Content in this communique is supported by the slides that were presented at the forum.

Parliament

Service to the Parliament remains a high priority to the ANAO. The ANAO conducts audits for the Parliament, not for the entities it is auditing. There is some evidence that the Parliament is signalling a desire for more system-level assurance and transparency of the operation of frameworks in the public sector. Parliament continued to focus in the Public Management Reform Agenda (PMRA) space and on sector-wide compliance requirements, such as Cyber Security. The recommendation of the independent review of the PGPA Act regarding disclosure of executive remuneration is another example of a focus on transparency.

The JCPAA

In the 45^th Parliament the JCPAA had a high level of activity:

• Reports tabled – 18
• Inquiries commenced – 22 (six more than in 44^th Parliament)
• ANAO reports selected for inquiry – 37 (ten more than in 44^th Parliament)
• Hearings held – 34
• Recommendations made – 141 (44 more than in 44^th Parliament)

It was observed that the ANAO reports were also the subject of inquiry in a number of Senate Committees.

The ANAO expects this level of activity to continue and is gearing up to continue to provide high levels of support to the new Parliament, and directly to members of Parliament on request. Briefings provided to Parliamentarians are listed on the ANAO website.

JCPAA’s recent reports (Report 476: Australian Government Funding and Report 479: Australian Government Security Arrangements) included some commentary on the entities’ selection of witnesses appearing at scheduled hearings and the quality of evidence provided. The JCPAA indicated:

“It is a key requirement of officials coming before the Joint Committee of Public Accounts and Audit to not only answer questions but to provide members of the Committee with the highest level of confidence that their concerns are being addressed.” (JCPAA Report 479 April 2019)

“As a guiding principle, the Committee emphasizes that departments should ensure all witnesses giving evidence before the JCPAA are adequately briefed on all matters relating to the Committee’s inquiry.” (JCPAA Report 476 February 2019)

The ANAO’s role is to support the Parliament through its auditing functions – this includes briefing members and Committees on our reports. In order to improve communication with Committees (and more generally), the ANAO will be adding new search options on our website to enable search activity (e.g. procurement, grants) and by Senate Estimates Committee coverage from the 2019 financial year.

Overview of ANAO’s portfolio coverage 2018–19

The ANAO’s spread of audit activity is reflective of emerging risks and challenges impacting on public administration. The ANAO monitors the balance of its audit coverage.

• Governance and service delivery remained key activity focus areas.
• The ANAO continues to focus on corporate planning and performance statements. The audit on Commonwealth resource management framework and the clear read principle is expected to be tabled later this year.
• A series of performance audits tabled in April and May 2019 examined the effectiveness of governance boards in four corporate Commonwealth entities. More information on the key audit findings can be found in the Board governance audit insights.
• The ANAO is currently examining the governance of and implementation of ANAO and parliamentary committee recommendations. Early signs in this audit work is that more attention is being given to ANAO recommendations than Parliamentary Committee recommendations. Audit Committees should consider the assurance given to the Accountable Authority over both the governance and implementation of recommendations.

Issues observed in 2018–19 audits

The ANAO is continuing to observe ongoing risks in procurement and contract management. Quality frameworks have had some attention and there are good learnings for others there. Recordkeeping continues to be a problem which creates risks for entities.

• Procurement – high focus on Defence audits and more generally a need to consider value for money. ANAO’s Insights from reports tabled January to March 2018 discusses the need to understand the market to deliver value in the procurement life cycle.
• Contract management– identified as an ongoing risk in the sector, as observed in The Australian Criminal Intelligence Commission’s Administration of the Biometric Identification Services Project.
• Record keeping remains a risk in the sector – needs to be an ongoing focus for entities. Record keeping systems need to be used appropriately. It is an internal compliance issue whereby accountable authorities are setting rules frameworks, and staff aren’t following them.
• Quality frameworks – the ANAO has observed that quality frameworks are developed and implemented for service delivery but fitness for purpose for other activities needs to be considered (DHS). In ATO, quality framework is in operation but important to get the visibility over firmer action, and the sampling methodology needs attention. These are useful watch points for Audit Committees: Design and Implementation of the Quality Framework; and Management of Small Business Tax Debt.
• Financial reporting - remains strong overall and is a continued focus for the ANAO. Some significant issues observed in Interim Report on Key Financial Controls of Major Entities were the absence of compliance activity, particularly in fraud training and controls over outgoing payments. The ANAO will continue to collect data on unadjusted differences and consider what to report to the Parliament. The JCPAA has shown interest in the way government funds activities and programs, for example, concessional loans and equity. The ANAO will continue to watch this.

