1. The ANAO prepares two reports annually that provide insights at a point in time to the financial statements risks, governance arrangements and internal control frameworks of Commonwealth entities, drawing on information collected during our audits. These reports explain how entities’ internal control frameworks are critical to executing an efficient and effective audit and underpin an entity’s capacity to transparently discharge its duties and obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Deficiencies identified during ANAO audits, posing a significant or moderate risk to entities’ ability to prepare financial statements free from material misstatements, are reported.

2. This report is the first of the two reports and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2021–22 financial statements audits. This report examines 25 entities, including all departments of state and a number of major Australian government entities. The majority of entities included in the report are selected on the basis of their contribution to the income, expenses, assets and liabilities of the 2020–21 Consolidated Financial Statements (CFS).

Understanding the entity

3. The interim audit phase includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. At the completion of interim audits for the 25 entities included in this report, the key elements of internal control were assessed as operating effectively for 18 entities. For five entities, except for particular finding/s outlined in chapter 3, the key elements of internal control are operating effectively to support the preparation of financial statements that are free from material misstatement. For the remaining two entities, the findings reported reduced the level of confidence that can be placed on the key elements of internal control supporting the preparation of the financial statements free from material misstatement.

Audit committees

4. The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) sets out reporting requirements for entities in relation to their audit committees. In February 2020, changes were made to the PGPA Rule that introduced requirements for specific audit committee information to be included in entity annual reports for reporting periods beginning 1 July 2019. Analysis of 2020–21 entity annual reports identified improved compliance with the mandatory reporting requirements of the PGPA Rule relating to the disclosure of audit committee members’ names; member qualifications, skills and experience; member attendance at meetings; and member remuneration. There has been a decrease in compliance relating to the disclosure of a direct address to the audit committee charter.

5. The PGPA Rule was further amended with regard to the composition of audit committee membership from 1 July 2021. This included requirements where an entity could not have an official of the entity as a member and for non-corporate Commonwealth entities, the majority of members must be persons who are not officials of any Commonwealth entity. Analysis of these new audit committee membership requirements noted one non-corporate Commonwealth entity and one corporate Commonwealth entity that had officials of the entity as audit committee members after 1 July 2021. There was one non-corporate Commonwealth entity where the majority of members were officials of Commonwealth entities.

6. As part of the analysis, the ANAO noted seven non-corporate Commonwealth entities where audit committees did not have the minimum required number of members for a period of time between 1 July 2021 and 25 March 2022.

Safeguarding financial information from cyber threats

7. The Protective Security Policy Framework (PSPF) contains the Essential Eight mitigation strategies and recommends controls intended to strengthen cyber resilience and the capacity of Government to mitigate cyber threats. Review of entities’ current implementation and compliance with these strategies found that there have been noted improvements in reported maturity levels since the 2020–21 assessment.

Summary of audit findings

8. A total of 62 findings were reported to the entities included in this report at the end of the interim audits, comprising one significant, 14 moderate, 45 minor and two legislative findings. This is a small overall increase in the number of findings reported with an increase in significant, moderate and legislative findings from the prior year interim phase. There has been a decrease in the total number of minor findings compared to the 2020–21 interim audit results.

9. Fifty-eight per cent of all findings relate to the management of IT controls, particularly the management of user terminations, logging and monitoring of privileged users, and password management.

Reporting and auditing frameworks

Summary of developments

10. From 1 July 2021, a new standard AASB 1060 General Purpose Financial Statements – Simplified Disclosures for For-Profit and Not-for-Profit Tier 2 entities applied. The changes to disclosures for Tier 2 Commonwealth entities was minimal, with the recognition and measurement requirements in other Australia Accounting Standards (AAS) retained.

11. In continued support of a more flexible and agile audit approach, the ANAO continues to employ remote access where the entities consent to this arrangement, or where it is more efficient to do so.

Department of Social Services operations of Community Grants Hub

12. ANAO completed an analysis of the Department of Social Services’ (DSS) Community Grants Hub (CGH) data, to assess the grants administration compliance with the selected legislative requirements and consistency with selected business processes for grant activities administered between 1 July 2016 and 31 December 2021.

13. Where data was available, the ANAO analysis concluded there was a high level of compliance with the selected legislative requirements and a high level of consistency with the selected standard business processes of the CGH.

Cost of this report

14. The cost to the ANAO of producing this report is approximately $320,000.

Introduction

1.1 The ANAO publishes an Annual Audit Work Program (AAWP) which reflects the ANAO’s strategy and deliverables for the forward year. The purpose of the AAWP is to inform the Parliament, the public and government sector entities of the ANAO’s planned audit coverage for Australian Government entities by way of financial statements audits, performance audits, performance statements audits and other assurance activities.

1.2 The financial statements audit coverage, as outlined in the AAWP, includes presenting two reports to the Parliament addressing the outcomes of the financial statements audits of Australian Government entities and the Consolidated Financial Statements of the Australian Government (CFS). These reports provide Parliament with an independent examination of the financial accounting and reporting of Commonwealth public sector entities.

1.3 This report focuses on the results of the interim audits of 25 entities including an assessment of key internal controls supporting the 2021–22 financial statements. The assessment includes a review of the governance arrangements related to entities’ financial reporting responsibilities and the design and implementation of key internal controls relating to significant business processes. Where the auditor plans to rely upon key controls for assurance that financial statements are free from material misstatement, the controls are tested for operating effectiveness. Testing of controls during the interim audit phase allows the ANAO to form a conclusion on the operating effectiveness of those controls for the period up to the date of testing. During the final phase of the 2021–22 financial statements audit, the ANAO completes testing over the operating effectiveness of those controls it intends to rely upon, and also controls not assessed at interim. The second report presents the final results of the financial statements audits of the CFS and all Australian Government entities.

1.4 The entities included in this report are those entities that contribute significantly to the three sectors of the CFS: the General Government Sector (GGS), Public Non-Financial Corporation (PFNC) sector and Public Financial Corporation (PFC) sector. A listing of these entities is provided in Appendix 1.

1.5 The ANAO conducts its financial statements audits in four phases: planning, interim, final and completion. Figure 1.1 outlines the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

Source: ANAO data.

1.6 A central element of the ANAO’s financial statements audit methodology, and the focus of the planning phase of ANAO audits, is a sound understanding of an entity’s environment and internal controls relevant to assessing the risk of material misstatement in the financial statements. This understanding informs the ANAO’s audit approach, including the reliance that may be placed on entity systems to produce financial statements that are free from material misstatement.

1.7 In accordance with generally accepted auditing practice, the ANAO accepts a low level of risk that an audit will fail to detect the financial statements are materially misstated. This low level of risk is accepted because it is too costly to perform an audit that is predicated on no level of risk. An understanding of the entity, its environment and its controls, helps the ANAO design the required work and respond to risks that bear on financial reporting. The key areas of financial statements risks identified through this planning approach are discussed in chapter 3 for each entity included in this report.

1.8 A key component of understanding the entity and its environment is to understand the governance arrangements established by its accountable authority.¹ Accountable authorities of all Commonwealth entities and companies subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) are required to govern their entity in a way that promotes the proper use and management of public resources, the achievement of the purposes of the entity and the entity’s financial sustainability.

1.9 The development and implementation of effective corporate governance arrangements and internal controls should be designed to meet the individual circumstances of each entity. These processes also assist in the orderly and efficient conduct of the entity’s business and compliance with applicable legislative requirements, including the preparation of annual financial statements that present fairly the entity’s financial position, financial performance and cash flows.

Understanding the entity

1.10 The ANAO uses the framework in the Australian Auditing Standards (ASA) 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment to consider the impact of different elements of an entity’s internal controls that support the preparation of financial statements. This approach provides a basis for designing and implementing the audit work program that reflects the ANAO’s assessment of the risk of material misstatement. Deficiencies in the internal control framework increase the requirement of the ANAO to perform additional audit work in the final audit phase. Figure 1.2 outlines these elements.

Figure 1.2: Elements of entity internal controls

Source: ASA 315 Identifying and assessing the risk of material misstatement through understanding the entity and its environment, paragraph A59.

1.11 This chapter discusses each of these elements and outlines observations based on the ANAO’s review of aspects of each entity’s internal controls, relevant to the risk of material misstatement to the financial statements, including the detailed results of the interim audits.

1.12 At the completion of the interim audits for the 25 entities included in this report, the ANAO noted that key elements of internal control were operating effectively for 18 entities. For the remaining seven entities, five² were assessed as having internal controls that were operating effectively except for a particular finding which will be outlined in chapter three. For two entities³ the assessment of the operating effectiveness of their internal controls indicated a reduced level of confidence can be placed due to either having a significant finding or number of moderate findings.

1.13 The key elements of internal control for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audits.

Control environment

1.14 The PGPA Act sets out the requirements to establish and maintain systems relating to risk and control. Division 2, section 16 of the PGPA Act states that:

The accountable authority of a Commonwealth entity must establish and maintain:

a) an appropriate system of risk oversight and management for the entity; and

b) an appropriate system of internal control for the entity.

including by implementing measures directed at ensuring officials of the entity comply with finance law. ^4,5

1.15 An effective control environment is underpinned by a fit-for-purpose governance structure. Indicators of an effective governance structure include whether management has established frameworks and processes that promote positive attitudes, awareness and actions concerning the entity’s internal controls and their importance in the entity. The main elements reviewed included: governance structures relevant to the preparation of the financial statements; audit committee and assurance arrangements; systems of authorisation; and processes for recording financial transactions.

1.16 All entities included in this report have established audit committees consisting of a majority of members which were assessed by the entity to be independent. All entities have an audit committee charter that is consistent with their obligations under subsection 17(2) of the PGPA Rule. Each entity has appointed an independent audit committee chair.

1.17 All entities have established executive management committees and/or sub-committees that meet at least monthly, which support financial decision making at the strategic and operational levels.⁶ Consideration of financial reporting was included on the agendas of all 25 entities’ executive and audit committees. The financial information provided to the entities’ executives was supplemented by non-financial operational information.

1.18 Clear lines of accountability and reporting are important in establishing a strong internal control environment for the purposes of preparing the financial statements. The involvement of those charged with governance is an important element of these structures. Just as important is ensuring that staff at all levels understand their own role in the control framework. This can be achieved through the issuance of accountable authority instructions and delegation instruments. All entities have established accountable authority instructions and delegations reflecting current business arrangements.

Risk assessment processes

1.19 Section 16 of the PGPA Act sets out an accountable authority’s responsibilities in regard to the establishment of appropriate risk oversight and management in an entity. An understanding of an entity’s process to identify and manage risk is essential to an effective and efficient financial statements audit. A review of this process is done to assist the ANAO to understand how entities identify and manage risks relating to financial statements and assess the risk of material misstatement to an entity’s financial statements.

1.20 All entities included in this report have a process to develop and update risk management plans at the organisational and strategic risk levels. In addition, each entity has developed processes for the identification and notification of risks relevant to financial statements preparation either as part of the overall risk management plan, or through a targeted risk identification exercise. The monitoring of risks, and the entities’ implementation of risk management strategies, was typically assigned to either an executive committee and/or the audit committee.

Monitoring of controls

1.21 Entities undertake many types of activities as part of their monitoring of control processes, including external reviews, self-assessment processes, post-implementation reviews and internal audits. The level of review of these activities by the ANAO is determined through a risk assessment approach that takes into consideration the nature, extent and timing of each activity and the activities’ application to the preparation of the financial statements. All entities included in this report have an ongoing process for monitoring and evaluating internal controls.

Internal Audit

1.22 As part of the financial statements audit coverage, internal audit is reviewed to gain an understanding of its role and activities in the entity. Where an internal audit function has been established it can play an important role in providing assurance to the accountable authority that the internal control framework is operating effectively. Entities are encouraged to identify opportunities to leverage internal audit coverage as a means of providing increased assurance to accountable authorities to support their opinion on the entity’s financial statements. All entities included in this report have established an effective internal audit function.

1.23 The extent to which the work of internal audit may be able to be used, in a constructive and complementary manner, varies between entities and is more likely to occur where internal audit work is focused on financial controls and legislative compliance. The ANAO is expecting to rely upon the work of internal audit for three entities in the current year.⁷ If the ANAO is anticipating to use the work of internal audit, in accordance with ASA 610 Using the Work of Internal Auditors, the ANAO is required to assess whether the internal audit function has: appropriate organisational status; relevant policies and procedures to support their objectivity; an appropriate level of competence; and whether they apply a systematic and disciplined approach in the execution of their work including quality control.

1.24 When it is determined that the work of internal audit can be used to support an effective audit approach, additional work is performed to confirm its adequacy to support the external audit. This will include confirmation that the scope of the work is appropriate, that there is sufficient evidence to support the conclusions drawn and selected re-performance of internal audit’s testing.

1.25 For the entities included in this report it was observed that internal audit coverage is based on an internal audit plan that is aligned with entities’ risk management plans and includes combinations of audits that address assurance, compliance, performance improvements and IT systems reviews. In addition, suggested topics from management, audit committees and external influences, such as the ANAO’s planned performance and financial statement coverage, are factors considered in the development of internal audit work plans.

Audit committees

Annual reporting requirements

1.26 The PGPA Act requires audit committees to be established for all Commonwealth entities and Commonwealth companies.⁸ An audit committee is a fundamental principle of good governance⁹ and provides advice and assurance to the entity’s accountable authority. The audit committee plays a key role in assisting the accountable authority to fulfil its governance, risk management and oversight responsibilities through the provision of assurance and advice.

