This report is the first of two reports each year and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2022–23 financial statements audits. This report examines 27 entities, including all departments of state and a number of major Australian government entities. The majority of entities included in the report are selected on the basis of their contribution to the income, expenses, assets and liabilities of the 2021–22 Consolidated Financial Statements.

Executive summary

1. The ANAO prepares two reports annually that provide insights at a point in time into the financial statements risks, governance arrangements and internal control frameworks of Commonwealth entities, drawing on information collected during our audits. These reports explain how entities’ internal control frameworks are critical to executing an efficient and effective audit and underpin an entity’s capacity to transparently discharge its duties and obligations under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). Deficiencies identified during ANAO audits, posing a significant or moderate risk to entities’ ability to prepare financial statements free from material misstatements, are reported.

2. This report is the first of the two reports and focuses on the results of the interim audits, including an assessment of entities’ key internal controls, supporting the 2022–23 financial statements audits. This report examines 27 entities, including all departments of state and a number of major Australian government entities. The majority of entities included in the report are selected on the basis of their contribution to the income, expenses, assets and liabilities of the 2022–23 Consolidated Financial Statements (CFS). At the completion of interim audits for the 27 entities included in this report the ANAO noted that key elements of internal control were operating effectively for 12 entities. For the remaining 15 entities, except for particular finding/s outlined in Chapter 3, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement.

Summary of audit findings and related issues

Entity internal controls

3. The interim audit phase includes an assessment of the effectiveness of each entity’s internal controls as they relate to the risk of misstatement in the financial statements. At the completion of interim audits for the 27 entities included in this report, the key elements of internal control were assessed as operating effectively for 12 entities. For the remaining 15 entities, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement, except for particular finding/s outlined in Chapter 3.

4. An analysis of entity compliance with the Commonwealth’s finance law and a review of entity risk assessment and internal controls relating to procurement has highlighted that entities utilise a variety of policies, procedures and approaches to manage and monitor procurements.

Machinery of Government changes

5. Machinery of Government (MoG) changes implemented in 2022–23 transferred functions and programs between departments. Two departments of state were established and five departments of state were renamed.

6. Analysis of the MoG changes indicated that entities largely followed the principles of the Machinery of Government changes: A guide for entities — November 2021 when implementing MoG changes.

Safeguarding financial information from cyber threats

7. The Protective Security Policy Framework (PSPF) contains the Essential Eight mitigation strategies including mandatory and recommended controls intended to strengthen cyber resilience and the capacity of government to mitigate cyber threats. Review of entities’ implementation and compliance with these strategies noted deterioration in reported maturity levels across some Essential Eight mitigation strategies since ANAO’s 2021–22 assessment.

Summary of audit findings

8. A total of 78 findings were reported to the entities included in this report as a result of interim audits, comprising 29 moderate, 47 minor and two legislative findings. This is an overall increase in the number of findings, and a large increase in moderate findings compared to the 2021–22 interim audit results. The 2021–22 interim audit results reported one significant, 14 moderate, 45 minor, and two legislative findings.

9. Sixty-three per cent of all findings and seventy-two per cent of moderate findings relate to the management of IT controls, particularly the management of privileged user access and terminations.

Reporting and auditing frameworks

Summary of developments

10. A revised Australian Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement became effective for 2022–23 financial statements audits. As a result, changes have been made to the ANAO’s audit methodology.

11. The ANAO Quality Management Framework addresses the requirements of three new and revised Australian Quality Management Standards, which became effective on 15 December 2022. In November 2022, the ANAO finalised its methodology and framework for considering ethics either as part of a broader performance, financial or performance statements audit, or as an audit of an entity’s ethical framework. Audits considering ethics will feature in ANAO audit programs.

12. The ANAO is monitoring national and international developments in sustainability reporting guidance and will continue to contribute to discussions as reporting and assurance standards develop.

Cost of this report

13. The cost to the ANAO of producing this report is approximately $320,000.

1. Interim audit results and other matters

Chapter coverage

This chapter provides:

  • an overview of the ANAO’s audit approach to financial statements audits;
  • a summary of observations regarding the internal control environments of the entities included in this report;
  • observations relating to Machinery of Government changes, compliance with finance law, managing and monitoring procurement, and the safeguarding of financial information from cyber threats; and
  • a summary of audit findings identified at the conclusion of the interim audit.

Conclusion

Key to the ANAO’s audit process is our assessment of entities’ internal control frameworks as they apply to financial reporting. An effective internal control framework provides the ANAO with a level of assurance that entities are able to prepare financial statements that are free from material misstatement. At the completion of interim audits for the 27 entities included in this report, we noted that key elements of internal control were operating effectively for 12 entities. For 15 entities, except for particular finding/s outlined in chapter 3, the key elements of internal control were operating effectively to support the preparation of financial statements that are free from material misstatement.

Accountable authorities have duties under Division 2 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) that include: promoting the proper use and management of public resources; and reporting to the Minister on significant issues and activities in the entity. In the context of these obligations and a review of entity internal controls, this report includes an analysis of entity compliance with the Commonwealth’s finance law. The review highlighted that entities utilise a variety of policies, procedures and approaches to manage and monitor procurements.

