1. The ANAO prepares two reports annually that, drawing on information collected during audits, provide insights at a point in time to the financial statements risks, governance arrangements and internal control frameworks of Commonwealth entities. These reports explain how entities’ internal control frameworks are critical to executing an efficient and effective audit and underpin an entity’s capacity to transparently discharge its duties and obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Deficiencies identified during audits, that pose either a significant or moderate risk to an entity’s ability to prepare financial statements free from material misstatement, are reported.

2. This report, is the first in the series of reports and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2018–19 financial statements audits. It examines 26 entities, including all departments of state and a number of major Australian government entities. The entities included in the report are selected on the basis of their contribution to the income, expenses, assets and liabilities of the 2017–18 Consolidated Financial Statements of the Australian Government (CFS). Significant and moderate findings arising from the interim audits are reported to the responsible Minister(s), and all findings are reported to those charged with governance of each entity.

Summary of audit findings and related issues

Entity internal controls

3. The interim audit phase includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. At the completion of our interim audits for the 26 entities included in this report we noted that key elements of internal control were operating effectively for 19 entities. For four entities,¹ except for particular finding/s outlined in chapter 3, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement. For the Departments of: Defence; Education and Training, and the National Disability Insurance Agency, the ANAO identified a number of findings which reduced the level of confidence that could be placed on key elements of internal control and limited the assurance that could be obtained from that entity’s control framework.

Summary of audit findings

4. A total of 70 findings were reported to the entities included in this report as a result of interim audits, comprising of one significant, 12 moderate and 57 minor findings. This is an increase of one significant and a reduction of 30 minor findings compared with the 2017–18 interim audit results.

5. Fifty-six per cent of findings relate to the management of Information Technology (IT) controls, particularly the management of privileged user access. The continued level of findings indicates that entities need to focus on processes to monitor IT controls to prevent reoccurrence of issues.

Policies reviews for fraud, payment cards and compliance with finance law

6. Accountable authorities duties under Division 2 of the PGPA Act include: promoting the proper use and management of public resources; and reporting to the Minister on significant issues and activities in the entity. In the context of these obligations and a review of entity internal controls, this report includes a focus on and an analysis of, payment card and fraud control policies together with a continued review of compliance with the Commonwealth’s finance law.

7. Review of these areas found that entities’ have an opportunity to learn from each other to strengthen monitoring and reporting processes, leading to increased transparency over compliance with internal policies, building fraud awareness and enhancing assurance that payment card expenditure is appropriate, within delegation and supported by receipts

8. The ANAO observed that entities had processes in place for monitoring and reporting instances of non-compliance with finance law. Following changes to the mandatory external reporting of non-compliance in 2015–16, where entities have reduced their internal reporting of breaches of finance law, this can lead to a lack of visibility over, or capacity to identify, risks and reduce the completeness and relevance of the information provided to the accountable authority.

Reporting and auditing frameworks

Summary of developments

9. Major changes in accounting standards are applicable in 2018–19 and 2019–20 with the implementation of revised standards for financial instruments, revenue and leases. Early engagement in planning for these standards will provide entities with more options for transitioning, time to review and potentially renegotiate underlying contracts and agreements and time to organise and implement necessary FMIS changes.

10. The Independent Review into the operation of the Public Governance, Performance and Accountability Act 2013 and Rule has made a number of recommendations to the Minister for Finance including, for example, bringing forward the date for the tabling of annual reports, removing duplication and improving linkages between accountability documents, and increasing disclosures around remuneration paid to executives and highly paid staff. In response, the Minister for Finance amended the PGPA Rule to require Commonwealth entities to make remuneration disclosures for key management personnel, senior executives and other highly paid staff in annual reports. The Minister for Finance also amended the PGPA (Annual Report) Rules to require Commonwealth companies and Commonwealth entities to publish annual reports online.

Cost of this report

11. The cost to the ANAO of producing this report is approximately $405,000.

Note a: The Departments of: Agriculture and Water Resources; Communications and the Arts; Health; and Jobs and Small Business.

Introduction

1.1 The ANAO publishes an Annual Audit Work Program (AAWP) which reflects the ANAO’s strategy and deliverables for the forward year. The purpose of the AAWP is to inform the Parliament, the public and government sector entities of the ANAO’s planned audit coverage for Australian Government entities by way of financial statements audits, performance audits and other assurance activities.

1.2 The financial statements audit coverage, as outlined in the AAWP, includes presenting two reports to the Parliament addressing the outcomes of the financial statements audits of Australian Government entities and the Consolidated Financial Statements of the Australian Government (CFS). These reports provide Parliament with an independent examination of the financial accounting and reporting of Commonwealth public sector entities.

1.3 This report focuses on the results of the interim audits of 26 entities. This includes a review of the governance arrangements related to entities’ financial reporting responsibilities and an examination of the relevant internal controls, including IT system controls that support the preparation of financial statements that are free from material misstatement. The second report presents the final results of the financial statements audits of the CFS and all Australian Government entities.

1.4 The entities included in this report are those entities that contribute significantly to the three sectors of the CFS: the General Government Sector (GGS), Public Non-Financial Corporation (PFNC) sector and Public Financial Corporation (PFC) sector. A listing of these entities is provided in Appendix 1.

1.5 The ANAO conducts its financial statements audits in four phases: planning, interim, final and completion. Figure 1.1 outlines the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

Source: ANAO data.

1.6 A central element of the ANAO’s financial statements audit methodology, and the focus of the planning phase of ANAO audits, is a sound understanding of an entity’s environment and internal controls relevant to assessing the risk of material misstatement in the financial statements. This understanding informs the ANAO’s audit approach, including the reliance that may be placed on entity systems to produce financial statements that are free from material misstatement. The interim phase of the audit assesses the operating effectiveness of controls. In the final audit phase the ANAO completes its assessment of the effectiveness of controls for the full year, undertakes detailed testing of material balances and disclosures in the financial statements, and finalises its audit opinion on entities’ financial statements.

1.7 In accordance with generally accepted auditing practice, the ANAO accepts a low level of risk that an audit will fail to detect the financial statements are materially misstated. This low level of risk is accepted because it is too costly to perform an audit that is predicated on no level of risk. An understanding of the entity, its environment and its controls, helps the ANAO design the required work and respond to risks that bear on financial reporting. The key areas of financial statements risks identified through this planning approach are discussed in chapter 3 for each entity included in this report.

1.8 A key component of understanding the entity and its environment is to understand the governance arrangements established by its accountable authority.² Accountable authorities of all Commonwealth entities and companies subject to the PGPA Act are required to govern their entity in a way that promotes the proper use and management of public resources, the achievement of the purposes of the entity and the entity’s financial sustainability.

1.9 The development and implementation of effective corporate governance arrangements and internal controls should be designed to meet the individual circumstances of each entity. These processes also assist in the orderly and efficient conduct of the entity’s business and compliance with applicable legislative requirements, including the preparation of annual financial statements that present fairly the entity’s financial position, financial performance and cash flows.

Understanding the entity

1.10 The ANAO uses the framework in the Australian Auditing Standards (ASA) 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment to consider the impact of different elements of an entity’s internal controls that support the preparation of financial statements. This approach provides a basis for designing and implementing the audit work program that reflects the ANAO’s assessment of the risk of material misstatement. Deficiencies in the internal control framework increase the requirement of the ANAO to perform additional audit work in the final phase. Figure 1.2 outlines these elements.

Figure 1.2: Elements of entity internal controls

Source: ASA 315 Identifying and assessing the risk of material misstatement through understanding the entity and its environment, paragraph A59.

1.11 This chapter discusses each of these elements and outlines observations based on the ANAO’s review of aspects of each entity’s internal controls, relevant to the risk of material misstatement to the financial statements, including the detailed results of the interim audits.

1.12 At the completion of the interim audits for the 26 entities included in this report, the ANAO noted that key elements of internal control were operating effectively for 19 entities. For four entities³, except for particular finding/s outlined in chapter 3, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement. For the Departments of: Defence; Education and Training, and the National Disability Insurance Agency, a number of findings were identified which reduced the level of confidence that could be placed on key elements of internal control and that financial statements can be prepared free from material misstatement.

1.13 The key elements of internal controls for the full financial year will be assessed in conjunction with additional audit testing during the 2018–19 final audits.

Control environment

1.14 The PGPA Act sets out the requirements to establish and maintain systems relating to risk and control. Division 2, section 16 of the PGPA Act states that:

The accountable authority of a Commonwealth entity must establish and maintain:

1. an appropriate system of risk oversight and management for the entity; and
2. an appropriate system of internal control for the entity.

including by implementing measures directed at ensuring officials⁴ of the entity comply with finance law.⁵

1.15 An effective control environment is underpinned by a fit-for-purpose governance structure. Indicators of an effective governance structure include whether management has established frameworks and processes that promote positive attitudes, awareness and actions concerning the entity’s internal controls and their importance in the entity. The main elements reviewed included: governance structures relevant to the preparation of the financial statements; audit committee and assurance arrangements; systems of authorisation; and processes for recording financial transactions.

1.16 All entities included in this report have established executive management structures that meet at least monthly, in the form of executive committees and sub-committees, supporting financial decision making at the strategic and operational levels.⁶ Consistent with previous years, consideration of financial reporting was included on the agendas of all 26 entities’ executive and audit committees. The financial information provided to the entities’ executives was supplemented by non-financial operational information.

1.17 Clear lines of accountability and reporting are important in establishing a strong internal control environment for the purposes of preparing the financial statements. The involvement of those charged with governance is an important element of these structures. Just as important is ensuring that staff at all levels understand their own role in the control framework. This can be achieved through the issuance of accountable authority instructions, and delegation instruments.⁷ All entities have established accountable authority instructions and delegations reflecting current business arrangements.

Audit committees

1.18 The PGPA Act requires audit committees to be established for Commonwealth entities and Commonwealth companies.⁸ An independent audit committee is a fundamental principle of good governance.⁹ The audit committee plays a key role in assisting the accountable authority to fulfil its governance, risk management and oversight responsibilities through the provision of independent assurance and advice.

1.19 Section 17 of the Public Governance Performance and Accountability Rule 2014 (PGPA Rule) sets out the minimum requirements relating to the audit committee of a Commonwealth entity. The key requirements of the PGPA Rule are outlined below.

• A written charter, set by the accountable authority, determining the functions of the audit committee for the entity. These functions must include reviewing the appropriateness of the accountable authority’s: financial reporting; performance reporting; system of risk oversight and management; and system of internal control for the entity.
• Membership of the committee to include at least three persons with appropriate qualifications, knowledge, skills or experience to assist the committee to perform its functions. A majority of committee members and the committee chair, must be independent of the entity.
• Persons that must not be a member of the audit committee: the accountable authority or, if the accountable authority has more than one member, the head; the Chief Financial Officer; and the Chief Executive Officer.

1.20 All entities have established audit committees consisting of a majority of members which were assessed by the entity to be independent. All entities have an audit committee charter that is consistent with their obligations under subsection 17(2) of the PGPA Rule. Each entity has appointed an independent audit committee chair.

Risk assessment processes

1.21 Section 16 of the PGPA Act sets out an accountable authority’s responsibilities in regard to the establishment of appropriate risk oversight and management in an entity. An understanding of an entity’s process to identify and manage risk is essential to an effective and efficient financial statements audit. A review of this process is done to assist the ANAO to, understand how entities identify and manage risks relating to financial statements and assess the risk of material misstatement to an entity’s financial statements.

