At the opening of the meeting an update was provided on the Department of Finance’s response to a request from audit committee chairs at the December 2017 forum for an opportunity to have a discussion and participate in the consultations on the draft guidance on audit committees:

• The Department consulted audit committees on 22 November 2017 and 5 February 2018, through chief finance officer’s (CFOs) and chief operating officers (COOs), on the draft guide for non-corporate Commonwealth entities (NCE) on the role of audit committees.
• The Department considered the feedback received from entities, which included audit committees responses.

The forum was also informed that in response to requests to provide opportunities for interstate chairs to participate in a forum, the Auditor-General held a mini audit committee chairs forum in Sydney on 23 February 2018. The meeting was attended by seven chairs of audit committees. Future opportunities to participate in mini forums in Sydney and Melbourne will be identified and communicated to audit committee chairs.

Key updates from the Auditor-General

General overview of 2017-18 audit program coverage:

• Audit coverage across portfolios is tailored to the level of Australian Government budget commitments, the breadth of responsibilities within entities and risks to the achievement of government and parliamentary objectives.
• Performance audit objectives largely focused on examining effectiveness, with an increased expansion into measuring compliance, efficiency and economy.
• Increasing coverage across the policy/program continuum with more audits examining program and policy design phase as well as implementation.
• Undertook audits in four government business enterprises (GBEs):
  • Management of the Pre-construction Phase of the Inland Rail Programme;
  • Australia Post’s Efficiency of Delivering Reserved Letter Services;
  • Administration of the National Broadband Network Satellite Support Scheme; and
  • Delivery of the Moorebank Intermodal Terminal.

Issues observed in the 2017-18 audit program:

• Getting the basics right — framework is principles based and the defined mandatory requirements are important to comply with. Entities should be assessing if the control environment is sufficient to meet mandatory requirements, as well as ensuring there is a positive performance culture. Systemic issues are presenting in record keeping, cyber security, compliance with grant guidelines and implementation of government budget decisions.
• Value for money — there doesn’t appear to be a strong enough focus on achieving value for money.
• Use of evidence base in developing and assessing programs — not seeing use of robust evidence base for policy design and strong linkage to evaluation frameworks.

Supporting the Parliament:

The ANAO’s primary relationship is with the Australian Parliament with the central function being to perform audit work and provide reports to the Parliament to support accountability in the Australian government sector. The ANAO appears before and makes submissions to the Joint Committee of Public Accounts and Audit (JCPAA), the ANAO’s oversight committee, and other parliamentary committees, including Senate estimates committees and in the context of specific parliamentary inquiries. The number of individual mentions of ANAO reports in Parliament is an indicator of the ANAO contribution to informing Parliament on a wide range of matters relating to the performance of the public sector.

Timeliness of financial reporting:

The Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2017 report included an analysis of the timeframes in which auditors’ reports were issued on the signed financial statements of entities.

The timeliness of financial reporting will become even more important if the recommendation in the PGPA Act review to bring tabling of annual reports forward (to be tabled on or before 30 September) is implemented.

Suggested reference material:

• Auditor-General Report No.53 of 2017-2018, Cyber Resilience
• Auditor-General Report No.42 of 2016-2017, Cybersecurity Follow-up Audit
• Auditor-General Report No.37 of 2015-2016, Cyber Resilience
• Cyber security and information risk guidance for Audit Committees, published by the United Kingdom National Audit Office (NAO) based on their previous work and detailed systems audits, which have identified a high incidence of access-control weaknesses.

Other updates from the ANAO

Interim Report on Key Financial Controls of Major Entities

The Interim Report on Key Financial Controls of Major Entities focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2017–18 financial statements audits. The report examines 26 entities, including all departments of state, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the 2016–17 Consolidated Financial Statements.

A total of 99 findings were reported to the 26 entities as a result of interim audits, comprising of no significant, 12 moderate and 87 minor findings. This was an improvement on the interim audit results of 2016–17.

The majority of findings continue to be in the areas of:

• compliance and quality assurance frameworks supporting program payments, revenue collection and financial reporting; and
• management of IT controls, particularly the management of privileged users.

These areas warrant further attention by entity management and audit committees.

Compliance and quality assurance frameworks

While this is an area with a higher number of findings, there has been a reduction in the number of significant and moderate findings reported in 2017–18 compared to 2016–17.

