1. The ANAO prepares two reports annually that provide insights at a point in time to the financial statements risks, governance arrangements and internal control frameworks of Commonwealth entities, drawing on information collected during audits. These reports explain how entities’ internal control frameworks are critical to executing an efficient and effective audit and underpin an entities capacity to transparently discharge their duties and obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Deficiencies identified during audits that pose a significant or moderate risk to the entities ability to prepare financial statements free from material misstatements, are reported.

2. This report is the first in the series of reports and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2019–20 financial statements audits. This report examines 24 entities, including all departments of state and a number of major Australian government entities. The entities included in the report are selected on the basis of their contribution to the income, expenses, assets and liabilities of the 2018–19 Consolidated Financial Statements (CFS). Significant and moderate findings arising from the interim audits are reported to the responsible Minister(s), and all findings are reported to those charged with governance of each entity.

Impact of COVID-19

3. The potential impact of the COVID-19 pandemic, and the Australian Government’s and global responses to the situation, on auditing frameworks, audit risks and audit opinions are covered throughout this report. However, it is important to acknowledge that the audit findings compiled in this report, were at a time largely before the COVID-19 pandemic. It is the ANAO’s intention to work co-operatively with audited entities to resolve any issues resulting from the COVID-19 pandemic, and audit teams will continue to assess the situation for each entity and revise audit approaches accordingly during what remains of the financial statements audit cycle.

4. The ANAO Auditing Standards require audit opinions to be modified where sufficient appropriate audit evidence is unable to be gathered and the possible effects of undetected misstatements arising from the lack of evidence are material. As a consequence of the COVID-19 pandemic, there may be a higher likelihood of disclaimers of opinions for entities’ 2019–20 financial statements. Where this occurs, it will be reported to Parliament in the second report of this series.

Summary of audit findings and related issues

Summary of audit findings

5. A total of 72 findings were reported to the entities included in this report as a result of interim audits, comprising of eight moderate and 64 minor findings. This is an overall increase in the number of findings but a decrease in both the significant and the moderate finding categories compared to the 2018–19 interim audit results. One significant legislative breach was also reported.

6. Fifty per cent of findings relate to the management of IT controls, particularly the management of privileged user access. The continued level of findings indicates that the IT control environment warrants further attention by entity management.

Policies reviews for compliance with finance law, gifts and benefit disclosures and cyber resilience

7. The ANAO observed that entities had processes in place for monitoring and reporting instances of non-compliance with finance law. Following changes in mandatory external reporting of non-compliance, there has been a trend towards entities reducing the level of internal reporting of non-compliance captured and reported to audit committees and accountable authorities.

8. The Australian Public Service Commissioner issued guidance requiring Commonwealth entities to publish quarterly, a register of all gifts and benefits valued at greater than $100, received by the agency head. It was observed that entities have largely made good progress in implementing these recommendations.

9. The Protective Security Policy Framework (PSPF) contains the Essential Eight mitigation strategies and recommended controls intended to strengthen cyber resilience and capacity of Government to mitigate cyber threats. Review of entities’ implementation and compliance with these strategies found that there continues to be limited improvement in the level of compliance with the controls, since being first mandated in 2013.

Entity internal controls

10. The interim audit phase includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. At the completion of interim audits for the 24 entities included in this report, the key elements of internal control were assessed as operating effectively for 17 entities. For the remaining seven entities, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement, except for particular finding/s outlined in chapter 4.¹

Management of staff leave

Summary of developments

11. The increase in audit findings relating to human resource management and administration, and the significance of these as a proportion of all financial statements audit findings, has prompted the ANAO to undertake targeted assurance activities over the management of staff leave. The activities have been performed to facilitate an assessment of compliance of the management of leave accruals, and balances with human resource policies and requirements, and to further inform assurance activities for future audits. The entities selected were the Departments of: Home Affairs; the Prime Minister and Cabinet; and the Treasury.

12. The analysis performed to date has identified weaknesses in processes relating to staff leave and associated monitoring controls. In particular, improvements can be made in the timeliness of submission and approval of leave requests and the application of requirements including minimum and maximum entitlements. The ANAO has also identified that the Department of Home Affairs’ leave policy does not contain current information or requirements following the February 2019 Workplace Determination.

13. These observations potentially impact entities’ operations and financial reporting. Taking leave prior to approval being given may impact the ability of entities to effectively manage resources and deliverables, while also potentially overstating the related employee liability balances in the financial statements.

14. The ANAO will continue to progress the assessment of the above criteria and will report the results in Auditor-General report: Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2020 and in a separate report to Parliament.

Reporting and auditing frameworks

Summary of developments

15. As a consequence of the COVID-19 pandemic and revised accounting standards for revenue and leases, Commonwealth entities will need to review and update the information, systems, processes and controls relied on in the preparation of their 2019–20 financial statements. The ANAO will revise its risk assessments and modify planned audit procedures in response to the changes made by Commonwealth entities.

Cost of this report

16. The cost to the ANAO of producing this report is approximately $480,000.

Note a: The seven entities are the: Departments of: Agriculture, Water and the Environment; Defence; Education, Skills and Employment; Home Affairs; Infrastructure, Transport, Regional Development and Communications; National Disability Insurance Scheme Launch Transition Agency and Services Australia.

Introduction

1.1 The ANAO publishes an Annual Audit Work Program (AAWP) which reflects the ANAO's strategy and deliverables for the forward year. The purpose of the AAWP is to inform the Parliament, the public and government sector entities of the ANAO's planned audit coverage for Australian Government entities by way of financial statements audits, performance audits and other assurance activities.

1.2 The financial statements audit coverage, as outlined in the AAWP, includes presenting two reports to the Parliament addressing the outcomes of the financial statements audits of Australian Government entities and the Consolidated Financial Statements of the Australian Government (CFS). These reports provide Parliament with an independent examination of the financial accounting and reporting of Commonwealth public sector entities.

1.3 This report focuses on the results of the interim audits of 24 entities² including an assessment of key internal controls supporting the 2019–20 financial statements. The assessment includes a review of the governance arrangements related to entities' financial reporting responsibilities and the design and implementation of key internal controls relating to significant business processes. Where the auditor plans to rely upon key controls for assurance that financial statements are free from material misstatement, the controls are tested for operating effectiveness. Testing of controls during the interim audit phase allows the ANAO to form a conclusion on the operating effectiveness of those controls for the period up to the date of testing. During the final phase of the 2019–20 financial statements audit, the ANAO completes testing over the operating effectiveness of those controls upon which the ANAO intends to rely, and also controls not assessed at interim. The second report presents the final results of the financial statements audits of the CFS and all Australian Government entities.

1.4 The Government's response to the COVID-19 pandemic has included significant new measures and expenditure to enhance the capacity of Commonwealth entities to provide support to individuals and businesses impacted by the reduced economic activity and downturn originating from the containment strategies. Much of the interim controls testing was undertaken before major decisions on the implementation of the COVID-19 response measures. As such, entities should consider whether appropriate controls have been established for COVID-19 activities. Further detail on how the developing COVID-19 situation may result in additional financial statements preparation and audit risks for entities is included in chapter 4 of this report.

1.5 The entities included in this report are those entities that contribute significantly to the three sectors of the CFS: the General Government Sector (GGS), Public Non-Financial Corporation (PFNC) sector and Public Financial Corporation (PFC) sector. A listing of these entities is provided in Appendix 1.

1.6 The ANAO conducts its financial statements audits in four phases: planning, interim, final and completion. Figure 1.1 outlines the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

 

 

Source: ANAO data.

1.7 A central element of the ANAO's financial statements audit methodology, and the focus of the planning phase of ANAO audits, is a sound understanding of an entity's environment and internal controls relevant to assessing the risk of material misstatement in the financial statements. This understanding informs the ANAO's audit approach, including the reliance that may be placed on entity systems to produce financial statements that are free from material misstatement.

1.8 In accordance with generally accepted auditing practice, the ANAO accepts a low level of risk that an audit will fail to detect the financial statements are materially misstated. This low level of risk is accepted because it is too costly to perform an audit that is predicated on no level of risk. An understanding of the entity, its environment and its controls helps the ANAO design the required work and respond to risks that bear on financial reporting. The key areas of financial statements risks identified through this planning approach are discussed in chapter 4 for each entity included in this report.

1.9 A key component of understanding the entity and its environment is to understand the governance arrangements established by its accountable authority.³ Accountable authorities of all Commonwealth entities and companies subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) are required to govern their entity in a way that promotes the proper use and management of public resources, the achievement of the purposes of the entity and the entity's financial sustainability.

1.10 The development and implementation of effective corporate governance arrangements and internal controls should be designed to meet the individual circumstances of each entity. These processes also assist in the orderly and efficient conduct of the entity's business and compliance with applicable legislative requirements, including the preparation of annual financial statements that present fairly the entity's financial position, financial performance and cash flows.

Understanding the entity

1.11 The ANAO uses the framework in the Australian Auditing Standards (ASA) 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment to consider the impact of different elements of an entity's internal controls that support the preparation of financial statements. This approach provides a basis for designing and implementing the audit work program that reflects the ANAO's assessment of the risk of material misstatement. Deficiencies in the internal control framework increase the requirement of the ANAO to perform additional audit work in the final phase. Figure 1.2 outlines these elements.

Figure 1.2: Elements of entity internal controls

 

 

Source: ASA 315 Identifying and assessing the risk of material misstatement through understanding the entity and its environment, paragraph A59.

1.12 This chapter discusses each of these elements and outlines observations based on the ANAO's review of aspects of each entity's internal controls, relevant to the risk of material misstatement to the financial statements, including the detailed results of the interim audits.

1.13 At the completion of the interim audits for the 24 entities included in this report, the ANAO noted that key elements of internal control were operating effectively for 17 entities. For the remaining seven⁴ entities, except for particular finding/s outlined in chapter 4, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement.

1.14 The key elements of internal controls for the full financial year will be assessed in conjunction with additional audit testing during the 2019–20 final audits. The impact of changes to the control environment arising from the COVID-19 situation and the required audit response will also be considered at this time.

Control environment

1.15 The PGPA Act sets out the requirements to establish and maintain systems relating to risk and control. Division 2, section 16 of the PGPA Act states that:

The accountable authority of a Commonwealth entity must establish and maintain:

a) an appropriate system of risk oversight and management for the entity; and

b) an appropriate system of internal control for the entity.

including by implementing measures directed at ensuring officials⁵ of the entity comply with finance law.⁶

1.16 An effective control environment is underpinned by a fit-for-purpose governance structure. Indicators of an effective governance structure include whether management has established frameworks and processes that promote positive attitudes, awareness and actions concerning the entity's internal controls and their importance in the entity. The main elements reviewed included: governance structures relevant to the preparation of the financial statements; audit committee and assurance arrangements; systems of authorisation; and processes for recording financial transactions.

1.17 All entities included in this report have established executive management committees and/or sub-committees that meet at least monthly, which support financial decision making at strategic and operational levels.⁷ Consistent with previous years, consideration of financial reporting was included on the agendas of all 24 entities' executive and audit committees. The financial information provided to the entities' executives was supplemented by non-financial operational information.

1.18 Clear lines of accountability and reporting are important in establishing a strong internal control environment for the purposes of preparing financial statements. The involvement of those charged with governance is an important element of these structures. Just as important is ensuring that staff at all levels understand their own role in the control framework. This can be achieved through the issuance of accountable authority instructions, and delegation instruments. All entities have established accountable authority instructions and delegations reflecting current business arrangements.

1.19 A number of entities included in this report, were impacted by Machinery of Government changes during 2019–20 which are discussed further below.

Machinery of Government

1.20 Machinery of Government (MoG) changes as a result of a new Administrative Arrangements Order involve change management processes on the part of the entities involved. A MoG change occurs when the Government decides to change the way Commonwealth responsibilities are managed. It can involve the movement of functions, resources and people from one agency to another. Successful implementation of MoG changes requires effective communication between all the parties affected by the changes, the full cooperation and commitment of both central and line agencies and sound project management arrangements to be developed and implemented in a timely manner.

Scale of the MoGs

1.21 The MoGs implemented in 2019–20 and considered as part of the interim audit were extensive. In all, six portfolio departments merged to become three⁸, an existing department was established as an Executive Agency⁹ and a new agency was established.¹⁰ As a result a large number of functions and programs were transferred between departments and four departments were renamed.

1.22 The most significant changes were:

• transfer of responsibility for functions relating to employment and skills to the newly named Department of Education, Skills and Employment. The vocational education and training, and apprenticeships functions had previously been transferred from the Education portfolio to the former Employment portfolio as part of the 29 May 2019 MoG and were subsequently transferred back as a result of the 5 December 2019 MoG.
• transfer of the communications and arts functions to the renamed Department of Infrastructure, Transport, Regional Development and Communications;
• transfer of agriculture functions to the renamed Department of Agriculture, Water and the Environment;
• establishment of Services Australia (formerly known as the Department of Human Services) as a new Executive Agency, within the Social Services Portfolio;
• establishment of the National Indigenous Australians Agency which assumed responsibility for functions relating to Indigenous Australians from the Department of the Prime Minister and Cabinet;
• transfer of small business, energy and climate change functions (excluding climate science and adaptation) to the renamed Department of Industry, Science, Energy and Resources;
• transfer of responsibility for industrial relations from the former Employment portfolio to the Attorney-General's portfolio;
• transfer of responsibility for whole-of-government service delivery from the Prime Minister and Cabinet portfolio to Services Australia;
• transfer of migrant adult education functions from the Education portfolio to the Home Affairs portfolio;
• transfer of settlement services for refugees and humanitarian migrants from the Social Services portfolio to the Home Affairs portfolio;
• transfer of the information technology group functions from the Department of Social Services to Services Australia; and
• transfer of the National Redress Scheme Branch and the administered investment for Hearing Services Australia from Services Australia to the Department of Social Services.

1.23 Where MoG changes affect areas such as governance arrangements, appropriations, IT systems, internal controls and financial reporting, the ANAO takes these into account in developing its audit approach as part of the annual financial statement audits of Australian Government entities.

1.24 The ANAO 2019–20 interim audit has identified that MoG changes resulted in over 10 000 staff transferring between entities effected through determinations under section 72 of the Public Service Act 1999. Appropriations totalling approximately $1.2 billion were transferred between entities through determinations under section 75 of the Public Governance, Performance and Accountability Act 2013.

Implementing MoG changes

1.25 Implementing MoG changes can be resource-intensive and involve complexity in managing a range of issues. These include: reaching agreement on the staff and appropriations to be transferred; establishing communication mechanisms with both 'gaining' and 'losing' staff; connecting gaining staff to existing IT networks and disconnecting transferred staff from IT systems; arranging accommodation requirements for staff being transferred; and negotiating the most effective way to maintain the delivery of services in both the short and longer term, particularly arrangements for the processing of employee entitlements and program payments.

1.26 The Machinery of Government changes A Guide for Agencies — April 2019 (the Guide), jointly issued by the Australian Public Service Commission (APSC) and the Department of Finance (Finance), outlines a set of principles to assist entities in implementing changes resulting from a MoG. The principles are:

• taking a whole-of-government approach;
• constructive and open communication with staff; and
• accountability and compliance with legislation and policy.

1.27 Implementation of MoG changes requires entities to work co-operatively and openly in a timely manner. Entities are expected to implement changes as quickly as possible, with a focus on achieving the best outcomes for the Australian community across the whole of government.¹¹ As the changes arise from an executive order of government, entities affected will have little or no notice of the specific changes that have been determined.

1.28 The Guide also outlines that where a completion date is not specified in relation to a MoG, entities are expected to complete changes within thirteen weeks from the date of effect of the MoG change. Agency heads are responsible for meeting this deadline and for implementing MoG changes in accordance with the principles set out in paragraph 1.26 above.

1.29 In order to achieve the best outcome, agencies are encouraged to:

• appoint an independent advisor to manage the MoG process, facilitate negotiations and to help resolve any contested issues (paragraph 6);
• establish a cross-agency steering committee that includes representatives from all affected agencies, has clear lines of responsibility and reporting (paragraph 12);
• complete a thorough due diligence exercise of all aspects of functions being transferred including statutory requirements, delegations, and related appropriations (paragraph 7); and
• develop a communications strategy to keep affected staff informed of the progress of changes relating to the timetable and impacts to conditions, hours and pay (Summary, page 11).

Observations

1.30 As part of the 2019–20 interim audit, the ANAO considered the application of the Guide by the entities subject to MoG changes in the current year. Ten entities included in this report, were impacted by MoG changes in 2019–20. The changes to entities varied in complexity and size, with a number of significant MoGs merging functions of entire entities. Although there was a range of complexities involved, the Attorney–General's Department was the only entity that appointed an independent arbitrator. The appointment was made in conjunction with the former Department of Employment, Skills, Small and Family Business and related to the transfer of industrial relations functions.

1.31 Nine¹² of the ten entities impacted established a steering or implementation committee to manage the MoG process. These committees were comprised of senior staff members who were assigned responsibility for settling implementation issues. All committees included representatives from both the gaining and losing entities. Of the entities that established a steering or implementation committee, only the committee from the Department of Industry, Science, Energy and Resources reported to the Audit Committee. Services Australia managed the process through its existing governance and executive committees.

1.32 As outlined in the Guide, as soon as it is apparent that a MoG change will occur, losing agencies are expected to undertake an immediate and thorough due diligence assessment over the transferred function. The due diligence exercise requires a detailed examination of all aspects of the function being transferred.¹³ Of the ten entities impacted by the MoGs, six¹⁴ lost functions. These six entities used a variety of approaches to undertake their due diligence.

• The Department of Education, Skills and Employment and Services Australia undertook a detailed assessment or review in relation to the MoG.
• The Department of Social Services undertook an initial due diligence assessment in relation to the MoG. As at 30 April 2020, the ANAO has not been provided with documentation in respect of the due diligence process.
• The Department of Agriculture, Water and the Environment undertook due diligence processes in relation to functions transferred out as a result of the MoG.
• The Department of Infrastructure, Transport, Regional Development and Communications received all functions of the former Department of Communications and the Arts. The priority of the project team was to work on organisational integration and having appropriate systems and procedures in place from day one to facilitate both entities continuing their delivery. As such, the due diligence exercise was undertaken as part of the integration process.
• The Department of the Prime Minister and Cabinet did not undertake a separate due diligence process relating to the functions being transferred to the National Indigenous Australians Agency. The due diligence was undertaken concurrently with the risk management processes.

1.33 Four entities that gained functions as a result of the changes also performed a due diligence assessment. The Attorney–General's Department and the Department of Industry, Science, Energy and Resources performed assessments to obtain essential information relating to the functions they were receiving and included details relating to human resources and financial information.

1.34 The Department of Social Services performed due diligence over the functions gained from Services Australia. The Department of Agriculture, Water and the Environment undertook due diligence processes for functions received from the former Department of Agriculture, but not to the extent of those undertaken for functions that were transferred out.

1.35 The Guide outlines that a risk management approach¹⁵ relating to the impact of the MoG on an entity, is required to avoid delays in negotiations. Entities used a variety of approaches to manage the risks associated with the MoGs as detailed below.

• The Departments of: Agriculture, Water and the Environment; Industry, Science, Energy and Resources; Education, Skills and Employment; Home Affairs; and Social Services¹⁶ undertook a formalised risk assessment process in relation to the impact of the MoG. The Attorney–General's Department established and maintained a detailed issues and risk register relating to the MoG changes. A number of high risks were identified across these entities.
• The Department of the Prime Minister and Cabinet and the National Indigenous Australians Agency did not undertake a full risk analysis due to the limited time-frame to implement the changes. Risk was managed via agile project methodology using daily stand up meetings where challenges and risks to objectives were identified and mitigated on a daily basis.
• Services Australia did not perform an overall risk assessment relating to the MoG. Risks were captured and managed through the individual business and program areas. The Chief Financial Officer's group tracked the financial implications of these risks through briefing papers to the Financial Statements Sub Committee and Audit Committee.
• The Department of Infrastructure, Transport, Regional Development and Communications has identified that it intends to prepare a position paper¹⁷ relating to the impact of MoG changes on the 2019–20 financial statements.

1.36 In addition to the overall risk assessments outlined above, seven of the ten entities undertook a financial statements risk analysis. The Department of Social Services has undertaken an initial assessment as the transfer of functions between the department and Services Australia is still in progress.

1.37 The National Indigenous Australians Agency is a newly established entity. It initially adopted a number of risk and mitigation approaches from the Department of the Prime Minister and Cabinet. During 2019–20 it has been refining its governance and practices, including risk assessments for financial statements preparation.

1.38 The Department of Home Affairs did not perform a separate financial statements risk assessment, but did review and update the Financial Statements Assurance Framework and noted nil financial statements risk resulting from the MoG.

Conclusion

1.39 The additional guidance provided by the Guide provides entities with a set of principles to follow when they are subject to MoG changes. Best practice would include all entities applying the principles of the Guide regardless of whether they are the losing agency or the gaining agency and regardless of the scale of the MoG. Performing a due diligence review and undertaking detailed risk assessments from an operational and financial statements perspective, assists entities to identify any new risks that could impact on the timely preparation of complete and accurate financial statements.

1.40 The principles of the Guide provide entities with valuable insights that can assist in ensuring the focus remains on completing the MoG processes quickly and achieving the best outcomes for the Australian community across the whole-of-government.

Audit Committees

1.41 The PGPA Act requires audit committees to be established for Commonwealth entities and Commonwealth companies.¹⁸ An independent audit committee is a fundamental principle of good governance.¹⁹ The audit committee plays a key role in assisting the accountable authority to fulfil its governance, risk management and oversight responsibilities through the provision of independent assurance and advice.

1.42 Section 17 of the Public Governance Performance and Accountability Rule 2014 (PGPA Rule) sets out the minimum requirements relating to the audit committee of a Commonwealth entity. The key requirements of the PGPA Rule are outlined below.

• A written charter, set by the accountable authority, determining the functions of the audit committee for the entity. These functions must include reviewing the appropriateness of the accountable authority's financial reporting; performance reporting; system of risk oversight and management; and system of internal control for the entity.
• Membership of the committee²⁰ to include at least three persons with appropriate qualifications, knowledge, skills or experience to assist the committee to perform its functions and a majority of committee members and the committee chair must be independent of the entity.
• Persons that must not be a member of the audit committee: the accountable authority or, if the accountable authority has more than one member, the head; the Chief Financial Officer; and the Chief Executive Officer.

1.43 All entities have established audit committees consisting of a majority of members assessed by the entity to be independent. All entities have an audit committee charter that is consistent with their obligations under subsection 17(2) of the PGPA Rule. Each entity has appointed an independent audit committee chair.

Board Governance Arrangements

1.44 The ANAO audit program has included topics on the implementation of the PGPA Act and the PGPA Rule. Under the PGPA Act, the accountable authority is responsible for leading, governing and setting the strategic direction for the entity. For corporate Commonwealth entities the governing body of the entity is the board, unless otherwise prescribed by the rules.²¹ In 2018–19, a series of performance audits reviewed whether corporate Commonwealth entities had established effective arrangements to comply with legislative and policy requirements, and adopted practices that support effective governance.²²

1.45 The board plays a key role in the effective governance of an entity. Corporate governance involves two dimensions, performance and conformance. In this report the ANAO has analysed the following entities governed by boards: Australian Postal Corporation, the Future Fund Management Agency and the Board of Guardians²³, NBN Co Limited (NBN Co) and the National Disability Insurance Scheme Launch Transition Agency (NDIA). The ANAO has also analysed the Reserve Bank of Australia's (RBA) Reserve Bank Board, noting that the RBA Governor is the accountable authority.

