Self–assessed compliance decreased across seven strategies and did not change for one strategy. Decreases in reported maturity can occur for a number of reasons, including changes in the entity environment, that result in the entity no longer meeting the requirements for the maturity level, changes in the approach taken by entities to self–assess and changes in the maturity level requirements.¹⁴

Figure 3.6: Number of entities who have reported compliance with PSPF Essential Eight Maturity Requirements between 2022–23 and 2025–26

Source: ANAO analysis of entity self-assessment data.

3.25 Of the 22 entities that are required to comply, one (five per cent) reported full compliance across all Essential Eight Mitigation Strategies. In the prior year five entities (23 per cent) reported full compliance. Reported mitigation strategies, put in place by entities to address instances where specific controls were not implemented, included compliance monitoring, vulnerability scanning, residual risk assessments and strategic uplifts.

Artificial Intelligence

3.26 The Australian Government has committed to capturing the opportunities of AI in a way that facilitates innovation while mitigating harm. Government policy ‘aims to strengthen public trust in government adoption of AI by positioning the Australian Government as an exemplar in safe and responsible AI use’.¹⁵ The Joint Committee of Public Accounts and Audit (JCPAA)¹⁶ and the Organisation for Economic Co-operation and Development (OECD)¹⁷ have highlighted the importance of transparency, oversight and accountability in building public trust and managing risks associated with the adoption of AI in government.

3.27 The government published its Standard for AI transparency statements¹⁸ (the Standard) to support the implementation of clear and consistent transparency statements. Non-corporate Commonwealth entities using AI must¹⁹ now publish and maintain AI transparency statements on their public website. Entities may also volunteer AI transparency statements. Entity transparency statements are intended to provide a high-level overview of entity AI use and management in line with policy intent.²⁰

3.28 The non-corporate Commonwealth entities included in this report published an AI transparency statement where required by the Standard. In addition, one entity from the Defence portfolio published an AI transparency statement. Common use cases reported in the AI transparency statements included the automation of routine administrative tasks, preliminary analytics for large datasets to inform decision-making or to assist with research and retrieval of information.

3.29 The transparency statements varied in the level of detail across entities. This highlights the varying degree of interpretation and application of the Standard across entities. The transparency statements do not provide a clear and consistent description of entity AI use for the public and this reduces the meaningfulness of transparency statements. There is an opportunity to enhance the Standard and guidance to support entities to improve the clarity and consistency of AI transparency statements. Clearer and consistent transparency statements can assist entities in achieving the intent of the Standard and support building public trust.

3.30 The Digital Transformation Agency (DTA) has performed a review of entity transparency statements and is progressing activities to support entities’ implementation against the Standard, for example, providing better practice guidance to entities.

4.1 Department of Agriculture, Fisheries and Forestry

4.1.1 The Department of Agriculture, Fisheries and Forestry (DAFF) advises the Australian Government and implements programs to support Australia’s agriculture, fisheries and forestry sectors. Key activities include: building drought resilience and preparedness; protecting plant and animal biosecurity; supporting sustainable and productive agricultural, food and fibre industries; and safeguarding Australia’s animal and plant health status to facilitate market access and protect the economy and environment from exotic pests and diseases.

Engagement risk rating

4.1.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• legislative complexity in administering import and export charges and primary industry levies;
• significant management judgement in determining material financial statement balances; and
• external events (drought, bushfires and emergency disease events) affecting DAFF’s activities and responsibilities.

Interim audit results

4.1.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to DAFF. One new minor finding was identified and two minor findings from 2024–25 remain unresolved.

Key areas of financial statements risk

4.1.4 Figure 4.1.1 and Figure 4.1.2 below show the key financial statements items reported by DAFF and the key areas of financial statements risk.

Figure 4.1.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DAFF 2025–26 Portfolio Additional Estimates Statements (PAES).

Figure 4.1.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DAFF 2025–26 PAES.

Conclusion

4.1.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DAFF will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.2 Attorney-General’s Department

4.2.1 The Attorney-General’s Department (AGD) supports the Attorney-General through the provision of expert advice and services on a range of law, justice, integrity, and national security issues.

Engagement risk rating

4.2.2 The engagement risk for the 2025–26 financial statements audit has been assessed as low. Key factors contributing to this rating include:

• stable structure and operations of AGD; and
• low complexity of transactions and balances in AGD’s financial statements.

Interim audit results

4.2.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that pose a significant business or financial risk to AGD and reported one finding that posed a moderate business or financial risk to AGD.

Audit findings

Table 4.2.1: Status of significant or moderate audit findings

Note a: The audit finding has been reassessed from a minor to a moderate rating after the completion of the 2025–26 interim audit phase.

Source: ANAO 2025–26 interim audit phase.

Unresolved moderate audit finding

Review of users accessing AGD network post-cessation

4.2.4 The Australian Government’s Information Security Manual (ISM) Control 0430 requires entities to ensure that ‘access to systems and their resources are removed or suspended the same day personnel no longer have a legitimate requirement for access’. AGD has developed a standard operating procedure (SOP) that outlines the process for review of user access post termination.

4.2.5 At the conclusion of the 2024–25 audit, operational effectiveness of the reviews was found not effective as the review process was not undertaken in a timely manner, and AGD agreed to implement processes to strengthen this area. Upon review in the 2025–26 interim audit phase, the ANAO identified that employees were not made inactive or removed upon termination and concluded that the process to remove users in a timely manner after termination was not operating effectively.

4.2.6 In addition, AGD’s review process to investigate users that were not removed in a timely manner was also not operating effectively. The ANAO identified users that accessed the financial management information system (FMIS) post termination. The ANAO requested that AGD investigate actions of these users on the FMIS. The ANAO has received initial information and will review the impact of this on the financial statements in the final audit phase.

Key financial balances and areas of financial statements risk

4.2.7 Figure 4.2.1 and Figure 4.2.2 below show the key financial statements items reported by AGD and the key areas of financial statements risk.

Figure 4.2.1: Key departmental financial balances and areas of key financial statements risk

Source: ANAO analysis and AGD 2025–26 PAES.

Figure 4.2.2: Key administered financial balances and areas of key financial statements risk

Source: ANAO analysis and AGD 2025–26 PAES.

Conclusion

4.2.8 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.3 Department of Climate Change, Energy, the Environment and Water

4.3.1 The Department of Climate Change, Energy, the Environment and Water (DCCEEW) is responsible for: developing and implementing a national response to climate change; improving Australia’s energy supply, efficiency, quality, performance and productivity; conserving, protecting and sustainably managing Australia’s biodiversity, ecosystems, environment and heritage; advancing Australia’s interests in the Antarctic region; and improving the health of rivers and freshwater ecosystems and water use efficiency.

Engagement risk rating

4.3.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• DCCEEW’s broad strategic direction across several diverse functions that have a high-level of public interest and Parliamentary scrutiny;
• the complexity of some financial statements balances which require increased management judgement, are reliant on external advice, and impact the Australian Government’s consolidated financial statements;
• shared services arrangements with other Australian Government entities that support key financial statements balances; and
• a financial reporting function, internal control environment and governance arrangements that has matured since DCCEEW was established on 1 July 2022.

Interim audit results

4.3.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that pose a significant business or financial risk to DCCEEW and reported one unresolved finding that posed a moderate business or financial risk to DCCEEW. Two minor findings from 2024-25 remain unresolved.

Audit findings

Table 4.3.1: Status of significant or moderate audit findings

Source: ANAO 2025–26 interim audit results.

Unresolved moderate audit finding

TechnologyOne (TechOne) privileged user activity monitoring

4.3.4 During the 2023–24 interim audit, the ANAO performed a walkthrough of the design, implementation and operating effectiveness of privileged user monitoring in TechOne.²¹ The ANAO identified that evidence of reviews was not maintained, a policy for privileged user monitoring was not finalised and reviews were being undertaken by certain users that presented a self-review risk.

4.3.5 During the 2023–24 final audit, the ANAO confirmed that DCCEEW intended on implementing a formal privileged user policy during 2024–25, and that a suite of reports would be developed in relation to privileged user access monitoring.

4.3.6 In the current year, audit work has focused on understanding DCCEEW’s progress in strengthening privileged user access monitoring arrangements, including the stability and maturity of the revised process. DCCEEW has advised the ANAO that a new process has been implemented to log and monitor privileged user activities in TechOne, supported by updated policies and procedures.

4.3.7 Audit activity to date has concentrated on understanding the design of this process. Assessment of implementation and operating effectiveness will be undertaken once the process has been in operation for a sufficient period to support testing. The ANAO will focus on the action taken by DCCEEW in response to this finding as part of the 2025–26 final audit.

Key financial balances and areas of financial statements risk

4.3.8 Figure 4.3.1 and Figure 4.3.2 below show the key financial statements items reported by DCCEEW and the key areas of financial statements risk.

Figure 4.3.1: Key departmental financial balances and areas of key financial statements risk

Source: ANAO analysis and DCCEEW 2025–26 PAES.

Figure 4.3.2: Key administered financial balances and areas of key financial statements risk

Source: ANAO analysis and DCCEEW 2025–26 PAES.

Conclusion

4.3.9 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DCCEEW will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.4 Snowy Hydro Limited

4.4.1 Snowy Hydro Limited (Snowy Hydro) is a government business enterprise responsible for energy generation activities to supply the National Electricity Market as well as operating as a retail energy provider through the Red Energy, Lumo Energy and Snowy Energy brands.

Engagement risk rating

4.4.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the value of and complexity of delivery of the long-term infrastructure developments relating to the Snowy 2.0 and Hunter Power projects;
• Snowy Hydro’s dynamic and complex operating and regulatory environment and level of competition for customers for the supply of electricity; and
• the complexity of and judgement required in determining the fair value of the energy derivatives portfolio.

Interim audit results

4.4.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that pose a significant business or financial risk to Snowy Hydro and reported one finding that poses a moderate business or financial risk to Snowy Hydro. One minor finding from the prior year remains unresolved.

Audit findings

Table 4.4.1: Status of significant or moderate audit findings

Source: ANAO 2025–26 interim audit results.

