Introduction

Under section 57 of the Financial Management and Accountability Act 1997 (FMA Act) the Auditor-General is required to report each year to the relevant Minister, on whether the financial statements of agencies have been prepared in accordance with the Finance Minister's Orders (FMOs) and whether they give a true and fair view of the matters required by those Orders.

Our interim audits of agencies encompass a review of governance arrangements related to agencies' financial reporting responsibilities, and an examination of relevant internal controls, including information technology system controls. An examination of such issues is designed to assess the reliance that can be placed on internal controls to produce complete and accurate information for financial reporting purposes.

This report presents the results of the interim phase of the 2008–09 financial statement audits of all portfolio departments and other major General Government Sector (GGS) agencies that collectively represent some 95 per cent of total GGS revenues and expenses. The agencies covered by this report are listed at Appendix 1.

All ANAO findings have been reported to agency management and summary reports provided to the relevant Minister(s). In addition, our audit processes provide for audit issues identified to be formally reported to agency Chief Executives and their respective Audit Committees.

Chapter 1 of this report discusses a number of recent developments in the accounting and auditing frameworks designed to improve the overall quality and comparability of entity financial reports for 2008–09 and subsequent years.

Observations relating to various elements of agencies' internal controls (including the control environment, the risk assessment process, control activities and monitoring of controls) are discussed in summary form in Chapter 2. This chapter includes a discussion of audit findings over the period 2005–06 to 2008–09.

Findings relating to the audit of Information Technology (IT) systems focusing on the IT control environment, IT security, systems delivery and application controls in financial management information systems and human resource management information systems are discussed in Chapter 3.

Chapter 4 outlines, for each agency, details of business operations; governance arrangements relevant to the agency's financial statements; factors impacting on the agency's financial reporting risks; estimated key financial figures and average staffing levels for 2008–09, and significant and moderate risk issues identified by our 2008–09 interim audits.

Financial statement audit coverage

A central element of the ANAO's financial statement audit methodology, and the focus of the interim phase of our audits, is a sound understanding of an agency's internal controls. To do this, the ANAO uses the framework contained in the Australian Auditing Standards ASA 315 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement. The key elements of internal control, as discussed in ASA 315, are the control environment; the risk assessment process; information systems, including the related business processes relevant to financial reporting, and communication; control activities and monitoring of controls.

The final phase of most audits will be completed in the period July to September 2009. Consistent with past practice, a second report will be tabled in the Parliament in December 2009 following completion of the financial statement audits of all entities for 2008–09. The ANAO will also report, at that time, on any additional control issues arising from the final audits.

The ANAO rates its audit findings according to a risk scale. Audit findings that pose a significant risk to the entity and that should be addressed as a matter of urgency, are rated as ‘A'. Findings that pose a moderate risk are rated as ‘B'; these should be addressed by entities within the next 12 months. Findings that are procedural in nature, or reflect relatively minor administrative shortcomings, are rated as ‘C'.

Control environment

The ANAO assesses whether an agency's control environment includes measures that contribute positively to sound corporate governance in the context of the preparation of an agency's financial statements. These measures should be designed to mitigate identified risks of material misstatement in the financial statements, and reflect the specific governance requirements of each agency.

Consistent with past findings, the ANAO observed that agencies have in place key elements of a financial control environment designed to provide a sound basis for the effective preparation of the agency's financial statements. Audit Committees, in particular, continue to have a positive influence on the effectiveness of agencies' control environment particularly in the areas of risk assessment, legislative compliance and financial system controls. No instances of non-compliance with key elements of the financial framework have been identified in our interim audits. The Certificate of Compliance process, introduced in 2006–07, has resulted in an ongoing focus on wider compliance issues.

Risk assessment process

An understanding of an agency's risk assessment framework is an essential element of the ANAO's financial statement audits. Agencies are expected to manage the key risks specific to their environment and our interim audits include a review of controls relating to risks that may have a material impact on agencies' financial statements. The ANAO found that the majority of agencies have a well-established risk assessment process and the results are generally reviewed by audit committees.
Important elements of the risk assessment process common to all agencies are business continuity and fraud control management. Our audits noted that a number of agencies did not have a current organisation-wide Business Continuity Plan that had been endorsed by the agency executive. In addition, some agencies did not review, update or test these plans as part of normal business practice. All agencies have in place fraud control plans prepared in accordance with the Commonwealth Fraud Control Guidelines. A small number of agencies needed to establish mechanisms for assessing the effectiveness of these plans.

Information systems

Information technology facilitates the way in which Australian Government agencies operate, and supports the business processes that deliver services to the Australian community.

During the interim phase of the 2008–09 financial statement audits, the ANAO assessed the design and operation of key IT controls to determine the effectiveness of these controls and their impact on reducing risks to the integrity of financial information presented in agencies' financial statements.

The ANAO noted improvements in a number of agencies' IT control environments since 2007–08. Most noticeable has been the implementation of more effective IT security, incident and problem management procedures. These improvements have enhanced the overall level of security and integrity of key financial systems. However, our audits noted continuing weaknesses in a number of agencies in the management of special or privileged users including a failure to log the activities of these users. The ANAO also observed that many agencies did not review their change management procedures on a regular basis. However, our audits continue to identify a range of IT control weaknesses in some agencies relating to security and management controls in both FMIS and HRMIS systems.

Control activities

The results of the 2008–09 interim audit phase indicated that, overall, control activities relating to financial and accounting processes have been maintained at an effective level. The total number of significant and moderate risk audit findings has decreased, continuing the trend over recent years. Control issues identified by our audits related to areas such as: the management of assets including stocktakes, the maintenance of asset registers and the capitalisation of expenditure; business continuity management; reconciliations between key financial statements; credit card expenditure and the approval of expenditure. A total of 280 Category A, B and C findings were identified from our interim audits, a small reduction compared with 2007-08.

Monitoring of controls

Many activities undertaken by an agency contribute to their regime of monitoring controls. These include quality assurance arrangements, internal and external reviews, control self-assessment processes, and internal audit. The ANAO noted that control self-assessment arrangements, first introduced by a number of agencies to assist in meeting their responsibilities to provide a Certificate of Compliance in respect of 2006–07, has become an integral part of agencies' control regimes. Internal audit was also continuing to have a key role in some agencies in assisting in the Certificate of Compliance process

Summary of audit results

Most agencies had areas of their financial control environment that required attention although our interim audits found there had been an overall improvement in agencies' financial and related controls. This is reflected in a reduction in the number of significant (Category A) and moderate risk (Category B) findings.

A summary of the trend in Category A and B audit findings between 2007–08 and 2008–09 is outlined below:

• there were two agencies with Category A audit findings in 2008–09 and four agencies in 2007–08;
• the total number of Category A audit findings in 2008–09 is three compared with ten in 2007–08;
• the total number of Category B audit findings across all agencies decreased from 84 in 2007–08 to 65 in 2008–09; and
• there was a decrease in the number of Category B audit findings in eight agencies; eight showed an increase; the number of Category B audit findings in two agencies remained the same as in 2007–08; and seven agencies had no Category B findings in either 2007–08 or 2008–09.

A summary of Category A and B audit findings by agency is provided in Chapter 4 of the report.