1.46 The interplay of the 'hard attributes' of governance (such as board composition, appointment processes and independence) and the 'soft attributes' of governance (such as the chair/CEO relationship, board behaviours and board culture) are critical to good governance and organisational performance.²⁴ The design of the board structures for the entities listed above is consistent with legislative and policy requirements. The entities have actively engaged with the portfolio department and minister in relation to the skills requirements for prospective board appointments, and provided advice to the decision-maker accordingly. Upon appointment to the board, all entities had appropriate induction processes that included details of the board's role and responsibilities as the accountable authority.

1.47 Establishing a charter can assist board members by providing a single reference point that clearly sets out the functions, powers and membership of the board, as well as roles, responsibilities and accountabilities. For the five entities considered, a charter was in place and reviewed on a regular basis. The boards of all the entities meet on average at least every six weeks. Sufficient and appropriate documentation and the recording of decisions and actions is kept by the entities, as well as the declaration of conflicts of interests by members, including the managing director, or equivalent.

1.48 The boards maintain a strategic focus on risk within the entity with regular briefings from the relevant audit and/or risk committee. Other items discussed by the boards include approval of key policies and frameworks, assurance from management regarding internal controls and compliance with legislation, and reporting on progress against the corporate plan. All entities undertake regular reviews to evaluate board performance, with external assessments complemented by more frequent internal reviews. Periodically evaluating board performance can enable a board to reflect on its operations and assess whether it has effectively met its purpose, objectives and obligations.

Risk assessment processes

1.49 Section 16 of the PGPA Act sets out an accountable authority's responsibilities in regard to the establishment of appropriate risk oversight and management in an entity. An understanding of an entity's process to identify and manage risk is essential to an effective and efficient financial statements audit. A review of this process is done to assist the ANAO to understand how entities identify and manage risks relating to financial statements and assess the risk of material misstatement to an entity's financial statements.

1.50 For the 2019–20 interim audit phase the ANAO's review of entities' risk assessment processes was undertaken prior to the emergence of the COVID-19 pandemic. In order to minimise the impact on their financial statements, entities should review their current risk assessments. This is discussed further in paragraphs 2.6 to 2.8 of chapter 2.

1.51 All entities included in this report have a process to develop and update risk management plans at the organisational and strategic risk levels. In addition, each entity has developed processes for the identification and notification of risks relevant to financial statements preparation either as part of the overall risk management plan, or through a targeted risk identification exercise. The monitoring of risks and the entity's implementation of risk management strategies was typically assigned to either an executive committee and/or the audit committee.

1.52 Entities affected by machinery of government changes, including the Departments of: Agriculture, Water and the Environment; Education, Skills and Employment; and Infrastructure, Transport, Regional Development and Communications are currently applying risk management plans established at the former entities. The National Indigenous Australians Agency (NIAA) is adopting the risks assessed by the Department of the Prime Minister and Cabinet and will consider changes to risks for the new entity at a future date.

Monitoring of controls

1.53 Entities undertake many types of activities as part of their monitoring of control processes, including external reviews, self-assessment processes, post-implementation reviews and internal audits. The level of review of these activities by the ANAO is determined through a risk assessment approach that takes into consideration the nature, extent and timing of each activity and the activities application to the preparation of the financial statements.

Internal Audit

1.54 As part of the financial statements audit coverage, internal audit is reviewed to gain an understanding of its role and activities in the entity. Where an internal audit function has been established it can play an important role in providing assurance to the accountable authority that the internal control framework is operating effectively. Entities are encouraged to identify opportunities to leverage internal audit coverage as a means of providing increased assurance to accountable authorities to support their opinion on the entity's financial statements.

1.55 The extent to which the work of internal audit may be able to be used, in a constructive and complementary manner, varies between entities and is more likely to occur where internal audit work is focused on financial controls and legislative compliance. The ANAO is expecting to rely upon the work of internal audit for a number of entities.²⁵ When it is anticipated that the work of internal audit will be used, in accordance with ASA 610 Using the Work of Internal Auditors, an assessment is required of whether the internal audit function has: appropriate organisational status; relevant policies and procedures to support their objectivity; an appropriate level of competence; and whether they apply a systematic and disciplined approach in the execution of their work including quality control.

1.56 When it is determined that the work of internal audit can be used to support an effective audit approach, additional work is performed to confirm its adequacy to support the external audit. This will include confirmation that the scope of the work is appropriate, that there is sufficient evidence to support the conclusions drawn and selected re-performance of internal audit's testing.

1.57 For the entities included in this report, it was observed that internal audit coverage is based on an internal audit plan that is aligned with entities' risk management plans and includes combinations of audits that address assurance, compliance, performance improvements and IT systems reviews. In addition, suggested topics from management, audit committees and external influences such as the ANAO's planned performance and financial statement coverage, are factors considered in the development of internal audit work plans.

Reporting relating to compliance with finance law

1.58 The introduction of the PGPA Act resulted in a move from a compliance-based approach to a principle-based financial framework for Commonwealth entities. To promote the safe custody and proper use of public resources whilst reducing red tape, a greater emphasis is placed on the robustness of an entity's self-assessment processes, strong governance structures and internal control frameworks to identify risks. A practical example of this is an entity's requirement to report on compliance with finance law.²⁶

1.59 From 2015–16, the compliance reporting changed to require entities to report only significant non-compliance with finance law to both the Finance Minister and the responsible Minister. Prior to this, general government sector entities were required to submit an annual Certificate of Compliance to the Minister for Finance and the responsible Minister summarising all non-compliance with the PGPA Framework. To support the change in requirements, the Department of Finance issued guidance in relation to reporting of significant non-compliance through the Resource Management Guide 214 Notification of significant non-compliance with the finance law (RMG 214). The guide outlines factors which may be considered when determining whether significant non-compliance occurred including:

• failure to comply with the duties of accountable authorities (PGPA Act sections 15 to 19);
• serious breaches of the general duties of officials (PGPA Act sections 25 to 29) including any fraudulent activity by officials;
• systemic issues reflecting internal control failings or high volume instances of non-compliance; and
• non-compliance issues that are likely to impact on the entity's financial sustainability.

1.60 RMG 214 notes that the accountable authority should consider the entity's environment when determining whether instances of non-compliance are significant. In May 2019, the RMG was updated with additional guidance in the form of case studies. The case studies highlight the need for entities to consider the number of non-compliance issues in the context of the number of times the function had occurred within the entity. For example comparing the number of breaches relating to incorrect reporting of contracts on AusTender compared to the number of contracts executed in that year. As part of the interim audits the ANAO considered entities' application of RMG 214.²⁷

1.61 Entities advised that professional judgement is applied and consideration given, to the nature and volume of breaches when assessing significance.²⁸ Six entities²⁹ provided further guidance within their definition of significant non-compliance, specifying a financial threshold above which non-compliance would be considered significant. The financial thresholds include a percentage of either departmental budget amounts, entity determined materiality thresholds; or a set dollar figure. The dollar range of thresholds varies from $50,000 to $20 million.

1.62 As part of an audit committee's governance role, it usually has oversight of the process for collating instances of non-compliance and the subsequent assessment regarding their significance. Changes to mandatory external compliance reporting process in 2015–16 removed the requirement for all instances of non-compliance to be centrally reported to the Department of Finance. As a consequence, the Department of Foreign Affairs and Trade, the NDIA and Services Australia reduced their level of reporting, requiring only significant non-compliance to be reported to their audit committee and accountable authorities. In addition, as a register of all non-compliance is not maintained, these entities are not able to perform analysis consistent with additional guidance provided in the May 2019 update to RMG 214. While the Australian Office of Financial Management does periodically report all instances of non-compliance to the audit committee, it also does not maintain a register of non-compliance.

1.63 In the absence of a register, capturing all instances of non-compliance, these entities have been excluded from the analysis of non-compliance summarised in Figure 1.3. Similarly as the National Indigenous Australians Agency was established from 1 July 2019 it is also excluded.

1.64 In addition to notifying the relevant Minister of any significant issues which occur, entities must also report any significant non-compliance in their annual reports in line with the PGPA Rule subsection 17AG. The following two entities reported significant non-compliance in their 2018–19 annual reports:

• Department of Veterans' Affairs reported one significant non-compliance³⁰ relating to departmental transactions totalling $4.1 million found to be incorrectly recorded as administered items. They were subsequently transferred to departmental operations.
• Department of Defence reported 53 instances of significant non-compliance.³¹ Where these instances were proven as fraud committed by an official, Defence authorities addressed these instances through criminal or disciplinary prosecution action.

1.65 Entities undertake a range of activities to identify instances of non-compliance and support their assessment of whether identified breaches meet the definition of significant. These activities include self-reporting, internal assurance activities, and questionnaires completed by officers holding delegations. Through these processes, in 2018–19 entities included in this report identified a total of 4,203 instances of non-compliance.³² Two entities reported no non-compliance³³, three entities account for more than 10 per cent of the total breaches³⁴ and the remaining 13 entities each reported between one and nine per cent of the non-compliance. Figure 1.3 provides the ANAO analysis of instances of non-compliance by category as identified by entities in 2018–19.

Figure 1.3: Reported incidences of non-compliance 2018–19

 

 

Source: ANAO analysis of data provided by entities.

1.66 Further details of the areas of non-compliance depicted in Figure 1.3 are detailed below.

• The following three entities identified the highest number of instances of non-compliance with the Commonwealth Procurement Rules: Department of Home Affairs (775 instances); Department of the Prime Minister and Cabinet (302 instances); and Department of Veterans' Affairs (237 instances). Of the non-compliance with Commonwealth Procurement Rules, 61 per cent of breaches related to rule 7.16, which requires entities to report contracts entered into or amended over $10,000 on AusTender within 42 days.
• Breaches of section 23 of the PGPA Act include failure to obtain appropriate delegate approval prior to entering into contracts and exceeding a delegate's approval. The following three entities identified the highest number of instances of non-compliance in this area; Department of Defence (450 instances); Department of the Treasury (123 instances); and Department of Agriculture, Water and the Environment (86 instances).
• Non-compliance with the Commonwealth Grant Rules and Guidelines predominately resulted from entities not meeting the requirement to publish grants on GrantConnect³⁵ within 21 days.
• Forty-one per cent of instances of non-compliance with the PGPA Act, excluding section 23, related to breaches of governing in a way that is not inconsistent with the policies of the Australian Government under section 21, specifically section 83 of the Australian Constitution where by no money shall be drawn from the Treasury of the Commonwealth except under appropriation made by law.
• The non-compliance with the PGPA Rule relates to failure to document the approvals to enter into arrangements under section 23 of the PGPA Act and banking monies within five days from receipt.

1.67 The additional guidance provided within the RMG 214 indicates that consideration should be given to the number of breaches in light of the entity's environment. The collation and reporting of non-compliance allows audit committees and accountable authorities to assess emerging risks and determine training requirements or changes to procedures required to address trends. Through its interim reports to Parliament, the ANAO has undertaken a detailed analysis of reporting of non-compliance, over the last three financial years, and observed both divergent practices between entities in identifying and assessing the significance of non-compliance, and a reduction in detailed reporting provided to audit committees and accountable authorities.

Gifts and Benefits

1.68 Auditor-General Report No. 47 2017–18: Interim Report on Key Financial Controls of Major Entities, provided analysis of the gifts and benefits policies of those entities included in the report. The report concluded that there would be merit in the development of a whole-of-government gifts and benefits policy approach across Commonwealth entities.³⁶

1.69 In accordance with the Public Governance, Performance and Accountability Act 2013 and the Australian Public Service (APS) Code of Conduct, on 18 October 2019 the Australian Public Service Commissioner (the Commissioner) announced new guidance for reporting of gifts and benefits. The policy sets out a number of requirements for agency heads (including departmental secretaries)³⁷ and provides guidance on areas of better practice.

1.70 The Commissioner stated that agency heads must:

• not accept gifts and benefits which might reasonably be seen to compromise their integrity (paragraph 26);
• create and keep a register of gifts and benefits accepted (paragraph 15);
• update the register of all gifts and benefits accepted with a value of more than AUD$100.00 (excluding GST), within 28 days of receiving the gift or benefit (paragraph 16);
• publish on their agency's website the register of gifts and benefits accepted where the value of the gift or benefit exceeds AUD$100.00 (excluding GST) on a quarterly basis (paragraph 17); and
• publish the first register by 31 January 2020, the second register by 31 March 2020 and quarterly thereafter. (paragraphs 12 and 13).³⁸

1.71 The ANAO has reviewed the implementation of the policy across entities included in this report.³⁹ Table 1.1 below provides a snapshot of the recommendations that have been implemented.

Table 1.1: Implementation of public reporting of gifts and benefits received by agency heads

Note a: NBN Co as a Commonwealth company is strongly encouraged though not required to comply with the policy released by the Commissioner. NBN Co has not published a gifts and benefits register for the agency head and has set a minimum reporting threshold of $200.

Source: ANAO analysis.

1.72 As outlined in Table 1.1 four entities⁴⁰ had not published any registers for their agency heads or equivalent by the 31 January 2020 deadline. As at 30 April 2020 the Australian Office of Financial Management and NBN Co had not published any gifts and benefits received by agency heads on their websites. The NBN Co as a corporate Commonwealth company is strongly encouraged, though not required to comply with the requirements issued by the Commissioner. The Department of Veterans' Affairs advised that it published the register on its website on 17 February 2020. The Future Fund Management Agency and the Board of Guardians has published a gifts and benefits register for the quarter ended 31 March 2020.

1.73 The ANAO has been advised that the Commissioner acknowledged in an email to portfolio secretaries on 20 March 2020, that reporting of gifts and benefits for the March 2020 quarter deadline may not be feasible given the COVID-19 pandemic. Publication was however encouraged and as indicated in Table 1.1 above, 19 entities had published this information by 30 April 2020.

1.74 To increase transparency and consistency across the Government and as a matter of best practice the Commissioner stated that:

• Departmental Secretaries should circulate the guidance to all statutory office holders and heads of Commonwealth entities and companies within their portfolios;
• Commonwealth statutory office holders and heads of Commonwealth entities and companies are strongly encouraged to adopt this guidance and mirror these arrangements; and
• there is strong expectation that registers including gifts and benefits received by all staff valued over $100 are published on the entity's website.

1.75 The Departmental Secretaries for 11⁴¹ of the 14 portfolio departments confirmed they had circulated guidance to entities within their portfolio.

1.76 In line with best practice, 16 entities included gifts and benefits received by all staff in the register published on entity websites applying the $100 reporting threshold. The Departments of: Agriculture, Water and the Environment and Parliamentary Services publish gifts and benefits received by the agency head only. The Department of Foreign Affairs and Trade, the Department of Veterans' Affairs; and the Future Fund Management Agency and the Board of Guardians have extended the disclosures to include staff in key management positions. The Reserve Bank of Australia publishes gifts and benefits received by the Governor and Deputy Governor.

1.77 As noted in paragraph 1.72, the Australian Office of Financial Management and NBN Co have not published a gifts and benefits register on their websites, however, both entities maintain internal registers to record the gifts and benefits received by all staff. The Australian Office of Financial Management requires staff to report all gifts and benefits received and NBN Co requires staff to report gifts and benefits received over a threshold of $200.

1.78 An important element of a gifts and benefits policy is that it provides a process for monitoring and managing the gifts and benefits offered and/or accepted by officers within the entity. The maintenance of a register enables an assessment of the effectiveness of implementation of an entity's policies; the types and frequency of gifts and benefits received by an entity; and the identification of potential conflict of interest risks. Best practice would include the public disclosure of gifts and benefits received by all staff.

Safeguarding financial information from cyber threats

1.79 The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to consider and implement the Australian Signal Directorate's (ASD) Essential Eight mitigation strategies (Essential Eight).⁴² The initial requirements were defined in 2013 and are now specified in PSPF Policy 10, "Safeguarding information from cyber threats" (Policy 10).⁴³ The Essential Eight is considered the baseline for cyber resilience within the Australian Government and provides advice on measures that entities can implement to mitigate cyber threats.⁴⁴

1.80 Policy 10 requires each entity to:

1. implement the following Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents (Top Four):
   • application whitelisting⁴⁵;
   • patching applications⁴⁶;
   • restricting administrative privileges⁴⁷; and
   • patching operating systems.⁴³
2. consider which of the remaining Top Four Strategies need to be implemented to protect the entity.⁴⁸

1.81 The PSPF and Essential Eight have defined maturity levels to help entities determine the maturity of their implementation of Policy 10 and Essential Eight requirements, respectively. Policy 10 states entities must achieve the maturity level 'Managing', which is equivalent to the Essential Eight 'Maturity Level Three'. The PSPF requires non-corporate Commonwealth entities to annually assess and report their performance against the PSPF information security requirements.

1.82 Since 2013, the ANAO has conducted a series of performance audits focused on assessing the progress of implementation against Policy 10 requirements. These performance audits continued to identify low levels of compliance with mandatory Policy 10 requirements and concerns relating to the accuracy of annual self-assessments. There was no evidence that the regulatory framework had driven sufficient improvement in entities mitigating their cyber security risks since 2013.

1.83 The Australian Cyber Security Centre (ACSC) was provided funding through the 'Cyber Uplift' budget measure, to strengthen the cyber security of Australian Government networks through enhanced technical guidance, improved verification, and increased transparency and accountability. The Cyber Uplift included a 'sprint' program which was focused on assessing and baselining the maturity of 25 Commonwealth entities' implementation of the Essential Eight. The sprint program also resulted in ACSC identifying additional measures for entities to strengthen their cyber security posture as a result of the program.

1.84 In 2019–20, the ANAO performed a review of the Policy 10 annual self-assessment as part of its assurance audit program of financial statements. This review focused on the protection of information relevant to the preparation of financial statements, specifically the Financial Management Information System (FMIS) and Human Resource Management Information System (HRMIS). The review was performed on 18 of the 20⁴⁹ government entities included in this report, which are required to report annually against the Policy 10 requirements.⁵⁰ The review was undertaken to confirm the accuracy of reporting and identify cyber security risks that may impact on the preparation of financial statements. The review consisted of analysis of policy and procedural documentation, testing of mitigation strategies specific to the FMIS and HRMIS, results of sprint assessments and interviews with entity personnel. Similarly to previous performance audits of non-corporate Commonwealth entities, the ANAO found maturity levels for most entities were significantly below the Policy 10 requirements. Of the 18 entities assessed, only one was rated as achieving a Managing maturity level across all eight controls. This is illustrated in Figure 1.4 below.

Figure 1.4: Compliance with the PSPF Policy 10 Requirements

 

 

Source: ANAO data.

1.85 The lowest levels of compliance were reported in the 'Application Hardening and Macro controls' and 'Multi-Factor Authentication' controls.

1.86 Achieving a Managing level for Application Hardening⁵¹ was viewed by entities to be difficult due to the number of applications in the entities' systems and the difficulty in identifying all applicable hardening controls. Entities have implementation plans focused on reducing the number of applications in their environments, with an aim to lowering their attack surface and minimising risk. Implementation of these plans is currently being actioned by the majority of entities, with most plans scheduled for completion by July 2020.

1.87 Restricting macros⁵² was reported to be difficult due to users relying heavily on macros to perform business activities. Entities differed in their maturity of addressing the associated risks, with some working with users to restrict macros in their environments and securely authorising business critical macros, while other entities accepted the risk of macros and relied on additional mitigations for protection.

1.88 For Multi-Factor Authentication⁵³ to be assessed at the Managing maturity level, multi-factor authentication needed to be used to authenticate all users when accessing important data. Entities found the process of organising/distributing multi-factor authentication tokens for all users to be an onerous one, and most have accepted the risk and focused on achieving the Developing maturity level. Entities prioritised multi-factor controls for remote access and privileged users, rather than all users.

1.89 Most entities conducted their self-assessment at a system or environment level, and did not specifically assess the controls required to minimise cyber risks to their FMIS or HRMIS applications. The entities prioritised the protection of the environment which hosts the FMIS and HRMIS applications.

1.90 Four entities were found to be incorrect in their self-assessments. The entities attributed the inaccuracies in their assessments to their interpretation of the scope of the requirement and indicated that they found it challenging to determine whether they had met the intention of the mitigation strategies.

1.91 In a report to Parliament on April 2019⁵⁴, ACSC noted that "While all of the Commonwealth entities assessed through the Cyber Uplift sprints were found to be taking positive and proactive steps to improve their cyber security, the ACSC assessed that they had not yet achieved the recommended maturity level for the Essential Eight. As a result, these entities are vulnerable to current cyber threats targeting the Australian Government". This aligns with the observations of the ANAO, which identified significant progress was still required for entities to meet the required Policy 10 maturity level of Managing.

1.92 ANAO found that 76 per cent of controls were at an Ad-hoc or Developing maturity level. This is in line with ACSC findings, which noted '73 per cent of non-corporate Commonwealth entities reporting ad hoc or developing levels of maturity'.⁵⁵ The majority of the entities reviewed are not meeting the required Policy 10 maturity level. The regulatory framework and self-assessments to date have not driven the achievement of the standard of cyber security required by Government policy.

1.93 The Policy 10 requirements, that non-corporate Commonwealth entities implement the Australian Signals Directorate (ASD) Mandatory Strategies to Mitigate Cyber Security Incidents (Top Four), have been in place since 2013. Entities' inability to meet these requirements indicates a weakness in implementing and maintaining strong security controls over time.

1.94 Previous audits of cyber security by the ANAO to assess the progress of implementation against Policy 10 requirements have not found an improvement in the level of compliance with the controls over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.

1.95 The response to the COVID-19 pandemic has required the majority of entities to adapt IT systems to support remote working arrangements for their workforces. This change in business and control environment has brought additional security risk, with ACSC noting in its April 2020 Threat Report that 'Cybercrime actors are pivoting their online criminal methods to take advantage of the COVID-19 pandemic'.⁵⁶ Threats noted by ACSC include COVID-19 themed phishing attacks⁵⁷, exploitation of remote access weaknesses, as well as an increase in fraud based attacks.⁵⁸

1.96 ACSC has released guidance on preparing for COVID-19 threats⁵⁹, including reviewing business continuity plans and procedures, implementation of multi-factor authentication, hardening of systems⁶⁰ and restriction of macros to reduce the impact of any phishing based attacks. Strong security controls introduced by entities would minimise the risks emerging due to COVID-19 and remote working practices.

1.97 While entities' compliance with Essential Eight remains low, there continues to be the risk of compromise to information relevant to the preparation of financial statements.

Interim audit results

1.98 Audit findings are raised in response to the identification of a potential business or financial risk posed to an entity. Often these risks arise from deficiencies within an entity's internal control processes or frameworks. Weaknesses in internal controls increase the possibility that a material misstatement of an entity's financial statements will not be prevented or detected in a timely manner. The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The rating scale is presented in Table 1.2.

Table 1.2: Findings rating scale

1.99 A summary of all significant, moderate and minor audit findings reported at the conclusion of the interim audit phase across the past four financial years is presented in Figure 1.5: below.

Figure 1.5: Trend in aggregate interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.100 The findings have been classified into broad categories as follows:

• IT control environment;
• compliance and quality assurance frameworks;
• accounting and control of non-financial assets;
• revenue, receivables and cash management processes;
• human resources financial processes; and
• purchases and payables management.

Table 1.3: Audit findings by category for the 2019–20 interim period

Source: Compilation of ANAO interim audit findings.

1.101 In addition, to the findings reported in Table 1.3 one new legislative breach was reported during 2019–20. The legislative breach reported that the Department of Education, Skills and Employment made GST payments to non-government schools without the authority of the Australian Education Act 2013. For further details please refer to chapter 4, paragraphs 4.5.24–4.5.27.

Information Technology Control Environment

1.102 The review of information systems and related controls is an integral part of an entity's control environment. This section summarises the results from interim tests of the operating effectiveness of IT general controls for each of the entities included in this report. It should be noted that the majority of this testing was performed in the period September 2019 — February 2020, and does not reflect any changes in the risk and control environment arising from the impact of COVID-19. This will be addressed in the final testing of information systems controls scheduled to be performed in June and July 2020.