1.27 In February 2020, changes were made to the Public Governance, Performance and Accountability Rule 2014 (PGPA Rule) that introduced requirements for specific audit committee information to be included in entity annual reports for reporting periods beginning 1 July 2019.¹⁰ In addition, a new requirement was introduced relating to the independence of the audit committee members for reporting periods beginning 1 July 2021.¹¹

1.28 Section 17 of the PGPA Rule sets out the minimum requirements relating to the functions and membership of the audit committee of a Commonwealth entity. The key requirements of the PGPA Rule include:

• a written charter, set by the accountable authority, determining the functions of the audit committee for the entity. The functions must include reviewing the appropriateness of the accountable authority’s financial reporting; performance reporting; system of risk oversight and management; and system of internal control for the entity; and
• the membership of the committee to include at least three persons with appropriate qualifications, knowledge, skills or experience to assist the committee to perform its functions. Additionally, from 1 July 2021 audit committee members of non-corporate Commonwealth entities must be persons who are not officials of the entity, and a majority of the members must be persons who are not officials of any Commonwealth entity. All members of Commonwealth corporate entities and companies must not be employees of the entity.

1.29 The reporting requirements applied to annual reports for reporting periods beginning on or after 1 July 2019 are that they must include the following information:

• a direct electronic address of the charter determining the functions of the audit committee for the entity;
• the name of each member of the audit committee during the period;
• the qualifications, knowledge, skills or experience of those members;
• information about each of those member’s attendance at meetings of the audit committee during the period; and
• the remuneration of each of those members.

1.30 As reported in Auditor-General Report No. 40 2020–21 Interim Report on Key Financial Controls of Major Entities, the ANAO reviewed the 2019–20 annual reports of Commonwealth entities subject to the reporting requirements of the PGPA Rule. As part of the 2021–22 Interim Report on Key Financial Controls of Major Entities, the ANAO has reviewed the 2020–2021 annual reports of 181 entities subject to the reporting requirements of the PGPA Rule.¹² The review was undertaken in the current year to determine whether there has been any improvement in reporting against these requirements. As part of the analysis, the ANAO reviewed annual reports for 93 non-corporate Commonwealth entities, 70 corporate Commonwealth entities and 18 Commonwealth companies.

1.31 As the PGPA Rule requires entities to publish annual reports on the digital annual reporting tool, the 2020–21 annual reports as published on the Transparency Portal were reviewed.¹³ Where the annual report was not published on the Transparency Portal or the annual report on Transparency Portal does not address the relevant requirements for all members, the ANAO has assessed this to be non-compliant.

1.32 The current year review demonstrates improved compliance with PGPA Rule requirements relating to the disclosure of audit committee member names; member qualifications, skills and experience; member attendance at meetings; and member remuneration. There has been no improvement in compliance relating to the disclosure of a direct address to the audit committee charter.

Disclosure of audit committee charters

1.33 The PGPA Rule requires entities to provide a direct electronic address of the charter determining the functions of the audit committee in the annual report. Finance guidance states that the address needs to allow the entity’s charter to be publicly available¹⁴. For the purposes of this analysis, the ANAO has considered a direct address to be a link that opens either the audit committee charter or the webpage where the charter is available on the entity’s website. Table 1.1 provides details on the number of entities that did not include a direct electronic address to the audit committee charter in both the current and previous year.

Table 1.1: Direct electronic link to audit committee charter not included in entity annual reports

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.34 Seventeen of 93 non-corporate Commonwealth entities did not include a direct link to the audit committee charter. Six of these entities were material to the 2020–21 Australian Government Consolidated Financial Statements (CFS). These entities were: the Australian Prudential Regulation Authority; Australian Signals Directorate; Bureau of Meteorology; National Archives of Australia; National Capital Authority; and Services Australia.¹⁵ Four of the 17 entities that did not include a direct link to the audit committee charter also did not include a link to the charter in the 2019–20 annual report.¹⁶

1.35 Twenty of 70 corporate Commonwealth entities did not include a direct link to the audit committee charter. Seven of these entities were material to the CFS and include: Airservices Australia; Australian War Memorial; Clean Energy Finance Corporation; Export Finance Australia; Indigenous Land and Sea Corporation; National Gallery of Australia; and National Housing Finance and Investment Corporation.¹⁷ Seven of the 20 entities that did not include a direct link to the audit committee charter also did not include a link in the 2019–20 annual reports.¹⁸

1.36 Ten of the 18 Commonwealth companies did not report a direct link to the audit committee charter in their annual report. Three of these entities were material to the CFS. The entities were: ASC Pty Ltd; Australian Naval Infrastructure Pty Ltd; and NBN Co Limited.¹⁹ Seven of the ten entities that did not include a direct link to the audit committee charter also did not include a link in the 2019–20 annual reports.²⁰

1.37 Where entities did not include a direct link to the audit committee charter, the ANAO searched the relevant entities’ websites to identify if the audit committee charter had been published. Five corporate Commonwealth entities²¹ and three Commonwealth companies²² did not have an audit committee charter available on their websites. The ANAO has confirmed as part of the financial statements audit that all entities have an audit committee charter which meets the requirements of the PGPA Rule.

Disclosure of audit committee members’ name

1.38 The PGPA Rule requires entities to disclose the name of each member of the audit committee during the reporting period. Where an entity was subject to machinery of government changes within the reporting period, all members from both the abolished and newly established entities are required to be reported. ²³

1.39 Table 1.2 summarises the number of entities that did not include the name of each audit committee member in the entity annual report.

Table 1.2: Audit committee member name disclosures not included in entity annual reports

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.40 One non-corporate Commonwealth entity did not include the 2020–21 annual report on the Transparency Portal.²⁴ This entity did not include the names of all audit committee members in the previous year. All corporate Commonwealth entities and Commonwealth companies included the names of all audit committee members in the 2020–21 financial year.

Disclosure of qualifications, knowledge, skills or experience of each audit committee member

1.41 Entities are required to provide information on the qualifications, knowledge, skills and experience of each member of the audit committee. The PGPA Rule does not include details of the specific disclosure required, however this disclosure provides the opportunity for entities to demonstrate that the audit committee has the appropriate qualifications, knowledge, skills and experience to fulfil the legal requirements of the audit committee.²⁵ Table 1.3 details the number of entities that have not included audit committee members’ qualifications, knowledge, skills and/or experience.

Table 1.3: Qualifications, knowledge, skills or experience of each member

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.42 Two of the 93 non-corporate Commonwealth entities did not include the skills and experience of all audit committee members.²⁶ One of these entities did not include details in the previous year.²⁷ One of the 70 corporate Commonwealth entities²⁸ and one of the 18 Commonwealth companies²⁹ did not disclose the skills and experience of all audit committee members in 2020–21.

Disclosure of attendance at audit committee meetings

1.43 Entities are required to report information relating to each member’s attendance at audit committee meetings during the reporting period. Table 1.4 summarises the number of entities that did not include this information.

Table 1.4: Details of member attendance at audit committee meetings

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.44 There were three non-corporate Commonwealth entities that did not include audit committee meeting attendance information.³⁰ There was one non-material corporate Commonwealth entity that did not include audit committee meeting attendance information.³¹ There were two non-material Commonwealth companies that did not include audit committee meeting attendance for members.³² There were three entities that did not include attendance information in both 2019–20 and 2020–21 annual reports.³³

Disclosure of remuneration of audit committee members

1.45 The remuneration of each member of the audit committee must be disclosed in the annual report. Audit committee remuneration must be disclosed and separately identifiable from any amounts received for other roles performed, such as being on an entities’ Board. The Department of Finance (Finance) provided further guidance that where audit committee members are not remunerated, a nil figure should be disclosed.³⁴

1.46 Corporate Commonwealth entities and Commonwealth companies often have audit committee members that are directors of the Board. The remuneration of the board members is required to be disclosed in annual reports. The ANAO noted that most Corporate Commonwealth entities and Commonwealth companies separately disclosed audit committee remuneration. For the purposes of this analysis, where there was no specific disclosure relating to the audit committee remuneration, the entity has been assessed as not reporting against the PGPA Rule. Table 1.5 outlines the reporting on audit committee member remuneration.

Table 1.5: Audit committee member remuneration

Source: ANAO analysis of 2019–20 and 2020–21 annual reports of Commonwealth entities.

1.47 There were four non-corporate Commonwealth entities that did not report remuneration for one or more of their members.³⁵ There were five corporate Commonwealth entities that did not disclose specific member remuneration for one or more of their members and two were material to the CFS. These entities were: Australian Reinsurance Pool Corporation and National Housing Finance and Investment Corporation.³⁶ There were four non-material Commonwealth companies that did not report on remuneration specific to the audit committee.³⁷ There were five entities that did not include audit committee specific remuneration in both 2019–20 and 2020–21 financial years.³⁸

Audit committee membership requirements

1.48 The amendments made to the PGPA Rule in February 2020 included changes to the member composition of an audit committee. The new members’ composition requirements for all Commonwealth entities apply for audit committees after 1 July 2021 and include:

• for a non-corporate Commonwealth entity, all of the members of the audit committee must be persons who are not officials of the entity; and a majority of the members must be persons who are not officials of any Commonwealth entity;³⁹ and
• for a corporate Commonwealth entity and Commonwealth companies, all of the members of the audit committee must be persons who are not employees of the entity.⁴⁰

1.49 Additionally, the PGPA Rule excludes the following persons from being members of the audit committee:⁴¹

• the accountable authority or, if the accountable authority has more than one member, the head (however described) of the accountable authority;
• the Chief Finance Officer (however described) of the entity; and
• the Chief Executive Officer (however described) of the entity.

1.50 The ANAO reviewed the membership of audit committees from 1 July 2021 to 25 March 2022 for 183⁴² entities subject to the PGPA Rule. Where an entity had less than three members, or the PGPA Rule requirements relating to the composition of membership had not been met, for any period during this time, the ANAO has assessed the entity as non-compliant. Table 1.6 provides details of entities’ compliance with member composition requirements that were effective from 1 July 2021.

Table 1.6: Audit committee membership composition

Source: ANAO audit committee membership analysis

1.51 There was one non-corporate Commonwealth entity⁴³ and one corporate Commonwealth entity⁴⁴ that had officials of the entity as audit committee members after 1 July 2021. The corporate Commonwealth entity held audit committee meetings during this time. None of the 183 entities assessed had the accountable authority, accountable authority head, Chief Financial Officer or Chief Executive Officer as a member of the entity audit committee.

1.52 There was one non-corporate Commonwealth entity⁴⁵ where the majority of members were officials of Commonwealth entities. This entity held meetings during this time.

1.53 The PGPA Rule also requires that audit committees consist of at least three persons. Table 1.7 provides details of the number of entities where audit committee membership did not comply with the requirements.

Table 1.7: Audit committee membership numbers

Source: ANAO audit committee membership analysis.

1.54 There were seven non-corporate Commonwealth entities that were identified as having less than the required three members for any period of time between 1 July 2021 and 25 March 2022.⁴⁶ Two entities held audit committee meetings during these periods.⁴⁷

Safeguarding information from cyber threats

1.55 The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to consider and implement the Australian Signals Directorate’s (ASD) Essential Eight mitigation strategies (Essential Eight).⁴⁸ The initial requirements were defined in 2013 and are now specified in PSPF Policy 10, ‘Safeguarding information from cyber threats’ (Policy 10).⁴⁹ The Essential Eight is considered the baseline for cyber resilience within the Australian Government and provides advice on measures that entities can implement to mitigate cyber threats.⁵⁰

1.56 Policy 10 requires each non-corporate Commonwealth entity to:

• implement the following Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents:⁵¹
  • application control;⁵²
  • patching applications;⁵³
  • configure Microsoft Office macro settings;⁵⁴
  • user application hardening;⁵⁵
  • restricting administrative privileges;⁵⁶
  • patching operating systems;⁵⁵³
  • multi-factor authentication;⁵⁷ and
  • regular backups.⁵⁸
• consider which of the remaining mitigation Strategies from the Strategies to Mitigate Cyber Security Incidents⁵⁹ need to be implemented to protect the entity.⁶⁰

1.57 Since 2013, the ANAO has conducted a series of performance audits focused on assessing entities’ implementation of the PSPF cyber security requirements. These performance audits continue to identify low levels of compliance with mandatory PSPF cyber security requirements and concerns in annual self-assessments by entities. The ANAO has reported its concern that there is little evidence through the series of audits that the regulatory framework had driven sufficient improvement in entities mitigating their cyber security risks since 2013.

1.58 Australia’s Cyber Security Strategy 2020⁶¹ outlines a range of initiatives to uplift Australia’s cyber security, including to harden government IT systems. The Hardening Australian Government IT initiative is led by the Digital Transformation Agency and supported by the ASD, the Department of Home Affairs and the Attorney-General’s Department.

1.59 The program involves the development of a new operating model to address the varying levels of cyber security maturity across Commonwealth entities. While this program aims to strengthen Government’s cyber security posture across Commonwealth entities, it is still under development.

1.60 The 2022–23 Portfolio Budget Statements specifies a $9,900.0 million investment in ASD over the next decade in new national cyber and intelligence capabilities. This will be a project called REDSPICE (Resilience, Effects, Defence, Space, Intelligence, Cyber, and Enablers). Project REDSPICE is planned to increase ASD’s offensive and defensive cyber capabilities, including creating 1,900 new ASD positions.

1.61 In 2021–22, the ANAO performed a review of the 2020–21 Policy 10 annual self-assessment as part of its assurance audit program for financial statements. This review focused on the protection of information relevant to the preparation of financial statements, specifically the financial management information system (FMIS) and human resource management information systems (HRMIS). The review was performed on 19 of the 20⁶² entities included in this report, which are required to report annually against the Policy 10 requirements.⁶³ The review was undertaken to assess the evidence supporting the self-assessment and reporting, and to identify cyber security risks that may impact on the preparation of financial statements. The review was based on the May 2020 Policy 10 requirements as these are the requirements that entities reported against in their 2020–21 self-assessments. The review consisted of analysis of policy and procedural documentation, testing of some Essential Eight mitigation strategies specific to the FMIS and HRMIS and meetings with entity personnel.

1.62 The ANAO noted improvements in reported⁶⁴ maturity levels since the 2020–21 assessment, particularly with ‘Application Control’ and ‘Multi-factor Authentication’. Figure 1.3 shows the reported maturity levels for each Essential Eight mitigation strategy between in 2019–20 and 2021–22. The Essential Eight mitigation strategies within the shaded area of Figure 1.3 represent the mitigation strategies that were mandatory during the 2020–21 reporting period.

