1. The ANAO prepares two reports annually that provide insights at a point in time to the financial statements risks, governance arrangements and internal control frameworks of Commonwealth entities, drawing on information collected during our audits. These reports explain how entities’ internal control frameworks are critical to executing an efficient and effective audit and underpin an entity’s capacity to transparently discharge its duties and obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Deficiencies identified during ANAO audits, posing a significant or moderate risk to entities’ ability to prepare financial statements free from material misstatements, are reported.

2. This report is the first in the series of reports and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2020–21 financial statements audits. This report examines 25 entities, including all departments of state and a number of major Australian government entities. The entities included in the report are selected on the basis of their contribution to the income, expenses, assets and liabilities of the 2019–20 Consolidated Financial Statements (CFS). At the completion of interim audits for the 25 entities included in this report the ANAO noted that key elements of internal control were operating effectively for 20 entities. For five entities¹, except for particular finding/s outlined in Chapter 3, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement.

Interim results and other matters

Audit committee disclosure reporting

3. The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) sets out reporting requirements for entities in relation to their audit committees. The PGPA Rule was amended on 27 February 2020 to include changes that affect the reporting of audit committee information in a Commonwealth entity’s annual report for reporting periods beginning on or after 1 July 2019. The ANAO assessed compliance against the disclosure requirements for 182 entities subject to the PGPA Rule. This included the reporting of: a direct link to the audit committee charter; audit committee membership, knowledge and skills; meeting attendance; and member remuneration.

4. Forty five entities did not include a direct link to the audit committee charter; four entities did not report on audit committee membership; 11 entities did not report on the qualifications and skills of audit committee members; 10 entities did not report on audit committee attendance; and 41 entities did not report details of audit committee member remuneration.

Safeguarding financial information from cyber threats

5. The Protective Security Policy Framework (PSPF) contains the Essential Eight mitigation strategies including mandatory and recommended controls intended to strengthen cyber resilience and the capacity of government to mitigate cyber threats. Review of entities’ implementation and compliance with these strategies found that there continues to be limited improvement in the level of compliance with the controls since being first mandated in 2013.

Summary of audit findings

6. A total of 60 findings were reported to the entities included in this report as a result of interim audits, comprising nine moderate and 51 minor findings. This is an overall decrease in the number of findings, but an increase in moderate findings, compared to the 2019–20 interim audit results.

7. Fifty three per cent of all findings and fifty six per cent of moderate findings relate to the management of IT controls, particularly the management of privileged user access. The continued level of findings indicates that the IT control environment warrants further attention by entity management.

Reporting and auditing frameworks

Summary of developments

8. The ANAO will continue to monitor the ongoing impact of the COVID-19 pandemic on entities’ risks to assess their ability to provide sufficient and appropriate evidence for audits. ANAO’s financial auditing will continue to utilise remote access to entities’ financial systems where appropriate to complete audit procedures.

9. There are no significant changes in accounting standards applicable to Commonwealth entities for 2020–21, however Australian Auditing Standard ASA 540 Auditing Accounting Estimates and Related Disclosures was revised and re-issued with effect for the 2020–21 financial year.

10. The Auditing and Assurance Standards Boards (AUASB) has issued three revised Australian Quality Management Standards that become effective on 15 December 2022. The ANAO will review the revised standards, consider the impacts on the Quality Assurance Framework and make enhancements to the framework to ensure that it responds to the quality risks that arise in audits of public sector entities.

Cost of this report

11. The cost to the ANAO of producing this report is approximately $320,000.

Introduction

1.1 The ANAO publishes an Annual Audit Work Program (AAWP) each financial year. The purpose of the AAWP is to inform the Parliament, the public and government sector entities of the ANAO’s planned audit coverage for Australian Government entities by way of financial statements audits, performance audits and other assurance activities.

1.2 The financial statements audit coverage, as outlined in the AAWP, includes presenting two reports to the Parliament addressing the outcomes of the financial statements audits of Australian Government entities and the Consolidated Financial Statements (CFS) of the Australian Government. These reports provide Parliament with an independent examination of the financial accounting and reporting of Commonwealth public sector entities.

1.3 This report focuses on the results of the interim audits of 25 entities including an assessment of key internal controls supporting the 2020–21 financial statements. The assessment includes a review of the governance arrangements related to entities’ financial reporting responsibilities and the design and implementation of key internal controls relating to significant business processes. Where the auditor plans to rely upon key controls for assurance that financial statements are free from material misstatement, the controls are tested for operating effectiveness. Testing of controls during the interim audit phase allows the ANAO to form a conclusion on the operating effectiveness of those controls for the period up to the date of testing. During the final phase of the 2020–21 financial statements audit, the ANAO completes testing over the operating effectiveness of those controls intended to be relied upon, and also controls not assessed at interim. The second report presents the final results of the financial statements audits of the CFS and all Australian Government entities.

1.4 The entities included in this report are those entities that contribute significantly to the three sectors of the CFS: the General Government Sector (GGS), Public Non-Financial Corporation (PFNC) sector and Public Financial Corporation (PFC) sector. A listing of these entities is provided in Appendix 1.

1.5 The ANAO conducts its financial statements audits in four phases: planning, interim, final and completion. Figure 1.1 outlines the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

 

 

Source: ANAO data.

1.6 A central element of the ANAO’s financial statements audit methodology, and the focus of the planning phase of ANAO audits, is a sound understanding of an entity’s environment and internal controls relevant to assessing the risk of material misstatement in the financial statements. This understanding informs the ANAO’s audit approach, including the reliance that may be placed on entity systems to produce financial statements that are free from material misstatement.

1.7 In accordance with generally accepted auditing practice, the ANAO accepts a low level of risk that an audit will fail to detect the financial statements are materially misstated. This low level of risk is accepted because it is too costly to perform an audit that is predicated on no level of risk. An understanding of the entity, its environment and its controls, helps the ANAO design the required work and respond to risks that bear on financial reporting. The key areas of financial statements risks identified through this planning approach are discussed in Chapter 3 for each entity included in this report.

1.8 A key component of understanding the entity and its environment is to understand the governance arrangements established by its accountable authority.³ Accountable authorities of all Commonwealth entities and companies subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) are required to govern their entity in a way that promotes the proper use and management of public resources, the achievement of the purposes of the entity and the entity’s financial sustainability.

1.9 The development and implementation of effective corporate governance arrangements and internal controls should be designed to meet the individual circumstances of each entity. These processes also assist in the orderly and efficient conduct of the entity’s business and compliance with applicable legislative requirements, including the preparation of annual financial statements that present fairly the entity’s financial position, financial performance and cash flows.

Understanding the entity

1.10 The ANAO uses the framework in the Australian Auditing Standards (ASA) 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment to consider the impact of different elements of an entity’s internal controls that support the preparation of financial statements. This approach provides a basis for designing and implementing the audit work program that reflects the ANAO’s assessment of the risk of material misstatement. Deficiencies in the internal control framework increase the requirement of the ANAO to perform additional audit work in the final audit phase. Figure 1.2 outlines these elements.

Figure 1.2: Elements of entity internal controls

 

 

Source: ASA 315 Identifying and assessing the risk of material misstatement through understanding the entity and its environment, paragraph A59.

1.11 This chapter discusses each of these elements and outlines observations based on the ANAO’s review of aspects of each entity’s internal controls, relevant to the risk of material misstatement to the financial statements, including the detailed results of the interim audits.

1.12 At the completion of the interim audits for the 25 entities included in this report, the ANAO noted that key elements of internal control were operating effectively for 20 entities. For the remaining five⁴ entities, except for particular finding/s outlined in Chapter 3, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement.

1.13 The key elements of internal control for the full financial year will be assessed in conjunction with additional audit testing during the 2020–21 final audits.

Control environment

1.14 The PGPA Act sets out the requirements to establish and maintain systems relating to risk and control. Section 16 of the PGPA Act states that:

The accountable authority of a Commonwealth entity must establish and maintain:

a) an appropriate system of risk oversight and management for the entity; and

b) an appropriate system of internal control for the entity.

including by implementing measures directed at ensuring officials⁵ of the entity comply with finance law.⁶

1.15 An effective control environment is underpinned by a fit-for-purpose governance structure. Indicators of an effective governance structure include whether management has established frameworks and processes that promote positive attitudes, awareness and actions concerning the entity’s internal controls and their importance in the entity. The main elements reviewed included: governance structures relevant to the preparation of the financial statements; audit committee and assurance arrangements; systems of authorisation; and processes for recording financial transactions.

1.16 All entities included in this report have established audit committees consisting of a majority of members which were assessed by the entity to be independent. All entities have an audit committee charter that is consistent with their obligations under subsection 17(2) of the PGPA Rule. Each entity has appointed an independent audit committee chair.

1.17 All entities have established executive management committees and/or sub-committees that meet at least monthly, which support financial decision making at the strategic and operational levels.⁷ Consideration of financial reporting was included on the agendas of all 25 entities’ executive and audit committees. The financial information provided to the entities’ executives was supplemented by non-financial operational information.

1.18 Clear lines of accountability and reporting are important in establishing a strong internal control environment for the purposes of preparing the financial statements. The involvement of those charged with governance is an important element of these structures. Just as important is ensuring that staff at all levels understand their own role in the control framework. This can be achieved through the issuance of accountable authority instructions and delegation instruments. All entities have established accountable authority instructions and delegations reflecting current business arrangements.

Audit committee reporting requirements

1.19 The PGPA Act requires audit committees to be established for all Commonwealth entities and Commonwealth companies.⁸ An independent audit committee is a fundamental principle of good governance⁹ and provides independent advice and assurance to the entity’s accountable authority. The audit committee plays a key role in assisting the accountable authority to fulfil its governance, risk management and oversight responsibilities through the provision of independent assurance and advice.

1.20 Section 17 of the PGPA Rule sets out the minimum requirements relating to the audit committee of a Commonwealth entity. The key requirements of the PGPA Rule include:

• a written charter, set by the accountable authority, determining the functions of the audit committee for the entity;
• the functions must include reviewing the appropriateness of the accountable authority’s financial reporting, performance reporting, system of risk oversight and management and system of internal control for the entity;
• the membership of the committee¹⁰ to include at least three persons with appropriate qualifications, knowledge, skills or experience to assist the committee to perform its functions; and
• persons that must not be a member of the audit committee are: the accountable authority or, if the accountable authority has more than one member, the head of the accountable authority; the Chief Financial Officer; and the Chief Executive Officer.

1.21 The PGPA Rule was amended on 27 February 2020 to include changes that affect the reporting of audit committee information in a Commonwealth entity’s annual report.¹¹ The reporting requirements applied to annual reports for reporting periods beginning on or after 1 July 2019 and include the following information:

• a direct electronic address of the charter determining the functions of the audit committee;
• the name of each member of the audit committee during the period;
• the qualifications, knowledge, skills or experience of those members;
• information about each of those members’ attendance at meetings of the audit committee during the period; and
• the remuneration of each of those members.

1.22 The ANAO reviewed the 2019–20 annual reports of 182 of the 187 Commonwealth entities subject to the reporting requirements of the PGPA Rule.¹² In undertaking the analysis of reporting requirements, the ANAO has considered the annual report published on an entity’s website and the annual report on the transparency portal where the entity has included a link from its website.

Disclosure of audit committee charters

1.23 The PGPA Rule requires entities to provide a direct electronic address of the charter determining the functions of the audit committee in the annual report. Finance guidance notes that the address needs to allow the entity’s charter to be publicly available.¹³ For the purposes of this analysis, the ANAO has considered a direct link to be where it opens either the audit committee charter or the webpage where the charter is found on the entity website.

1.24 Table 1.1 provides details on the number of entities that included a working direct electronic address of the audit committee charter.

Table 1.1: Direct electronic link to audit committee charter

Source: ANAO analysis of 2019–20 annual reports and websites of Commonwealth entities and companies as at 30 April 2021.

1.25 Five of the 14 non-corporate Commonwealth entities that did not include a direct link to the audit committee charter, were material to the 2019–20 Consolidated Financial Statements (CFS) of the Australian Government. These entities were the Australian Securities and Investments Commission, Department of Social Services, Department of the Treasury, National Blood Authority and National Indigenous Australians Agency. The Department of Social Services included a link to the audit committee charter in the version of the annual report on the transparency portal, but the annual report on the transparency portal was not linked from the entity website.

1.26 Three of the 21 corporate Commonwealth entities that did not include a direct link to the audit committee charter were material to the CFS and included: Australian Postal Corporation; Indigenous Land and Sea Corporation; and National Gallery of Australia.