1.22 All entities included in this report have a process to develop and update risk management plans at the organisational and work area levels. In addition, each entity has developed processes for the identification and notification of risks relevant to financial statements preparation either as part of the overall risk management plan, or through a targeted risk identification exercise. The monitoring of risks, and the entities’ implementation of risk management strategies, was typically assigned to either an executive committee and/or the audit committee.

1.23 For this report the ANAO is providing a detailed analysis of entity Fraud Control Management. This is included in Case Study 1 below.

Monitoring of controls

1.24 Entities undertake many types of activities as part of their monitoring of control processes, including external reviews, self-assessment processes, post-implementation reviews and internal audits. The level of review of these activities by the ANAO is determined through a risk assessment approach that takes into consideration the nature, extent and timing of each activity and the activities application to the preparation of the financial statements.

Internal audit

1.25 As part of the financial statements audit coverage, the activities of internal audit are reviewed to gain an understanding of its role and activities in the entity. Where an internal audit function has been established it can play an important role in providing assurance to the accountable authority that the internal control framework is operating effectively. Entities are encouraged to identify opportunities for internal audit coverage of key financial systems and controls as a means of providing increased assurance to accountable authorities to support their opinion on the entity’s financial statements.

1.26 The extent to which the work of internal audit may be able to be used, in a constructive and complementary manner, varies between entities and is more likely to occur where internal audit work is focused on financial controls and legislative compliance. If the ANAO expects to use the work of internal audit, in accordance with ASA 610 Using the Work of Internal Auditors, the ANAO is required to assess whether the internal audit function has: appropriate organisational status; relevant policies and procedures to support their objectivity; an appropriate level of competence; and whether they apply a systematic and disciplined approach in the execution of their work including quality control.

1.27 When it is determined that the work of internal audit can be used to support an effective audit approach, additional work is performed to confirm its adequacy to support the external audit. This will include confirmation that the scope of the work is appropriate, that there is sufficient evidence to support the conclusions drawn and selected re-performance of internal audit’s testing.

1.28 For the entities included in this report it was observed that internal audit coverage is based on an internal audit plan that is aligned with entities’ risk management plans and includes combinations of audits that address assurance, compliance, performance improvements and IT systems reviews. In addition, suggested topics from management, audit committees and external influences, such as the ANAO’s planned performance and financial statements coverage, are factors considered in the development of internal audit work plans.

Reporting relating to compliance with finance law

1.29 The introduction of the PGPA Act resulted in a move from a compliance-based approach to a principle-based framework for Commonwealth entities. To promote the safe custody and proper use of public resources whilst reducing red tape, a greater emphasis is placed on the robustness of an entity’s self-assessment processes, strong governance structures and internal control frameworks to identify risks. A practical example of this is an entity’s requirement to report on compliance with finance law.¹⁷

1.30 Prior to 2015–16, General Government Sector entities were required to submit an annual Certificate of Compliance to the Minister for Finance and the responsible Minister summarising all non-compliance with the PGPA Act Framework. From 2015–16, the Department of Finance changed the compliance reporting process to require entities to report only significant non-compliance with the finance law to both the Finance Minister and the responsible Minister.

1.31 To support the change in requirements, the Department of Finance issued guidance in relation to reporting of significant non-compliance through the Resource Management Guide 214 Notification of significant non-compliance with finance law (PGPA Act, section 19) (RMG 214). The guide outlines factors which may be considered when determining whether significant non-compliance occurred including:

• failure to comply with the duties of accountable authorities (PGPA Act section 15 to 19);
• serious breaches of the general duties of officials (PGPA Act sections 25 to 29) including any fraudulent activity by officials;
• systemic issues reflecting internal control failings or high volume instances of non-compliance; and
• non-compliance issues that are likely to impact on the entity’s financial sustainability.

1.32 RMG 214 notes that the accountable authority should consider their entity’s environment when determining whether instances of non-compliance are significant. As part of the interim audits the ANAO considered entities’ application of RMG 214.¹⁸

1.33 Entities advised that professional judgement is applied and consideration given, to the nature and volume of breaches when assessing significance.¹⁹ Seven entities²⁰ provided further guidance within their definition of significant non-compliance, specifying a financial threshold above which non-compliance would be considered significant. The financial thresholds include: a percentage of either departmental budget amounts or entity determined materiality thresholds; or set dollar figure. The dollar range of thresholds varies from $50,000 to $20 million.

1.34 As part of an audit committee’s governance role, it usually has oversight of the process for collating instances of non-compliance and the subsequent assessment regarding their significance. Changes to mandatory external compliance reporting process in 2015–16 removed the requirement for all instances of non-compliance to be centrally reported to the Department of Finance. As a consequence, the Departments of: Foreign Affairs and Trade; Human Services, and the National Disability Insurance Agency reduced their level of reporting, requiring only significant non-compliance to be reported to their audit committee and accountable authorities. As a central listing of non-compliance is not maintained, these entities have been excluded from the analysis of non-compliance summarised in Figure 1.3. The scope of the PGPA Act compliance reporting process at the Department of Parliamentary Services focused on procurement functions and was not standardised or embedded across the entity.

1.35 In addition to notifying the relevant minister of any significant issues which occur, entities must also report any significant non-compliance in their annual report in line with the PGPA Rule subsection 17AG. The Departments of: Defence, and Industry Innovation and Science reported significant non-compliance with finance law in their 2017–18 annual reports, as outlined below.

• During 2017–18, Defence reported 26 instances of significant noncompliance with the finance law. These [instances related to] transactions which were proven as fraud committed by an official. Defence authorities addressed these instances through criminal, or disciplinary prosecution action. Significant fraud cases are also reported separately to the Minister for Defence in accordance with reporting requirements set out in the Commonwealth Fraud Control Framework.²¹
• The department [Industry, Innovation and Science] identified significant instances of non-compliance with the finance law, specifically with the Commonwealth Procurement Rules (including consequential breaches relating to section 23 of the PGPA Act). Corrective action has been undertaken, which ensures that the department’s needs for operational efficiency and flexibility are met within a compliant framework.²²

1.36 Entities undertake a range of activities to identify instances of non-compliance and support their assessment of whether identified breaches meet the definition of significant. These activities include self-reporting, internal assurance activities, and questionnaires completed by officers holding delegations. Through these processes, in 2017–18 the entities included in this report identified a total of 4,975 instances of non-compliance.²³ Two entities reported no non-compliance²⁴, two entities have above 10 percent of the total breaches²⁵ and the remaining 18 entities each reported between one and nine per cent of the non-compliance.

1.37 Figure 1.3 provides the ANAO analysis of instances of non-compliance by category as identified by entities in 2017–18.

Figure 1.3: Non-compliance identified with finance law during 2017–18 by entities

Source: ANAO analysis of non-compliance identified by entities.

1.38 Further details of the areas of non-compliance depicted in Figure 1.3 are detailed below.

• The following three entities identified the highest levels of non-compliance with the Commonwealth Procurement Rules: the Department of Defence (1,682 instances); the Department of Home Affairs (406 instances); and the Department of the Prime Minister and Cabinet (225 instances). Of the non-compliance with Commonwealth Procurement Rules, a high proportion of breaches related to rule 7.16, which requires entities to report contracts entered into or amended over $10,000 on AusTender within 42 days.
• Breaches of section 23 of the PGPA include failure to obtain appropriate delegate approval prior to entering into contracts and exceeding a delegate’s approval. The following three entities identified the highest levels of non-compliance in this area; the Department of Defence (414 instances); the Department of Home Affairs (178 instances); and the Department of Agriculture and Water Resources (175 instances).
• Non-compliance with the Commonwealth Grant Rules and Guidelines predominately resulted from entities not meeting the requirement to publish grants on GrantConnect within 21 days.
• The majority of instances of non-compliance with the PGPA Act, excluding section 23, related to breaches of officer duties under sections 25 and 26 arising from misuse of corporate credit cards.
• The non-compliance with the PGPA Rule relates to failure to document the approvals to enter into arrangements under section 23 of the PGPA Act and banking monies within five days from receipt.

1.39 The collation and reporting of non-compliance allows audit committees and accountable authorities to assess emerging risks and determine training requirements or changes to procedures required to address trends. The ANAO has undertaken a detailed analysis of reporting of non-compliance, over the last three financial years, and observed both divergent practices between entities in identifying and assessing the significance of non-compliance, and a reduction in detailed reporting provided to audit committees and accountable authorities.

1.40 For this report the ANAO is providing a detailed analysis of entity Payment Card Policy and Monitoring, this is included in Case Study 2 below.

Information systems

1.41 A review of an entity’s information systems and related controls forms a significant part of the ANAO’s examination of internal controls. Information system controls include entity-wide general controls that establish an entity’s IT infrastructure, policies and procedures as well as specific application controls that validate, authorise, monitor and report financial and human resource transactions.

1.42 As discussed at paragraph 1.10, ASA 315 provides guidance on identifying and assessing the risks of material misstatement of financial statements, including risks associated with an entity’s IT environment. Where those risks are applicable to an entity’s particular business and operational circumstances, it is expected that the entity will implement appropriate controls to mitigate them, and these controls are assessed by the ANAO.

1.43 Table 1.1 outlines the areas of focus used by the ANAO in assessing an entity’s information system controls, including common controls tested to determine the effectiveness of those systems in supporting complete and accurate financial statements reporting.

Table 1.1: Information system controls — areas of focus

Source: ANAO compilation.

1.44 Observations from the ANAO’s interim audit phase relating to entities’ information system controls are provided under the Information Technology Control Environment section included in Interim Audit Results below. Refer to paragraphs 1.56 to 1.76.

Cyber resilience

1.45 In addition to work performed as part of the financial statements audits, the ANAO reviews information systems and related controls as part of its program of performance audits. Since 2013–14, the ANAO has conducted four performance audits to assess the controls over cyber security for fourteen different government entities.⁴⁰

1.46 The first three of these audits assessed both IT general controls and the selected entities’ implementation of the mandatory Strategies to Mitigate Targeted Cyber Intrusions (commonly known as the top four mitigation strategies) in the Australian Government Information Security Manual (ISM)⁴¹, which are required by the Protective Security Policy Framework (PSPF). These controls have been mandatory for non-corporate Commonwealth entities since July 2014. The fourth audit was extended to also review implementation of the four non-mandatory strategies that make up the Essential Eight.⁴² A fifth audit in this series is being conducted as part of the ANAO 2018–19 Annual Audit Work Program.

1.47 All non-corporate Commonwealth entities are required to undertake an annual point in time self-assessment against the requirements of the PSPF and report the results to the relevant Portfolio Minister, with a copy to be sent to the Secretary of the Attorney-General’s Department and to the Auditor-General.⁴³ These requirements are divided into four categories:

• Governance — to implement and manage protective security protocols;
• Personnel Security — to ensure the suitability of personnel to access Australian Government resources;
• Information Security — to ensure the confidentiality, availability and integrity of all official information; and
• Physical Security — to ensure a safe working environment for employees, contractors, clients and the public, and to provide a secure environment for official assets.

1.48 Prior to October 2018, the strategies to mitigate cyber intrusions formed part of the mandatory information security requirements of the PSPF (INFOSEC 4). The new PSPF commenced on 1 October 2018 and uses a different numbering system, however, the requirement to implement the top four strategies is still reflected in the Framework. For 2018, entities have reported on their compliance with INFOSEC 4 under the version current at the time of reporting. Therefore, the ANAO has continued to use this terminology for this report.