1.103 Figure 1.6 show the trends in interim audit findings related to entities' overall IT control environments from 2016–17 to 2019–20. At the time of this report, testing of the operating effectiveness of IT controls had not been completed for four entities⁶¹ and therefore those results are not reflected in this summary.

Figure 1.6: IT control environment interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.104 Findings related to entities' IT control environments represent 50 per cent of total findings identified during the 2019–20 interim period. IT control environment findings continue to represent the highest proportion of all findings. One new moderate finding was reported in 2019–20, which is a decrease of six from the previous year. Further detail regarding the new finding is detailed in chapter 4 for Services Australia. Three moderate findings were carried over from the previous year.⁶² While there has been a decline in the number of moderate findings reported this year, and in the number of findings overall, the need to focus on processes to monitor IT controls to prevent reoccurrence of issues continues to be of importance. This was a recommendation by the Joint Committee of Public Accounts and Audit (JCPAA).⁶³

1.105 The information systems control environment findings reported at the conclusion of the 2019–20 interim audits for entities included in this report have been grouped as follows:

• IT security;
• IT change management; and
• disaster recovery arrangements.

IT Security

1.106 IT security is concerned with protecting an entity's information assets from internal and external threats. It includes controls to prevent or detect unauthorised access to systems, programs and data. In the context of the financial statements audit, the focus is on the financially significant systems and data only.

1.107 The key controls areas that address risks relating to IT security and that are assessed as part of the interim audit are:

• IT security governance;
• general and privileged user access; and
• monitoring and reporting.

1.108 Figure 1.7 illustrates the trends in findings observed in entities' IT security arrangements between 2016–17 and 2019–20.

Figure 1.7: IT security interim audit findings 2016–17 to 2019–20

 

 

Note: The comparative numbers in this figure have been updated to include findings previously categorised as IT application controls which related to IT security.

Source: ANAO data.

1.109 The IT security findings represent 77 per cent of all IT related findings reported in 2019–20. Three moderate findings were reported in the current year (2018–19: six). Further details of the moderate findings are detailed in chapter 4.⁶⁴ Findings related to:

• logging and monitoring of privileged user activity;
• user access management, including approving new user access and performing regular user access reviews;
• removal of user access when it is no longer required;
• password configuration; and
• the overall governance and assurance framework to support the above activities.

1.110 Users with administrative access privileges, commonly referred to as privileged users, are able to make significant changes to IT systems' configuration and operation, bypass critical security settings and access sensitive information. As part of reviewing IT security arrangements, different groups of privileged users were examined, including:

• application administrators, sometimes referred to as super users;
• database administrators;
• system administrators; and
• network or domain administrators.

1.111 To reduce the risks associated with this access, the Australian Government Information Security Manual (ISM) recommends that privileged user access be appropriately restricted and when provided, that the access is logged, regularly reviewed and monitored. Two moderate⁶⁵ and seven minor findings relate to entities that have not implemented adequate logging and monitoring procedures over privileged user accounts. The risk of inappropriate changes to financially significant systems and data arising from these findings is partially mitigated through alternate controls.

1.112 All users with access to financial systems may have the ability to change financial information, and therefore access should only be granted where it is required for the performance of the role; and should be reviewed whenever the role changes. One moderate and three minor findings in paragraph 1.111 also identified issues with user access management, and there were a further six minor findings in this area.

1.113 Entities must remove or suspend user access on the same day a user no longer has a legitimate business requirement for its use.⁶⁶ Terminating a user account when the user no longer has a requirement to access it, such as upon departure from an entity, can prevent unauthorised use. Two minor findings in paragraph 1.111 and one minor finding in user access management also related to issues where access was not removed on a timely basis, and there were a further nine minor findings in this area.

1.114 Two minor findings relate to inadequate password controls increasing the likelihood of unauthorised access to systems and data. The ISM provides guidance on the password requirements for Australian Government systems.

1.115 One moderate and one minor finding relates to the governance and monitoring processes that support the overall information security framework. For further details on the moderate finding, refer to the detailed results in chapter 4 for Services Australia.

1.116 The findings within this category increase the risk of unauthorised changes being made to systems and data, or unauthorised data leakage. Entities should review their management of these areas in light of the recommendations of the ISM and the risks to their operational environment.

IT change management

1.117 IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being introduced, and to reduce the likelihood that normal business operations are interrupted with the implementation of authorised changes.

1.118 Figure 1.8 illustrates the trends in findings identified in entities' IT change management controls between 2016–17 and 2019–20.

Figure 1.8: IT change management interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.119 Changes to entities' IT environments were managed using standardised processes, usually based on the ITIL Framework.⁶⁷ One moderate⁶⁸ and six minor findings were identified in this area. Two of the minor findings related to data migration performed as part of implementing a change. The remaining findings related to weaknesses in the operation of the change management processes and a lack of segregation between the developer and migrator of a change. Two minor findings also included issues related to IT security.

1.120 While low when compared to IT security, the number of findings in this area has increased over the last three years. One third of the entities included in this report have advised that they are undertaking new systems implementations and/or data migration activities in 2019–20. Weaknesses in change management elevate the risk of unauthorised or untested changes to systems during these activities, and may affect the availability or reliability of the overall IT environment. Entities should monitor the operating effectiveness of their IT control environments to mitigate risks.

Disaster recovery arrangements

1.121 Disaster recovery is concerned with the resumption of the IT environment including systems and data. It relies on:

• effective back-up and recovery arrangements, to allow data to be recovered from current versions of key IT systems; and
• disaster recovery planning, including the development, maintenance and testing of a disaster recovery plan to enable IT systems to be recovered in line with defined business requirements.

1.122 The ANAO assesses entities' disaster recovery arrangements in view of the potential for a disruptive event to impact on financial reporting. Figure 1.9 illustrates the trend for findings identified in entities' disaster recover arrangements between 2016–17 and 2019–20.

Figure 1.9: Disaster recovery interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data

1.123 All entities undertook regular backups of financially significant data and had disaster recovery plans in place. Three entities received minor audit findings relating to not undertaking testing of their disaster recovery plans; two of these have remained unresolved since 2017–18. Lack of regular testing increases the risk that in the event of a significant disruption, systems and data will not be able to be recovered within an acceptable timeframe.

1.124 Overall, the majority of IT controls continued to be effective in most entities included in this report during 2019–20. Consistent with observations in previous years, IT Security, particularly with regard to management of user access, continues to be an area requiring improvement to address the risk of inappropriate access to systems and data.

1.125 As noted in paragraph 1.95, the introduction of remote working for large parts of the public sector workforce in response to COVID-19 measures has resulted in a change to the IT risk and control environment. This change occurred after the work that underpins this assessment was completed, and it increases the importance of strong IT security and business continuity controls. In addition, IT–dependent manual controls may need to operate differently in a remote working environment. The continued effectiveness of all of these controls to address identified risks in the changed environment will be a focus of ANAO testing at the end of the financial year.

Compliance and quality assurance frameworks

1.126 Entities place reliance on internal and external systems, parties and information in decision-making processes. The implementation of effective compliance and quality frameworks and processes, provides assurance over the completeness and accuracy of information and is integral to the preparation of financial statements that are free from material misstatement.

Figure 1.10: Compliance and quality assurance framework interim findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.127 As per Figure 1.10 there are three moderate audit findings at the conclusion of the 2019–20 interim audit related to weaknesses in quality assurance processes designed to mitigate key financial or business risks or risk management practices relating to loan facilities.⁶⁹ The moderate finding reported to the Department of Home Affairs, relating to Visa and Citizenship quality management, was reported as a significant finding at the completion of the 2018–19 financial statements audit. The moderate finding, relating to the NDIA: Streamlined Access to Scheme — Defined Programs, was first reported in 2016–17 and remains unresolved.

1.128 The number of minor audit findings reported in 2019–20 has decreased compared with prior years. There remains a need for entities to focus attention on:

• maintaining effective governance over third party or joint service delivery arrangements;
• implementing quality assurance processes over data integrity;
• developing and implementing risk management frameworks that support the effective management of risk in the delivery of programs; and
• implementing effective quality assurance processes over key financial statements inputs particularly those subject to professional judgement and uncertainty.

Accounting and control of non-financial assets

1.129 Entities control a diverse range of non-financial assets on behalf of the Commonwealth, including land and buildings, specialist military equipment, leasehold improvements, infrastructure, plant and equipment, inventories and internally-developed software.

Figure 1.11: Accounting and control of non-financial assets interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.130 A significant finding which was first reported to the Department of Defence during the 2017–18 final audit phase has been downgraded to a moderate finding at the conclusion of the interim audit 2019–20.⁷⁰ The finding relates to the Department of Defence's management and monitoring of specialist military equipment and inventory balances.

1.131 The three minor audit findings were raised as part of the 2018–19 final audit and relate to control weaknesses in asset capitalisation processes, management of inventory and timely approval and recording of asset disposals.

Revenue, receivables and cash management

1.132 Revenue and receivables consists of Parliamentary appropriations, taxation revenue, customs and excise duties and administered levies. Revenue is also generated by entities from the sale of goods and services and a range of other sources. Cash management involves the collection and receipt of public monies and the management of official bank accounts.

Figure 1.12: Revenue, receivables and cash management interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.133 Since 2017–18, no significant or moderate audit findings have been identified that relate to revenue, receivables and cash management. The minor audit finding reported in 2019–20 related to weaknesses in the timely and accurate completion of bank reconciliations.

Human resources financial processes

1.134 Human resources encompass the day-to-day management and administration of employee entitlements and payroll functions. Employee benefits expenditure represents a significant departmental expenditure item for most entities. Employee entitlement liabilities involve estimates and judgements in inputs. It is important for entities to establish robust controls in these areas to support complete and accurate payment and recording of transactions.

Figure 1.13: Human resources financial processes interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.135 Since 2017–18 there have been no significant or moderate audit findings relating to human resource processes. The increase in minor audit findings in 2019–20 related to weaknesses identified regarding commencements and terminations of employees and the monitoring of controls over payroll processing and reporting. The increase in findings has prompted the ANAO to undertake targeted assurance activities over the management of staff leave. The preliminary results are included in chapter 3. The entities selected were the Departments of: the Prime Minister and Cabinet; the Treasury and Home Affairs.

Purchases and payables management

1.136 Purchases and payables management covers controls and processes that provide management assurance that payments processed by the entity are complete and accurate. This may include the implementation of appropriate systems of approval or controls designed to ensure that payments processed through the financial management information system are appropriate.

Figure 1.14: Purchases and payables management interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.137 The minor audit findings relate to weaknesses in reconciliation processes, incorrect delegate approval of payments and the timely acquittal of credit cards. Reconciliation processes are designed to confirm the completeness and accuracy of payments initiated in business systems and processed through financial management information systems. Two of the minor findings were first raised in the 2018–19 final audit phase, the remainder are new findings in 2019–20.

Other audit findings

1.138 Other audit findings typically include items relating to the: management and implementation of service level agreements or memoranda of understanding; updating or maintaining key governance documentation; and presentation and disclosure in the financial statements.

Figure 1.15: Other interim audit findings 2016–17 to 2019–20

 

 

Source: ANAO data.

1.139 The NDIA moderate finding was first reported in 2016–17 and was resolved during the final audit phase of 2018–19.⁷¹ The weaknesses resulting in the minor findings in this category related to the:

• segregation of duties between processing and approving of manual journals;
• weaknesses related to the exercise of delegations;
• classification of expenditure and the completeness of reconciliations between systems;
• completeness and accuracy of the calculation of long term provisions; and
• fraud risk assessments and reporting of fraud to those charged with governance.

Introduction

2.1 The Australian Government’s financial reporting framework is based largely on standards by the Australian Accounting Standards Board (AASB). The framework is designed to support decision-making by, and accountability to, the Parliament.

2.2 The AASB bases its accounting standards on the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. As IFRS are designed primarily for use by private sector and for-profit organisations, the AASB amends the IFRS to reflect significant transactions and events that are particularly prevalent in the public sector and not-for-profit private sector. In doing so, it takes into account standards issued by the International Public Sector Accounting Standards Board.

2.3 The Finance Minister prescribes additional financial reporting requirements for Commonwealth entities. These are contained in the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 (the FRR). The FRR is made under the Public Governance, Performance and Accountability Act 2013 (the PGPA Act).

2.4 The audits of the financial statements of Australian Government entities are conducted in accordance with the ANAO Auditing Standards, which are made by the Auditor-General under section 24 of the Auditor-General Act 1997. The ANAO Auditing Standards incorporate, by reference, the auditing standards made by the Australian Auditing and Assurance Standards Board (AUASB). The Australian Auditing and Assurance Standards Board bases its standards on those made by the International Auditing and Assurance Standards Board, an independent standard setting board of the International Federation of Accountants.

2.5 The financial reporting and auditing frameworks that applied in 2019–20 are illustrated in Appendix 2 and Appendix 3 of this report.

Changes to the Australian public sector reporting framework

Changes in the financial framework

COVID-19

2.6 Commonwealth entities will need to consider the impact of COVID-19 on their 2019–20 financial statements. In particular, AASB 101 Presentation of Financial Statements requires preparers to disclose judgements made in applying the entity’s accounting policies that are likely to have a significant effect on amounts recognised in financial statements. AASB 101 also requires preparers to disclose sources of estimation uncertainty with a significant risk of resulting in a material change in asset and liability values in the next financial year.

2.7 As a consequence of the COVID-19 pandemic, new transactions and events may have occurred and the information, systems, processes and controls on which the ANAO’s initial risk assessment was determined may have changed requiring the entity and the ANAO to reassess the risks of possible material misstatement in the financial statements. The ANAO will evaluate any impact, revise its risk assessments and modify planned audit procedures accordingly.⁷²

2.8 Commonwealth entities seeking to minimise the impact of COVID-19 on their financial statement preparation and audit may want to consider the following:

• make an early assessment as to the initial and ongoing impact of COVID-19 on key balances, financial statement preparation and ongoing operating activities of the entity, and engage with their auditor on identifying key risks;
• monitor and implement advice from the Department of Finance, standard setters and peak bodies; and
• consider alternative approaches for gaining assurance over material balances where critical controls are no longer possible, for example, physical stocktakes.

2.9 The Finance Minister has agreed that where Commonwealth entities and companies are significantly impacted by COVID-19 and the accountable authority or directors consider that it is not reasonably possible to provide the annual report to the responsible Minister by the PGPA Act deadline, the accountable authority or directors may seek an extension from the responsible Minister. The process for seeking an extension is set out under section 34C of the Acts Interpretation Act 1901. Finance proposes to issue guidance material to support those entities and companies that pursue an extension to the annual report deadline. Entities and companies who are not significantly impacted by COVID-19, or who have the capacity to meet existing annual report deadlines, are expected to adhere to current requirements.

Performance framework

2.10 The PGPA Act provides the basis for the Commonwealth performance framework. Commonwealth entities are required to publish planned financial and non-financial performance information with the aim of providing more transparent and meaningful information to the Parliament and the public.

2.11 The PGPA review recommended the Finance Minister, in consultation with the Joint Committee of Public Accounts and Audit (JCPAA), should request that the Auditor-General pilot assurance audits of annual performance statements to trial an appropriate methodology for these audits.

2.12 On 21 August 2019, the Minister for Finance requested that the Auditor-General conduct a program of pilot assurance audits of annual performance statements of Commonwealth entities subject to the PGPA Act, in consultation with the JCPAA. The Auditor-General responded on 14 November 2019, agreeing to the request and proposing to conduct pilot assurance audits of the 2019–20 performance statements of three entities.⁷³ Since 2016–17, the ANAO has completed three performance audits covering elements of 10 individual entity performance statements.⁷⁴

Changes to accounting standards

2.13 Public sector entities will need to prepare for a number of new standards for 2019–20. These new standards represent major revisions to existing standards for revenue and leases. The effort and time required to transition to these new standards should not be underestimated with preparers required to write new or revise existing accounting policies, and undertake a review of all the underlying contracts and in some instances consider amending contracts.

Revenue

2.14 The new revenue standard AASB 15 Revenue from Contracts with Customers (AASB 15) is effective for financial years commencing on or after 1 January 2019 for not-for-profit entities, meaning it will impact most Commonwealth entities in the 2019–20 financial year.⁷⁵ AASB 15 applies to all exchange transactions and provides a consistent approach to revenue recognition. The principle underpinning AASB 15 is that revenue is earned when the customer receives the goods or services that have been promised under the contract. AASB 15 will impact entities where:

• funding is given to provide goods or services to a third party — the entity will recognise revenue when the goods or services are provided to the third party. Under standards currently in force, revenue is recognised when the money is received from the funding provider;
• funding agreements do not identify specific goods or services to be delivered over the term of the contract. Entities will recognise revenue up front unless contract completion is a deliverable; and
• both revenue and the related expense are deferred until the goods or services are delivered, entities with significant non-appropriation revenue are likely to see an impact on their balance sheet and operating result, particularly for long term projects with a significant delay between establishment and initial delivery.

2.15 The Department of Finance has updated the FRR and Resource Management Guide 125 — Commonwealth Entities Financial Statements Guide (RMG 125)⁷⁶, which outlines the Commonwealth’s position on options for the implementation of AASB 1058 Income of Not-for-Profit Entities (AASB 1058), in conjunction with AASB 15. This includes the position that entities are required to adopt a modified retrospective application on transition. As a consequence, AASB 15 is to be applied to all new and uncompleted contracts from the date of initial application and comparative information for the preceding periods is not required to be restated.

Leases

2.16 The revised leasing standard, AASB 16 Leases (AASB 16), is effective for financial years commencing on or after 1 January 2019; this means it will impact entities in the 2019–20 financial year. AASB 16 significantly increases the recognition and disclosure of leases by lessees with the majority of leases currently treated as operating leases recognised on the balance sheet. The net impact on the balance sheet is expected to be limited as the right-of-use asset and liability for future lease payments will be largely offsetting as the value of the right-of-use asset is based on the net present value of the future lease payments. In terms of profit or loss impact, rather than the current annual rent expense over the term of the lease, two expenses will be recognised: interest on the lease liability; and amortisation of the right-of-use asset. The effect of AASB 16 is to ‘front-load’ the recognition of expense, rather than recognising it on a straight-line basis.

2.17 The adoption of AASB 16 is expected to be a time consuming task for those entities with significant numbers of operating leases. Entities will need to review all lease agreements to identify the individual right-of-use assets, unbundle any service arrangements and identify where the lease payments are significantly below market value. Lessees will also need to consider that AASB 16 requires entities to include known contingent rents on initial measurement of the asset and liability and subsequently remeasure the lease asset and liability as subsequent contingent rent events become known.

2.18 The Department of Finance has updated the FRR, RMG 125 and Resource Management Guide 110 — AASB 16 Leases Implementation (RMG 110)⁷⁷ which outlines the Commonwealth position on the options available for the implementation of AASB 16. This includes mandating the election to not reassess previous lease contracts under the new standard and the modified transition model under which the cumulative effect of application of the new standard is recognised in opening retained earnings.

Introduction

3.1 Human resource financial processes encompass the day-to-day management and administration of employee benefits inclusive of payroll and other entitlements, such as leave.

3.2 Employee benefits (including wages and salaries, superannuation, leave, separation and redundancies) represent the most significant departmental expenditure for most Commonwealth entities, and the inputs and estimates that contribute to the measurement of the associated liability are subject to management judgement. In 2018–19, leave and other entitlements represented $3.9 billion (7.5 per cent) of Australian Government employee benefits expenses ($52.2 billion) and $10.1 billion (2.2 per cent) of Australian Government employee benefits liabilities ($444.1 billion).

3.3 Employee benefit transactions are high volume and involve both automated and manual processing. As a result, any control weaknesses can result in systematic errors increasing the risk of material misstatement.

Previous financial audit findings for human resource financial processes

3.4 During the period from 2015–16 to 2018–19, the open audit findings relating to human resource financial processes reported by the ANAO increased from 2 moderate and 20 minor audit findings in 2015–16 to 3 moderate and 26 minor audit findings in 2018–19.⁷⁸

3.5 The analysis of open findings by category of financial process at the completion of the ANAO’s 2018–19 audits, shows the human resource financial process was the third highest category for moderate findings and the second highest category for minor findings.

3.6 The findings relating to human resource financial processes and significance of these as a proportion of all financial statements audit findings, has prompted the ANAO to undertake some targeted assurance activities over a significant component — the management of staff leave. The selection of the leave component of employee benefits was due to the relative complexities in the management of this compared to payroll.

Selected entities

3.7 Three financial statements audits were selected for further assessment of compliance of the management of leave accruals and balances with human resource policies and requirements. This will further inform the ANAO’s assurance activities for future audits as it relates to completeness and accuracy of leave accruals and adjustments. The entities selected were the Departments of: Home Affairs; the Prime Minister and Cabinet; and the Treasury.

3.8 Leave and other entitlements represented the following amounts and proportions for the three entities:

• Department of Home Affairs: $288.7 million expense or 8.8 per cent of departmental total expenses and $470.5 million liability or 51.4 per cent of departmental total liabilities.
• Department of the Prime Minister and Cabinet: $33.6 million expense or 7.4 per cent of departmental total expenses and $86.2 million liability or 57.9 per cent of departmental total liabilities.
• Department of the Treasury: $18.6 million expense or 8.8 per cent of departmental total expenses and $53.5 million liability or 77.5 per cent of departmental total liabilities.

3.9 Through this work, the ANAO will assess whether:

• established framework and policy documents are clearly articulated and consistent with laws, regulations and agreed conditions;
• the entity has implemented appropriate monitoring controls over the management of staff leave with results reported to appropriate levels of management; and
• the completeness and accuracy of leave accruals and adjustments are adequately supported.

3.10 The ANAO has utilised its data analytics capability in undertaking this financial statements work.

Frameworks, legislation and policies

3.11 Employees in Australia have entitlements and protection at work under⁷⁹:

• fair work laws that establish minimum entitlements for all employees and includes the National Employment Standards;
• awards that establish minimum pay and conditions for an industry or occupation and cover most employees in Australia;
• enterprise agreements that establish minimum pay and conditions for a particular workplace and are negotiated and approved through formal process; and
• employment contracts that provide additional conditions for an individual but cannot reduce or remove minimum entitlements.

3.12 If the bargaining representatives for a proposed enterprise agreement cannot agree, in special cases and after specific requirements are met, the Fair Work Act 2009 allows for a Full Bench of the Fair Work Commission to determine terms and conditions of employment. If the Commission makes such a determination, it is called a workplace determination.⁸⁰

3.13 Key legislation that establish employee conditions for Australian Public Service employees include:

• Fair Work Act 2009;
• Maternity Leave (Commonwealth Employees) Act 1973;
• Paid Parental Leave Act 2010;
• Long Service Leave (Commonwealth Employees) Act 1976;
• Remuneration Tribunal Act 1973;
• Safety, Rehabilitation and Compensation Act 1988;
• Public Service Act 1999; and
• Parliamentary Service Act 1999.

3.14 The financial reporting of employee entitlements in Australian Government entities is established by the:

• Australian Accounting Standards;
• Public Governance, Performance and Accountability (Financial Reporting) Rule 2015; and
• Commonwealth entities financial statements guide — 2019-20 (Resource Management Guide 125).

3.15 The complexity of authority that establishes employee entitlements is best managed by a structured approach that identifies and addresses requirements specific to an entity and its employees. In assessing whether established framework and policies are clearly articulated and consistent with laws, regulations and agreed conditions, the ANAO has considered:

• practices adopted by entities to identify various requirements and conditions; and
• employment frameworks established to address requirements and conditions.

Practices adopted by entities to identify various requirements and conditions

3.16 While analysis of the practices adopted by the three entities recognised varying approaches, each was found to be effective in identifying the requirements and conditions for employees. The practices adopted by each entity are detailed below.