Unresolved moderate audit finding

IT general controls for the financial management information system

4.4.4 Snowy Hydro’s financial management information system (FMIS) is provided under a cloud computing arrangement. Snowy Hydro’s service provider is largely responsible under contract for system administration activities, including designing and implementing appropriate IT general controls supporting user access management, including for privileged users, and change management processes.²² Under the terms of the contract, the service provider is required to provide assurance to Snowy Hydro, via a Service Organisation Control (SOC) report prepared by an independent auditor, that these controls are designed, implemented and operating effectively.

4.4.5 During 2023–24 and 2024–25, the service provider provided qualified SOC reports which identified a number of weaknesses in the operating effectiveness of IT general controls for the FMIS, for which no mitigating procedures were performed by Snowy Hydro.

4.4.6 The ANAO will focus on the action taken by Snowy Hydro in response to this finding as part of the 2025–26 final audit.

Key financial balances and areas of financial statements risk

4.4.7 Figure 4.4.1 below shows the key financial statements items reported by Snowy Hydro and the key areas of financial statements risk.

Figure 4.4.1: Key financial balances and areas of financial statements risk

Source: Snowy Hydro 2024–25 financial statements.

Conclusion

4.4.8 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Snowy Hydro will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.5 Department of Defence

4.5.1 The Department of Defence (Defence) is responsible for protecting and advancing Australia’s strategic interests through the promotion of security and stability, the provision of military capabilities to defend Australia and its national interests, and the provision of support for the Australian community and civilian authorities as directed by the Australian Government.

Engagement risk rating

4.5.2 The engagement risk for the 2025–26 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• the nature, magnitude and complexity of Defence’s operations and strategic environment, which includes the implementation of the National Defence Strategy (NDS) and Integrated Investment Program (IIP);
• the high level of public interest and scrutiny of Defence’s activities;
• the decentralised control environment and the variety of processes implemented throughout Defence groups that affect significant business processes;
• the risks associated with the aggregation of financial reporting information due to the variety of information technology systems that operate independently of each other;
• the number of high and moderate risk financial statements items, which include complex accounting estimates subject to higher levels of estimation uncertainty and the significant contribution of these balances to the consolidated financial statements; and
• the number of audit adjustments to the financial statements reported in 2024–25.

Interim audit results

4.5.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to Defence. One new minor finding was identified and four minor findings from 2024–25 remain unresolved.

Key financial balances and areas of financial statements risk

4.5.4 Figure 4.5.1 and Figure 4.5.2 below show the key financial statements items reported by Defence and the key areas of financial statements risk.

Figure 4.5.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Defence 2025–26 PAES.

Figure 4.5.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Defence 2025–26 PAES.

Conclusion

4.5.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Defence will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.6 Department of Veterans’ Affairs

4.6.1 The Department of Veterans’ Affairs (DVA) is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes: granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986 (VE Act); the administration of benefits and arrangements under the Military Rehabilitation and Compensation Act 2004; determining and managing claims relating to defence service under the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988 (DRC Act); administering the Defence Service Homes Act 1918 and the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

4.6.2 From 1 July 2026, the VE Act and the DRC Act are closed to new claims, with all compensation and rehabilitation claims from that date to be determined under the new Veterans Entitlements, Treatment, and Support (Simplification and Harmonisation) Act 2025 (the VETS Act).

Engagement risk rating

4.6.3 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of personal benefit and healthcare claims, the IT systems used to process these claims, and associated legislation which are administered by DVA;
• the complexity of estimate calculations, including the evaluation of key assumptions and judgements and the generation of data used to calculate provisions for future military compensation and health care payments; and
• implementation of the new financial management information system (FMIS) that impacts the financial records and DVA’s financial reporting process.

Interim audit results

4.6.4 At the 2025–26 interim audit phase, the ANAO has identified one new finding that poses a moderate business or financial risk to DVA. Six moderate findings from 2024–25 remain unresolved. One minor finding from 2023–24 remains unresolved.

Audit findings

Table 4.6.1: Status of significant or moderate audit findings

Source: ANAO 2025–26 interim audit results

New moderate audit finding

Information technology general control risks – TechnologyOne

4.6.5 On 10 November 2025, DVA implemented the TechnologyOne (TechOne) system as a replacement to its previous FMIS.

4.6.6 During interim audit, the ANAO noted that controls relating to privileged user logging and monitoring and periodic user access revalidation for TechOne were not in place.²³ Additionally, there was a lack of clarity regarding how DVA planned to assess, control, and manage risks within TechOne’s operating environment.

4.6.7 Testing over security controls supporting the previous FMIS (DOLARS), which operated during the first four months of the financial year, also identified issues relating to privileged user logging, monitoring, and access provisioning. While subsequent changes to DVA’s IT environment mean that risks associated with DOLARS are no longer applicable, these matters highlight weaknesses in the mechanisms used to ensure the effective operation of IT controls, particularly those relating to security.

4.6.8 These risk considerations should have been addressed during the development stage of the new system as opposed to post implementation and controls should have been designed to address these risks. The ANAO notes that there are open findings relating to weaknesses in security governance, system implementation, and privileged user logging and monitoring relating to other systems in the DVA IT environment. The themes from these findings should have been considered in the design of controls to support the operation of TechOne.

4.6.9 The weaknesses identified in the security controls over TechOne increase the risk that privileged users may bypass system-enforced controls and make unauthorised changes to data without detection and/or timely remediation, and that end-users may perform actions beyond the scope of their responsibilities due to the retention of inappropriate access. This reduces DVA’s ability to rely on internal controls supporting system processing used for financial reporting.

4.6.10 The ANAO will focus on the action taken by DVA in response to this finding as part of the 2025–26 final audit.

Unresolved moderate audit findings

Security Governance — monitoring implementation of controls

4.6.11 During the 2021–22 audit, the ANAO noted instances that indicated DVA’s information technology governance and monitoring processes were not fully effective to address identified business risks. The ANAO recommended an effective governance and assurance framework be developed over security governance to ensure controls were implemented and operating effectively.

4.6.12 During 2023–24, DVA advised the ANAO that it was planning to implement an assurance framework that addresses IT governance encompassing DVA’s own and outsourced arrangements. The assurance framework will set out the cadence of reporting on the effectiveness of IT controls to the DVA Security Committee. This assurance framework is expected to be finalised and presented to the DVA Security Committee for endorsement in 2025–26.

Process Direct security risk management

4.6.13 During the 2020–21 audit, the ANAO identified weaknesses relating to the management of security risks as part of an upgrade to Process Direct implemented in November 2020. The ANAO recommended that DVA address the self-identified security risks when implementing the system.

4.6.14 DVA affirmed that the accreditation of Process Direct was finalised in August 2021 and all required security documentation developed. The ANAO’s inspection of the accreditation documents, including the Process Direct System Security Plan, identified that one of the three self-identified risks remained untreated. DVA acknowledged that the untreated risks were accepted when the interim approval to operate was issued. DVA is in the process of remediating the last unmitigated risk (Authority to Operate).

Monitoring of privileged activity — Process Direct and Integrate Support Hub (ISH)

4.6.15 Privileged users are an essential part of any organisation. However, with access to sensitive information and to the most vulnerable areas of the entity network, they pose higher risks to cybersecurity. For this reason, the privileged users’ access is required to be monitored closely and regularly. Furthermore, privileged user monitoring is a requirement of multiple laws, regulations, and best practices for improving the protection of cybersecurity risks.

4.6.16 Discussions between the ANAO and the DVA team responsible for the Process Direct and ISH systems management identified that DVA was unable to demonstrate any activities performed to monitor privileged user transactions or activities. DVA advised that it relies on the work performed by Services Australia as part of the Shared Services Agreement. The ANAO confirmed with Services Australia that it produces a report of adverse user activity which covers all platforms (including Process Direct) and provides the report to DVA. However, Services Australia does not perform monitoring activities on DVA’s behalf. DVA is working with Services Australia (as its IT infrastructure provider) to develop an appropriate monitoring process to remediate this risk.

Bank reconciliations — identification of reconciling items

4.6.17 The ANAO review of bank reconciliations in 2022–23 identified weaknesses in the bank reconciliation process performed by DVA. The ANAO identified that a significant level of unreconciled items in the Administered Head bank accounts require matching and clearance. It was noted that payments and receipts had been netted off and the net amount used in the reconciliation. Netting off unmatched transactions does not provide clarity around reconciling items and assurance that there are not large errors or reconciling items embedded in the large variances.

4.6.18 In 2024–25, audit queries on the reconciliations performed resulted in adjustments of $2.04 million (departmental cash) and $112.5 million (administered cash). This related to timing differences that the bank reconciliation process was not correctly identifying.

4.6.19 The ANAO will continue to monitor the progress of this issue during the final phase of the 2025–26 audit.

Claim quality assurance program — Benefit payments

4.6.20 DVA undertakes a claim quality assurance program to support the accuracy and validity of claims processed. The quality assurance program also seeks to provide input based on the results into training programs or other areas requiring increased focus. The testing is conducted on a sample basis. The ANAO’s review of the quarterly quality assurance reports for income and compensation claims, Quality Assurance Protocols and the processes supporting the quality assurance processes noted the following.

• DVA’s sampling methodology allows projecting the sample error into the population. However, DVA did not extrapolate the sampling results to determine the population error rate in the claim population by claim types. DVA’s approved Quality Assurance Protocols indicate that the financial impact of the quality assurance program, including error, is to be reported by the Financial Accounting and Compliance Section in the department’s financial statements.
• The results of testing outcomes are reported as actual sample error percentages which provides limited detail to allow meaningful analysis of actual and trending error projections. It was noted that based on the sample errors, the correctness benchmarks were not met for most compensation programs and for a smaller number of income support programs.
• DVA’s approved Quality Assurance Protocols state that ‘the financial impact excludes the effect of recovery, waiver or write off action to correct the error.’ If the overall impacts were calculated, excluding these amounts would distort the true financial error profile. A decision not to pursue debt recovery does not preclude a claim noted as erroneous from being defined or included as an error in calculations.
• The ANAO noted that documentation of the sample testing results was incomplete. The quality assurance system did not have sufficient records for the ANAO to assess the conclusions reached by the compliance officers.
• DVA could not demonstrate how it gains assurance over the completeness of the data sets provided by Services Australia or provided by the Claims and Workforce Reporting Team within DVA before the data sets are uploaded into the quality assurance system for sampling. This has previously been the subject of an ANAO audit finding, indicating that the remediating controls and processes have not continued to operate effectively.