Figure 1.3: Reported compliance with the PSPF Policy 10 requirements

Source: ANAO data

1.63 Three entities reported improvements in Essential Eight maturity levels across several of the Essential Eight mitigation strategies. The number of entities reporting improvements is has not changed since the 2020–21 assessment. These three entities had established regular maturity assessments of Essential Eight mitigation strategies and prioritised the implementation of PSPF Policy 10 requirements, including the implementation of other mitigation strategies.

1.64 Two entities reported lower maturity since last year’s assessment. The lower maturity resulted from changes in the security environment.

1.65 Although some reported improvements were observed, the ANAO found the reported maturity levels for most entities were still significantly below the Policy 10 requirements. Of the 19 entities assessed, two had self-assessed as achieving a Managing maturity level. These entities were able to demonstrate evidence to support their self-assessments as required by the PSPF.

1.66 The lowest level of compliance continues to be with the ‘Patching Applications’ and ‘User Application Hardening’ controls. Although most entities had plans to improve ‘Patching Applications’ and ‘User Application Hardening’ controls by July 2020, as at June 2021 entities were still not achieving a Managing maturity level. The number of applications in entities’ systems and identifying all applicable hardening controls for specific applications continues to be the key issue with implementing this mitigation strategy. Some entities have also stated that the ‘Patching Applications’ requirements are not achievable and have chosen to implement other mitigation strategies to address the related cyber threats.

1.67 ‘Restricting macros’ was reported to be difficult as users continue to rely heavily on macros to perform business activities. Entities continue to differ in their maturity of addressing the associated risks, with some entities reporting difficulties with monitoring the use of macros in their environments. The reported improvements in this year’s assessment have been attributed to some entities completing their cyber security implementations of Macro controls.

1.68 For ‘Multi-Factor Authentication’ to be assessed at the Managing maturity level, multi-factor authentication needed to be used to authenticate all users when accessing sensitive data. Most have focused on achieving the Developing maturity level and are relying on other mitigation strategies to address the associated risks. Entities continue to prioritise multi-factor controls for remote access and privileged users, rather than all users.

1.69 Most entities conducted their self-assessment at a system or environment level and did not specifically assess the controls required to minimise cyber risks to their FMIS or HRMIS applications. Entities who access FMIS and HRMIS applications as part of Software-as-a-Service (SaaS) arrangements reported relying on system accreditation processes to assess relevant vendor cyber security controls. Entities viewed the risk to financial information as equivalent to the risks to its overall environment. The entities prioritised the protection of the environment which hosts the FMIS and HRMIS applications.

1.70 The ANAO found that the number of assessed entities that reported an Ad-hoc or Developing maturity level had not significantly changed since last year’s assessment. Only two of the entities reviewed reported meeting the required Policy 10 maturity level. The number of entities that reported as meeting the Managing maturity level has not changed since the 2020–21 assessment.

1.71 The PSPF cyber security requirements have been in place since 2013, with the March 2022 update mandating the implementation of all Essential Eight mitigation strategies. Entities’ inability to meet previous requirements indicates a weakness in implementing and maintaining strong cyber security controls over time.

1.72 Previous ANAO audits of entity compliance with PSPF cyber security requirements have not found a significant improvement over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.

1.73 The Joint Committee of Public Accounts and Audit (JCPAA) Report 485 Cyber Resilience (2020)⁶⁵, Auditor-General Report No.53 2017–18 Cyber Resilience⁶⁶ and Auditor-General Report No.32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities⁶⁷ recommended strengthening of arrangements for verifying self-assessment results and accountability for the implementation of mandatory cyber security requirements.

1.74 While entities’ compliance with PSPF cyber security requirements remains low, there continues to be the risk of compromise to information relevant to the preparation of financial statements.

Interim audit results

1.75 Audit findings are raised in response to the identification of a potential business or financial risk posed to an entity. Often these risks arise from deficiencies within an entity’s internal control processes or frameworks. Weaknesses in internal controls increase the possibility that a material misstatement of an entity’s financial statements will not be prevented or detected in a timely manner. The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The rating scale is presented in Table 1.8 below.

Table 1.8: Findings rating scale

Source: ANAO reporting policy.

1.76 A summary of findings identified at the end of the interim phase is presented in Table 1.9 below. The table includes all findings reported to the 25 entities included in this report.

Table 1.9: Audit findings by category for the 2021–22 interim period

Source: Compilation of ANAO 2021–22 interim audit findings.

1.77 A summary of all significant, moderate, minor and legislative findings reported at the conclusion of the interim audit phase across the past five financial years is presented in Figure 1.4 below.

Figure 1.4: Trend in aggregate interim audit findings 2017–18 to 2021–22

Source: ANAO findings analysis.

Information technology control environment

1.78 The review of information systems and related controls is an integral part of an entity’s control environment. This section summarises the results from interim tests of the operating effectiveness of general IT controls for each of the entities included in this report.

1.79 Figure 1.5 demonstrates the trends in interim audit findings related to entities’ overall IT control environments from 2017–18 to 2021–22. At the time of this report, testing of the operating effectiveness of IT controls was still in progress for three entities.⁶⁸

Figure 1.5: IT control environment interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.80 Findings related to entities’ IT control environments represent 58 per cent of total findings reported during the 2021–22 interim period. IT control environment findings continue to represent the highest proportion of all findings. There were 10 moderate findings reported in the 2021–22 interim audit compared to five moderate findings reported in 2020–21. Further details relating to the moderate findings are detailed in chapter 3 for the Departments of: Defence; Infrastructure, Transport, Regional Development and Communications; Social Services; Veterans’ Affairs; and the National Disability Insurance Agency.

1.81 The information systems control environment findings reported at the conclusion of the 2021–22 interim audits for entities included in this report have been grouped as follows:

• IT security;
• IT change management; and
• disaster recovery arrangements.

IT security

1.82 IT security is concerned with protecting an entity’s information assets from internal and external threats. It includes controls to prevent or detect unauthorised access to systems, programs and data. In the context of the financial statements audit, the focus is on the financially significant systems and data only. The Protective Security Policy Framework⁶⁹ (PSPF) sets out the government protective security policy and the Australian Cyber Security Centre’s Information Security Manual⁷⁰ (ISM) provides guidance on strategies for protecting information and systems from cyber threats.

1.83 The key controls areas that address risks relating to IT security and that are assessed as part of the interim audit are:

• IT security governance;
• general and privileged user access; and
• monitoring and reporting.

1.84 Figure 1.6 illustrates the trends in findings observed in entities’ IT security arrangements between 2017–18 and 2021–22.

Figure 1.6: IT security interim audit findings 2017–18 to 2021–22

Note: The comparative numbers in this figure have been updated to include findings previously categorised as IT application controls which related to IT security.

Source: ANAO data.

1.85 The IT security findings represent 83 per cent of all IT-related findings reported in 2021–22. Nine moderate findings were reported in the 2021–22 interim audit. Further details of the moderate findings are detailed in chapter 3.⁷¹

1.86 A review of all IT security findings identified issues in the following areas:

• logging and monitoring of privileged user activity;
• user access management, including approving new user access and performing regular user access reviews;
• removal of user access when it is no longer required;
• password configuration; and
• restricting access to financial and business data, and security configurations.

1.87 Users with administrative access privileges, commonly referred to as privileged users, are able to make significant changes to IT systems’ configuration and operation, bypass critical security settings and access sensitive information. As part of reviewing IT security arrangements, different groups of privileged users were examined, including:

• application administrators, sometimes referred to as super users;
• database administrators;
• system administrators; and
• network or domain administrators.

1.88 To reduce the risks associated with this access, the ISM specifies that privileged user access be appropriately restricted and when provided, that the access is logged, regularly reviewed and monitored. One moderate and seven minor findings related to the logging and monitoring of privileged user access. The moderate finding was first reported to the Department of Veterans’ Affairs in 2020–21. It relates to the adequacy of the control framework and implementation of monitoring controls. The seven minor findings related to issues with the design of controls, such as the scope of access being monitored and the independence of those monitoring activities. In some instances, monitoring had not been performed in accordance with the entities’ policies and procedures. The risk of inappropriate changes to financially significant systems and data arising from these findings is partially mitigated through alternate controls.

1.89 All users with access to financial systems may have the ability to change financial information, and therefore access should only be granted where it is required for the performance of the role; and should be reviewed whenever the role changes. Four moderate and three minor findings related to granting and reviewing user access. Three moderate findings reported to the Department of Veterans’ Affairs related to managing access security configurations and user access reviews not being performed in accordance with the entity’s policies and procedures across several systems. The fourth moderate finding was reported to the Department of Defence and related to management of access to sensitive business data. The three minor findings were related to managing access to payment files and the timeliness of user access reviews.

1.90 Entities must remove or suspend user access on the same day that a user no longer has a legitimate business requirement for its use.⁷² Terminating a user account when the user no longer has a requirement to access it, such as upon departure from an entity, can prevent unauthorised use. There were four moderate findings in this area and an additional five minor findings. The four moderate findings related to weaknesses in monitoring controls and access being performed by users who no longer required such access. The four moderate findings were reported to the Department of Infrastructure, Transport, Regional Development and Communications, Department of Social Services, Department of Veterans’ Affairs and the National Disability Insurance Agency. The four minor findings related to access not being removed when it was no longer required.

1.91 The ISM provides guidance on the password requirements for Australian Government systems. In October 2019 the ACSC updated this guidance to specify passphrase requirements for instances where multi-factor authentication⁷³ is not supported; passphrases used for single-factor authentication should be at least four random words with a minimum of 14 characters with complexity⁷⁴. Inadequate password controls increase the likelihood of unauthorised access to systems and data. The ANAO observed that most entities were in the process of implementing the requirement or had completed an appropriate security risk assessment. There were six minor findings in this area.

1.92 The weaknesses identified within this category increase the risk of unauthorised access to systems and data, or data leakage. Entities should review their management of these areas in light of the recommendations of the ISM and the risks to their operational environment.

IT change management

1.93 IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being introduced, and to reduce the likelihood that normal business operations are interrupted with the implementation of authorised changes.

1.94 The trends in findings identified in entities’ IT change management controls between 2017–18 and 2021–22 are illustrated in Figure 1.7.

Figure 1.7: IT change management interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.95 Changes to entities’ IT environments were managed using standardised processes, usually based on the ITIL Framework.⁷⁵ While still low when compared to IT security, the number of findings in this area still highlights the importance of maintaining and monitoring performance of change management processes.

1.96 One moderate finding and four minor findings related to weaknesses in the operation of the change management processes were reported as a result of the interim audits. The moderate finding related to weaknesses in the management of system interfaces at the Department of Veterans’ Affairs. The four minor findings related to restricting developer access to production systems and data, and management of batch processing and reporting data.

1.97 One third of the entities included in this report have advised that they are undertaking new systems implementations and/or data migration activities in 2021–22. Weaknesses in change management elevates the risk of unauthorised or untested changes to systems during these activities. These weaknesses may also affect the availability or reliability of the overall IT environment. Entities should monitor the operating effectiveness of their IT control environments to mitigate risks.

Disaster recovery arrangements

1.98 Disaster recovery is concerned with the resumption of the IT environment including systems and data following an interruption to services. It relies on:

• effective back-up and recovery arrangements, to allow data to be recovered from current versions of key IT systems; and
• disaster recovery planning, including the development, maintenance and testing of a disaster recovery plan to enable IT systems to be recovered in line with defined business requirements.

1.99 The ANAO assesses entities’ disaster recovery arrangements in view of the potential for a disruptive event to impact on financial reporting. The trend for findings identified in entities’ disaster recover arrangements between 2017–18 and 2021–22 is illustrated in Figure 1.8.

Figure 1.8: Disaster recovery interim audit findings 2017–18 to 2021–22

Source: ANAO data

1.100 In all cases where general IT controls testing has been completed, ANAO found that entities undertook regular backups of financially significant data. All entities but one had disaster recovery plans in place which were regularly tested. One minor finding was raised in the 2020–21 audit that remains unresolved. This increases the risk that, in the event of a significant disruption, systems and data will not be recovered within an acceptable timeframe.

1.101 Overall, the majority of IT controls continued to provide reasonable assurance about the operation of controls relied on to support the preparation of financial statements that are free from material misstatement. Consistent with observations in previous years, IT Security, particularly with regard to management of user access, continues to be an area requiring improvement to address the risk of inappropriate access to systems and data.

Compliance and quality assurance frameworks

1.102 Entities rely on internal and external systems, parties and information in decision-making processes. The implementation of effective compliance and quality frameworks and processes provides assurance over the completeness and accuracy of information and is integral to the preparation of financial statements that are free from material misstatement.

Figure 1.9: Compliance and quality assurance framework interim findings 2017–18 to 2021–22

Source: ANAO analysis of data provided by entities.

1.103 One moderate audit finding remains unresolved at the conclusion of the 2021–22 interim audit. This finding was reported to the Australian Taxation Office and relates to weaknesses in General Interest Charge (GIC) and Failure to Lodge (FTL) remissions. The finding was first reported in 2020–21.

1.104 The number of minor audit findings reported during the 2021–22 interim audit phase has decreased from the prior year. The findings relate to quality assurance processes and developing and implementing risk management frameworks. One minor finding remains unresolved from 2018–19 and two have remained unresolved from 2019–20.

Accounting and control of non-financial assets

1.105 Entities control a diverse range of non-financial assets on behalf of the Commonwealth, including land and buildings, specialist military equipment, leasehold improvements, infrastructure, plant and equipment, inventories and internally developed software.

Figure 1.10: Accounting and control of non-financial assets interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.106 The significant finding which was first reported to the Department of Defence in 2020–21 remains unresolved. The finding relates to the valuation of Specialised Military Equipment (SME). A moderate finding first reported to the Department of Defence in 2020–21 also remains outstanding and relates to the SME valuation methodology. The second unresolved moderate finding relates to the Department of Health’s recording and management of the National Medical Stockpile. This finding was first reported in 2019–20.

