Audit Committee Chairs Forum — Friday 8 December 2023
For any enquiries, please contact External.Relations@anao.gov.au
An Audit Committee Chairs Forum was held on Friday 8 December 2023. The text on this page is the communique from the forum.
Auditor-General’s Update
ANAO Update
This is a summary of the key points from the Auditor-General’s presentation. A copy of the speaking notes is available on this page.
Overview
- The ANAO’s Corporate Plan 2023–24 and Annual Audit Work Program 2023–24 was published on 6 July 2023.
- The Annual Audit Work Program considers key features impacting the public sector operating environment including shifting priorities in the public sector, such as the APS reform agenda and an increased focus on stewardship and integrity. The ANAO will increase its focus on the National Disability Insurance Agency and topics related to climate change and the environment.
- The 2023–24 work program will also continue to focus on core government activities such as procurement and contract management, service delivery and grants.
- The ANAO is building a stronger compliance program in performance audit, commencing with audits on gifts and benefits and corporate credit card compliance. Generally compliance audits will be multi-entity audits and provide broader sector coverage of controls.
- The ANAO published its Annual Report 2022–23 on 24 August 2023. The report provides an overview of key issues in the sector, including cybersecurity, the quality of performance reporting, the financial control framework and matters of integrity and ethics.
- The Joint Committee on Public Accounts and Audit (JCPAA) has recently published the following reports:
  - Report 498: An inquiry into Commonwealth procurement. The inquiry observed deficiencies in procurement across the APS and made several recommendations to improve public sector procurement.
  - Report 499: Inquiry into the Annual Performance Statements 2021–22. The Committee’s report makes four recommendations, including that the Auditor-General Act 1997 be amended to allow the ANAO to conduct performance statements audits, rather than on request from the Minister for Finance.
- The JCPAA Inquiry into probity and ethics in the Australian Public Sector is ongoing. The ANAO has made a submission to this inquiry.
- The JCPAA has commenced an Inquiry into Policy and Program Design and Implementation.
- The Government has yet to respond to the JCPAA recommendations in its report on the inquiry into the Auditor General Act 1997.
- The ANAO will now be publishing three new types of Insights products:
  - Audit Lessons — This will communicate key lessons from ANAO audits. Since the July forum, the ANAO has published one Audit Lessons on Probity Management.
  - Audit Opinion — This will provide the auditor-general’s views on what are considered to be key issues facing the Australian public sector. We recently published the first ‘Audit Opinion’ on Using Performance Information to Drive Effectiveness.
  - Audit Practice — This will explain the ANAO’s methodologies to help entities understand the standards the ANAO applies to audit topics and to assist entities prepare for ANAO audits.
- The ANAO published its Integrity Framework and Annual Integrity Report 2022–23 and the Audit Quality Report.
Financial statements audit
- The ANAO implemented the revised auditing standard ASA 315 in this year’s financial statements audit. There was an increased focus on entities’ processes and controls around governance, as well as IT risk and control environments.
- The ANAO raised a number of significant audit findings relating to governance matters, including in relation to entities failing to appropriately assess and report the impact of relevant legal matters in their financial statements.
- Audits have found ongoing deficiencies in cyber security environments and governance over cyber risks, such as user access and privileged user access management.
- The ANAO considered the use of emerging technologies such as AI, Robotic Process Automation and Machine Learning by entities. 36 entities advised us that they had adopted some form of emerging technology - AI was the most common. The majority of entities did not implement a governance framework or policies specific to the use of the technology, or have regard to external policies and guidance such as Australia’s eight Artificial Intelligence Ethics Principles in implementation.
- There are still some entities without an internal audit function. Audit Committee Chairs should ensure that they appropriately challenge this position. Audit committees can also provide advice to Accountable authorities to consider the independence and authority of internal audit through:
  - a greater adoption of formal charters;
  - regularly discussing the sufficiency of the internal audit budget; and
  - having a clear view of the lines of reporting for chief audit executives.