Analysis of 2022–23 Machinery of Government (MoG) changes indicated that entities largely followed the principles of the Machinery of Government changes: A guide for entities — November 2021 when implementing MoG changes.

The Protective Security Policy Framework (PSPF) contains the Essential Eight mitigation strategies and recommends controls intended to strengthen cyber resilience and the capacity of government to mitigate cyber threats. Review of entities’ implementation and compliance with these strategies noted deterioration in reported maturity levels across some Essential Eight mitigation strategies since ANAO’s 2021–22 assessment.

A total of 78 findings were reported to the entities included in this report as a result of interim audits, comprising 29 moderate, 47 minor and two legislative findings. This is an overall increase in the number of findings, with a large increase in moderate findings, compared to the 2021–22 interim audit results. The 2021–22 interim audit results reported one significant, 14 moderate, 45 minor, and two legislative findings.

Eighty-three per cent of moderate findings continue to be in the areas of: management of IT controls, particularly the management of privileged users, and accounting and control of non-financial assets. These areas warrant further attention by entity management.

Introduction

1.1 The ANAO publishes an Annual Audit Work Program (AAWP) which reflects the ANAO’s strategy and deliverables for the forward year. The purpose of the AAWP is to inform the Parliament, the public and government sector entities of the ANAO’s planned audit coverage for Australian Government entities by way of financial statements audits, performance audits and other assurance activities.

1.2 The financial statements audit coverage, as outlined in the AAWP, includes presenting two reports to the Parliament addressing the outcomes of the financial statements audits of Australian Government entities and the Consolidated Financial Statements of the Australian Government (CFS). These reports provide Parliament with an independent examination of the financial accounting and reporting of Commonwealth public sector entities.

1.3 This report focuses on the results of the interim audits of 27 entities including an assessment of key internal controls supporting the 2022–23 financial statements. The assessment includes a review of the governance arrangements related to entities’ financial reporting responsibilities and the design and implementation of key internal controls relating to significant business processes. Where the auditor plans to rely upon key controls for assurance that financial statements are free from material misstatement, the controls are tested for operating effectiveness. Testing of controls during the interim audit phase allows us to form a conclusion on the operating effectiveness of those controls for the period up to the date of testing. During the final phase of the 2022–23 financial statements audit, we complete testing over the operating effectiveness of those controls we intend to rely upon, and controls not assessed at interim. The second report presents the final results of the financial statements audits of the CFS and all Australian Government entities.

1.4 The entities included in this report are those entities that contribute significantly to the three sectors of the CFS: the General Government Sector (GGS), Public Non-Financial Corporation (PNFC) sector and Public Financial Corporation (PFC) sector. A listing of these entities is provided in Appendix 1.

1.5 The ANAO conducts its financial statements audits in four phases: planning, interim, final and completion. Figure 1.1 outlines the key elements of each phase.

Figure 1.1: ANAO financial statements audit process

Source: ANAO data.

1.6 A central element of the ANAO’s financial statements audit methodology, and the focus of the planning phase of ANAO audits, is a sound understanding of an entity’s environment and internal controls relevant to assessing the risk of material misstatement in the financial statements. This understanding informs the ANAO’s audit approach, including the reliance that may be placed on entity systems to produce financial statements that are free from material misstatement.

1.7 In accordance with generally accepted auditing practice, the ANAO accepts a low level of risk that an audit will fail to detect that the financial statements are materially misstated. This low level of risk is accepted because it is too costly to perform an audit that is predicated on no level of risk. An understanding of the entity, its environment and its controls helps the ANAO design the required work and respond to risks that bear on financial reporting. The key areas of financial statements risks identified through this planning approach are discussed in chapter 3 for each entity included in this report.

1.8 A key component of understanding the entity and its environment is to understand the governance arrangements established by its accountable authority.[1] Accountable authorities of all Commonwealth entities and companies subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) are required to govern their entity in a way that promotes the proper use and management of public resources, the achievement of the purposes of the entity and the entity’s financial sustainability.

1.9 The development and implementation of effective corporate governance arrangements and internal controls should be designed to meet the individual circumstances of each entity. These processes also assist in the orderly and efficient conduct of the entity’s business and compliance with applicable legislative requirements, including the preparation of annual financial statements that present fairly the entity’s financial position, financial performance and cash flows.

Understanding the entity

1.10 The ANAO uses the framework in the Australian Auditing Standards (ASA) 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment to consider the impact of different elements of an entity’s internal controls that support the preparation of financial statements. This approach provides a basis for designing and implementing the audit work program that reflects the ANAO’s assessment of the risk of material misstatement. Deficiencies in the internal control framework increase the requirement of the ANAO to perform additional audit work in the final audit phase. Figure 1.2 outlines these elements.

Figure 1.2: Elements of entity internal controls

Source: ASA 315 Identifying and assessing the risk of material misstatement through understanding the entity and its environment, paragraphs 21–26.

1.11 This chapter discusses each of these elements and outlines observations based on the ANAO’s review of aspects of each entity’s internal controls, relevant to the risk of material misstatement to the financial statements, including the detailed results of the interim audits.