1.49 Figure 1.4 summarises the 2018 PSPF compliance reporting by the 22 entities included in this report that were required to report.⁴⁴ Twelve entities reported that they were compliant, which is a small increase from the 11 reporting compliance in the previous year. Of the remaining entities, two entities reported partial compliance with INFOSEC 4 and eight entities reported that they were not compliant.

Figure 1.4: Entity Compliance with INFOSEC 4

Source: ANAO Analysis.

1.50 Figure 1.5 summarises the 2018 PSPF compliance reporting across all categories by the 22 entities. INFOSEC 4 continues to be the area of least compliance. This is consistent with the outcomes of the ANAO performance audits, which found that 10 of the 14 entities assessed in those audits were not fully compliant with INFOSEC 4.

Figure 1.5: PSPF compliance comparison by mandatory requirement

Source: ANAO analysis.

1.51 Not implementing the recommended mitigation strategies reduces an entity’s ability to continue providing services while deterring and responding to cyber intrusions. It also increases the likelihood of a cyber intrusion. Recent ANAO reports relating to cyber security include a number of recommendations to assist with this, which entities should review and implement where applicable.

Control activities

1.52 As part of the interim audits, the ANAO assesses the effectiveness of key controls identified during the planning stages. This assessment is made at a point in time and provides the Parliament, the public and entities with an insight into weaknesses that have the potential to impact the financial statements at year end.

Interim audit results

1.53 Audit findings are raised in response to the identification of a potential business or financial risk posed to an entity. Often these risks arise from deficiencies within an entity’s internal control processes or frameworks. Weaknesses in internal controls increase the possibility that a material misstatement of an entity’s financial statements will not be prevented or detected in a timely manner. The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The rating scale is presented in Table 1.2.

Table 1.2: Findings rating scale

1.54 A summary of all significant, moderate and minor audit findings identified at the conclusion of the interim audit phase across the past five financial years is presented in Figure 1.6 below.

Figure 1.6: Trend in aggregate audit findings 2015–16 to 2018–19

Source: ANAO data.

1.55 The findings have been classified into to broad categories as follows:

• IT control environment;
• compliance and quality assurance frameworks;
• accounting and control of non-financial assets;
• revenue, receivables and cash management processes;
• human resources financial processes; and
• purchases and payables management.

Table 1.3: Audit findings by category for the 2018–19 interim period

Source: Compilation of ANAO interim audit findings.

Information technology control environment

1.56 As described in paragraph 1.41, the review of information systems and related controls is an integral part of an entity’s control environment. Figure 1.7 demonstrates the trends in interim audit findings related to entities’ overall IT control environments from 2015–16 to 2018–19.

1.57 At the time of this report, testing of the operating effectiveness of IT controls had not been completed for three entities⁴⁵ and therefore those results are not reflected in this summary.

Figure 1.7: IT control environment findings 2015–16 to 2018–19

Source: ANAO data.

1.58 Findings related to entities’ IT control environments represent 56 per cent of total findings identified during the 2018–19 interim period. IT control environment findings continue to represent the highest proportion of all findings. Seven new moderate findings were reported in 2018–19, which is an increase of two from the previous year.⁴⁶ No moderate findings were carried over from the previous year. The continued level of findings in IT control environments indicates that entities need to focus on processes to monitor IT controls to prevent reoccurrence of issues as recommended by the Joint Committee of Public Accounts and Audit (JCPAA).⁴⁷

1.59 The information systems control environment findings reported at the conclusion of the 2018–19 interim audits for entities included in this report have been grouped as follows⁴⁸:

• IT security;
• IT change management; and
• disaster recovery arrangements.

IT Security

1.60 IT security is concerned with protecting an entity’s information assets from internal and external threats. It includes controls to prevent or detect unauthorised access to systems, programs and data. In the context of the financial statements audit, the focus is on the financially significant systems and data only.

1.61 The key controls that address risks relating to IT security and that are assessed as part of the interim audit are:

• IT security governance;
• general and privileged user access; and
• monitoring and reporting.

1.62 Figure 1.8 illustrates the trends in findings observed in entities’ IT security arrangements between 2015–16 and 2018–19.

Figure 1.8: IT security findings 2015–16 to 2018–19

Note: The comparative numbers in this figure have been updated to include findings previously categorised as IT application controls which related to IT security.

Source: ANAO data.

1.63 The IT security findings represents 69 per cent of all IT related findings reported in 2018–19. Six moderate findings were reported in the current year (2017–18: five). Further details of the moderate findings are detailed in chapter 3.⁴⁹ Findings related to:

• logging and monitoring of privileged user activity;
• removal of user access when it is no longer required;
• user access management, including performing regular user access reviews; and
• password configuration.

1.64 Users with administrative access privileges, commonly referred to as privileged users, are able to make significant changes to IT systems configuration and operation, bypass critical security settings and access sensitive information. As part of reviewing IT security arrangements, different groups of privileged users were examined, including:

• application administrators, sometimes referred to as super users;
• database administrators;
• system administrators; and
• network or domain administrators.

1.65 To reduce the risks associated with this access, the ISM recommends that privileged user access be appropriately restricted and when provided, that the access is logged, regularly reviewed and monitored. Five moderate⁵⁰ and eight minor findings relate to entities that have not implemented adequate logging and monitoring procedures over privileged user accounts. There were also five minor findings relating to access rights for both privileged and regular users not being monitored for appropriateness.

1.66 Entities must remove or suspend user access on the same day a user no longer has a legitimate business requirement for its use.⁵¹ Terminating a user account when the user no longer has a requirement to access it, such as upon departure from an entity, can prevent unauthorised use. Two of the moderate findings in relation to privileged user access weaknesses also identified issues with the untimely removal of user access.⁵² There was also one additional moderate and five minor findings in this area.

1.67 Two minor findings relate to inadequate password controls increasing the likelihood of unauthorised access to systems and data. The ISM provides guidance on the password requirements for Australian Government systems. One minor finding related to policies and procedures not reflecting the current environment.

1.68 The findings within this category increase the risk of unauthorised changes being made to systems and data, or unauthorised data leakage. Entities should review their management of these areas in light of the recommendations of the ISM and the risks to their operational environment.

IT change management

1.69 IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being introduced, and to reduce the likelihood that normal business operations are not interrupted with the implementation of authorised changes.

1.70 Figure 1.9 illustrates the trends in findings identified in entities’ IT change management controls between 2015–16 and 2018–19.

Figure 1.9: IT change management findings 2015–16 to 2018–19

Note: The comparative numbers in this figure have been updated to include findings previously categorised as IT application controls which related to IT change management.

Source: ANAO data

1.71 Changes to entities’ IT environments were managed using standardised processes, usually based on the ITIL Framework.⁵³ One moderate and eight minor findings were identified in this area. The moderate audit finding relates to the Department of Agriculture and Water Resources. Further detail can be found in the Department of Agriculture and Water Resources section chapter 3. One minor finding related to data migration performed as part of implementing a change. The remaining findings related to weaknesses in the operation of the change management processes and a lack of segregation between the developer and migrator of a change.

1.72 The number of findings in this area has increased over the last two years. This elevates the risk of unauthorised changes to systems, and may affect the availability or reliability of the overall IT environment. Entities should monitor the operating effectiveness of their IT control environments to mitigate risks.

Disaster recovery arrangements

1.73 Disaster recovery is concerned with the resumption of the IT environment including systems and data. It relies on:

• effective back-up and recovery arrangements, to allow data to be recovered from current versions of key IT systems; and
• disaster recovery planning, including the development, maintenance and testing of a disaster recovery plan to enable IT systems to be recovered in line with defined business requirements.

1.74 The ANAO assesses entities’ disaster recovery arrangements in view of the potential for a disruptive event to impact on financial reporting. Figure 1.10 illustrates the trend for findings identified in entities’ disaster recover arrangements between 2015–16 and 2018–19.

Figure 1.10: Disaster recovery findings 2015–16 to 2018–19

Source: ANAO data

1.75 All entities undertook regular backups of financially significant data and had disaster recovery plans in place. Three entities received minor audit findings relating to not undertaking testing of their disaster recovery plans, two of these have remained unresolved since 2017–18.

1.76 Overall, the majority of IT controls continued to be effective in most entities included in this report during 2018–19. Consistent with observations in previous years, IT Security, particularly with regard to management of user access, continues to be an area requiring improvement to address the risk of inappropriate access to systems and data.

Compliance and quality assurance frameworks

1.77 Entities place reliance on internal and external systems, parties and information in decision-making processes. The implementation of effective compliance and quality frameworks and processes, provides assurance over the completeness and accuracy of information and is integral to the preparation of financial statements that are free from material misstatement.

Figure 1.11: Compliance and quality assurance framework findings 2015–16 to 2018–19

Source: ANAO data

1.78 The three moderate findings related to weaknesses in either assurance processes over information sourced from third parties or risk management practices relating to loan facilities. ⁵⁴ One of these finding, relating to the National Disability Insurance Agency: Streamlined Access to Scheme — Defined Programs, was first reported in 2016–17 and remains unresolved.

1.79 The number of minor audit findings reported in 2018–19 has significantly decreased compared with 2017–18. There remains a need for entities to focus attention on:

• maintaining effective governance over third party or joint service delivery arrangements;
• implementing quality assurance processes over data integrity;
• developing and implementing risk management frameworks that support the effective management of risk in the delivery of programs; and
• implementing effective quality assurance processes over key financial statements inputs particularly those subject to professional judgement and uncertainty.

Accounting and control of non-financial assets

1.80 Entities control a diverse range of non-financial assets on behalf of the Commonwealth, including land and buildings, specialist military equipment, leasehold improvements, infrastructure, plant and equipment, inventories and internally-developed software.

Figure 1.12: Accounting and control of non-financial assets audit findings 2015–16 to 2018–19

Source: ANAO data.

1.81 The significant and moderate findings were reported to the Department of Defence. They were raised during the 2017–18 final audit phase and remain unresolved.⁵⁵ The significant audit finding relates to the Department of Defence’s management and monitoring of specialist military equipment and inventory balances. The unresolved moderate audit finding relates to weaknesses in revaluation and impairment processes.

1.82 The three minor audit findings reported in 2018–19 relate to control weaknesses in relation to management of assets under construction, stocktaking processes and integrity of data recorded in the asset register.

Revenue, receivables and cash management

1.83 Revenue and receivables consists of Parliamentary appropriations, taxation revenue, customs and excise duties and administered levies. Revenue is also generated by entities from the sale of goods and services and a range of other sources. Cash management involves the collection and receipt of public monies and the management of official bank accounts.

Figure 1.13: Revenue, receivables and cash management audit findings 2015–16 to 2018–19

Source: ANAO data.

1.84 Consistent with 2017–18, no significant or moderate audit findings have been identified that relate to revenue, receivables and cash management. The two minor audit findings reported in 2018–19 relate to weaknesses in controls supporting the completeness and accuracy of reported revenue.

Human resource financial processes

1.85 Human resources encompass the day-to-day management and administration of employee entitlements and payroll functions. Employee benefits expenditure represents a significant departmental expenditure item for most entities. Employee entitlement liabilities involve estimates and judgements in inputs. It is important for entities to establish robust controls in these areas to support complete and accurate payment and recording of transactions.

Figure 1.14: Human resources financial processes audit findings 2015–16 to 2018–19

Source: ANAO data.

1.86 Consistent with 2017–18 there were no significant or moderate audit findings relating to human resource processes. Minor audit findings have decreased in 2018–19 and relate to weaknesses identified in relation to commencements and terminations of employees and the monitoring of controls over payroll processing and reporting.