1.27 Four of the 10 Commonwealth companies, that did not include a direct link to the audit committee charter, were material to the CFS. The entities were ASC Pty Ltd; Australian Rail Track Corporation Limited; NBN Co Limited (NBN Co) and Western Sydney Airport Co Ltd. The ASC Pty Ltd included a working link to the audit committee charter in the version of the annual report on the transparency portal, but the annual report on the transparency portal was not linked from the entity website.

1.28 Where entities did not include a direct link to the audit committee charter the ANAO searched the relevant entities’ websites to identify if the audit committee charter had been published. Two non-corporate Commonwealth entities¹⁴, five corporate Commonwealth entities¹⁵ and one Commonwealth company¹⁶ did not have an audit committee charter available on their website. The ANAO has confirmed as part of the financial statements audit that all entities have an audit committee charter which meets the requirements of the PGPA Rule.

Disclosure of audit committee membership

1.29 The PGPA Rule requires entities to disclose the name of each member of the audit committee during the reporting period. Where an entity was subject to machinery of government changes within the reporting period, all members from both the abolished and newly established entities are required to be reported. ¹⁷

1.30 Table 1.2 summarises the number of entities that included the name of each audit committee member in the entity annual report.

Table 1.2: Audit committee membership disclosures

Source: ANAO analysis of 2019–20 annual reports of Commonwealth entities and companies.

1.31 The non-corporate Commonwealth entities¹⁸ and Commonwealth companies¹⁹ that did not report the name of each member of the audit committee were not material to the CFS.

1.32 A number of independent audit committee members provided their skills and experience to multiple Commonwealth audit committees during the 2019–20 financial year. A single individual was a member on audit committees for 18 entities²⁰, with another individual a member on audit committees for 12 entities²¹. A further two individuals were members on audit committees for 11 entities respectively.

Disclosure of qualifications, knowledge, skills or experience of each audit committee member

1.33 Entities are required to provide information on the qualifications, knowledge, skills and experience of each member of the audit committee. The PGPA rule does not include details of the specific disclosure required, however this disclosure provides the opportunity for entities to demonstrate that the audit committee has the appropriate qualifications, knowledge, skills and experience to fulfil the legal requirements of the audit committee.²² Table 1.3 details the number of entities that have reported audit committee members qualifications, knowledge, skills and/or experience.

Table 1.3: Qualifications, knowledge, skills or experience of each member

Source: ANAO analysis of 2019–20 annual reports of Commonwealth entities and companies.

1.34 The non-corporate Commonwealth entities²³ and corporate Commonwealth entities²⁴ that did not report the qualifications, skills or experience of members in line with the PGPA Rule were not material to the CFS. Of the four Commonwealth companies that did not report on each audit committee members’ skills and experience, NBN Co was material to the CFS.²⁵

Disclosure of attendance at audit committee meetings

1.35 Entities are required to report information relating to each member’s attendance at audit committee meetings during the reporting period. Table 1.4 summarises the number of entities that reported this information.

Table 1.4: Details of member attendance at audit committee meetings

Source: ANAO analysis of 2019–20 annual reports of Commonwealth entities and companies.

1.36 The National Archives of Australia was the only material entity of the four non-corporate Commonwealth entities that did not report audit committee meeting attendance for each member of the committee.²⁶ Two non-material corporate Commonwealth entities²⁷ and four non-material Commonwealth companies did not report member audit committee meeting attendance.²⁸

1.37 For non-corporate Commonwealth entities, on average there were 4.3 audit committee meetings during the year. For corporate Commonwealth entities, the average number of audit committee meetings held during the year was 4.0 and Commonwealth companies held an average of 4.0 audit committee meetings for the year.

Disclosure of remuneration of audit committee members

1.38 The remuneration of each member of the audit committee must be disclosed in the annual report. Only the remuneration that members receive for being on the audit committee during the reporting period should be reported. The Department of Finance (Finance) provided further guidance that entities should not report the total amount received by the member for all duties performed and where members are not remunerated, a nil figure should be disclosed.²⁹

1.39 Corporate Commonwealth entities and Commonwealth companies usually have audit committee members that are directors of the Board. The remuneration of the board members is required to be disclosed in annual reports. The ANAO noted that most corporate Commonwealth entities and Commonwealth companies separately disclosed audit committee remuneration. For the purposes of this analysis, where there was no specific disclosure relating to the audit committee remuneration, the entity has been assessed as not reporting against the PGPA Rule. Table 1.5 outlines the reporting on audit committee member remuneration.

Table 1.5: Audit committee member remuneration

Source: ANAO analysis of 2019–20 annual reports of Commonwealth entities and companies.

1.40 Of the five non-corporate Commonwealth entities that did not report audit committee remuneration, the Future Fund Management Agency was material to the CFS.³⁰ There were 26 corporate Commonwealth entities that did not disclose specific member remuneration for one or more of their members and five were material to the CFS: Airservices Australia; Australian Hearing Services; Australian Nuclear Science Technology Organisation; Clean Energy Finance Corporation and Defence Housing Australia.³¹

1.41 The Australian Naval Infrastructure Pty Limited, Australian Rail Track Corporation, Moorebank Intermodal Company Limited and NBN Co Limited were the material Commonwealth companies that did not report on remuneration specific to the audit committee.³²

1.42 Analysis was performed over the remuneration information disclosed to determine the average remuneration and average number of members per audit committee. Table 1.6 shows the average remuneration for an audit committee³³ and the average number of members for an audit committee.³⁴

Table 1.6: Average audit committee remuneration for entities that reported remuneration

Source: ANAO analysis of 2019–20 annual reports of Commonwealth entities and companies.

1.43 The lower average audit committee remuneration for corporate Commonwealth entities and Commonwealth companies is consistent with audit committee membership including directors of these entities.

1.44 The non-corporate Commonwealth entity with the highest total audit committee remuneration was Services Australia at $283,982. Eight non-corporate Commonwealth entities did not have audit committee remuneration costs.³⁵ The corporate Commonwealth entity with the highest total audit committee remuneration was Australian Digital Health Agency at $103,842 and the lowest was the National Museum of Australia at $1,254. The Commonwealth company with the highest total audit committee remuneration was the Australia Business Arts Foundation Ltd at $54,060.

1.45 The average remuneration paid for an audit committee was $44,876 for the 89 non-corporate Commonwealth entities that reported remuneration. For the 44 corporate Commonwealth entities that reported remuneration, the average remuneration paid for an audit committee was $29,941. For the eight Commonwealth companies that reported remuneration, the average remuneration paid for an audit committee was $24,612.

1.46 Non-corporate Commonwealth entities had an average of 5.0 members per audit committee with corporate Commonwealth entities having an average of 4.3 members per committee. Commonwealth companies had an average of 3.6 members per audit committee.

1.47 Table 1.7 shows the highest remuneration paid for a single audit committee chair and a single member that held a position during the year. The table also shows the average remuneration paid to audit committee chairs and to audit committee members.

Table 1.7: Highest and average remuneration paid for entities that reported remuneration³⁶

Source: ANAO analysis of 2019–20 annual reports of Commonwealth entities and companies.

1.48 For non-corporate Commonwealth entities the highest remuneration paid to an audit committee chair was $109,254 for Services Australia and there were fifteen entities that reported nil remuneration paid to the audit committee chair. The average remuneration for a non-corporate Commonwealth entity audit committee chair was $20,930 and for a member was $7,688.

1.49 For corporate Commonwealth entities the highest remuneration paid to an audit committee chair was $40,425 for the Australian Commission on Safety and Quality in Health Care and there were seventeen entities that reported nil remuneration paid to the audit committee chair. The average remuneration for a corporate Commonwealth entity audit committee chair was $9,927 and for a member was $5,029.

1.50 For Commonwealth companies the highest remuneration paid to an audit committee chair was $22,430 for Snowy Hydro Limited and there were two entities that reported nil remuneration paid to the audit committee chair. The average remuneration for a Commonwealth company audit committee chair was $10,956 and for a member was $5,009.

Controls report entity audit committee analysis³⁷

1.51 Further detailed analysis was undertaken on the membership and remuneration results of the audit committees of the 25 entities included in this report. This analysis highlighted that the number of audit committee members varied between entities - ranging from 12 members on the Department of Education, Skills and Employment to three members on the Snowy Hydro Limited audit committee.³⁸

1.52 Amendments made to the PGPA Rule in 2020 also included changes to the member composition of an audit committee. The new members’ composition requirements for all Commonwealth entities will apply on or after 1 July 2021 and include:

• for a non-corporate Commonwealth entity, all of the members of the audit committee must be persons who are not officials of the entity; and a majority of the members must be persons who are not officials of any Commonwealth entity; and
• for a corporate Commonwealth entity, all of the members of the audit committee must be persons who are not employees of the entity.³⁹

1.53 Figure 1.3 shows the total number of audit committee members by entity, including whether the member was independent or a management representative. The analysis also demonstrates that there are a varying number of management members on audit committees with a total of 49 management members across the entities included in this report.

Figure 1.3: Number of audit committee member positions during the year by entity – independent and management

 

 

Source: ANAO analysis of 2019–20 annual reports.

1.54 Entities are required to report all audit committee members for the 2019–20 year. Where an entity underwent a machinery of government change during the year, all audit committee members are required to be reported. This includes all members from abolished entities. During the 2019–20 year the Department of Agriculture, Water and the Environment reported the audit committee members of the former Department of Agriculture and the former Department of the Environment and Energy. The Department of Education, Skills and Employment reported the audit committee members of the former Department of Education and the former Department of Employment, Skills, Small and Family Business. The Department of Infrastructure, Transport, Regional Developments and Communications reported the audit committee members of the former Department of Communications and the Arts and the former Department of Infrastructure, Transport, Cities and Regional Development.

1.55 Six of the 25 audit committees consisted entirely of independent members. The remaining 19 entities had a combination of management and independent members for the 2019–20 financial year.

1.56 The total remuneration paid for an audit committees as well as the remuneration paid to a chair also varies significantly between the entities. Figure 1.4 shows the total remuneration paid for each audit committee along with the remuneration paid to the chair.

Figure 1.4: Audit committee chair remuneration as a component of total member remuneration for an entity audit committee

 

 

Note a: The Departments of: Agriculture, Water and the Environment; Education, Skills and Employment; and Infrastructure, Transport, Regional Development and Communications were subject to machinery of government changes during the 2019–20 financial year. These entities reported all members that served on the audit committee during the year.

Note b: The chair remuneration reported by the Department of Home Affairs includes the total remuneration paid to the two members that held the role of chair during the year including for the part of the year where they were not the chair. The remuneration for each role held during the year is not separately disclosed.

Source: ANAO analysis of 2019–20 annual reports.

1.57 The highest total remuneration of $283,982 is paid to the Services Australia audit committee with the lowest total remuneration of $23,170 paid to the Department of Parliamentary Services audit committee.⁴⁰ The highest paid audit committee chair was on the Services Australia audit committee and received $109,254. The lowest paid chair was on the Department of Parliamentary Services and received $12,200.

1.58 Of the 23 entities that paid remuneration, the Department of Health audit committee chair was the highest remunerated as a percentage of the total audit committee remuneration at 67%. The Department of Infrastructure, Transport, Regional Development and Communications audit committee chair was paid the lowest as a percentage of the total audit committee remuneration at 26%.

Risk assessment processes

1.59 Section 16 of the PGPA Act sets out an accountable authority’s responsibilities in regard to the establishment of appropriate risk oversight and management in an entity. An understanding of an entity’s process to identify and manage risk is essential to an effective and efficient financial statements audit. A review of this process is done to assist the ANAO to understand how entities identify and manage risks relating to financial statements and assess the risk of material misstatement to an entity’s financial statements.

1.60 All entities included in this report have a process to develop and update risk management plans at the organisational and strategic risk levels. In addition, each entity has developed processes for the identification and notification of risks relevant to financial statements preparation either as part of the overall risk management plan, or through a targeted risk identification exercise. The monitoring of risks, and the entities’ implementation of risk management strategies was typically assigned to either an executive committee and/or the audit committee.

Monitoring of controls

1.61 Entities undertake many types of activities as part of their monitoring of control processes, including external reviews, self-assessment processes, post-implementation reviews and internal audits. The level of review of these activities by the ANAO is determined through a risk assessment approach that takes into consideration the nature, extent and timing of each activity and the activities application to the preparation of the financial statements.

Internal Audit

1.62 As part of the financial statements audit coverage, internal audit is reviewed to gain an understanding of its role and activities in the entity. Where an internal audit function has been established it can play an important role in providing assurance to the accountable authority that the internal control framework is operating effectively. Entities are encouraged to identify opportunities to leverage internal audit coverage as a means of providing increased assurance to accountable authorities to support their opinion on the entity’s financial statements.