1.12 At the completion of the interim audits for the 27 entities included in this report, the ANAO noted that key elements of internal control were operating effectively for 12 entities. The remaining 15 entities were assessed as having internal controls that were operating effectively except for a particular finding which is outlined in chapter three.[2]

1.13 The key elements of internal control for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audits.

Control environment

1.14 The PGPA Act sets out the requirements to establish and maintain systems relating to risk and control. Division 2, section 16 of the PGPA Act states that:

The accountable authority of a Commonwealth entity must establish and maintain:

a) an appropriate system of risk oversight and management for the entity; and

b) an appropriate system of internal control for the entity;

including by implementing measures directed at ensuring officials of the entity comply with finance law.[3][4]

1.15 An effective control environment is underpinned by a fit-for-purpose governance structure. Indicators of an effective governance structure include whether management has established frameworks and processes that promote positive attitudes, awareness and actions concerning the entity’s internal controls and their importance in the entity. The main elements reviewed included: governance structures relevant to the preparation of the financial statements; audit committee and assurance arrangements; systems of authorisation; and processes for recording financial transactions.

1.16 All entities included in this report have established audit committees that meet the minimum requirements for audit committees as outlined in PGPA Rule section 17[5] or section 28[6]. All audit committees consist of a majority of members which were assessed by the entity to be independent. The Chair of the audit committee for all entities is an independent member. All entities have an audit committee charter that is consistent with their obligations under subsection 17(2) of the PGPA Rule.

1.17 Of the 27 entities included in this report, 26 entities have established executive management committees and/or sub-committees that meet at least monthly, which support financial decision making at the strategic and operational levels.[7] The Department of Home Affairs’ executive management committee meets quarterly and as directed by the Chair. Consideration of financial reporting was included on the agendas of 26 entities’ executive committees. The Department of Defence reports financial information directly to its Secretary and Chief of Defence. The financial information provided to the entities’ executives was supplemented by non-financial operational information for all entities.

1.18 Clear lines of accountability and reporting are important in establishing a strong internal control environment for the purposes of preparing the financial statements. The involvement of those charged with governance is an important element of these structures. Just as important is ensuring that staff at all levels understand their own role in the control framework. This can be achieved through the issuance of accountable authority instructions and delegation instruments. All entities have established accountable authority instructions and delegations reflecting current business arrangements.

Risk assessment processes

1.19 Section 16 of the PGPA Act sets out an accountable authority’s responsibilities regarding the establishment of appropriate risk oversight and management in an entity. An understanding of an entity’s process to identify and manage risk is essential to an effective and efficient financial statements audit. A review of this process is done to assist the ANAO to understand how entities identify and manage risks relating to financial statements and assess the risk of material misstatement to an entity’s financial statements.

1.20 All entities included in this report have a process to develop and update risk management plans at the organisational and strategic risk levels. In addition, each entity has developed processes for the identification and notification of risks relevant to financial statements preparation either as part of the overall risk management plan, or through a targeted risk identification exercise. The monitoring of risks, and the entities’ implementation of risk management strategies, was typically assigned to either an executive committee and/or the audit committee.

Monitoring of controls

1.21 Entities undertake many types of activities as part of their monitoring of control processes, including external reviews, self-assessment processes, post-implementation reviews and internal audits. The level of review of these activities by the ANAO is determined through a risk assessment approach that takes into consideration the nature, extent and timing of each activity and the activities’ application to the preparation of the financial statements. All entities included in this report have an ongoing process for monitoring and evaluating internal controls.

Internal audit

1.22 As part of the financial statements audit coverage, internal audit is reviewed to gain an understanding of its role and activities in the entity. Where an internal audit function has been established it can play an important role in providing assurance to the accountable authority that the internal control framework is operating effectively. Entities are encouraged to identify opportunities to leverage internal audit coverage as a means of providing increased assurance to accountable authorities to support their opinion on the entity’s financial statements. All entities included in this report have established an effective internal audit function.

1.23 The extent to which the work of internal audit may be able to be used, in a constructive and complementary manner, varies between entities and is more likely to occur where internal audit work is focused on financial controls and legislative compliance. The ANAO is expecting to rely upon the work of internal audit for three entities in the current year.[8] If the ANAO anticipates using the work of internal audit, in accordance with ASA 610 Using the Work of Internal Auditors, the ANAO is required to assess whether the internal audit function has: appropriate organisational status; relevant policies and procedures to support its objectivity; an appropriate level of competence; and whether it applies a systematic and disciplined approach in the execution of its work including quality control.

1.24 When it is determined that the work of internal audit can be used to support an effective audit approach, additional work is performed to confirm its adequacy to support the external audit. This will include confirmation that the scope of the work is appropriate, that there is sufficient evidence to support the conclusions drawn and selected re-performance of internal audit’s testing.

