Introduction

1. Under section 57 of the Financial Management and Accountability Act 1997 (FMA Act) the Auditor-General is required to report each year to the relevant Minister, on whether the financial statements of agencies have been prepared in accordance with the Finance Minister's Orders (FMOs) and whether they give a true and fair view of the matters required by those Orders.

2. Our interim audits of agencies encompass a review of governance arrangements related to agencies' financial reporting responsibilities, and an examination of relevant internal controls, including information technology system controls. The ANAO's examination of these areas is designed to assess the reliance that can be placed on agency internal controls to produce complete and accurate information for financial reporting purposes.

3. This report presents the results of the interim phase of the 2009–10 financial statement audits of all portfolio departments and other major General Government Sector (GGS) agencies that collectively represent some 95 per cent of total GGS revenues and expenses. The agencies covered by this report are listed at Appendix 1.

4. All ANAO findings have been reported to agency management and summary reports provided to the relevant Minister(s). In addition, our audit processes provide for audit issues identified to be formally reported to agency Chief Executives and their respective Audit Committees.

5. Chapter 1 of this report discusses a number of recent developments in accounting and auditing requirements and, in doing so, provides an overview of changes impacting on the Australian Government's reporting and accountability frameworks.

6. Observations relating to various elements of agencies' internal controls (including the control environment, the risk assessment process, control activities and monitoring of controls) are discussed in summary form in Chapter 2. This chapter also includes a discussion of audit findings over the period 2006–07 to 2009–10.

7. Findings relating to the audit of Information Technology (IT) systems focusing on the IT control environment, IT security, application controls in financial management information systems, and human resource management information systems are discussed in Chapter 3.

8. Chapter 4 outlines, for each agency, details of business operations that influence financial statement audit coverage; governance arrangements relevant to the agency's financial statements; areas of audit focus, and significant and moderate risk issues identified by our 2009–10 interim audits.

Financial statement audit coverage

9. A central element of the ANAO's financial statement audit methodology, and the focus of the interim phase of our audits, is a sound understanding of an agency's internal controls. To do this, the ANAO uses the framework contained in the Australian Auditing Standards ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment. The key elements of internal control, as discussed in ASA 315, are the control environment; the risk assessment process; information systems, including the related business processes relevant to financial reporting, and communication; control activities and monitoring of controls.

10. The final phase of most audits will be completed in the period July to September 2010. Consistent with past practice, a second report will be tabled in the Parliament in December 2010 following completion of the financial statement audits of all entities for 2009–10. The ANAO will also report, at that time, on any additional control issues arising from the final audits.

11. The ANAO rates its audit findings according to a risk scale. Audit findings that pose a significant risk to the entity and that should be addressed as a matter of urgency, are rated as ‘A'. Findings that pose a moderate risk are rated as ‘B' and should be addressed by entities within the next 12 months. Findings that are procedural in nature, or reflect relatively minor administrative shortcomings, are rated as ‘C'.

Control environment

12. The ANAO assesses whether an agency's control environment includes measures that contribute positively to sound corporate governance in the context of the preparation of an agency's financial statements. These measures should be designed to mitigate identified risks of material misstatement in the financial statements, and reflect the specific governance requirements of each agency.

13. The ANAO observed that agencies have in place key elements of a financial control environment designed to provide a sound basis for the effective preparation of the agency's financial statements. Audit Committees, in particular, continue to have a positive influence on the effectiveness of agencies' control environment particularly in the areas of risk assessment, legislative compliance and financial system controls.

Risk assessment process

14. An understanding of an agency's risk assessment framework is an essential element of the ANAO's financial statement audits. Agencies are expected to manage the key risks specific to their environment and our interim audits include a review of controls relating to risks that may have a material impact on agencies' financial statements. The ANAO found that the majority of agencies have a well-established risk assessment process, overseen by audit committees or other committees with specific risk management responsibilities.

15. Important elements of the risk assessment process common to all agencies are business continuity and fraud control management. Our audits noted that a number of agencies did not review, update or test their Business Continuity Plans (BCPs) as part of normal business practice. In relation to fraud control, all agencies have in place fraud control plans prepared in accordance with the Commonwealth Fraud Control Guidelines. Consistent with our observations in previous years, a small number of agencies needed to improve mechanisms for assessing the effectiveness of their fraud plans.
Information systems

16. Information technology facilitates the way in which Australian Government agencies operate, and supports the business processes that deliver services to the Australian community.

17. During the interim phase of the 2009–10 financial statement audits, the ANAO assessed the design and operation of key IT controls to determine the effectiveness of these controls and their impact on reducing risks to the integrity of financial information presented in agencies' financial statements.

18. The ANAO noted improvements in elements of agencies' IT control environments during 2009–10, particularly in respect of IT security management controls such as security awareness and training, and security monitoring and reporting practices. However, there was a decline in the effectiveness of incident and problem management controls and a number of agencies would benefit from improving their change management policy and governance frameworks.

19. Consistent with previous years' findings, our audits have continued to identify the need for a number of agencies to improve the management of user access to their Financial Management and Human Resource Management Information systems.

Control activities

20. The results of the 2009–10 interim audit phase indicated that, overall, control activities relating to financial and accounting processes have been maintained at an effective level. The total number of significant and moderate risk audit findings has decreased, continuing the trend over recent years. Control issues identified by our audits related to areas such as: the management of assets including stocktakes, the maintenance of asset registers and the capitalisation of expenditure; business continuity management; and the processing of payments. A total of 188 Category A, B and C findings were identified from our 2009–10 interim audits, a significant reduction compared with the 280 findings identified in 2008–09.

Monitoring of controls

21. Many activities undertaken by agencies contribute to their regime of monitoring controls. These include quality assurance arrangements, internal and external reviews, control self-assessment processes, and internal audit. In particular, all agencies have in place arrangements to enable Chief Executives to provide an annual Certificate of Compliance.

Summary of audit results

22. As previously indicated, our interim audits found there had been an overall improvement in agencies' financial and related controls. This is reflected in a reduction in the number of significant (Category A) and moderate risk (Category B) findings.

23. A summary of the trend in Category A and B audit findings between 2008–09 and 2009–10 is outlined below:

• there were three agencies with Category A audit findings in 2009–10 and two agencies in 2008–09;
• the total number of Category A audit findings in 2009–10 is three, the same number as in 2008–09;
• the total number of Category B audit findings across all agencies decreased from 65 in 2008–09 to 52 in 2009–10; and
• there was a decrease in the number of Category B audit findings in eight agencies; six showed an increase; the number of Category B audit findings in three agencies remained the same as in 2008–09; and nine agencies had no Category B findings in either 2008–09 or 2009–10.

24. A summary of Category A and B audit findings by agency is provided in Table 4.1 in Chapter 4 of the Report.