Content in this communique is supported by the slides that were presented at the forum.

• The ANAO Corporate Plan and Annual Audit Work Plan 2020-21 have been published.
• ANAO’s work has continued as business as usual (BAU), mainly due to the advances made by entities, including for audit committee meetings, in providing remote access.
  • The financial statements auditors are working on ‘final’.
  • The interim phase was completed before many COVID-19 impacts were felt, and the Interim Report on Key Financial Controls of Major Entities 2019-20 was released in May. It is worth reading Chapter 2 of the in particular for discussion on the forward thinking about COVID-19 impacts
• In April, the Auditor-General implemented a pause on engagement with entities on performance audits in recognition of efforts being made by entities to both adjust to new working arrangements and in implementing the government’s economic response measures.. Delays by entities in providing evidence and comments on draft reports due to COVID-19 combined with the engagement pause meant the Auditor-General tabled 42 audit reports in the Parliament instead of the forecast 46.
• There was little impact in financial audit. During April, financial auditors were reassessing risk and undertaking controls testing.
• During the pandemic, the ANAO has continued to table reports in the Parliament under normal out-of-session arrangements in the Senate.
• The Rapid Implementation Audit Insights report was published, which highlights good practice and lessons from audits in other ‘disaster’ events.
• Within the ANAO, a technical and accounting working group has been established to consider key accounting issues and audit issues that will emerge during this auditing season. Liaison with the Department of Finance is also underway on key issues.
  • Current issues include asset valuations, and estimation uncertainty, inventory where the ability to perform stocktakes has been restricted, changes to how systems of internal control operate and going concern, especially where entities are reliant on revenue from non-Government sources.
• The ANAO released a COVID-19 strategy setting out the approach to auditing measures in response to the COVID-19 pandemic.
• The ANAO is undertaking a monthly assurance review of Advances to the Finance Minister (AFM), tabled in the Parliament and published on the ANAO website. The assurance review of the AFM is normally undertaken annually and published late in the calendar year. The Auditor-General has decided to provide more timely and regular assurance due to the size of advances (in the order of $42 billion) released as per the various COVID-19 response and appropriation Acts.
• The current COVID-19 audit topics are as follows:
  • Services Australia COVID-19 measures and enterprise risk management;
  • The Australian Taxation Office’s management of risks related to the rapid implementation of COVID-19 economic response measures;
  • Management of the Australian Public Service’s workforce response to COVID-19; and
  • Procurements to increase the national medical stockpile.
• These audits are expected to be tabled before December 2020.
• As part of its audit strategy, the ANAO is consulting with audit offices internationally to learn from and share experience.
• In 2019 the Finance Minister wrote to the Auditor-General in response to a recommendation from the independent review of the PGPA Act to commence pilot audits of performance statements, in conjunction with the JCPAA.
  • ANAO is creating a similar mechanism for the Parliament to have assurance over annual performance statements, as there is for financial statements.
  • The ANAO has engaged with Department of Finance during this process and is confident with the new framework that has been established and the ability to audit against it. The three entities chosen for the pilot have positively engaged with the ANAO.
  • The next phase is to finalise those audits and through the Finance Minister, present to Parliament the independent assurance over those performance statements.
  • The ANAO offered to discuss with any Audit Committee that would like a briefing on the pilot.

• The COVID-19 pandemic has brought multiple challenges to Commonwealth entities (entities) and audit committees supporting good governance in those entities.
• Finance has been working to enhance its ongoing support to entities through these challenging times:
  • Amending the Public Governance Performance and Accountability Rule 2014 (PGPA Rule) to allow entities and commonwealth companies (companies) impacted by COVID-19 to defer the publication of 2020 21 corporate plans up until 31 January 2021.
  • Developing guidance to assist entities and companies to seek an extension from their responsible Minister for the 2019-20 annual report.
  • Deferring the requirements for disclosure of consultancy and non-consultancy contracts in non-corporate Commonwealth entities’ annual reports.
• The oversight of preparation of financial statements by audit committees will be more important than ever. It may be prudent to seek a briefing or issues paper from the entity’s Chief Financial Officer on any COVID-19 related issues that will impact on the entity’s financial statements and their preparation.
• Other developments and enhancements to Finance Resource Management Guides (RMG):
  • PGPA Rule amendments relating to reporting requirements following machinery of government changes − RMG 119 (new)
  • Developing Performance Information − RMG 131 (updated)
  • Annual Reporting − RMGs 135, 136 and 137 (updated)
  • Executive remuneration reporting for annual reports − RMGs 138 and 139 (updated)
  • Procurement Publishing and Reporting Obligations − RMG 423 (new).