Reporting relating to compliance with finance law

1.25 The introduction of the PGPA Act resulted in a move from a compliance-based approach to a principle-based framework for Commonwealth entities. To promote the safe custody and proper use of public resources whilst reducing red tape, a greater emphasis is placed on the robustness of an entity’s self-assessment processes, strong governance structures and internal control frameworks to identify risks. A practical example of this is an entity’s requirement to report on compliance with finance law.[9]

1.26 From 2015–16, the Department of Finance changed the compliance reporting process to require entities to report only significant non-compliance with the finance law to both the Minister for Finance and the responsible Minister. To support the change in requirements, the Department of Finance issued guidance in relation to reporting of significant non-compliance through the Resource Management Guide 214 Notification of significant non-compliance with finance law (PGPA Act, section 19) (RMG 214). The guide outlines factors which may be considered when determining whether significant non-compliance occurred including:

  • failure to comply with the duties of accountable authorities (PGPA Act sections 15 to 19);
  • serious breaches of the general duties of officials (PGPA Act sections 25 to 29) including any fraudulent activity by officials;
  • systemic issues reflecting internal control failings or high-volume instances of non-compliance; and
  • non-compliance issues that are likely to impact on the entity’s financial sustainability.

1.27 RMG 214 notes that the accountable authority should consider their entity’s environment when determining whether instances of non-compliance are significant. In May 2019, RMG 214 was updated with additional guidance in the form of case studies. The case studies highlight the need for entities to consider the number of non-compliance issues in the context of the number of times the function had occurred within the entity. For example, the number of breaches relating to incorrect reporting of contracts on AusTender can be compared with the number of contracts executed in that year. As part of the interim audits the ANAO considered entities’ application of RMG 214.[10]

1.28 In addition to notifying the relevant Minister of any significant issues which occur, entities must also report any significant non-compliance in their annual report in line with the PGPA Rule subsection 17AG. The following three entities reported significant non-compliance in the 2021–22 annual reports:

  • The Department of Home Affairs reported one significant non-compliance[11] relating to misuse of a Commonwealth credit card and falsification of documents. The matter was finalised in November 2021 and related to transactions that occurred between July 2016 and June 2017. The department has limited cash withdrawal access for departmental Commonwealth credit card holders and implemented a Credit Card Compliance Monitoring Program, and the department also continues to require mandatory training for cardholders and review of monthly statements by supervisors.
  • The Department of Industry, Science and Resources reported one significant non-compliance[12] relating to compliance with the Commonwealth Procurement Rules. Corrective action is being undertaken by the department to ensure that it demonstrates best practice in management of probity in procurements and grants.
  • The Department of Defence reported 14 instances of significant non-compliance[13]. Five cases related to credit card non-compliance, primarily related to credit card misuse; one case related to deception; eight cases related to entitlements. The department has undertaken remedial actions ranging from administrative sanctions or disciplinary action to criminal prosecutions and has undertaken remedial action under the Defence Force Discipline Act 1982.

1.29 Entities undertake a range of activities to identify instances of non-compliance and support their assessment of whether identified breaches meet the definition of significant. These activities include self-reporting, internal assurance activities, and questionnaires completed by officers holding delegations. Through these processes, in 2021–22 entities included in this report identified a total of 4,873 instances of non-compliance.[14]

1.30 The Department of Home Affairs also advised additional non-compliance with section 23 of the PGPA Act in the Translating and Interpreting Service (TIS) contract centre, when assigning interpreting jobs to interpreters.[15] Subsequent legal advice concluded that the operators engaged as contractors by TIS were not prescribed as Officials under the PGPA Act and did not hold section 23 delegations. The department advised that delegations and Authority to Act instruments have been implemented to allow the exercise of section 23 delegations relating to TIS operators.

1.31 Figure 1.3 provides the ANAO analysis of instances of non-compliance by category as identified by entities in 2021–22.

Figure 1.3: Non-compliance identified by entities in 2021–22

Source: ANAO analysis of data provided by entities.

1.32 Further details of the areas of non-compliance are detailed below.

  • The following three entities identified the highest levels of non-compliance with the Commonwealth Procurement Rules: the Department of Agriculture, Fisheries and Forestry (671 instances); the Department of Home Affairs (465 instances); and the Department of Industry, Science and Resources (200 instances).
  • Breaches of section 23 of the PGPA Act include failure to obtain appropriate delegate approval prior to entering into contracts and exceeding a delegate’s approval. The following three entities identified the highest levels of non-compliance in this area: the Department of Defence (604 instances); the Department of Agriculture, Fisheries and Forestry (57 instances); and the Department of Home Affairs (56 instances).
  • Eighty-one per cent of instances of non-compliance with the PGPA Act, excluding section 23, related to breaches of Duty of Care and Diligence under section 25.
  • The non-compliance with the PGPA Rule relates to failure to document the approvals to enter into arrangements under section 23 of the PGPA Act.

1.33 RMG 214 identifies that while a matter may not be sufficiently significant to report to the responsible Minister and/or the Minister for Finance, entities are encouraged to review all incidents of non-compliance as these could indicate internal control problems or the beginning of more systemic issues. The collation and reporting of non-compliance allows audit committees and accountable authorities to assess emerging risks and determine training requirements or changes to procedures required to address trends.