- The ANAO has become aware of four instances of independence breaches with respect to firms contracted to perform financial statement audits on behalf of the ANAO. Firms are required to seek approval from the ANAO before bidding for work for entities they audit on behalf of the ANAO.
Performance statements audit
- The ANAO continues to build its program of work in auditing performance statements. We will again produce an end of year report on the key findings of audits of performance statements.
- Audit Committees play a key role in reviewing the performance measures and performance reports of entities.
Integrity and ethics
- The ANAO is increasing the number of audits focusing on ethics/integrity related issues and this is also an area of interest for the Parliament.
- Upholding the ethical values of the public sector requires compliance with all relevant laws and acting in a way that is right and proper as well as technically and legally correct.
- Not consistently meeting requirements raises questions of whether compliance with them, and their intent, is embedded as part of public sector culture.
- Audit Committees can play an important role in this area. If integrity is an elevated risk, do your entities have an effective integrity framework? How is its effectiveness tested? Where you see matters of non-compliance, particularly where they recur, are you considering whether this is an indicator of the effectiveness of the integrity framework?
ANAO Updates
Performance Statements Update
- The ANAO is currently at the mid-point of its 2023-24 program of performance statements audits. The ANAO plans to conduct 14 performance statements audits in the 2023-24 financial year and increase this to 19 and 24 audits in 2024-25 and 2025-26 respectively.
- The ANAO has observed improvements in performance statements and noticed that entities audited in the pilot phase of the program have been sharing information which has provided a smooth transition for entities that have recently entered the program.
- The ANAO has recently published an Audit Opinion, Using Performance Information to Drive Effectiveness, which comments on the key issues identified in entity-wide performance frameworks. The ANAO encourages entities to assess their own performance, including their purpose, key activities and performance measurements, and to question whether the performance information is meaningful and necessary to understand their performance and achievement of purposes.
- A key aspect of performance statement auditing is reliable and verifiable data. The ANAO has observed that many entities have not assured that sufficient data is available and whether this data is reliable, verifiable and trustworthy. The ANAO is working with entities to develop rigorous planning mechanisms to assist with this challenge.
- Maintaining transparency is important. Where a performance measure has caveats or limitations, entities need to find a balance between providing details (caveats where necessary) and preparing clear and concise reports.
- The ANAO’s audit assessment includes leadership, governance, data and systems, capability and resourcing. Closing letters sent to entities included in last year’s report communicated that they should consider the components to maturity and how they can report year-to-year.
- The ANAO has received feedback from audited entities about the key challenges in performance statements audits:
  - Audited entities communicated to the ANAO that the burden of evidence and resourcing required during the performance statements audit process is extensive.
  - The Performance Statements team is working to provide earlier feedback on interim assessments and is mindful that it is difficult for entities to incorporate feedback from interim assessments into new performance information under the current timeframes.
  - The ANAO is aware that there are difficulties for entities in systems assurance of third-party data, and notes that this is a work in progress.
- The ANAO continues to engage with the sector about its performance statement work:
  - Its publications such as the Insights products, End of Year Report and lessons learned and areas of focus for the sector.
  - The ANAO communicates with entities through its Post Audit Roundtables and Community of Practice.
  - The Expert Advisory Panel is important within and outside the sector, in particular the audit methodology, and the performance statements audit manual was published recently.
  - The ANAO collaborates with the Department of Finance and will check that our methodology is consistent with the Resource Management Guidance (RMG).
Cyber Security and data governance
Cyber Security
- The ANAO encourages entities to focus on the basics of cyber security, being IT controls and IT security.
- User access removal continues to be a concern. The ANAO has observed instances of user access not being removed when staff or contractors cease employment with an entity.
- Issues with the management and monitoring of privileged users continue to be identified. The ANAO has noted two commonly occurring scenarios:
  - Reviews of privileged users are not being conducted and consequently not being managed; or
  - Reviews of privileged users have occurred but required amendments have not been implemented.