Key financial balances and areas of financial statements risk

4.6.21 Figure 4.6.1 and Figure 4.6.2 below show the key financial statements items reported by DVA and the key areas of financial statements risk.

Figure 4.6.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DVA 2025–26 PAES.

Figure 4.6.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DVA 2025–26 PAES.

Conclusion

4.6.22 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DVA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.7 Department of Education

4.7.1 The Department of Education (Education) contributes to Australia’s economic prosperity and social wellbeing by creating opportunities and driving better outcomes through access to quality education. The department aims to deliver an education system that is inclusive, accessible, and affordable for all Australians.

Engagement risk rating

4.7.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• Education’s role in administering programs across Australia’s education system, including the Higher Education Loan Program (HELP) and the Higher Education Superannuation Program (HESP);
• a complex IT environment used for making payments to schools, universities, and other education providers; and
• the complexity of some financial statements balances, such as the valuation of loans under HELP, and valuation of the HESP provision, that require management judgement and involve estimation uncertainty.

Interim audit results

4.7.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to Education. One minor finding from 2024–25 remains unresolved.

Key areas of financial statements risk

4.7.4 Figure 4.7.1 and Figure 4.7.2 below show the key financial statements items reported by Education and the key areas of financial statements risk.

Figure 4.7.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Education 2025–26 PAES.

Figure 4.7.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Education 2025–26 PAES.

Conclusion

4.7.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Education will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.8 Department of Employment and Workplace Relations

4.8.1 The Department of Employment and Workplace Relations (DEWR) is responsible for ensuring Australians can experience the social well-being and economic benefits that training and employment provide. DEWR is also responsible for workplace relations and work health and safety, rehabilitation, and compensation.

Engagement risk rating

4.8.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• DEWR’s administration and regulation of a complex legislative framework that underpins various significant payments; and
• financial statements balances, such as the valuation of the Vocational Student Loans, and Australian Apprenticeship Support Loans, which require significant management judgement and are subject to estimation uncertainty.

Interim audit results

4.8.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to DEWR. One minor finding from 2024–25 remains unresolved.

Key areas of financial statements risk

4.8.4 Figure 4.8.1 and Figure 4.8.2 below show the key financial statements items reported by DEWR and the key areas of financial statements risk.

Figure 4.8.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DEWR 2025–26 PAES.

Figure 4.8.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DEWR 2025–26 PAES.

Conclusion

4.8.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DEWR will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.9 Department of Finance

4.9.1 The Department of Finance (Finance) is responsible for supporting the government’s budget process and the development and implementation of regulatory frameworks for public sector resource management, governance, and accountability. It is also responsible for preparation of the Australian Government’s consolidated financial statements and providing enabling services, including government technology services and shared services through the Service Delivery Office.

Engagement risk rating

4.9.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of key accounting balances, estimates and judgements that impact the financial statements; and
• the significance of the administered schedule of financial position to the Australian Government’s consolidated financial statements.

Interim audit results

4.9.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to Finance. One minor audit finding was resolved.

Key areas of financial statements risk

4.9.4 Figure 4.9.1 and Figure 4.9.2 below show the key financial statements items reported by Finance and the key areas of financial statements risk.

Figure 4.9.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Finance 2025–26 PAES.

Figure 4.9.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Finance 2025–26 PAES.

Conclusion

4.9.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.10 Future Fund Management Agency

4.10.1 The Future Fund Board of Guardians, supported by the Future Fund Management Agency (together the Future Fund), is responsible for investing the assets of the Future Fund under the Future Fund Act 2006, and other investment funds, managed on behalf of the Department of Finance. The investment of the other funds is managed under the Disability Care Australia Fund Act 2013; the Medical Research Future Fund Act 2015; the Aboriginal and Torres Strait Islander Land and Sea Future Fund Act 2018; the Future Drought Fund Act 2019; the Disaster Ready Fund Act 2019; and the Housing Australia Future Fund Act 2023 as a means to provide financing sources for substantial future investments in the Australian economy.

Engagement risk rating

4.10.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• significant judgements required by management to value the investments of the Future Fund for financial reporting purposes, which are subject to estimation uncertainty;
• the significance of the Future Fund’s investment portfolio to the Australian Government’s financial position; and
• the reliance on external parties, particularly the valuation undertaken by the investment custodian and investment managers.

Interim audit results

4.10.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to the Future Fund.

Key areas of financial statements risk

4.10.4 Figure 4.10.1 and Figure 4.10.2 below show the key financial statements items reported by the Future Fund and the key areas of financial statements risk.

Figure 4.10.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Future Fund 2025–26 Portfolio Budget Statements (PBS).

Figure 4.10.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Future Fund 2025–26 PBS.

Conclusion

4.10.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the Future Fund will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.11 Services Australia

4.11.1 Services Australia is the Australian Government’s primary payment and service delivery provider. Services Australia delivers a range of payments and services to support individuals, families, and communities, as well as providers and businesses. These include income support payments and services, aged care payments, Medicare payments and services, child support services, and a range of ICT functionalities for Australian Government departments and agencies.

Engagement risk rating

4.11.2 The engagement risk for Services Australia 2025–26 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• the role of Services Australia in the delivery of the Australian Government’s social welfare and health benefits programs;
• heightened public interest and parliamentary scrutiny in Services Australia’s operations; and
• significant audit findings identified by the ANAO, and multiple unresolved moderate and minor audit findings.

Interim audit results

4.11.3 At the 2025–26 interim audit phase, the ANAO has identified one significant legislative breach and four findings that pose a moderate business or financial risk to Services Australia. Sixteen minor findings remain unresolved.

Audit findings

Table 4.11.1: Status of significant or moderate audit findings

Source: ANAO 2025–26 interim audit results.

Unresolved moderate audit findings

IT Governance

4.11.4 During the 2022–23 audit, the ANAO examined controls around significant IT systems supporting the preparation of the financial statements. The ANAO identified a significant audit risk in relation to the increasing number of issues in IT governance within Services Australia. In particular, the ANAO identified weaknesses in IT controls in the implementation of the large-scale IT roll-out for residential aged care and the re-emergence of many individual control issues affecting change and access management and business operations. The volume of the findings identified indicates that Services Australia’s IT governance and monitoring processes are not providing appropriate assurance that policy requirements have been implemented and are operating effectively.

4.11.5 This audit finding was revised to a moderate audit finding during the 2024–25 interim audit, recognising Services Australia’s progress in addressing the ANAO’s recommendations, including the implementation of policy compliance testing across key ICT systems, updating Disaster Recovery Plans, the establishment of oversight committees, and other work. The ANAO will continue to review Services Australia’s ongoing implementation of these activities.

Monitoring of Superusers (Medicare, Child Support and Health)

4.11.6 Maintaining and supporting IT systems requires some user accounts, both at the network and the application level, to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others.²⁴ The ANAO identified weaknesses in the effectiveness of Services Australia’s monitoring of privileged user activities within the Medicare, Child Support and Health IT mainframes.

4.11.7 At the conclusion of the 2025–26 interim audit, Services Australia has undertaken remedial actions but is yet to complete this work to fully address the ANAO’s recommendations. The ANAO will focus on the action taken by Services Australia in response to this finding as part of the 2025–26 final audit.

Monitoring of Superusers (Centrelink)

4.11.8 During the 2022–23 audit, the ANAO identified weaknesses in the effectiveness of Services Australia’s monitoring of privileged user activities within the Centrelink IT mainframe. At the conclusion of the 2025–26 interim audit, Services Australia is continuing to progress remedial actions to fully address the ANAO’s recommendations. The ANAO will focus on the action taken by Services Australia in response to this finding as part of the 2025–26 final audit.

New residential aged care system access management

4.11.9 In August 2022, Services Australia implemented a new residential aged care IT system. During the 2022–23 audit, the ANAO identified that there were weaknesses in the design and operating effectiveness of controls supporting privileged and other user access. More broadly, the ANAO has observed a break-down in Services Australia’s re-established security governance control framework, particularly the lack of formal system accreditation or other supporting system security risk assessments that would identify and allow system and project owners to formally analyse, understand and mitigate and/or accept key security governance risks prior to the implementation of the new system. The ANAO recommended that Services Australia strengthen privileged user access and logging and monitoring processes.

4.11.10 During the 2024–25 audit, Services Australia implemented a weekly and monthly monitoring process to detect and investigate rule-based alerts generated from its Security Information and Event Management (SIEM) indicating privileged activity.

4.11.11 These reviews mostly verified that the action type was approved rather than confirming the appropriateness of the activity or changes made and the weekly and monthly reviews were not performed consistently.

4.11.12 The ANAO will focus on the action taken by Services Australia in response to this finding as part of the 2025–26 final audit.

Unresolved significant legislative breach

Significant legislative matters in Services Australia’s program delivery

4.11.13 Services Australia delivers social welfare and health programs and payments. Understanding of, and compliance with, legislation, is a key component underlying Services Australia’s delivery of these programs. In previous years, the ANAO became aware of breaches of legislation with respect to the: child support program; aged care program; and private health insurance rebate. These breaches included:

• assessments under the Health and Other Services (Compensation) Act 1995 are required to be completed within 90 days, however the assessments may not be completed in all instances within the required timeframes (see paras 4.11.15 to 4.11.17);
• the use of pre-issue income, instead of taxable income in calculating child support assessments and amounts recoverable from or payable to individuals in contravention of the Child Support (Assessment) Act 1989;
• a quarterly review process used by Services Australia to validate a care recipient’s maximum subsidy entitlement in arrears was inconsistent with the relevant provisions of the Aged Care Act 1997; and
• payments made under the Private Health Insurance Act 2007 without a decision as to the correctness or reasonableness of the claimed amount which may be inconsistent with the legislation.