Procurement

1.34 The majority of reported breaches of finance law continues to be in relation to procurement. For this report, the ANAO has considered procurement practices including risk assessments, policies and training of the 27 entities included in this report. Results are included in the following section.

1.35 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), responsibility for the proper use of public resources, including procurement, rests with the accountable authority of each entity. This responsibility includes developing procurement policies, procedures and systems and the conduct of individual procurements. The Public Governance, Performance and Accountability Rule 2014 (PGPA Rule), associated instruments, and policies, establish the requirements and procedures necessary to give effect to the governance, performance and accountability matters as covered by the PGPA Act.

1.36 The Commonwealth Procurement Rules (CPRs) are the core of the Australian Government procurement framework. The framework also includes guidance developed by the Department of Finance, Resource Management Guides that simplify and streamline processes and other tools to assist entities in ensuring procurement practices are robust. An appropriate system of risk oversight and management in addition to internal controls is key to ensuring entities are able to comply with relevant requirements.

1.37 Of the entities included in this report, three entities[16] have identified strategic risks that directly relate to procurement and 15 entities[17] have determined that there is an entity level risk or risks that have an indirect relationship to procurement. The strategic risks for the remaining nine entities do not relate to procurement.

1.38 All entities have policies and procedures in place to assist staff in undertaking procurements and procurement is included as a topic in the internal audit plan for nine entities[18]. Policies and procedures provided by entities include:

  • formal procurement policies and guides, Accountable Authority instructions and procurement toolkits supplemented with practical guidance materials and templates and contract management flowcharts;
  • procurement internet pages that include guidance; and
  • procurement specific IT applications.

1.39 Entities have also implemented methods to support staff in completing procurements that are considered high risk. These include:

  • more detailed risk assessments;
  • direct support from a central procurement team;
  • obtaining legal advice; and
  • obtaining external probity and/or commercial advice.

1.40 As outlined in Figure 1.3 above, entities reported non-compliance with procurement rules in 2021–22. A key process in mitigating the risk of non-compliance is the provision of regular training to staff on the requirements of managing and undertaking procurements.

1.41 The following table identifies the 27 entities included in this report and outlines the total number and value of committed procurements reported to commence in 2021–22. The table also includes information on the number of staff in the entity’s procurement function and training requirements.

Table 1.1: The number and committed value of contracts (and amendments to existing contracts) reported to start in 2021–22 financial year for entities included in this report

| Entity (a) | Total number of contracts | Total value of contracts $’000 | Number of staff in centralised procurement team | Mandatory procurement training |
| --- | --- | --- | --- | --- |
| Department of Agriculture, Fisheries and Forestry | 5,136 | 1,263,348 | 19 | Yes (b) |
| Attorney-General’s Department | 1,234 | 179,356 | No centralised procurement team (d) | No |
| Department of Climate Change, Energy, the Environment and Water | 1,420 | 365,736 | 22 | Yes (c) |
| Snowy Hydro Limited (f) | | | 7 | No |
| Department of Defence | 33,386 | 43,397,291 | No centralised procurement team (d) | No |
| Department of Veterans’ Affairs | 2,670 | 508,743 | 7 | No |
| Department of Education | 1,320 | 481,523 | 6 | No |
| Department of Employment and Workplace Relations | 2,595 | 965,036 | 6 | No |
| Department of Finance | 1,200 | 1,560,380 | 5 | No |
| Future Fund Management Agency | 503 | 111,385 | 3 | Yes (b) |
| Department of Foreign Affairs and Trade | 1,743 | 982,794 | 39 | Yes (e) |
| Department of Health and Aged Care | 4,856 | 4,298,388 | 8 | No |
| Department of Home Affairs | 2,702 | 3,863,664 | 24 | No |
| Department of Industry, Science and Resources | 2,230 | 876,097 | 15 | No |
| Department of Infrastructure, Regional Development, Communications and the Arts | 1,734 | 687,547 | 6 | No |
| Australian Postal Corporation (f) | | | 16 | Yes (c) |
| NBN Co. Limited (f) | | | 66 | No |
| Department of Parliamentary Services | 548 | 140,657 | 18 | No |
| Department of the Prime Minister and Cabinet | 664 | 114,948 | 12 | No |
| National Indigenous Australians Agency | 614 | 123,247 | 6 | No |
| Department of Social Services | 886 | 520,065 | 5 | No |
| National Disability Insurance Agency (f) | 564 | 38,382 | 126 | Yes (b) |
| Services Australia | 3,819 | 2,864,475 | 38 | No |
| Department of the Treasury | 775 | 197,650 | 6 | Yes (b) |
| Australian Office of Financial Management | 30 | 22,927 | No centralised procurement team | No |
| Australian Taxation Office | 1,953 | 1,877,830 | 48 | No |
| Reserve Bank of Australia | 20 | 335,000 | 13 | Yes (c) |

Note a: Where a MoG has resulted in a change to an entity name without a change to the entity’s Australian Business Number (ABN), any contracts published under the previous entity name have been automatically updated to the new entity name as outlined in paragraph 2.6 of Auditor-General Report No. 11 2022–23 Australian Government Procurement Contract Reporting – 2022 Update.