ANAO’s 2019–20 program

• Portfolio coverage will increase to focus on regulatory activities and asset management. Focus on service delivery and procurement will be maintained. Audit objectives (effectiveness, efficiency, economy and ethics) are largely stable. Expect an increased focus on audits in early stage of delivery.
• The ANAO’s AAWP for 2019–20 will be published on the ANAO website along with the Corporate Plan in early July. Audit Committee Chairs may be interested in the portfolio risk information drawn together and contained in the AAWP.
• The quality and transparency of performance information will continue to be a feature - the ANAO’s goal is to look at performance information in all of our performance audits as well as conduct individual performance audits on performance statements.
• Shared services – the move to shared services brings a heightened consideration of where accountabilities lie. The customer in a shared service arrangement still has accountability for their controls framework in respect of the services provided by another entity. Audit Committees should keep this in mind. We expect to conduct performance audits in the shared services arrangements space during the year.
• Basic compliance remains a focus – for example, in the recently tabled controls report (LINK) compliance with accountable authorities’ requirements for fraud training has issues. Compliance can be driven by both entity culture and monitoring (both within the entity and across the sector). We observed in the controls report in 2018 (LINK) that the removal of central reporting of compliance certificates had had some impacts in entity monitoring and reporting.
• The ANAO will continue to look at culture in its audits – culture can be difficult to audit (finding an appropriate framework against which to audit can be difficult). Audit Committees may be interested in our emerging approaches in cyber security audit series, and in board governance series.

Assessing integrity risk

INTOSAI (the International Organisation of Supreme Audit Institutions) has developed a tool to assist audit offices assess integrity risk and culture in their operations. This tool can assist organisations in measuring culture and mindset in the framework of integrity. The ANAO participated in a Self-Assessment of Integrity (IntoSAINT) in March 2019. The ANAO is happy to discuss this tool with entities – entities may find it useful in assessing integrity risk, particularly in light of the government’s policy of implementing an integrity framework in the Australian Government sector.

The ANAO made a submission to the Senate Standing Committee on Legal and Constitutional Affairs’ inquiry into bills to create a nationally coordinated integrity framework including an Integrity Commission. The focus of the ANAO submission was on independence, the relationship with the Parliament and the ability to execute our mandate. The ANAO submission can be viewed in full here. The Committee report, published in April 2019, can be found here.

Financial Analysis, Reporting and Management update

Key Accounting Standards Changes

There are four significant Accounting Standards changes impacting on 2018-19 and 2019-20 financial statements:

• AASB 9 Financial Instruments (2018-19);
• AASB 15 Revenue from Contracts with Customers (2018-19);
• AASB 1058 Income of Not-for-Profit Entities (2019-20); and
• AASB 16 Leases (2019-20).

Finance has published position papers and presentations on finance.gov.au relating to the new standards. We have also amended the Financial Reporting Rule (FRR), Resource Management Guide 125 (RMG 125) and the Primary Reporting Information Management Aid (PRIMA) to implement the changes, applicable to 2018-19 financial statements.

For AASB 16 Leases, Finance is managing the implementation over four phases:

• Phase 1 and Phase 2 undertaken over 2018-19 were about data capture and consistent policy application by entities.
• Phase 3 and Phase 4 to occur over 2019-20 deal with implementation of the standard in government and entity financial systems and associated financial statements reporting requirements.

Consolidated Financial Statements

In relation to financial statements requirements, a similar process and deadlines to previous years will apply to the 2018-19 Consolidated Financial Statements (CFS).

• The key deadlines for financial statements submission and material audit clearance is 15 August for material entities and 30 August for small entities.
• The supplementary reporting pack (SRP) for the CFS process was issued in May. The SRP is required to be submitted by 19 August (two business days after CBMS submission for material entities) and 30 August (for small entities).
• The new questions in this year’s SRP are related to the new accounting standards. Changes have been made in the FRR and reporting guidance to support the SRP process, including guidance on disclosure of maturity information in financial statements and the requirement for management assurance of the SRP process.