• The ANAO has tabled a series of audits in the past few weeks which examined the effectiveness of fraud control arrangements in three Australian Government departments.
• The audits examined:
  • compliance with the mandatory requirements of the 2017 Commonwealth Fraud Control Framework;
  • application of the government’s better practice fraud guidance; and
  • steps taken by the entities to promote a fraud aware culture.
• The entities were audited against the requirements of the Framework which consists of three tiered documents – the Fraud Rule (Section 10 of the PGPA Rule 2014), the Commonwealth Fraud Control Policy and the Fraud Guidance (Resource Management Guide No. 201)
• The performance audits on fraud control arrangements for 2019-20 are as follows:
  • Auditor-General Report No. 42 2019-20 Fraud Control Arrangements in the Department of Foreign Affairs and Trade
  • Auditor-General Report No. 43 2019-20 Fraud Control Arrangements in the Department of Home Affairs
  • Auditor-General Report No. 44 2019-20 Fraud Control Arrangements in the Department of Social Services
• The audit observations revealed that fraud control arrangements were effective in the Department of Home Affairs and largely effective in the Department of Social Services (DSS) and the Department of Foreign Affairs and Trade (DFAT). The relatively small number of recommendations, largely directed to DSS and DFAT, indicates a high level of compliance with the key requirements of the Framework. The main lessons and focus areas that were drawn from the 2019-20 reports are:
  • Risk assessment — Review fraud risks and conduct assessments regularly
  • Planning — Plan both strategically and operationally
  • Prevention, awareness and training — Build fraud awareness and expertise
  • Third party arrangements — Oversee third party arrangements
  • Detection — Look for fraud
  • Investigation — Establish comprehensive procedures to support investigations
  • Quality assurance and review — Develop the capacity to measure and evaluate performance
  • Reporting — Ensure key personnel obtain the information and assurance they require
  • Culture — Promote a fraud aware culture

Interim Report on Key Financial Controls of Major Entities (2019-20 Financial Year)