Purchases and payables management

1.87 Purchases and payables management covers controls and processes that provide management assurance that payments processed by the entity are complete and accurate. This may include the implementation of appropriate systems of approval or controls designed to ensure that payments processed through the financial management information system are appropriate.

Figure 1.15: Purchases and payables management audit findings 2015–16 to 2018–19

Source: ANAO data.

1.88 The minor findings relate to weaknesses in reconciliation processes and the timely acquittal of credit cards. Reconciliation processes are designed to confirm the completeness and accuracy of payments initiated in business systems and processed through financial management information systems. The ANAO has reviewed the payment card policies and monitoring for the entities included in this report within case study 2.

Other audit findings

1.89 Other audit findings typically include items relating to the: management and implementation of service level agreements or memoranda of understanding; updating or maintaining key governance documentation; and presentation and disclosure in the financial statements.

Figure 1.16: Other audit findings 2015–16 to 2018–19

Source: ANAO data.

1.90 The moderate audit finding, first reported in 2017–18, relates to weaknesses in appropriate exercise of delegations at the National Disability Insurance Agency.⁵⁶ The weaknesses in this category related to the:

• formalisation and implementation of key corporate documents including agreements with third parties and legislation compliance frameworks; and
• classification of expenditure and the completeness of reconciliations between systems.

Introduction

2.1 The Australian Government’s financial reporting framework is based, in large part, on standards made independently by the Australian Accounting Standards Board (AASB). The framework is designed to support decision-making by, and accountability to, the Parliament.

2.2 The AASB bases its accounting standards on the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. As IFRS are designed primarily for use by private sector and for-profit organisations, the AASB amends the IFRS to reflect significant transactions and events that are particularly prevalent in the public and not-for-profit private sectors. In doing so, it takes into account standards issued by the International Public Sector Accounting Standards Board.

2.3 The Finance Minister prescribes additional reporting requirements for Commonwealth entities. These are contained in the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 (the Rule). The Rule is made under the Public Governance, Performance and Accountability Act 2013 (the PGPA Act).

2.4 The audits of the financial statements of Australian Government entities are conducted in accordance with the ANAO Auditing Standards, which are made by the Auditor-General under section 24 of the Auditor-General Act 1997. The ANAO Auditing Standards incorporate, by reference, the auditing standards made by the Australian Auditing and Assurance Standards Board (AUASB). The Australian Auditing and Assurance Standards Board bases its standards on those made by the International Auditing and Assurance Standards Board, an independent standard setting board of the International Federation of Accountants.

2.5 The financial reporting and auditing frameworks that applied in 2018–19 are illustrated in Appendices 2 and 3 of this report.

Changes to the Australian public sector reporting framework

Changes in the financial framework

2.6 The Independent Review into the operation of the Public Governance, Performance and Accountability Act 2013 and Rule (the PGPA Review), released in September 2018, made a number of recommendations, the responses to which will impact the presentation and preparation of financial statements. The PGPA Review mirrors recommendations made by the Joint Committee of Public Accounts and Audit (JCPAA) in 2017 in response to the Auditor-General’s report number 33 (2016–17)⁵⁷.

2.7 The Department of Finance has undertaken a number of initiatives in response to the PGPA Review including the development of a ‘Transparency Portal’ for the publication and utilisation of annual reports, the preparation of a Financial Statements Better Practice Guide, and amendments to the PGPA Rules in relation to reporting on executive and highly paid staff remuneration.

Transparency Portal

2.8 The Transparency Portal⁵⁸ (the Portal) is an online digital reporting tool for the publication and presentation of annual reports of all Commonwealth companies and Commonwealth entities. The Portal was opened for public use in March 2019.

2.9 The Portal has the functionality to:

• provide a single point of access for all Commonwealth company and Commonwealth entity annual reports;
• support compliance with the Commonwealth financial reporting framework through the use of data sets based on the minimum financial reporting and disclosure requirements of the PGPA Act and Financial Reporting Rule;
• enable Portal users to search for and compare financial statements data between entities and between years using viewer generated tables and graphs;
• perform financial ratio analysis with the Portal currently providing users with ratios for total assets to total liabilities and financial asset to liabilities; and
• have entities upload Corporate Plans and Portfolio Budget Statements.

2.10 In April 2019, the Finance Minister amended the PGPA Rule⁵⁹ to require all Commonwealth companies and Commonwealth entities to publish their 2018–19 annual reports on the Portal. The Rule does not require entities to upload Corporate Plans or Portfolio Budget Statements.

Financial Statements Better Practice Guide

2.11 The Department of Finance has published a Financial Statements Better Practice Guide60 as a practical resource to support finance staff in the financial statement preparation process by including draft timetables, compliance checklists, a range of administrative templates and practical guidance e.g. how to prepare an accounting position paper and what sort of information an auditor is likely to request.

Reporting of Executive Remuneration

2.12 The PGPA Review and JCPAA⁶¹ recommended that increased disclosure of Executive and highly paid staff remuneration would be beneficial to users of Commonwealth annual reports and allow for increased transparency.

2.13 In April 2019 the Minister for Finance amended the PGPA Rule⁶² to require Commonwealth entities⁶³ to disclose in the annual report remuneration of:

• key management personnel;
• senior executive staff in aggregate by $25,000 band starting from a threshold of $0 to $220,000; and
• other highly paid staff in aggregate by $25,000 band starting from a threshold of $220,000.

Performance framework

2.14 The PGPA Act provides the basis for the Commonwealth performance framework. Commonwealth entities are required to publish planned financial and non-financial performance information with the aim of providing more transparent and meaningful information to the Parliament and the public.

2.15 The PGPA review recommended the Finance Minister, in consultation with the JCPAA, should request that the Auditor-General pilot assurance audits of annual performance statements to trial an appropriate methodology for these audits. The Committee should monitor the implementation of the pilot on behalf of the Parliament.

2.16 The ANAO has completed three performance audits that covered elements of ten individual entity performance statements. The results are published in three Auditor General Reports: Implementation of the Annual Performance Statements Requirements 2015–16⁶⁴, 2016–17⁶⁵ and 2017–18.⁶⁶

Changes to accounting standards

2.17 Public sector entities must implement the new standard for financial instruments for 2018–19. This represents a major revision to the current methods for recognition and disclosure of financial instruments. The effort and time required to transition to this new standard should not be underestimated with preparers required to develop business models and update accounting policies particularly in regard to the expected credit loss model.

Financial instruments

2.18 The new financial instruments standard AASB 9 Financial Instruments (AASB 9) is effective for financial years commencing on or after 1 January 2018. This means it will have implications for most entities in the 2018–19 financial year. AASB 9 moves away from recognition and disclosure primarily determined by the type of instrument to recognition and disclosure determined in large part by an entity’s purpose for acquiring and holding the instrument. Where the financial instrument is held for the purpose of government policy, the entity will need to document the relationship between classification and policy.

2.19 AASB 9 amends the existing historical loss model for the assessment of credit risk to an expected loss model. This will require entities to consider the initial and ongoing ability of the creditor to settle the obligation.

2.20 The Department of Finance has issued a positon paper Implementation Options for AASB 9 Financial Instruments⁶⁷, which outlines the Commonwealth’s position with regard to selected options and application guidance for transitioning to the new standard. This includes the position that in applying the new standard retrospectively, as required by AASB 9, entities are not required to restate comparative information and any difference between the previous and revised carrying amount is recognised in opening retained earnings.

Future changes to accounting standards

2.21 Public sector entities will also need to prepare for a number of new standards for 2019–20. These new standards represent major revisions to existing standards for revenue and leases. The effort and time required to transition to these new standards should not be underestimated with preparers required to write new or revise existing accounting policies, and undertake a review of all the underlying contracts and in some instances consider amending contracts.

Revenue

2.22 The new revenue standard AASB 15 Revenue from Contracts with Customers (AASB 15) is effective for financial years commencing on or after 1 January 2019 for not-for-profit entities, meaning it will impact most Commonwealth entities in the 2019–20 financial year.⁶⁸ AASB 15 applies to all exchange transactions and provides a consistent approach to revenue recognition. The principle underpinning AASB 15 is that revenue is earned when the customer receives the goods or services that have been promised under the contract. AASB 15 will impact entities where:

• funding is given to provide goods or services to a third party - the entity will recognise revenue when the goods or services are provided to the third party. Under standards currently in force, revenue is recognised when the money is received from the funding provider;
• funding agreements do not identify specific goods or services to be delivered over the term of the contract. Entities will recognise revenue up front unless contract completion is a deliverable; and
• both revenue and the related expense are deferred until the goods or services are delivered, entities with significant non-appropriation revenue are likely to see an impact on their balance sheet and operating result, particularly for long term projects with a significant delay between establishment and initial delivery.

2.23 The Department of Finance has issued a positon paper Implementation Options for AASB 1058 Income of Not-for-Profit Entities in conjunction with AASB 15 Revenue from Contracts with Customers⁶⁹, which outlines the Commonwealth’s position on options for the implementation of AASB 1058 Income of Not-for-Profit Entities (AASB 1058), in conjunction with AASB 15. This includes the position that entities are required to adopt a modified retrospective application on transition. As a consequence, AASB 15 is to be applied to all new and uncompleted contracts from the date of initial application and comparative information for the preceding periods is not required to be restated.

Leases

2.24 The revised leasing standard AASB 16 Leases (AASB 16) is effective for financial years commencing on or after 1 January 2019; this means it will impact entities in the 2019–20 financial year. AASB 16 significantly increases the recognition and disclosure of leases by lessees with the majority of leases currently treated as operating leases recognised on the balance sheet. The net impact on the balance sheet is expected to be limited as the right-of-use asset and liability for future lease payments will be largely offsetting as the value of the right-of-use asset is based on the net present value of the future lease payments. In terms of profit or loss impact, rather than the current annual rent expense over the term of the lease, two expenses will be recognised — interest on the lease liability and amortisation of the right-of-use asset. The effect of AASB 16 is to “front-load” the recognition of expense, rather than recognising it on a straight-line basis.

2.25 The adoption of AASB 16 is expected to be a time consuming task for those entities with significant numbers of operating leases. Entities will need to review all lease agreements to identify the individual right-of-use assets, unbundle any service arrangements and identify where the lease payments are significantly below market value. Lessees will also need to consider that AASB 16 requires entities to include known contingent rents on initial measurement of the asset and liability and subsequently remeasure the lease asset and liability as subsequent contingent rent events become known.

2.26 The Department of Finance have issued a positon paper Implementation Options for AASB 16 Leases⁷⁰ which outlines the Commonwealth position on the options available for the implementation of AASB 16. This includes mandating the election to not reassess previous lease contracts under the new standard and the modified transition model under which the cumulative effect of application of the new standard is recognised in opening retained earnings.

Introduction

3.0.1 The ANAO’s assessment of the overall risk of material misstatement of the financial statements is based on professional judgement relating to the entity’s particular circumstances. The financial statements audit planning process involves joint procedures with performance audit and takes into account each entity’s environment and governance arrangements, its system of internal control, and prior year financial and performance audit findings. These planning processes inform the identification of areas of key risk that have the potential to impact on the integrity of the financial statements.

3.0.2 The interim phase of the audit focuses on the steps taken by entities to manage these risks, including their systems of internal control. This chapter reflects portfolio and funding arrangements established by the Administrative Arrangement Order of 4 April 2019 and outlines the following information for each of the reported entities:

• the entity’s primary role as reflected in its Portfolio Budget Statements;
• 2018–19 appropriation funding and key financial statements items;
• key areas of financial statements risk including where the ANAO has identified Key Audit Matters (KAM);
• the ANAO’s assessment of the overall risk of material misstatement of the financial statements, which informs the audit processes to be undertaken; and
• the status of significant and moderate audit findings at the completion of the interim audit, and the conclusion relating to audit coverage to date.