Department of Home Affairs

3.17 The Department of Home Affairs has established a Policy and Procedural Control Register that includes all underpinning legislation and requirements, including specific requirements relating to staff leave.

Department of the Prime Minister and Cabinet

3.18 The Department of the Prime Minister and Cabinet has established a Leave Policy to complement the enterprise agreement. Contained within this policy is the identification of the purpose, authority and eligibility for leave including all legislative requirements.

Department of the Treasury

3.19 The Department of the Treasury has developed a Legislative Compliance Policy and Framework to establish arrangements to monitor and record compliance with legislative obligations. This includes the identification of key legislation that relates to leave. Separate leave guidelines provide further detail of specific leave requirements and conditions. This Framework was endorsed by the department’s Executive Committee in 2019.

Employment frameworks established to address requirements and conditions

3.20 Similar to the practices adopted to identify requirements and conditions, the three entities varied in their approach to establishing employment frameworks.

Department of Home Affairs

3.21 In addition to the inclusion of underpinning legislation, the Department of Home Affairs’ Policy and Procedural Control Register provides all leave related policy and procedural instructions, and forms part of the department’s Policy and Procedural Controls Framework. The ANAO has identified that the leave policy has not been updated to include current leave information or the requirements and conditions under the 8 February 2019 Department of Home Affairs Workplace Determination 2019.

3.22 The Department of Home Affairs also has:

• a Payroll Controls Framework which is accessed through a ‘collaboration space’. This collaboration space provides payroll officers a centralised management system for the development, maintenance and delivery of the procedural and controls framework used to deliver the payroll services function within the department. The department has not yet designed and mapped leave related controls embedded in the Payroll Controls Framework; and
• a central human resource intranet site ‘MyHR’ as a source of human resource related information for employees. MyHR includes: the Department of Home Affairs Workplace Determination 2019; procedural instructions; policies; and fact sheets.

3.23 Fact sheets and procedural instructions that have been established include those relating to the workplace determination for leave, personal leave and employment change conditions.

Department of the Prime Minister and Cabinet

3.24 In addition to establishing the purpose, authority and eligibility for leave, the Department of the Prime Minister and Cabinet’s Leave Policy also outlines: accrual and use; approval processes; cancellation processes; evidentiary requirements; role of IT systems; and other information specific to particular leave types.

3.25 The Leave Policy is supported by a range of Frequently Asked Questions pages on the department’s intranet website. These include questions relating to:

• annual leave;
• compassionate leave;
• cultural and ceremonial leave;
• community service leave;
• defence reserve leave;
• long service leave;
• maternity leave;
• remote leave fares; and
• war service personal leave.

The department has also established a Standard Operating Procedures — Leave document that defines procedures that are to be applied in processing long service and maternity leave.

Department of the Treasury

3.26 In addition to listing key legislation, the Department of the Treasury’s Legislative Compliance Policy and Framework identifies the following: compliance owners; related policy, procedures and delegations; education and awareness initiatives; assurance activities to evidence compliance; responses to non-compliance; and first line control owners.

3.27 Together with the Remuneration Guideline, a Leave Guideline has been established to provide supplementary information for each category of leave and appropriate key references for non-Senior Executive Staff (SES). SES employee conditions are reflected in individual SES determinations. The Leave Guidance, revised in September 2019, includes information for: guidance; accrual and use; evidence requirements; interaction between leave types; impact on leave entitlements through the use of leave and particular circumstances; and other information specific to particular leave types.

3.28 The Leave Guideline is supported by other key references including:

• Human Resource Delegations;
• Flextime and Overtime Guidelines;
• Time Off In Lieu Guidelines;
• Parental Leave Guidelines; and
• Studies Assistance Guidelines.

Monitoring controls and reporting in the management of staff leave

3.29 The establishment of effective monitoring controls and reporting is particularly important in the management of staff leave due to the significance, number and complexity of requirements, conditions and related policy. Establishment of such controls facilitates the validation of rates of compliance and targeted response for non-compliance.

3.30 Monitoring controls that are consistent across the three entities include:

• the use of a human resource management information system (HRMIS) to record, accrue and monitor leave. The use of the HRMIS facilitates significant reliance on IT dependent controls. Automated controls apply established pre-conditions and all leave transactions require manager approval;
• localised management of staff, leave and attendance; and
• HRMIS functionality supports the production of reports to manage staff leave.

3.31 Paragraphs 3.32 to 3.39 detail additional entity specific monitoring controls and reporting.

Department of Home Affairs

3.32 The Department of Home Affairs has developed an Executive Dashboard report as the primary mechanism for informing compliance with leave policy and procedures. This report facilitates the running of human resource related reports by governance bodies and Executive Level 2 officers and above, and includes functionality that enables data filtering for line areas and officers. Results and trends of key metrics within the report include: annual and long service leave; personal and miscellaneous (unscheduled) absences; and staff counts of those on leave, returning from leave and with excessive annual leave balances. The underlying data is automatically updated on a daily and monthly basis.

3.33 The department’s monitoring of the use of the Executive Dashboard report is limited to identifying the number of officers at each level that have used this tool since its implementation. This information was reported to the People and Integrity Steering Committee in February and August 2019. The absence of monitoring and formal reporting of the frequency of individual usage inhibits the ability to assess stakeholder satisfaction with the information provided.

3.34 Key employee leave metrics, including significant leave balances and personal and miscellaneous absences, are presented to the Enterprise Business Committee (formerly Enterprise Operations Committee).

3.35 Specific issues regarding staff leave (including significant leave balances and unscheduled absences) are reported to the People and Integrity Steering Committee as considered appropriate by the First Assistant Secretary of the People Division. There were three instances reported in the period 1 July 2018 to 31 December 2019.

Department of the Prime Minister and Cabinet

3.36 The Department of the Prime Minister and Cabinet has established a toolkit entitled Attendance Management - Manager’s Guide. This toolkit has been developed to assist managers in the management of attendance and unscheduled leave.

3.37 The department has also developed an Operational HR Dashboard that enables all SES managers to view a range of staff statistics for their areas, including information on significant annual leave and flex balances, unscheduled absences and leave requests pending approval.

3.38 The Executive Board is provided with information on compliance with leave policies during periods when monitoring is seen as more critical and when ‘hot topics’ are identified by the Chief Operating Officer. There is no regular reporting of key leave management metrics to the Executive Board.

Department of the Treasury

3.39 The Department of the Treasury has adopted a risk-based approach to its implementation of monitoring controls. This includes:

• complementing controls contained within the HRMIS with guidelines for managers to fulfil their responsibilities in the management of staff leave;
• approval of particular leave by the human resources section (for example, personal leave) and second review of compliance with guidelines by this section for particular types of types of leave; and
• the establishment of a People Dashboard, that assists in the identification of human resource management issues and is provided to the Deputy Secretary, Corporate and Foreign Investment Group by the People, Organisational Strategy and Parliamentary Division. The Division Head, People, Organisational Strategy and Parliamentary has distributed the Dashboard to the Executive Board on a monthly basis and extended this to Division Heads and Chief Advisers from March 2020. Further circulation of the Dashboard, including parts thereof, to others is determined by the Deputy Secretary.

Completeness and accuracy of leave accruals and adjustments

3.40 The ANAO’s audit procedures in each of the three entities in respect of the completeness and accuracy of leave accruals and adjustments are in progress. Analysis to date has identified instances of potential non-compliance in the following areas:

• timeliness of submission and approval of leave requests. All entities reviewed have a policy that requires certain leave types (including annual, long service, purchased, study, time off in lieu, maternity and parental leave) to be approved in advance of leave commencing and for this be recorded on the HRMIS. Each entity has envisaged there may be occasions where this is not practical including through injury, illness and emergency. For the purpose of the following analysis, the ANAO has determined approval was obtained in advance of leave commencing where approval was obtained by the end of the previous day. The ANAO has identified the following proportions of those leave types where the HRMIS did not evidence approval in advance of that leave commencing: Department of Home Affairs 30 per cent; Department of the Prime Minister and Cabinet 24 per cent; and Department of the Treasury 18 per cent;
• minimum and maximum days of leave that can be taken for specific leave types including long service, maternity and parental leave;
• long service leave being broken by other types of leave or non-business days; and
• accrual of flexible leave (commonly referred to as “flex”) entitlements in excess of maximum allowable credit or debit thresholds, as set by entity policy.

3.41 The ANAO’s analysis has also identified a correlation between the proportions of unscheduled leave (including sick, carer and bereavement leave in addition to other types such as annual, long service, purchased, time off in lieu, maternity, parental and study) and employee levels — the proportion decreases with advancement of employee level.

3.42 The configuration of the Department of Home Affairs’ HRMIS, and the absence of standardised and formal reporting on timeliness of leave submission and approval, has resulted in the ANAO being unable to obtain detailed submission and approval data that reconciles to information used for financial reporting at the time of performing the analysis. For the purpose of determining timeliness of leave approvals, the ANAO has used a system field that identifies the date a leave request or approval was last actioned for comparison against the commencement of leave. To enhance precision of the analysis, the ANAO substituted the last action date with the approval date where the approval date could be established and directly matched to the information used for financial reporting purposes. The ANAO was able to directly match 65.9 per cent of instances and substitute the approval date, with the last action date being applied to the residual 34.1 per cent of transactions. The Department of Home Affairs has advised that the most significant reasons that the last action date may be later than the original date that the leave was approved include:

• changes to leave transactions associated with the 8 February 2019 workplace determination;
• retrospective changes to leave dates subsequent to the initial approval. For example, this could relate to a substitution of annual leave for sick leave;
• system configuration updates including changes in the application of leave without pay policies;
• movement of staff; and
• changes in roster patterns originally entered, particularly for the Marine Unit.

3.43 The policies of the three entities provide a clear requirement that leave is submitted and approved before the commencement of leave for the following types of leave: annual; long service leave; purchased; maternity; parental; time off in lieu; and study. The following paragraphs and figures represent analysis of instances where this has not occurred.

3.44 Figure 3.1 provides the proportions of approval before and after the commencement of leave where pre-approval is required, for the period 1 July 2018 to 31 December 2019. The Department of the Treasury had the highest level of demonstrated compliance with 82 per cent, followed by the Department of the Prime Minister and Cabinet (76 per cent) and the Department of Home Affairs (70 per cent).

Figure 3.1: Proportion of leave requiring pre-approval approved in advance of leave commencing

 

 

3.45 Figure 3.2 identifies the 1 July 2018 to 31 December 2019 distribution of delays between the commencement of leave and approval or last action for leave types where pre-approval is generally required for the Department of Home Affairs. The size of the Department of Home Affairs’ workforce (13,769 employees held an annual leave balance as at 30 June 2019) is evident in the concentration of identified instances in this figure. This figure demonstrated the prevalence of substantial delays in timeliness of the approval and finalisation of leave transactions across all leave types. This is particularly evident for annual leave, where a considerable number of instances were identified for each 30 day interval up to 240 days after the leave commenced.

Figure 3.2: Department of Home Affairs’ distribution of approval or last action date of leave transactions that were subsequent to the commencement of leave

 

 

3.46 Figure 3.3 and Figure 3.4 identify, for the period 1 July 2018 to 31 December 2019, distributions of delays between the commencement of leave and submission of leave requests for leave types required to be pre-approved for the Departments of: the Prime Minister and Cabinet and the Treasury.

3.47 As compared to the Department of Home Affairs, it is evident in these figures that delayed approvals are more concentrated within the 1–30 day range for the Departments of: the Prime Minister and Cabinet and the Treasury.

3.48 Similar to the Department of Home Affairs, the Departments of: the Prime Minister and Cabinet and the Treasury, have significant proportions of delayed approvals relating to study leave. The Department of the Prime Minister and Cabinet also has a substantial number of subsequent leave approvals for time off in lieu, which is also observed in Figure 3.2 for the Department of Home Affairs.

Figure 3.3: Department of the Prime Minister and Cabinet’s distribution of leave request submissions subsequent to the commencement of leave

 

 

Figure 3.4: Department of the Treasury’s distribution of leave request submissions subsequent to the commencement of leave

 

 

3.49 Figure 3.5 to Figure 3.7 identify the 1 July 2018 to 31 December 2019 proportion of each type of leave expected to be scheduled in advance of leave commencing that the HRMIS indicates was not scheduled in advance. Analysis of the Department of Home Affairs is again based on the approval or last action date, as detailed in paragraph 3.42.

3.50 Figure 3.5 for the Department of Home Affairs, indicates that the proportion of approval subsequent to leave commencement is considerable across all leave types. In particular, this percentage exceeds 30 per cent for: time off in lieu; study leave; maternity leave; and purchased leave.

Figure 3.5: Department of Home Affairs’ proportion of leave types with approval or last action date subsequent to the commencement of leave

 

 

3.51 In Figure 3.6 for the Department of the Prime Minister and Cabinet, while it is evident that the proportion of approval subsequent to leave commencement is high across all leave types, only study and long service leave exceed 30 per cent. The proportion for remaining leave types are relatively consistent.

Figure 3.6: Department of the Prime Minister and Cabinet proportion of leave types with approval subsequent to the commencement of leave

 

 

3.52 Consistent with the observation made in paragraph 3.44 that the Treasury recorded the lowest proportion of delayed approval for the three entities, Figure 3.7 also demonstrates greater levels of pre-approval compliance across leave types compared to the other two entities. Study leave is the only leave type where subsequent approval exceeds 30 per cent.

Figure 3.7: Department of the Treasury proportion of leave types with approval subsequent to the commencement of leave

 

 

3.53 The ANAO continues to perform procedures relating to assessments of the completeness and accuracy of leave accruals and adjustments. The above analysis suggests that entities should implement strategies to increase compliance by employees, strengthen related monitoring and reporting controls, and target identified non-compliance.

3.54 Delays in the submission and approval of leave will impact the reporting of employee entitlements within financial statements where leave is taken in a financial period prior to the leave request being made. The ANAO is currently assessing the impact upon financial reporting for the years ending 30 June 2019 and 30 June 2020 for the identified instances.

Conclusion

3.55 The increase in findings relating to human resource management and administration, and the significance of these as a proportion of all financial statements audit findings has prompted the ANAO to undertake targeted assurance activities over the management of staff leave. The activities have been performed to facilitate an assessment of compliance of the management of leave accruals and balances with human resource policies and requirements and to further inform assurance activities for future audits. The entities selected were the Departments of: Home Affairs; Prime Minister and Cabinet; and the Treasury.

3.56 The analysis performed to date has identified weaknesses in processes relating to staff leave and associated monitoring controls. In particular, improvements can be made in the timeliness of submission and approval of leave requests and application of requirements including minimum and maximum entitlements. The ANAO has also identified that the Department of Home Affairs’ leave policy does not contain current information or requirements following the February 2019 workplace determination.

3.57 The observations made to date potentially impact entities’ operations and financial reporting. Leave being taken prior to approval being given may impact the ability for entities to effectively manage resources and deliverables, while also potentially overstating the related employee liability in the financial statements.

3.58 The ANAO will continue to progress the assessment of the above criteria and will report the results of this in the Auditor-General report Audits of the Financial Statements of Australian Government Entities for the Period Ended 30 June 2020 and a separate report to Parliament.

Introduction

4.0.1 The ANAO’s assessment of the overall risk of material misstatement of the financial statements is based on professional judgement relating to the entity’s particular circumstances. The financial statements audit planning process involves joint procedures with performance audit and takes into account each entity’s environment and governance arrangements, its system of internal control, and prior year financial and performance audit findings. These planning processes inform the identification of areas of key risk that have the potential to impact on the integrity of the financial statements.

4.0.2 The interim phase of the audit focuses on the steps taken by entities to manage these risks, including their systems of internal control. This chapter reflects portfolio and funding arrangements established by the Administrative Arrangement Order of 5 December 2019 and outlines the following information for each of the reported entities:

• the entity’s primary role as reflected in its Portfolio Budget Statements;
• 2019–20 appropriation funding and key financial statements items;
• key areas of financial statements risk including where the ANAO has identified Key Audit Matters (KAM);
• the ANAO’s assessment of the overall risk of material misstatement of the financial statements, which informs the audit processes to be undertaken; and
• the status of significant and moderate audit findings at the completion of the interim audit, and the conclusion relating to audit coverage to date.

4.0.3 The entities included in this report include all Departments of State, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the 2018–19 CFS.

4.0.4 Where a performance audit was tabled during 2019–20 that was relevant to the financial management or administration of an entity, the impact of those observations on the audit approach are discussed within the relevant portfolio section.

Impact of COVID-19 on Audit Approach

4.0.5 Planning and risk assessment for financial statement audits is an iterative process and auditors revise the risk assessment and audit response for changes in the audited entity and the environment in which it operates. As at 30 April 2020, the developing COVID-19 situation presented potential new key risk areas for the operations and financial statement preparation processes of the entities that ANAO audits.

4.0.6 Given the evolving nature of the COVID-19 response the ANAO will reassess and revise audit plans throughout the remaining financial statements audit cycle. Where teams are aware of new risks at the time of this report, adjustments have been made to the audit plan in response to those risks. Where specific additional audit risks have been identified for entities, details are included in the relevant chapter contribution. Some key areas that may cause a change in the ANAO’s assessment of audit risk and consequential audit approach include:

• changes to how audited entities’ systems of internal control operate because relevant processes and controls are inconsistent with social distancing principles;
• entities reprioritising staff and resources to operational areas delivering the Government’s response to COVID-19, thus affecting the skills and capacity available for key financial statement preparation, governance and monitoring processes;
• significant new areas of estimation uncertainty arising because of the potential impact of the Government’s response to the virus and global market changes on interest rates, property and share markets and other areas, including those discussed in chapter 2;
• where the financial viability of entities is reliant upon significant non-government cash flows, the ability of those entities to operate as a going concern given the impacts on the national and global economy; and
• challenges to the ability of the ANAO to comply with requirements of the auditing standards, either because audited entities are unable to take actions that are prerequisites for the completion of audit procedures or because ANAO audit teams are unable to perform appropriate work in the current working environment.

4.0.7 These potential risks may require audit teams to change their audit approach. For example, where an audit team would normally rely on key controls for obtaining audit evidence, it may no longer be efficient and effective to do so and instead an increased proportion of the audit evidence may need to be gathered from detailed testing of transactions. In some cases where the overall level of audit risk has increased due to COVID-19, that may require additional audit effort to obtain the sufficient appropriate audit evidence necessary for forming the audit opinion.

4.0.8 While it is the ANAO’s intention to work co-operatively with audited entities to resolve such issues, the ANAO Auditing Standards require the ANAO to modify an audit opinion where it is unable to gather sufficient appropriate audit evidence and the possible effects of undetected misstatements arising from the lack of evidence are material. Refer to Appendix 3 for a detailed description of the circumstances that may give rise to a modification to our auditor’s reports.

4.0.9 To facilitate the 2019–20 audit process, and minimise the need for attendance at auditee premises, the ANAO has requested, where possible, that entities provide audit staff with remote access into the financial management and relevant operational systems. This will allow the ANAO to directly interrogate and extract the information required to provide the necessary audit evidence to form an opinion over the 2019–20 financial statements. Appendix 6, provides a summary of which entities included in this report have provided remote systems access.

Analysis of entities contribution to 2018–19 CFS

4.0.10 An analysis of the percentage contribution of entities in this report, to 2018–19 CFS is presented below. Figure 4.0.1 presents the results of nine entities that contribute greater than 10 per cent of either the income, expenses, assets or liabilities of the CFS. The remaining entities are presented in Figure 4.0.2 and contribute less than 10 per cent of all categories.

Figure 4.0.1: Entities contributing greater than 10 per cent to the Australian Government’s 2018–19 Consolidated Financial Statements

 

 

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2019.

Figure 4.0.2: Entities contributing less than 10 per cent to the Australian Government’s 2018–19 Consolidated Financial Statements

 

 

Note 1: Balances for entities where functions have been transferred as a result of the 5 December 2019 AAO have been consolidated with the total balances of the entity receiving the functions. The 30 June 2019 balances for the former Department of Employment, Skills, Small and Family Business have been consolidated with the balances for the former Department of Education and are represented in this graph as the Department of Education, Skills and Employment; 30 June 2019 balances for the former Department of Environment and Energy have been consolidated with the balances for the former Department of Agriculture and are represented in this graph as the Department of Agriculture, Water and the Environment; 30 June 2019 balances for the former Department of Communications and the Arts have been consolidated with the balances for the former Department of Infrastructure, Transport and Regional Development and are represented in this graph as the Department of Infrastructure, Transport, Regional Development and Communications.

Note 2: The National Indigenous Australians Agency was created on 1 July 2019. Balances relating to functions transferred to that entity are included in the graph as part of the total balances for the Department of the Prime Minister and Cabinet.

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2019.

Additional funding for COVID-19

4.0.11 Under the Government’s economic stimulus measures designed to support the economy as a result of the COVID-19 pandemic, additional multi-year⁸¹ funding was announced for entities. Government funding has also been approved in the 2019–20 financial year, through the Coronavirus Economic Response Packages Acts (No. 1 & No. 2)⁸² and Appropriation Acts. The amounts approved for 2019–20 expenditure are disclosed in the relevant chapter contributions.

4.0.12 The amounts authorised by the aforementioned legislation include $42.975 billion for ‘Advances to the Finance Minister’ (AFM). The AFM is a provision in the annual Appropriation Acts and the Coronavirus Economic Response Packages Acts which enable the Minister for Finance (Finance Minister) to provide additional appropriation to entities throughout the financial year.⁸³ An Advance may only be issued by the Finance Minister if he is satisfied that there is an urgent need for expenditure that is either not provided for or has been insufficiently provided for in the existing appropriations of the entity. The additional appropriation is provided by means of a determination.

4.0.13 Commencing in April 2020, the ANAO will be conducting six, monthly limited assurance reviews under section 19A of the Auditor-General Act 1997 over amounts advanced under the AFM. These reviews will be tabled in Parliament and published on the ANAO website.

Results of financial statements audits

4.0.14 Table 4.0.1 presents a summary of new and unresolved significant and moderate findings⁸⁴ at the conclusion of the 2019–20 interim audits and the 2018–19 interim and final audits. In addition to the significant and moderate findings, one significant legislative compliance finding was reported.⁸⁵

Table 4.0.1: Significant and moderate findings by entity

Note a: Minor findings identified previously but upgraded to a moderate or significant finding are considered new for the purposes of this table.

Note b: Findings transferred to another entity as a result of Machinery of Government changes, which remain unresolved, are treated as repeat findings for the purposes of this table.

Source: 2018–19 and 2019–20 ANAO audit correspondence.

4.1 Department of Agriculture, Water and the Environment

Overview

4.1.1 The Department of Agriculture, Water and the Environment is responsible for developing and implementing policies and programs to promote more sustainable, productive, internationally competitive and profitable Australian agricultural, food and fibre industries; safeguarding Australia’s animal and plant health; managing the conservation, protection and sustainability of Australia’s natural resources, biodiversity, ecosystems, environment and heritage; advancing Australia’s interests in the Antarctic; and improving the health of rivers and freshwater ecosystems and water use efficiency.

4.1.2 On 1 February 2020 under an Administrative Arrangements Order, the former Department of Agriculture was abolished and its functions were transferred to the former Department of the Environment and Energy, which was renamed the Department of Agriculture, Water and the Environment (DAWE). The energy function of the former Department of the Environment and Energy was transferred to the Department of Industry, Science, Energy and Resources.

4.1.3 Consistent with the Australian Government’s response to the COVID-19 pandemic, DAWE has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: DAWE’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and DAWE’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.1.4 Figure 4.1.1 and Figure 4.1.2 show the 2019–20 departmental and administered financial statements items reported by DAWE and the key areas of financial statements risk.