1.107 Of the two minor unresolved findings, one was first raised in 2020–21 and the second has remaining unresolved from 2018–19. The findings relate to the identification, disposal, and impairment of assets and leases.

Revenue, receivables and cash management

1.108 Revenue and receivables consist of Parliamentary appropriations, taxation revenue, customs and excise duties and administered levies. Commonwealth entities also generate revenue from the sale of goods and services and a range of other sources. Cash management involves the collection and receipt of public monies and the management of official bank accounts.

Figure 1.11: Revenue, receivables and cash management interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.109 The one unresolved minor finding was first reported in 2020–21 and relates to weaknesses in the timeliness and completeness of bank reconciliations.

Human resource financial processes

1.110 Human resources encompass the day-to-day management and administration of employee entitlements and payroll functions. Employee benefits expenditure represents a significant departmental expenditure item for most entities. Employee entitlement liabilities involve estimates and judgements in inputs. It is important for entities to establish robust controls in these areas to support complete and accurate payment and recording of transactions.

Figure 1.12: Human resources financial processes interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.111 The two minor findings were first raised in 2020–21. They relate to weaknesses identified over monitoring of controls for payroll processing and reporting; and the maintenance of employee records.

Purchases and payables management

1.112 Purchases and payables management covers controls and processes that provide management assurance that payments processed by the entity are complete and accurate. This may include the implementation of appropriate systems of approval or controls designed to ensure that payments processed through the financial management information system are appropriate.

Figure 1.13: Purchases and payables management interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.113 The moderate finding was first reported in 2020–21 and relates to weaknesses in the governance of ADF health services at the Department of Defence. Two of the five minor audit findings were raised in 2021–22 and relate to weaknesses in the timeliness of reconciliation processes and contract management. Two minor audit findings remain unresolved from 2020–21 and one finding remains unresolved from 2019–20. These relate to weaknesses in controls over bank accounts, vendor management and procurement functions.

Financial statements preparation

1.114 Financial statements are an important means of demonstrating how Commonwealth entities, both at an individual and whole-of-government level, meet their financial management responsibilities. In order to provide relevant and reliable financial information to the users, entities should prepare quality financial statements in a timely manner to support entities in meeting legislative reporting obligations. Effective project management underpins successful financial statements preparation processes. Findings in this category are not expected to be resolved until the final audit phase.

Figure 1.14: Financial statements preparation interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.115 The one minor finding was first reported during the 2020–21 final audit and relates to the fraud assessment underpinning the preparation of the financial statements.

Other audit findings

1.116 Other audit findings typically include items relating to the: management and implementation of service level agreements or memoranda of understanding; and updating or maintaining key governance documentation.

Figure 1.15: Other interim audit findings 2017–18 to 2021–22

Source: ANAO data.

1.117 There was one minor finding raised in 2021–22 relating to the eligibility assessment of grant programs. Four minor findings remain unresolved from prior periods. These findings relate to weaknesses identified in accounting for leases; clearing account monitoring; completeness of reconciliations and conflict of interest declarations. Three findings were first reported in 2020–21 and one finding was first reported in 2019–20.

Legislative compliance

1.118 The ANAO also reports on entity compliance with relevant legislation. This includes reporting on compliance with key legislation including the Constitution, entity enabling legislation; legislation an entity is responsible for administering, the PGPA Act, or subordinate legislation including the PGPA Rules.

Figure 1.16: Legislative breaches 2017–18 to 2021–22

Source: ANAO data.

1.119 There were two legislative breaches reported to entities in 2021–22. These breaches related to section 23 of the PGPA Rule and breaches of the Remuneration Tribunal Act 1973.

Introduction

2.1 The Australian Government’s financial reporting framework is based, in large part, on standards made independently by the Australian Accounting Standards Board (AASB). The framework is designed to support decision-making by, and accountability to, the Parliament.

2.2 The AASB bases its accounting standards on the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. As IFRS are designed primarily for use by private sector and for-profit organisations, the AASB amends the IFRS to reflect significant transactions and events that are particularly prevalent in the public sector and not-for-profit private sector. In doing so, it takes into account standards issued by the International Public Sector Accounting Standards Board.

2.3 The Minister for Finance prescribes additional financial reporting requirements for Commonwealth entities. These are contained in the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 (the FRR). The FRR is made under the Public Governance, Performance and Accountability Act 2013 (the PGPA Act).

2.4 The audits of the financial statements of Australian Government entities are conducted in accordance with the ANAO Auditing Standards, which are made by the Auditor-General under section 24 of the Auditor-General Act 1997. The ANAO Auditing Standards for financial statement audits incorporate, by reference, the auditing standards made by the Australian Auditing and Assurance Standards Board (AUASB). The AUASB bases its standards on those made by the International Auditing and Assurance Standards Board, an independent standard setting board of the International Federation of Accountants.

2.5 The ANAO Auditing Standards were reissued in February 2021. The main change from the ANAO Auditing Standards made in February 2018 was allowing for the Auditor-General to elect, wholly or in part, to conduct a performance audit under Division 2 of Part 4 of the Act as a compliance engagement under ASAE 3100 Compliance Engagements (ASAE 3100).

2.6 For performance audits under Division 2 of Part 4 or Division 2 of Part 7 of the Act, the ANAO Auditing Standards incorporate ASAE 3100 for audits designated as performance engagements, except paragraph 56 relating to the assurance report content. Instead, the ANAO Auditing Standards have incorporated the reporting requirements specified by the International Standard of Supreme Audit Institutions ISSAI 4000 Standard for Compliance Auditing (ISSAI 4000). These reporting requirements are consistent with the practice of the ANAO in reporting conclusions, findings and recommendations in performance audit reports.

2.7 Auditing of performance statements under the PGPA Act is a function of the Auditor-General under section 15 of the Auditor-General Act. Section 40 of the PGPA Act allows the Minister for Finance or the responsible Minister to request the Auditor-General to conduct an audit of the performance statements of a Commonwealth entity. Where the Auditor-General conducts such an audit, the auditor’s report is provided to the requesting Minister who is required to table the report in the Parliament as soon as practicable after receipt.

2.8 In conducting audits of performance statements, the ANAO applies ASAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ASAE 3000) and also considers the output from the International Auditing and Assurance Standards Board (IAASB) non-authoritative guidance on Extended External Reporting (EER) Assurance published in April 2021⁷⁶.

2.9 The financial reporting and auditing frameworks that applied in 2021–22 are illustrated in Appendix 2 and Appendix 3 of this report.

Changes to the Australian public sector reporting framework

Changes in the environment

2.10 With lock downs lifted and travel restrictions eased, ANAO staff have now been able to physically access most entities’ premises, which has removed the barriers to conducting audits that arose at the onset of the COVID-19 pandemic. However, the ANAO continues to employ remote access where entities consent to this arrangement, and where it is more effective and efficient to do so. This is in support of a more agile and flexible approach to conducting audits.

2.11 The Australian Cyber Security Centre (ACSC) stated that cyber threats will continue to increase as technology is further utilised to support Australians, government and business activities.⁷⁷ As the regulatory framework has not driven sufficient improvement in cyber security across government entities, information security will remain a particular focus of ANAO’s audit work for 2021–22.

Auditing under the performance framework

2.12 The PGPA Act provides the basis for the Commonwealth performance framework. Commonwealth entities are required to publish planned financial and non-financial performance information with the aim of providing more transparent and meaningful information to the Parliament and the public. Following a series of three performance audits from 2016–17 to 2018–19, the ANAO commenced a program of pilot assurance audits of annual performance statements for the years ended 30 June 2020 and 2021.

2.13 The pilot was used to trial and refine an appropriate audit methodology for performance statements audits and the same three entities were involved for both years⁷⁸. The methodology uses audit criteria based on the requirements of the Commonwealth’s performance reporting framework as set out in the PGPA Act and Rule.

2.14 As required by the performance framework, the assurance reports for the entities audited in 2020–21 were provided to the Minister for Finance in December 2021 and subsequently tabled in Parliament on 7 April 2022. The ANAO also tabled a report in April 2022 summarising the key observations from the 2020–21 pilot audit program.

2.15 For the year ended 30 June 2022, the ANAO has commenced implementation of its performance statements audit program. Consistent with the funding appropriated to the ANAO for performance statements audits in the 2021–22 Budget, six performance statements audits are being conducted in 2021–22. This includes the same three entities from the pilots with the addition of the Department of Agriculture, Water and the Environment, the Department of Education, Skills and Employment and the Department of the Treasury. The number of audits will increase progressively, rising to 10 audits for 2022–2023 and up to 24 audits per year from 2025–26.

Changes to auditing standards

2.16 In February 2020, the AUASB issued the revised Australian auditing standard ASA 315 Identifying and Assessing the Risks of Material Misstatement which addresses the auditor’s responsibility to identify and assess the risks of material misstatement in the financial report. The extant standard applies for audits of financial statements for the period ended 30 June 2022. The new standard is effective for financial reporting periods commencing on or after 15 December 2021.

2.17 The revised standard responds to changes in the financial reporting environment including more complex financial reporting frameworks, technology being used to a greater extent, and entities and their governance structures becoming more complex. The standard also clarifies and enhances requirements to support a more robust risk assessment process, which will result in a more focused response to identified risks.

2.18 The standard places emphasis on the need for auditors to significantly enhance their understanding of the entity’s: (i) use of information technology; and (ii) governance, business model and financial reporting framework. Consequently, it is likely that entities will need to share more detailed information and provide access to a broader range of management in relation to those matters.

Changes to accounting standards

2.19 A new standard AASB 1060 General Purpose Financial Statements — Simplified Disclosures for For-Profit and Not-for-Profit Tier 2 entities (AASB 1060) applied from 1 July 2021. AASB 1060 replaced the Reduced Disclosure Requirements (RDR) disclosures and provided Simplified Disclosure Requirements (SDR) for general purpose financial statements (GPFS) Tier 2 entities.

2.20 Commonwealth Tier 2 entities are required to apply AASB 1060 subject to the specific requirements of the FRR. Changes to the disclosures were minimal for Tier 2 Commonwealth entities with the recognition and measurement requirements in other AASs retained. Specific changes to the FRR because of the adoption of AASB 1060 included the following.

• A requirement for all entities (Tier 1 and Tier 2⁷⁹) to apply Tier 1 disclosures when applying AASB 16 Leases (AASB 16). The simplified disclosures relating to leases in AASB 1060 do not apply to Tier 2 entities.
• A requirement for all entities to disclose revenue recognised from contracts with customers and impairment losses on receivables arising from contracts with customers. This disclosure requirement was removed by AASB 1060 but has been reintroduced by the FRR for Tier 2 entities.
• The removal of specific listed Tier 1 reporting requirements for the Department of Agriculture, Water and the Environment.
• Clarification of the methodologies for estimating long service leave (LSL) liability. Entities with 1,000 or less employees must use the:
  • LSL shorthand method; or
  • an actuarial assessment; or
  • a detailed calculation basis (for example, employee by employee).
• A requirement for entities, when undertaking a regulatory charging activity⁸⁰, to disclose a list of regulatory charging activities.
• The clarification of appropriation disclosure requirements.
  • Annual appropriations:
    • disclose only current year appropriations increased by PGPA Act section 74 receipts; and
    • footnote disclosure for all current year appropriations that have been withheld under s51 of the PGPA Act and quarantined for administrative reasons.
  • Unspent annual appropriations:
    • disclose amount and explanation of all prior year departmental and administered appropriations withheld under s51 or administrative quarantine, by appropriation act; and
    • disclose total adjustments made to all prior years unspent departmental and administered appropriations under s74 of the PGPA Act, and departmental and administered appropriations under s75 of the PGPA Act.

Quality Assurance Framework and Reporting

ANAO Quality Assurance Framework

2.21 The quality of ANAO audit work is reliant on the strength of its independence and quality control processes. The ANAO defines audit quality as the provision of timely, accurate and relevant audits, performed independently in accordance with the Auditor-General Act, ANAO auditing standards and methodologies, which are valued by the Parliament. Delivering quality audits results in improved public sector performance through accountability and transparency.

2.22 The ANAO Quality Assurance Framework and Plan 2021–22 is published on the ANAO website and articulates the system of quality control that the ANAO has established to support the delivery of high-quality audit work and enables the Auditor-General to have confidence in the opinions and conclusions in the reports prepared for the Parliament.

2.23 The ANAO quality assurance framework complies with the requirements of Auditing Standard ASQC 1 – Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Services Engagements. The AUASB has issued three revised Australian Quality Management Standards that become effective on 15 December 2022:

• ASQM 1 – Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements;
• ASQM 2 – Engagement Quality Reviews; and
• ASA 220 – Quality Management for an Audit of a Financial Report and Other Historical Information.

2.24 The revised standards introduce a quality management approach that is focused on proactively identifying and responding to risks of quality. The standards include enhanced requirements and focus on governance and leadership, monitoring and remediation. The ANAO has commenced a project to implement the revised standards and make enhancements to the ANAO Quality Assurance Framework to ensure that it responds to the quality risks that arise in audits of public sector entities.

2.25 The ANAO engages the Australian Securities and Investments Commission (ASIC) to conduct an annual review of the ANAO quality assurance framework and financial statements audit files, in a similar way to the review work conducted by ASIC on external auditors in the private sector. This review provides additional external oversight and scrutiny over the ANAO quality assurance framework and ensures that it is in compliance with auditing standards. The reports from the ASIC annual review are published on the ANAO internet. In 2020–21, the scope of the review completed by ASIC included a review of the policies and approvals in place regarding other services conducted by contracted firms. ASIC provided the ANAO with one good practice recommendation to ensure that the documentation regarding approvals of other services sufficiently captures the evaluation and conclusion reached.

Ethics, independence and integrity

2.26 Ethical requirements, with a focus on independence are core to the quality framework. The fundamental principles of professional ethics as set out in APES 110 Code of Ethics for Professional Accountants (including Independence Standards) are integrity; objectivity; professional competence and due care; confidentiality; and professional behaviour. The ANAO maintains a continued focus on independence through the application of ANAO independence policies that manages threats to independence in the conduct of the ANAO’s work. The ANAO Integrity Framework sets out the ANAO’s integrity control system, supporting our organisation’s integrity. The framework encompasses the ANAO Integrity Statement, which describes five key principles of integrity that staff at the ANAO uphold — independence, honesty, accountability, openness and courage.