Note b: Training is mandatory for all staff.

Note c: Training is mandatory for relevant staff including those that have purchasing authority or may exercise a delegation.

Note d: Defence’s Commercial Division manages the Defence Commercial Framework and provides commercial advice and procurement services. The Attorney-General’s Department has a central team that provides policy advice for procurements.

Note e: Training is mandatory for officers prior to being posted offshore.

Note f: Corporate Commonwealth entities that are not prescribed to comply with the reporting requirements of the CPRs, including reporting procurements on AusTender as outlined in paragraph 2.3 of Auditor-General Report No. 11 2022–23 Australian Government Procurement Contract Reporting – 2022 Update. None of the 18 Commonwealth companies are prescribed to comply with the CPRs.

Source: ANAO analysis of AusTender data for contracts and amendments, reported to start between 1 July 2021 and 30 June 2022, extracted and provided by the Department of Finance in September 2022.

1.42 Where training is mandatory, training is required to be completed annually for four[19] entities, every two years for two[20] entities and every three years or once per posting for two[21] entities. Effective training to support the development of skills is key to ensuring entities appropriately perform their duties related to procurement.

1.43 The assessment has highlighted that entities utilise a variety of policies, procedures and approaches to manage and monitor procurements to assist the accountable authority in discharging their duties and reducing instances of non-compliance.

Machinery of Government changes

1.44 A Machinery of Government (MoG) change occurs following a Government decision to change the way Commonwealth responsibilities are managed. MoG changes can involve the movement of functions, resources and staff from one agency to another. When implementing MoG changes entities are to apply change management arrangements in a timely and effective manner, ensuring continuity of Government business.[22]

1.45 Where MoG changes affect areas such as governance arrangements, appropriations, IT systems, internal controls and financial reporting, the ANAO takes the changes into account in developing its audit approach as part of the annual financial statement audits of Australian Government entities.

Scale of 2022–23 MoG changes

1.46 MoG changes implemented in 2022–23 transferred functions and programs between departments. As part of these changes, two departments of state were established: the Department of Climate Change, Energy, the Environment and Water and the Department of Employment and Workplace Relations. Additionally, five departments of state were renamed.[23]

1.47 Of the 27 entities included in this report, 12 were impacted by MoG changes in 2022–23.[24] MoG changes impacting these entities are summarised in Table 1.2.

Table 1.2: Functions transferred in 2022–23 MoG changes

| Function(s) transferred | Transferring entity | Receiving entity |
| --- | --- | --- |
| Law enforcement and cybercrime | Department of Home Affairs | Attorney-General’s Department |
| Copyright | Department of Infrastructure, Transport, Regional Development and Communications (a) | Attorney-General’s Department |
| National child safety and open government partnership | Department of the Prime Minister and Cabinet | Attorney-General’s Department |
| Environment and water | Department of Agriculture, Water and the Environment (a) | Department of Climate Change, Energy, the Environment and Water (b) |
| Climate change and energy | Department of Industry, Science, Energy and Resources (a) | Department of Climate Change, Energy, the Environment and Water (b) |
| Water (infrastructure) | Department of Infrastructure, Transport, Regional Development and Communications (a) | Department of Climate Change, Energy, the Environment and Water (b) |
| Emergency management | Home Affairs | National Emergency Management Authority (c) |
| Industrial relations | Attorney-General’s Department | Department of Employment and Workplace Relations (b) |
| Employment and vocational training | Department of Employment, Skills and Education (a) | Department of Employment and Workplace Relations (b) |
| Pacific Australia Labour Mobility (PALM) scheme | Department of Foreign Affairs and Trade | Department of Employment and Workplace Relations (b) |
| Deregulation and data and digital policy | Department of the Prime Minister and Cabinet | Department of Finance |
| Supply chain resilience and digital technologies | Department of the Prime Minister and Cabinet | Department of Industry, Science and Resources |
| Domestic, family and sexual violence | Department of Social Services | Domestic, Family and Sexual Violence Commission (c) |

Note a: The transferring entity name in the table reflects the arrangements prior to the Machinery of Government changes effective 1 July 2022.

Note b: Entity was established 1 July 2022.

Note c: Entity is non-material (not in the scope of this report).

Source: ANAO data.

1.48 Transfers of employees between entities impacted by MoG changes are made through a determination under section 72 of the Public Service Act 1999. The transfers of ongoing APS employees between the entities included in this report are summarised in Table 1.3.

Table 1.3: Staff transfers between entities included in this report (from 2022–23 MoG changes)

| Entity | Ongoing employees transferred out | Ongoing employees transferred in |
| --- | --- | --- |
| Department of Agriculture, Fisheries and Forestry | 2,220 | |
| Attorney-General’s Department | 333 | 201 |
| Department of Climate Change, Energy, the Environment and Water (a) | | 2,927 |
| Department of Education | 2,636 | |
| Department of Employment and Workplace Relations (a) | | 3,004 |
| Department of Finance | | 72 |
| Department of Foreign Affairs and Trade | 46 | |
| Department of Home Affairs | 150 | |
| Department of Industry, Science and Resources | 667 | 31 |
| Department of Infrastructure, Transport, Regional Development, Communications and the Arts | 37 | |
| Department of the Prime Minister and Cabinet | 146 | |
| Department of Social Services | | |
| Total | 6,235 | 6,235 |

Note a: Entity was established 1 July 2022.