1.63 The extent to which the work of internal audit may be able to be used, in a constructive and complementary manner, varies between entities and is more likely to occur where internal audit work is focused on financial controls and legislative compliance. The ANAO is expecting to rely upon the work of internal audit for a number of entities.⁴¹ If the ANAO is anticipating to use the work of internal audit, in accordance with ASA 610 Using the Work of Internal Auditors, the ANAO is required to assess whether the internal audit function has: appropriate organisational status; relevant policies and procedures to support its objectivity; an appropriate level of competence; and whether the internal audit function applies a systematic and disciplined approach in the execution of their work including quality control.

1.64 When it is determined that the work of internal audit can be used to support an effective audit approach, additional work is performed to confirm its adequacy to support the external audit. This will include confirmation that the scope of the work is appropriate, that there is sufficient evidence to support the conclusions drawn and selected re-performance of internal audit’s testing.

1.65 For the entities included in this report, it was observed that internal audit coverage is based on an internal audit plan that is aligned with entities’ risk management plans and includes combinations of audits that address assurance, compliance, performance improvements and IT systems reviews.⁴² In addition, suggested topics from management, audit committees and external sources, such as the ANAO’s planned performance and financial statement coverage, are factors considered in the development of internal audit work plans.

Safeguarding financial information from cyber threats

1.66 The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to consider and implement the Australian Signals Directorate’s (ASD) Essential Eight mitigation strategies (Essential Eight).⁴³ The initial requirements were defined in 2013 and are now specified in PSPF Policy 10, “Safeguarding information from cyber threats” (Policy 10).⁴⁴ The Essential Eight is considered the baseline for cyber resilience within the Australian Government and provides advice on measures that entities can implement to mitigate cyber threats.⁴⁵

1.67 Policy 10 requires each non-corporate Commonwealth entity to:

1. implement the following Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents:⁴⁶
   • application control;⁴⁷
   • patching applications;⁴⁸
   • restricting administrative privileges;⁴⁹ and
   • patching operating systems.
2. consider which of the remaining mitigation Strategies from the Strategies to Mitigate Cyber Security Incidents⁵⁰ need to be implemented to protect the entity.⁵¹

1.68 Since 2013, the ANAO has conducted a series of performance audits focussed on assessing entities’ implementation of the PSPF cyber security requirements. These performance audits continue to identify low levels of compliance with mandatory PSPF cyber security requirements and concerns in annual self-assessments by entities. The ANAO has reported its concern that there was no evidence through the series of audits that the regulatory framework had driven sufficient improvement in entities mitigating their cyber security risks since 2013.

1.69 The Australian Cyber Security Centre (ACSC) was provided funding through the 2019 ‘Cyber Uplift’ budget measure⁵², to strengthen the cyber security of Australian Government networks through enhanced technical guidance, improved verification, and increased transparency and accountability. The Cyber Uplift measure included a ‘sprint’ program which was focussed on assessing and baselining the maturity of 25 Commonwealth entities’ implementation of the Essential Eight. The sprint program also resulted in ACSC identifying additional measures for entities to strengthen their cyber security posture as a result of the program.

1.70 In 2020–21, the ANAO performed a review of the 2019–20 Policy 10 annual self-assessment as part of its assurance audit program of financial statements. This review focussed on the protection of information relevant to the preparation of financial statements, specifically the Financial Management Information System (FMIS) and Human Resource Management Information Systems (HRMIS). The review was performed on 18 of the 20⁵³ entities included in this report, which are required to report annually against the Policy 10 requirements.⁵⁴ The review was undertaken to review the evidence supporting the self-assessment and reporting, and to identify cyber security risks that may impact on the preparation of financial statements. The review consisted of analysis of policy and procedural documentation, testing of some Essential Eight mitigation strategies specific to the FMIS and HRMIS, review of results of sprint assessments and interviews with entity personnel.

1.71 The ANAO noted improvements in reported maturity levels since the 2019–20 assessment, particularly with ‘Patching Operating Systems’, ‘User Application Hardening’, ‘Macro controls’ and ‘Daily Backups’. Figure 1.5 shows the maturity levels for each Essential Eight mitigation strategy in 2018–19 and 2019–20.

Figure 1.5: Compliance with the PSPF Policy 10 Requirements

 

 

Source: ANAO data

1.72 Three entities had significantly improved the maturity levels of the majority of Essential Eight mitigation strategies. These three entities had established regular maturity assessments of Essential Eight mitigation strategies and prioritised the implementation of PSPF Policy 10 requirements, including the implementation of other mitigation strategies.

1.73 One entity significantly lowered its maturity since last year’s assessment. The lower maturity resulted from poor monitoring of security controls, specifically controls that are managed by another party.

1.74 Although reported improvements were observed, the ANAO found the reported maturity levels for most entities were still significantly below the Policy 10 requirements. Of the 18 entities assessed, only five had self-assessed as achieving a Managing maturity level. ANAO found that only one of these entities had appropriate evidence to support the self-assessment. In each of the other cases, entities were not able to demonstrate evidence to support their self-assessments as required by the PSPF, or ANAO testing did not support the assessment that the mandatory Policy 10 requirements were fully implemented. Further, the ANAO considered some entities to have met the Policy 10 requirements, however, entities had reported as not fully implementing the mitigation strategy. The entities attributed the differences in the assessments to the interpretation of the scope and intent of the requirements. This is consistent with previous ANAO performance audit findings and indicates that measures taken to address this are not yet fully effective.

1.75 The lowest level of compliance continues to be with the Patching Applications, Multi-Factor Authentication and User Application Hardening⁵⁵ controls. Reported compliance with Macro controls has improved since last year’s assessment.

1.76 Although most entities had plans to improve Patching Applications and User Application Hardening controls by July 2020, entities are still not achieving a Managing maturity level. The number of applications in entities’ systems and identifying all applicable hardening controls for specific applications continues to be the key issue with implementing this mitigation strategy. Some entities have also stated that the Patching Applications requirements are not achievable and have chosen to implement other mitigation strategies to address the related cyber threats.

1.77 Restricting macros⁵⁶ was reported to be difficult as users continue to rely heavily on macros to perform business activities. Entities continue to differ in their maturity of addressing the risks associated, with some entities reporting difficulties with monitoring the use of macros in their environments. The improvements in this year’s assessment have been attributed to some entities completing their cyber security implementations of Macro controls.

1.78 For Multi-Factor Authentication⁵⁷ to be assessed at the Managing maturity level, multi-factor authentication needed to be used to authenticate all users when accessing sensitive data. Entities continue to find the process of organising/distributing multi-factor authentication tokens for all users to be an onerous process, and most have accepted the risk and focused on achieving the Developing maturity level. Entities continue to prioritise multi-factor controls for remote access and privileged users, rather than all users.

1.79 Most entities conducted their self-assessment at a system or environment level, and did not specifically assess the controls required to minimise cyber risks to their FMIS or HRMIS applications. Entities viewed the risk to its financial information as equivalent to the risks to its overall environment. The entities prioritised the protection of the environment which hosts the FMIS and HRMIS applications.

1.80 The ANAO found that the number of assessed entities that reported an Ad-hoc or Developing maturity level had not changed since last year’s assessment. Only one of the entities reviewed is meeting the required Policy 10 maturity level.

1.81 The PSPF cyber security requirements have been in place since 2013. Entities’ inability to meet these requirements indicates a weakness in implementing and maintaining strong cyber security controls over time.

1.82 Previous audits of cyber security by the ANAO to assess the entities’ implementation of PSPF cyber security requirements have not found an improvement in the level of compliance with the controls over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.

1.83 The Joint Committee of Public Accounts and Audit (JCPAA) Report 485 Cyber Resilience (2020)⁵⁸, Auditor-General Report No.53 (2017–18) Cyber Resilience59 and Auditor-General Report No.32 Cyber Security Strategies of Non-Corporate Commonwealth Entities (2020–21)⁶⁰ recommended strengthening of arrangements for verifying self-assessment results and accountability for the implementation of mandatory cyber security requirements.

1.84 While entities’ compliance with PSPF cyber security requirements remains low, there continues to be the risk of compromise to information relevant to the preparation of financial statements.

Interim audit results

1.85 Audit findings are raised in response to the identification of a potential business or financial risk posed to an entity. Often these risks arise from deficiencies within an entity’s internal control processes or frameworks. Weaknesses in internal controls increase the possibility that a material misstatement of an entity’s financial statements will not be prevented or detected in a timely manner. The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The rating scale is presented in Table 1.8.

Table 1.8: Findings rating scale

1.86 A summary of all significant, moderate and minor audit findings reported at the conclusion of the interim audit phase across the past four financial years is presented in Figure 1.6 below.

Figure 1.6: Trend in aggregate interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data.

1.87 The findings have been classified into to broad categories as follows:

• IT control environment;
• compliance and quality assurance frameworks;
• accounting and control of non-financial assets;
• revenue, receivables and cash management processes;
• human resources financial processes;
• purchases and payables management; and
• other audit findings.

Table 1.9: Audit findings by category for the 2020–21 interim period

Source: Compilation of ANAO interim audit findings.

Information Technology Control Environment

1.88 The review of information systems and related controls is an integral part of an entity’s control environment. This section summarises the results from interim tests of the operating effectiveness of general IT controls for each of the entities included in this report.

1.89 Figure 1.7 demonstrates the trends in interim audit findings related to entities’ overall IT control environments from 2017–18 to 2020–21. At the time of this report, testing of the operating effectiveness of IT controls had not been completed for eight entities and therefore the results reported here may not include all IT control environment findings for 2020–21. ⁶¹

Figure 1.7: IT control environment interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data.

1.90 Findings related to entities’ IT control environments represent 53 per cent of total findings identified during the 2020–21 interim period. IT control environment findings continue to represent the highest proportion of all findings. Three new moderate finding were reported in 2020–21, which is an increase of two from the previous year. Further detail regarding the new findings is detailed in chapter 3 for the Department of Social Services and the National Disability Insurance Scheme Launch Transition Agency (NDIA). Two moderate findings were carried over from the previous year.⁶²

1.91 The information systems control environment findings reported at the conclusion of the 2019–20 interim audits for entities included in this report have been grouped as follows:

• IT security;
• IT change management; and
• disaster recovery arrangements.

IT security

1.92 IT security is concerned with protecting an entity’s information assets from internal and external threats. It includes controls to prevent or detect unauthorised access to systems, programs and data. In the context of the financial statements audit, the focus is on the financially significant systems and data only.

1.93 The key controls areas that address risks relating to IT security and that are assessed as part of the interim audit are:

• IT security governance;
• general and privileged user access; and
• monitoring and reporting.

1.94 Figure 1.8 illustrates the trends in findings observed in entities’ IT security arrangements between 2017–18 and 2020–21.

Figure 1.8: IT security interim audit findings 2017–18 to 2020–21

 

 

Note: The comparative numbers in this figure have been updated to include findings previously categorised as IT application controls which related to IT security.

Source: ANAO data.

1.95 The IT security findings represent 81 per cent of all IT-related findings reported in 2020–21. Five moderate findings were reported in the current year (2019–20: three). Further details of the moderate findings are detailed in chapter 3.⁶³ Findings related to:

• logging and monitoring of privileged user activity;
• user access management, including approving new user access and performing regular user access reviews;
• removal of user access when it is no longer required;
• password configuration; and
• the overall governance and assurance framework to support the above activities.

1.96 Users with administrative access privileges, commonly referred to as privileged users, are able to make significant changes to IT systems’ configuration and operation, bypass critical security settings and access sensitive information. As part of reviewing IT security arrangements, different groups of privileged users were examined, including:

• application administrators, sometimes referred to as super users;
• database administrators;
• system administrators; and
• network or domain administrators.

1.97 To reduce the risks associated with this access, the Australian Government Information Security Manual (ISM) recommends that privileged user access be appropriately restricted and when provided, that the access is logged, regularly reviewed and monitored. Seven minor findings relate to entities that have not implemented adequate logging and monitoring procedures over privileged user accounts. The risk of inappropriate changes to financially significant systems and data arising from these findings is partially mitigated through alternate controls.

1.98 All users with access to financial systems may have the ability to change financial information, and therefore access should only be granted where it is required for the performance of the role; and should be reviewed whenever the role changes. Seven minor findings relate to issues with user access management.

1.99 Entities must remove or suspend user access on the same day that a user no longer has a legitimate business requirement for its use.⁶⁴ Terminating a user account when the user no longer has a requirement to access it, such as upon departure from an entity, can prevent unauthorised use. Two minor findings in paragraph 1.95 also related to issues where access was not removed on a timely basis, and there were a further three moderate and three minor findings in this area. For further detail regarding the moderate finding in this category, refer to the detailed results in Chapter 3 for the Departments of: Health and Social Services and the NDIA.