In relation to audit committees’ role, consideration of the SRP will form part of the review of the appropriateness of financial reporting by entities.

Machinery of Government Changes (MoG)

Finance is working closely with entities to support early implementation of MoG changes.

Entities are required to adopt the following principles in implementing MoG changes:

• taking a whole-of-government approach;
• good faith negotiations;
• open and honest identification of resource implications;
• timely and accurate exchange of information;
• constructive and open communication with staff; and
• accountability and compliance with legislation and policy.

Five entities have been renamed by the amendment to the Administrative Arrangements Order (AAO). These changes took effect on 29 May 2019.

Two new entities, the Faster Rail Agency in the Infrastructure portfolio and the National indigenous Australian Agency within the Prime Ministers Portfolio, will commence from 1 July 2019.

MoG Transfer timings for staff and appropriations are:

• For Special Appropriations – the date of effect is the date when the relevant legislation transfers between entities, which occurred as at the date the AAO was issued on 29 May 2019.
• For other transfers including Annual Appropriations, entities have been advised that the date of effect should be 1 July 2019 and negotiations for appropriation transfers are to be concluded by that time.
  • For staff transfers, the transfer will likely line up for most entities with the first pay day after 1 July for simplicity.

Digital Annual Reporting

In the 2017-18 reporting period, Finance successfully piloted a digital annual reporting tool with 15 Commonwealth entities. The results of this pilot are available at www.transparency.gov.au:

• The Parliament has recently made changes to the Public Governance, Performance and Accountability Rule 2014, requiring all Commonwealth entities and companies to publish their annual reports “using the digital reporting tool administered by the Finance Minister”; this will see all (188) 2018-19 Government annual reports published on transparency.gov.au this year.
• Finance is currently providing annual report contacts with software access and training on how to use the tool.

The “digital reporting tool” implemented consists of two core elements:

• An authoring tool, for entities to develop content through customised flexible templates for publications and to manage the internal approval process.
• A public website, to provide digital access to the reports once publically released in one central location (www.transparency.gov.au).

For the 2019-20 reporting period, Finance is intending to expand www.transparency.gov.au to incorporate all entity Corporate Plans and Portfolio Budget Statements to enable comparisons and a clearer read across the financial and non-financial performance information.

Independent Review into the Operation of the Public Governance, Performance and Accountability Act 2013 and Rule

The Finance Minister, on 5 April 2019, tabled a statement in the parliament that agreed, in principle, to 48 of the 52 recommendations that are the responsibility of the government.

• Finance will shortly brief the Minister for Finance to provide an update on the status of recommendations and recommend further approaches to implementation.

Finance and the Government have already successfully implemented five recommendations from the Review:

• Recommendation 31 – The development of a digital reporting platform.
• Recommendation 35 – The enhanced disclosure of executive remuneration
• Recommendation 36 – The inclusion of an explanation of remuneration policy and practice in entity annual reports.
• Recommendation 41 – Disclosing material personal interest.
• Recommendation 49 – Improving entity banking arrangements.
  • Consultation on the remaining recommendations will commence shortly to inform a formal government response.

There is also a collection of recommendations from the Review currently in the process of implementation:

• Recommendation 39 - Enhancing Department of Finance support.
• Recommendations 11-13, 17-21 and 50 - Improving management practices and providing additional information.

Enhancing entity Support

Finance is continuing to enhance outreach tools and support of entities in the application of the PGPA Act and Rules. This includes a review of resource management guidance material to further advance entity support through our web presence with a self-service focus.

Culture and governance: Audit insights — board governance

The Board governance audit insights was published on 17 May 2019. It outlines key messages from a series of recent audits examining the effectiveness of governance boards in four corporate Commonwealth entities:

• Effectiveness of Board Governance at Old Parliament House (OPH);
• Governance of the Special Broadcasting Service Corporation (SBS);
• Effectiveness of Board Governance at the Australian Institute of Marine Science (AIMS); and
• Effectiveness of Board Governance at the Sydney Harbour Federation Trust (SHFT).

In line with the common messages on culture and governance from the HIH Royal Commission (2003), the APRA Prudential Inquiry (2018) and the Hayne Royal Commission (2019), the key insight from this series of audits was that ‘hard’ attributes of effective governance were necessary, but not sufficient – such as board composition, appointment and independence; and the interplay with ‘soft’ attributes such as relationships, behaviours and culture were key.