3.0.3 The entities included in this report include all Departments of State, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the 2017–18 CFS.

3.0.4 Where a performance audit was tabled during 2018–19 that was relevant to the financial management or administration of an entity, the impact of those observations on the audit approach are discussed within the relevant portfolio section.

3.0.5 An analysis of each of these entities’ 2017–18 results as a percentage of the 2017–18 CFS is presented below. Figure 3.0.1 presents the results of nine entities that contribute more than 10 per cent of either the income, expenses, assets or liabilities of the CFS. The remaining entities are presented in Figure 3.0.2 and contribute less than 10 per cent of all categories.

Figure 3.0.1: Entities contributing more than 10 per cent to the Australian Government’s 2017–18 Consolidated Financial Statements⁷¹

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2018

Figure 3.0.2: Entities contributing less than 10 per cent to the Australian Government’s 2017–18 Consolidated Financial Statements⁷²

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2018.

Results of Financial Statements Audits

3.0.6 Table 3.0.1 presents a summary of new and unresolved significant and moderate findings⁷³ at the conclusion of the 2018–19 interim audits and the 2017–18 interim and final audits.

Table 3.0.1: Significant and moderate findings by entity

Note a: Minor findings identified previously but upgraded to a moderate or significant finding are considered new for the purposes of this table.

Note b: Findings transferred to another entity as a result of Machinery of Government changes, which remain unresolved, are treated as repeat findings for the purposes of this table.

Source: 2017–18 and 2018–19 ANAO audit correspondence.

3.1 Department of Agriculture and Water Resources

Overview

3.1.1 The Department of Agriculture and Water Resources (Agriculture) supports: the sustainability, profitability and competitiveness of Australia’s agricultural, fisheries, food and forestry industries; and the sustainable and productive management and use of rivers and water resources.

3.1.2 Figure 3.1.1 and Figure 3.1.2 show the 2018–19 departmental and administered financial statement items reported by Agriculture and the key areas of financial statements risk.

Figure 3.1.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis of Agriculture’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.1.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis of Agriculture’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.1.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Agriculture’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Agriculture’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.1.3 and the ANAO’s understanding of the operations of Agriculture, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.1.4 Annual appropriation funding of $408.9 million (departmental) and $1,169.9 million (administered) was provided to Agriculture in 2018–19 to support the achievement of the entity’s outcomes.⁷⁴ Agriculture was also budgeted to receive special appropriation funding of $1,014.4 million.⁷⁵ Special appropriations are used for: payments to industry bodies; funding provided under contractual arrangements for research and development, and marketing; and payments related to the farm household allowance.

3.1.5 Table 3.1.1 and Table 3.1.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.1.1: Key expenses and total own-sourced income

Source: Agriculture’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.1.2: Key assets and liabilities

Note: Agriculture’s estimated average staffing level for 2018–19 is 4,657.

Source: Agriculture’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.1.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.1.3.

Table 3.1.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for Agriculture and Agriculture’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.1.7 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to the key areas of financial statements risk disclosed in Table 4.1.3. In addition, interim coverage of IT general controls and supplier and employee benefits expenses has been completed.

3.1.8 Audit procedures relating to all material line items will be undertaken as part of the 2018–19 final audit.

3.1.9 The following table summarises the status of audit findings reported by the ANAO in 2017–18 and 2018–19.

Table 3.1.4: Status of audit findings raised by the ANAO

New moderate audit findings

Weaknesses in Change Management Controls

3.1.10 IT change management provides a disciplined approach to making changes to the IT environment. It includes processes around the governance and approval of changes, controls designed to ensure that changes are properly tested before implementation, and processes for the management of emergency changes. The Australian Government Information Security Manual (ISM) outlines the change management requirements that Government entities should adhere to.

3.1.11 The ANAO identified a number of weaknesses in change management controls, including:

• instances where there was no documented evidence demonstrating system changes had been tested in the production environment;
• no evidence of controls around configuration management. Configuration management controls are important as they help ensure that that only approved and tested versions of software are implemented into the production environment;
• no evidence that a change migrated from the test environment to the production environment was performed by different users; and
• an increase to the percentage of changes implemented by the department using the emergency change procedures.

3.1.12 These weaknesses increase the risk of changes being made to key business and financial systems which are not properly tested, authorised and approved. This in turn may compromise the integrity of information contained within these systems. Agriculture’s emergency change procedures are required where an urgent change is identified that is not otherwise foreseen. If these procedures are applied to known and planned changes the key internal controls designed to ensure an appropriate level of governance oversight may be bypassed.

3.1.13 The ANAO recommends that the Department maintains evidence of the testing and approval of system changes and reduces the number of changes implemented using emergency change processes. The ANAO will review the Department’s remediation activities as part of the final audit phase.

Monitoring and Management of Privileged User Accounts

3.1.14 Maintaining and supporting IT systems requires that some individuals have privileged access rights. This level of access can be used to bypass security controls and make changes, either to system settings or directly to system data. Individuals with privileged access must be unique and identifiable, and have their activity regularly monitored to detect any unauthorised use.

3.1.15 The ANAO observed that the Department has an unusually large number of active privileged user accounts and has not formally monitored activities performed using those accounts.

3.1.16 The ANAO also identified that:

• there are a large number of privileged user accounts which have not been actively used during the financial year, and the automatic system control designed to disable inactive accounts after 42 days, has been switched off;
• there are a number of generic and superseded privileged user accounts which are still active. The ISM requires that entities must restrict privileged access to unique and identifiable users.; and
• three user accounts had passwords set to never expire which does not align with the ISM password management requirements.

3.1.17 The ANAO recommends that Agriculture evaluate the effectiveness of logging and monitoring activities for financial statement related systems and implement improvements to gain assurance that staff have appropriate access to systems and data in line with business requirements. The Department has advised that they are in the process of implementing the “OneIdentity” project, which is aimed at simplifying the processes around user access management. The Department expects that the above issues will be resolved through the implementation of this project. The ANAO will review the status of these remediation activities as part of the final phase of 2018–19 audit.

Conclusion

3.1.18 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Agriculture will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2018–19 final audit.

3.2 Attorney-General’s Department

Overview

3.2.1 The Attorney-General’s Department (AGD) supports the Attorney-General in achieving a just and secure society through the maintenance and improvement of Australia’s law, justice, security and integrity frameworks.

3.2.2 AGD has entered into shared service arrangements with the Department of Social Services for the provision of grant management services. AGD remains accountable for compliance with all accounting, legal and administrative requirements.

3.2.3 Figure 3.2.1 and Figure 3.2.2 show the 2018–19 departmental and administered financial statement items reported by AGD and the key areas of financial statements risk.

Figure 3.2.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis and AGD’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.2.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis and AGD’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.2.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact AGD’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AGD’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.2.3 and the ANAO’s understanding of the operations of AGD, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.2.5 Annual appropriation funding of $155.8 million (departmental) and $391.2 million (administered) was provided to AGD in 2018–19 to support the achievement of the entity’s outcomes.⁷⁶ AGD was also budgeted to receive special appropriation funding of $0.48 million that primarily relates to pension payments to former Solicitors- General.⁷⁷

3.2.6 Table 3.2.1 and Table 3.2.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.2.1: Key expenses and total own-sourced income

Source: AGD’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.2.2: Key assets and liabilities

Note: AGD’s estimated average staffing level for 2018–19 is 1,289.

Source: AGD’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.2.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.2.3.

Table 3.2.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for AGD and AGD’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.2.8 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to: administered grants; departmental revenue; and the management of appropriations and special accounts. IT general and application controls and key controls over payroll and cash management have also been assessed.

3.2.9 Audit procedures relating to the valuation of non-financial assets, including administered investments; and financial statements close processes including the consolidation of the AGS will be undertaken as part of the planned 2018–19 final audit.

3.2.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.2.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free of material misstatements. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.3 Department of Communications and the Arts

Overview

3.3.1 The Department of Communications and the Arts (Communications) is responsible for policy development, advice and program delivery with respect to digital technologies, communication services and promoting access to, and participation in, art and culture.

3.3.2 Figure 3.3.1 and Figure 3.3.2 show the 2018–19 departmental and administered financial statement items reported by Communications and the key areas of financial statements risk.

Figure 3.3.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis and Communications’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.3.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis and Communications’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.3.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Communications’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Communications’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.3.3 and the ANAO’s understanding of the operations of Communications, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.3.4 Annual appropriation funding of $111.3 million (departmental) and $5.5 billion (administered) was provided to Communications in 2018–19 to support the achievement of the entity’s outcomes.⁷⁸

3.3.5 Table 3.3.1 and Table 3.3.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.3.1: Key expenses and total own-sourced income

Source: Communications’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.3.2: Key assets and liabilities

Note: Communications’ estimated average staffing level for 2018–19 is 544.

Source: Communications’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.3.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.3.3.

Table 3.3.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for Communications and Communications’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.3.7 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to: grant expenses; cash and asset management; payroll processing; and supplier expenses. Audit coverage has also included an assessment of Communications’ IT general controls and selected applications.

3.3.8 As part of the 2018–19 final audit, audit coverage of the valuation of administered investments and loans, and assets associated with the RBBP will be completed. To date, our audit coverage has not identified any new significant or moderate audit findings. The following table summarises the status of audit findings reported by the ANAO in 2018–19.

Table 3.3.4: Status of audit findings raised by the ANAO

Unresolved moderate/significant audit finding

Risk management practices relating to NBN Co’s loan facility

3.3.9 On 22 December 2016, the Commonwealth entered into a loan arrangement with NBN Co which is administered by the department. The Commonwealth and NBN Co subsequently renegotiated the terms of the loan agreement, including extension of the loan term, with the re-settled loan agreement signed on 26 March 2019. The loan agreement sets out the terms of the $19.5 billion facility, including the applicable undertakings, restrictions and interest rate and a requirement that the principal amount borrowed is to be fully refinanced by 30 June 2024. The value of the loan drawn down as at 30 June 2018 was $5.5 billion. The NBN Co’s operating cash flows are forecast to be positive by 2021–22.

3.3.10 Communications had not established the practices necessary to manage the risks associated with the loan facility. Communications was not able to provide evidence of:

• their undertaking of the evaluation and assessment in establishing the loan, including suitability of the terms and conditions within the contract, other than the interest rate, and details of assessment undertaken to determine NBN Co’s capacity to fully service the loan;
• a governance policy or a suitable framework for Communications’ oversight, review and monitoring of NBN Co’s compliance with the lending arrangements;
• ongoing monitoring of NBN Co’s compliance with several aspects of the loan agreement; and
• an analysis to progressively assess NBN Co’s capacity to fully repay the loan.

3.3.11 The failure to fully establish practices to manage the risks associated with this loan significantly increases the Commonwealth’s risk of exposure to loss. The Commonwealth is the sole shareholder of NBN Co, therefore the recovery of any losses may need to be absorbed by the Commonwealth.

3.3.12 Communications is in the process of implementing a governance and risk management framework to better support the ongoing management of the loan facility. The implementation of the framework will be assessed as part of the final audit phase.

Conclusion

3.3.13 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Communications will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2018–19 final audit.

3.4 Australian Postal Corporation

Overview

3.4.1 The Australian Postal Corporation (Australia Post) is a government business enterprise responsible for operating post offices and distributing mail and parcels in Australia and internationally.