1.100 The ISM provides guidance on the password requirements for Australian Government systems. In October 2019 the ACSC updated this guidance to identify that, where multi-factor authentication⁶⁵ was not able to be implemented, passphrases used for single-factor authentication should be set to a minimum of 14 characters with complexity, ideally as 4 random words⁶⁶. The ANAO observed that most entities were in the process of transitioning to the new requirement, and assessed password configuration settings against the earlier requirement. One minor finding in paragraph 1.95 also related to password configuration not meeting the earlier requirement, and there were a further three minor findings in this area. Inadequate password controls increase the likelihood of unauthorised access to systems and data.

1.101 Two moderate and one minor finding relate to the governance and monitoring processes that support the overall information security framework. For further detail on the moderate findings, refer to the detailed results in chapter 3 for the Department of Social Services and Services Australia.

1.102 The findings within this category increase the risk of unauthorised changes being made to systems and data, or unauthorised data leakage. Entities should review their management of these areas in light of the recommendations of the ISM and the risks to their operational environment.

IT change management

1.103 IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being introduced, and to reduce the likelihood that normal business operations are interrupted with the implementation of authorised changes.

1.104 Figure 1.9 illustrates the trends in findings identified in entities’ IT change management controls between 2017–18 and 2020–21.

Figure 1.9: IT change management interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data.

1.105 Changes to entities’ IT environments were managed using standardised processes, usually based on the ITIL Framework.⁶⁷ Six minor findings were identified in this area, related to weaknesses in the operation of the change management processes.

1.106 While still low when compared to IT security, the number of findings in this area has remained consistent over the last four years. Almost one third of the entities included in this report have advised that they are undertaking new systems implementations and/or data migration activities in 2020–21. Weaknesses in change management elevate the risk of unauthorised or untested changes to systems during these activities, and may affect the availability or reliability of the overall IT environment. Entities should monitor the operating effectiveness of their IT control environments to mitigate risks.

Disaster recovery arrangements

1.107 Disaster recovery is concerned with the resumption of the IT environment including systems and data following an interruption to services. It relies on:

• effective back-up and recovery arrangements, to allow data to be recovered from current versions of key IT systems; and
• disaster recovery planning, including the development, maintenance and testing of a disaster recovery plan to enable IT systems to be recovered in line with defined business requirements.

1.108 The ANAO assesses entities’ disaster recovery arrangements in view of the potential for a disruptive event to impact on financial reporting. Figure 1.10 illustrates the trend for findings identified in entities’ disaster recover arrangements between 2017–18 and 2020–21.

Figure 1.10: Disaster recovery interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data

1.109 In all cases where general IT controls testing has been completed, ANAO found that entities undertook regular backups of financially significant data and had disaster recovery plans in place which were regularly tested. While there were no findings raised, ANAO observed that in three entities recent changes in the IT environment were not yet reflected in the plan. This increases the risk that, in the event of a significant disruption, systems and data will not be recovered within an acceptable timeframe.

1.110 Overall, the majority of IT controls continued to provide reasonable assurance about the operation of controls relied on to support the preparation of financial statements that are free from material misstatement. Consistent with observations in previous years, IT Security, particularly with regard to management of user access, continues to be an area requiring improvement to address the risk of inappropriate access to systems and data.

Compliance and quality assurance frameworks

1.111 Entities place reliance on internal and external systems, parties and information in decision-making processes. The implementation of effective compliance and quality frameworks and processes, provides assurance over the completeness and accuracy of information and is integral to the preparation of financial statements that are free from material misstatement.

Figure 1.11: Compliance and quality assurance framework interim findings 2017–18 to 2020–21

 

 

Source: ANAO analysis of data provided by entities.

1.112 As per Figure 1.11 there are two moderate audit findings, at the conclusion of the 2020–21 interim audit, related to weaknesses in quality assurance processes designed to mitigate key financial or business risks. The moderate finding reported to NDIA, relating to Business Assurance Plan Approval, was first reported in 2019–20 and remains unresolved. The moderate finding reported to the Department of Defence, relating to governance of ADF Health Services was first reported during interim phase in 2020–21.⁶⁸

1.113 The number of minor audit findings reported in 2020–21 has remained consistent compared with the prior year. There remains a need for entities to focus attention on:

• maintaining effective governance over third party or joint service delivery arrangements;
• implementing quality assurance processes over data integrity; and
• developing and implementing risk management frameworks that support the effective management of risk in the delivery of programs.

Accounting and control of non-financial assets

1.114 Entities control a diverse range of non-financial assets on behalf of the Commonwealth, including land and buildings, specialist military equipment, leasehold improvements, infrastructure, plant and equipment, inventories and internally-developed software.

Figure 1.12: Accounting and control of non-financial assets interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data.

1.115 The moderate finding which was first reported to the Department of Health during the 2019–20 final audit phase remains unresolved. The finding relates to the recording and management of the National Medical Stockpile.⁶⁹

1.116 Two of the minor audit findings remain unresolved from 2018–19 and 2019–20 final audits and relate to timely approval and recording of asset disposals. Three minor findings were raised during the 2020–21 interim audit phase and relate to the identification, disposal and impairment of assets and the timely reporting of work in progress assets.

Revenue, receivables and cash management

1.117 Revenue and receivables consists of parliamentary appropriations, taxation revenue, customs and excise duties and administered levies. Revenue is also generated by entities from the sale of goods and services and a range of other sources. Cash management involves the collection and receipt of public monies and the management of official bank accounts.

Figure 1.13: Revenue, receivables and cash management interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data.

1.118 Since 2017–18, no significant or moderate audit findings have been identified that relate to revenue, receivables and cash management. The minor finding reported in 2019–20 related to weaknesses in the timely and accurate completion of bank reconciliations.

Human resource financial processes

1.119 Human resources encompass the day-to-day management and administration of employee entitlements and payroll functions. Employee benefits expenditure represents a significant departmental expenditure item for most entities. Employee entitlement liabilities involve estimates and judgements in inputs. It is important for entities to establish robust controls in these areas to support complete and accurate payment and recording of transactions.

Figure 1.14: Human resources financial processes interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data.

1.120 Since 2017–18 there have been no significant or moderate audit findings relating to human resource processes raised during the interim audit phase. At the conclusion of the final audit phase for 2019–20, there was an unresolved moderate finding raised over the management of staff leave at the Department of Home Affairs. During the 2020–21 interim audit phase, this finding was downgraded to a minor finding.

1.121 There has been a decrease in minor audit findings from the prior year. The five minor findings reported relate to weaknesses identified over monitoring of controls for payroll processing and reporting, management of staff leave and leave requests, and related party disclosures.

Purchases and payables management

1.122 Purchases and payables management covers controls and processes that provide management assurance that payments processed by the entity are complete and accurate. This may include the implementation of appropriate systems of approval or controls designed to ensure that payments processed through the financial management information system are appropriate.

Figure 1.15: Purchases and payables management interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data.

1.123 The moderate audit finding reported to the Department of Defence relates to weaknesses over segregation of duties within the purchases and payables function.⁷⁰ The minor audit findings relate to weaknesses in reconciliation processes, duplicate creditor records and the timely acquittal of credit cards. Two of the minor findings were first raised in the 2019–20 final audit phase, and the third is a new finding in 2020–21.

Other audit findings

1.124 Other audit findings typically include items relating to the: management and implementation of service level agreements or memoranda of understanding; updating or maintaining key governance documentation; and presentation and disclosure in the financial statements.

Figure 1.16: Other interim audit findings 2017–18 to 2020–21

 

 

Source: ANAO data.

1.125 Consistent with the prior year, there were no significant or moderate findings raised. The weaknesses resulting in the minor findings in this category related to:

• discrepancies between source data and information used to account for leases;
• monitoring of balances in general ledger clearing accounts;
• insufficient evidence to support manual journal approvals;
• weaknesses relating to risk assessments over external provided information; and
• fraud risk assessments and reporting of fraud to those charged with governance.

Introduction

2.1 The Australian Government’s financial reporting framework is based, in large part, on standards made by the Australian Accounting Standards Board (AASB). The framework is designed to support decision-making by, and accountability to, the Parliament.

2.2 The AASB bases its accounting standards on the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. As IFRS are designed primarily for use by private sector and for-profit organisations, the AASB amends the IFRS to reflect significant transactions and events that are particularly prevalent in the public sector and not-for-profit private sector. In doing so, it takes into account standards issued by the International Public Sector Accounting Standards Board.

2.3 The Finance Minister prescribes additional financial reporting requirements for Commonwealth entities. These are contained in the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 (the FRR). The FRR is made under the Public Governance, Performance and Accountability Act 2013 (the PGPA Act).

2.4 The audits of the financial statements of Australian Government entities are conducted in accordance with the ANAO Auditing Standards, which are made by the Auditor-General under section 24 of the Auditor-General Act 1997. The ANAO Auditing Standards for financial statement audits incorporate, by reference, the auditing standards made by the Australian Auditing and Assurance Standards Board (AUASB). The AUASB bases its standards on those made by the International Auditing and Assurance Standards Board, an independent standard setting board of the International Federation of Accountants.

2.5 The financial reporting and auditing frameworks that applied in 2020–21 are illustrated in Appendix 2 and Appendix 3 of this report.

Changes to the Australian public sector reporting framework

Changes in the financial framework

COVID 19

2.6 The ANAO’s experience with 2019–20 financial statements audits identified particular challenges for entities when dealing with material uncertainties arising in asset valuations and in performing physical compliance activities such as inventory stocktakes. Due to travel restrictions and lock downs, ANAO staff were restricted in their ability to physically access entities’ premises leading to the increased use of remote access to entity financial management and relevant operational systems. Remote access allowed audit teams to undertake their audit work without the need to be onsite. It is expected that the use of remote access will continue in the 2020–21 audit.

Changes to auditing standards

2.7 In December 2018 the Auditing and Assurance Standards Board (AUASB) issued the revised ASA 540 Auditing Accounting Estimates and Related Disclosures (ASA 540) which prescribes the auditor’s responsibilities with respect to accounting estimates and their related disclosures, such as valuations of financial and non-financial assets and measurement of provisions and other liabilities. ASA 540 is the Australian adoption of the revised international auditing standard ISA 540 of the same name. The new standard will apply to ANAO audits of financial statements for the year ended 30 June 2021 and later years.

2.8 The revisions to the standard are intended to address two major threats to the quality of financial statement audits:

1. increasing complex business and accounting environment with respect to estimates, leading to the increased prevalence in financial statements of complex, higher-risk accounting estimates such as expected credit losses, insurance contracts, revenue recognition and lease recognition; and
2. recurring audit inspection findings with respect to audit quality over accounting estimates.

2.9 The standard emphasises and strengthens requirements for risk assessment, introducing new risk concepts of complexity, subjectivity and estimation uncertainty to assist auditors to identify the most important areas of audit effort and prescribing enhanced procedures with respect to understanding the entity, its environment and its internal control environment affecting estimation.

2.10 The standard also aims to drive audit quality by prescribing objective-based audit procedures, emphasising the importance of professional scepticism and enhancing the audit requirements for management disclosures.

2.11 The revised ASA 540 places emphasis on the need for auditors to understand and assess the risk that estimation uncertainty along with the use of management judgement may result in material misstatement in the financial statements. Entities should therefore expect that auditors are likely to seek evidence that management has identified and assessed significant estimation uncertainty risks. Where significant estimation uncertainty is identified auditors will want to review documentation supporting the methods, significant assumptions and data used by management to arrive at an estimate.

2.12 While audit committees are already expected to consider accounting estimates with significant judgement, closer attention by auditors in accordance with the revised ASA 540 may require management to provide additional information to audit committees around these areas. Audit committees are likely to continue to see significant coverage of accounting estimates in closing letters and other communication from the ANAO.

Changes to accounting standards

2.13 There are no new accounting standards expected to have a significant impact on Commonwealth entities’ financial statements for 2020–21.

Quality Assurance Framework and Reporting

ANAO Quality Assurance Framework

2.14 The quality of ANAO audit work is reliant on the strength of its independence and quality control processes. The ANAO defines audit quality as the provision of timely, accurate and relevant audits, performed independently in accordance with the Auditor-General Act 1997, ANAO auditing standards and methodologies, which are valued by the Parliament. Delivering quality audits results in improved public sector performance through accountability and transparency.

2.15 The ANAO Quality Assurance Framework and Plan 2020–21 is published on the ANAO website and articulates the system of quality control that the ANAO has established to support the delivery of high-quality audit work and enables the Auditor-General to have confidence in the opinions and conclusions in the reports prepared for the Parliament. The Framework is supported by the Audit Quality Report 2019–20 which reports on our achievement against the Framework for the 2019—20 financial year, including the results of internal and external review activities.