Some of the practices adopted by audited boards to support effective board governance included:

• establishing a board charter;
• periodically evaluating board performance;
• actively considering current and future board skill requirements;
• recognising and managing conflicts of interest;
• retaining adequate documentation and records of decisions and actions;
• actively questioning and challenging management;
• reviewing key strategic risks in corporate risk registers and setting the risk appetite;
• ensuring that the audit committee and its operating arrangements support the board obtaining the external advice and assurance it requires;
• approving and periodically reviewing key policies and frameworks, particularly those that relate to the duties of an accountable authority;
• providing appropriate induction to assist board members’ understanding of their obligations;
• seeking management assurance regarding internal controls and compliance; and
• seeking consolidated progress reports on results against all performance targets in the corporate plan.

Interim Report on Key Financial Controls of Major Entities

The ANAO Interim Report on Key Financial Controls of Major Entities was tabled on 13 June 2019 and focuses on the results of the interim audits for 26 major entities.

Summary of findings

• A total of 70 findings were reported to the entities included in the report as a result of interim audits, comprising of one significant, 12 moderate and 57 minor findings. This was a decrease in findings from the interim audit results of 2017–18, which had reported a total of 99 findings.
• As in previous years, the majority of findings continue to be in the areas of:
  • compliance and quality assurance frameworks supporting program payments, revenue collection and financial reporting; and
  • management of IT controls, particularly the management of privileged users.

Protective Security Policy Framework (PSPF) compliance

• All non-corporate Commonwealth entities are required to undertake an annual point in time self-assessment against the requirements of the PSPF. As with previous years and consistent with ANAO performance audits on cyber resilience, the mandatory Top Four mitigation strategies (INFOSEC 4) continues to be the area of least compliance.
• Of the 22 entities included in the report that were required to report on their compliance with INFOSEC 4:
  • 12 entities reported that they were compliant;
  • two entities reported partial compliance; and
  • eight entities reported that they were not compliant.

Reporting on compliance with finance law

Entities are required to report significant non-compliance with finance law to both the Minister for Finance and the responsible Minister.

• Three entities were excluded from the analysis as they did not maintain a central listing of all non-compliance. The remaining 23 entities included in the report identified a total of 4,975 instances of non-compliance in 2017–18.
  • two entities reported no non-compliance;
  • two entities reported over 10 per cent of the non-compliance; and
  • the remaining entities each reported between one and nine per cent of the non-compliance.

Fraud management

• The Fraud Rule is a legislative instrument binding all Commonwealth entities setting out the key requirements of fraud control. The Fraud Rule requires that entities must ensure officials are made aware of what constitutes fraud such as through entity-wide fraud awareness training.
  • 23 of the 26 entities had mandatory fraud awareness training. Of the 23 entities, the regularity with which the training has to be completed varies between annually (11 entities) and biennially (11 entities), with one department only requiring it is completed every three years or within 12 months of an overseas posting.
  • Monitoring of completion of mandatory fraud training varies between entities. Seven entities did not have a process to centrally monitor and report on completion of the mandatory training and five entities had compliance rates below 70 per cent.
• There is an opportunity for entities to strengthen their fraud awareness training programs and develop systems to monitor staff compliance with requirements.

Payment cards

• All entities included in the report have a payment card policy or equivalent document which sets out requirements for permissible expenditure, where personal use can be incurred and acquitted. Three entities have not updated their policy for more than three years.
• All entities had established payment card limits for their cardholders. With the exception of one entity, all relied on bank controls to ensure that limits were not exceeded. Nine entities advised they also used other assurance processes to ensure transactions were not split to circumvent limits.
• A robust acquittal process supports accountability with timely independent review and management expenditure oversight:
  • Six entities did not undertake regular review and reporting of the status of acquittals to management.
  • Three entities did not have formal management assurance processes.
  • Six entities only require receipts to be retained for transactions above the ATO substantiation limit for claiming GST of $82.50.

Looking forward to the ‘End of Year Report’

The ANAO will be collecting information on the number and value of audit adjustments, adherence to financial reporting timetable and Executive Remuneration Disclosures for potential reporting in the Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2019 audit report.