4.11.14 These issues highlight significant legal concerns with Services Australia’s delivery of key programs on behalf of the Australian Government and policy agencies. Services Australia is making progress towards addressing the risks identified by the ANAO and has implemented systems as recommended by the ANAO, including by establishing a Legal Compliance and Remediation Program. Some of the issues noted by the ANAO have been resolved through legislative amendments including the Health Legislation Amendment (Miscellaneous Measures No. 1) Act 2025 and Aged Care Act 2024.

Resolved significant audit finding

Medicare Compensation Recovery Scheme

4.11.15 Services Australia is responsible for the administration of the Medicare Compensation Recovery (MCR) Program on behalf of the Department of Health, Disability and Ageing. In accordance with the Health and Other Services (Compensation) Act 1995 (the Act) receipt of a Medicare health benefit or subsidy, and receipt of compensation amount greater than $5,000 for the same illness/injury, triggers a requirement to repay the health benefit or subsidy to the Australian Government.

4.11.16 The ANAO identified that in prior financial years a large number of cases were not assessed by Services Australia within the statutory timeframes, contrary to specific requirements in the Act to process claims within timeframes or to make decisions to not pursue recovery. The Act requires that Services Australia must issue notices prior to statutory time periods expiring and has no discretion to not pursue recovery.

4.11.17 In 2025–26 the assessment within statutory timeframes has been substantially improved to over 99 per cent of cases, and while not fully compliant, represents a significant improvement.

4.11.18 Given the change in processing times, this matter has been resolved, however this has been listed as a non-compliance matter in the significant legislative breaches as the assessment rate is not 100 per cent, in accordance with the Act.

Key financial balances and areas of financial statements risk

4.11.19 Figure 4.11.1 and Figure 4.11.2 below show the key financial statements items reported by Services Australia and the key areas of financial statements risk.

Figure 4.11.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Services Australia 2025–26 PAES.

Figure 4.11.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Services Australia 2025–26 PAES.

Conclusion

4.11.20 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Services Australia will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.12 Department of Foreign Affairs and Trade

4.12.1 The Department of Foreign Affairs and Trade (DFAT) is responsible for the administration of Australia’s foreign, trade, international development and international security policies.

Engagement risk rating

4.12.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of DFAT’s business operations arising from a decentralised control framework;
• the degree of professional judgement and estimation required to determine the fair value of land and buildings recognised in the financial statements; and
• the degree of reliance on third parties for the provision of services associated with the delivery and maintenance of the overseas property portfolio and provision of international development assistance.

Interim audit results

4.12.3 At the 2025–26 interim audit phase, the ANAO has reported one finding that poses a moderate business or financial risk to DFAT.

Audit findings

Table 4.12.1: Status of significant or moderate audit findings

Source: ANAO 2025–26 interim audit results.

Unresolved moderate audit finding

Governance over compliance with corporate policies

4.12.4 DFAT’s operations are highly decentralised, where development and management of corporate policies typically rest with a centralised team, while accountability for the application of the respective corporate policies is dispersed widely across DFAT, including the international post network.

4.12.5 During the 2023–24 audit, the ANAO identified a number of instances of non-compliance with corporate policies across a range of corporate functions, including procurement, human resources, monitoring of gifts and benefits and administration of international development assistance. The breadth, nature and number of instances of non-compliance with corporate policies indicated that there is a systemic breakdown in the control environment within DFAT to effectively monitor compliance with corporate policies and to drive improvements in compliance rates over time. DFAT has taken steps to address the finding by enhancing resourcing, strengthening compliance and assurance activities, and investing in staff capability and financial literacy. Key initiatives include the establishment of two new procurement and grants sections, expansion of assurance testing across financial controls, introduction of bi-annual contract management reviews, reinforcement of compliance expectations by the Secretary, and integration of Public Governance, Performance and Accountability Act 2013 (PGPA Act) obligations into SES and non-SES performance agreements. DFAT has also delivered targeted briefings to Divisions, overseas posts and Heads of Mission to strengthen compliance culture and awareness.

4.12.6 While these initiatives represent meaningful progress, recent internal reporting highlighting weaknesses across procurement, contract management, risk management and compliance confirms that further improvement is still required.

4.12.7 Internal reporting demonstrates that while DFAT is actively responding to the audit finding, the control and assurance environment requires further refinement as identified gaps continue to expose DFAT to increased risks of non-compliance. Sustained attention to embedding reforms, strengthening first and second-line controls, and ensuring effective governance oversight will be critical to achieving the desired uplift in compliance culture and assurance effectiveness.

4.12.8 Consistent or systemic non-compliance with corporate policies increases the risk of breaches of the PGPA Act and the potential for an increased risk of fraud or undetected errors in financial processes. The ANAO will focus on the action taken by DFAT in response to this finding as part of the 2025–26 final audit.

Key financial balances and areas of financial statements risk

4.12.9 Figure 4.12.1 and Figure 4.12.2 below show the key financial statements items reported by DFAT and the key areas of financial statements risk.

Figure 4.12.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DFAT 2025–26 PAES.

Figure 4.12.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DFAT 2025–26 PAES.

Conclusion

4.12.10 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.13 Department of Health, Disability and Ageing

4.13.1 The Department of Health, Disability and Ageing (Health) is responsible for achieving the Australian Government’s health, disability, and ageing policy priorities through evidence-based policy, program administration, research, regulatory activities, and partnerships with other government entities, consumers and stakeholders.

Engagement risk rating

4.13.2 The engagement risk for the 2025–26 financial statements has been assessed as high. Key factors contributing to this rating include:

• large number of findings reported at the conclusion of the 2024–25 audit including those relating to IT control environment deficiencies;
• multiple financial statement risk areas that are rated either high or moderate;
• the highly complex legislative environment and associated significant potential legislative breaches;
• Health’s complex operating environment, including the recent Machinery of Government changes; and
• continued risks over accuracy and valuation of personal benefits and subsidy expenditures.

Interim audit results

4.13.3 At the 2025–26 interim audit phase, the ANAO has reported one significant legislative breach, and two findings that pose a moderate business or financial risk to Health. Ten minor findings from 2024–25 remain unresolved. One minor audit finding was resolved.

Audit findings

Table 4.13.1: Status of significant or moderate audit findings

Source: ANAO 2025–26 interim audit results

Unresolved moderate audit finding/s

Inventory management system IT general controls – privileged user monitoring

4.13.4 The Inventory Management System (IMS) is used for financial and operational management of the National Medical Stockpile. Information from the IMS is used to inform decision making in response to national health emergencies. The IT general controls support the effective operation of information processing controls and other IT dependencies within an IT system. These include processes to manage security and changes to programs and data. Such controls address the risks of users bypassing system enforced controls, privileged users making direct changes to underlying data, and incorrect or inappropriate changes being made to programs or configurations.²⁵ Health uses privileged user accounts to perform administrative functions in the IMS, including both platform support and development of changes to the system.

4.13.5 The ANAO identified deficiencies in controls relating to privileged user logging as Health does not perform any monitoring over privileged user activities in the IMS. While audit logging is enabled on system events, no risk assessment is performed to identify a scope of high-risk privileged user activities that should be reviewed by an appropriate, independent reviewer to ensure such activities were done in accordance with an appropriate business case.

4.13.6 There is an increased likelihood that the risk of privileged users of the IMS making direct changes to underlying data, and incorrect or inappropriate changes being made to programs or configurations is not mitigated by Health’s control activities. This reduces Health’s ability to rely on the IMS to produce complete and accurate data to support the financial and operational management of the National Medical Stockpile, and for financial reporting.

4.13.7 The ANAO will focus on the action taken by Health in response to this finding as part of the 2025– 26 final audit.

Network terminations

4.13.8 The ANAO identified deficiencies in Health’s management of user access to key IT systems, including SAP and the IMS. While timely removal of access is required under the Australian Government Information Security Manual, Health does not monitor or review system activity after an employee’s termination to identify potential unauthorised use.

4.13.9 Testing identified that where access is not revoked promptly, there is no mechanism to detect or report potentially inappropriate activity undertaken by former users. Similar weaknesses were observed across multiple systems, including at the network level.

4.13.10 The ANAO recommended implementation of an effective post termination monitoring process that identifies post termination access, investigates users’ activities and rectifies/mitigates the associated risk with these activities, and incorporating in-scope activities in IMS in the post-termination activity monitoring control as informed by an appropriate risk assessment over IMS end-user functions. This process should be documented, performed consistently and include a reporting mechanism so that management is aware of any risks identified.

4.13.11 The ANAO will focus on the action taken by Health in response to this finding as part of the 2025–26 final audit.

Significant legislative breach

Legislative non-compliance and governance risks in program payments

4.13.12 Health has primary responsibility for administering legislation relating to health care. In 2024–25, payments totalling approximately $95.8 billion were authorised against special appropriations, including special accounts. A significant portion of these payments are administered on Health’s behalf by Services Australia.

4.13.13 During the 2024-25 audit, the ANAO identified significant non-compliance with legislative and constitutional requirements in Health’s administration of complex payment arrangements. Multiple potential breaches of section 83 of the Australian Constitution were identified and disclosed, reflecting the scale and complexity of Health’s responsibilities and ongoing compliance challenges.

4.13.14 Health reported potential section 83 breaches of the Australian Constitution in the 2024–25 financial statements in 13 separate areas. At the end of the interim audit phase, the ANAO is aware of potential section 83 breaches of the Australian Constitution in 15 separate areas, some of which have been resolved during the reporting year.

4.13.15 Key non-compliance matters included weaknesses in controls over aged care subsidies and fees, resulting in inconsistencies with legislative entitlements; lack of legal authority to credit funds within Service Australia’s systems; reliance on legacy controls that increased the risk of overpayments; some claims under the Highly Specialised Drugs Program that exceeded legislated limits for quantities and repeats; exemptions granted for Pharmaceutical Benefits Scheme (PBS) Authority Required prescriptions that were inconsistent with the National Health Act 1953; and payments made to insurers under the Private Health Insurance Act 2007 that may in certain circumstances result in breaches of section 83.