Figure 4.1.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis of DAWE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting DAWE’s structure and outcomes, post machinery of government changes).

Figure 4.1.2: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis of DAWE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting DAWE’s structure and outcomes, post machinery of government changes)

4.1.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact DAWE’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DAWE’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.1.3 and the ANAO’s understanding of the operations of DAWE, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.1.6 Annual appropriation funding⁸⁶ of $1,015.6 million (departmental) and $1,469.0 million (administered) was provided to DAWE in 2019–20 to support the achievement of the entity’s outcomes.⁸⁷ DAWE was also budgeted to receive special appropriation funding of $933.6 million.⁸⁸ Special appropriations are used for: payments to industry bodies; funding provided under contractual arrangements for research and development, and marketing; and payments related to the farm household allowance.

4.1.7 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year⁸⁹ funding was announced for entities. DAWE was appropriated $15.3 million in 2019–20 to support departmental operations related to COVID-19.

4.1.8 Table 4.1.1 and Table 4.1.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.1.1: Key expenses and total own-sourced income

Source: DAWE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting DAWE’s structure and outcomes, post machinery of government changes).

Table 4.1.2: Key assets and liabilities

Note: DAWE’s estimated average staffing level for 2019–20 is 6,026.

Source: DAWE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting DAWE’s structure and outcomes, post machinery of government changes).

Key areas of financial statements risk

4.1.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.1.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.1.10 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.⁹⁰ As at the interim phase, no additional financial statements risks have been identified for DAWE. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.1.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for DAWE and DAWE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.1.11 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to sale of goods and rendering of services revenue, administered levies, fees and charges revenue, and administered loans receivable. In addition, interim coverage of IT general controls and supplier and employee benefits expenses has been completed.

4.1.12 Audit procedures relating to other provisions, water entitlements and the impairment assessment of administered loans, in addition to substantive procedures over all material line items will be undertaken as part of the 2019–20 final audit phase.

4.1.13 To date, our audit coverage has not identified any new significant or moderate audit findings. The following table summarises the status of audit findings reported by the ANAO in 2019–20.

Table 4.1.4: Status of audit findings raised by the ANAO

Note a: The moderate finding included in the closing position for 2018–19 has been transferred from the former Department of Agriculture. This finding relates to processes now facilitated by DAWE following machinery of government changes and will be monitored through the 2019–20 audit of DAWE.

Unresolved moderate audit finding

Weaknesses in change management controls

4.1.14 IT change management provides a disciplined approach to making changes to the IT environment. It includes processes around the governance and approval of changes, controls designed to ensure that changes are properly tested before implementation, and processes for the management of emergency changes. The Australian Government Information Security Manual (ISM) outlines the change management requirements that Government entities should adhere to.

4.1.15 During 2018–19, the ANAO identified a number of weaknesses in change management controls, including:

• instances where there was no documented evidence demonstrating system changes had been tested in the production environment;
• no evidence of controls around configuration management. Configuration management controls are important as they help ensure that that only approved and tested versions of software are implemented into the production environment;
• no evidence that a change migrated from the test environment to the production environment was performed by different users; and
• an increase to the percentage of changes implemented by the department using the emergency change procedures.

4.1.16 Testing as part of the 2019–20 interim audit for the financial year to date, identified that whilst a revised change management policy was implemented in October 2019, there were still instances in our sample where system changes had been tested, but the evidence documenting this was not retained in the change management system. Instances were also identified in our sample, where evidence of controls around configuration management was not available to demonstrate that changes implemented in production were the most recent changes tested and approved, and one instance where a change migrated from the test environment to the production environment was performed by the same user. We noted approximately 25 percent of changes were still being implemented using emergency change procedures.

4.1.17 These weaknesses increase the risk of changes being made to key business and financial systems which are not properly tested, authorised and approved. This in turn may compromise the integrity of information contained within these systems. DAWE’s emergency change procedures are required where an urgent change is identified that is not otherwise foreseen. If these procedures are applied to known and planned changes the key internal controls designed to ensure an appropriate level of governance oversight may be bypassed.

4.1.18 The ANAO recommended that DAWE maintains evidence of the testing and approval of system changes and reduces the number of changes implemented using emergency change processes. The ANAO will continue to review the operational effectiveness of DAWE’s revised change management processes as part of the final audit phase.

Conclusion

4.1.19 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, and except for the finding outlined above, key elements of internal control were operating effectively to provide reasonable assurance that DAWE will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.2 Attorney-General’s Department

Overview

4.2.1 The role of the Attorney-General’s Department (AGD) is to contribute towards a just and secure society through the maintenance and improvement of Australia’s law, justice, security and integrity frameworks. This work helps people to thrive and succeed in a prosperous, fair and cohesive nation. The department supports the Attorney-General as First Law Officer to protect and promote the rule of law, to provide strong oversight and accountability and to act as principal legal advisor to government. AGD also has responsibility for a number of industrial relations and work place safety functions.

4.2.2 AGD has entered into shared service arrangements with the Department of Social Services for the provision of grant management services. AGD remains accountable for compliance with all accounting, legal and administrative requirements. AGD has been impacted by the Machinery of Government (MoG) changes made in May 2019 resulting in the transfer of the Industrial Relations and Work Place Safety functions from the former Department of Employment, Skills, Small and Family Business.

4.2.3 Consistent with the Australian Government’s response to the COVID-19 pandemic, AGD has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: AGD’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and AGD’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.2.4 Figure 4.2.1 and Figure 4.2.2 show the 2019–20 departmental and administered financial statements items reported by AGD and the key areas of financial statements risk.

Figure 4.2.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and AGD’s 2019–20 revised budget as reported in the 2019–2020 Portfolio Additional Estimates Statements.

Figure 4.2.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and AGD’s 2019–20 revised budget as reported in the 2019–2020 Portfolio Additional Estimates Statements.

4.2.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on AGD’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AGD’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.2.3 and the ANAO’s understanding of the operations of AGD, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.2.6 Annual appropriation funding of $219.1 million (departmental) and $550.8 million (administered) was provided to AGD in 2019–20 to support the achievement of the entity’s outcomes.⁹¹ AGD was also budgeted to receive special appropriation funding of $404.6 million.⁹² The special appropriation funding is largely for industrial relations and workplace safety functions.

4.2.7 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year⁹³ funding was announced for entities. No funding was appropriated to AGD in 2019-20 for COVID-19.

4.2.8 Table 4.2.1 and Table 4.2.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.2.1: Key expenses and total own-sourced income

Source: AGD’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.2.2: Key assets and liabilities

Note: AGD’s estimated average staffing level for 2019–20 is 1,650.

Source: AGD’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.2.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.2.3. There were no Key Audit Matters identified for the 2019–20 AGD financial statements audit.

4.2.10 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.⁹⁴ As at the interim phase, no additional financial statements risks have been identified for AGD. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.2.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for AGD and AGD’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.2.11 The ANAO has substantially completed its 2019–20 interim audit coverage, including the assessment of the controls relating to: departmental revenue, FEG Scheme expenses and the management of appropriations and special accounts. Testing related to IT general and application controls is in progress.

4.2.12 Audit procedures relating to: the valuation of non-financial assets, including administered investments; and financial statements close processes including the consolidation of the AGS will be undertaken as part of the planned 2019–20 final audit.

4.2.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.2.14 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.3 Department of Defence

Overview

4.3.1 The Department of Defence (Defence) is responsible for protecting and advancing Australia’s strategic interests through the: promotion of security and stability; the provision of military capabilities to defend Australia and its national interests; and the provision of support for the Australian community and civilian authorities as directed by the Government.

4.3.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, Defence has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may: impact Defence’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Defence’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.3.3 Figure 4.3.1 and Figure 4.3.2 show the 2019–20 departmental and administered financial statements items reported by the Department of Defence (Defence) and the key areas of financials statements risk.

Figure 4.3.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Defence’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.3.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Defence’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.3.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Defence’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Defence’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.3.3 and the ANAO’s understanding of the operations of Defence, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

4.3.5 Annual appropriation funding of $38.4 billion (departmental) was provided to Defence in 2019–20 to support the achievement of the entity’s outcomes.⁹⁵ Defence was also budgeted to receive special appropriation funding of $9.9 billion predominantly for military superannuation provisions.⁹⁶

4.3.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year⁹⁷ funding was announced for entities. No funding was appropriated to Defence in 2019–20 in response to COVID-19.

4.3.7 Table 4.3.1 and Table 4.3.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.3.1: Key expenses and total own-sourced income

Source: Defence’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.3.2: Key assets and liabilities

Note: Defence’s estimated average staffing level for 2019–20 is 76,361.

Source: Defence’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.3.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.3.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.3.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.⁹⁸ As at the interim phase, no additional financial statements risks have been identified for Defence. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.3.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for Defence and Defence’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.3.10 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2019–20 relevant to the financial management or administration of Defence:

• Auditor-General Report No. 19 Major Projects Report;
• Auditor-General Report No. 22 Future Submarine Program — Transition to Design; and
• Auditor-General Report No. 24 Defence’s management of its public communications and media activities.

4.3.11 The above reports included observations relevant to impairment of assets under construction and IT systems as outlined in Table 4.3.3. These reports were considered in designing audit procedures to address areas considered to pose moderate or higher risks of material misstatement.

Audit results

4.3.12 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to asset management processes and the controls implemented to determine the value of inventory at year-end. Interim audit coverage also included assessing IT general and application-specific controls for systems that support the preparation of Defence’s financial statements, in addition to assessing the operation of key non-IT controls in areas including appropriation and cash management, suppliers and employee expenses. Additionally, the ANAO has assessed Defence’s progress on the significant and moderate audit finding discussed below.

4.3.13 Audit procedures relating to the 30 June 2020 balances for employee provisions, decontamination and decommissioning provisions, inventory, SME and other fixed assets, and the military superannuation provision will be undertaken during the 2019–20 final audit. The ANAO will test Defence’s systems and processes supporting the complete and accurate disclosure of commitments, litigation and compensation schemes as part of the final audit. Additionally the ANAO will assess Defence’s progress in addressing audit findings up to and during the final audit.

4.3.14 The following table summarises the status of audit findings reported by the ANAO in 2018–19 and 2019–20.

Table 4.3.4: Status of audit findings raised by the ANAO

Note a: The significant audit finding relating to Management and monitoring of SME balances in MILIS and ROMAN has been revised to a moderate audit finding.

New moderate audit finding

Management and monitoring of SME balances in MILIS and ROMAN

4.3.15 In 2017–18 the ANAO reported a number of issues with the substantiation of SME transactions in the Military Integrated Logistics Information System (MILIS) and the corresponding accounts in the financial management information system (ROMAN). Defence uses these systems to manage the acquisition and sustainment of SME assets. The issues identified included:

• difficulties of identifying ROMAN payments for Military Support assets against the respective asset receipts in MILIS;
• significant unreconciled balances in asset clearing accounts;
• delays in validating MILIS transactions and reconciling to balances in the clearing accounts;
• posting of assets acquisitions in to incorrect general ledger accounts; and
• delays in transferring Military Support assets from assets under construction to the fixed asset register after confirmation of being in use by business units.

4.3.16 During 2018–19 Defence commenced remediation of this issue, by:

• matching a significant number of ROMAN and MILIS transactions and validating price differences;
• undertaking a comprehensive review of aged balances which resulted in the transfer of assets to the fixed asset register; and
• communicating with business units to address processing issues.

4.3.17 In 2019–20, Defence has continued the remediation activities and:

• embedded the monthly reconciliation process, including investigation and correction where appropriate of identified variances;
• made significant progress in transferring assets under construction to the fixed asset register; and
• implemented a dashboard reporting process for outstanding clearing balances and improved the timeliness and the extent validation of MILIS transactions.

4.3.18 As a result of this progress, the ANAO has revised this finding to a moderate audit issue. The ANAO will continue testing of Defence remediation activities during the 2019–20 final audit phase.

Unresolved moderate audit finding

Monitoring and management of accounts with privileged users

4.3.19 Maintaining and supporting IT systems requires some individuals to have privileged access rights. This level of access can be used to bypass security controls and make changes, either to system settings or directly to system data. Individuals with privileged access must be unique and identifiable, and have their activity regularly monitored to detect any unauthorised use.

4.3.20 During the 2018–19 audit, the ANAO’s review of privileged user access identified several issues with the monitoring and management of accounts within financially significant applications. This included instances of shared privileged accounts, for which Defence was unable to provide evidence of management review over these privileged users’ activities as they were either not logged or not monitored. The ANAO also identified privileged users with inappropriate access that had not been terminated or suspended when the user no longer required it for their role. In addition, password parameters for some applications did not align with the industry standards for password management.

4.3.21 Over the course of the 2019–20 audit, the ANAO acknowledges Defence has made significant progress towards resolving the above weaknesses. The ANAO confirmed that Defence has evaluated the logging and monitoring of high risk activities for financially significant applications and are implementing improvements to gain assurance that staff have been provided uniquely identifiable and appropriate access to systems and data in line with business requirements. Additionally, work is underway to mitigate or accept the weaknesses in password security within affected systems.

4.3.22 Controls for timely termination of user access have still evidenced weakness during the interim testing, with both the ANAO and Defence internal audit identifying instances of users who retained access when it was no longer required for their role, as well as reliance being placed on controls that do not sufficiently address the risk of inappropriate access continuing. The ANAO understands that Defence is continuing to implement activities to address these issues and will provide the ANAO with additional assurance towards the end of the financial year. The ANAO will review the status of these remediation activities as part of the 2019–20 final audit phase.

Conclusion

4.3.23 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, and except for the findings outlined above, key elements of internal control were operating effectively to provide reasonable assurance that Defence will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.4 Department of Veterans’ Affairs

Overview

4.4.1 The Department of Veterans’ Affairs (DVA) is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes: granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986; the administration of benefits and arrangements under the Military Rehabilitation and Compensation and the Safety, Rehabilitation and Compensation (Defence-related Claims) legislation; administering the Defence Service Homes Act 1918 and the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

4.4.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, DVA has implemented a range of measures, including requesting staff to work remotely where operational requirements allow. These working arrangements may impact: DVA’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and DVA’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.4.3 Figure 4.4.1 and Figure 4.4.2 show the 2019–20 departmental and administered financial statement items reported by DVA and the key areas of financial statements risk.

Figure 4.4.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DVA’s 2019–20 revised budget as reported in the 2019–2020 Portfolio Additional Estimates Statements.

Figure 4.4.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DVA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.4.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DVA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DVA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.4.3 and the ANAO’s understanding of the operations of DVA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.4.5 Annual appropriation funding of $382.6 million (departmental) and $135.5 million (administered) was provided to DVA in 2019–20 to support the achievement of the entity’s outcomes.⁹⁹ DVA was also budgeted to receive special appropriation funding of $10.4 billion¹⁰⁰ for income and disability support, community and residential care, and various healthcare and rehabilitation services for war veterans, members of the Australian Defence Force, members of the Australian Federal Police and their dependants.

4.4.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multiyear¹⁰¹ funding was announced for entities. As part of that funding DVA was provided $1.04 million in 2019–20 to support departmental operations.

4.4.7 Table 4.4.1 and Table 4.4.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.4.1: Key expenses and total own-sourced income

Source: DVA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.4.2: Key assets and liabilities

Note: DVA’s estimated average staffing level for 2019–20 is 1,615.

Source: DVA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.4.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.4.3, including the area considered a Key Audit Matter (KAM) by the ANAO.

4.4.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁰² As at the interim phase, no additional financial statements risks have been identified for DVA. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.4.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for DVA and DVA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.4.10 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of: IT general controls; manual controls relating to cash; asset management; supplier expenses; and employee benefits.

4.4.11 Audit procedures relating to: testing of application controls in key processing systems, accuracy of administered personal benefit and health care payments and review of the personal benefits and health care provision valuation will be performed during the final audit phase.

4.4.12 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.4.13 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that DVA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.5 Department of Education, Skills and Employment

Overview

4.5.1 The Department of Education, Skills and Employment (DESE) is responsible for ensuring Australians can experience the social wellbeing and economic benefits that quality education, training and employment provide.

4.5.2 The department was formerly known as the Department of Education and largely merges the functions of that entity with the now abolished Department of Employment, Skills, Small and Family Business (Employment).

4.5.3 The Administered Arrangement Order (AAO) of 29 May 2019 renamed the then Department of Jobs and Small Business — to become the Department of Employment, Skills, Small and Family Business and also transferred responsibility for skills, vocational education and training from the then Department of Education. An amending AAO on 8 August 2019 also transferred legislation relating to vocational student loans to Employment. A further AAO on 5 December 2019, effective 1 February 2020, resulted in the cessation of Employment with the employment and skills functions transferred back to DESE). Other functions transferred to the Industry, Attorney-General, and the Prime Minister and Cabinet portfolios.

4.5.4 Consistent with the Australian Government’s response to the COVID-19 pandemic, DESE has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: DESE’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and DESE’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.5.5 Figure 4.5.1 and Figure 4.5.2 show the 2019–20 departmental and administered financial statements items reported by DESE and the key areas of financial statements risk.

Figure 4.5.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DESE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.5.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DESE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.5.6 The ANAO’s audit approach identifies key areas of risk that have the potential to impact DESE’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DESE’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.5.3 and the ANAO’s understanding of the operations of DESE, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.5.7 Annual appropriation funding of $775.2 million (departmental) and $3,636.9 million (administered) was provided to DESE in 2019–20 to support the achievement of the entity’s outcomes.¹⁰³ DESE was also budgeted to receive special appropriation funding of $46.5 billion¹⁰⁴ for child care, schools, and higher education, including research grants.

4.5.8 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁰⁵ funding was announced for entities. As part of that funding DESE was provided $277.4 million in 2019–20 to support its skills, training and employment programs.

4.5.9 Table 4.5.1 and Table 4.5.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.5.1: Key expenses and total own-sourced income

Table 4.5.2: Key assets and liabilities

Note: DESE’s estimated average staffing level for 2019–20 is 3,387.

Source: DESE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.5.10 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.5.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.5.11 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁰⁶ As at the interim phase, no additional financial statement risks have been identified for DESE. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.5.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for DESE and DESE’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.5.12 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No. 10 2019–20 Design and Governance of the Child Care Package did not include recommendations regarding risks to DESE’s financial administration as it relates to the financial statements. However, the observations of this report were considered in designing audit procedures.

Audit results

4.5.13 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: transactional processing of supplier expenses and payables, revenue and receivables, and payroll performed by the Department of Finance’s Service Delivery Office on behalf of DESE and the monitoring controls in place at DESE relating to these processes; reviewed controls relating to administered grants payments; HELP, Vocational Education and Training (VET) FEE-HELP and VET student loans; reconciliations between administered business systems and the financial information systems for grants payments, administered supplier and subsidy payments; personal benefits and subsidy payments; and grants expenditure. Interim audit coverage also included an assessment of IT general controls, IT application controls and the design and implementation of the jobactive compliance program.

4.5.14 Audit procedures relating to: accounting for the HELP, Vocational Education and Training (VET) FEE-HELP and VET student loans, HESP and personal benefits receivables and provisions; payments to providers, schools and universities; and detailed testing over the child care subsidy payments; administered supplier expenses; and review of the department’s monitoring of the jobactive compliance program, will be undertaken as part of the planned 2019–20 final audit.

4.5.15 To date, our audit coverage has not identified any new significant or moderate audit findings.

4.5.16 The following table summarises the status of audit findings reported by the ANAO in 2018–19.

Table 4.5.4: Status of audit findings raised by the ANAO

Note a: The moderate audit issue relating to Unauthorised Network Access has been downgraded to a minor audit finding.

Note b: Following the formation of the new department, the ANAO merged two separate but related findings into one unresolved finding, Monitoring of Database Activity.

Resolved moderate audit finding

Unauthorised Network Access (Education)

4.5.17 During the IT general control testing undertaken for the 2018–19 financial statements audit, the ANAO identified a network account that remained active after the employee had been terminated. This account did not have an ‘expiry date’ making this account fully accessible.

4.5.18 The account remained active as a result of the Exit Advice Notification (EAN) not being finalised when the employee terminated. Further testing identified additional cases where the EAN process was not followed, as well as other instances where network access had not been disabled on cessation of employment

4.5.19 In response to this finding, the Department has implemented a daily automated procedure to identify employees who have ceased employment and ensure that their network account is disabled. During the interim audit phase the ANAO undertook testing over terminations and identified a small number of exceptions where there was a delay between employment cessation and the disabling of the network account. These occurred before the automated procedure had been put in place. The ANAO has downgraded the finding and further testing will be conducted during the final audit phase to close it.

Unresolved moderate audit finding

Monitoring of Database Activity (Education and Employment)

4.5.20 IT databases supporting core departmental applications were managed and maintained at the then Department of Employment, Skills, Small and Family Business for both entities, with each entity maintaining responsibility for their own data. This finding applied to the databases supporting the financially significant applications for both entities in the 2018–19 audit.

4.5.21 The ANAO recommended during the 2018–19 interim audit that a regular and formalised process be put in place that will ensure the actions of privileged users at the database level are logged and monitored for all applications. It was also recommended that standard operating procedures providing support to this process should also be developed and formally approved by senior management.

4.5.22 During the interim audit phase of the 2019–20 audit, the ANAO reviewed the progress that has been made to address this finding. The Department is logging database activity and has implemented a tool to analyse the logs and report exceptions for manual review and follow up. An assessment has also been done across the financially significant systems, to identify the key database tables and fields to be monitored. The Department is now piloting the new process before implementing a wider rollout, with a standard operating procedure document drafted to support the process.

4.5.23 The ANAO has assessed the design of the control detailed above, and considers that it is effective to address the risks identified. Testing of implementation and operating effectiveness will be conducted during the final audit phase.

New L1 legislative compliance finding

S83 Breach — GST on payments to non-government schools

4.5.24 DESE makes payments to non-government schools in accordance with the Australian Education Act 2013 (AE Act). GST has historically been included in the payments since the introduction of GST in 2000. Legal advice obtained by DESE has confirmed that the AE Act did not provide authority for inclusion of GST in the amounts paid to non-government schools. The department has identified GST to the value of $14.6 billion included in the payments made to non-government schools over a period of 20 years.

4.5.25 To address this issue, it is acknowledged that DESE has acted to ensure the appropriate legislative amendments via the Australian Education Amendment (Direct Measure of Income) Act 2020.

4.5.26 The ANAO agrees with the assessment that the lack of a valid appropriation for the inclusion of GST in the payments to non-government schools is a significant legislative breach and recommended that appropriate disclosures be made in DESE’s 2019–20 financial statements including quantification of the amount of the breaches, and disclosure of changes to the relevant legislation and internal processes within the department.

4.5.27 The ANAO also awaits the outcome of DESE’s consultations regarding the recognition/waiver of debt associated with the GST amounts.

Conclusion

4.5.28 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, and except for the finding outlined above, key elements of internal control were operating effectively to provide reasonable assurance that DESE will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.6 Department of Finance

Overview

4.6.1 The Department of Finance (Finance) is responsible for supporting the Government’s Budget process and oversight of public sector resource management, governance and accountability frameworks. In addition, the department is responsible for the preparation of the annual Consolidated Financial Statements (CFS), which includes the whole-of-government and the general government sector financial statements and the Australian Government’s financial outcome.

4.6.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, Finance has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: Finance’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Finance’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.6.3 Figure 4.6.1 and Figure 4.6.2 show the 2019–20 departmental and administered financial statements items reported by Finance and the key areas of financial statements risk.

Figure 4.6.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Finance’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.6.2: Key administered financial statements items and area of financial statements risk

 

 

Source: ANAO analysis and Finance’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.6.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Finance’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Finance’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.6.3 and the ANAO’s understanding of the operations of Finance, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.6.5 Annual appropriation funding of $445.9 million (departmental) and $566.2 million (administered) was provided to Finance in 2019–20 to support the achievement of the entity’s outcomes.¹⁰⁷ Finance was also budgeted to receive special appropriation funding of $8,672.8 million.¹⁰⁸ The special appropriation funding is largely to settle payments for superannuation liabilities.