Quality control and consultation processes

2.27 In the conduct of their work ANAO auditors apply a robust methodology to drive consistent quality and compliance with the ANAO Auditing Standards. The ANAO audit methodology incorporates policies regarding direction, supervision and review, consultation on significant technical and ethical issues, engagement quality control review of high-risk audits and documentation of audit evidence and work performed.

ANAO Quality Reporting

2.28 The Audit Quality Report 2020–21 demonstrates the ANAO assessment of the implementation and operating effectiveness of the elements of the ANAO Quality Assurance Framework. The report provides transparency in respect of the processes, policies, and procedures that support each element of the ANAO Quality Assurance Framework, and reports audit quality indicators measuring ANAO performance against target benchmarks. The report also includes the achievement of the quality assurance strategy and deliverables set out in the Quality Assurance Framework and Plan, including the results of internal and external quality assurance reviews.

Introduction

3.0.1 The ANAO’s assessment of the overall risk of material misstatement of the financial statements is based on professional judgement relating to the entity’s particular circumstances. The financial statements audit planning process involves joint procedures with the performance audit and performance statements audit groups. The process takes into account an entity’s environment and governance arrangements, its system of internal control, and prior year financial and performance audit findings. These planning processes inform the identification of areas of key risk that have the potential to impact on the integrity of the financial statements.

3.0.2  The interim phase of the audit focuses on the steps taken by entities to manage these risks, including their systems of internal control. This chapter reflects entity funding arrangements existing at 30 April 2022 and outlines the following information for each of the reported entities:

• the entity’s primary role as reflected in its Portfolio Budget Statements;
• 2021–22 appropriation funding and key financial statements items;
• the ANAO’s assessment of the overall risk of material misstatement of the financial statements, which informs the audit processes to be undertaken;
• key areas of financial statements risk including where the ANAO has identified Key Audit Matters (KAM); and
• the status of significant and moderate audit findings at the completion of the interim audit, and the conclusion relating to audit coverage to date.

3.0.3 The entities included in this report include all departments of state, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the 2020–21 CFS. The National Indigenous Australians Agency is also included in this report given the role it plays working across government with indigenous communities and stakeholders.

3.0.4 Where a performance audit was tabled during 2021–22 that was relevant to the financial management or administration of an entity, consideration is given to the impact of observations on the audit approach. Further details are included under the entity headings below.⁸¹

Analysis of entities’ contribution to 2020–21 CFS

3.0.5 An analysis of the percentage contribution of entities in this report, to 2020–21 CFS is presented below. Figure 3.0.1 presents the results of nine entities that contribute greater than 10 per cent of either the income, expenses, assets or liabilities of the CFS. The remaining entities are presented in Figure 3.0.2 and contribute less than 10 per cent of all categories.

Figure 3.0.1: Entities contributing greater than 10 per cent to the Australian Government’s 2020–21 Consolidated Financial Statements

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2021.

Figure 3.0.2: Entities contributing less than 10 per cent to the Australian Government’s 2020–21 Consolidated Financial Statements

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2021.

Results of financial statements audits

3.0.6 Table 3.0.1 presents a summary of new and unresolved significant and moderate findings⁸² at the conclusion of the 2021–22 interim⁸³ audits and the 2020–21 interim and final audits.

Table 3.0.1: Significant and moderate findings by entity

Note a: Minor findings identified previously but upgraded to a moderate or significant finding are considered new for the purposes of this table.

Source: 2020–21 and 2021–22 ANAO audit correspondence.

3.1 Department of Agriculture, Water and the Environment

Overview

3.1.1 The Agriculture, Water and the Environment portfolio is responsible for advising the government and implementing programs on the environment, heritage, meteorological services, climate change adaptation strategy and science, water resources, rural adjustment and drought issues, plant and animal biosecurity, Antarctica, and Australia’s agricultural, fisheries, food and forestry industries.

3.1.2 The Department of Agriculture, Water and the Environment (DAWE) is the lead entity in the portfolio, and is responsible for conserving, protecting and sustainably managing Australia’s biodiversity, ecosystems, environment and heritage; advancing Australia’s interests in the Antarctic region; developing and implementing policies and programs to promote more sustainable, productive, internationally competitive and profitable Australian agricultural, food and fibre industries; safeguarding Australia’s animal and plant health status; and improving the health of rivers and freshwater ecosystems and water use efficiency.

3.1.3 Figure 3.1.1 and Figure 3.1.2 below show the 2021–22 departmental and administered financial statements items reported by DAWE and the key areas of financial statements risk.

Figure 3.1.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.1.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.1.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DAWE’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DAWE’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DAWE, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.1.5 Annual appropriation funding of $1,263.1 million (departmental) and $1,821.6 million (administered) was provided to DAWE in 2021–22 to support the achievement of the entity’s outcomes.⁸⁴ DAWE was also budgeted to receive special appropriation funding of $1,069.1 million.⁸⁵

3.1.6 Table 3.1.1 and Table 3.1.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.1.1: Key expenses and total own-sourced income

Source: DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.1.2: Key assets and liabilities

Note: DAWE’s estimated actual average staffing level for 2021–22 is 6,306.

Source: DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.1.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DAWE financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.1.3.

Table 3.1.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and DAWE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.1.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No.9 Regional Land Partnerships was tabled during 2021–22 and relevant to the financial management or administration of DAWE. The recommendations from this report were considered in designing audit procedures in relation to administered grants and supplier expenses.

3.1.9 At the conclusion of the interim audit, no significant or moderate findings have been identified during the performance statements audit that would have an impact on the financial statements audit.

Audit results

3.1.10 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to departmental revenue from contracts with customers, administered levies and administered loans. In addition, interim coverage of IT general controls, administered grants, non-financial assets and employee benefits expenses has been performed.

3.1.11 Audit procedures relating to other provisions, water entitlements and administered loans will be undertaken as part of the planned 2021–22 final audit.

3.1.12 To date, our audit coverage has not identified any new significant or moderate audit findings. There were no unresolved significant or moderate audit findings at the conclusion of the 2020–21 audit.

Conclusion

3.1.13 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DAWE will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.2 Attorney-General’s Department

Overview

3.2.1 The Attorney-General’s Department (AGD) supports the Attorney-General and Minister for Industrial Relations as well as the Assistant Minister to the Attorney-General. The role of the department is to contribute towards a just and secure society by maintaining and improving Australia’s law, justice, security and integrity frameworks, and to facilitate jobs growth through policies and programs that promote fair, productive and safe workplaces.

3.2.2 AGD has a shared services arrangement with the Department of Social Services for the provision of grant administration services. AGD remains accountable for compliance with all accounting, legal and administrative requirements.

3.2.3 Figure 3.2.1 and Figure 3.2.2 below show the 2021–22 departmental and administered financial statements items reported by AGD and the key areas of financial statements risk.

Figure 3.2.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.2.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.2.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on AGD’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AGD’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of AGD, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.2.5 Annual appropriation funding of $273.9 million (departmental) and $531.3 million (administered) was provided to AGD in 2021–22 to support the achievement of the entity’s outcomes.⁸⁶ AGD was also budgeted to receive special appropriation funding of $283.9 million.⁸⁷

3.2.6 Table 3.2.1 and Table 3.2.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.2.1: Key expenses and total own-sourced income

Source: AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.2.2: Key assets and liabilities

Note: AGD’s estimated average staffing level for 2021–22 is 1,829.

Source: AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.2.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of AGD’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.2.3.

Table 3.2.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and AGD’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.2.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audits have been tabled to date in 2021–22 relevant to the financial management or administration of AGD.

Audit results

3.2.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: departmental revenue; FEG scheme expenses; supplier expenses; human resources; management of appropriations and special accounts; and cash management activities.

3.2.10 The ANAO’s planned interim audit procedures included IT general and application controls for the AGD’s financial management information system, SAP. At the conclusion of the interim audit fieldwork, ANAO has not completed testing relating to: SAP IT general controls; access authorisation; change management; and application controls.

3.2.11 Audit procedures relating to: the valuation of non-financial assets including administered investments; and financial statements close processes including the consolidation of the AGS will be undertaken as part of the planned 2021–22 final audit.

3.2.12 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.2.13 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.3 Department of Defence

Overview

3.3.1 The Department of Defence (Defence) is responsible for protecting and advancing Australia’s strategic interests through the promotion of security and stability; the provision of military capabilities to defend Australia and its national interests; and the provision of support for the Australian community and civilian authorities as directed by the government.

3.3.2 Figure 3.3.1 and Figure 3.3.2 below show the 2021–22 departmental and administered financial statements items reported by Defence and the key areas of financial statements risk.

Figure 3.3.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.3.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.3.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Defence’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Defence’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Defence, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.3.4 Annual appropriation funding of $44,842.7 million (departmental) was provided to Defence in 2021–22 to support the achievement of the entity’s outcomes.⁸⁸ Defence was also budgeted to receive special appropriation funding of $3,136.1 million.⁸⁹

3.3.5 Table 3.3.1 and Table 3.3.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.3.1: Key expenses and total own-sourced income

Source: Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.3.2: Key assets and liabilities

Note: Defence’s estimated average staffing level for 2021–22 is 75,863.

Source: Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.3.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Defence financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.3.3.

Table 3.3.3: Key areas of financial statements risk

Note a: A moderate audit finding has been reported in respect of the application and documentation of judgements applied in determining the fair value of specialist military equipment.

Note b: A significant audit finding has been reported in respect of the cost attribution model that allocates accumulated capital costs between individual platforms assets, associated spares and inventory.

Source: ANAO 2021–22 risk assessment, and Defence’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.3.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2021–22 relevant to the financial management or administration of Defence:

• Auditor-General Report No.1 Defence’s Administration of Enabling Services – Enterprise Resource Planning Program: Tranche 1;
• Auditor-General Report No.4 Defence’s Contract Administration – Defence Industry Security Program;
• Auditor-General Report No.13 Major Projects Report; and
• Auditor-General Report No.15 Department of Defence’s Procurement of Six Evolved Cape Class Patrol Boats.

3.3.8 Auditor-General Report No.13 2021–22 (Auditor-General Report No.13) included observations relevant to the valuation of SME. The report noted that Defence was unable to provide the staff cost component of projects and that its systems are not capable of calculating the cost of project staff over time. Additionally, Auditor-General Report No.13 included observations associated with the use of spreadsheets as a primary form of record for risk management. The observations reported were consistent with weaknesses reported at paragraph 3.3.15 in relation to the valuation of SME using the cost attribution model.

3.3.9 Auditor-General Report No.13 also included observations relevant to the impairment of assets under construction. No significant changes were made to the designed audit procedures for the financial statements audit.

3.3.10 The observations of the remaining reports were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement. No significant changes were made to the designed audit procedures for the financial statements audit.

Audit results

3.3.11 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: IT general controls over the financial management information system and human resources information management system. Testing of the operating effectiveness of the controls implemented to confirm the existence and completeness of inventory has been completed. Additionally, the ANAO has assessed Defence’s progress on addressing the significant and moderate audit findings discussed below.

3.3.12 Audit procedures relating to 30 June 2022 balances for SME, general assets and administered employee provisions will be performed as part of the 2021–22 final audit. The ANAO will also assess Defence’s progress in addressing audit findings up to and during the final audit.

3.3.13 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.3.4: Status of audit findings raised by the ANAO

Unresolved significant audit finding

Valuation of SME using the cost attribution model

3.3.14 To support its primary outcomes, Defence undertakes a number of high value equipment acquisition projects. These projects are complex and span multiple financial years. Judgement is applied to allocate capitalised costs between individual platform assets, associated spares and inventory.

3.3.15 Defence uses a cost attribution model (referred to by Defence as the Asset Valuation Model) to capture costs against applicable projects for SME assets under construction. The model uses a methodology to allocate project costs across the deliverables associated with the project. The Asset Valuation Model (AVM) is maintained in an excel spreadsheet and captures costs across the life cycle of the project, against multiple contracts and variations, many of which are recorded in a foreign currency. The AVM captures both budget and actual costs. The ANAO identified internal control weaknesses in the methodology used by Defence to allocate costs relating to assets under construction. These included:

• limited policies and procedures outlining the approach to developing, maintaining, and recording transactions against the cost attribution model;
• the use of excel spreadsheets to record the AVM transactions, which have no evidenced controls or protection to prevent the accidental editing or deletion of data; and
• limited quality assurance mechanisms that could be relied upon to provide assurance over the asset allocations derived from the AVMs.

3.3.16 In addition, the ANAO noted that Defence does not capture employee-related costs as part of its asset under construction projects. There are currently no systems or processes to identify the time spent by officers on specific projects. Analysis of project employee costs estimated an understatement of asset capitalisations by $67.5 million in 2020–21.

3.3.17 Assets under construction are recorded at cost. The weaknesses noted increase the risk that the valuation of SME and the associated depreciation expense is misstated in the financial statements.

3.3.18 The ANAO recommended that Defence:

• consider the development of an IT solution to transition project management from excel spreadsheets or consider ways to implement controls to reduce the risks associated with unintended or unauthorised changes to the spreadsheets;
• develop guidelines, policies and procedures to assist project managers with the development, maintenance and recording of transactions associated with the cost attribution model. The guidelines should also aim to increase consistency across projects, where appropriate;
• implement quality assurance processes to provide assurance for financial reporting purposes;
• develop and implement a year-end close process to ensure that projects are up to date and complete for reporting as at 30 June. This should include examining the appropriateness of using budget figures to adjust asset roll-out costs; and
• consider implementing a time recording system to capture employee costs associated with each project. Costs should be capitalised to projects in accordance with AASB 116 Property, Plant and Equipment.

