Summary

Under section 57 of the Financial Management and Accountability Act 1997 (FMA Act) and under clause 3, part 2 of Schedule 1 of the Commonwealth Authorities and Companies Act 1997 (CAC Act), the Auditor-General is required to report each year to the relevant Minister, on whether the financial statements of public sector entities have been prepared in accordance with the Finance Minister's Orders (FMOs) and whether they give a true and fair view of the matters required by those Orders.¹

This report presents the results of the interim phase of the 2006–07 financial statement audits of all portfolio departments and other major General Government Sector (GGS) agencies that collectively represent 95 per cent of total GGS revenues and expenses. The agencies covered by this report are listed at Appendix 1. The audits have encompassed a review of governance arrangements related to agencies' financial management responsibilities, and an examination of internal control, including information technology system controls. An examination of such issues is designed to assess the reliance that can be placed on internal controls to produce complete and accurate information for financial reporting purposes. All ANAO findings have been reported to agency management and summary reports provided to the relevant Minister(s). In addition, each audit issue identified in this report has been formally reported to the Chief Executives (CE) and their respective audit committees.

The final phase of most audits is expected to be completed in the June to August 2007 period. Consistent with past ANAO practice, a second report will be tabled in the Parliament in December 2007 following completion of the financial statement audits of all entities for 2006–07. The ANAO will also report, at that time, on any additional operational and financial management issues arising from the final audits.

Consistent with previous reports, this report discusses a number of strategic issues that are designed to improve the overall quality and comparability of entities' financial reports for 2006–07 and subsequent years (Chapter 1).

The results of the interim phase of the 2006–07 financial statement audits reflect two broad categories of audit findings:

• observations relating to various components of agencies' internal controls (including the control environment, the risk assessment process, control activities and monitoring of controls), and accounting issues arising from the interim phase of the audits of control activities over significant business and accounting processes (discussed in summary form in Chapter 2 and by portfolio in Chapter 4); and
• audit findings relating to the audit of information technology systems focusing on IT governance, IT security, systems delivery and application controls in financial management information systems and human resource management information systems (discussed in summary form in Chapter 3 and by portfolio in Chapter 4).

Summary of audit results

The ANAO rates its findings according to a risk scale. Audit findings that pose a significant risk to the entity and that must be addressed as a matter of urgency, are rated as ‘A'. Findings that pose a moderate risk are rated as ‘B'. These should be addressed by entities within the next 12 months. Findings that are procedural in nature, or reflect relatively minor administrative shortcomings, are rated as ‘C'.

Most agencies had areas of their control environment that required attention although our interim audits found that there had been an overall improvement in agencies' financial and related controls. This has resulted in a reduction in the number of ‘A' and ‘B' findings compared with 2005–06, as reflected in the following analysis:

• there were three agencies with ‘A' category audit findings in 2006–07, a decrease from five in 2005–06; 
• the total number of ‘A' category issues (excluding Defence and DMO) was two in 2006–07 a reduction from nine in 2005–06; 
• the total number of ‘A' category findings for Defence decreased from 18 in 2005–06 to 16 in 2006–07, while the number for DMO remained the same at 6; 
• the number of agencies with no category ‘A' or ‘B' findings is nine in 2006–07, up from seven in 2005–06; 
• the total number of ‘B' category findings across agencies (excluding Defence and DMO) decreased from 67 in 2005–06 to 42 in 2006–07. Defence and DMO showed an increase in the total number from 50 in 2005–06 to 55 in 2006–07; and 
• eleven agencies reported a reduction in the number of ‘B' category findings, six showed an increase and the number in six agencies remained the same.

A summary of ‘A' and ‘B' category audit findings by agency is outlined at page 90 in Chapter 4, of the report.

Financial statement audit coverage

A central element of the ANAO's financial statement audit methodology, and the focus of the interim phase of our audits, is a sound understanding of an agency's internal controls. To do this, the ANAO uses the framework contained in the Australian Auditing Standards ASA 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The key elements, as detailed in ASA 315, are the control environment, the risk assessment process, information systems, control activities and monitoring of controls.