2.16 The ANAO quality assurance framework complies with the requirements of Auditing Standard ASQC 1 – Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Services Engagements. The AUASB has issued three revised Australian Quality Management Standards that become effective on 15 December 2022:

• ASQM 1 – Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements;
• ASQM 2 – Engagement Quality Reviews; and
• ASA 220 – Quality Management for an Audit of a Financial Report and Other Historical Information.

2.17 The revised standards introduce a quality management approach that is focused on proactively identifying and responding to risks of quality. The standards include enhanced requirements and focus on governance and leadership, monitoring and remediation. The ANAO will review the revised standards, consider the impacts on the Quality Assurance Framework and make enhancements to the framework to ensure that it responds to the quality risks that arise in audits of public sector entities.

Ethics, independence and integrity

2.18 Ethical requirements, with a focus on independence are core to the quality framework. The fundamental principles of professional ethics as set out in APES 110 Code of Ethics for Professional Accountants are integrity; objectivity; professional competence and due care; confidentiality; and professional behaviour. The ANAO maintains a continued focus on independence through the application of the ANAO Independence Policy that manages threats to independence in the conduct of the ANAO’s work. The ANAO Integrity Framework sets out the ANAO’s integrity control system, supporting our organisation’s integrity. The framework encompasses the ANAO Integrity Statement, which describes five key principles of integrity that staff at the ANAO uphold — independence, honesty, accountability, openness and courage.

Quality control and consultation processes

2.19 In the conduct of their work ANAO auditors apply a robust methodology to drive consistent quality and compliance with the ANAO Auditing Standards. The ANAO audit methodology incorporates policies regarding direction, supervision and review, consultation on significant technical and ethical issues, engagement quality control review of high risk audits and documentation of audit evidence and work performed.

Introduction

3.0.1 The ANAO’s assessment of the overall risk of material misstatement of the financial statements is based on professional judgement relating to the entity’s particular circumstances. The financial statements audit planning process involves joint procedures with performance audit and takes into account each entity’s environment and governance arrangements, its system of internal control, and prior year financial and performance audit findings. These planning processes inform the identification of areas of key risk that have the potential to impact on the integrity of the financial statements.

3.0.2 The interim phase of the audit focuses on the steps taken by entities to manage these risks, including their systems of internal control. This chapter reflects portfolio and funding arrangements existing at 30 April 2021 and outlines the following information for each of the reported entities⁷¹:

• the entity’s primary role as reflected in its Portfolio Budget Statements;
• 2020–21 appropriation funding and key financial statements items;
• the ANAO’s assessment of the overall risk of material misstatement of the financial statements, which informs the audit processes to be undertaken;
• key areas of financial statements risk including where the ANAO has identified Key Audit Matters (KAM); and
• the status of significant and moderate audit findings at the completion of the interim audit, and the conclusion relating to audit coverage to date.

3.0.3 The entities included in this report include all departments of state, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the 2019–20 CFS.

3.0.4 Where a performance audit was tabled during 2020–21 that was relevant to the financial management or administration of an entity, consideration is given to the impact of observations on the audit approach. Further details are included under the entity headings.⁷²

Analysis of Entities Contribution to 2019–20 CFS

3.0.5 An analysis of the percentage contribution of entities in this report, to 2019–20 CFS is presented below. Figure 3.0.1 presents the results of nine entities that contribute greater than 10 per cent of either the income, expenses, assets or liabilities of the CFS. The remaining entities are presented in Figure 3.0.2 and contribute less than 10 per cent of all categories.

Figure 3.0.1: Entities contributing greater than 10 per cent to the Australian Government’s 2019–20 Consolidated Financial Statements

 

 

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2020.

Figure 3.0.2: Entities contributing less than 10 per cent to the Australian Government’s 2019–20 Consolidated Financial Statements

 

 

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2020.

Ongoing impact of the COVID-19 pandemic

3.0.6 The COVID-19 pandemic and the Australian Government’s response to it significantly impacts on the risk environment faced by the Australian public sector. This change in risk environment directly impacts on the work to be undertaken by the ANAO across its financial statement audits.

3.0.7 A variety of funding and delivery mechanisms are being employed by the government to address the health and economic needs arising from the pandemic. These include income support payments, grants, procurements, loans and tax relief. Rapid policy design and implementation can present new and increased risks to sound public administration and the proper use of public resources. These potential risks may require audit teams to change their audit approach.

3.0.8 The Advance to the Minister for Finance (AFM) is a provision in the annual Appropriation Acts which enables the Minister for Finance (Finance Minister) to provide additional urgently needed appropriation to agencies for expenditure in the current year. The Finance Minister may only agree to issue an AFM if satisfied that there is an urgent need for expenditure that is either not provided for or has been insufficiently provided for in the existing appropriations of the agency. In response to COVID-19, additional AFMs were enacted and subsequently passed by Parliament for the 2020–21 financial year.

3.0.9 The ANAO conducted monthly assurance reviews of the AFM from April 2020 to October 2020, which were tabled in Parliament. The reviews were conducted in accordance with section 19A of the Auditor-General Act 1997. They provided timely assurance to the Parliament about the AFM, which has significantly increased to support Australian Government activities during the COVID-19 pandemic.

3.0.10 The limited assurance reviews undertaken concluded that the Department of Finance has effective processes in place to provide assurance over information provided by agencies to access AFM. The September 2020 AFM monthly report – Auditor-General Report No.13 2020–21, recommended that the Department of Finance should formalise the process to consolidate relevant entities’ reporting to maintain effective oversight over entities’ management of AFM. The recommendation has been implemented by the Department of Finance.⁷³

Results of financial statements audits

3.0.11 Table 3.0.1 presents a summary of new and unresolved significant and moderate findings⁷⁴ at the conclusion of the 2020–21 interim⁷⁵ audits and the 2019–20 interim and final audits.

Table 3.0.1: Significant and moderate findings by entity

Note a: Minor findings identified previously but upgraded to a moderate or significant finding are considered new for the purposes of this table.

Source: 2019–20 and 2020–21 ANAO audit correspondence.

3.1 Department of Agriculture, Water and the Environment

Overview

3.1.1 The Department of Agriculture, Water and the Environment (DAWE) is responsible for developing and implementing policies and programs to promote more sustainable, productive, internationally competitive and profitable Australian agricultural, food and fibre industries; safeguarding Australia’s animal and plant health; managing the conservation, protection and sustainability of Australia’s natural resources, biodiversity, ecosystems, environment and heritage; advancing Australia’s interests in the Antarctic; and improving the health of rivers and freshwater ecosystems and water use efficiency.

3.1.2 Figure 3.1.1 and Figure 3.1.2 show the 2020–21 departmental and administered financial statements items reported by DAWE and the key areas of financial statements risk.

Figure 3.1.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DAWE revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.1.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DAWE revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.1.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DAWE financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DAWE environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key aras of risk and the ANAO’s understanding of the operations of DAWE, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.1.4 Annual appropriation funding of $1,108.4 million (departmental) and $3,396.2 million (administered) was provided to DAWE in 2020–21 to support the achievement of the entity’s outcomes.⁷⁶ DAWE was also budgeted to receive special appropriation funding of $1,024.9 million.⁷⁷

3.1.5 Table 3.1.1 and Table 3.1.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.1.1: Key expenses and total own-sourced income

Source: DAWE’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.1.2: Key assets and liabilities

Note: DAWE’s estimated average staffing level for 2020–21 is 6,079.

Source: DAWE’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.1.6 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.1.3.

Table 3.1.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and DAWE’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.1.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit report was tabled during 2020–21 relevant to the financial management or administration of DAWE:

• Auditor-General Report No.2 Procurement of Strategic Water Entitlements.

3.1.8 Auditor-General Report No.2 of 2020–21 included observations relevant to the ‘Valuation of water entitlement assets’ risk outlined in Table 3.1.3. Four recommendations were made aimed at improving procurement guidance; developing assurance mechanisms for procurement processes; updating conflict of interest management arrangements; and developing a clear evaluation framework. The observations were considered in designing audit procedures for 2020–21. There were no changes made to the planned audit approach.

Audit results

3.1.9 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to revenue from contracts with customers and administered levies. In addition, interim coverage of IT general controls, appropriations and special accounts, supplier expenses and employee benefits expenses has been performed.

3.1.10 Audit procedures relating to other provisions, water entitlements and administered loans will be undertaken as part of the planned 2020–21 final audit. The ANAO will continue to assess the integration of DAWE’s entity level risk assessment, control frameworks and IT systems, following the machinery of government changes that occurred during 2019–20, throughout the audit. DAWE is finalising timeframes for the system integration. Any significant changes prior to 30 June 2021 will require revision to the planned audit approach.

3.1.11 To date, our audit coverage has not identified any new significant or moderate audit findings. There were no unresolved significant or moderate audit findings at the conclusion of the 2019–20 audit.

Conclusion

3.1.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DAWE will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.2 Attorney-General’s Department

Overview

3.2.1 The Attorney-General’s Department (AGD) supports the Attorney-General and Minister for Industrial Relations and the Assistant Minister to the Attorney-General. The roles of the department are to contribute towards a just and secure society through the maintenance and improvement of Australia’s law, justice, security and integrity frameworks and to facilitate jobs growth through policies and programs that promote fair, productive and safe workplaces.

3.2.2 AGD has a shared services arrangement with the Department of Social Services for the provision of grant administration services. AGD remains accountable for compliance with all accounting, legal and administrative requirements.

3.2.3 Figure 3.2.1 and Figure 3.2.2 show the 2020–21 departmental and administered financial statement items reported by AGD and the key areas of financial statements risk.

Figure 3.2.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and AGD’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.2.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and AGD’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.2.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on AGD’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AGD’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of AGD, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.2.5 Annual appropriation funding of $254.3 million (departmental) and $449.7 million (administered) was provided to AGD in 2020–21 to support the achievement of the entity’s outcomes.⁷⁸ AGD was also budgeted to receive special appropriation funding of $688.3 million.⁷⁹

3.2.6 Table 3.2.1 and Table 3.2.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.2.1: Key expenses and total own-sourced income

Source: AGD’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.2.2: Key assets and liabilities

Note: AGD’s estimated average staffing level for 2020–21 is 1,701.

Source: AGD’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.2.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.2.3.

Table 3.2.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and AGD’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Audit results

3.2.8 The ANAO has substantially completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: departmental revenue, FEG Scheme expenses, management of appropriations and special accounts and cash management activities. Testing related to IT general and application controls is in progress and will be completed prior to the final audit phase.

3.2.9 Audit procedures relating to: the valuation of non-financial assets, including administered investments; and financial statements close processes including the consolidation of the AGS will be undertaken as part of the planned 2020–21 final audit.

3.2.10 To date, our audit coverage has not identified any new significant or moderate audit findings. The 2019–20 audit also did not identify any significant or moderate audit findings.

Conclusion

3.2.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2020–21 final audit.

3.3 Department of Defence

Overview

3.3.1 The Department of Defence (Defence) is responsible for protecting and advancing Australia’s strategic interests through the: promotion of security and stability; the provision of military capabilities to defend Australia and its national interests; and the provision of support for the Australian community and civilian authorities as directed by the Government.

3.3.2 Figure 3.3.1 and Figure 3.3.2 show the 2020–21 departmental and administered financial statement items reported by Defence and the key areas of financial statements risk.

Figure 3.3.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Defence’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.3.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Defence’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.3.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Defence’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Defence’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Defence, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.3.4 Annual appropriation funding of $41.9 billion (departmental) was provided to Defence in 2020–21 to support the achievement of the entity’s outcomes.⁸⁰ Defence was also budgeted to receive special appropriation funding of $2.9 billion predominantly for military superannuation provisions.⁸¹

3.3.5 Table 3.3.1 and Table 3.3.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.3.1: Key expenses and total own-sourced income

Source: Defence’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.3.2: Key assets and liabilities

Note: Defence’s estimated average staffing level for 2020–21 is 77,139.

Source: Defence’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.3.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.3.3.

Table 3.3.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and Defence’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.3.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2020–21 relevant to the financial management or administration of Defence:

• Auditor-General Report No. 6 Design and Implementation of the Defence Export Strategy;
• Auditor-General Report No. 12 Defence’s Procurement of Offshore Patrol Vessels — SEA 1180 Phase 1;
• Auditor-General Report No. 18 Defence’s Procurement of Combat Reconnaissance Vehicles (LAND 400 Phase 2);
• Auditor-General Report No. 19 Major Projects Report; and
• Auditor-General Report No. 21 Delivery of Security Vetting Services Follow-up.

3.3.8 The above reports included observations relevant to impairment of assets under construction and IT systems as outlined in Table 3.3.3. The observations from these reports were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement.