• The Interim Report on Key Financial Control of Major Entities was tabled on 28 May which covered 24 entities, including all Departments of State, Department of Parliamentary Services, and other entities that significantly contribute to the whole-of-government results. Due to recent Machinery of Government Changes (MoGs), there were two less entities than previous years whilst the National Indigenous Australians Agency (NIAA) has been newly added to the list.
• This report is the first of two financial audit reports. The End of Year report will be tabled in late November-December and will cover the audits of all Australian government entities and whole of government.
• Since COVID-19, the ANAO is revising its risk assessments for each entity and modifying planned audit procedures in response to any heightened or new risks identified.
• Some key areas include:
  • changes to how systems of internal control operate;
  • reprioritising staff and resources to operational areas delivering the Government’s response to COVID-19;
  • significant new areas of estimation uncertainty – for example, market changes and their impacts on interest rates, share markets etc.;
  • ability to operate as a going concern; and
  • challenges to the ability of the ANAO to comply with requirements of the auditing standards as the ANAO Auditing Standards require audit opinions to be modified where it is not possible to get sufficient appropriate audit evidence.
• As part of the interim audits, the ANAO assesses the effectiveness of key controls identified during the planning stages. This assessment is made at a point in time and provides the Parliament and entities with an insight into weaknesses which have the potential to impact the preparation of financial statements at year end. This provides time for entities to address those issues to help prepare for year-end financial statements.
• The broad categories of control activities assessed by the ANAO are:
  1. IT control environment
  2. Compliance and Quality Assurance Frameworks
  3. Accounting and control of non-financial assets
  4. Revenue, receivables and cash management processes
  5. Human resource financial processes
  6. Purchases and Payables Management
• These findings are classified as Significant, Moderate or Minor.
• This year, the ANAO reported 72 findings – 8 Moderate and 64 Minor. That was an overall increase of two in the number of findings but a decrease in the Significant and Moderate finding level. The report found 1 Significant legislative breach at the interim phase this year but there were no findings of such nature last year.
• In relation to findings by category, they have been very similar to the last few years. 50% of all findings and 88% of Significant and Moderate findings continue to be in the areas of: management of IT controls, particularly around management of privileged users; and Compliance and Quality Assurance Frameworks that are in place to support program payments, revenue collection and financial reporting.
• Within the information systems and IT controls category, the main areas of findings were in privileged user activity (logging and monitoring), monitoring of user activity in databases, controls over change management processes and, the governance and monitoring processes that support information security.
• Many entities in the Australian Government need to rely on external systems and third parties for information that support some program payments, revenue collection and financial reporting. For this reason, the implementation of effective compliance frameworks, and processes that provide assurance regarding the completeness, accuracy and validity of information, are integral to an entity’s internal controls.
• Following changes in 2015-16 in respect of reporting of Significant non-compliance matters, the report found that entities are undertaking different approaches in response – three entities only advised their Audit Committee and Accountable Authority of breaches they had already assessed as Significant, which meant that the Audit Committee and Accountable Authority did not obtain a complete list of breaches. As a result, these were not included in the ANAO’s analysis of data provided by entities. The report also found other divergent practices of reporting non-compliance among entities. In May 2019, RMG214 was updated to include additional guidance which made suggestions for entities to consider breaches in light of the number of non-compliance issues in the context of the number of times the function had occurred within the entity e.
• The reported incidences of non-compliance in 2018-19 fell under five categories of finance law:
  1. Commonwealth Procurement Rules – 2126 instances
  2. PGPA Act Section 23 – 852 instances
  3. Commonwealth Grant Rules and Guidelines – 480 instances
  4. PGPA Act (excluding Section 23) – 705 instances
  5. PGPA Rule – 40 instances
• In line with the whole-of-government gifts and benefits policy, the report found that four entities had not published any registers for their agency head by the 31 January deadline. Out of those four, two had still not published anything by the 30 April. One of them was a Commonwealth Company. Commonwealth companies are strongly encouraged, though not required to comply with the requirements issued by the Commissioner..
• In regard to compliance with PSPF Policy 10 Requirements¹, the report looked at eighteen entities as the ANAO’s audit work on two entities was not able to be completed before this report was finalised and the rest were Non-Corporate Entities (NCEs) that do not have a requirement to comply with the PSPF Policy 10 Requirements. It was found that the maturity levels are significantly below the Policy 10 Requirements. Of the 18 entities assessed, only one was rated as achieving a Managing maturity level across all eight controls.
• Financial statements audits have identified issues in the area of management of leave and entitlements over a number of years. As part of the ANAO’s financial statements audit work, three financial statements audits (the Departments of: Home Affairs; the Prime Minister and Cabinet; and the Treasury) were selected for further assessment of compliance of the management of leave accruals and balances with human resource policies and requirements.
• The ANAO used its data analytics capability to undertake this work and assessed the monitoring of controls and reporting in the management of staff leave and the completeness and accuracy of leave accruals and adjustments. The analysis performed identified weaknesses in processes relating to staff leave and associated monitoring controls and I would suggest all entities should review their own processes and data to determine if they have similar issues. Improvements can be made in the timeliness of submission and approval of leave requests and application of requirements including minimum and maximum entitlements and how leave can be taken.
• The observations made could impact entities’ operations and financial reporting. Leave being taken prior to approval being given may impact the ability for entities to effectively manage resources and deliverables, while also potentially overstating the related employee liability in the financial statements.
• The ANAO is continuing to progress the assessment of the management of staff leave and the results will be reported in the Auditor-General report Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2020 and a separate report to Parliament.

End of Year Report

• Information that will be collected for the Year End Report are as follows:
  • Number and value of audit adjustments;
  • Adherence to financial reporting timetable including revisions to annual report tabling deadlines; and
  • Information on entity responses to COVID-19, including inclusion of additional disclosures. This is expected to include details of entity assessments relating to business risk and/or financial statements risk, management of information, changes to manual and IT control environments, revisions or amendments to entities’ assurance processes and the approach taken to additional disclosures in the financial statements on areas of increased uncertainty and the impact of the COVID-19 pandemic on the entity.