- The ANAO has also observed the following issues within entities:
  - Appropriate password management. The ANAO acknowledges that the Information Security Manual (ISM) is updated frequently, and entities must assess the potential risks and implement changes to actively manage risks.
  - Not maintaining system backup and recovery plans. IT systems will have different requirements and it is the entities’ responsibility to ensure systems are appropriately backed up and can be restored successfully.
  - Change management. This year the ANAO has seen an increase in change management issues. Generally it has been appropriately controlled within the sector, but entities should note that as technology changes so may the IT controls required to provide assurance your systems are operating as intended.
  - Optimism bias in relation to entities’ self-assessment against the Protective Security Policy Framework (PSPF). Entities need to question whether the different risks and challenges that an organisation has are being fed through and assessed when considering PSPF self-assessment.
Data Governance
- The quantity of data in the public sector is continually increasing and it is important to consider how data is governed.
- Key questions for Audit Committees to consider in data governance include:
  - What data is held?
  - What data is critical or sensitive?
  - How well is the data documented?
  - Who can access the data?
  - Who is the data custodian?
  - Who is accountable for the data?
  - Is there a data governance framework in place?
Department of Finance Update
2022-23 Financial Reporting Update
- The Consolidated Financial Statements were signed by the Finance Minister on 15 November 2023, and were tabled on 8 December 2023.
- Chief Financial Officers have provided feedback on the 2022-23 financial reporting process through Finance’s annual Financial Reporting Rule survey.
- Staffing shortages and high turnover within entities remain an ongoing pressure for the accounting and finance profession in the Australian Public Service.
- An Australian Public Service Accounting and Finance Profession Workforce Strategy has been developed to assist Chief Financial Officers address workforce issues.
Australian Public Service Commission - Update
Australian Public Service Accounting and Finance Profession
- The Australian Public Service Commission, through the APS Centre of Excellence for Workforce Planning conducts analysis of key job families across the APS.
- Analysis conducted over the 2022-23 Financial Year of the accounting and finance profession highlights:
  - Strong, sustained demand for emerging capabilities and accounting and finance skills.
  - The need to invest in development of staff in roles impacted by automation.
  - Attrition risks arising from increased proactive career behaviours.
  - Sustained competition for graduate talent owing to falling domestic enrolments in relevant degrees.
  - Growing competition for emerging green skills in the accounting and finance profession and a strong need to invest in the development of these skills in the APS.
- Queries can be directed to apswfp@apsc.gov.au
Speaking Notes for Auditor-General
Introduction
Welcome everyone to today’s forum. As you know, you play an important role in the governance, performance and integrity of Commonwealth entities. The purpose of these forums is to support you in this role and provide you with relevant information about our work.
ANAO Update
At the July forum I spoke about the ANAO’s Corporate Plan and Annual Audit Work Program for 2023-24.
I indicated at that time that the AAWP considers key features impacting the public sector operating environment including shifting priorities in the public sector, such as the APS reform agenda and an increased focus on stewardship and integrity. We will place increasing priority on the National Disability Insurance Agency as it grows. Similarly, the ANAO has developed a multi-year strategy to focus on government priorities in climate change.
The 2023–24 work program will also continue to focus on core government activities such as procurement and contract management, service delivery and grants.
We will also commence a program of compliance audits, such as compliance with gifts and benefits and corporate credit cards.
Annual report
Since I spoke to you in July, the ANAO published its annual report. My foreword to the annual report provides an overview of key issues in the sector, including cybersecurity, the quality of performance reporting and matters of integrity and ethics.
I also commented on the importance of adhering to the appropriation control framework our parliament has put in place.
Parliamentary engagement
We have been continuing our engagement with the JCPAA. The JCPAA has a significant agenda at the moment and we have attended 19 public hearings this year.
Since the last forum the JCPAA has published two reports in respect of ANAO audits:
- Report 498: An inquiry into Commonwealth procurement. The inquiry observed deficiencies in procurement across the APS and made several recommendations to improve public sector procurement.