4.6.6 Finance is responsible for the payment of superannuation through public sector civilian (non-Defence) superannuation schemes. Finance recognises the unfunded liability on behalf of the Commonwealth and meets the ongoing payments of superannuation liabilities. The majority of the liabilities are managed by the Commonwealth Superannuation Corporation on behalf of the Commonwealth.

4.6.7 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁰⁹ funding was announced for entities. No funding was appropriated to Finance in 2019–20 for COVID-19.

4.6.8 Table 4.6.1 and Table 4.6.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.6.1: Key expenses and total own-sourced income

Source: Finance’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.6.2: Key assets and liabilities

Note: Finance’s estimated average staffing level for 2019–20 is 1,237.

Source: Finance’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.6.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.6.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.6.10 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹¹⁰ In addition to the risks identified in chapter four, the ANAO has identified additional risk factors for Finance’s financial statements relating to valuation of the superannuation provision and the valuation of properties. The implications of these risks are in the process of being considered by the ANAO and as a result have not been included in Table 4.6.3. The key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.6.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for Finance, and Finance’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.6.11 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: administered investment funds, property management, payroll management and supplier expenditure. As part of the interim coverage, the ANAO has also assessed controls relating to the payment of entitlements to Parliamentarians and their staff.

4.6.12 Audit procedures relating to valuations: of superannuation provisions; insurance provisions and properties will be undertaken as part of the 2019–20 final audit. In addition, we will complete IT general and application controls over the Service Delivery Office and other relevant systems during the final phase of the audit.

4.6.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.6.14 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.7 Future Fund Management Agency and the Board of Guardians

Overview

4.7.1 The Future Fund Board of Guardians supported by the Future Fund Management Agency (together the Future Fund) is responsible for investing the assets of the Future Fund under the Future Fund Act 2006 and other investment funds, managed on behalf of the Department of Finance, under the DisabilityCare Australia Fund Act 2013, the Medical Research Future Fund Act 2015, the Aboriginal and Torres Strait Islander Land and Sea Future Fund Act 2018, the Emergency Response Fund Act 2019, and the Future Drought Fund Act 2019, for the benefit of future generations of Australians.

4.7.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, the Future Fund has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: the Future Fund’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and the Future Fund’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.7.3 Figure 4.7.1 and Figure 4.7.2 show the 2019–20 departmental and administered financial statement items reported by Future Fund, and the key areas of financial statements risk.

Figure 4.7.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Future Fund’s 2019–20 budget as reported in the 2019–2020 Portfolio Budget Statements.

Figure 4.7.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Future Fund’s 2019–20 budget as reported in the 2019–2020 Portfolio Budget Statements.

4.7.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact the Future Fund’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of the Future Fund’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.7.3 and the ANAO’s understanding of the operations of Future Fund, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.7.5 From May 2006 to November 2008, the Government made cash contributions to the Future Fund totalling $51.3 billion as well as providing Telstra shares to the value of $9.2 billion. No further Government contributions have been received since this time.

4.7.6 As a result, the operational functions of the Future Fund are funded through payments from the administered Future Fund special account and the other Australian Government Investment Funds. In 2019–20, these payments are estimated to total $92.3 million.

4.7.7 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹¹¹ funding was announced for entities. No funding was appropriated to the Future Fund in 2019–20 for COVID-19.

4.7.8 Table 4.7.1 and Table 4.7.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.7.1: Key expenses and total own-sourced income

Source: Future Fund’s 2019–20 budget as reported in the 2019–20 Portfolio Budget Statements.

Table 4.7.2: Key assets and liabilities

Note: Future Fund’s estimated average staffing level for 2019–20 is 182.

Source: Future Fund’s 2019–20 budget as reported in the 2019–20 Portfolio Budget Statements.

Key areas of financial statements risk

4.7.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.7.3 including the area considered a Key Audit Matters (KAM) by the ANAO.

4.7.10 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹¹² In addition to the risks identified in chapter four, the ANAO has identified additional risk factors for the Future Fund’s financial statements relating to the valuation of private and public market investments. The implications of these risks are in the process of being considered by the ANAO and as a result have not been included in Table 4.7.3. The key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.7.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for the Future Fund and the Future Fund’s 2019–20 budget as reported in the 2019–20 Portfolio Budget Statements.

Audit results

4.7.11 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to the management of investments; monitoring of service providers; and operational expenses incurred by the Future Fund.

4.7.12 The valuation of investments, including the assessment of controls that reside within the outsourced custodian, will be completed as part of the 2019–20 final audit.

4.7.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.7.14 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that the Future Fund will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.8 Department of Foreign Affairs and Trade

Overview

4.8.1 The Department of Foreign Affairs and Trade (DFAT) supports Australia’s foreign, trade and investment, development and international security policy priorities. DFAT is the lead agency managing Australia’s international presence and will lead efforts to maximise Australia’s security and prosperity through implementation of the Foreign Policy White Paper.

4.8.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, DFAT has implemented a range of measures, including enabling staff to work remotely where operational requirements allow and deploying staff to other agencies and taskforces. The measures have also included the repatriation of non-essential Australian staff from overseas posts. These working arrangements may impact: DFAT’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and DFAT’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.8.3 Figure 4.8.1 and Figure 4.8.2 show the 2019–20 departmental and administered financial statement items reported by DFAT and the key areas of financial statements risk.

Figure 4.8.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DFAT’s 2019–20 revised budget as reported in the 2019–2020 Portfolio Additional Estimates Statements.

Figure 4.8.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DFAT’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.8.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DFAT’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DFAT’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.8.3 and the ANAO’s understanding of the operations of DFAT, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.8.5 Annual appropriation funding of $1,613.7 million (departmental) and $4,576.8 million (administered) was provided to DFAT in 2019–20 to support the achievement of the entity’s outcomes.¹¹³

4.8.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹¹⁴ funding was announced for entities. As part of that funding DFAT was provided $10.6 million in 2019–20 to support departmental operations.

4.8.7 Table 4.8.1 and Table 4.8.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.8.1: Key expenses and total own-sourced income

Source: DFAT’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.8.2: Key assets and liabilities

Note: DFAT’s estimated average staffing level for 2019–20 is 5,810.

Source: DFAT’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.8.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.8.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.8.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹¹⁵ As at the interim phase, no additional financial statements risks have been identified for DFAT. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.8.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for DFAT and DFAT’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.8.10 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: administered passport revenue, administered aid programs, cash management, Australian Public Service (APS) engaged employees and supplier expenditure.

4.8.11 Interim audit coverage has also been completed over the department’s IT general controls in the Financial Management Information System (FMIS) and Human Resource Management Information System (HRMIS).

4.8.12 Audit procedures relating to: assets, appropriations, overseas based (excluding APS) employees, departmental revenue for rental accommodation and services provided to other entities at overseas posts will be undertaken as part of the planned 2019–20 final audit.

4.8.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.8.14 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.9 Department of Health

Overview

4.9.1 The Department of Health (Health) is responsible for achieving the Australian Government’s health outcomes in the areas of: health system policy, design and Innovation; health access and support services; sport and recreation; individual health benefits; regulation, safety and protection; and ageing and aged care. This includes administering programs and services, such as Medicare and the Pharmaceutical Benefits Scheme, and forming partnerships with the states and territories as well as other stakeholders.

4.9.2 Services Australia delivers approximately $59 billion of health related payments on behalf of Health. These payments primarily relate to the Medicare Benefits Schedule, the Pharmaceutical Benefits Scheme, the Private Health Insurance Rebate and services funded under the Aged Care Act 1997.

4.9.3 Consistent with the Australian Government’s response to the COVID-19 pandemic, Health has implemented a range of measures, including requesting staff to work remotely where operational requirements allow. These working arrangements may impact: Health’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Health’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.9.4 Figure 4.9.1 and Figure 4.9.2 show the 2019–20 departmental and administered financial statements items reported by Health and the key areas of financial statements risk.

Figure 4.9.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Health’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.9.2: Key administered financial statement items and areas of financial statements risk

 

 

Source: ANAO analysis and Health’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.9.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Health’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Health’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.9.3 and the ANAO’s understanding of the operations of Health, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.9.6 Annual appropriation funding of $774.1 million (departmental) and $11.6 billion (administered) was provided to Health in 2019–20 to support the achievement of the entity’s outcomes.¹¹⁶ Health was also budgeted to receive special appropriation funding of $25.0 billion¹¹⁷ for payments and rebates made under legislation including: Aged Care Act 1997 ($16.6 billion); Private Health Insurance Act 2007 ($6.3 billion); and National Health Act 1953 ($1.6 billion).

4.9.7 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹¹⁸ funding was announced for entities. As part of that funding Health was provided $1.3 billion in 2019–20 to provide support across primary care, aged care, hospitals, research and the national medical stockpile.

4.9.8 Table 4.9.1 and Table 4.9.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.9.1: Key expenses and total own-sourced income

Source: Health’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.9.2: Key assets and liabilities

Note: Health’s estimated average staffing level for 2019–20 is 3,845.

Source: Health’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.9.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.9.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.9.10 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹¹⁹ As at the interim phase, no additional financial statements risks have been identified for Health. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.9.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for Health and Health’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.9.11 The ANAO has undertaken its 2019–20 interim audit coverage, including an assessment of the controls relating to: IT security and change management in the financial management information system and human resource management information system; cash and appropriations management; supplier expenses; assets; payroll processing; Therapeutic Goods Administration revenue; personal benefits; subsidies; and grant payments.

4.9.12 Other areas of audit focus, including the compliance processes for Aged Care subsidies and Medicare payments, and an assessment of the valuation methodologies used to estimate the medical indemnity program and Medicare outstanding claims liability provisions, will be performed as part of the 2019–20 final audit.

4.9.13 To date, our audit coverage has not identified any new significant or moderate audit findings.

4.9.14 The following table summarises the status of audit findings reported by the ANAO in 2019–20.

Table 4.9.4: Status of audit findings raised by the ANAO

Resolved moderate audit finding

Monitoring of Privileged User Activity

4.9.15 During the 2018–19 interim audit, the ANAO’s testing identified weaknesses in the monitoring of users with privileged access to IT business systems relevant to the collection of Therapeutic Goods Administration revenue and management of aged care providers. Privileged user access typically allows users to make significant changes to the IT business systems configuration and operations, and bypass critical security and segregation of duties settings. A lack of monitoring of privileged user activity increases the risk of unauthorised changes to business systems and underlying data. Privileged user access, should be appropriately restricted, logged and regularly monitored.

4.9.16 The ANAO tested the new controls implemented by Health and found it to be operating effectively.

Conclusion

4.9.17 Based on our interim audit coverage which was largely conducted in a pre COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that Health will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.10 Department of Home Affairs

Overview

4.10.1 The Department of Home Affairs (Home Affairs) coordinates policy and operations for Australia’s national and transport security, federal law enforcement, criminal justice, cyber security, border, immigration, multicultural affairs, emergency management and trade related functions.

4.10.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, Home Affairs has implemented a range of measures, including requesting staff to work remotely where operational requirements allow. These working arrangements may impact: Home Affairs’ internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Home Affairs’ ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.10.3 Figure 4.10.1 and Figure 4.10.2 show the 2019–20 departmental and administered financial statements items reported by Home Affairs and the key areas of financial statements risk.

Figure 4.10.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Home Affairs’ 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.10.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Home Affairs’ 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.10.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Home Affairs’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Home Affairs’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.10.3 and the ANAO’s understanding of the operations of Home Affairs, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

4.10.5 Annual appropriation funding of $2,994.6 million (departmental) and $2,476.1 million (administered) was provided to Home Affairs in 2019–20 to support the achievement of the entity’s outcomes.¹²⁰ Home Affairs was also budgeted to receive special appropriation funding of $1.0 billion.¹²¹ Special appropriation funding is used for payment of refunds of customs duty and visa application charges and for the return of customs duty paid upon export of an item.

4.10.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹²² funding was announced for entities. As part of that funding Home Affairs was provided $18.7 million in 2019–20 to support operations relevant to protecting Australia’s national security, emergency management, law enforcement and managing its border.

4.10.7 Table 4.10.1 and Table 4.10.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.10.1: Key expenses and total own-sourced income

Source: Home Affairs’ 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.10.2: Key assets and liabilities

Note: Home Affairs’ estimated average staffing level for 2019–20 is 14,245.

Source: Home Affairs’ 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.10.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.10.3 including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.10.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹²³ As at the interim phase, no additional financial statements risks have been identified for Home Affairs. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.10.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for Home Affairs and Home Affairs’ 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.10.10 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: collection of customs duty revenue and visa application revenue; the management of the onshore immigration detention centres and overseas regional processing centres; accounting for employee entitlements; and the reporting of overseas transactions.

4.10.11 Interim audit coverage has also included an assessment of IT general controls, including security and change management processes relevant to the financial management information system and human resources management information system.

4.10.12 Audit procedures relating to: payment of personal benefits; IT application controls; and testing on the processes above for the remainder of the financial year will be undertaken as part of the 2019–20 final audit.

4.10.13 The following table summarises the status of audit findings reported by the ANAO in 2019–20.

Table 4.10.4: Status of audit findings raised by the ANAO

Note a: The significant audit finding relating to Visa and Citizenship Quality Management was identified during the 2018–19 audit. This audit finding was downgraded to a moderate audit finding.

Unresolved moderate audit finding

Visa and Citizenship Quality Management

4.10.14 Home Affairs established a Secretary Instruction and Quality Management Policy to mandate regular quality assurance reviews to improve consistency in decision making and ensure the effective identification and management of emerging business risks relating to the assessment and issuance of visas and citizenship. Consistent with this Instruction and Policy, a Visa and Citizenship Quality Management Framework (VCQMF) was established in 2014 with purposes including:

• identifying existing and emerging risks, including the risk of inappropriate or incorrect visa and citizenship decisions;
• the development and implementation of effective controls to mitigate identified risks;
• regularly testing controls using quality management and assurance activities to determine whether all key risks have been identified and are being effectively controlled;
• ensuring a consistent approach to visa and citizenship decision quality;
• the development of support tools that capture and measure the level of correctness and accuracy of visa and citizenship decisions; and
• identifying opportunities for improvement and staff training requirements.

4.10.15 The 2018–19 audit identified:

• throughout the international posts and visa program areas, there was significant non-compliance with the required quality assurance sample rate;
• there is no evidence of alternative assurance activities that compensate for the reduced level of assurance due to sample rates not being achieved;
• required reporting relating to the outcome of quality assurance management was suspended between January and June 2019 while capability of the tool was enhanced. This has significantly reduced oversight of activities being undertaken;
• Home Affairs was not able to demonstrate sufficient reporting to the Executive and Audit Committee to facilitate their assessment and action including independent advice and assurance by the Audit Committee regarding the appropriateness of the system of risk oversight and management and system of internal control; and
• certain content in the existing framework document is out of date.

4.10.16 The ANAO concluded that the audit finding did not impact the calculation and recognition of visa revenue in the financial statements. The significant non-adherence to the related requirements undermines:

• the assurance that was being obtained by management over key controls and the appropriateness of decisions, and the adequacy and validity of reports to the executive for strategic policy decisions;
• effective risk and resource management, including informed identification, and adjustment to risk mitigation activities; and
• opportunities for improvement and staff training requirements.

4.10.17 During 2019–20, Home Affairs has:

• progressed the drafting of revised framework documents and commenced stakeholder consultation;
• implemented an assurance activity procedural instruction to articulate the roles, responsibilities and expectations for rolling implementation from 1 July 2019. This includes:
• the requirement that programs develop and implement appropriate quality control and quality assurance activities within their program as defined in their Quality Management Plan. Program sample size expectations are to be communicated within Quality Management Plans; and
• Executive and centrally managed monitoring and reporting;
• commenced the development of program Quality Management Plans;
• significantly enhanced the compliance rate by location of required sample rates;
• implemented Executive dashboard reporting; commenced regular reporting to the Immigration and Citizenship Steering Group of compliance with expected sample rates and analysis of the results of samples undertaken; and introduced quarterly communication to program managers regarding performance and reinforcing expectations. Regular reporting to the Audit Committee on the performance of quality management has yet to commence. Home Affairs has reported to the Audit Committee on the progress of the remediation of the audit finding;
• completed system enhancements and commenced a post-implementation review to assess the effectiveness of enhancements made;
• commenced the development of processes to be applied where control frameworks or key controls are found to be ineffective and necessitate corrective action and alternative assurance or compensating controls being established. This has included mapping and performing maturity assessments of existing controls; and
• commenced a process to obtain further leverage from results in informing decisions regarding risk assessments at strategic and location levels and the required levels of assurance, including through sampling and other activity.

4.10.18 The ANAO will continue to assess progress made by Home Affairs during the 2019–20 final audit phase.

Conclusion

4.10.19 Based on our interim audit coverage which was largely conducted in a pre COVID-19 environment, and except for the finding outlined above, key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.11 Department of Industry, Science, Energy and Resources

Overview

4.11.1 The Department of Industry, Science, Energy and Resources (Industry) is responsible for supporting science and commercialisation; growing business investment and improving business capability; developing northern Australia; streamlining regulation; developing and implementing a national response to climate change; improving Australia’s energy supply, efficiency, quality, performance and productivity; and facilitating the growth of small and family business.

4.11.2 Industry continues to offer a grants hub and shared service centre which provides other Commonwealth entities with administrative support including grants administration and payments processing; human resources and financial transactions processing and the provision of management information systems supporting these processes.

4.11.3 As a result of the Administrative Arrangement Orders effective 1 February 2020 the Department of Industry, Science, Energy and Resources was created from a merger of: the Department of Industry, Innovation and Science; the energy and climate change functions (excluding climate science and adaptation) from the Department of the Environment and Energy; and small business functions from the Department of Employment, Skills, Small and Family Business.

4.11.4 Consistent with the Australian Government’s response to the COVID-19 pandemic, Industry has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: Industry’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Industry’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.11.5 Figure 4.11.1 and Figure 4.11.2 show the 2019–20 departmental and administered financial statements items reported by Industry and the key areas of financial statements risk.

Figure 4.11.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis of Industry’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting Industry’s structure and outcomes, post machinery of government changes).

Figure 4.11.2: Key administered financials statement items and areas of financial statements risk

 

 

Source: ANAO analysis of Industry’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting Industry’s structure and outcomes, post machinery of government changes).

4.11.6 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Industry’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Industry’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.11.3 and the ANAO’s understanding of the operations of Industry, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.11.7 Annual appropriation funding¹²⁴ of $512.9 million (departmental) and $765.1 million (administered) was provided to Industry in 2019–20 to support the achievement of the entity’s outcomes.¹²⁵ Industry was also budgeted to receive special appropriation funding of $532.1 million¹²⁶ which includes: loan funding relating to the Northern Australia Infrastructure Facility; funding provided to the National Offshore Petroleum Safety and Environmental Management Authority; and the Automotive Transformation Scheme.

4.11.8 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹²⁷ funding was announced for entities. No funding was appropriated to Industry in 2019–20 for COVID-19.

4.11.9 Table 4.11.1 and Table 4.11.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.11.1: Key expenses and total own-sourced income

Source: Industry’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting Industry’s structure and outcomes, post machinery of government changes).

Table 4.11.2: Key assets and liabilities

Note: Industry’s estimated average staffing level for 2019–20 is 2,717.

Source: 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting Industry’s structure and outcomes, post machinery of government changes).

Key areas of financial statements risk

4.11.10 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.11.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.11.11 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹²⁸ As at the interim phase, no additional financial statements risks have been identified for Industry. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.11.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for Industry, and Industry’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.11.12 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to employee and supplier expenditure; appropriations and special accounts; and asset and cash management. As part of the interim audit coverage, the ANAO has also assessed controls relating to selected departmental and administered revenue streams, grant and subsidy payments and IT general and applications controls for key financial systems.

4.11.13 Audit procedures relating to the completeness and accuracy of royalties; and valuation of the administered advances and loans, investments (including Snowy Hydro Limited) and non-financial assets will be undertaken as part of the planned 2019–20 final audit.

4.11.14 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.11.15 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that Industry will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.12 Department of Infrastructure, Transport, Regional Development and Communications

Overview

4.12.1 The Department of Infrastructure, Transport, Regional Development and Communications (Infrastructure) is responsible for improving infrastructure across Australia through funding coordination of transport and other infrastructure; providing an efficient, sustainable, competitive and safe transport system for all transport users; strengthening the sustainability, capacity and diversity of regional economies providing advice on population policy; implementing the national policy on cities; promoting an innovative and competitive communications sector; participation in and access to Australia’s arts and culture through developing and supporting cultural expression; and supporting governance arrangements in the Australian territories.

4.12.2 As a result of a change to the Administrative Arrangements Orders, on 1 February 2020, all functions of the then Department of Communications and the Arts (Communications) were transferred to Infrastructure, and Communications was abolished. Infrastructure assumed responsibility for all outcomes and funding previously administered by Communications. As a result of this change, Infrastructure will prepare financial statements in 2019–20 that encompass the results of both Infrastructure and Communications as consolidated balances for the period 1 July 2019 to 30 June 2020.

4.12.3 Consistent with current Australian Government policy, Infrastructure has some services delivered by shared or common services providers. Employee payroll for the employees of the former Communications is (and continues to be) administered by the Department of Industry, Science, Energy and Resources (Industry). Infrastructure also uses the services of Industry’s business grants hub for the administration of selected grant programs, mainly for programs supporting regional development, including contracting and payment assessment. Both arrangements are governed by memoranda of understanding which detail services provided.

4.12.4 Consistent with the Australian Government’s response to the COVID-19 pandemic, Infrastructure has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: Infrastructure’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Infrastructure’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.12.5 Figure 4.12.1 and Figure 4.12.2 show the 2019–20 departmental and administered financial statements items reported by Infrastructure and the key areas of financial statements risk.

Figure 4.12.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis of Infrastructure’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting Infrastructure’s structure and outcomes, post machinery of government changes).

Figure 4.12.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis of Infrastructure’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting Infrastructure’s structure and outcomes, post machinery of government changes)

4.12.6 The ANAO’s audit approach identifies key areas of risk that have the potential to impact Infrastructure’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Infrastructure’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.12.3 and the ANAO’s understanding of the operations of Infrastructure, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.12.7 Annual appropriation funding¹²⁹ of $372.0 million (departmental) and $9,694.3 million (administered) has been provided to Infrastructure in 2019–20 to support the achievement of the entity’s outcomes.¹³⁰ Infrastructure has also been budgeted to receive special appropriation funding of $1,517.7 million primarily relating to funding for local councils determined in accordance with the Financial Assistance (Local Government) Act 1995.¹³¹

4.12.8 Infrastructure also administer the assessment and oversight functions for national partnership payments on behalf of the Department of the Treasury relating to road, rail and water infrastructure investment projects. Whilst these payments to State and Territory Governments are recorded in the Treasury financial statements, the project approval, advice to Government, milestone assessment, project monitoring and analysis processes are undertaken by Infrastructure. Expenses for these projects are estimated to be $6,176.6 million in 2019–20.¹³²

4.12.9 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹³³ funding was announced for entities. As part of that funding Infrastructure was provided $422.0 million in 2019–20 mainly to provide assistance to the aviation industry through direct grants to support operations and provision of subsidies to maintain service on regular public transport air routes; and supporting Australia’s regional communities and the arts industry through provision of direct grants and financial assistance.

4.12.10 Table 4.12.1 and Table 4.12.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.12.1: Key expenses and total own-sourced income

Source: Infrastructure’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting Infrastructure’s structure and outcomes, post machinery of government changes).