3.3.19 The ANAO has assessed the progress made by Defence to address the weaknesses as part of the interim audit.

3.3.20 Defence has considered the development and implementation of an IT solution to transition projects out of excel spreadsheets into a system with better version control, consistent with the JCPAA’s September 2018 recommendation. Defence has advised that it will commence assessing the feasibility of implementing a system-based solution to manage project finances.

3.3.21 The development and implementation of guidelines, policies and procedures was in progress at the conclusion of the interim audit. Quality assurance processes have also been designed and will be implemented to confirm the asset under construction balances at 30 June 2022.

Unresolved moderate audit findings

Weaknesses around the governance of Australian Defence Force (ADF) health services

3.3.22 The provision of health services to ADF members is managed under a contract with an external service provider. The contract commenced on 1 July 2019 and includes two broad categories of charges covering off-base and on-base services. Defence undertakes a review of the fees and charges associated with off-base services to provide assurance that the invoiced amounts are accurate and valid.

3.3.23 As part of the 2020–21 audit, the ANAO identified weaknesses associated with the processes implemented by Defence to confirm the accuracy and validity of the service provider’s monthly invoices. The ANAO recommended that Defence:

• examine and strengthen the design of processes to provide assurance over the accuracy and validity of the health service payments;
• extend assurance activities to include on-base services; and
• complete assurance activities in a timely manner and escalate issue to an appropriate level of management to ensure that issues can be dealt with promptly and recoveries initiated where required.

3.3.24 Defence has made progress to address the weaknesses reported. Remediation activities have included strengthening the design of processes and extending assurance activities to include off-base services. Defence has advised the remediation activities in relation to the tiered pricing structure are in progress.

SME valuation methodology

3.3.25 Defence manages SME assets to maintain its defence capability requirements and undertakes a fair value assessment of these assets in accordance with Australian Accounting Standard AASB 13 Fair Value Measurement. The ANAO assessed whether the selection of the method for determining fair value was appropriate for each class of SME and whether the key assumptions used in the valuation methodology were reasonable and appropriately supported.

3.3.26 The ANAO identified instances where the judgements supporting the valuation estimates were inconsistently applied or were not supported by a documented rationale. The ANAO also identified instances where the indexes used in the year-end valuations were not the 30 June index rates.

3.3.27 The ANAO also identified the following:

• Defence had not considered whether capabilities of similar assets could be adjusted to arrive at the asset’s current replacement cost when applying the comparator approach;
• Defence had not assessed the appropriateness of using adjusted market inputs when an asset had been constructed over an extended period of time;
• an assessment of the continued appropriateness of the application of indices for a particular asset had not been performed; and
• procedures to retrospectively assess whether estimates made in prior years were appropriate had not been implemented.

3.3.28 Weaknesses in the valuation methodology increase the risk of a material misstatement in the financial statements.

3.3.29 The ANAO recommended that Defence:

• ensure documentation to support the valuation is comprehensive and demonstrates management’s assessment of estimation uncertainty; the consideration of alternative methodologies and assumptions;
• undertake a retrospective review to confirm the reliability of estimates made in prior years;
• consider engaging an external expert to review the valuation methodology and key assumptions designed to support the judgement that assets are held at fair value;
• assess the continued appropriateness of cost as an input of fair value where assets are capitalised across multiple financial years; and
• document the assessment performed to confirm the carrying amount of assets not subject to the current year comparator valuation approach are not materially different to fair value.

3.3.30 Defence agreed with the recommendation and has commenced the implementation of remediation activities. An expert has been engaged to undertake the valuation of SME assets. Defence has advised that the scope of work to be performed by the expert will include:

• the consideration of alternative valuation methodologies and assumptions;
• the execution of retrospective reviews to confirm the reliability of estimates made in prior years; and
• assessment of the cost as an input of fair value where assets are capitalised across a number of years.

3.3.31 The ANAO will continue to assess management’s progress in implementing the remediation activities as part of the final audit.

Management of privacy data

3.3.32 Management of personally identifiable data is a responsibility of all Australian Government entities subject to the Privacy Act 1988. Under the Act, various supplementary directions such as the Australian Government Agencies Privacy Code (the Code) and the Australian Privacy Principles (APP) define an entity’s responsibility around the collection, use, storage and disclosure of personal information.

3.3.33 Defence has implemented a privacy policy which has been designed to inform individuals about the way Defence collects, stores, uses and discloses personal information. This policy also provides guidance to access, or seek correction of, personal information held by Defence.

3.3.34 In reviewing the privacy framework at Defence, the ANAO observed that:

• significant programs related to the management of personally identifiable information are outdated or scheduled for reviews that have not yet occurred;
• privacy impact assessments are not stored in an accessible format and are not searchable to discover known risks and impacts;
• there is no consistent data dictionary or data governance applied to allow for the discovery of specific data types across disparate applications and networks;
• information on historical data breaches is inconsistent across Defence, with no central repository or register to report against strategic risks; and
• compliance activities to ensure Defence is meeting the requirements are either not able to be performed or are not performed in a timely manner.

3.3.35 Defence was unable to provide evidence and assurance that personally identifiable information was being managed appropriately. The ANAO also identified that Defence has limited ability to discover systems that contain information that would be classified as personally identifiable information, as well as no systematic method for tracking changes, access or distribution of personally identifiable information.

3.3.36 The weaknesses observed increase the risk that privacy data may be accessed or modified by those without authorisation to do so, and discovery of this inappropriate activity may not be timely or accurate.

3.3.37 The ANAO has recommended that Defence:

• review its data governance framework and address control weaknesses surrounding the collection, use, storage and disclosure of personal information;
• establish a digital repository to index or record the locations, types of data, systems and other critical information relating to the management of personally identifiable information; and
• report regularly against compliance and application of the Privacy Policy as well as key indicators from the Code and APPs.

3.3.38 Defence advised that it will be instituting a number of remediation actions as part of the inaugural Defence Data Strategy 2021–23. The ANAO will review the implementation of the actions related to privacy data as part of the 2021–22 final audit.

Conclusion

3.3.39 At the completion of the interim audit, the ANAO has reported a number of areas where improvements are required. The audit findings outlined above reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement. During the 2021–22 final audit the ANAO will undertake further procedures and assess action taken by Defence to address the weaknesses identified.

3.4 Department of Veterans’ Affairs

Overview

3.4.1 The Department of Veterans’ Affairs (DVA) is the primary service delivery entity with responsibility for implementing programs to assist the veteran and ex-service communities, including repatriation, rehabilitation and compensation, and war graves.

3.4.2 DVA is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986; determining and managing claims relating to defence service under the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988; the administration of benefits and arrangements under the Military Rehabilitation and Compensation Act 2004; administering the Defence Service Homes Act 1918 and the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

3.4.3 Figure 3.4.1 and Figure 3.4.2 below show the 2021–22 departmental and administered financial statements items reported by DVA and the key areas of financial statements risk.

Figure 3.4.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.4.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.4.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DVA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DVA’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DVA, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.4.5 Annual appropriation funding of $425.2 million (departmental) and $151.7 million (administered) was provided to DVA in 2021–22 to support the achievement of the entity’s outcomes.⁹⁰ DVA was also budgeted to receive special appropriation funding of $10,476.4 million.⁹¹

3.4.6 Table 3.4.1 and Table 3.4.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.4.1: Key expenses and total own-sourced income

Source: DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.4.2: Key assets and liabilities

Note: DVA’s estimated average staffing level for 2021–22 is 2,062.

Source: DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.4.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DVA financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.4.3.

Table 3.4.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and DVA’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.4.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audits have been tabled to date in 2021–22 relevant to the financial management or administration of DVA.

Audit results

3.4.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash; appropriations; supplier expenses; employee benefits and administered personal benefit and health care payments.

3.4.10 Audit procedures relating to: the testing of IT general and application controls; accuracy of administered personal benefit and health care payments including payments to public and private hospitals; and review of the valuation of the personal benefits and health care (military compensation) provision will be undertaken as part of the planned 2021–22 final audit.

3.4.11 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.4.4: Status of audit findings raised by the ANAO

Unresolved moderate audit findings

Process Direct Implementation

3.4.12 In November 2020, income and student support payment processing functions were transferred to the Process Direct system from old systems. The move to Process Direct was a component of the Veteran Centric Reform program.

3.4.13 ANAO identified weaknesses relating to security and data migration processes associated with the implementation of this upgrade. There was no authorisation to operate the system as required by the Protective Security Policy Framework and no system encryption was in place. At the end of the 2020–21 audit, DVA advised the ANAO that Process Direct had been appropriately certified with all required security documentation in August 2021 and that a review of cybersecurity governance, including the development and strengthening of appropriate security policies would occur in 2021–22. DVA noted the work was expected to be completed in June 2022.

3.4.14 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase

Monitoring of high-risk activity in IT systems

3.4.15 DVA reviews all activities in IT systems that are classified as high risk or a potential indicator of fraud. A software tool identifies this activity for review. As part of audit work undertaken, the ANAO identified that the software tool was no longer able to correctly identify high risk activity for review after a major IT change was implemented in November 2020.

3.4.16 As part of audit work undertaken during the 2020–21 audit, the ANAO identified that after a major IT change was implemented, the tool in place to monitor high-risk activity in IT systems was no longer able to correctly identify high risk activity for review. DVA subsequently made changes to ensure that the software tool could correctly identify high risk activity and retrospectively reviewed all activity that had occurred from November 2020 to July 2021.

3.4.17 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase.

User terminations

3.4.18 During the 2020–21 audit, the ANAO identified weaknesses in DVA’s controls relating to terminated users. There were no processes in place to identify users who had access to systems, applications and/or data repositories after cessation of employment or contract. Consequently, there was also no process to monitor activities undertaken by any users after access should have been removed.

3.4.19 The ANAO identified weaknesses in DVA’s controls relating to terminated users. There were no processes in place to identify users who had access to systems, applications and/or data repositories after cessation of employment or contract. Consequently, there was also no process to monitor activities undertaken by any users after access should have been removed.

3.4.20 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase.

User revalidations

3.4.21 A key aspect of system user management that protects systems and applications from exploitation is a regular user revalidation process that confirms only legitimate users have access to DVA systems and applications. ANAO noted that DVA does not have a user revalidation process in place for seven systems that support the financial statements. During the 2020–21 audit the ANAO identified that DVA did not have a process in place to revalidate user access for seven systems that support the financial statements.

3.4.22 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions were held with DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase.

QUASARS claim populations

3.4.23 QUASARS is a system used by DVA to select and perform quality assurance testing of decisions and payments made in relation to Income Support and Rehabilitation and Compensation. The results of quality assurance testing are used as a basis for DVA to quantify the potential error rate in personal benefit and health care payments.

3.4.24 The ANAO identified that there were no processes in place to ensure the completeness and accuracy of data extracted from business systems and uploaded into QUASARS. In addition, there were no documented instructions that outline the information required in each report extracted.

3.4.25 During the interim audit, DVA provided the ANAO with a high-level action plan outlining the work planned to address this issue. Discussions held between DVA and the ANAO confirmed the approach outlined to address the issue appears reasonable. The progress of this work will be reviewed during the final audit phase.

Financial delegations

3.4.26 Financial delegations are a key part of DVA’s internal control framework and ensure appropriately skilled personnel perform key functions. As part of the 2020–21 final audit, the ANAO identified that changes to delegations approved by the Secretary in February 2021 had not been implemented in DVA’s financial management information system (FMIS) until July 2021. DVA advised the ANAO that it had developed a process to ensure future changes to delegation limits were updated in a timely manner.

3.4.27 As part of the interim audit, the ANAO reviewed DVA’s new process. Additional information was also provided by DVA that identified it may not be possible to replicate in the IT systems, the specific level of delegations reflected in the approved delegation document. This would mean there is no system application control available. DVA is currently working with Services Australia to investigate this. The ANAO will review the progress on this finding during the final audit phase.

Conclusion

3.4.28 At the completion of the interim audit, the ANAO has reported a number of areas where improvements are required. The audit findings outlined above reduce the level of confidence that can be placed on the key elements of internal control that support the preparation of the financial statements that are free from material misstatement. During the 2021–22 final audit the ANAO will undertake further procedures and assess action taken by DVA to address the weaknesses identified.

3.5 Department of Education, Skills and Employment

Overview

3.5.1 The Department of Education, Skills and Employment (DESE) is the lead entity in the portfolio and is responsible for ensuring Australians can experience the social wellbeing and economic benefits that quality education, skills and employment provide.

3.5.2 The department continues to support the formulation and delivery of targeted education, skills and employment initiatives through the next phase of the Government’s economic recovery plan through supporting Australians into jobs by investing in skills and higher education and helping job seekers to reconnect with employment. The department also supports the provision of essential services on which Australians rely, including early childhood education and care, schooling, skills and training, higher education, and employment services.

3.5.3 A Government decision on 10 November 2021 endorsed the transfer of responsibility for Seasonal Worker Programme (SWP) and Pacific Labour Scheme (PLS) from the Education Skills and Employment portfolio into a new single program—the Pacific Australia Labour Mobility (PALM) scheme to be administered by the Department of Foreign Affairs and Trade (DFAT).

3.5.4 Figure 3.5.1 and Figure 3.5.2 below show the 2021–22 departmental and administered financial statements items reported by DESE and the key areas of financial statements risk.

Figure 3.5.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.5.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.5.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DESE’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DESE’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DESE, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.5.6 Annual appropriation funding of $1,072.1 million (departmental) and $8,103.3 million (administered) was provided to DESE in 2021–22 to support the achievement of the entity’s outcomes.⁹² DESE was also budgeted to receive special appropriation funding of $53,606.2 million.⁹³

3.5.7 Table 3.5.1 and Table 3.5.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.5.1: Key expenses and total own-sourced income

Source: DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.5.2: Key assets and liabilities

Note: DESE’s estimated average staffing level for 2021–22 is 3,651

Source: DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.5.8 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DESE financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.5.3.

Table 3.5.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and DESE’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.5.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No.8 Use and Administration of Wage Subsidies was tabled during 2021–22 and relevant to the financial management or administration of DESE. The recommendation from this report was considered in designing audit procedures for the current year.