There has been an increase in the number of minor audit findings in comparison to the prior two financial years. The number of moderate and minor audit findings reported indicates a need for entities to focus greater attention on:

• maintaining effective governance over third party or joint service delivery arrangements;
• the risk management frameworks that support the effective management of risk in the delivery of programs; and
• implementing effective quality assurance processes over key financial statements inputs particularly those subject to professional judgement and uncertainty.

Information systems and IT controls

Findings related to entities’ IT control environments represent 39 per cent of total findings identified during the 2017–18 interim period. It control environment findings continue to represent the highest proportion of all findings, as observed in previous years.

Findings related to:

• management of segregation of duties conflicts;
• removal of user access when it is no longer required;
• logging and monitoring of privileged user activity; and
• blocking privileged users from accessing the internet.

Cyber resilience

All non-corporate Commonwealth entities are required to undertake an annual point in time self-assessment against the requirements of the Protective Security Policy Framework (PSPF). PSPF compliance reporting by the entities shows that Strategies to Mitigate Cyber Intrusions continues to be the area of least compliance.

There were also findings across a number of other areas, and chairs are encouraged to read the report to assess whether any of these matters could be a risk to their entities.

Looking forward to the ‘End of Year Report’

The ANAO will be collecting information on the number and value of audit adjustments and adherence to the financial reporting timetable from all entities, for potential reporting in the Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2018 audit report.

The ANAO will consider the information once collated and determine whether, when looking across the whole of the sector, there is anything that the Parliament would benefit from knowing. If the information is included in the report to Parliament, the usual approach of providing entities any relevant extracts from the report where they are mentioned will occur.

Corporate plans and performance statements audits

Our most recent audit of corporate plans concluded that entities were at different levels of maturity in implementing the corporate plan requirements, and there remains scope for improvement in a range of areas. The audit made a number of recommendations which, along with key learnings, are applicable to all entities.

Our second audit of entities’ implementation of the annual performance statements involved an assessment of the appropriateness (relevance, reliability and completeness) of the performance criteria, and the completeness and accuracy (fair presentation) of reporting. The ANAO concluded that each of the audited entities’ performance criteria required improvement, to support the reporting of progress against their purposes and provide meaningful information to the Parliament and the public. The audit made a number of recommendations which, along with key learnings, are applicable to all entities.

The audit of performance statements also found that none of the entities’ audit committee charters reflected the requirement of the PGPA Rule that audit committees ‘review the appropriateness’ of the accountable authority’s performance reporting.

Key learnings and insights from 2017-18 performance audits

The purpose of audit insights is to provide information on audit issues and examples of good practice, as identified through financial statement and performance audit work, by way of shared learnings for all Australian Government entities. Quarterly audit insights are designed to share a summary of the lessons learned that were identified through audits tabled each quarter, and which are relevant across government.

Quarterly audit insights published to date have covered: risk management and performance measurement; record keeping and the related issue of evidence-based policy design; and knowing your market.

For quarter three audit insights had a change in format, shifting from a report with an explanatory animated video, to a question and answer video interview format. This new format helps us to tell the story of why broader audit findings are important to efficiency, effectiveness and economy, and also help tell the story of the interesting things we get involved in and get to see as we audit across the entire Australian Government sector. We continue to experiment with our approach and we are always welcoming of your ideas on how we can best communicate our messages in a meaningful and impactful way.

The quarter four audit insights will be released in July, soon after our annual audit work plan.

Systems Assurance and Data Analytics

The objective of our data analytics strategy is to increase the capability of the office to:

• maximise the opportunities presented by the increasing amounts of data and specific data and analytics initiatives implemented by entities; and
• deliver internal efficiencies in the way in which we collect, analyse, prepare and present information in our audits.

The key message to audit committees is that ‘our audit approach has not changed’. The audit approach remains focused on risk and designing appropriate audit test procedures to evidence our opinions and recommendations. The data and information that we collect does not differ from the data that we are already request in our audits.

Over the next six months our data and analytics team is focused on three activities relating to people, technology and audit process:

Capability – data literacy and data analytics

In line with the PM&C and APSC’s data literacy program we are updating our capability framework to improve the overall data skills and capability across all our auditors.