Source: Public Service (Machinery of Government changes) Section 72 Determinations (including amendments) between entities included in this report. This includes Determinations signed by the former Department of Agriculture, Water and the Environment and the former Department of Industry, Science, Energy and Resources in June 2022.

1.49 In addition to the transfer of staff, appropriations were transferred between entities through determinations made under section 75 of the PGPA Act. The total values of section 75 transfers in 2022–23 relating to entities included in this report are listed in Table 1.4.

Table 1.4: Section 75 transfers from 2022–23 MoG changes (a)

Entity

Departmental appropriations transferred in ($m)

Departmental appropriations transferred out ($m)

Administered appropriations transferred in ($m)

Administered appropriations transferred out ($m)

Department of Agriculture, Fisheries and Forestry

0.4

126.2

320.3

Attorney-General’s Department

26.7

24.1

11.8

16.7

Department of Climate Change, Energy, the Environment and Water

172.1

2,209.2

Department of Education

257.6

2,061.6

Department of Employment and Workplace Relations

288.9

2,094.2

Department of Finance

10.8

0.1

Department of Foreign Affairs and Trade

7.5

14.7

Department of Home Affairs

26.0

24.6

Department of Industry, Science and Resources

1.2

39.9

1,879.4

Department of Infrastructure, Transport, Regional Development, Communications and the Arts

6.5

8.7

Department of the Prime Minister and Cabinet

22.4

2.3

Department of Social Services

3.5

         

Note a: Section 75 transfers listed in this table include appropriation transfers to non-material entities (not within the scope of this report) in line with functions transferred as a result of 2022–23 MoG changes.

Source: Determinations made under section 75 of the PGPA Act relating to transfer of 2022–23 appropriations.

Implementing MoG changes

1.50 Implementing MoG changes can involve complexity in managing a range of issues. These include: reaching agreement on the staff and appropriations to be transferred; establishing communication mechanisms with both ‘gaining’ and ‘losing’ staff; connecting gaining staff to existing IT networks and disconnecting transferred staff from IT systems; arranging accommodation requirements for staff being transferred; and negotiating the most effective way to maintain the delivery of services in both the short and longer term, particularly arrangements for the processing of employee entitlements and program payments.

1.51 The Machinery of Government changes: A guide for entities — November 2021 (the Guide), jointly issued by the Australian Public Service Commission and the Department of Finance, outlines a set of protocols for entities to observe when implementing changes resulting from a MoG. The principles are:

  • taking a whole-of-government approach;
  • constructive and open communication with employees; and
  • accountability and compliance with legislation and policy.

1.52 The Guide outlines that where a completion date is not specified in relation to a MoG, entities are expected to complete changes within 13 weeks from the date of effect.[25] Agency heads are responsible for meeting this deadline and for implementing MoG changes in accordance with the principles.

1.53 Due diligence and change management underpin an effective MoG. The Guide outlines that it is good practice for entities to start MoG planning as early as possible.[26] As soon as it becomes clear that a MoG change will occur, affected entities are expected to:

  • commence planning activities;
  • establish a cross-entity, multi-disciplinary steering committee to oversee implementation;
  • consider the appointment of an independent third party to facilitate and advise on the process;
  • prepare for an immediate and thorough due diligence exercise; and
  • develop a communications strategy to keep employees informed.

1.54 The extent of actions will depend on the size and complexity of the MoG change. Not all actions may be required for entities, depending on the scale of the MoG change.

Observations

1.55 A steering committee appointed to oversee the implementation of MoG changes provides a clear point of contact for the escalation of any issues which may arise. In 2022–23, a steering or implementation committee was appointed by 10 of the 12 entities impacted by MoG changes to manage the MoG process.[27] No steering or implementation committee was appointed in two entities that assessed their MoG changes as non-complex and low risk.

1.56 Entities should appoint an independent advisor to manage the process of information exchange between entities where MoG changes are large, sensitive or complex.[28] Three entities advised that they used an independent advisor in implementing 2022–23 MoG changes: the Department of Agriculture, Fisheries and Forestry; the Department of Climate Change, Energy, the Environment and Water; and the Department of Industry, Science and Resources. The independent advisor was used to assist negotiations, help resolve issues and provide independent advice to the secretaries.

1.57 The Guide provides that transferring entities are to provide receiving entities with due diligence information within 10 business days of the announcement of the MoG.[29] For due diligence, receiving entities should also establish measures of success for the implementation of the MoG and review any materials prepared during previous MoG changes to assist with planning.[30] Of the 12 entities impacted by MoG changes, 10 advised that they undertook a due diligence assessment in relation to the MoG.[31] The two entities that did not document a formal due diligence assessment assessed the impact of MoG changes as low risk as the changes involved the transfer of a low number of employees.