Audit results

3.3.9 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to asset management processes and the controls implemented to determine the value of inventory at year-end. Interim audit coverage also included assessing IT general and application-specific controls for systems that support the preparation of Defence’s financial statements, in addition to assessing the operation of key non-IT controls in areas including appropriation and cash management, suppliers and employee expenses. Additionally, the ANAO has assessed Defence’s progress on addressing the moderate audit findings discussed below.

3.3.10 Audit procedures relating to 30 June 2021 balances for employee provisions, decontamination and decommissioning provisions, inventory, SME and other fixed assets, and the military superannuation provision will be undertaken during the 2020–21 final audit. The ANAO will test Defence’s systems and processes supporting the complete and accurate disclosure of commitments, litigation and compensation schemes as part of the final audit. Additionally the ANAO will assess Defence’s progress in addressing audit findings up to and during the final audit.

3.3.11 To date, our audit coverage has not identified any new significant audit findings. There was one new moderate finding identified.

3.3.12 The following table summarises the status of audit findings reported by the ANAO in 2020–21.

Table 3.3.4: Status of audit findings raised by the ANAO

New moderate audit finding

Governance of ADF health services

3.3.13 The provision of health services to ADF members is managed under a contract with an external service provider. The contract commenced on 1 July 2019 and includes two broad categories of charges covering off-base and on-base services. Defence undertakes a review of the fees and charges associated with off-base services to provide assurance that the invoiced amounts are accurate and valid.

3.3.14 The ANAO’s testing identified issues with the processes Defence has implemented to check the accuracy and validity of the service provider’s monthly invoice. Defence has completed three reviews of off-base service charges. All three reviews concluded a “low confidence level – significant issues identified requiring major rectification”. Two of the three reviews were conducted months after the period under review and were not finalised in a timely manner.

3.3.15 The reviews highlighted a number of issues including:

• a significant percentage of the provider’s invoices did not include sufficient information for Defence to confirm that an authorised service had been provided to an ADF member;
• instances of duplicate invoicing relating to multiple charges for a single service; and
• tiered pricing structures had not been correctly applied and instances where full price or higher fees were incorrectly charged.

3.3.16 The ANAO was unable to evidence that these issues had been escalated to senior management, and Defence continued to pay the invoices despite the high incidence of errors.

3.3.17 The ANAO recommends Defence examine and strengthen the design of processes to provide assurance over the accuracy and validity of the health service payments. Given the issues noted in the review of off-base health services, the ANAO recommends that the assurance activities be extended to include on-base service charges. The assurance processes should be completed in a timely manner and issues arising escalated to an appropriate level of management to ensure that issues can be dealt with promptly and recoveries initiated where required.

Resolved moderate audit findings

Management and monitoring of SME balances in ROMAN and MILIS

3.3.18 In 2017–18 the ANAO reported a number of issues with the substantiation of SME transactions in the Military Integrated Logistics Information System (MILIS) and the corresponding accounts in the financial management information system (ROMAN). Defence uses these systems to manage the acquisition and sustainment of SME assets. In 2019–20 Defence continued the remediation of this issue, by:

• matching a significant number of ROMAN and MILIS transactions and validating price differences between the two systems;
• undertaking a comprehensive review and remediation of a portion of the aged unreconciled balances between ROMAN and MILIS;
• implementing a number of controls for the ongoing monitoring of unvalidated transactions between ROMAN and MILIS; and
• improving the governance arrangements and monitoring over ROMAN and MILIS.

3.3.19 In 2020–21 Defence completed its investigations into the residual unreconciled balance between ROMAN and MILIS of $322.9 million. This balance was made up of aged transactions that have been adjusted against the asset revaluation reserve. The ANAO has reviewed the accounting treatment of the adjustment for the unreconciled balance and considers this finding to be resolved.

Monitoring and management of accounts with privileged access

3.3.20 During the 2018–19 audit, the ANAO’s review of privileged user access identified several issues with the monitoring and management of accounts within financially significant applications. In 2019–20, Defence provided evidence to the ANAO showing that weaknesses in a number of its IT systems had been remediated. The ANAO noted that remediation for three key financial processing systems remained outstanding.

3.3.21 As part of the 2020–21 interim audit, the ANAO assessed the remediation action completed by Defence which included testing the effectiveness of Defence’s logging and monitoring controls in the three key financial processing systems. Based on testing performed, sufficient evidence of the operating effectiveness of the monitoring processes was obtained to confirm that the previous issues had been resolved.

Unresolved moderate audit finding

Segregation of duties’ deficiencies within the purchase and payables function

3.3.22 During 2019–20, the ANAO identified a lack of segregation between the critical procurement functions involving the creation/modification of vendor data, the raising and approval of a purchase order, the goods receipting function, and the payment authorisation process. The segregation of duties weaknesses related to procurements which were not subject to panel arrangements. The lack of segregation of duties’ increases the risk of fraud and/or financial loss.

3.3.23 As part of the 2020–21 interim audit, the ANAO assessed the progress made by Defence to address the finding. Defence has commenced the roll-out of automated and manual controls to prevent officers from performing incompatible procurement functions. At the conclusion of the interim audit, the controls had been rolled out to approximately 20 per cent of all procurements.

3.3.24 The ANAO has assessed the design of the controls and considers the controls to be designed effectively to address the risk identified. The ANAO will continue to monitor the roll-out of the controls to Defence’s remaining procurement processes as part of the 2020–21 final audit.

Conclusion

3.3.25 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Defence will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2020–21 final audit.

3.4 Department of Veterans’ Affairs

Overview

3.4.1 The Department of Veterans’ Affairs (DVA) is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes: granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986; the administration of benefits and arrangements under the Military Rehabilitation and Compensation and the Safety, Rehabilitation and Compensation (Defence-related Claims) legislation; administering the Defence Service Homes Act 1918 and the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

3.4.2 Figure 3.4.1 and Figure 3.4.2 show the 2020–21 departmental and administered financial statement items reported by DVA and the key areas of financial statements risk.

Figure 3.4.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DVA’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.4.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DVA’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.4.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DVA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DVA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DVA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.4.4 Annual appropriation funding of $404.6 million (departmental) and $113.6 million (administered) was provided to DVA in 2020–21 to support the achievement of the entity’s outcomes.⁸² DVA was also budgeted to receive special appropriation funding of $11.4 billion.⁸³

3.4.5 Table 3.4.1 and Table 3.4.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.4.1: Key expenses and total own-sourced income

Source: DVA’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.4.2: Key assets and liabilities

Note: DVA’s estimated average staffing level for 2020–21 is 1,615.

Source: DVA’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.4.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.4.3.

Table 3.4.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and DVA’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.4.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit report was tabled during 2020–21 relevant to the financial management or administration of DVA:

• Auditor-General Report No. 30 Effectiveness of the Planning and Management of Veteran Centric Reforms.

3.4.8 The observations of this report were considered in designing the financial statements audit procedures. There were no material changes to the planned audit approach.

Audit results

3.4.9 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of manual controls relating to: cash; asset management; supplier expenses; and employee benefits.

3.4.10 Audit procedures relating to: testing of IT general and application controls; accuracy of administered personal benefit and health care payments and review of the personal benefits and health care provision valuation will be undertaken as part of the planned 2020–21 final audit.

3.4.11 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2019–20 audit also did not identify any significant or moderate audit findings.

Conclusion

3.4.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DVA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.5 Department of Education, Skills and Employment

Overview

3.5.1 The Department of Education, Skills and Employment (DESE) is responsible for ensuring Australians can experience the social wellbeing and economic benefits that quality education, training and employment provide.

3.5.2 DESE continues to support the formulation and delivery of initiatives including the ongoing response to the COVID-19 pandemic. The department is delivering key elements of the Government’s five-year JobMaker Plan, including supporting Australians back into jobs by investing in skills and higher education and helping job seekers reconnect with employment. The department also continues to support the provision of essential services on which Australians rely including child care, schooling, training, higher education, and employment services.

3.5.3 The Administered Arrangement Order (AAO) of 18 March 2021, transferred responsibility for the coordination of youth affairs function from the Health portfolio to the Education Skills and Employment portfolio.

3.5.4 Figure 3.5.1 and Figure 3.5.2 show the 2020–21 departmental and administered financial statements items reported by DESE and the key areas of financial statements risk.

Figure 3.5.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DESE’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.5.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DESE’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.5.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DESE’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DESE’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DESE, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.5.6 Annual appropriation funding of $1,055.7 million (departmental) and $7,139.8 million (administered) was provided to DESE in 2020–21 to support the achievement of the entity’s outcomes.⁸⁴ DESE was also budgeted to receive special appropriation funding of $50.4 billion.⁸⁵

3.5.7 Table 3.5.1 and Table 3.5.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.5.1: Key expenses and total own-sourced income

Source: DESE’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.5.2: Key assets and liabilities

Note: DESE’s estimated average staffing level for 2020–21 is 3,542.

Source: DESE’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.5.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.5.3.

Table 3.5.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and DESE’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.5.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2020–21 relevant to the financial management or administration of DESE:

• Auditor-General Report No.23 Services Australia COVID-19 Measures and Enterprise Risk Management; and
• Auditor-General Report No.32 Cyber Security Strategies of Non-Corporate Commonwealth Entities.

3.5.10 The observations of these reports were considered in designing audit procedures. There were no material changes to the planned audit approach compared to prior year as a result of the performance audits conducted.

Audit results

3.5.11 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: cash and appropriations, revenue and receivables, and transactional processing of special accounts; the National Partnership Program payments relating to Jobtrainer and Universal Access to Early Childhood Education; and reconciliations between administered business systems and the financial information systems for grants payments. This includes systems that process the Commonwealth Grant Payments scheme, Higher Education Support Act Block grant payments, Higher Education Superannuation Program, and Australian Education Act School funding (recurrent funding).

3.5.12 Further audit procedures relating to the following areas will be undertaken as part of the planned 2020–21 final audit phase: HELP; Vocational Student Loans; Trade Support Loans; HESP; child care subsidy payments; Jobactive and childcare compliance programs; administered grant payments to schools and universities; and departmental and administered supplier expenses.

3.5.13 Testing of the IT controls relating to services provided to DESE by the Department of Finance’s Service Delivery Office, including monitoring controls in place at DESE over these processes is progressing.

3.5.14 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.

Conclusion

3.5.15 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DESE will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.6 Department of Finance

Overview

3.6.1 The Department of Finance (Finance) is responsible for supporting the Government’s Budget process and oversight of public sector resource management, governance and accountability frameworks. In addition, the department is responsible for the preparation of the annual Consolidated Financial Statements (CFS), which includes the whole-of-government and the general government sector financial statements and the Australian Government’s financial outcome.

3.6.2 The Service Delivery Office (SDO) is a business unit within Finance and is one of the providers of shared services for Australian Government entities. The SDO provides corporate transactional and technical services including; payroll administration, accounts payable, accounts receivable and credit cards.

3.6.3 Figure 3.6.1 and Figure 3.6.2 show the 2020–21 departmental and administered financial statement items reported by Finance and the key areas of financial statements risk.

Figure 3.6.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Finance’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.6.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Finance’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.6.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Finance’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Finance’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Finance, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.6.5 Annual appropriation funding of $718.5 million (departmental) and $661.1 million (administered) was provided to Finance in 2020–21 to support the achievement of the entity’s outcomes.⁸⁶ Finance was also budgeted to receive special appropriation funding of $8.2 billion.⁸⁷

3.6.6 Table 3.6.1 and Table 3.6.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.6.1: Key expenses and total own-sourced income

Source: Finance’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.6.2: Key assets and liabilities

Note: Finance’s estimated average staffing level for 2020–21 is 1,262.

Source: Finance’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.6.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.6.3.

Table 3.6.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and Finance’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Audit results

3.6.8 The ANAO has substantially completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: cash, appropriations, IT general controls, financial management and human resources.

3.6.9 Audit procedures relating to the assessment of the valuations of the: superannuation provision; the insurance provision; and properties will be undertaken as part of the planned 2020–21 final audit.

3.6.10 To date, our audit coverage has not identified any new significant or moderate audit findings.

3.6.11 The following table summarises the status of audit findings reported by the ANAO in 2019–20 and 2020–21.

Table 3.6.4: Status of audit findings raised by the ANAO

Resolved moderate audit finding

Privileged user logging and monitoring

3.6.12 Privileged user accounts (managed by the SDO) include powerful access to IT applications and networks for server administrators and database administrators. These accounts include access to applications and supporting databases which can be used to bypass security controls and make changes, either to system settings or directly to data. These accounts should be restricted to appropriate personnel, attributable to a single person, and activities should be logged and monitored.