3.4.2 Australia Post’s business is focusing on four key areas: domestic parcel service; investing in network capability including tracking and scanning solutions; increasing international business; and providing financial services through Bank@Post particularly in rural and remote areas.

3.4.3 Figure 3.4.1 shows the 2017–18 departmental financial statement items reported by Australian Postal Corporation and the key areas of financial statements risk.

Figure 3.4.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis and Australia Post’s financial statements for the year ended 30 June 2018

3.4.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Australia Post’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Australia Post’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.4.3 and the ANAO’s understanding of the operations of Australia Post, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.4.5 The operational functions of Australia Post are largely funded from external sources, specifically revenue from parcel services, mail services and retail and agency Services.

3.4.6 Table 3.4.1 and Table 3.4.2 provide a summary of the key 2017–18 audited financial statements items.

Table 3.4.1: Key expenses and total own-sourced income

Source: Australia Post’s 2017–18 audited financial statements.

Table 3.4.2: Key assets and liabilities

Note: Australia Post’s estimated average staffing level for 2018–19 is 35,000.

Source: Australia Post’s 2017–18 audited financial statements.

Key areas of financial statements risk

3.4.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.4.3.

Table 3.4.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for Australia Post and Australia Post’s 2017–18 audited financial statements.

Audit results

3.4.8 The ANAO has substantially completed its 2018–19 interim audit coverage, including an assessment of the effectiveness of controls relating to: cash and cash equivalents; trade receivables; and property, plant and equipment. Interim coverage also included an assessment of the IT general application controls of key systems supporting the financial statements. In addition, an assessment of the effectiveness of non-system controls relating to sales revenue, employee expenses and trade and other payables has been completed.

3.4.9 Audit procedures relating to all key areas of audit focus including the valuation of the Australia Post Superannuation Scheme and the valuation of intangible assets will be undertaken as part of the planned 2018–19 final audit.

3.4.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.4.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.5 NBN Co Limited

Overview

3.5.1 The primary objective of NBN Co Limited (NBN Co) is to provide wholesale services to internet service providers. NBN Co is a government business enterprise incorporated under the Corporations Act 2001.

3.5.2 Figure 3.5.1 shows the 2017–18 financial statement items reported by NBN Co and the key areas of financial statements risks.

Figure 3.5.1: Key financial statement items and areas of financial statements risk

Source: ANAO analysis and NBN Co’s financial statements for the year ended 30 June 2018.

3.5.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact NBN Co’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NBN Co’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.5.3 and the ANAO’s understanding of the operations of NBN Co, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.5.4 The operational functions of NBN Co are funded from the committed equity funding of $29.5 billion from the Australian Government as well as a loan agreement between the Australian Government and NBN Co of up to $19.5 billion, initially for the period from 1 July 2017 to 30 June 2021. The Commonwealth Government has extended the tenor of its loan by three years (from 30 June 2021 to 30 June 2024) and allowed NBN Co to access up to $2 billion of private sector debt. NBN Co’s 2019–22 corporate plan estimates peak funding to be $51 billion.

3.5.5 Table 3.5.1 and Table 3.5.2 provide a summary of the key 2017–18 audited financial statements items.

Table 3.5.1: Key expenses and total own-sourced income

Source: NBN Co’s financial statements for the year ended 30 June 2018

Table 3.5.2: Key assets and liabilities

Note: NBN Co’s staffing level as at 30 June 2018 was 6,184.

Source: NBN Co’s financial statements for the year ended 30 June 2018

Key areas of financial statements risk

3.5.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.5.3.

Table 3.5.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for NBN Co and NBN Co’s financial statements for the year ended 30 June 2018.

Audit results

3.5.7 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to: supplier expenses; employee benefits; inventory; fixed assets; revenue and receivables; purchases and payables; payroll; and accounting for the significant contractual arrangements with Telstra and Optus.

3.5.8 Audit procedures relating to key processes and financial statements line items including IT general and application controls, where appropriate, will be undertaken as part of the planned 2018–19 final audit. In addition, audit procedures will be performed to assess the valuation of network assets.

3.5.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.5.10 Based on our audit coverage to date, key elements of non-IT internal control were operating effectively to provide reasonable assurance that NBN Co will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.6 Department of Defence

Overview

3.6.1 The Department of Defence (Defence) is responsible for protecting and advancing Australia’s strategic interests through: the promotion of security and stability; the provision of military capabilities to defend Australia and its national interests; and the provision of support for the Australian community and civilian authorities as directed by the Government.

3.6.2 As a result of the enactment of the Intelligence Services Amendment (Establishment of the Australian Signals Directorate) Act 2018, the Australian Signals Directorate transitioned from a division within Defence to a statutory agency with effect on 1 July 2018.

3.6.3 Figure 3.6.1 and Figure 3.6.2 show the 2018–19 departmental and administered financial statement items reported by the Department of Defence and the key areas of financial statements risk.

Figure 3.6.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis and Defence’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.6.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis and Defence’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.6.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Defence’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Defence’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.6.3 and the ANAO’s understanding of the operations of Defence, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.6.5 Annual appropriation funding of $36.0 billion (departmental) was provided to Defence in 2018–19 to support the achievement of the entity’s outcomes.⁷⁹ Defence was also budgeted to receive special appropriation funding of $8.5 billion predominantly for the military superannuation provisions.⁸⁰

3.6.6 Table 3.6.1 and Table 3.6.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.6.1: Key expenses and total own-sourced income

Source: Defence’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.6.2: Key assets and liabilities

Note: Defence’s estimated average staffing level for 2018–19 is 74,675.

Source: Defence’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.6.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.6.3.

Table 3.6.3: Key areas of financial statements risk

Note a: Capital commitments has been obtained from the Defence 2017–18 audited financial statements.

Source: ANAO 2018–19 risk assessment for Defence and Defence’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.6.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2018–19 and are relevant to the financial management or administration of Defence:

• Auditor-General Report No.6 2018–19 Army’s Protected Mobility Vehicle – Light;
• Auditor-General Report No.20 2018–19 Major Projects Report;
• Auditor-General Report No.31 2018–19 Defence’s Management of its Projects of Concern; and
• Auditor-General Report No.40 2018–19 Modernising Army Command and Control – the Land 200 Program.

3.6.9 The above reports included observations relevant to the accounting for and valuation of SME and platforms under construction outlined in Table 3.6.3. These reports were considered in designing audit procedures to address areas considered to pose moderate and higher risks of material misstatement.

Audit results

3.6.10 The ANAO has substantially completed its 2018–19 interim audit coverage, including an assessment of the controls relating to asset management processes and the controls implemented to determine the value of inventory at year-end. Interim audit coverage also included assessing IT general and application controls for systems that support the preparation of Defence’s financial statements, in addition to assessing the operation of key non-IT controls in areas including appropriation and cash management, suppliers and employee expenses.

3.6.11 Audit procedures relating to the 30 June 2019 balances for employee provisions, decontamination and decommissioning provisions, inventory, SME and other fixed assets, and the military superannuation provision will be undertaken during the 2018–19 final audit. The ANAO will test Defence’s systems and processes supporting the complete and accurate disclosure of commitments, litigation and compensation schemes as part of the final audit. Additionally the ANAO will assess Defence’s progress in addressing audit findings up to and during the final audit.

3.6.12 The following table summarises the status of audit findings reported by the ANAO in 2017–18 and 2018–19.

Table 3.6.4: Status of audit findings raised by the ANAO

Unresolved significant audit finding

Management and monitoring of SME balances in ROMAN and MILIS

3.6.13 In 2017–18 the ANAO identified a number of issues with the substantiation of SME transactions in the Military Integrated Logistics Information System (MILIS) and the corresponding clearing accounts in the financial management information system (ROMAN). Defence uses these systems to manage the acquisition and sustainment of SME assets. The issues identified include:

• delays in processing payments and receipts in ROMAN and MILIS;
• delays in validating MILIS transactions and reconciling to balances in the clearing accounts;
• payments and purchases posted to incorrect general ledger accounts and cost centres; and
• delays in transferring SME from assets under construction to the fixed asset register after confirmation of being in use by business units.

3.6.14 At the conclusion of the 2017–18 audit, a residual uncertainty in the SME balances of $442.8 million remained.

3.6.15 In 2018–19 Defence advised it has:

• substantially cleared transactions relating to foreign military sales from the United States Department of Defense to the Australian Department of Defence and implemented a monthly reconciliation of these transactions; and
• transferred $250.0 million of SME from assets under construction to the fixed asset register.

3.6.16 Defence plans to remediate the issues identified and substantiate each clearing account and SME balance by implementing additional controls designed to ensure that SME balances are accurate and free from material misstatement.

3.6.17 The ANAO will undertake testing of the remediation activities implemented by Defence throughout the remainder of the 2018–19 audit cycle.

Unresolved moderate audit finding

Documentation supporting the annual assessment of SME impairment indicators

3.6.18 During the 2016–17 audit, the ANAO identified weaknesses in the documentation of Defence’s SME impairment assessment which is required annually under Australian Accounting Standards Board (AASB) 136 Impairment of Assets. SME is dispersed across Defence bases with the acquisition, custodian and sustainment responsibility residing with Systems Program Offices and Project Offices and other service groups. These business units advise the Defence Finance Group annually of any impairment indicators.

3.6.19 As reported by the ANAO in 2016–17, documentation provided to the Defence Finance Group by the business units did not reflect current circumstances providing limited value to the overall impairment assurance process. Additionally, in 2017–18 the ANAO noted instances where the assessment of impairment indicators had not been completed by Defence.

3.6.20 During the 2018–19 interim audit Defence advised it is in the process of performing SME impairment assessments and will:

• consider internal and external sources of information;
• assess whether at an operational or strategic level there are any additional impairment indicators to be considered; and
• support these assessments with documentation which has been reviewed by an appropriate delegate.

3.6.21 The ANAO will progressively undertake testing of the remediation activities implemented by Defence throughout the remainder of the 2018–19 audit cycle.

New moderate audit finding

Monitoring and management of accounts with privileged access

3.6.22 Maintaining and supporting IT systems requires that some individuals have privileged access rights. This level of access can be used to bypass security controls and make changes, either to system settings or directly to system data. Individuals with privileged access must be unique and identifiable, and have their activity regularly monitored to detect any unauthorised use.

3.6.23 The ANAO’s review of privileged access identified five accounts within modules of the Defence One (Payroll and Human Resources Management) system that were shared by up to 16 users. The Australian Government Information Security Manual (ISM) requires that entities must restrict privileged access to unique and identifiable users. Defence was unable to provide evidence of management review over these privileged users’ activities in Defence One, and in several other business systems that underpin the financial statements as they were either not logged or not monitored.

3.6.24 The ANAO also identified privileged users with inappropriate access that would enable them to alter or delete database tables including a privileged user that had moved positions over a year ago. The ISM requires that access be terminated or suspended when a user no longer requires it for their role, and such privileged access must be restricted to database administrators. In addition, password parameters did not align with the ISM requirements for password management in Defence One and the Joint Fuel Information Management System.

3.6.25 The ANAO has confirmed Defence removed the roles providing the privileged users access to the database and the access for the staff member who moved positions. The ANAO confirmed that the user had not made any changes during the period of inappropriate access. ANAO recommends that Defence evaluate the effectiveness of logging and monitoring activities for financial statement related systems and implement improvements to gain assurance that staff have appropriate access to systems and data in line with business requirements. The ANAO will review the status of these remediation activities as part of the final phase of 2018–19 audit.