4.13.16 Collectively, these issues indicate an elevated and recurring risk of significant non-compliance, which may undermine public confidence if not addressed. Health is in the process of implementing a coordinated, risk-based approach for managing section 83 risks in 2025–26. This includes standardised guidance and risk assessment processes; centralised oversight and validation; targeted prioritisation of higher-risk programs; and strengthening governance and assurance by enhancing reporting and formalisation of governance arrangements. While remediation efforts are underway, sustained focus is required to strengthen governance, clarify accountability, and embed effective monitoring, reporting and escalation processes to reduce the likelihood of future breaches and support ongoing constitutional and legislative compliance.

Key financial balances and areas of financial statements risk

4.13.17 Figure 4.13.1 and Figure 4.13.2 below show the key financial statements items reported by Health and the key areas of financial statements risk.

Figure 4.13.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Health 2025–26 PAES.

Figure 4.13.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Health 2025–26 PAES.

Conclusion

4.13.18 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Health will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.14 National Disability Insurance Agency

4.14.1 The National Disability Insurance Agency (NDIA) is part of the Health, Disability and Ageing portfolio. It was established under the National Disability Insurance Scheme Act 2013. The NDIA has responsibility for delivering the National Disability Insurance Scheme (NDIS). The NDIS is designed to support individuals with significant and permanent disability (participants) to be more independent and engage socially and economically by providing reasonable and necessary disability related supports.

Engagement risk rating

4.14.2 The engagement risk for the 2025–26 financial statements has been assessed as high. Key factors contributing to this rating include:

• high level of public interest, and Parliamentary scrutiny of, the NDIA’s activities in implementing the NDIS;
• continuing reform of the NDIS including the implementation of legislative changes; and
• the complex decision-making required in the operation of the NDIS, which is supported by a complex and partially outsourced IT environment.

Interim audit results

4.14.3 At the 2025–26 interim audit phase, the ANAO has reported three findings that pose a moderate business or financial risk to the NDIA. One new minor finding was identified, and four minor findings from 2024-25 remain unresolved.

Audit findings

Table 4.14.1: Status of significant or moderate audit findings

Source: ANAO 2025–26 interim audit results.

Unresolved moderate audit findings

Privileged user access monitoring — SAP CRM

4.14.4 The NDIA utilises Services Australia as its infrastructure provider for the SAP Customer Relationship Manager (CRM) IT system. SAP CRM is used for essential business functions such as payment delivery. Maintaining and supporting IT systems requires some user accounts to have extensive access rights (privileged access). Privileged user accounts have the potential to modify system configurations or controls and perform inappropriate or fraudulent activities with a financial impact. ²⁶

4.14.5 During the 2023–24 audit, the ANAO identified weaknesses in the effectiveness of Services Australia’s logging and monitoring of privileged user activities. The ANAO recommended that the NDIA assess the risk of existing processes, document and implement processes to address the identified control weakness.

4.14.6 The NDIA has provided the ANAO with a risk assessment based on a privileged user access monitoring control performed by Services Australia. The ANAO assessed the risk assessment as appropriate and has commenced testing to confirm the operating effectiveness of the privileged user process. The ANAO will continue this testing as part of the 2025–26 final audit.

Privileged user activity monitoring — Provider and Participant Communication Environment (PACE)

4.14.7 During the interim phase of the 2022–23 audit, the ANAO found that the NDIA did not have a formal process to review privileged user activity in the PACE system. The ANAO recommended that the NDIA should assess whether the real-time alert system meets the underlying business risks relating to privileged user access and implement a formal process to document the outcomes of alerts raised.

4.14.8 The ANAO reviewed the NDIA remediated process which included implementing a formal monitoring process over privileged user activity. The review performed by NDIA did not include activity by all privileged users; assessment of the appropriateness of each activity performed; and there was no evidence of management oversight of the review. The NDIA advised it would enhance the process to address these weaknesses.

4.14.9 During the interim audit phase of the 2025–26 audit, the ANAO assessed the design of the revised controls as appropriate and has commenced testing to confirm the operating effectiveness of the privileged user process. The ANAO identified that weaknesses remain in how investigations are documented and reported. The ANAO will finalise this testing as part of the 2025–26 final audit.

Timeliness of IT user terminations

4.14.10 During the 2020–21 audit, the ANAO’s testing of user access found weaknesses in user access terminations processes. User accounts should be removed upon termination date as they no longer have a legitimate requirement to access the NDIA’s network.

4.14.11 The NDIA moved to a new ICT operating environment and created a new process to address this finding during 2022–23, however there were weaknesses with the reporting used to detect potentially inappropriate activity.

4.14.12 The process NDIA implemented did not cover SAP CRM activities, and the NDIA did not have formal change management processes to manage the code used to detect post-termination activity. The absence of change management processes limits the NDIA’s ability to assure itself that the code being used has been approved, tested, is fit for purpose, and has not been inappropriately modified.

4.14.13 During the 2024–25 final audit phase, the ANAO reviewed the NDIA’s revised processes and assessed them to be effectively designed. The ANAO’s testing over the implementation of the revised process was unable to be completed during the 2024–25 final phase due to delays in the provision of requested supporting documentation.

4.14.14 During the 2025–26 interim audit phase, the NDIA advised that due to an issue with the SAP CRM log history, the NDIA was unable to provide evidence requested by the ANAO in 2024–25. The ANAO requested the NDIA perform a risk assessment for the period of data loss and a finalised solution to the logging issue. The ANAO will focus on the action taken by the NDIA in response to this finding as part of the 2025–26 final audit.

Key financial balances and areas of financial statements risk

4.14.15 Figure 4.14.1 below shows the key financial statements items reported by the NDIA and the key areas of financial statements risk.

Figure 4.14.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and NDIA 2025–26 PAES.

Conclusion

4.14.16 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the NDIA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.15 Department of Home Affairs

4.15.1 The Department of Home Affairs (Home Affairs) coordinates policy and operations for Australia’s national and transport security, cyber security, immigration, border security, multicultural affairs, counterterrorism and customs-related functions.

Engagement risk rating

4.15.2 The engagement risk for the 2025–26 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• the nature of Home Affairs’ geographically dispersed operating environment, including the management of people and goods across Australia’s borders;
• the management of high value contracts and payments for service delivery, including detention centres and regional processing centres, and the development and construction of IT and other assets; and
• the high value of customs revenue collected, and the reliance on IT systems in the collection of revenue, and management of programs.

Interim audit results

4.15.3 At the 2025–26 interim audit phase, the ANAO have reported one new finding that poses a moderate business or financial risk to Home Affairs.

Audit findings

Table 4.15.1: Status of significant or moderate audit findings

Source: ANAO 2025–25 interim audit results.

New moderate audit finding

Taxation revenue (customs duty) compliance

4.15.4 The ANAO identified weaknesses in Home Affairs’ compliance and assurance framework over customs duty revenue, limiting assurance over completeness and accuracy for financial reporting purposes. These included:

• the approach to estimate revenue leakage for Excise Equivalent Goods had not been analysed from a financial reporting perspective following changes in the responsibility for estimation and in its design;
• the need to revise an inter-agency memorandum of understanding to reflect changes over time in agreed roles and responsibilities and compliance reporting requirements to ensure risks of revenue leakage are effectively monitored;
• observed design and implementation gaps in operational compliance controls for drawbacks, and an absence of a formal risk assessment framework to support compliance activity;
• a need to document risk management and resourcing decisions associated with pre-clearance interventions including analysis of residual financial reporting risks; and
• limited documentation of an overarching, end-to-end organisational compliance framework that links operational compliance activities to confirm the completeness and accuracy of customs duty revenue reported in the Home Affairs financial statements.

4.15.5 The ANAO will focus on the action taken by Home Affairs in response to this as part of the final audit phase of the 2025–26 audit.

Key financial balances and areas of financial statements risk

4.15.6 Figure 4.15.1 and Figure 4.15.2 below show the key financial statements items reported by Home Affairs and the key areas of financial statements risk.

Figure 4.15.1: Departmental financial balances and areas of financial statements risk

Source: ANAO analysis and Home Affairs 2025–26 PAES.

Figure 4.15.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Home Affairs 2025–26 PAES.

Conclusion

4.15.7 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.16 Department of Industry, Science and Resources

4.16.1 The Department of Industry, Science and Resources (Industry) is responsible for supporting a productive, resilient, and sustainable economy that is enriched by science and technology. It does this by growing innovative and competitive businesses, industries and regions, and supporting a strong resources sector. Industry also operates the Business Grants Hub which helps a range of Australian Government agencies design and deliver grants programs.

Engagement risk rating

4.16.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the size and complexity of Industry’s operations;
• a mature financial reporting function, internal control environment and governance arrangements; and
• the complexity of some financial statement balances, such as the Ranger Rehabilitation and the Northern Endeavour Decommissioning provisions, that require management judgement and involve estimation uncertainty.

Interim audit results

4.16.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to Industry. One minor finding remains unresolved.

Key areas of financial statements risk

4.16.4 Figure 4.16.1 and Figure 4.16.2 below show the key financial statements items reported by Industry and the key areas of financial statements risk.

Figure 4.16.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DISR 2025–26 PAES.

Figure 4.16.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DISR 2025–25 PAES.

Conclusion

4.16.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Industry will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.17 Department of Infrastructure, Transport, Regional Development, Communication, Sports and the Arts

4.17.1 The Department of Infrastructure, Transport, Regional Development, Communications, Sport and the Arts (DITRDCSA) is responsible for: improving infrastructure across Australia through funding coordination of transport; providing an efficient, sustainable, competitive and safe transport system for all transport users; strengthening the sustainability, capacity and diversity of regional economies; implementing the national policy on cities; and promoting an innovative and competitive communications sector. DITRDSCA also supports participation in and access to sport, including through sport policy leadership, integrity and major events, and promotes participation in and access to Australia’s arts and culture sector. DITRDCSA supports governance arrangements in the Australian territories.