3.6.13 In 2019–20, the ANAO identified a number of weaknesses in the effectiveness of the SDO’s management of privileged users, including:

• not all privileged users were subject to logging and monitoring controls; and
• the post-activity review of privileged user activity was not always undertaken on a timely basis.

3.6.14 The ANAO noted that the SDO has reviewed the appropriateness of each privileged account type and confirmed that all privileged accounts are logged and monitored in a timely manner. The SDO also performs routine checks on monitoring controls to gain its own assurance that these controls are operating effectively. Based on these observations, the finding has been resolved.

Conclusion

3.6.15 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.7 Future Fund Management Agency

Overview

3.7.1 The Future Fund Board of Guardians supported by the Future Fund Management Agency (together the Future Fund) is responsible for investing the assets of the Future Fund under the Future Fund Act 2006. The Future Fund is also responsible for managing other investments funds on behalf of the Department of Finance, under the DisabilityCare Australia Fund Act 2013, the Medical Research Future Fund Act 2015, the Aboriginal and Torres Strait Islander Land and Sea Future Fund Act 2018, the Emergency Response Fund Act 2019, and the Future Drought Fund Act 2019, for the benefit of future generations of Australians.

3.7.2 Figure 3.7.1 and Figure 3.7.2 show the 2020–21 departmental and administered financial statements items reported by Future Fund and the key areas of financial statements risk.

Figure 3.7.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Future Fund’s 2020–21 budget as reported in the 2020–21 Portfolio Budget Statements.

Figure 3.7.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Future Fund’s 2020–21 budget as reported in the 2020–21 Portfolio Budget Statements.

3.7.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Future Fund’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Future Fund’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Future Fund, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.7.4 Future Fund does not have any appropriations and no appropriations are expected to be made by Parliament during the 2020–21 financial year. The Future Fund is self-funded, and does not rely on appropriations for the continuance of its operations.

3.7.5 Table 3.7.1 and Table 3.7.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.7.1: Key expenses and total own-sourced income

Source: Future Fund’s 2020–21 budget as reported in the 2020–21 Portfolio Budget Statements.

Table 3.7.2: Key assets and liabilities

Note: Future Fund’s estimated average staffing level for 2020–21 is 198.

Source: Future Fund’s 2020–21 budget as reported in the 2020–21 Portfolio Budget Statements.

Key areas of financial statements risk

3.7.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.7.3.

Table 3.7.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment for the Future Fund and the Future Fund’s 2020–21 budget as reported in the 2020–21 Portfolio Budget Statements.

3.7.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit report was tabled during 2020–21 relevant to the financial management or administration of the Future Fund:

• Auditor-General Report No.32 Cyber Security Strategies of Non-Corporate Commonwealth Entities.

3.7.8 The observations of this report were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement. As such, this performance audit did not have a significant impact on the audit approach to the financial statements.

Audit results

3.7.9 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to the management of investments; monitoring of service providers; and operational expenses incurred by the Future Fund.

3.7.10 The valuation of investments, including the assessment of controls that reside within the outsourced custodian, will be completed as part of the 2020–21 final audit.

3.7.11 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2019–20 audit also did not identify any significant or moderate audit findings.

Conclusion

3.7.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Future Fund will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.8 Department of Foreign Affairs and Trade

Overview

3.8.1 The Department of Foreign Affairs and Trade (DFAT) supports Australia’s foreign, trade and investment, development and international security policy priorities. DFAT is the lead agency managing Australia’s international presence and will lead efforts to maximise Australia’s security and prosperity through implementation of the Foreign Policy White Paper.⁸⁸

3.8.2 Figure 3.8.1 and Figure 3.8.2 show the 2020–21 departmental and administered financial statement items reported by DFAT and the key areas of financial statements risk.

Figure 3.8.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DFAT’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.8.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DFAT’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.8.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DFAT’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DFAT’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DFAT, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.8.4 Annual appropriation funding of $1,888.3 million (departmental) and $4,362.1 million (administered) was provided to DFAT in 2020–21 to support the achievement of the entity’s outcomes.⁸⁹ DFAT was also budgeted to receive special appropriation funding of $305.2 million.⁹⁰

3.8.5 Table 3.8.1 and Table 3.8.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.8.1: Key expenses and total own-sourced income

Source: DFAT’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.8.2: Key assets and liabilities

Note: DFAT’s estimated average staffing level for 2020–21 is 5,881.

Source: DFAT’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.8.6 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.8.3.

Table 3.8.3: Table 3.8.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and DFAT’s revised budget as reported in the 2020–21 Portfolio Additional Estimate Statements.

3.8.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit report was tabled during 2020–21 relevant to the financial management or administration of DFAT:

• Auditor-General Report No. 42 Fraud Control Arrangements in the Department of Foreign Affairs and Trade.

3.8.8 The observations of this report were considered in designing audit procedures to address areas assessed as posing a lower risk of material misstatement. The audit team considered the findings of this report in evaluating the entity’s identification and management of fraud risks. There were no material changes to the planned audit approach compared to prior year as a result of the performance audit conducted.

Audit results

3.8.9 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: payroll processing and IT general controls in the Financial Management Information System; the Human Resource Management Information System; and the two International Aid Information Systems.

3.8.10 Audit procedures relating to: valuation of land and buildings; departmental revenue; supplier expenses; and employee benefits (including financial information processed through international post locations) will be undertaken as part of the planned 2020–21 final audit.

3.8.11 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2019–20 audit also did not identify any significant or moderate audit findings.

Conclusion

3.8.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.9 Department of Health

Overview

3.9.1 The Department of Health (Health) is responsible for achieving the Australian Government’s health outcomes in the areas of: health system policy, design and Innovation; health access and support services; sport and recreation; individual health benefits; regulation, safety and protection; and ageing and aged care. This includes administering programs and services, such as Medicare and the Pharmaceutical Benefits Scheme, and forming partnerships with the states and territories as well as other stakeholders.

3.9.2 Services Australia delivers approximately $61.9 billion of health related payments on behalf of Health. These payments primarily relate to Medicare Benefits Schedule, the Pharmaceutical Benefits Scheme, the Private Health Insurance Rebate and services funded under the Aged Care Act 1997.

3.9.3 Figure 3.9.1 and Figure 3.9.2 show the 2020–21 departmental and administered financial statements items reported by Health and the key areas of financial statements risk.

Figure 3.9.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Health’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.9.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Health’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.9.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Health’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Health’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Health, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.9.5 Annual appropriation funding of $914.0 million (departmental) and $14,655.8 million (administered) was provided to Health in 2020–21 to support the achievement of the entity’s outcomes.⁹¹ Health was also budgeted to receive special appropriation funding of $26.1 billion.⁹²

3.9.6 Table 3.9.1 and Table 3.9.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.9.1: Key expenses and total own-sourced income

Source: Health’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.9.2: Key assets and liabilities

Note: Health’s estimated average staffing level for 2020–21 is 3,954.

Source: Health’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.9.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.9.3.

Table 3.9.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and Health’s budgeted financial statements for the year ended 30 June 2021.

3.9.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit report was tabled during 2020–21 relevant to the financial management or administration of Health:

• Auditor-General Report No.32 Cyber Security Strategies of Non Corporate Commonwealth Entities.

3.9.9 The results of the above report were considered in designing our audit procedures. No significant changes were made to the designed audit procedures for the financial statements audit.

Audit results

3.9.10 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: IT security and change management in the financial management information system and human resource management information system; cash and appropriations management; supplier expenses; assets; payroll processing; Therapeutic Goods Administration revenue; personal benefits; subsidies; and grant payments.

3.9.11 Other areas of audit focus, including the compliance processing of Aged Care subsidies and Medicare payments, and an assessment of the valuation methodologies used to estimate the medical indemnity program and Medicare outstanding claims liability provisions, will be performed as part of 2020–21 final audit.

3.9.12 To date, our audit coverage has not identified any new significant or moderate audit findings.

3.9.13 The following table summarises the status of audit findings reported by the ANAO in 2019–20 and 2020–21.

Table 3.9.4: Status of audit findings raised by the ANAO

Unresolved moderate findings

User Access Controls – Terminated Users

3.9.14 During 2019–20 audit, the ANAO’s testing identified weaknesses in the Health’s security controls relating to terminated users where a number of users who retained access to Health’s financial management information system post termination and a small number of these had accessed the system to print, email and access Human Resources self-service post termination.

3.9.15 During 2020–21 interim audit phase, the ANAO identified exceptions where user accounts remained active post termination, some of which appeared to have been logged on post termination dates. These exceptions are being investigated by Health and the finding remains unresolved during the 2020–21 interim audit phase.

National Medical Stockpile – recording and management

3.9.16 During the 2019–20 audit, the ANAO’s testing identified weaknesses in Health’s recording and management of the National Medical Stockpile (NMS). These included: the inventory management system supporting the NMS not being fit for purpose; absence of reconciliations between the Health FMIS and inventory records and financial reporting by product and location for the last quarter of the financial year; a number of errors in the manually entered excel inventory register; and lack of frequency in stock taking processes, delays in provisions of stock take methodology and timely resolution of stock take variation.

3.9.17 Health is in process of developing a solution incorporating reconciliations between Health’s FMIS and warehouse vendor records and on a rolling program for stock take that best suits the nature of the stock pile.

Conclusion

3.9.18 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Health’s will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2020–21 final audit.

3.10 Department of Home Affairs

Overview

3.10.1 The Department of Home Affairs (Home Affairs) coordinates policy and operations for Australia’s national and transport security, federal law enforcement, criminal justice, cyber security, border, immigration, multicultural affairs, emergency management and trade related functions.

3.10.2 Figure 3.10.1 and Figure 3.10.2 show the 2020–21 departmental and administered financial statements items reported by Home Affairs and the key areas of financial statements risk.

Figure 3.10.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Home Affairs’ revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.10.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Home Affairs’ revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.10.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Home Affairs’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Home Affairs’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Home Affairs, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.10.4 Annual appropriation funding of $3,030.1 million (departmental) and $2,463.3 million (administered) was provided to Home Affairs in 2020–21 to support the achievement of the entity’s outcomes.⁹³ Home Affairs was also budgeted to receive special appropriation funding of $512.6 million.⁹⁴

3.10.5 Table 3.10.1 and Table 3.10.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.10.1: Key expenses and total own-sourced income

Source: Home Affairs’ 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.10.2: Key assets and liabilities

Note: Home Affairs’ estimated average staffing level for 2020–21 is 14,632.

Source: Home Affairs’ 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.10.6 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.10.3.

Table 3.10.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and Home Affairs’ revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Audit results

3.10.7 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: collection of customs duty revenue and visa application revenue; the management of the onshore immigration detention centres and overseas regional processing centres; and accounting for employee entitlements.

3.10.8 Interim audit coverage has also included an assessment of IT general controls, including security and change management processes relevant to the financial management information system and human resources management information system.

3.10.9 Audit procedures relating to: payment of personal benefits; reporting of overseas transactions; IT application controls; and testing the processes identified above for the remainder of the financial year will be undertaken as part of the 2020–21 final audit.

3.10.10 To date, our audit coverage has not identified any new significant or moderate audit findings.

3.10.11 The following table summarises the status of audit findings reported by the ANAO in 2020–21.

Table 3.10.4: Status of audit findings raised by the ANAO

Note a: The moderate audit issues relating to Management of Staff Leave and Visa and Citizenship Quality Management have been downgraded to minor audit findings.

Resolved moderate audit findings

Management of staff leave

3.10.12 During 2019–20, the ANAO undertook targeted assurance activities over the management of staff leave within Home Affairs. The activities were performed to facilitate an assessment of compliance of the management of leave accruals, and balances with human resource policies and requirements.

3.10.13 The 2019–20 audit identified Home Affairs leave policy had not been updated to include current leave information or the requirements and conditions under the 8 February 2019 Department of Home Affairs Workplace Determination 2019. Further, the audit identified a number of instances of non-compliance with, and inconsistencies in the application of, Home Affairs’ staff leave policies and procedures. The ANAO concluded that the control weaknesses posed potential moderate business and financial reporting risks.

3.10.14 At the conclusion of the 2020–21 interim audit, the ANAO has confirmed that Home Affairs has: updated leave polices to include current leave information or the requirements and conditions under the 8 February 2019 Department of Home Affairs Workplace Determination 2019; enhanced its Policy and Procedural Control Register; communicated to staff and supervisors the importance of compliance with policies; and strengthened monitoring and reporting controls, including the enhancement of Executive Dashboard reporting.

3.10.15 While Home Affairs is continuing to implement strategies to increase compliance by employees and mature its monitoring and reporting controls to facilitate targeted responses for non-compliance, the ANAO has concluded that this no longer poses a moderate business and financial reporting risk to Home Affairs. The audit issue has been downgraded to a minor audit issue.