Table 4.12.2: Key assets and liabilities

Note: Infrastructure’s estimated average staffing level for 2019–20 is 1,473.

Source: Infrastructure’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements (reflecting Infrastructure’s structure and outcomes, post machinery of government changes).

Key areas of financial statements risk

4.12.11 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.12.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.12.12 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹³⁴ In addition to the risks identified in chapter four, the ANAO has identified specific risks for Infrastructure’s financial statements relating to:

• the valuation of the Australian Government’s investments in Airservices Australia, the Australian Postal Corporation, Australian Rail Track Corporation and NBN Co Limited as the valuation model used to measure the value of these entities includes application of cash flows arising from fee for service arrangements and other broader economic parameters, such as growth in GDP, that may have been impacted by the COVID-19 situation; and
• the occurrence of grant expenses due to the rapid implementation of grant programs that support economic stimulus measures and significance of the funding committed.

4.12.13 The implications of these risks are in the process of being considered by the ANAO and as a result have not been included in Table 4.12.3. The key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.12.3: Key areas of financial statements risk

Note a: Communications implemented a new Financial Management Information System on 1 July 2019. Notwithstanding the machinery of government changes this system will be used to initiate, process and record transactions arising from former Communications functions for the 2019–20 financial year.

Source: ANAO 2019–20 risk assessment for Infrastructure and Infrastructure’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.12.14 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No. 12 2019–20 Award of funding under the Regional Jobs and Investment Packages included observations relevant to the management of grant payments outlined in Table 4.12.3, particularly relating to the assessment and award of grant funding, which have been considered when designing audit procedures related to grants expenses.

Audit results

4.12.15 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; accounting for non-financial assets; appropriations and special accounts; grant expenses; concessional loans; supplier expenses; administered revenue; and receivables and employee payroll.

4.12.16 Interim audit coverage has also included an assessment of IT general controls (including security and change management processes relevant to the financial management information systems) and human resources management information systems. The ANAO’s interim audit procedures identified weaknesses in the governance process and framework for the management of changes and privileged users within the FMIS implemented by Communications on 1 July 2019. As a result of these procedures, for transactions processed through this FMIS we have adjusted our audit approach to mainly focus on substantive tests of detail in order to obtain sufficient and appropriate audit evidence in the absence of an effective control framework. The FMIS is expected to be decommissioned by Infrastructure by 30 June 2020 following transfer of accounts information to the existing Infrastructure FMIS.

4.12.17 The final audit phase will include procedures relating to: valuation of administered investments; accuracy of subsidy claims; and valuation of other assets including non-financial assets and concessional loans. This will also include procedures relating to the machinery of government changes, in particular relating to the transfer and valuation of assets and liabilities from Communications to Infrastructure.

4.12.18 The following table summarises the status of audit findings reported by the ANAO in 2018–19 and 2019–20.

Table 4.12.4: Status of audit findings raised by the ANAO

Note a: The two moderate findings included in the closing position for 2018–19 have been transferred from Communications. These findings relate to continuing processes now administered by Infrastructure following machinery of government changes and will be monitored through the 2019–20 audit of Infrastructure.

Resolved moderate audit finding

Risk management practices relating to NBN Co’s loan facility

4.12.19 The Commonwealth’s loan agreement with NBN Co Limited (NBN Co) sets out the terms of the $19.5 billion facility, including the applicable undertakings, restrictions and interest rate and a requirement that the principal amount borrowed is to be fully refinanced by 30 June 2024. The value of the loan drawn down as at 30 June 2019 was $13.1 billion and the loan continues to be drawn down in 2019–20. NBN Co’s operating cash flows are forecast to be positive by 2020–21.

4.12.20 During 2017–18 the ANAO identified that Communications had not established the policies and processes necessary to manage the financial risks associated with the loan facility. Particularly, Communications had not established an overarching framework for ongoing oversight, review and monitoring of NBN Co’s compliance with the lending arrangements, supported by analysis that progressively confirms NBN Co’s capacity to fully repay the loan. The failure to fully establish practices to manage the risks associated with the loan facility significantly increased the Commonwealth’s risk of exposure to loss

4.12.21 During 2018–19 Communications took steps to resolve this finding by developing a risk appetite statement associated with the loan facility which was supported by a detailed risk assessment. The appetite statement and risk assessment are subject to at least an annual review. Additionally, Communications also developed a ‘credit risk management framework’ which outlines key activities, analysis and controls to be performed to monitor the risks associated with the loan facility and provides a framework for determining whether additional actions should be taken to mitigate risks arising. This framework includes analysis of financial forecasts, emerging trends and information received from NBN Co and requires formal reporting on credit risks associated with the loan facility to an operational management committee within Communications (which included senior members of the department’s executive leadership team).

4.12.22 During 2019–20, Communications implemented the framework and commenced the specified monitoring and reporting activities. The ANAO has tested the analysis and reporting to confirm that key activities in the framework have been implemented and that risk analysis is regularly reviewed by the management committee. Whilst acknowledging that key aspects of the framework has been implemented, the documentation and assessment of risk continue to mature and as such remain a minor risk finding that will be subject to further review by the ANAO at the final phase of the 2019–20 audit.

Unresolved moderate audit finding

Documentation of significant estimates and judgements

4.12.23 During 2018–19 the ANAO identified that Communications did not adequately compile documentation to support the accounting position adopted on key material estimates and judgments, relating mainly to the Australian Government’s investment and loan to NBN Co Limited. Several accounting position papers provided by Communications also did not adequately address the application of the relevant accounting standard/s, consideration of alternative assumptions or outcomes, justification for the assumptions used and Communication’s basis for the ranges adopted. The completeness of papers and the untimely delivery by Communications on its documented accounting positions, increased the risk of material misstatements to the financial statements.

4.12.24 Following the machinery of government changes that transferred Communications functions to Infrastructure, Infrastructure has taken steps and planned to resolve this finding, primarily through development of a detailed financial statements preparation plan. The Plan outlines the requirements and key judgements expected to be captured in position papers and working papers to support the 30 June 2020 financial statements.

4.12.25 Given the expected timing of these position papers being prepared by Infrastructure this finding remains unresolved at the conclusion of the interim phase of the audit. The ANAO will review position papers in support of key estimates and judgements in the financial statements as part of the final phase of the 2019–20 audit.

Conclusion

4.12.26 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, and except for the findings outlined above, key elements of internal control were operating effectively to provide reasonable assurance that Infrastructure will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.13 Australian Postal Corporation

Overview

4.13.1 The Australian Postal Corporation (Australia Post) is a government business enterprise responsible for supplying postal services to Australia including the distribution of letters and parcels in Australia and internationally.

4.13.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, Australia Post has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: Australia Post’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Australia Post’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.13.3 Figure 4.13.1 shows the 2019–20 financial statement items reported by Australia Post and the key areas of financial statements risk.

Figure 4.13.1: Key financial statement items and areas of financial statements risk

 

 

Source: ANAO analysis and Australia Post’s financial statements for the year ended 30 June 2019.

4.13.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Australia Post’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Australia Post’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.13.3 and the ANAO’s understanding of the operations of Australia Post, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.13.5 The operational functions of Australia Post are largely funded from external sources, specifically revenue from parcel services, mail services and retail and agency services.

4.13.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹³⁵ funding was announced for entities. Australia Post has not requested nor been provided any supplementation funding due to COVID-19.

4.13.7 Table 4.13.1 and Table 4.13.2 provide a summary of the key 2018–19 audited financial statements items.

Table 4.13.1: Key expenses and total own-sourced income

Source: Australia Post’s 2018–19 audited financial statements.

Table 4.13.2: Key assets and liabilities

Note: Australia Post’s 2018–19 staffing level was 35,101.

Source: Australia Post Annual Report 2019 and financial statements for the year ended 30 June 2019.

Key areas of financial statements risk

4.13.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.13.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.13.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹³⁶ As at the interim phase, no additional financial statements risks have been identified for Australia Post. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.13.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for Australia Post and Australia Post’s 2018–19 audited financial statements.

4.13.10 Auditor-General Report No. 1 2019–20 Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities was tabled during July 2019 and was relevant to the financial management or administration of Australia Post.

4.13.11 The audit objective was to assess the effectiveness of the management of cyber security risks by Australia Post, ASC Pty Ltd and the Reserve Bank of Australia. Australia Post was found to not effectively manage cyber security risks. The ANAO recommended that Australia Post should continue to implement its cyber security improvement program and key controls across all its critical assets to enable cyber risks to be within its tolerance level. In light of the findings, the ANAO increased scrutiny over the key financial systems that Australia Post relies on to prepare the financial statements.

Audit results

4.13.12 The ANAO has substantially completed its 2019–20 interim audit coverage, including an assessment of the effectiveness of controls relating to: cash and cash equivalents; trade receivables; and property, plant and equipment. Interim coverage also included an assessment of the IT general controls and IT application controls of key systems supporting the financial statements. In addition, an assessment of the effectiveness of non-system controls relating to sales revenue, employee expenses and trade and other payables has also been completed, together with a significant body of substantive work regarding leases.

4.13.13 Audit procedures relating to all key areas of audit focus, including the valuation of the Australia Post Superannuation Scheme and the valuation of intangible assets, will be undertaken as part of the 2019–20 final audit.

4.13.14 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.13.15 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.14 NBN Co Limited

Overview

4.14.1 The primary objective of NBN Co Limited (NBN Co) is to provide wholesale services to internet service providers. NBN Co is a government business enterprise incorporated under the Corporations Act 2001.

4.14.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, NBN Co has implemented a range of measures, including requesting staff to work remotely where operational requirements allow. These working arrangements may impact: NBN Co’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and NBN Co’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.14.3 Figure 4.14.1 shows the 2019–20 financial statement items reported by NBN Co and the key areas of financial statements risk.

Figure 4.14.1: Key financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and NBN Co’s financial statements for the year ended 30 June 2019.

4.14.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NBN Co’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NBN Co’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.14.3 and the ANAO’s understanding of the operations of NBN Co’s, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

4.14.5 The operational functions of NBN Co are funded from the committed equity funding of $29.5 billion from the Australian Government as well as a loan agreement between the Australian Government and NBN Co of up to $19.5 billion, initially for the period from 1 July 2017 to 30 June 2021. The Commonwealth Government has extended the tenor of its loan by three years (from 30 June 2021 to 30 June 2024) and amended the terms of this loan to permit NBN Co to access up to $6.1 billion of private sector debt. NBN Co has since entered into facility agreements with the private sector to secure $6.1 billion of private sector debt for a period of five years.

4.14.6 To support its customers and the community during COVID-19, NBN Co has:

• established a $150.0 million fund to connect low income households with home schooling needs, support emergency and essential services, and assist small and medium sized business and residential customers facing financial hardship;
• enabled every Australian internet provider to order increased nbn network capacity of up to 40 per cent for up to five months at no additional cost; and
• introduced initiatives for up to five months, to support customers in regional and remote communities through increased data download limits for customers on Sky Muster services and for customers on Sky Muster Plus services, increased the range of applications that do not account to monthly data quotas.

4.14.7 Table 4.14.1 and Table 4.14.2 provide a summary of the key 2018–19 audited financial statements items.

Table 4.14.1: Key expenses and total own-sourced income

Source: NBN Co’s 2018–19 audited financial statements.

Table 4.14.2: Key assets and liabilities

Note: NBN Co’s staffing level as at 30 June 2019 was 6,400 inclusive of temporary contractors.

Source: NBN Co’s 2018–19 audited financial statements.

Key areas of financial statements risk

4.14.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.14.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.14.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹³⁷ The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.14.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for NBN Co and NBN Co’s 2018–19 audited financial statements.

Audit results

4.14.10 The ANAO has substantially completed its 2019–20 interim audit coverage, including an assessment of controls relating to: revenue and receivables; purchase and payables; payroll; inventory; treasury; fixed assets including lease management; and fair value reporting and accounting for the Telstra and Optus agreements.

4.14.11 Audit procedures relating to key processes and financial statement line items, including IT general and application controls, where appropriate, will be performed as a part of the planned 2019–20 final audit. In addition, we will perform audit procedures to assess the valuation of network assets.

4.14.12 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.14.13 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that NBN Co will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.15 Department of Parliamentary Services

Overview

4.15.1 The Department of Parliamentary Services (DPS) is responsible for supporting the Parliament through the provision of a range of services, including library, Hansard, broadcasting, telecommunications, building security and maintenance.

4.15.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, DPS has implemented a range of measures, including enabling staff to work remotely where operational requirements allow and restricting access to Parliament House to essential business, which has included restricting access to some pass holders. These working arrangements may impact: DPS’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and DPS’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.15.3 Figure 4.15.1 and Figure 4.15.2 show the 2019–20 departmental and administered financial statement items reported by DPS and the key area of financial statements risk.

Figure 4.15.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DPS’s 2019–20 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

Figure 4.15.2: Key administered financial statements items and area of financial statements risk

 

 

Source: ANAO analysis and DPS’s 2019–20 estimated actuals as reported in the 2019–20 Portfolio Budget Statements.

4.15.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DPS’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DPS’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key area of risk identified in Table 4.15.3 and the ANAO’s understanding of the operations of DPS, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.15.5 Annual appropriation funding of $141.7 million (departmental) and $62.2 million (administered) was provided to DPS in 2019–20 to support the achievement of the entity’s outcomes.¹³⁸

4.15.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹³⁹ funding was announced for entities. No funding was appropriated to DPS in 2019–20 for COVID-19.

4.15.7 Table 4.15.1 and Table 4.15.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.15.1: Key expenses and total own-sourced income

Source: DPS’s 2019–20 budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.15.2: Key assets and liabilities

Note: DPS’s estimated average staffing level for 2019–20 is 900.

Source: DPS’s 2019–20 budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.15.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The area highlighted for specific audit coverage in 2019–20 is provided in Table 4.15.3, and is considered a Key Audit Matters (KAM) by the ANAO.

4.15.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁴⁰ As at the interim phase, no additional financial statement risks have been identified for DPS. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.15.3: Key area of financial statements risk

Source: ANAO 2019–20 risk assessment for DPS and DPS’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.15.10 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: cash and asset management; payroll processing; and supplier expenses. In addition, the ANAO has undertaken testing of IT general controls over the financial management and human resource management information systems.

4.15.11 As part of the 2019–20 final audit, audit procedures will be performed over all material financial statement line items, including the valuation of non-financial assets.

4.15.12 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.15.13 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that DPS will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.16 Department of the Prime Minister and Cabinet

Overview

4.16.1 The Department of the Prime Minister and Cabinet (PM&C) is responsible for supporting the Prime Minister as the head of the Australian Government and the Cabinet; providing advice on major domestic policy and international national security matters; and improving he lives of Aboriginal and Torres Strait Islander peoples.

4.16.2 PM&C underwent a major restructuring on 1 July 2019, when its indigenous advancement functions were transferred to the newly created National Indigenous Australians Agency (NIAA). A significant portion of PM&C’s assets, liabilities, appropriations and staff were transferred to the NIAA. PM&C remains responsible for the Australian Government’s investments in Corporate Commonwealth Entities (CCEs) within the PM&C portfolio.

4.16.3 Consistent with the Australian Government’s response to the COVID-19 pandemic, PM&C has implemented a range of measures, including requesting staff to work remotely where operational requirements allow. These working arrangements may impact: PM&C’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and PM&C’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.16.4 Figure 4.16.1 and Figure 4.16.2 show the 2019–20 departmental and administered financial statement items reported by PM&C and the key areas of financial statements risk.

Figure 4.16.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and PM&C’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.16.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and PM&C’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.16.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on PM&C’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of PM&C’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key area of risk identified in Table 4.16.3 and the ANAO’s understanding of the operations of PM&C, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.16.6 Annual appropriation funding of $261.6 million (departmental) and $31.3 million (administered) was provided to PM&C in 2019–20 to support the achievement of the entity’s outcomes.¹⁴¹

4.16.7 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁴² funding was announced for entities. No funding was appropriated to PM&C in 2019–20 for COVID-19.

4.16.8 Table 4.16.1 and Table 4.16.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.16.1: Key expenses and total own-sourced income

Source: PM&C’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.16.2: Key assets and liabilities

Note: PM&C’s estimated average staffing level for 2019–20 is 926.

Source: PM&C’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.16.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The area highlighted for specific audit coverage in 2019–20 is provided in Table 4.16.3, and is considered a Key Audit Matters (KAM) by the ANAO.

4.16.10 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁴³ At completion of the interim audit phase, no additional financial statement risks have been identified for PM&C. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.16.3: Key area of financial statements risk

Source: ANAO 2019–20 risk assessment for PM&C, and PM&C’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.16.11 The ANAO has completed its 2019–20 interim audit coverage, including testing of IT general controls and testing of controls over: payments to suppliers; credit card expenditure; grants: work in progress assets; depreciation expense and payroll. ANAO also tested the transfer of non-financial assets and liabilities to the National Indigenous Australians Agency.

4.16.12 Audit procedures relating to the valuation of non-financial assets, the provision for former Governor-General’s cost and investments in Corporate Commonwealth Entities will be undertaken during the final audit phase.

4.16.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.16.14 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that PM&C will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.17 National Indigenous Australians Agency

Overview

4.17.1 The National Indigenous Australians Agency (NIAA) was established on 29 May 2019 by an executive order of the Governor-General. The primary functions of NIAA, which were previously performed by the Department of the Prime Minister and Cabinet (PM&C), are to:

• lead and coordinate Commonwealth policy development, program design and implementation and service delivery for Aboriginal and Torres Strait Islander peoples;
• provide advice to the Prime Minister and the Minister for Indigenous Australians on whole-of-government priorities for Aboriginal and Torres Strait Islander peoples;
• lead and coordinate the development and implementation of Australia’s Closing the Gap targets in partnership with Indigenous Australians; and
• lead Commonwealth activities to promote reconciliation.

4.17.2 NIAA relies on several Australian Government agencies for the IT infrastructure to make payments under its programs, and for a range of corporate services. The majority of NIAA’s assets and liabilities were transferred from the Department of the Prime Minister and Cabinet.

4.17.3 Consistent with the Australian Government’s response to the COVID-19 pandemic, NIAA has implemented a range of measures, including encouraging staff to work remotely where operational requirements allow. These working arrangements may impact: NIAA’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and NIAA’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.17.4 Figure 4.17.1 and Figure 4.17.2 show the 2019–20 departmental and administered financial statements items reported by NIAA and the key areas of financial statements risk.

Figure 4.17.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and NIAA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.17.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and NIAA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.17.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NIAA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NIAA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.17.3 and the ANAO’s understanding of the operations of NIAA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.17.6 Annual appropriation funding of $265.2 million (departmental) and $1,279.0 million (administered) was provided to NIAA in 2019–20 to support the achievement of the entity’s outcomes.¹⁴⁴ NIAA was also budgeted to receive special appropriation funding of $522.7 million.¹⁴⁵ The special appropriation funding is largely for payments, under the Aboriginal Land Rights (Northern Territory) Act 1976, to traditional landowners.

4.17.7 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁴⁶ funding was announced for entities. No funding was appropriated to NIAA in 2019–20 for COVID-19.

4.17.8 Table 4.17.1 and Table 4.17.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.17.1: Key expenses and total own-sourced income

Source: NIAA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.17.2: Key assets and liabilities

Note: NIAA’s estimated average staffing level for 2019–20 is 1,205.

Source: NIAA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.17.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.17.3 including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.17.10 The introduction to chapter four has outlines a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁴⁷ At completion of the interim audit phase, no additional financial statements risks have been identified for NIAA. The implications of the risks identified in chapter four are currently being considered by the ANAO, the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.17.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for NIAA and NIAA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.17.11 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: supplier payments; commencement and termination of staff; payroll; work in progress; the opening and closing of bank accounts; and IT general controls and application controls relating to key financial systems. The ANAO has also reviewed the transfer of assets and liabilities from PM&C to the NIAA.

4.17.12 Audit procedures relating to the valuation of non-financial assets will be undertaken during the final audit phase. To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.

Conclusion

4.17.13 Based on our interim audit coverage, which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that NIAA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.18 Department of Social Services

Overview

4.18.1 The Department of Social Services (DSS) is responsible for social security, families and communities, disability and carers and housing. DSS works in partnership with other government¹⁴⁸ and non-government organisations, on a range of policies, programs and services focused on improving the wellbeing of people and families in Australia.

4.18.2 DSS provides shared services arrangements to other entities through the Community Grants Hub.

4.18.3 From 1 February 2020, as a result of an Administrative Arrangement Order (AAO), Services Australia (formerly known as the Department of Human Services) was established as a new Executive Agency within the Social Services Portfolio. Effective 6 February 2020: the Information Technology Group functions and staff transferred from DSS to Services Australia; and the National Redress Scheme Branch and the administered investment for Hearing Australia transferred to DSS from Services Australia.

4.18.4 Consistent with the Australian Government’s response to the COVID-19 pandemic, DSS has implemented a range of measures, including requesting staff to work remotely where operational requirements allow. These working arrangements may impact: DSS’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and DSS’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.18.5 Figure 4.18.1 and Figure 4.18.2 show the 2019–20 departmental and administered financial statement items reported by DSS and the key areas of financial statements risk.

Figure 4.18.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DSS’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.18.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and DSS’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.18.6 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DSS’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DSS’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.18.3 and the ANAO’s understanding of the operations of DSS, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.18.7 Annual appropriation funding of $461.8 million (departmental) and $9.7 billion (administered) was provided to DSS in 2019–20 to support the achievement of the entity’s outcomes.¹⁴⁹ DSS was also budgeted to receive special appropriation funding of $113.7 billion¹⁵⁰ which relates to payment of personal benefits under the social security and families and communities outcomes.

4.18.8 DSS administers the assessment and oversight functions for national partnership payments to State and Territory Governments on behalf of the Department of the Treasury relating to: Social Impact Investment, Social and Community Sector, transition to the National Disability Insurance Scheme and National Housing and Homelessness. Whilst these payments are recorded in the Treasury financial statements, the compliance with conditional requirements and payment certificate approval processes are undertaken by DSS.

4.18.9 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁵¹ funding was announced for entities. No funding was appropriated to DSS in 2019–20 for COVID-19.

4.18.10 Table 4.18.1 and Table 4.18.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.18.1: Key expenses and total own-sourced income

Source: DSS’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.18.2: Key assets and liabilities

Note: DSS’s estimated average staffing level for 2019–20 is 2,035.

Source: DSS’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.18.11 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.18.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.18.12 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁵² The ANAO has also identified changes impacting on an existing higher risk for DSS’s financial statements relating to personal benefits expenses. The changes relate to the suspension of the Random Sample Survey compliance process for personal benefits for the period March 2020 to June 2020 (Trimester 3), and stimulus measures that are being administered by DSS (such as the expansion of Job-Seeker payments and relaxing of the eligibility criteria for the payment) including any new manual or automated processes or controls that are implemented by DSS, or Services Australia, to administer the payments. The implications of these changes are in the process of being considered by the ANAO and as a result have not been included in Table 4.18.3. The key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.18.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for DSS, and DSS’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.18.13 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the IT general controls relating to: financial management, human resources information, and grant management systems; and compliance and assurance processes relating to personal benefits and disability services. Audit coverage has also been completed on the processes relating to: grants; cash; appropriations; special accounts; asset management; payroll processing; suppliers’ expenses; departmental revenue; and payments on behalf of other entities.

4.18.14 Audit procedures relating to the assessment of the valuation of personal benefits asset and liability balances will be undertaken as part of the planned 2019–20 audit. This includes the valuation of investments and testing of the application controls for the IT systems that process payments related to personal benefits, disability services and grants.

4.18.15 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.18.16 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that DSS will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.19 Services Australia

Overview

4.19.1 Services Australia has responsibility for delivering a range of payments and services to support individuals, families and communities, as well as providers and businesses. These include income support payments and services, aged care payments, Medicare payments and services, and child support services.