Conclusion

3.6.26 At the completion of the interim audit, the ANAO has reported a number of areas where improvements are required. The audit findings outlined above reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement. During the 2018–19 final audit the ANAO will undertake further procedures and assess action taken by Defence to address the weaknesses identified.

3.7 Department of Veterans’ Affairs

Overview

3.7.1 The Department of Veterans’ Affairs (DVA) is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986; the administration of benefits and arrangements under the Military Rehabilitation and Compensation legislation; administering the Defence Service Homes Act 1918 and the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

3.7.2 Figure 3.7.1 and Figure 3.7.2 show the 2018–19 departmental and administered financial statement items reported by DVA and the key areas of financial statements risk.

Figure 3.7.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis and DVA’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.7.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis and DVA’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.7.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact DVA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DVA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.7.3 and the ANAO’s understanding of the operations of DVA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.7.4 Annual appropriation funding of $415.7 million (departmental) and $116.1 million (administered) was provided to DVA in 2018–19 to support the achievement of the entity’s outcomes.⁸¹ DVA was also budgeted to receive special appropriation funding of $10.7 billion⁸² for income and disability support, community and residential care, and various healthcare and rehabilitation services for war veterans, members of the Australian Defence Force, members of the Australian Federal Police and their dependants.

3.7.5 Table 3.7.1 and Table 3.7.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.7.1: Key expenses and total own-sourced income

Source: DVA’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.7.2: Key assets and liabilities

Note: DVA’s estimated average staffing level for 2018–19 is 1,723.

Source: DVA’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.7.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.7.3.

Table 3.7.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for DVA and DVA’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.7.7 The ANAO has completed its 2018–19 interim audit coverage, including: an assessment of the department’s methodology to estimate the military compensation provision; and an assessment of the controls supporting personal benefits and healthcare payments.

3.7.8 Audit coverage also included an assessment of: IT general and application controls in the financial management information system and human resources management information system; manual controls relating to cash and asset management, non‐financial assets, supplier expenses and employee benefits.

3.7.9 As part of the 2018–19 final audit, further audit procedures will be performed to: substantiate the year–end balances in respect of the military compensation provision and personal benefits and healthcare payments; review the work of the valuation experts; and review the department’s disclosures relating to legislative compliance.

3.7.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.7.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DVA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.8 Department of Education and Training

Overview

3.8.1 The Department of Education and Training (Education) is responsible for national policies and programs that help Australians access quality and affordable early child care and childhood education, school education, higher education, vocational education and training, international education and research.

3.8.2 Figure 3.8.1 and Figure 3.8.2 show the 2018–19 departmental and administered financial statement items reported by Education and the key areas of financial statements risk.

Figure 3.8.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis and Education’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.8.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis and Education’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.8.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Education’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Education’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.8.3 and the ANAO’s understanding of the operations of Education, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.8.4 Annual appropriation funding of $361.1 million (departmental) and $1.9 billion (administered) was provided to Education in 2018–19 to support the achievement of the entity’s outcomes.⁸³ Education was also budgeted to receive special appropriation funding of $44.5 billion⁸⁴ for child care, schools, and higher education, including research grants.

3.8.5 Table 3.8.1 and Table 3.8.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.8.1: Key expenses and total own-sourced income

Source: Education’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.8.2: Key assets and liabilities

Note: Education’s estimated average staffing level for 2018–19 is 1,786.

Source: Education’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.8.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.8.3.

Table 3.8.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for Education and Education’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.8.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No.11 2018–19 Design and Implementation of the VET Student Loans Program was tabled during 2018–19 and was relevant to the administered HELP receivable risk outlined in Table 3.8.3. The recommendations outlined in the report related to analysis of maturing payments data under the new program and development of new performance indicators to support measurement of the program. The financial statements audit approach includes a review of the payments data analysis that forms part of the HELP receivable balance (estimated actual for 2018–19 is $46.7 billion).

Audit results

3.8.8 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to: transactional processing of supplier expenses and payables, revenue and receivables, and payroll performed by the Department of Finance’s Service Delivery Office on behalf of Education and the monitoring controls in place at Education relating to these processes.

3.8.9 In addition, the ANAO has reviewed controls relating to administered grants payments; HELP, Vocational Education and Training (VET) FEE-HELP and VET student loans; reconciliations between administered business systems and the financial information systems for grants payments, administered supplier and subsidy payments and IT application controls.

3.8.10 Audit procedures relating to: accounting for the HELP, HESP and personal benefits receivables and provisions; payments to providers, schools and universities; and detailed testing over the new child care subsidy payments will be completed during the final audit phase.

3.8.11 The following table summarises the status of audit findings reported by the ANAO in 2017–18 and 2018–19.

Table 3.8.4: Status of audit findings raised by the ANAO

New moderate audit findings

Monitoring of privileged access to databases

3.8.12 Maintaining and supporting IT systems requires that some individuals have powerful access rights — known as privileged access. This level of access can be used to bypass security controls and make changes, either to system settings or directly to system data. Individuals with privileged access should have their activity regularly monitored to detect any unauthorised use.

3.8.13 Education’s database systems are hosted and maintained by the Department of Jobs and Small Business (Jobs) including privileged user access. Although Jobs manage the granting of privileged access, Education is accountable for ensuring that privileged access is used appropriately. During the interim audit, no evidence of the regular monitoring of privileged user access was able to be provided by Education.

3.8.14 Education has committed to: developing and implementing a logging and monitoring policy for all privileged user activity at the database level; and implementing processes to gain assurance that Jobs IT staff have appropriate access to Education’s systems and data in line with business requirements. The ANAO will review these processes as part of the final phase of 2018–19 audit.

Unauthorised network access

3.8.15 During the interim audit testing, the ANAO’s review of user access to Education’s systems found weaknesses in the process for termination of user access to the department’s network and systems. The ANAO identified an instance where a user continued to actively use the network and systems for over two weeks following separation from Education.

3.8.16 The Department did not identify this access and ongoing activity through their existing control framework, and once made aware of the access provided advice that they were not able to fully determine which systems had been accessed. As a result of not identifying the control breakdown, Education had not followed the processes required by their security policies.

3.8.17 The ANAO has recommended that Education undertake a detailed review of all logs related to the unauthorised access; determine which systems have been accessed; assess the impact to the department from both a business and a financial aspect; review the current terminations processes to identify the cause of the issue; implement necessary changes to these processes to ensure the controls prevent and/or detect inappropriate and unauthorised access to departmental systems and data; and confirm all requirements of the department’s security and user access policies have been complied with. The ANAO will review Education’s progress in addressing this issue during the final audit phase.

Conclusion

3.8.18 At the completion of the interim audit, the ANAO has reported a number of areas where improvements are required. The audit findings outlined above reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement. During the 2018–19 final audit the ANAO will undertake further procedures and assess action taken by Education to address the weaknesses identified.

3.9 Department of the Environment and Energy

Overview

3.9.1 The Department of the Environment and Energy (Environment) is responsible for developing and implementing, environmental and energy policy to support the government. The department is also responsible for managing the conservation, protection and sustainability of Australia’s natural resources, biodiversity, ecosystems, environment and heritage, and contributing to the national response to climate change. In addition, the department’s role includes advancing Australia’s interests in the Antarctic, managing environmental water use, and supporting the reliable, sustainable and secure operation of energy markets.

3.9.2 On the 29 June 2018, the Commonwealth acquired the remaining 87% of Snowy Hydro Ltd (SHL) from the NSW and Victorian State Governments. The 100% ownership of SHL is recorded as an administered investment by the Department.

3.9.3 Figure 3.9.1 and Figure 3.9.2 show the 2018–19 departmental and administered financial statement items reported by Department of the Environment and Energy (Environment) and the key areas of financial statements risk.

Figure 3.9.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis and Environment’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.9.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis and Environment’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.9.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Environment’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of the Department’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.9.3 and the ANAO’s understanding of the operations of Environment, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.9.5 Annual appropriation funding of $898.2 million (departmental) and $666.5 million (administered) was provided to Environment in 2018–19 to support the achievement of the entity’s outcomes.⁸⁵ Environment was also budgeted to receive special appropriation funding of $235.4 million⁸⁶ primarily for payments under Australian Renewable Energy Agency Act 2011.

3.9.6 Table 3.9.1 and Table 3.9.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.9.1: Key expenses and total own-sourced income

Source: Environment’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.9.2: Key assets and liabilities

Note: Environment’s estimated average staffing level for 2018–19 is 1,995.

Source: Environment’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.9.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.9.3.

Table 3.9.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for Environment and Environment’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.9.8 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to: drawdowns, administered grant payments; payroll processing (including commencements and terminations); revenue and supplier expenses. As part of the interim audit coverage, a review of key accounting judgements relating to the areas of audit focus and an assessment of Environment’s key IT general and application controls has been undertaken.

3.9.9 Audit procedures relating to valuations of water assets and Snowy Hydro Limited; and the assessment of the estimated restoration costs for Antarctic bases will be undertaken as part of the 2018–19 final audit.

3.9.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.9.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Environment will be able to prepare financial statements that are free of material misstatements. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.10 Department of Finance

Overview

3.10.1 The Department of Finance (Finance) assists the Australian Government to achieve its fiscal and policy objectives by advising on expenditure, managing sustainable public sector resourcing, driving public sector transformation and delivering efficient, cost effective services to, and for, the government.

3.10.2 The department is also responsible for the Service Delivery Office and the preparation of the annual Consolidated Financial Statements. The Service Delivery Office provides shared services to 14 Commonwealth agencies. The Consolidated Financial Statements includes both the whole-of-government and the general government sector (GGS) financial statements. The GGS statements includes the reporting of the Australian Government’s financial outcome.

3.10.3 Figure 3.10.1 and Figure 3.10.2 show the 2018–19 departmental and administered financial statement items reported by Finance and the key areas of financial statements risk.

Figure 3.10.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis and Finance’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.10.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis and Finance’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.10.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Finance’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Finance’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.10.3 and the ANAO’s understanding of the operations of Finance, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.10.5 Annual appropriation funding of $309.7 million (departmental) and $536.3 million (administered) was provided to Finance in 2018–19 to support the achievement of the entity’s outcomes.⁸⁷ Finance was also budgeted to receive special appropriation funding of $8,685.1 million.⁸⁸ The special appropriation funding is largely to settle payments for superannuation liabilities.

3.10.6 Finance is responsible for the payment of superannuation through public sector civilian (non-Defence) superannuation schemes. Finance recognises the unfunded liability on behalf of the Commonwealth and meets the ongoing payments of superannuation liabilities. The majority of the liabilities are managed by the Commonwealth Superannuation Corporation on behalf of Commonwealth.

3.10.7 Table 3.10.1 and Table 3.10.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.10.1: Key expenses and total own-sourced income

Source: Finance’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.10.2: Key assets and liabilities

Note: Finance’s estimated average staffing level for 2018–19 is 1,250.

Source: Finance’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.10.8 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.10.3.

Table 3.10.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for Finance and Finance’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.10.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. ANAO Report No.8 2018–19 Management of Commonwealth Leased Office Property was tabled during 2018–19. The observations of the report were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement.

Audit results

3.10.10 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to: administered investment funds, property management, payroll management and supplier expenditure. As part of the interim coverage, the ANAO has also assessed controls relating to the payment of entitlements to Parliamentarians and their staff.

3.10.11 Audit procedures relating to valuations of superannuation provisions, insurance provisions and properties will be undertaken as part of the planned 2018–19 final audit.