Audit results

3.5.10 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash; appropriations; special accounts; non-financial assets; supplier expenses; and Commonwealth grants, Block grants, and schools’ recurrent funding payments. Audit coverage also included an assessment of the IT general controls over the financial management information system.

3.5.11 The 2021–22 final planned audit procedures will include testing of IT application controls on key business systems, and review and assessment of the year-end loan balances.⁹⁴ In addition audit procedures relating to: child care subsidy payments; administered grants payments to schools and universities; administered investments and compliance programs⁹⁵ will be performed.

3.5.12 The assessment of IT controls over services provided to DESE by the Department of Finance’s Service Delivery Office, including monitoring controls in place at DESE relating to these processes, is in progress.

3.5.13 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.5.14 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DESE will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.6 Department of Finance

Overview

3.6.1 The Department of Finance (Finance) is responsible for supporting the government’s budget process and the development and implementation of the government’s regulatory frameworks for public sector resource management, governance and accountability. In addition, Finance is responsible for the preparation of the consolidated financial statements of the Australian Government, which includes the whole-of-government and the general government sector financial statements and the Australian Government’s financial outcome. The department also provides shared services through the Service Delivery Office.

3.6.2 Figure 3.6.1 and Figure 3.6.2 below show the 2021–22 departmental and administered financial statements items reported by Finance and the key areas of financial statements risk.

Figure 3.6.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.6.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.6.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Finance’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Finance’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Finance, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.6.4 Annual appropriation funding of $1,040.1 million (departmental) and $410.0 million (administered) was provided to Finance in 2021–22 to support the achievement of the entity’s outcomes.⁹⁶ Finance was also budgeted to receive special appropriation funding of $8,080.9 million.⁹⁷

3.6.5 Table 3.6.1 and Table 3.6.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.6.1: Key expenses and total own-sourced income

Source: Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.6.2: Key assets and liabilities

Note: Finance’s estimated average staffing level for 2021–22 is 1,283.

Source: Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.6.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Finance’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.6.3.

Table 3.6.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and Finance’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.6.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to cash, appropriation, financial management and human resources. Audit procedures relating to valuation of the superannuation provision, insurance provision and properties will be undertaken as part of the planned 2021–22 final audit.

3.6.8 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.6.9 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.7 Future Fund Management Agency

Overview

3.7.1 The Future Fund Board of Guardians, supported by the Future Fund Management Agency (together the Future Fund), is responsible for investing the assets of the Future Fund under the Future Fund Act 2006, and other investment funds, managed on behalf of the Department of Finance, as a means to provide financing sources for substantial future investments in the Australian economy. Legislation under which the investments are made include: the Disability Care Australia Fund Act 2013; the Medical Research Future Fund Act 2015; the Aboriginal and Torres Strait Islander Land and Sea Future Fund Act 2018; the Emergency Response Fund Act 2019; and the Future Drought Fund Act 2019.

3.7.2 Figure 3.7.1 and Figure 3.7.2 below show the 2021–22 departmental and administered financial statements items reported by Future Fund and the key areas of financial statements risk.

Figure 3.7.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.7.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.7.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Future Fund’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Future Fund’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Future Fund, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.7.4 Future Fund does not receive any annual appropriation funding. The Future Fund is self-funded and does not rely on appropriations for its operations.

3.7.5 Table 3.7.1 and Table 3.7.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.7.1: Key expenses and total own-sourced income

Source: The Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.7.2: Key assets and liabilities

Note: The Future Fund’s estimated average staffing level for 2021–22 is 350.

Source: The Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

Key areas of financial statements risk

3.7.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Future Fund’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.7.3.

Table 3.7.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and the Future Fund’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

Audit results

3.7.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to the management of investments; monitoring of service providers; and operational expenses incurred by the Future Fund.

3.7.8 The valuation of investments, including the assessment of controls that reside within the outsourced custodian, will be completed as part of the planned 2021–22 final audit.

3.7.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.7.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Future Fund will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.8 Department of Foreign Affairs and Trade

Overview

3.8.1 The Department of Foreign Affairs and Trade (DFAT) supports Australia’s foreign, trade and investment, development and international security policy priorities. DFAT is the lead agency managing Australia’s international presence and will lead efforts to maximise Australia’s security and prosperity through implementation of the 2017 Foreign Policy White Paper.

3.8.2 Figure 3.8.1 and Figure 3.8.2 below show the 2021–22 departmental and administered financial statements items reported by DFAT and the key areas of financial statements risk.

Figure 3.8.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DFAT’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.8.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DFAT’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.8.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DFAT’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DFAT’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DFAT, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.8.4 Annual appropriation funding of $1,980.5 million (departmental) and $4,097.5 million (administered) was provided to DFAT in 2021–22 to support the achievement of the entity’s outcomes.⁹⁸ DFAT was also budgeted to receive special appropriation funding of $330.9 million.⁹⁹

3.8.5 Table 3.8.1 and Table 3.8.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.8.1: Key expenses and total own-sourced income

Source: DFAT’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.8.2: Key assets and liabilities

Note: DFAT’s estimated average staffing level for 2021–22 is 5,990.

Source: DFAT’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.8.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DFAT’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.8.3.

Table 3.8.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and DFAT’s 2021–22 estimated actual for the year ended 30 June 2022.

Audit results

3.8.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: payroll processing and IT general controls in the financial management information system; the human resource management information system; and the two International Aid information systems.

3.8.8 Audit procedures relating to: valuation of land and buildings; departmental revenue; supplier expenses; and employee benefits (including financial information processed through international post locations) will be undertaken as part of the planned 2021–22 final audit.

3.8.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.8.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.9 Department of Health

Overview

3.9.1 The Department of Health is responsible for achieving the Australian Government’s health and ageing policy priorities through evidence-based policy, program administration, research, regulatory activities, and partnerships with other government entities, consumers and stakeholders.

3.9.2 Figure 3.9.1 and Figure 3.9.2 below show the 2021–22 departmental and administered financial statements items reported by Health and the key areas of financial statements risk.

Figure 3.9.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.9.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.9.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Health’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Health’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Health, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.9.4 Annual appropriation funding of $1,168.1 million (departmental) and $23,529.7 million (administered) was provided to Health in 2021–22 to support the achievement of the entity’s outcomes.¹⁰⁰ Health was also budgeted to receive special appropriation funding of $32,315.0 million.¹⁰¹

3.9.5 Table 3.9.1 and Table 3.9.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.9.1: Key expenses and total own-sourced income

Source: Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.9.2: Key assets and liabilities

Note: Health’s estimated average staffing level for 2021–22 is 4,884.

Source: Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.9.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Health’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.9.3.

Table 3.9.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and Health’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements

3.9.7 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2021–22 relevant to the financial management or administration of Health:

• Auditor-General Report No.3 Department of Health’s Management of Financial Assistance under the Medical Research Future Fund;
• Auditor-General Report No.5 Improving Immunisation Coverage; and
• Auditor-General Report No.12 Management of International Travel Restrictions during COVID-19.

3.9.8 Auditor-General Report No.3 2021–22 included observations relevant to the administration of grants outlined above in Table 3.9.3. Health agreed with the recommendation to report grants in the same way that grant opportunities are classified in the grant opportunity guidelines and reported on GrantConnect. No significant changes were made to the designed audit procedures for the financial statements audit.

3.9.9 The observations of Auditor-General Report No.5 2021–22 and Auditor-General Report No.12 2021–22 were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement. The results of the reports were considered in designing our audit procedures. No significant changes were made to the designed audit procedures for the financial statements audit.

Audit results

3.9.10 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: IT security and change management in the financial management information system and human resource management information system; the accuracy of aged care subsidies; and the accuracy of personal benefit health care entitlements. Detailed testing has also been performed in relation to the pharmaceutical benefit scheme drug recoveries and grants expenses.

3.9.11 Other key areas of audit focus, including the valuation of personal benefit provisions and the subsidy provisions and payables and the completeness and existence of inventories will be performed as part of the 2021–22 final audit.

3.9.12 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.9.4: Status of audit findings raised by the ANAO

Unresolved moderate audit finding

National Medical Stockpile (NMS)—recording and management

3.9.13 During the 2019–20 audit, the ANAO’s testing identified weaknesses in Health’s recording and management of the NMS. These included:

• the inventory management system supporting the NMS not being fit for purpose;
• the absence of reconciliations between the Health FMIS and inventory records and financial reporting by product and location for the last quarter of the financial year;
• a number of errors in the manually entered excel inventory register; and
• lack of frequency in stock taking processes, delays in provisions of stock take methodology and timely resolution of stock take variation.

3.9.14 During 2020–21, there were delays in implementing a fit for purpose inventory management system, resulting in the continued reliance on the manual inventory register. This resulted in continued weaknesses associated with regular reconciliation between key source reports, stock take validation reporting and the extent of quality assurance processes over the excel solution.

3.9.15 As part of the 2021–22 interim audit, the ANAO has assessed Health’s progress in addressing the weaknesses identified.

3.9.16 Health continues to implement the inventory management system (IMS) using a phased approached. Health have designed and implemented reconciliations to confirm that the balances are recorded in the financial information system aligning to the logistical provider records. Health have advised that the stocktake methodology was being prepared at the conclusion of the interim audit.

3.9.17 The ANAO will continue to monitor the department’s progress in implementing the IMS as part of the final audit phase. The ANAO will also focus of the processes implemented by management to confirm the completeness and accuracy of data supporting the transition to the inventory management system.

3.9.18 The ANAO will continue to test the operating effectiveness of the reconciliations implemented to confirm the completeness of information recorded in the financial management information system. Audit procedures related to the testing of the design and implementation of the stocktake methodology will also be completed as part of the final audit.

Conclusion

3.9.19 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Health will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audit.

3.10 Department of Home Affairs

Overview

3.10.1 The Department of Home Affairs (Home Affairs) coordinates policy and operations for Australia’s national and transport security, federal law enforcement, criminal justice, cybersecurity, border, immigration, multicultural affairs, emergency management and trade-related functions.

3.10.2 Figure 3.10.1 and Figure 3.10.2 below show the 2021–22 departmental and administered financial statements items reported by Home Affairs and the key areas of financial statements risk.

Figure 3.10.1:  Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.10.2:  Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.10.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Home Affairs’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Home Affairs’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Home Affairs, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.10.4 Annual appropriation funding of $3,271.2 million (departmental) and $2,478.1 million (administered) was provided to Home Affairs in 2021–22 to support the achievement of the entity’s outcomes.¹⁰² Home Affairs was also budgeted to receive special appropriation funding of $820.7 million.¹⁰³

3.10.5 Table 3.10.1 and Table 3.10.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.10.1: Key expenses and total own-sourced income

Source: Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.10.2: Key assets and liabilities

Note: Home Affairs’ estimated average staffing level for 2021–22 is 13,612.

Source: Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.10.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Home Affairs’ financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.10.3.

Table 3.10.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and Home Affairs’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.10.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: collection of customs duty revenue and visa application revenue; the management of the onshore immigration detention centres and overseas regional processing centres; and accounting for employee entitlements.

3.10.8 Interim audit coverage has also included an assessment of IT general controls, including security and change management processes relevant to the financial management information system and human resources management information system.

3.10.9 Audit procedures relating to: reporting of overseas transactions; IT application controls; and testing the processes identified above for the remainder of the financial year will be undertaken as part of the planned 2021–22 final audit.

3.10.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.10.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.11 Department of Industry, Science, Energy and Resources

Overview

3.11.1 The Department of Industry, Science, Energy and Resources (Industry) is responsible for: supporting science and commercialisation; growing business investment and improving business capability; developing northern Australia; streamlining regulation; developing and implementing a national response to climate change; improving Australia’s energy supply, efficiency, quality, performance and productivity; and facilitating the growth of small and family business.

3.11.2 Industry offers a grants hub and shared services centre which provides other Commonwealth entities with administrative support including grants administration and payments processing; human resources and financial transactions processing and the provision of management information systems supporting these processes.

3.11.3 Figure 3.11.1 and Figure 3.11.2 below show the 2021–22 departmental and administered financial statements items reported by Industry and the key areas of financial statements risk.

Figure 3.11.1:  Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.11.2:  Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.11.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Industry’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Industry’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Industry, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.11.5 Annual appropriation funding of $717.6 million (departmental) and $3,216.8 million (administered) was provided to Industry in 2021–22 to support the achievement of the entity’s outcomes.¹⁰⁴ Industry was also budgeted to receive special appropriation funding of $342.6 million.¹⁰⁵

3.11.6 Table 3.11.1 and Table 3.11.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.11.1: Key expenses and total own-sourced income

Source: Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.11.2: Key assets and liabilities

Note: Industry’s estimated average staffing level for 2021–22 is 3,184

Source: Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.11.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Industry’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.11.3.

Table 3.11.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and Industry’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.11.8 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to employee and supplier expenditure; appropriations and special accounts; and asset and cash management. The interim audit coverage has also included assessments of controls relating to selected departmental and administered revenue streams, grant payments and IT general and applications controls for key financial systems.

3.11.9 Audit procedures relating to the completeness and accuracy of royalties, and valuation of the administered investments, including Snowy Hydro Limited, and the Ranger rehabilitation provision will be undertaken as part of the planned 2021–22 final audit.

3.11.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.11.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Industry will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.12 Snowy Hydro Limited

Overview

3.12.1 Snowy Hydro Limited (Snowy Hydro) is a government business enterprise. The primary business includes energy generation activities to supply the National Electricity Market (NEM) and operating as a retail energy provider to over 1.1 million customers through the Red Energy and Lumo Energy brands. Snowy Hydro’s energy generation capacity of 5,500 megawatts supplies New South Wales, Victoria and South Australia, primarily through the generating capacity of the Snowy Mountains hydroelectric scheme.

3.12.2 Snowy Hydro is currently progressing Snowy 2.0, a pumped hydro project that will add 2,000 megawatts of on-demand generation and approximately 350,000 megawatt hours of large-scale storage to the NEM. In 2021–22 Snowy Hydro commenced construction of a 660 megawatt open cycle gas turbine power station at Kurri Kurri, New South Wales, known as the Hunter Power Project. The project obtained approval from the NSW Government in December 2021 and environmental approval from the Australian Government in February 2022.