4.19.2 From 1 February 2020, as a result of an Administrative Arrangements Order (AAO), Services Australia (formerly known as Department of Human Services) was established as a new Executive Agency within the Social Services Portfolio. Effective 6 February 2020: the Information Technology Group functions and staff transferred to Services Australia from the Department of Social Services (DSS); and the National Redress Scheme Branch, and the administered investments for Hearing Australia transferred from Services Australia to DSS.

4.19.3 Consistent with the Australian Government’s response to the COVID-19 pandemic, Services Australia has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: Service Australia’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Service Australia’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.19.4 Figure 4.19.1 and Figure 4.19.2 show the 2019–20 departmental and administered financial statements items reported by Services Australia and the key areas of financial statements risk.

Figure 4.19.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Services Australia’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.19.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Services Australia’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.19.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Services Australia’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Services Australia’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.19.3 and the ANAO’s understanding of the operations of Services Australia, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.19.6 Annual appropriation funding of $5.4 billion¹⁵³ (departmental) and $1.6 million (administered) was provided to Services Australia in 2019–20 to support the achievement of the entity’s outcomes.¹⁵⁴ Services Australia was also budgeted to receive special appropriation funding of $0.3 million¹⁵⁵ relating to refunds under the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

4.19.7 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁵⁶ funding was announced for entities. As part of that funding Services Australia was provided $321.0 million in 2019–20 to deliver the Government’s economic stimulus initiatives, which includes the Coronavirus Supplement, the Economic Support Payment and the changes to the Job Seeker program. Services Australia’s current year COVID-19 appropriations has been provided on a no-win, no-loss basis, and any of the unspent funding at 30 June 2020 will be quarantined by the Department of Finance and returned to Government.

4.19.8 Table 4.19.1 and Table 4.19.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.19.1: Key expenses and total own-sourced income

Source: Services Australia’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.19.2: Key assets and liabilities

Note: Services Australia’s estimated average staffing level for 2019–20 is 27,325.

Source: Services Australia’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.19.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.19.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.19.10 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁵⁷ As at the interim phase, no additional financial statements risks have been identified for Services Australia. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.19.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for Services Australia and the 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.19.11 As referenced at paragraph 4.19.1, Services Australia delivers payments on behalf of the Departments of Social Services, Health and a number of other Commonwealth entities. These payments are reported in the respective entities’ financial statements and are budgeted to be approximately $190.0 billion in 2019–20. The areas highlighted for specific audit coverage for these payments for 2019–20 are outlined in this report against the individual responsible entity.

4.19.12 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No. 30 2019–20 Bilateral Agreement Arrangements Between Services Australia and Other Entities did not include recommendations regarding risks to Services Australia’s financial administration as it relates to the financial statements. However, the observations of this report were considered in designing audit procedures.

Audit results

4.19.13 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls in relation to areas of audit focus and IT controls over security and change management of the financial management and human resource management information system.

4.19.14 As part of the 2019–20 final audit, the ANAO will also assess the controls over social services and health related payments made by Services Australia on behalf of other Commonwealth entities, including associated compliance and quality assurance activities. In addition, the ANAO’s final audit coverage will include the valuation of child support debts and non-financial assets, particularly intangibles.

4.19.15 The following table summarises the status of audit findings reported by the ANAO in 2018–19 and 2019–20.

Table 4.19.4: Status of audit findings raised by the ANAO

New moderate audit finding

IT Security Governance

4.19.16 Services Australia has a complex IT environment made up of a suite of systems hosted across different IT platforms such as mid-range and mainframe to support business objectives. The overall effectiveness of the IT control environment forms a significant component of the overall integrity and reliability of financial transactions, which links closely with Services Australia’s strategic risks. For the 2019–20 audit, the ANAO identified weaknesses in the implementation and operation of the governance and monitoring processes that support Services Australia’s information security framework.

4.19.17 Weaknesses in Services Australia’s information security framework, could result in broader cyber security, access management, business and financial risks being inadequately managed across the agency. This could lead to inappropriate system access and insufficient monitoring of high risk activities, resulting in the failure to detect inappropriate access or activity that compromise the integrity of payments and financial data.

4.19.18 During the interim audit, the ANAO noted the following issues:

• within Services Australia’s IT environment, there are gaps in documentation to support the assessment of risk, identification of controls to mitigate assessed risks, and evidence of reporting and monitoring over the implementation of controls for key systems;
• the status of accreditation or risk assessments for critical financial systems have not been updated in the last two years. This includes the update of System Threat Risk Analysis, System Security Plans, and System Operating Procedures; and
• security and user access related observations across multiple applications, including in relation to user revalidation and privileged user functions.

4.19.19 Based on the above, the governance and monitoring processes are not operating effectively. The ANAO recommended that governance and monitoring processes are strengthened to include the review and reporting of adherence to Services Australia’s Cyber Security Information Services Manual. Services Australia has acknowledged the recommendation and are in the process of drafting a response. This area will be reviewed during the final phase of the audit.

Conclusion

4.19.20 Based on our interim audit coverage which was largely conducted in a pre COVID-19 environment, and except for the finding outlined above, key elements of internal control were operating effectively to provide reasonable assurance that Services Australia will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.20 National Disability Insurance Scheme Launch Transition Agency

Overview

4.20.1 The National Disability Insurance Scheme Launch Transition Agency (NDIA), which commenced operations on 1 July 2013, was established under the National Disability Insurance Scheme Act 2013. The NDIA is responsible for delivering the National Disability Insurance Scheme (NDIS). The NDIS is designed to provide individual control and choice in the delivery of reasonable and necessary care and support; to improve the independence, social and economic participation of eligible people with disability, their families and carers; and to provide associated referral services and activities.

4.20.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, NDIA has implemented a range of measures, including requesting staff to work remotely where operational requirements allow. These working arrangements may impact: NDIA’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and NDIA’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.20.3 Figure 4.20.1 shows the 2019–20 financial statement items reported by NDIA and the key areas of financial statements risk.

Figure 4.20.1: Key financial statement items and areas of financial statements risk

 

 

Source: ANAO analysis and NDIA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.20.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NDIA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NDIA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.20.3 and the ANAO’s understanding of the operations of NDIA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.20.5 Annual funding of $17.6 billion is estimated to be provided to NDIA in 2019–20 to support the achievement of NDIA’s outcomes. The funding comprises $1.4 billion¹⁵⁸ appropriations from the Commonwealth government for operating costs, $14.3 billion from Commonwealth, state and territory governments for participant costs, and $1.9 billion services provided in-kind to participants from the Commonwealth, state and territory governments.

4.20.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, the NDIA has:

• made an advance payment to registered providers where supports are provided to Agency managed participants. The advance payment must be repaid by providers, with approximately $587.0 million already paid to just under 5,000 providers;
• applied a 10 per cent price loading on specified supports. The 10 per cent price increase is expected to cost $510 million over six months, with approximately $300 million impacting in 2019–20; and
• increased the cancelation payment from 90 per cent to 100 per cent, under specific terms and conditions.

4.20.7 Table 4.20.1 and Table 4.20.2 provide a summary of the key 2019–20 estimated financial statements items.

Table 4.20.1: Key expenses and total own-sourced income

Source: NDIA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.20.2: Key assets and liabilities

Note: NDIA’s estimated average staffing level for 2019–20 is 3,780.

Source: NDIA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.20.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.20.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.20.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁵⁹ As at the interim phase, no additional financial statements risks have been identified for NDIA. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.20.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for NDIA, and NDIA’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.20.10 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: the NDIA’s IT general controls over security and change management; processes relating to cash; payroll processing; suppliers expenses; grants expenses; and participant expenses.

4.20.11 Audit coverage of the application controls in the financial management and human resource management information systems and the Customer Relationship Management (CRM) system will be completed prior to the final phase of the 2019–20 audit.

4.20.12 Audit procedures relating to the valuation of the participant provision, the completeness and accuracy of in-kind revenue and our review of the NDIA’s quality assurance framework supporting participant expenses will be undertaken as part of the planned 2019–20 final audit.

4.20.13 The following table summarises the status of audit findings reported by the ANAO in 2018–19 and 2019–20.

Table 4.20.4: Status of audit findings raised by the ANAO

Unresolved moderate audit finding

Streamlined Access to Scheme — Defined Programs

4.20.14 Streamlined access processes for participants were introduced to facilitate the timely transition of large numbers of people into the NDIS. One of the streamlined pathways is through Defined Programs. Defined Programs are existing Commonwealth, state, and territory disability support programs that have been assessed by the NDIA as having eligibility requirements that align with NDIS access requirements. People currently receiving support from a Defined Program are automatically deemed eligible for the NDIS, as long as they meet the age and residence requirements.

4.20.15 The Commonwealth, state and territory governments provide information to the NDIA on existing disability clients transitioning into the NDIS in accordance with an agreed data standard, including if a potential participant is a participant in a Defined Program.

4.20.16 Due to the reliance on state and territory information and the limited access review processes for participants once they have been accepted as eligible, there is an increased risk of ineligible participants entering the NDIS and not being identified as ineligible in a timely manner. A mitigation strategy had not been implemented to address this risk.

4.20.17 The NDIA has advised that an enhanced eligibility reassessment process was implemented in March 2020 and will form part of all future participant plan reviews. This process is designed to identify participants who may no longer meet eligibility requirements of residency and disability and require a reassessment of their eligibility to the NDIS. As this process is applied to all participants it will include participants who entered the NDIS through a Defined Program. The ANAO will monitor the NDIA’s progress in implementing the enhanced eligibility reassessment processes and review the results of NDIA’s post implementation report as part of the final phase of the 2019–20 financial statements audit.

Conclusion

4.20.18 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, and except for the finding outlined above, key elements of internal control were operating effectively to provide reasonable assurance that NDIA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.21 Department of the Treasury

Overview

4.21.1 The Department of the Treasury (Treasury) is responsible for the development, delivery and implementation of economic analysis and authoritative policy advice issues such as: the economy; budget; taxation; financial; foreign investment; structural policy; superannuation; small business; housing affordability and international economic policy. The Treasury also works with State and Territory governments on key policy areas, as well as managing federal financial relations.

4.21.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, Treasury has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: Treasury’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and Treasury’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.21.3 Figure 4.21.1 and Figure 4.21.2 show the 2019–20 departmental and administered financial statements items reported by Treasury and the key areas of financial statements risk.

Figure 4.21.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Treasury’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.21.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and Treasury’s 2019–20 revised budget as reported in the 2019–20 Portfolio Budget Additional Estimates Statements.

4.21.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Treasury’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Treasury’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.21.3 and the ANAO’s understanding of the operations of Treasury, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.21.5 Annual appropriation funding of $221.8 million (departmental) and $273.4 million (administered) was provided to Treasury in 2019–20 to support the achievement of the entity’s outcomes.¹⁶⁰ Treasury was also budgeted to receive special appropriation funding of $90.4 billion¹⁶¹, the majority of which relates to payments under the Federal Financial Relations Act 2009.

4.21.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁶² funding was announced for entities. No funding has been appropriated to Treasury in 2019–20 for COVID-19, however, funding will be sourced for the National Communications Campaign.

4.21.7 Table 4.21.1 and Table 4.21.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.21.1: Key expenses and total own-sourced income

Source: Treasury’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.21.2: Key assets and liabilities

Note: Treasury’s estimated average staffing level for 2019–20 is 948.

Source: Treasury’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.21.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.21.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.21.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁶³ As at the interim phase, no additional financial statements risks have been identified for Treasury. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.21.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for Treasury, and Treasury’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.21.10 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: cash and asset management, payroll processing, revenue and receivables, supplier expenses and appropriations. Audit coverage also included an assessment of the IT general controls.

4.21.11 Interim audit coverage has also been completed over program management and eligibility managed by other entities and the Treasury’s internal payment processes for National Partnership Payments made under the Federal Financial Relations Act 2009.

4.21.12 Audit procedures relating to: the valuation of NDRRA; administered investments and transactions relating to the NHFIC will be undertaken as part of the 2019–20 final audit. Procedures will also be undertaken over the assurance processes for payments made under the Federal Financial Relations Act 2009, including those yet to be completed relating to the National Partnership Payments.

4.21.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings

Conclusion

4.21.14 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that Treasury will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.22 Australian Office of Financial Management

Overview

4.22.1 The Australian Office of Financial Management (AOFM) is responsible for managing Australian Government debt and financial assets and the issuing of Treasury bonds, Treasury indexed bonds and Treasury notes into the financial markets.

4.22.2 AOFM is also responsible for the recently created Australian Business Securitisation Fund (ABSF), a $2 billion fund with the aim of improving access to, and the cost of finance to small and medium enterprises (SMEs). AOFM will be making investments from the Fund in securitisations of loans made by SME lenders.

4.22.3 A new fund, to be administered by AOFM, was established by Parliament on 24 March 2020. The Structured Finance Support Fund is a $15 billion fund to enable the Government to support continued access to funding markets for small to medium enterprises impacted by the effects of COVID-19. The first transaction of $190 million occurred the week the fund was established.

4.22.4 Consistent with the Australian Government’s response to the COVID-19 pandemic, AOFM has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: AOFM’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and AOFM’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.22.5 Figure 4.22.1 and Figure 4.22.2 show the 2019–20 departmental and administered financial statement items reported by AOFM and the key areas of financial statements risk.

Figure 4.22.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and AOFM’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.22.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and AOFM’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.22.6 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on AOFM’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AOFM’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.22.3 and the ANAO’s understanding of the operations of AOFM, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.22.7 Annual departmental appropriation funding of $14.2 million was provided to AOFM in 2019–20 to support the achievement of the entity’s outcomes.¹⁶⁴ AOFM was also budgeted to receive administered special appropriation funding of $442.7 billion¹⁶⁵, which provides for the payment of principal and interest on debt managed by AOFM and for the purchase of investments.

4.22.8 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁶⁶ funding was announced for entities. AOFM was provided an administered special appropriation of $15 billion in 2019–20 for the Structured Finance Support Fund.¹⁶⁷

4.22.9 Table 4.22.1 and Table 4.22.2 provide a summary of the key 2019–20 departmental and administered estimated financials statements items.

Table 4.22.1: Key expenses and total own-sourced income

Source: AOFM’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.22.2: Key assets and liabilities

Note: AOFM’s estimated average staffing level for 2019–20 is 47.

Source: AOFM’s 2019–20 budget as reported in the 2019–20 Portfolio Additional Estimates Statements

Key areas of financial statements risk

4.22.10 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.22.3, including the areas which were considered a Key Audit Matter (KAM) by the ANAO.

4.22.11 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁶⁸ As at the interim phase, no additional financial statements risks have been identified for AOFM. The implications of the risks identified in chapter four are currently being considered by the ANAO, and the key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.22.3: Key areas of financial statements risk

Note a: $250 million of funding has been allocated by the Government for 2019–20. As at 30 April 2020, no investments have been made.

Note b: $15 billion was appropriated for the Structured Finance Support Fund. As at 30 April 2020, $193 million has been invested.

Source: ANAO 2019–20 risk assessment for the AOFM and the AOFM’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.22.12 The ANAO 2019–20 interim audit coverage is substantially complete, including an assessment of the controls relating to: the authorisations of new tenders, debt coupon payments and redemptions; debt buybacks; and the review of market valuations of debt, appropriations, and payroll processes. Payroll process controls, and IT and general application controls coverage specific to debt management are currently being finalised.

4.22.13 The final stage of the 2019–20 audit will include procedures relating to: the valuation of Australian Government securities, investments from the Australian Business Securitisation Fund and the Structured Finance Support Fund, loans to state and territories and term deposits; appropriations; employee benefits; and supplier expenses.

4.22.14 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.22.15 Based on our interim audit coverage which was largely conducted in a pre COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that AOFM will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.23 Australian Taxation Office

Overview

4.23.1 The Australian Taxation Office’s (ATO’s) core areas of responsibility are managing and shaping tax, excise and superannuation systems that fund services for Australians, together with the provision of support to the Tax Practitioners Board, the Australian Business Register and the Australian Charities and Not-for-profits Commission.

4.23.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, the ATO has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: ATO’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and the ATO’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.23.3 Figure 4.23.1 and Figure 4.23.2 show the 2019–20 departmental and administered financial statements items reported by ATO and the key areas of financial statements risk.

Figure 4.23.1: Key departmental financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and ATO’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Figure 4.23.2: Key administered financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and ATO’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

4.23.4 The ANAO’s audit approach identifies key areas of risk that have the potential to materially impact on ATO’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items in the context of the ATO’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.23.3 and the ANAO’s understanding of the operations of ATO, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

4.23.5 Annual appropriation funding of $3.7 billion (departmental) and $7.8 million (administered) was provided to ATO in 2019–20 to support the achievement of the entity’s outcomes.¹⁶⁹ ATO is also budgeted to receive special appropriation funding of $12.4 billion¹⁷⁰ for administered subsidies including: fuel tax credits, research and development tax incentive, and Australian Screen Production Incentive; and estimated tax refunds, items worth $106.8 billion, which includes $290 million collected on behalf of the ATO by the Department of Home Affairs (Home Affairs) for the Tourist Refund Scheme (TRS) under Section 16 of the Tax Administration Act.¹⁷¹

4.23.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, additional multi-year¹⁷² funding was announced for entities. While no additional specific funding was appropriated to the ATO in 2019–20 for COVID-19, the special appropriation under Section 16 of the Tax Administration Act 1953 was expanded to include the JobKeeper payment and the Cash Flow Boost Payment.

4.23.7 Table 4.23.1 and Table 4.23.2 provide a summary of the key 2019–20 departmental and administered estimated financial statements items.

Table 4.23.1: Key expenses and total own-sourced income

Source: ATO’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Table 4.23.2: Key assets and liabilities

Note: ATO’s estimated average staffing level for 2019–20 is 17,115.

Source: ATO’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Key areas of financial statements risk

4.23.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.23.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.23.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁷³ On the 23 and 30 March 2020, in response to the COVID-19 pandemic, major stimulus packages were announced which are to be administered by the ATO. The new systems and processes were under development at the time of our interim audit. The key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.23.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for ATO, and ATO’s 2019–20 revised budget as reported in the 2019–20 Portfolio Additional Estimates Statements.

Audit results

4.23.10 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to the ATO’s business operations which incorporated ATO’s key financial administration systems and its key revenue collection processes.

4.23.11 Audit procedures relating to the ANAO’s interim audit coverage included an assessment of the ATO’s IT general controls and departmental application controls. The assessment included: logical security; change and release management and controls in the ATO’s financial management information system; human resource management information system; and other key administered financial systems.

4.23.12 In late December 2019 the ATO implemented a major project called the Activity Statement Financial Processing (ASFP). The project involved the data migration of the system used to process Activity Statements, including GST, into the Integrated Core Processing (ICP) system that processes Income Tax Returns. During the 2019–20 final audit the ANAO will review and assess the implementation of the system changes.

4.23.13 The ANAO will also finalise the assessment of the complex manual processes for financial reporting and coverage over the ATO’s external compliance program as part of the 2019–20 final audit. The ANAO will also conduct further testing on the effective operation of the ATO’s IT application controls during the 2019–20 final audit.

4.23.14 The interim audit work has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.23.15 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that ATO will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.

4.24 Reserve Bank of Australia

Overview

4.24.1 The objective of the Reserve Bank of Australia (RBA) is to determine and implement monetary policy, work to maintain a strong financial system, and issue the nation’s currency. As well as being a policy making body, the RBA provides selected banking services to a range of Australian Government entities and to a number of overseas central banks and official institutions. The RBA is also responsible for the management of Australia’s gold and foreign exchange reserves.

4.24.2 Consistent with the Australian Government’s response to the COVID-19 pandemic, the RBA has implemented a range of measures, including enabling staff to work remotely where operational requirements allow. These working arrangements may impact: the RBA’s internal control environment; the ANAO’s assessment of whether controls have been implemented and are operating effectively for the full year; and the RBA’s ability to produce financial statements that are free from material misstatement. The ANAO will consider any changes to the control environment as part of the remaining audit procedures for the 2019–20 audit.

4.24.3 Figure 4.24.1 shows the 2018–19 financial statement items reported by RBA and the key areas of financial statements risk.

Figure 4.24.1: Key financial statements items and areas of financial statements risk

 

 

Source: ANAO analysis and RBA’s financial statements for the year ended 30 June 2019.

4.24.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on RBA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of RBA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk identified in Table 4.24.3 and the ANAO’s understanding of the operations of RBA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

4.24.5 The operational functions of the RBA are funded from: net interest income earnings; net gains on securities and foreign exchange; and fees and commissions income.

4.24.6 Under the Government’s economic stimulus measures designed to support the economy as a result of COVID-19, the RBA:

• is purchasing Government bonds in the secondary market with a view to targeting a yield on 3-year Australian Government bonds of around 0.25 per cent, to help lower funding costs across the economy; and
• has provided a term funding facility (TFF), the objective of which is to lower funding costs for the entire banking system so that the cost of credit to households and businesses is low, and to provide an incentive for lenders to support credit to businesses, especially small and medium-sized businesses. Under the TFF, authorised deposit-taking institutions (ADIs) in total have access to at least $90 billion in funding from the RBA. The funding is for three years at a fixed interest rate of 0.25 per cent. ADIs are also able to borrow additional funds from the RBA if they increase credit to business this year.

4.24.7 Table 4.24.1 and Table 4.24.2 provide a summary of the key 2018–19 audited financial statements items.

Table 4.24.1: Key expenses and total own-sourced income

Source: RBA’s 2018–19 audited financial statements.

Table 4.24.2: Key assets and liabilities

Note: RBA’s estimated average staffing level for 2018–19 is 1,370.

Source: RBA’s 2018–19 audited financial statements.

Key areas of financial statements risk

4.24.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. Areas highlighted for specific audit coverage in 2019–20 are provided in Table 4.24.3, including areas which were considered Key Audit Matters (KAM) by the ANAO.

4.24.9 The introduction to chapter four has outlined a number of key financial statements risk areas arising from the COVID-19 situation that may impact the ANAO’s assessment of audit risk and the planned audit approach.¹⁷⁴ In addition to the risks identified in chapter four, the ANAO has identified specific risks for the RBA’s financial statements relating to the introduction of the term funding facility and the increase in volume of Australian bond holdings. The implications of these risks are in the process of being considered by the ANAO and as a result have not been included in Table 4.24.3. The key areas of financial statements risk will continue to be assessed throughout the audit cycle and where necessary the audit approach will be revised.

Table 4.24.3: Key areas of financial statements risk

Source: ANAO 2019–20 risk assessment for RBA, and RBA’s 2018–19 audited financial statements.

Audit results

4.24.10 The ANAO has completed its 2019–20 interim audit coverage, including an assessment of the controls relating to: the initiation and authorisation of Australian dollar and foreign currency investments; the return and issuance of Australian banknotes on issue; the processing of term deposits; and key IT controls over change management.

4.24.11 Audit procedures over the effectiveness of key controls for the remaining areas of audit focus will be undertaken as part of the 2019–20 final audit. This includes an assessment of the effectiveness of controls relating to: payments and settlements including those arising from trading activities in overseas offices; financial administration; user access management on core IT systems, and investment portfolio pricing controls.

4.24.12 In addition, detailed testing procedures relating to: the accuracy of net gains on security and foreign exchange; the valuation of foreign currency and Australian dollar investments and deposits; and accuracy of Australian banknotes on issue will be performed as part of the 2019–20 final audit.

4.24.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2018–19 audit also did not identify any significant or moderate audit findings.

Conclusion

4.24.14 Based on our interim audit coverage which was largely conducted in a pre-COVID-19 environment, key elements of internal control were operating effectively to provide reasonable assurance that the RBA will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year and the impact of any changes in the control environment arising subsequent to the completion of the interim audit, will be assessed during the 2019–20 final audit.