- Report 499: Inquiry into the Annual Performance Statements 2021-22. The Committee’s report makes four recommendations, including that the Auditor-General Act 1997 be amended to allow the ANAO to conduct performance statements audits, rather than on request from the Minister for Finance.
The JCPAA inquiry into probity and ethics in the Australian Public Sector is ongoing. The ANAO has made a submission to, and appeared at three hearings for, the inquiry.
An inquiry into Policy and Program Design and Implementation has commenced.
The Government has yet to respond to the JCPAA recommendations in its report on the inquiry into the Auditor General Act 1997.
Sector engagement
Looking at our broader sector engagement, in our July meeting I talked about reforming our Insights products.
The ANAO will now be publishing three new types of Insights products:
- Audit Lessons — This will communicate key lessons from ANAO audits. Since the July forum, the ANAO has published one Audit Lessons on Probity Management.
- Audit Opinion — This will provide the auditor-general’s views on what are considered to be key issues facing the Australian public sector. We recently published the first ‘Audit Opinion’ on Using Performance Information to Drive Effectiveness.
- Audit Practice — This will explain the ANAO’s methodologies to help entities understand the standards the ANAO applies to audit topics and to assist entities prepare for ANAO audits.
The purpose for these products is to share the results and lessons from our work with the aim of contributing to improved public sector performance. These products are a practical way to better understand the ANAO’s work and its relevance to audit committees. For example, our most recent Audit Lesson on Probity Management in financial regulators discusses issues of risk, developing culture, developing policies and procedures, and systems of control.
We plan to continue to refine our Insights products to make them as useful as possible.
NACC
The National Anti-Corruption Commission commenced operations on 1 July 2023. The NACC and the ANAO will work to establish a relationship as integrity bodies operating under our respective legislative frameworks.
Integrity Report
The ANAO published its integrity framework and annual integrity report for the first time this month. Our Integrity Framework provides an overarching structure to the ANAO integrity control system, supporting our institution’s integrity. The framework serves to assist in ethical decision making and risk, fraud and misconduct management. Our integrity report includes integrity-related matters that occurred during the year and identifies emerging trends and areas where the ANAO may have vulnerabilities and risks to integrity or elements of the Integrity Framework that require strengthening. The report also highlights areas where new controls have been implemented in the ANAO Integrity Framework during the year.
Quality Report
The ANAO will publish its Audit Quality Report next week. The Report sets out my evaluation on the implementation and operating effectiveness of the ANAO Quality Management Framework. It is the first report which is prepared consistent with the new quality standard ASQM1.
I will now talk about some of the focus areas of our audit work.
Financial statements audit
The implementation of revised auditing standard ASA 315 has resulted in audits placing greater focus on entities’ processes and controls around governance, as well as IT risk and control environments. This increased focus has resulted in the identification of an increased number of insights, as well as areas of weakness in these areas.
The strengthened focus of the ANAO’s audits on entities’ processes and controls around governance included the examination and evaluation of:
- whether the entity’s risk assessment process is appropriate to the entity’s circumstances;
- whether the entity’s process for monitoring the system of internal control is appropriate; and
- whether management, with oversight of those charged with governance, has created and maintained a culture of ethical behaviour.
The ANAO raised a number of significant audit findings relating to governance matters, including in relation to an entity failing to appropriately assess and report the impact of relevant legal matters in their financial statements. These findings highlighted instances where information on legal matters was not referred to entity Chief Financial Officers or was not otherwise assessed for impact on the financial statements. In other instances, evidence identified by the ANAO during the course of the audits did not accord with management representations and additional audit work was required to be undertaken by the ANAO.
This internal control weakness increases the risk that not all matters that affect the financial statements are captured and reported appropriately.
Cyber security has remained central to the ANAO’s audit program over the past year, including through its financial statements audit work. Audits have found ongoing deficiencies in cyber security environments and governance over cyber risks, such as user access and privileged user access management.
Emerging technologies
Our systems assurance auditors considered the adoption of emerging technologies such as AI, Robotic Process Automation and Machine Learning.