Control environment

The ANAO assesses whether an agency's control environment comprises measures that contribute positively to sound corporate governance. These measures should mitigate identified risks and reflect the specific governance requirements of each agency.
Consistent with past findings, the ANAO observed that all agencies have established key elements of a control environment that is designed to provide a sound basis for effective financial management. Audit committees, in particular, continue to have a positive influence on the effectiveness of agencies' control environment particularly in the areas of risk assessment, legislative compliance and financial system controls. In addition, instances of non-compliance with key elements of the financial framework identified during the audit process have reduced and the introduction of the Certificate of Compliance is resulting in an increased focus on wider compliance issues. Agencies generally have also improved their business continuity planning arrangements.

Risk assessment process

An understanding of an agency's risk assessment process is essential to an effective and efficient audit. Agencies are expected to manage the key risks specific to their environment and our interim audits include a review of controls relating to risks that have a material impact on agencies' financial statements. Important elements of the risk assessment process common to all agencies that are subject to review are business continuity and fraud control management. While noting an improvement in arrangements for business continuity planning, further attention by a number of agencies to this aspect is required, particularly in relation to the development of comprehensive business continuity plans and the periodic testing of plans. All agencies have in place fraud control plans prepared in accordance with the Commonwealth Fraud Control Guidelines, although a small number of agencies needed to improve aspects of their fraud control arrangements.

Information systems

The very substantial ongoing investment in information technology (IT) by Australian Government agencies continues to impact on the nature of public sector administration and service delivery. By continuing to adopt and make use of emerging technologies, this investment is contributing to the transformation of business processes, wider access to government services and improved client service. The financial statement reporting process within agencies is facilitated by IT. Together with the widespread and increasing use of technologies, there is an ongoing need for agencies to establish and maintain an effective IT control environment.

During the interim phase of the 2006–07 financial statement audits, the ANAO again assessed the effectiveness of controls that affect the availability and integrity of information and information systems supporting the financial statement reporting process.

The ANAO found that IT governance is a well established discipline in all the agencies assessed. All agencies had in place a defined IT organisation structure to deliver IT projects and sustain and manage IT support activities, as well as to implement initiatives outlined in their respective IT strategies. The ANAO also found that almost all agencies had developed an IT security policy and supporting procedures to sustain the agency's security environment and to demonstrate management's commitment to IT security. In a number of instances, agencies needed to improve their controls in relation to the management of user access and maintaining effective segregation of duties. A number of agencies also needed to give further attention to developing and maintaining security plans for individual systems and applications.

Control activities

The results of the interim audit phase indicate generally that the overall effectiveness of control activities relating to financial and accounting processes have been maintained at an effective level. The total number of significant audit findings has decreased compared with previous years. This is an encouraging sign reflecting more mature arrangements for the preparation of financial statements. Nevertheless, control issues relating to areas such as key reconciliations, the recording and accounting for assets, the timely follow up of any discrepancies, controls over the processing of transactions in agencies' Financial Management Information System (FMIS) and Human Resources Management Information System (HMRIS), the management and exercise of delegations and the maintenance of records, were identified in some agencies during our interim audits.

Monitoring of controls

Many activities undertaken by agencies contribute to their regime of monitoring of controls. These include quality assurance arrangements, internal and external reviews, control self-assessment processes, and internal audit. The ANAO noted an increase in control self-assessment arrangements, particularly directed at agencies meeting their responsibilities to provide a Certificate of Compliance in respect of 2006–07. Internal audit was also playing a key role in some agencies in assisting in the Certificate of Compliance process.

Footnotes

1. The Auditor-General's financial statement mandate includes the conduct of audits of Commonwealth owned and controlled companies. In this context, in November 2006 I resigned as auditor of the Telstra Group following the Australian Government's sale of shareholdings that resulted in the Government no longer controlling Telstra Corporation Limited.