2019-2020 Financial Reporting

Key changes in Australian Accounting Standards

• The key accounting standard changes for the 2019-20 financial year include:
  • AASB 15 Revenue from Contracts with Customers (not-for-profit entities and the public sector from 1 July 2019)
  • AASB1058 Income of Not-for-Profit Entities
  • AASB16 Leases
  • AASB 2020-4 Amendments to Australian Accounting Standards – Covid-19-Related Rent Concessions (early adoption).
• Finance has published a number of accounting guidance documents and position papers:
  • RMG 110 Guide to implementing AASB 16 Leases
  • A position paper on measurement of right-of-use assets under AASB 16
  • A Frequently Asked Questions document about accounting and financial reporting issues relating to the impact of the COVID-19.

Financial reporting by entities – 2019-20 whole of government reporting process

• Entities are required to submit audit-cleared accounts to Finance by 15 August for material entities and 30 August for small entities, to support the preparation of the Australian Government’s Final Budget Outcome and Consolidated Financial Statements (CFS).
• To guide the Audit Committee’s role in reviewing the appropriateness of an entity’s financial reporting, questions that Audit Committee may want to ask are:
  • Has the entity verified the accuracy and completeness of the financial information submitted to Finance?
  • Is the information prepared for CFS supplementary reporting supported by proper records and management assurance?

Performance Statements pilot

• The intent of performance statements audits is to drive improvements in the transparency and quality of entities’ performance reporting and, in turn, increase entities’ accountability to the Parliament and public
• It applies the existing methodology from recent performance audits with some refinements including:
  • aggregation of results to support consistent and repeatable audit opinions;
  • interim results reported to entities in May 2020;
  • final audit work in parallel with financial statements audits, in time for entity annual reporting; and
  • provide audit opinions (under ASAE 3000) to the Minister for Finance and prepare a report for the JCPAA.
• Five areas of interim audit testing:
  1. Internal controls assessment
  2. Corporate Plan and PBS compliance
  3. ‘Purposes’ assessment
  4. ‘Key Activities’ assessment
  5. Appropriateness of performance criteria - Relevant; Reliable and Complete
• An emerging area for improvement in performance reporting is ensuring the purpose of the entity is clear in the Corporate Plan and reflected in the performance measures and targets.
• The next steps for the Pilot Program will include:
  • Final audit
    • Finalise internal controls assessments
    • Verify the completeness and accuracy of performance measures
  • Independent Assurance Reports (audit opinions) to entities and the Minister for Finance (tabled in Parliament) in advance of annual reports tabling
  • Final Report on the Pilot Program to the JCPAA (tabled in Parliament)

Reporting and the PGPA Act – Updates

Status of the PGPA Review

• The Government Response to the Independent Review into the operation of the PGPA Act and Rule (the Review) is currently under consideration by the Prime Minister.
• Of the 52 recommendations:
  • 28 recommendations have been implemented or actioned
  • 22 recommendations require an ongoing commitment
  • 2 recommendations are not progressing after careful consideration of existing arrangements and the purposes of the PGPA Act.

Audit Committee Amendments

• Several amendments have been made to the PGPA Rule which impact audit committees, including:
  • Enhanced audit committee disclosure requirements in annual reports that apply from the 2019-20 reporting period
  • Changes to membership of an audit committee applying from July 2021
  • Disclosure of consultancy and non-consultancy contract expenditure in annual reports from 1 July 2020, although entities are encouraged to make disclosures in their 2019-20 annual reports.
• Finance is providing assistance to audit committees to help them deliver their functions:
  • updated guidance to address changes made by the Amending Rule and addressing other recommendations in the Review
  • a dedicated web-page for audit committee members consolidating relevant guidance and tools, and offering quick access to the PGPA legislation and relevant information related to the requirements of their role
  • developing an induction program for new audit committee members to support the implementation of Recommendations 6 and 22.