Data and analytic tools

The office already uses a number of analytics tools. However, we are reviewing our existing suite of analytics tools and evaluating new data analytics tools in the market. This will enable us to select a suite of fit-for-purpose tools that will continue to enable our auditors to perform data and analytics activities into the future.

We are also looking at the tools that entities are currently using, to leverage off what is already in place.

A data analytics pilot - procurement

The objective of the pilot is to leverage technology to automate manual audit procedures and enable our auditors to quickly focus audit attention on higher risk areas across complete populations of procurement data. Procurement, in a financial statement audit, is the first focus area due the commonality of the systems and processes across a large number of entities. As part of our phased approach, other common areas such as human resources and grants are being planned.

There needs to be strong engagement on both sides, with entities’ facilitating access to the right people and systems at the right time. This may include utilising remote access to entities’ systems to improve readiness for planning and fieldwork activities, improved information visibility and streamlined collaboration.

Accounting standard changes for the 2017-18 reporting period

Peter Brown, A/g Assistant Secretary, Budget Estimates and Accounting

• Finance has finalised its position on the implementation of a number of new accounting standards, and has circulated position papers to entities. Copies of the position papers are available here:
• https://www.finance.gov.au/resource-management/presentations-position-papers/
• For the 2018-19 reporting period, the only change is to AASB9 Financial Instruments. Entities expected to be affected by AASB9 are those that issue loans.
• For the 2019-20 reporting period, there are three standards changing:
  • AASB16 Leases – Finance provided its position to entities in March 2018. Finance is also assessing the impact of the changes on whole-of-government aggregates, such as the underlying cash balance (UCB), net operating balance (NOB) and net debt. Finance will circulate additional advice on implementation issues following the finalisation of the 2017-18 financial statements.
  • AASB15/AASB1058 Revenue from Contracts with Customers/Income of Non-for-Profit Entities – minimal impact on entities; modified retrospective approach will be adopted.
  • AASB1059 Service Concession – unlikely to have an impact on entities.

There will be no early adoption of these standards.

2017-18 Final Budget Outcome and Consolidated Financial Statements

Angela Baum, Assistant Secretary, Reporting and Resourcing

• A similar process and deadlines to previous years will apply to the 2017-18 Final Budget Outcome and Consolidated Financial Statements (CFS).
• Finance has taken on board lessons learned from last year’s Consolidated Financial Statements (CFS) process and introduced a new report which entities can download from the Central Budget Management System to cross check data entered against their final financial statements.
• Supplementary information will still be collected via a questionnaire (the Supplementary Reporting Pack). If any corrections are required after the due date to 2017-18 actual data submitted in CBMS, these should be detailed in the SRP.

Recent issues relevant to audit committees

Lembit Suur, First Assistant Secretary, Public Governance, Performance and Accountability

Guidance on audit committees

• RMG202: A guide for non-corporate Commonwealth entities on the role of audit committees was released on 29 May 2018.
• A model charter for audit committees was published on 25 June 2018.
• Copies of both documents are available here: https://www.finance.gov.au/resource-management/accountability/audit-committees/

Performance Reporting

• Finance is developing papers on lessons learned, based on feedback from the Joint Committee of Public Accounts and Audit (JCPAA) as well as the recent ANAO performance audits of 2017-18 corporate plans and 2016-17 performance statements.
• Key lessons include:
  • Making corporate plans more accessible;
  • Keeping corporate plans up to date on the website, rather than as a static document;
  • 2017-18 performance statements contained too much, low-level detail; 2019-20 performance statements should be at a higher level.

Independent review of the PGPA Act and Rule

• A draft report was released for public comment in late May with over 50 submissions received. In the draft report recommendations 15 to 22 specifically relate to audit committees. Reference to audit committees can also be found in recommendations 4 to 6, 8, 13 and 14.
• The draft report, along with published submissions, can be viewed here: https://www.finance.gov.au/pgpa-independent-review/

The next audit committee chairs forum is planned for Wednesday, 5 December, 10:00am-12:30pm, Galambany Centre, Department of Finance, One Canberra Avenue, Forrest ACT.

The ANAO would like to thank those that have attended past forums. If you have any feedback that you’d like to see incorporated into future forums, please do not hesitate to contact our External Relations team.