Visa and Citizenship Quality Management

3.10.16 Home Affairs established a Secretary Instruction and Quality Management Policy to mandate regular quality assurance reviews to improve consistency in decision making and ensure the effective identification and management of emerging business risks relating to the assessment and issuance of visas and citizenship. Consistent with this Instruction and Policy, a Visa and Citizenship Quality Management Framework was established in 2014.

3.10.17 The 2018–19 audit identified certain content in the existing framework document was out of date, there was significant non-compliance with the required quality assurance sample rates, reporting relating to the outcome of quality assurance management was suspended between January and June 2019 and Home Affairs was not able to demonstrate sufficient reporting of the matter to either the Executive or Audit Committee. The ANAO concluded that the control weaknesses posed potential significant business risks but did not impact the calculation and recognition of visa revenue in the financial statements.

3.10.18 At the conclusion of the 2020–21 interim audit, the ANAO has confirmed Home Affairs has continued to address the recommendations. In particular Home Affairs has:

• implemented a revised assurance framework and an assurance activity procedural instruction and progressed the development of a program management policy statement and program management plans;
• mapped program level controls and assessed the maturity of controls to facilitate targeted strengthening of controls;
• established compliance with required sample rates across programs and a significant proportion of locations;
• completed system enhancements and undertaken a post implementation review; and
• established regular reporting and monitoring controls, including reporting to the Executive and Audit and Risk Committee.

3.10.19 While Home Affairs finalises particular initiatives and matures others, the ANAO has concluded that this audit issue no longer poses a moderate business risk. The audit issue has been downgraded to a minor audit issue.

Conclusion

3.10.20 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.11 Department of Industry, Science, Energy and Resources

Overview

3.11.1 The Department of Industry, Science, Energy and Resources (Industry) is responsible for supporting science and commercialisation; growing business investment and improving business capability; developing northern Australia; streamlining regulation; developing and implementing a national response to climate change; improving Australia’s energy supply, efficiency, quality, performance and productivity; and facilitating the growth of small and family business.

3.11.2 Industry offers a grants hub and shared service centre which provides other Commonwealth entities with administrative support including grants administration and payments processing, human resources and financial transactions processing and the provision of management information systems supporting these processes.

3.11.3 Figure 3.11.1 and Figure 3.11.2 show the 2020–21 departmental and administered financial statement items reported by Industry and the key areas of financial statements risk.

Figure 3.11.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Industry’s revised budget as reported in the 2020-–21 Portfolio Additional Estimates Statements.

Figure 3.11.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Industry’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.11.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Industry’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Industry’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Industry, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.11.5 Annual appropriation funding of $651.3 million (departmental) and $2,018.4 million (administered) was provided to Industry in 2020–21 to support the achievement of the entity’s outcomes.⁹⁵ Industry was also budgeted to receive special appropriation funding of $533.2 million.⁹⁶

3.11.6 Table 3.11.1 and Table 3.11.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.11.1: Key expenses and total own-sourced income

Source: Industry’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.11.2: Key assets and liabilities

Note: Industry’s estimated average staffing level for 2020–21 is 3,096.

Source: Industry’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.11.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.11.3.

Table 3.11.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and Industry’s budgeted financial statements for the year ended 30 June 2021.

Audit results

3.11.8 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to employee and supplier expenditure; appropriations and special accounts; and asset and cash management. As part of the interim audit coverage, the ANAO has also assessed controls relating to selected departmental and administered revenue streams, grant and subsidy payments and IT general and applications controls for key financial systems.

3.11.9 Audit procedures relating to the completeness and accuracy of royalties; and valuation of the administered investment (including Snowy Hydro Limited) and Ranger Rehabilitation Security Funds will be undertaken as part of the planned 2020–21 final audit.

3.11.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2019–20 audit also did not identify any significant or moderate audit findings.

Conclusion

3.11.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Industry will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.12 Snowy Hydro Limited

Overview

3.12.1 Snowy Hydro Limited (Snowy Hydro) is a government business enterprise. The primary business includes energy generation activities to supply the National Electricity Market (NEM) and operating as a retail energy provider to over 1.1 million customers through the Red Energy and Lumo Energy brands. Snowy Hydro’s energy generation capacity of 5,500 megawatts supplies New South Wales, Victoria and South Australia, primarily through the generating capacity of the Snowy Mountains hydroelectric scheme. Snowy Hydro is currently progressing Snowy 2.0, a pumped hydro project that will add 2,000 megawatts of on-demand generation and 175 hours of large-scale storage capability to the existing Snowy scheme.

3.12.2 Figure 3.12.1 shows the 2019–20 financial statements items reported by Snowy Hydro and the key areas of financial statements risk.

Figure 3.12.1: Key financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Snowy Hydro’s financial statements for the year ended 30 June 2020.

3.12.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Snowy Hydro’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Snowy Hydro’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Snowy Hydro, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.12.4 Snowy Hydro does not receive any annual appropriation funding. The operational functions of Snowy Hydro are primarily funded through own source income. The primary income sources for Snowy Hydro are retail revenue which arises from the supply of electricity and gas to customers through the Red and Lumo energy brands and wholesale revenue arising from the generation and supply of electricity to the NEM. Snowy Hydro is accessing a mix of private debt funding and equity injections from the Australian Government to fund the construction and delivery of the Snowy 2.0 project.

3.12.5 Table 3.12.1 and Table 3.12.2 provide a summary of the key 2019–20 audited financial statements items.

Table 3.12.1: Key expenses and total own-sourced income

Source: Snowy Hydro’s 2019–20 audited financial statements.

Table 3.12.2: Key assets and liabilities

Note: Snowy Hydro’s staffing level at 30 June 2020 was 1,782 (including non-ongoing contractors).

Source: Snowy Hydro’s 2019–20 audited financial statements.

Key areas of financial statements risk

3.12.6 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.12.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

Table 3.12.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment, and Snowy Hydro’s audited financial statements for the year ended 30 June 2020.

Audit results

3.12.7 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: retail and generation billing revenue and receivables, purchases to pay, treasury, renewable energy certificates, financial reporting and payroll.

3.12.8 Audit procedures relating to: IT General and Application controls (where appropriate), assessment of controls relating to non-financial assets and substantive testing on all material financial statements line items will be undertaken as part of the planned 2020–21 final audit. This will include audit procedures to test material accounting estimates made by Snowy Hydro (and relating to the key areas of financial statements risk) including accuracy of the valuation of financial instruments, capitalised customer acquisition costs, unbilled electricity revenue receivable, renewable energy certificates, goodwill and impairment of trade and other receivables.

3.12.9 Snowy Hydro has identified potential investments in gas fired electricity generation to supply the NEM and is undertaking detailed business case analysis and planning. Any decision to proceed with this project prior to 30 June 2021 will require revision to the planned audit approach.

3.12.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2019–20 audit also did not identify any significant or moderate audit findings.

Conclusion

3.12.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Snowy Hydro will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.13 Department of Infrastructure, Transport, Regional Development and Communications

Overview

3.13.1 The Department of Infrastructure, Transport, Regional Development and Communications (Infrastructure) is responsible for improving infrastructure across Australia through funding coordination of transport and other infrastructure; providing an efficient, sustainable, competitive and safe transport system for all transport users; strengthening the sustainability, capacity and diversity of regional economies providing advice on population policy; implementing the national policy on cities; promoting an innovative and competitive communications sector; participation in and access to Australia’s arts and culture through developing and supporting cultural expression; and supporting governance arrangements in the Australian territories.

3.13.2 Infrastructure continues to provide support to the aviation, creative arts and regional communities impacted by the economic impact of COVID-19. This support is through the provision of direct financial assistance in the form of subsidy and grant payments.

3.13.3 Figure 3.13.1 and Figure 3.13.2 show the 2020–21 departmental and administered financial statements items reported by Infrastructure and the key areas of financial statements risk.

Figure 3.13.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Infrastructure’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Figure 3.13.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Infrastructure’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.13.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Infrastructure’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Infrastructure’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Infrastructure, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.13.5 Annual appropriation funding of $397.1 million (departmental) and $6,901.2 million (administered) was provided to Infrastructure in 2020–21 to support the achievement of the entity’s outcomes.⁹⁷ Infrastructure was also budgeted to receive special appropriation funding of $1,746.7 million.⁹⁸

3.13.6 Infrastructure also administer the assessment and oversight functions for national partnership payments on behalf of the Department of the Treasury relating to road, rail and water infrastructure investment projects. Whilst these payments to State and Territory Governments are recorded in the Treasury financial statements, the project approval, advice to Government, milestone assessment, project monitoring and analysis processes are undertaken by Infrastructure. Expenses for these projects are estimated to be $9,016.2 million in 2020–21.⁹⁹

3.13.7 Table 3.13.1 and Table 3.13.2 provide a summary of the key 2020–21 departmental and administered estimated financial statements items.

Table 3.13.1: Key expenses and total own-sourced income

Source: Infrastructure’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Table 3.13.2: Key assets and liabilities

Note: Infrastructure’s estimated average staffing level for 2020–21 is 1,598.

Source: Infrastructure’s 2020–21 revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

3.13.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.13.3.

Table 3.13.3: Key areas of financial statements risk

Source: ANAO 2020–21 risk assessment and Infrastructure’s revised budget as reported in the 2020–21 Portfolio Additional Estimates Statements.

3.13.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit report was tabled during 2020–21 relevant to the financial management or administration of Infrastructure:

• Auditor-General Report No. 9 Purchase of the Leppington Triangle for the Future Development of the Western Sydney Airport.

3.13.10 The findings made in this report have been considered in the ANAO’s overall assessment of the risk of material misstatement in the 2020–21 financial statements audit, particularly in relation to revising audit procedures to be performed on the acquisition and disposal of non-financial assets.

Audit results

3.13.11 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; accounting for non-financial assets; appropriations and special accounts; grant expenses; loans and advances; subsidies (including aviation COVID-19 support programs); supplier expenses; administered revenue; and employee payroll. Interim coverage also included procedures to address the risks identified in Table 3.13.3 in relation to the completeness and accuracy of the transfer of data from the former Communications HRMIS and FMIS to the Infrastructure FMIS and HRMIS on 1 July 2020. Interim audit coverage has also included an assessment of IT general controls (including security and change management processes relevant to the financial management information systems and human resources management information system).

3.13.12 Audit procedures relating to: the valuation of administered investments; accuracy of subsidy claims for the Tasmanian Freight Equalisation Scheme and Regional Broadband Scheme; valuation of other assets including non-financial assets; and loans and advances will be undertaken as part of the planned 2020–21 final audit.

3.13.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.13.14 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Infrastructure will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.

3.14 Australian Postal Corporation

Overview

3.14.1 The Australian Postal Corporation (Australia Post) is a government business enterprise responsible for supplying postal services to Australia including the distribution of letters and parcels in Australia and internationally.

3.14.2 Figure 3.14.1 shows the 2019–20 financial statements items reported by Australia Post and the key areas of financial statements risk.

Figure 3.14.1: Key financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Australia Post’s financial statements for year ended 30 June 2020

3.14.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Australia Post’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items, Australia Post’s environment and governance arrangements, together with its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Australia Post, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.14.4 Australia Post does not receive annual appropriation funding. The operational functions of Australia Post are funded from the following revenue sources: parcel services; mail services; retail; agency and other services. Australia Post pays a dividend to the Commonwealth from its profit after income tax.

3.14.5 Table 3.14.1 and Table 3.14.2 provide a summary of the key 2019–20 audited financial statements items.

Table 3.14.1: Key expenses and total own-sourced income

Source: Australia Post’s audited financial statements for the year ended 30 June 2020.

Table 3.14.2: Key assets and liabilities

Note: Australia Post’s 2019–20 staffing level was is 34,998.

Source: Australia Post’s Annual Report 2020 and audited financial statements for the year ended 30 June 2020.

Key areas of financial statements risk

3.14.6 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2020–21 are provided in Table 3.14.3.

Table 3.14.3: Key areas of financial statements risk

Source: ANAO 2019–20 audit results, and Australia Post’s audited financial statements for the year ended 30 June 2020.

Audit results

3.14.7 The ANAO has completed its 2020–21 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; trade receivables; and property, plant and equipment. Interim coverage also included an assessment of the IT general controls and IT application controls of key systems supporting the financial statements. In addition, an assessment of the effectiveness of non-system controls relating to sales revenue, employee expenses and trade and other payables has also been completed.

3.14.8 Audit procedures relating to all key areas of audit focus, including the valuation of the Australia Post Superannuation Scheme and the valuation of intangible assets, will be undertaken as part of the 2020–21 final audit.

3.14.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.

Conclusion

3.14.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2020–21 final audit.