3.12.3 Figure 3.12.1 below shows the 2020–21 financial statements items reported by Snowy Hydro and the key areas of financial statements risk.

Figure 3.12.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Snowy Hydro’s audited financial statements for the year end 30 June 2021.

3.12.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Snowy Hydro’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Snowy Hydro’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Snowy Hydro, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.12.5 Snowy Hydro does not receive any annual appropriation funding. The operational functions of Snowy Hydro are primarily funded through own source income. The primary income sources for Snowy Hydro are retail revenue which arises from the supply of electricity and gas to customers through the Red and Lumo energy brands and wholesale revenue arising from the generation and supply of electricity to the NEM. Snowy Hydro is accessing a mix of private debt funding and equity injections from the Australian Government to fund the construction and delivery of the Snowy 2.0 and Hunter Power projects.

3.12.6 Table 3.12.1 and Table 3.12.2 below provide a summary of the key 2020–21 audited financial statements items.

Table 3.12.1: Key expenses and total own-sourced income

Source: Snowy Hydro’s 2020–21 audited financial statements.

Table 3.12.2: Key assets and liabilities

Note: Snowy Hydro’s staffing level at 30 June 2021 was 1,743 including non-ongoing contractors as reported in the 2020–21 annual report.

Source: Snowy Hydro’s 2020–21 audited financial statements.

Key areas of financial statements risk

3.12.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Snowy Hydro’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.12.3.

Table 3.12.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and Snowy Hydro’s audited financial report for the year ended 30 June 2021.

3.12.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audits have been tabled to date in 2021–22 relevant to the financial management or administration of Snowy Hydro.

Audit results

3.12.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: retail and generation billing revenue and receivables; purchases to pay; treasury; renewable energy certificates; financial reporting; and payroll.

3.12.10 Audit procedures relating to IT general and application controls, assessment of controls relating to non-financial assets and substantive testing on all material financial statements line items will be undertaken as part of the planned 2021–22 final audit. This will include audit procedures to test material accounting estimates made by Snowy Hydro, relating to the key areas of financial risk: valuation of financial instruments; capitalisation of customer acquisition costs; unbilled electricity revenue receivable; renewable energy certificates; goodwill; and impairment of trade and other receivables.

3.12.11 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.12.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Snowy Hydro will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.13 Department of Infrastructure, Transport, Regional Development and Communications

Overview

3.13.1 The Department of Infrastructure, Transport, Regional Development and Communications (Infrastructure) is responsible for improving infrastructure across Australia through funding coordination of transport and other infrastructure; providing an efficient, sustainable, competitive and safe transport system for all transport users; strengthening the sustainability, capacity and diversity of regional economies; providing advice on population policy; implementing the national policy on cities; and promoting an innovative and competitive communications sector. The department also promotes participation in and access to Australia’s arts and culture through developing and supporting cultural expression and supports governance arrangements in the Australian territories.

3.13.2 In addition to these ongoing responsibilities the department continues to deliver economic stimulus to the aviation and creative arts sectors and to regional Australian communities as a result of the COVID-19 pandemic.

3.13.3 The Northern Australia Infrastructure Facility (NAIF) was transferred from the Department of Industry, Science, Energy and Resources to the Department of Infrastructure, Transport, Regional Development and Communications on 2 July 2021. The purpose of NAIF is to encourage growth in Northern Australia through being a financing partner.

3.13.4 Figure 3.13.1 and Figure 3.13.2 below show the 2021–22 departmental and administered financial statements items reported by Infrastructure and the key areas of financial statements risk.

Figure 3.13.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.13.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s 2021–22estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.13.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Infrastructure’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Infrastructure’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Infrastructure, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.13.6 Annual appropriation funding of $426.4 million (departmental) and $7,430.4 million (administered) was provided to Infrastructure in 2021–22 to support the achievement of the entity’s outcomes.¹⁰⁶ Infrastructure was also budgeted to receive special appropriation funding of $4,219.3 million.¹⁰⁷

3.13.7 Table 3.13.1 and Table 3.13.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.13.1: Key expenses and total own-sourced income

Source: Infrastructure’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.13.2: Key assets and liabilities

Note: Infrastructure’s estimated average staffing level for 2021–22 is 1,708.

Source: Infrastructure’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.13.8 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Infrastructure’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.13.3.

Table 3.13.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and Infrastructure’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.13.9 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; accounting for non-financial assets; appropriations and special accounts; grant expenses; subsidies (including aviation COVID-19 support programs); supplier expenses; administered revenue and employee payroll. Interim audit coverage has also included an assessment of IT general controls including security and change management processes relevant to the financial management information systems and human resources management information system.

3.13.10 Audit procedures relating to: the valuation of administered investments; accuracy of subsidy claims for the Tasmanian Freight Equalisation Scheme and Regional Broadband Scheme; valuation of other assets including non-financial assets and loans and advances will be undertaken as part of the planned 2021–22 final audit.

3.13.11 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.13.4: Status of audit findings raised by the ANAO

New moderate audit finding

User Access Removal

3.13.12 Infrastructure did not have sufficient controls in place to identify and investigate in a timely manner access by users post cessation of their employment or contract. Infrastructure has advised that previous access post cessation has been investigated and that no issues were identified. Infrastructure has confirmed that processes will be developed to identify and investigate any access by users post cessation in a timely manner. The ANAO will review the action taken by Infrastructure as part of the final phase of the audit.

Conclusion

3.13.13 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Infrastructure will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2021–22 final audit.

3.14 Australian Postal Corporation

Overview

3.14.1 The Australian Postal Corporation (Australia Post) is a government business enterprise responsible for supplying postal services to Australia, including the distribution of letters and parcels in Australia and internationally.

3.14.2 Figure 3.14.1 below shows the 2020–21 financial statements items reported by Australia Post and the key areas of financial statements risk.

Figure 3.14.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Australia Post’s audited financial statements for the year end 30 June 2021.

3.14.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Australia Post’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Australia Post’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of Australia Post, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.14.4 Australia Post does not receive any annual appropriation funding. The operational functions of Australia Post are funded from the following sources: parcel services; mail services; retail; agency and other services. Australia Post pays a dividend to the Commonwealth from its profit after income tax.

3.14.5 Table 3.14.1 and Table 3.14.2 below provide a summary of the key 2020–21 financial statements items reported by Australia Post.

Table 3.14.1: Key expenses and total income

Source: Australia Post’s 2020–21 audited financial statements.

Table 3.14.2: Key assets and liabilities

Note: Australia Post’s 2020–21 staffing level at 30 June 2021 was 34,734 as reported in the 2020–21 annual report.

Source: Australia Post’s 2020–21 audited financial statements.

Key areas of financial statements risk

3.14.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of Australia Post’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.14.3.

Table 3.14.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and Australia Post’s audited financial statements for the year ended 30 June 2021.

Audit results

3.14.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; trade receivables; and property, plant and equipment. Interim coverage also included an assessment of the IT general controls and IT application controls of key systems supporting the financial statements. In addition, an assessment of the effectiveness of non-system controls relating to sales revenue, employee expenses and trade and other payables has also been completed.

3.14.8 Audit procedures relating to all key areas of audit focus, including the valuation of unearned revenue liability, the valuation of the net superannuation asset and the valuation of goodwill, will be completed as part of the 2021–22 final audit.

3.14.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.14.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.15 NBN Co Limited

Overview

3.15.1 The primary objective of NBN Co Limited (NBN Co) is to provide wholesale services to internet service providers. NBN Co is a government business enterprise incorporated under the Corporations Act 2001.

3.15.2 Figure 3.15.1 below shows the 2020–21 financial statements items reported by NBN Co and the key areas of financial statements risk.

Figure 3.15.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and NBN Co’s audited financial statements for the year end 30 June 2021.

3.15.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NBN Co’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NBN Co’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of NBN Co, the ANAO has assessed the risk of a material misstatement as high.

Key financial statements items

3.15.4 NBN Co does not receive any annual appropriation funding. The ongoing operational functions of NBN Co are funded from the following sources: telecommunications revenue, borrowings from the Australian Government, bank facilities and capital debts market.

3.15.5 Table 3.15.1 and Table 3.15.2 below provide a summary of the key 2020–21 financial statements items.

Table 3.15.1: Key expenses and total own-sourced income

Source: NBN Co’s 2020–21 audited financial statements.

Table 3.15.2: Key assets and liabilities

Note: NBN Co’s staffing level at 30 June 2021 was 4,951 as reported in the 2020–21 annual report.

Source: NBN Co’s 2020–21 audited financial statements.

Key areas of financial statements risk

3.15.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of NBN Co’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.15.3.

Table 3.15.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and NBN’s audited financial statements for the year ended 30 June 2021.

Audit results

3.15.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: revenue and receivables; purchases and payables; payroll; inventory; treasury, including derivatives and borrowings; non-financial assets, including lease management; accounting for the Telstra and Optus agreements; and IT general and application controls.

3.15.8 Audit procedures relating to key processes and financial statements line items, including IT general and application controls, where appropriate, will be undertaken as part of the planned 2021–22 final audit. In addition, the ANAO will perform audit procedures to assess the valuation of network assets.

3.15.9 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.15.10 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that NBN Co will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.16 Department of Parliamentary Services

Overview

3.16.1 The Department of Parliamentary Services (DPS) is responsible for supporting the Parliament through the provision of a range of services including library, Hansard, broadcasting, communications, and building security and maintenance.

3.16.2 Figure 3.16.1 and Figure 3.16.2 below show the 2021–22 departmental and administered financial statements items reported by DPS and the key areas of financial statements risk.

Figure 3.16.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DPS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.16.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DPS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.16.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DPS financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DPS’ environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of DPS, the ANAO has assessed the risk of a material misstatement as low.

Key financial statements items

3.16.4 Annual appropriation funding of $177.0 million (departmental) and $49.2 million (administered) was provided to DPS in 2021–22 to support the achievement of the entity’s outcomes.¹⁰⁸

3.16.5 Table 3.16.1 and Table 3.16.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.16.1: Key expenses and total own-sourced income

Source: DPS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.16.2: Key assets and liabilities

Note: DPS’ estimated average staffing level for 2021–22 is 961.

Source: DPS’ 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.16.6 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DPS’ financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.16.3.

Table 3.16.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and DPS’ estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.16.7 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: cash; asset management; payroll processing and revenue. In addition, the ANAO has undertaken testing of IT general controls over the financial management and human resource management information systems.

3.16.8 Audit procedures relating to all material financial statements line items, including the valuation of non-financial assets will be undertaken as part of the planned 2021–22 final audit.

3.16.9 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.16.4: Status of audit findings raised by the ANAO

Note a: The moderate finding has been downgraded to a minor finding.

Resolved moderate audit finding

Removal of IT access for former employees

3.16.10 During 2020–21, the ANAO’s testing identified weaknesses in DPS’ security controls relating to a number of users not being terminated from the system when their employment ceased.

3.16.11 During the 2021–22 interim phase, the ANAO has reviewed the process being implemented by DPS to detect and remove users from the system when their employment ceases. It has been concluded that sufficient controls have now been implemented by DPS to reduce the risk that users continue to have access to systems post their terminations. Recognising the improvement in processes, the finding has been downgraded to a minor finding.

Conclusion

3.16.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DPS will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.

3.17 Department of the Prime Minister and Cabinet

Overview

3.17.1 The Prime Minister and Cabinet portfolio is responsible for providing support and policy advice to the Prime Minister, the Cabinet and ministers on public and government administration matters, including policy development and whole-of-government coordination, and providing services to Indigenous Australians.

3.17.2 The Department of the Prime Minister and Cabinet (PM&C) is the lead entity in the portfolio. The department’s key purposes are to support the Prime Minister as the head of the Australian Government and the Cabinet, and to provide advice on major domestic policy and international national security matters.

3.17.3 Figure 3.17.1 and Figure 3.17.2 below show the 2021–22 departmental and administered financial statements items reported by PM&C and the key areas of financial statements risk.

Figure 3.17.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.17.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

3.17.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on PM&C’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of PM&C’s environment and governance arrangements, including its financial reporting regime and system of internal control. In light of the key areas of risk and the ANAO’s understanding of the operations of PM&C, the ANAO has assessed the risk of a material misstatement as moderate.

Key financial statements items

3.17.5 Annual appropriation funding of $236.8 million (departmental) and $42.3 million (administered) was provided to PM&C in 2021–22 to support the achievement of the entity’s outcomes.¹⁰⁹ PM&C was also budgeted to receive special appropriation funding of $10,000.¹¹⁰

3.17.6 Table 3.17.1 and Table 3.17.2 below provide a summary of the key 2021–22 departmental and administered estimated financial statements items.

Table 3.17.1: Key expenses and total own-sourced income

Source: PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Table 3.17.2: Key assets and liabilities

Note: PM&C’s estimated average staffing level for 2021–22 is 1,147.

Source: PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.17.7 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of PM&C’s financial statements. Areas highlighted for specific audit coverage in 2021–22 are provided below in Table 3.17.3.

Table 3.17.3: Key areas of financial statements risk

Source: ANAO 2021–22 risk assessment, and PM&C’s 2021–22 estimated actual as reported in the 2022–23 Portfolio Budget Statements.

Audit results

3.17.8 The ANAO has completed its 2021–22 interim audit coverage, including an assessment of the controls relating to: IT general controls and testing of leave processing, grants, bank accounts, payments to suppliers, revenue receipts, asset additions, accounts payable and receivable, credit cards and payroll.

3.17.9 Audit procedures relating to IT application controls, administered investments, employee benefits and provisions, stocktakes and asset revaluations will be undertaken as part of the planned 2021–22 final audit.

3.17.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings. The 2020–21 audit also did not identify any significant or moderate audit findings.

Conclusion

3.17.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that PM&C will be able to prepare financial statements that are free of material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2021–22 final audit.