Engagement risk rating

4.17.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• significant equity investments in Commonwealth entities, which are measured at fair value. The measurement process requires the application of considerable judgement, the use of complex valuation methods, and the incorporation of sensitive valuation inputs. Assumptions made in this process can have a material impact on reported values;
• significant advances to other Government institutions and non-government institutions, which carry a higher risk of non-recoverability. The collectability of these advances must be carefully assessed to ensure the accuracy of the financial statements;
• significant non-financial assets, including heritage and cultural items, as well as regional broadband blackspot infrastructure. These assets present unique challenges in terms of valuation and management and require specialised approaches to ensure their proper accounting;
• significant grants administered by the department, which are subject to complex eligibility criteria. Proper administration and documentation are essential to ensure compliance and the accurate reporting of grant expenditure; and
• potential significant obligations relating to the use of Perfluoroalkyl and Polyfluoroalkyl Substances (PFAS) containing substances on both federal leased and non-leased airports. The management and recognition of these obligations require ongoing assessment to ensure all financial responsibilities are appropriately disclosed.

Interim audit results

4.17.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to DITRDCSA.

Key areas of financial statements risk

4.17.4 Figure 4.17.1 and Figure 4.17.2 below show the key financial statements items reported by DITRDCSA and the key areas of financial statements risk.

Figure 4.17.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DITRDCSA 2025–26 PAES.

Figure 4.17.2: Key administered financial balances and areas of financial statements risk

Conclusion

4.17.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DITRDCSA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.18 Australian Postal Corporation

4.18.1 The Australian Postal Corporation (Australia Post) is a government business enterprise responsible for supplying postal services to Australia, including the distribution of letters and parcels in Australia and internationally.

Engagement risk rating

4.18.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of Australia Post’s business and financial operations;
• the ongoing reform agenda; and
• the number and complexity of revenue streams and revenue recognition.

Interim audit results

4.18.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to Australia Post. Two minor findings were resolved.

Key areas of financial statements risk

4.18.4 Figure 4.18.1 below shows the key financial statements items reported by Australia Post and the key areas of financial statements risk.

Figure 4.18.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and APC 2024–25 Annual Report.

Conclusion

4.18.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.19 NBN Co Limited

4.19.1 NBN Co Limited (NBN Co) provides wholesale broadband services to retail internet service providers. NBN Co is a government business enterprise incorporated under the Corporations Act 2001.

Engagement risk rating

4.19.2 The engagement risk for the 2025–26 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• ongoing investment in network upgrades and the risk of technological change to NBN Co’s business;
• regulated nature of the industry; and
• NBN Co’s financial position as a highly leveraged organisation with exposure to external debt markets, including debt listed on the Singapore Exchange.

Interim audit results

4.19.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to NBN Co. Two new minor findings were identified.

Key areas of financial statements risk

4.19.4 Figure 4.19.1 below shows the key financial statements items reported by NBN Co and the key areas of financial statements risk.

Figure 4.19.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and NBN 2024–25 Annual Report.

Conclusion

4.19.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that NBN Co will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.20 Department of the Prime Minister and Cabinet

4.20.1 The Department of the Prime Minister and Cabinet (PM&C) is responsible for providing advice to the Prime Minister, the Cabinet, portfolio ministers, and assistant ministers to improve the lives of all Australians. The role of PM&C is to support the policy agenda of the Prime Minister and Cabinet and the coordination of the implementation of key government programs, to provide leadership to the Australian Public Service, coordination of government activities, effective policy advice and development, and program delivery.

Engagement risk rating

4.20.2 The engagement risk for the 2025–26 financial statements has been assessed as low. Key factors contributing to this rating include:

• accounting for investments in corporate Commonwealth entities and companies; and
• shared services provided to the National Indigenous Australians Agency and other entities.

Interim audit results

4.20.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to PM&C.

Key areas of financial statements risk

4.20.4 Figure 4.20.1 and Figure 4.20.2 below show the key financial statements items reported by PM&C and the key areas of financial statements risk.

Figure 4.20.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and PM&C 2025–26 PAES.

Figure 4.20.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and PM&C 2025–26 PAES.

Conclusion

4.20.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that PM&C will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.21 National Indigenous Australians Agency

4.21.1 The National Indigenous Australians Agency (NIAA) is responsible for:

• the provision of advice on whole-of-government priorities for Aboriginal and Torres Strait Islander people to the Prime Minister and the Minister for Indigenous Australians;
• leading and coordinating the Australian Government policy development, program design and implementation and service delivery for Aboriginal and Torres Strait Islander peoples; and
• administering funding and related arrangements in accordance with legislative and policy requirements.

Engagement risk rating

4.21.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the scale and decentralised administration of grant programs across Australia, including reliance on multiple delivery partners and systems;
• NIAA’s reliance on shared service arrangements with other Australian Government entities for finance, payroll, information and communications technology, and grant payment processing; and
• the implementation of the Remote Australia Employment Service (RAES) from 1 November 2025, involving significant program change, new system functionality and evolving compliance arrangements.

Interim audit results

4.21.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to the NIAA.

Key areas of financial statements risk

4.21.4 Figure 4.21.1 and Figure 4.21.2 below show the key financial statements items reported by the NIAA and the key areas of financial statements risk.

Figure 4.21.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and NIAA 2025–26 PAES

Figure 4.21.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and NIAA 2025–26 PAES.

Conclusion

4.21.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the NIAA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.22 Department of Social Services

4.22.1 The Department of Social Services (DSS) is responsible for social security, families and communities, disability and carers. DSS works in partnership with other government and non-government organisations on a range of policies, programs and services focused on improving the wellbeing of people and families in Australia.

Engagement risk rating

4.22.2 The engagement risk for the 2025–26 financial statements has been assessed as moderate. Key factors contributing to this rating include:

• the range and complexity of DSS’ operations;
• reliance on third parties to provide information that is critical to support payments made for personal benefits and grants;
• significant judgements and assumptions made in the complex estimation process around the valuation of personal benefit provisions and receivables;
• unresolved legal issues regarding the historical use of the income apportionment methodology;
• DSS’ involvement in the delivery of corporate services, as part of shared services arrangements, on behalf of other commonwealth entities;
• a complex and outsourced IT environment; and
• a mature internal control environment including consistent monitoring of controls.

Interim audit results

4.22.3 At the 2025–26 interim audit phase, the ANAO identified one significant legislative breach. One moderate finding from 2023–24 remains unresolved. One minor finding from 2025–26 was identified, and one minor finding from 2024–25 remains unresolved.

Audit findings

Table 4.22.1: Status of significant or moderate audit findings

Note a: The moderate audit finding relating to ‘SAP privileged user monitoring’ has been downgraded to a minor audit finding.

Source: ANAO 2025–26 interim audit results.

New significant audit finding

4.22.4 Refer to the ‘Significant legislative breach’ section below for the details of the new significant audit finding related to legislative breaches.

Unresolved moderate audit finding

SAP terminations monitoring and reporting

4.22.5 In 2023–24, DSS implemented new SAP termination and post-termination access monitoring controls to address a prior audit finding raised in 2020–21. In 2023–24, the ANAO recommended that DSS:

• establish and document whether internally generated reports are complete, accurate, and fit for purpose, or develop alternative reports where feasible; and
• fully implement the designed controls and adhere to the standard operating procedure (SOP), including regular reporting requirements.

4.22.6 DSS subsequently updated the SOP to document established post-termination access monitoring processes and strengthen monitoring, including enhancements to improve the accuracy and efficiency of SAP user termination reviews. An updated closure pack was provided to the ANAO on 25 June 2025. Based on testing, the ANAO concluded that the mitigating controls were effective; however, residual questions remained regarding the completeness, accuracy, and suitability of the reports used to detect potential post-termination logins at the conclusion of the 2024–25 audit.

4.22.7 During the 2025–26 interim phase of the audit, the ANAO tested the new HR report introduced to capture all back-dated terminations for investigation and confirmed the completeness of the reports to ensure all potential post-termination access is detected. DSS also performed a retrospective review, confirming that there was no undetected post-termination access for the period from 1 July to 31 December 2025.

4.22.8 While the monthly review process has been implemented, reviews have not been completed in a timely manner, and management reporting had not yet been completed at the conclusion of the interim audit phase. DSS advised that this was due to the significantly increased effort required in 2025–26 to implement new reporting formats and undertake enhanced data testing and assurance activities. A risk-based approach was applied, with priority given to identifying and investigating any instances of unauthorised access. DSS also advised that it is currently finalising a SOP for post-termination access logging and monitoring processes and reintroducing management reporting and escalation processes.

4.22.9 The ANAO will review the SOP and assess the implementation of the monthly review and management reporting processes during the 2025–26 final audit.

Significant legislative breach

Non-compliance with legislation

4.22.10 DSS is responsible for administering various policy and legislation including the Social Security Act 1991 and Child Support (Assessment) Act 1989 (Assessment Act). Services Australia delivers programs and services in accordance with legislative authorities and agreed administrative arrangements on behalf of DSS. The service delivery relationship between DSS and Services Australia is governed by a formal Bilateral Management Arrangement (BMA).

4.22.11 The ANAO observed that DSS has enhanced its control environment including clearly defined roles and responsibilities, establishing BMA and supporting protocols, a structured legal risk framework for identifying and reporting legal matters via Legal Risk Register, regular senior executive oversight, established reporting processes to governance committee and the ANAO.

4.22.12 The ANAO became aware of various matters where Services Australia did not process personal benefits payments correctly or in accordance with legislation. Those matters may have implications for DSS as the policy entity. The ANAO noted that some non-compliance matters have been known for years without adequate remedial actions.

4.22.13 These matters have been identified through DSS governance and assurance processes, including the Legal Risk Register, and are reported to the DSS internal governance committees and the ANAO. Some matters require extended timeframes for resolution due to legal complexity, cross-portfolio consultation and the need for legislative amendment; however, they are managed, risk-assessed and prioritised based on impact and materiality.

4.22.14 Services Australia established the Legal Compliance and Remediation Program (the Program) to centrally coordinate the management and resolution of issues in the administration of payments and services on behalf of other policy agencies. As at 21 November 2025, there were 93 matters included in the Program issue register related to DSS, noting that the register is updated and regularly reviewed, with matters risk-rated and not all carrying equal significance. These matters include potential or actual breaches of section 83 of the Australian Constitution.

4.22.15 Of the 93 matters relating to DSS, four matters have been resolved through legislative amendment, representing a significant and complex historical issue that has now been addressed through legislative reform and structured remediation:

• income Apportionment (one matter); and
• three matters were resolved through the passage of the Social Security and Other Legislation Amendment (Technical Changes No. 1) Act 2026 on 1 April 2026.