Annual Reports and the Transparency Portal

• All entities and companies have published their 1st digital annual report.
• RMGs have been updated in line with user feedback and include data templates which are crucial for consistent and comparable reporting.
• Entities have been provided with early access to the Digital Reporting Tool for the 2019-20 reporting period, based on feedback from a user survey released in January 2020.
• Additional support provided to entities to account for the disruptions caused by the COVID-19 pandemic:
  • GovTEAMS community established to bridge the gap left by the cancellation of community of practice sessions and digital report training.
  • a suite of training materials developed and available on GovTEAMS.
• In light of the constraints faced by entities, Finance has offered suggestions to entities to assist in minimising the resources required to produce a printed annual report:
  • rationalising the report content in line with the mandatory reporting requirements
  • utilising the digital reporting tool to its fullest capability.
• The suggestions align with the requirements of the PM&C Tabling Guidelines and the Printing Standards prepared by the Joint Committee on Publications.
• Finance will continue to support entities during the development of their Digital Annual Reports and continue to ensure the Transparency Portal remains a viable source of reporting information.

Working with Shared Services Providers

• The Service Delivery Office (SDO) provides corporate transactional and technical services for up to 15 client agencies. In performing these services, the SDO processes transactions and undertakes activities that have an impact on these client’s financial statements and general financial reporting.
• The SDO has developed an Internal Control Framework (ICF) to mitigate financial reporting risks and inform clients and their stakeholders of the effectiveness of financial controls as they relate to financial reporting. The health of the framework is reported to clients through a quarterly assurance report.
• The SDO has developed the framework, applying appropriate governance models and ensuring the framework complies with all applicable standards. The ICF has been designed to mitigate or treat inherent financial reporting risks related to the service provided by the SDO.
  • The design of the framework linking risk, control objective and control activity and also includes assurance procedures for regular checking of the design and operating effectiveness of the controls.
  • The design of the ICF considered the relationship between the service entity’s controls and the client’s control that compliment to achieve an overall control objective.
  • The SDO incorporated these elements into the ICF design to ensure that the framework could be audited under the Australian Assurance Engagement standard ASA3402 Assurance Reports on Controls at a Service Organisation.
• The SDO is engaging with other Commonwealth hubs to share lessons learnt and to provide advice and experience in the development of an internal controls framework.

ANAO COVID-19 Audit Strategy

• The ANAO is implementing a three phased strategy to consider the effective, efficient, economical and ethical delivery of the Australian Government’s response to the COVID-19 pandemic.
• This will include the examination of economic stimulus and social support packages as well as the management of related risks, such as:
  • system and technology changes;
  • fraud;
  • information management;
  • privacy;
  • compliance and regulatory effectiveness.
• Phase 1 will focus on the in-flight delivery of key government measures, including:
  • Risk management –in frontline delivery agencies –examining risks such as internal and external fraud, compliance, reaching beneficiaries in a timely manner, stakeholder engagement, IT system controls, data integrity, and impact on business as usual.
  • Resourcing –effectiveness of the APS to quickly and efficiently identify and train additional resources to implement new measures and deliver new policy.
  • Procurement –looking at the national medical stockpile and preparedness for pandemic response, procurement of personal protective equipment (PPE), pharmaceuticals and medical devices, the planning for distribution of the equipment quickly and to areas of highest need.
• There are four audits being undertaken in Phase 1, including:
  • Services Australia COVID-19 measures and enterprise risk management;
  • The Australian Taxation Office’s management of risks related to the rapid implementation of COVID-19 economic response measures;
  • Management of the Australian Public Service’s workforce response to COVID-19; and
  • Procurements to increase the National Medical Stockpile
• Phase 2 will focus on the three main stages of program delivery:
  • policy design;
  • implementation; and
  • performance assessment, evaluation and dissemination of lessons learnt.
• The phase two audit topics are still being determined, but will be informed by:
  • assessment of risk and system controls;
  • materiality of funds allocated to entities;
  • potential or actual impact of the response measure on the entity, individuals and/or industry;
  • extent of policy or systems change in each portfolio; and
  • Parliamentary interest.
• In Phase 3, audits will review the outcomes of the Australian Government’s COVID-19 response. This may include a post-pandemic assessment of the:
  • achievement of outcomes intended through the COVID-19 measures;
  • recovery plans and programs;
  • identification and dissemination of lessons learnt;
  • readiness of government systems and processes to respond to future crises; and
  • government’s response from a whole of sector perspective, looking at findings from all audits undertaken that have considered COVID-19 policy measures and associated impacts.