36 entities advised us that they had adopted some form of emerging technology - AI was the most common. The majority of entities did not implement a governance framework or policies specific to the use of the technology, or have regard to external policies and guidance such as Australia’s eight Artificial Intelligence Ethics Principles in implementation.
The lack of fit for purpose governance frameworks for managing the use of emerging technologies could increase the risk of unintended consequences as these technologies are implemented and become more prevalent.
Internal audit
Our financial statements auditors have also focused on entity internal audit functions.
There are still some entities without an internal audit function. Audit Committee Chairs should ensure that they appropriately challenge this position.
Audit committees can also provide advice to Accountable authorities to consider the independence and authority of internal audit through:
- a greater adoption of formal charters;
- regularly discussing the sufficiency of the internal audit budget; and
- having a clear view of the lines of reporting for chief audit executives.
We have also considered the balance of internal audit programs. We saw a decline in coverage on procurement and Information Technology, but an increase in cyber security and performance reporting.
Independence breaches
The ANAO has become aware of four instances of independence breaches with respect to firms contracted to perform financial statement audits on behalf of the ANAO.
Firms are required to seek approval from the ANAO before bidding for work for entities they audit on behalf of the ANAO. Prior to seeking the ANAO’s approval, approval is required from the Chair of the Audit Committee of the entity.
Audit Committee Chairs play an important role in ensuring these other services are appropriate for the auditors to provide from an independence perspective.
Performance statements audit
The ANAO continues to build its program of work in auditing performance statements. We will again produce an end of year report on the key findings of audits of performance statements.
The ANAO methodology for auditing performance statements will continue to evolve as the audit program expands. We will work closely with the sector to refine the methodology to ensure it appropriately incentivises entities to produce meaningful performance information, rather than taking the path of least resistance to avoid potential audit findings.
The ANAO supports the steps being taken by entities to improve their performance reporting and we encourage ongoing investment to build capability and capacity. It is also clear that accountability is a key driver for these improvements, and a major source of accountability is the assurance that the Parliament can receive from the auditing of performance statements by the ANAO.
There remains significant risk to manage if the PGPA Act reforms are to sustain and improve entity performance in an enduring way, where previous reforms did not. Performance statements may ultimately fail to make a lasting impact on departmental and whole-of-government performance if they are seen as primarily a compliance exercise, rather than a strategic tool for improving policies, programs and entity outcomes and strengthening accountability and transparency.
Audit Committees play a key role in reviewing the performance measures and performance reports of entities so I encourage you to look at the end of year report when it is published.
Integrity and ethics
Finally, I would like to touch on integrity and ethics and the role Audit Committees can play in this area. You may be aware that we originally considered organising a panel discussion on the role of audit committees in the integrity framework; unfortunately that didn’t happen for this meeting, but we may return to it in the future.
This year has seen several matters of integrity and ethics in the public sector come to the forefront of public attention and discussion, most notably with the release of the Royal Commission into the Robodebt Scheme and the establishment of the National Anti-Corruption Commission.
The ANAO is increasing the number of audits focusing on ethics/integrity related issues.
In this environment I would expect to see an increased focus by entities on risks to their operating ethically and with integrity.
Upholding the ethical values of the public sector requires compliance with all relevant laws and acting in a way that is right and proper as well as technically and legally correct.
Not consistently meeting requirements raises questions of whether compliance with them, and their intent, is embedded as part of public sector culture. This presents challenges for leaders to ensure that they set a tone which promotes compliance with both the letter and intent of the law, along with an expectation that results are achieved.
At present there appears to be a relatively high risk-tolerance for non-compliance so long as results are achieved, rather than seeing compliance as a hallmark of integrity and essential to the craft of public administration.
Audit Committees can play an important role in this area. If integrity is an elevated risk, do your entities have an effective integrity framework? How is its effectiveness tested? Where you see matters of non-compliance, particularly where they recur, are you considering whether this is an indicator of the effectiveness of the integrity framework?