4.22.16 Seven matters are planned for resolution through legislation in the 2026 winter and spring Parliamentary sittings. The remaining five matters which may require legislative amendment to resolve are currently being considered by DSS and Services Australia. A further 11 matters across various programs require legislative change as remediation, including, but not limited to:

• inconsistent urgent payments under social security law;
• automation of advance payments not being permitted under social security law; and
• use of pre-issue income for Family Tax Benefit assessment not consistent with legislation.

4.22.17 In addition, 38 of the 93 matters are operational and policy matters requiring a permanent fix to operational processes, policy settings or historical remediation, with some matters already resolved or progressed, including via the Social Security and Other Legislation Amendment (Technical Changes No. 1) Act 2026.

4.22.18 The ANAO recommended that DSS enhance its governance and assurance processes to support effective management of legislative compliance under shared services arrangements. DSS should:

• establish and maintain appropriate mechanisms to obtain assurance that service delivery activities undertaken by Services Australia are being performed in accordance with legislative and policy requirements;
• periodically review shared services administrative arrangements, including the BMA, to confirm that compliance responsibilities, controls and assurance mechanisms remain appropriate and effective.
• strengthen its arrangements for implementing timely and effective remediation actions to address instances of legislative non-compliance, including:
  • ensure that identified non-compliance matters are assessed promptly to determine root causes, legislative impacts and remediation requirements;
  • establish clear accountability and timeframes for remediation actions, proportionate to the nature and risk of the non-compliance;
  • monitor the implementation and completion of remediation actions to ensure they are effective in restoring compliance and preventing recurrence; and
  • ensure that significant or systemic non-compliance and remediation progress are appropriately escalated and reported through governance and assurance frameworks., noting that some of these elements are already established through DSS’s Legal Risk Reporting and other governance processes.

Reassessed moderate audit finding

4.22.19 Users with privileged access within SAP have the ability to modify system configurations or controls and perform inappropriate or fraudulent activities with potential financial impacts. To manage these risks, SAP has been configured with Firefighter (FF) accounts to enable controlled access to high-risk transactions, with activity automatically logged for independent review.

4.22.20 During the 2023–24 audit, the ANAO identified weaknesses in DSS’ monitoring of SAP privileged users due to the absence of a comprehensive risk assessment for SAP privileged access, documented risk management strategies for identified risks, evidence of the effectiveness of risk management measures, and an assessment of residual risks.

4.22.21 DSS provided a closure pack in May 2025. The ANAO tested the design and implementation of FF logging and monitoring controls and assessed them as effective, however unresolved issues remained in relation to the risk assessment.

4.22.22 In the 2025–26 interim audit phase, the ANAO reviewed the annual SAP access risk assessment and found that all FF sessions were reviewed and closed, with review evidence retained and no unresolved activity logs at the time of testing. The ANAO observed that some FF logs were not reviewed within the prescribed policy timeframe of 14 days, and it was not clear whether the delays were reasonable or acceptable.

4.22.23 DSS advised the ANAO that an updated SOP is being finalised to clarify review timeframe requirements, define accountability for escalation and resolution of outstanding FF logs, and define the usage of FF accounts for non-emergency purposes. The ANAO has reassessed the finding from a moderate to a minor audit finding.

Key financial balances and areas of financial statements risk

4.22.24 Figure 4.22.1 and Figure 4.22.2 below show the key financial statements items reported by DSS and the key areas of financial statements risk.

Figure 4.22.1:  Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DSS 2025–26 PAES.

Figure 4.22.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DSS 2025–26 PAES.

Conclusion

4.22.25 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DSS will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.23 Department of the Treasury

4.23.1 The Department of the Treasury (Treasury) provides policy advice, analysis and the delivery of economic policies and programs, including legislation, administrative payments and regulatory functions, which support the effective management of the Australian economy.

Engagement risk rating

4.23.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the complexity of some financial statements balances, such as the Disaster Recovery Funding Arrangement provision, that requires management judgement and involves estimation uncertainty; and
• the significance of the payments made by Treasury under the Federal Financial Relations framework.

Interim audit results

4.23.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to Treasury.

Key areas of financial statements risk

4.23.4 Figure 4.23.1 and Figure 4.23.2 below show the key financial statements items reported by Treasury and the key areas of financial statements risk.

Figure 4.23.1: Key departmental financial balances and areas of financial statements risk

Source: Source: ANAO analysis and Treasury 2025–26 PAES.

Figure 4.23.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and Treasury 2025–26 PAES.

Conclusion

4.23.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Treasury will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.24 Australian Office of Financial Management

4.24.1 The Australian Office of Financial Management (AOFM) is responsible for managing Australian Government debt and financial assets. It issues Treasury Bonds, Treasury Indexed Bonds and Treasury Notes, manages the government’s cash balances and invests in high quality financial assets under the Australian Business Securitisation Fund and the Structured Finance Support Fund.

Engagement risk rating

4.24.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. The key factor contributing to this rating is the complexity of AOFM’s operations and investments, including management of the Australian Government’s debt portfolio.

Interim audit results

4.24.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to AOFM. One minor finding from 2024–25 was resolved.

Key areas of financial statements risk

4.24.4 Figure 4.24.1 and Figure 4.24.2 below show the key financial statements items reported by AOFM and the key areas of financial statements risk.

Figure 4.24.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and AOFM 2025–26 PAES.

Figure 4.24.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and AOFM 2025–26 PAES.

Conclusion

4.24.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that AOFM will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.25 Australian Taxation Office

4.25.1 The Australian Taxation Office (ATO) is Australia’s principal revenue collection entity and is part of the Treasury portfolio. The ATO’s role is to administer Australia’s tax system, aspects of Australia’s superannuation system and business registry services, together with the provision of support to the Tax Practitioners Board and the Australian Charities and Not-for-profits Commission.

Engagement risk rating

4.25.2 The engagement risk for the 2025–26 financial statements audit has been assessed as high. Key factors contributing to this rating include:

• level of ongoing scrutiny of the ATO’s operations by Parliament and members of the public, given ATO’s role as Australia’s principal revenue collection agency and administrator of the legislation governing tax and aspects of Australia’s superannuation system;
• dependence on sophisticated and interfaced IT systems and business applications for financial reporting; and
• the significant level of judgement and estimation required to calculate key financial balances.

Interim audit results

4.25.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that pose a significant business or financial risk to the ATO and reported one unresolved finding that poses a moderate business or financial risk to the ATO. Two new minor findings were identified, four minor findings and one other legislative breach from 2024-25 remain unresolved, and two minor findings were resolved.

Audit findings

Table 4.25.1: Status of significant or moderate audit findings

Note a: A moderate finding relating to ATO’s business data system, the Enterprise Data Warehouse (EDW) was reassessed to a minor audit finding.

Source: ANAO 2025–26 interim audit results.

Unresolved moderate audit finding

Change Management – Business Reporting System

4.25.4 During the 2024–25 audit, the ANAO identified weaknesses associated with IT change management for ATO’s business reporting system, Cognos. Cognos had not transitioned into the new IT change control solution implemented by the ATO to provide additional controls assurance over segregation of duties with respect to development and migration activities. As a result, the required segregation of duties was not in operation for the 2024–25 financial year.

4.25.5 The issue posed a risk that unauthorised changes negatively impact the ATO’s business operations and required the ANAO to undertake additional testing to obtain assurance over the reliability of data and reports generated from the system to support financial statements balances. The ANAO recommended that the ATO formalise policy and control requirements for the management of data and report generation processes within Cognos. At the conclusion of the 2025–26 interim audit, the implementation of the ATO’s response remains in progress.

4.25.6 The ANAO will focus on the action taken by the ATO in response to this finding as part of the 2025–26 final audit.

Reassessed moderate audit finding

Change Management – Business Data System

4.25.7 During the 2024–25 audit, the ANAO identified weaknesses associated with IT change management for ATO’s business data system, the EDW. The EDW is transitioning into a new IT change control solution implemented by the ATO to provide additional controls assurance over segregation of duties with respect to development and migration activities.

4.25.8 As part of the review of ATO’s transition to the new IT change control solution, the ANAO identified weaknesses in the design and implementation of privileged logging and monitoring controls for privileged user accounts. ²⁷ Maintaining and supporting IT systems requires some user accounts to have extensive access rights (privileged access). Privileged user accounts have the potential to modify system configurations or controls and perform inappropriate or fraudulent activities with a financial impact.

4.25.9 The issue posed a risk that unauthorised changes negatively impact the ATO’s business operations and required the ANAO to undertake additional testing to obtain assurance over the reliability of data and reports generated from the system to support financial statements balances. The ANAO recommended that the EDW is fully transitioned into the new IT change control solution and that policy and control requirements are established for the management of all privileged user accounts.

4.25.10 At the conclusion of the interim audit phase the ATO had strengthened controls for EDW change management. While the control requirements for EDW privileged access remains in progress, the audit finding has been reassessed from a moderate to a minor audit finding.

Key financial balances and areas of financial statements risk

4.25.11 Figure 4.25.1 and Figure 4.25.2 below show the key financial statements items reported by ATO and the key areas of financial statements risk.

Figure 4.25.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and ATO 2025–26 PAES

Figure 4.25.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and ATO 2025–26 PAES.

Conclusion

4.25.12 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the ATO will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.26 Reserve Bank of Australia

4.26.1 The Reserve Bank of Australia (RBA) is responsible for determining and implementing monetary policy that seeks to contribute to the stability of the currency and maintain full employment, works to maintain a strong financial system and efficient payments system and issues the nation’s banknotes. The RBA also provides selected banking services to a range of Australian Government entities and to a number of overseas central banks and official institutions. The RBA is also responsible for the management of Australia’s gold and foreign exchange reserves.

Engagement risk rating

4.26.2 The engagement risk for the 2025–26 financial statements audit has been assessed as moderate. Key factors contributing to this rating include:

• the high level of public interest and accountability for the operations, given the RBA’s role as the central bank of Australia and in conducting monetary policy;
• value, complexity and level of judgment required to manage a significant portfolio of investments and other financial assets and liabilities that support monetary policy outcomes; and
• the reliance by the public and Australian financial institutions on the RBA to manage and provide key banking and settlements infrastructure in addition to issuing Australia’s banknotes.