3.10.12 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.10.13 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.11 Future Fund Management Agency and Board of Guardians

Overview

3.11.1 The Future Fund Board of Guardians supported by the Future Fund Management Agency (together the Future Fund) is responsible for investing the assets of the Future Fund under the Future Fund Act 2006 and other investment funds, managed on behalf of the Department of Finance, under the Nation-building Funds Act 2008, the DisabilityCare Australia Fund Act 2013, Aboriginal and Torres Strait Islander Land and Sea Future Fund Act 2018 and the Medical Research Future Fund Act 2015, for the benefit of future generations of Australians.

3.11.2 Figure 3.11.1 and Figure 3.11.2 show the 2018–19 departmental and administered financial statement items reported by the Future Fund and the key areas of financial statements risk.

Figure 3.11.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis of the Future Fund’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.11.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis of the Future Fund’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.11.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact the Future Fund’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of the Future Fund’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.11.3 and the ANAO’s understanding of the operations of Future Fund, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.11.4 From May 2006 to November 2008, the Government made cash contributions to the Future Fund totalling $51.3 billion as well as providing Telstra shares to the value of $9.2 billion. No further Government contributions have been received since this time.

3.11.5 As a result, the operational functions of the Future Fund are funded through payments from the administered Future Fund special account and the other Australian Government Investment Funds. In 2018–19, these payments are estimated to total $80.5 million.

3.11.6 Table 3.11.1 and Table 3.11.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.11.1: Key expenses and total own-sourced income

Source: The Future Fund’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.11.2: Key assets and liabilities

Note: Future Fund’s estimated average staffing level for 2018–19 is 162.

Source: The Future Fund’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.11.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.11.3.

Table 3.11.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for the Future Fund and the Future Fund’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.11.8 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to the management of investments; monitoring of services providers; and operational expenses incurred by the Future Fund.

3.11.9 The valuation of investments, including the assessment of controls that reside within the outsourced custodian, will be completed as part of the 2018–19 final audit.

3.11.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.11.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that the Future Fund will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.12 Department of Foreign Affairs and Trade

Overview

3.12.1 The Department of Foreign Affairs and Trade (DFAT) supports Australia’s foreign, trade and investment, development and international security policy priorities. DFAT is the lead agency managing Australia’s international presence and will lead efforts to maximise Australia’s security and prosperity through implementation of the Foreign White Paper.

3.12.2 As the lead overseas agency, in locations where DFAT has a presence they provide support under service level agreements to Australian government entities. This includes: management of property through DFAT’s Overseas Property Office; engaging and managing the payroll for locally engaged staff; and processing financial transactions.

3.12.3 Figure 3.12.1 and Figure 3.12.2 show the 2018–19 departmental and administered financial statement items reported by DFAT and the key areas of financial statements risk.

Figure 3.12.1: Key departmental financial statement items and areas of financial statements risk

Figure 3.12.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis of DFAT’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.12.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact DFAT’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DFAT’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.12.3 and the ANAO’s understanding of the operations of DFAT, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.12.5 Annual appropriation funding of $1 590.0 million (departmental) and $3 845.3 million (administered) was provided to DFAT in 2018–19 to support the achievement of the entity’s outcomes.⁸⁹

3.12.6 Table 3.12.1 and Table 3.12.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.12.1: Key expenses and total own-sourced income

Source: DFAT’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.12.2: Key assets and liabilities

Note: DFAT’s estimated average staffing level for 2018–19 is 5,613.

Source: DFAT’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.12.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.12.3.

Table 3.12.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for DFAT and DFAT’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.12.8 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to: departmental revenue for rental accommodation and services provided to other entities at overseas posts; administered passport revenue; and management of appropriations.

3.12.9 Interim audit coverage has also been completed over the department’s processes relating to cash and asset management, employee and supplier expenditure, IT general controls in the Financial Management Information System (FMIS) and Human Resource Management Information System (HRMIS). In addition, the ANAO has reviewed a sample of administered aid program expenses to ascertain that the payments have been made in accordance with the agreements.

3.12.10 Audit procedures relating to the financial statement balances subject to valuation and IDA and ADF grants will be undertaken as part of the 2018–19 final audit. In addition, testing will be performed on the above processes for the remainder of the financial year.

3.12.11 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.12.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.13 Department of Health

Overview

3.13.1 The Department of Health (Health) is responsible for achieving the Australian Government’s health priorities through the development of policy; administering programs and services, including Medicare, the Pharmaceutical Benefits Scheme and aged care; managing increasing pressures on health expenditure, including for public hospitals and mental health care; progressing reforms to Australia’s health system; undertaking regulatory and compliance activities; and forming partnerships with the states and territories, other Australian Government entities, consumers and stakeholders.

3.13.2 The Department of Human Services (Human Services) delivers approximately $55 billion of health related payments on behalf of Health. These payments primarily relate to the Medicare Benefits Schedule, the Pharmaceutical Benefits Scheme, the Private Health Insurance Rebate and services funded under the Aged Care Act 1997.

3.13.3 Figure 3.13.1 and Figure 3.13.2 show the 2018–19 departmental and administered financial statement items reported by Health and the key areas of financial statements risk.

Figure 3.13.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis of Health’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.13.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis of Health’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.13.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Health’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Health’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.13.3 and the ANAO’s understanding of the operations of Health, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.13.5 Annual appropriation funding of $759.4 million (departmental) and $10.4 billion (administered) was provided to Health in 2018–19 to support the achievement of the entity’s outcomes.⁹⁰ Health was also budgeted to receive special appropriation funding of $23.0 billion⁹¹ for payments and rebates made under legislation including: Aged Care Act 1997 ($14.8 billion); Private Health Insurance Act 2007 ($6.2 billion); and National Health Act 1953 ($1.6 billion).

3.13.6 Table 3.13.1 and Table 3.13.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.13.1: Key expenses and total own-sourced income

Source: Health’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.13.2: Key assets and liabilities

Note: Health’s estimated average staffing level for 2018–19 is 4,058.

Source: Health’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.13.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.13.3.

Table 3.13.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for Health and Health’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.13.7 The ANAO has undertaken its 2018–19 interim audit coverage, including an assessment of the controls relating to IT security and change management in the financial management information system and human resource management information system, cash and appropriations management, supplier expenses, assets, payroll processing, Therapeutic Goods Administration revenue, personal benefits, subsidies, and grant payments.

3.13.8 Other areas of audit focus including the compliance processes for Aged Care subsidies and Medicare payments and an assessment of the valuation methodologies used to estimate the medical indemnity program and Medicare outstanding claims liability provisions will be performed as part of the 2018–19 final audit.

3.13.9 To date, our 2018–19 audit coverage of the above areas has identified one new moderate audit finding and no new significant audit findings. The following table summarises the status of audit findings reported by the ANAO in 2017–18 and 2018–19.

Table 3.13.4: Status of audit findings raised by the ANAO

New moderate audit finding

Monitoring of privileged user activity

3.13.10 During the 2018–19 interim audit, the ANAO’s testing identified weaknesses in the monitoring of users with privileged access to IT business systems relevant to the collection of Therapeutic Goods Administration revenue and management of aged care providers. Privileged user access typically allows users to make significant changes to the IT business systems configuration and operations, and bypass critical security and segregation of duties settings. A lack of monitoring of privileged user activity increases the risk of unauthorised changes to business systems and underlying data. Privileged user access, should be appropriately restricted, logged and regularly monitored.

3.13.11 The ANAO identified that there were no processes in place to effectively monitor the activity of privileged users with access to several key IT business systems. The Department uses a program to monitor privileged user access at the network level and has committed to extend this program to the individual business systems. In addition the Department has advised it will perform regular reviews of activity reports.

Conclusion

3.13.12 Based on our audit coverage to date, except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Health will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.14 Department of Home Affairs

Overview

3.14.1 The Department of Home Affairs (Home Affairs) is responsible for Australia’s national and transport security, federal law enforcement, criminal justice, cyber security, border, immigration, multicultural affairs, emergency management and trade related functions.

3.14.2 Figure 3.14.1 and Figure 3.14.2 show the 2018–19 departmental and administered financial statement items reported by Home Affairs and the key areas of financial statements risk.

Figure 3.14.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis of Home Affairs’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.14.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis of Home Affairs’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.14.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Home Affairs’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Home Affairs’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.14.3 and the ANAO’s understanding of the operations of Home Affairs, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.14.4 Annual appropriation funding of $2,935 million (departmental) and $2,052.8 million (administered) was provided to Home Affairs in 2018–19 to support the achievement of the entity’s outcomes.⁹² Home Affairs was also budgeted to receive special appropriation funding of $784.7 million.⁹³ Special appropriation funding is used for payment of refunds of customs duty and visa application charges and for the return of customs duty paid upon export of an item.

3.14.5 Table 3.14.1 and Table 3.14.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.14.1: Key expenses and total own-sourced income

Source: Home Affairs’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.14.2: Key assets and liabilities

Note: Home Affairs’ estimated average staffing level for 2018–19 is 14,100.

Source: Home Affairs’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

3.14.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2018–19 are provided in Table 3.14.3.

Table 3.14.3: Key areas of financial statements risk

Source: ANAO 2018–19 risk assessment for Home Affairs and Home Affairs’ 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Audit results

3.14.7 The ANAO has completed its 2018–19 interim audit coverage, including an assessment of the controls relating to: collection of customs duty revenue and visa application revenue; the management of the onshore immigration detention centres and overseas regional processing centres; accounting for employee entitlements; and the reporting of overseas transactions.

3.14.8 Interim audit coverage has also included an assessment of IT general controls, including security and change management processes relevant to the financial management information system and human resources management information system.

3.14.9 Audit procedures relating to: payment of personal benefits under the SRSS program; IT application controls; and testing on the processes above for the remainder of the financial year will be undertaken as part of the planned 2018–19 final audit.

3.14.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2017–18 audit also did not identify any significant or moderate audit findings.

Conclusion

3.14.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2018–19 final audit.

3.15 Department of Industry, Innovation and Science

Overview

3.15.1 The Department of Industry, Innovation and Science (Industry) is responsible for supporting science and commercialisation; growing business investment and improving business capability; developing northern Australia; and streamlining regulation.

3.15.2 Industry has established a grants hub and shared service centre which provides other Commonwealth entities with administrative support including grants administration and payments processing; human resources and financial transaction processing and provision of management information systems supporting these processes.

3.15.3 Figure 3.15.1 and Figure 3.15.2 show the 2018–19 departmental and administered financial statement items reported by Industry and the key areas of financial statements risk.

Figure 3.15.1: Key departmental financial statement items and areas of financial statements risk

Source: ANAO analysis of Industry’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 3.15.2: Key administered financial statement items and areas of financial statements risk

Source: ANAO analysis of Industry’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

3.15.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Industry’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Industry’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 3.15.3 and the ANAO’s understanding of the operations of Industry, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.15.5 Annual appropriation funding of $428.6 million (departmental) and $575.6 million (administered) was provided to Industry in 2018–19 to support the achievement of the entity’s outcomes.⁹⁴ Industry was also budgeted to receive special appropriation funding of $158.5 million⁹⁵ which includes: loan funding relating to the Northern Australia Infrastructure Facility; funding provided to the National Offshore Petroleum Safety and Environmental Management Authority; and the Automotive Transformation Scheme.

3.15.6 Table 3.15.1 and Table 3.15.2 provide a summary of the key 2018–19 departmental and administered estimated financial statements items.

Table 3.15.1: Key expenses and total own-sourced income

Source: Industry’s 2018–19 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Table 3.15.2: Key assets and liabilities