Interim audit results

4.26.3 At the 2025–26 interim audit phase, the ANAO has not identified any findings that could pose a significant or moderate business or financial risk to the RBA. One new minor finding was identified, which remains unresolved and four minor findings were resolved.

Key areas of financial statements risk

4.26.4 Figure 4.26.1 below shows the key financial statements items reported by RBA and the key areas of financial statements risk.

Figure 4.26.1: Key financial balances and areas of financial statements risk

Source: ANAO analysis and RBA 2024–25 Annual Report.

Conclusion

4.26.5 At the completion of the interim audit, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the RBA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

4.27 Department of Parliamentary Services

4.27.1 The Department of Parliamentary Services (DPS) is responsible for supporting the operation of the Parliament through the provision of a range of services, including library, research, Hansard, broadcasting, Information, Communication & Technology (ICT) services, physical and cyber security services, visitor services, catering, and building and landscape management.

Engagement risk rating

4.27.2 The engagement risk for the 2025–26 financial statements audit has been assessed as low. Key factors contributing to this rating include:

• non-complex transactions and balances in DPS’s financial statements; and
• mature financial statements preparation process and internal control environment.

Interim audit results

4.27.3 At the 2025–26 interim audit phase, the ANAO identified one finding that poses a moderate business or financial risk to DPS. One minor finding from 2024–25 remains unresolved.

Audit findings

Table 4.27.1: Status of significant or moderate audit findings

Source: ANAO 2025–26 interim audit results.

Unresolved moderate audit finding

Network user terminations

4.27.4 User access management is fundamental to the effective operation of the IT systems. Revoking user access to a system in a timely manner is necessary to ensure that all access to IT systems, financially sensitive or otherwise, is authorised.

4.27.5 During the 2023–24 audit, the ANAO identified that contractor termination dates could not be readily verified due to the absence of exit forms for such terminations. DPS was unable to provide alternative evidence for the respective contractor terminations and there were no compensating controls relating to contractor terminations.

4.27.6 During 2024–25 DPS has made a significant effort to improve contractor offboarding processes, and the ANAO reviewed the controls implemented by DPS to address the risks identified. From this review, the ANAO concluded that the controls implemented partially addressed the risk of unauthorised access and activity relating to offboarded contractors, and weaknesses continue to be observed around the timely update of contractor termination dates in DPS’s offboarding systems.

4.27.7 Following these observations, DPS established a standard operating procedure for offboarding contractors. The ANAO will review the implementation of these procedures during the final 2025–26 audit phase.

Key financial balances and areas of financial statements risk

4.27.8 Figure 4.27.1 and Figure 4.27.2 below show the key financial statements items reported by DPS and the key areas of financial statements risk.

Figure 4.27.1: Key departmental financial balances and areas of financial statements risk

Source: ANAO analysis and DPS 2025–26 PAES.

Figure 4.27.2: Key administered financial balances and areas of financial statements risk

Source: ANAO analysis and DPS 2025–26 PAES.

Conclusion

4.27.9 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DPS will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed by the ANAO in conjunction with additional audit procedures during the 2025–26 final audit.

Audit results

5.1 As detailed in Auditor-General Report No. 17 2025–26 Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2025, there were four entities for which the 2024–25 financial statements audit had not been finalised in time for inclusion in the tabling of the report. Table 5.1 provides an update on the status of these audits as at 31 May 2026.

5.2 This chapter also provides an update on the financial statements audit of the Australian National University (ANU) that has a 31 December year end.

Table 5.1: 2024–25 financial statement audits not finalised at November 2025

Note a: NTAIC advised the ANAO that the Aboriginal Investment NT Trust would not prepare separate financial statements for the 2025–26 financial year.

Source: ANAO 2024–25 audits results.

Table 5.2: Audits with a 31 December 2025 year-end

Source: ANAO 2025 audits results.

Anindilyakwa Land Council

5.3 The Anindilyakwa Land Council (ALC) was formed by the Aboriginal Land Rights (Northern Territory) Act 1976 (ALRA).

2024–25 audit results

5.4 The conclusion of the 2024–25 financial statements audit was delayed due to the impact of weaknesses in ALC’s financial statements preparation process and delays in receipt of supporting documentation. At the conclusion of the audit, one finding posing a significant business or financial risk and one minor finding remained unresolved.

Audit findings

Table 5.3: Status of audit findings

Source: ANAO 2024–25 audit results.

Unresolved significant audit finding

Addressing previously reported governance findings

5.5 A significant audit finding that remained unresolved at the conclusion of the 2024–25 audit related to ALC’s progress in addressing 15 recommendations from the Auditor-General Report No. 29 2022–23 Governance of the Anindilyakwa Land Council, which was tabled on 31 May 2023. The ANAO found that while the ALC had closed all high priority findings, five findings remained open, meaning the finding category remained unchanged for 2024–25.

Northern Territory Aboriginal Investment Corporation

5.6 The Northern Territory Aboriginal Investment Corporation (NTAIC) is a corporate commonwealth entity, established under section 65B of the Aboriginal Land Rights (Northern Territory) Act 1976.

2024–25 audit results

5.7 The conclusion of the 2024–25 financial statements audit was delayed due to the late notification to the ANAO of the preparation of separate financial statements for the Aboriginal Investment NT Trust. As the Auditor-General is required under the Auditor-General Act 1997 to audit subsidiary financial statements, additional audit work was required to enable reliance on the component auditor, which extended the audit timeline.

5.8 At the conclusion of the audit, one new other legislative finding was reported, and two minor audit findings remained unresolved.

Audit findings

Table 5.4: Status of audit findings

Source: ANAO 2024–25 audit results.

New moderate legislative finding

Key Management Personnel incorrect payments

5.9 A new other legislative finding relating to incorrect payments to key management personnel was raised at the conclusion of the 2024–25 audit. The ANAO found three instances of incorrect payments (two overpayments and one underpayment) to key management personnel, in breach of the remuneration tribunal determination.

Aboriginal Investment NT Trust

5.10 The Aboriginal Investment NT Trust (the Trust) was established on 19 December 2024 as an unlisted, unregistered managed investment trust and is wholly owned and controlled by the Northern Territory Aboriginal Investment Corporation (NTAIC), a corporate Commonwealth entity. The Trust was established to invest funds to provide exposure to a diversified portfolio of asset classes through investments in underlying funds.

2024–25 audit results

5.11 The conclusion of the 2024–25 financial statements audit was delayed due to the late provision of signed financial statements and late identification by the entity that the Auditor-General is the mandated auditor. At the conclusion of the 2024–25 audit, one new moderate finding was identified.

Audit findings

Table 5.5: Status of audit findings

Source: ANAO 2024–25 audit results.

New moderate audit finding

Financial reporting omissions and audit arrangements

5.12 During the 2024–25 financial statements audits, the ANAO identified issues relating to the financial reporting and audit arrangements for the Trust. The Trust prepared and approved its first financial statements for the period ended 30 June 2025, which were audited by another auditor prior to engagement with the ANAO. The ANAO subsequently identified the existence of the Trust’s financial statements and that, as a subsidiary of a corporate Commonwealth entity, its financial statements fell within the Auditor-General’s audit mandate.

5.13 The originally issued financial statements did not include all disclosures required by Australian Accounting Standards. In particular, disclosures relating to the Trust’s parent entity, significant related party transactions with NTAIC—including the provision of funding of approximately $305 million and auditor remuneration—were not included. These disclosures are fundamental to users’ understanding of the Trust’s ownership structure, governance arrangements and use of public funds. The omission of this information resulted in a material misstatement of the originally issued financial statements.

5.14 The late identification of the Trust and its financial statements also affected the audit process. The ANAO was required to undertake audit procedures after the financial statements had been approved and an auditor’s report issued by another auditor, which limited the opportunity for timely audit planning and coordination with the audit of NTAIC and contributed to delays in completing both audits.

5.15 Following ANAO engagement with the Trust, the originally issued financial statements were withdrawn and replaced with revised financial statements that included the omitted disclosures. The ANAO completed the audit of the revised financial statements and issued an unmodified audit opinion, including an emphasis of matter drawing attention to the withdrawal and reissue of the financial statements. The matter highlights the importance of early identification of new subsidiary arrangements and timely engagement with the ANAO to support effective financial reporting and audit processes.

Australian Secret Intelligence Service

5.16 The ANAO issued an unmodified audit opinion on the Australian Secret Intelligence Service’s 2024-25 financial statements on 8 December 2025.

Australian National University

5.17 The Australian National University (ANU) was established by federal legislation to provide research and education of the highest quality, with a particular focus on advancing knowledge in areas of national importance to Australia. ANU’s financial statements are prepared and reported on a calendar year basis.

2025 audit results

5.18 At the conclusion of the 31 December 2025 financial statements audit, the ANAO issued an unmodified audit opinion with an emphasis of matter that drew attention to the correction of a prior period error. The ANAO reported one finding that poses a moderate business or financial risk to the ANU.

5.19 Auditor-General Report No. 36 2025–26 Australian National University Financial Management Report (the Report), was tabled on 4 June 2026. The ANAO will track the implementation of the recommendations in the Report as part of the ANAO’s annual financial statements audit of the ANU.

Audit findings

Table 5.6: Status of audit findings

Source: ANAO 2025 audit results.

New moderate audit finding – ANU policies

5.20 The ANAO observed the ANU re-classified of the majority of its investments from current to non-current in the 2025 financial statements. The issue arose as a result of the ANU’s accounting practice for the recognition of investments as current assets not being in accordance with the underlying policy framework of ANU and also not being in compliance with the requirements of the Australian Accounting Standard AASB 101 – Presentation of Financial Statements. As a result, a prior year error was reported and corrected in the financial statements and an Emphasis of Matter was included in the auditor’s report.

5.21 There is an increased risk of material misstatement if there are inconsistencies between policies and practices. The ANAO has recommended that ANU reviews all accounting policies and practices to ensure that they are in alignment with Australian Accounting Standards, having regard to accounting practices adopted by other universities.

Appendix 1 Audit findings by entity