Implementing MoG changes in a timely manner

1.58 A MoG change must be implemented in a timely manner to ensure continuity of Government business. The Guide provides that where a completion date is not specified in relation to a MoG, entities are expected to complete changes within 13 weeks from the date of effect.[32]

1.59 Of the 12 entities impacted by MoG changes, eight entities did not complete changes within the 13-week timeframe outlined in the Guide: the Attorney-General’s Department, the Department of Agriculture, Fisheries and Forestry; the Department of Climate Change, Energy, the Environment and Water; the Department of Education; the Department of Employment and Workplace Relations; the Department of Home Affairs; the Department of Infrastructure, Transport, Regional Development, Communications and the Arts; and the Department of Social Services.

Risk management of MoG changes

1.60 The Guide outlines that the application of a risk management approach relating to the impact of the MoG change on an entity would assist in avoiding delays in negotiations.[33]

1.61 Performing a risk assessment assists entities in identifying high risk areas which require escalation early to prevent delays to the implementation of MoG changes, for both transferring and receiving entities. Of the 12 entities impacted by MoG changes in 2022–23, eight entities advised that they performed a formal risk assessment in relation to the overall MoG.[34] Four of the twelve entities impacted by MoG changes in 2022–23 advised that they performed an assessment of risks that could impact the financial statements preparation processes. Although this is not a specific requirement in the Guide, MoG changes may pose a risk to the timely preparation of complete and accurate financial statements. Performing an analysis of financial statements risks may be useful for entities in future periods.

Conclusion and audit findings relating to implementation of MoG changes

1.62 The information included in the Guide provides entities with a set of principles to follow when they are subject to MoG changes. Best practice would include entities applying the principles of the Guide whether they are the losing agency or the gaining agency. Performing a due diligence review and undertaking detailed risk assessments, from an operational and financial statements perspective, assists entities to identify any new risks that could impact on the timely preparation of complete and accurate financial statements.

1.63 As a result of the interim audit, findings relating to MoG changes were reported to the Department of Education and the Department of Employment and Workplace Relations.[35] These findings highlight weaknesses in relation to:

  • the configuration of financial and HR systems;
  • delays in finalisation of memoranda of understanding with service providers;[36]
  • no established reconciliation processes for appropriation transactions; and
  • failure to provide and validate existing employee numbers and movements during the year.

1.64 While findings were reported to two entities, the majority of entities largely complied with the principles of the Guide when implementing the MoG changes in 2022–23.

Safeguarding information from cyber threats

1.65 The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities (NCE) to consider and implement the Australian Signals Directorate’s (ASD) Essential Eight mitigation strategies (Essential Eight).[37] The initial requirements were defined in 2013 and are now specified in PSPF Policy 10, “Safeguarding information from cyber threats” (Policy 10).[38] The Essential Eight is considered the baseline for cyber resilience within the Australian Government and provides advice on measures that entities can implement to mitigate cyber threats.[39]

1.66 Policy 10 requires each non-corporate Commonwealth entity (NCE) to:

  • implement the following Australian Signals Directorate (ASD) Strategies to Mitigate Cyber Security Incidents:[40]
    • application control;[41]
    • patching applications;[42]
    • configure Microsoft Office macro settings;[43]
    • user application hardening;[44]
    • restricting administrative privileges;[45]
    • patching operating systems;[40]
    • multi-factor authentication;[46] and
    • regular backups.[47]
  • consider which of the remaining mitigation Strategies from the Strategies to Mitigate Cyber Security Incidents[48] need to be implemented to protect the entity.[49]

1.67 Since 2013, the ANAO has conducted a series of performance audits focussed on assessing entities’ implementation of the PSPF cyber security requirements. These performance audits continue to identify low levels of compliance with mandatory PSPF cyber security requirements and concerns in annual self-assessments by entities. The ANAO has reported its concern that there is no evidence through the series of audits that the regulatory framework had driven sufficient improvement in entities mitigating their cyber security risks since 2013.

1.68 In 2022–23, the ANAO performed a review of the 2021–22 Policy 10 annual self-assessment as part of its assurance audit program of financial statements. This review focused on the protection of information relevant to the preparation of financial statements, specifically the Financial Management Information System (FMIS) and Human Resource Management Information Systems (HRMIS). Twenty of the 27 entities included in this report are required to report annually against the Policy 10 requirements.[50] The review was undertaken to assess the evidence supporting the self-assessment and reporting, and to identify cyber security risks that may impact on the preparation of financial statements. The review was based on the October 2020 Policy 10 requirements as these are the requirements that entities were required to implement for the majority of the 2021–22 reporting period.[51] The review consisted of analysis of policy and procedural documentation, testing of some Essential Eight mitigation strategies specific to the FMIS and HRMIS, review of results of sprint assessments and meetings with entity personnel.

1.69 The ANAO noted deterioration in reported maturity levels across some Essential Eight mitigation strategies since ANAO’s 2021–22 assessment, particularly with ‘Restricting Administrative Privileges’ and ‘Macro Settings’. Figure 1.4 shows ANAO’s analysis of reported maturity levels for each Essential Eight mitigation strategy between 2019–20 and 2022–23. The Essential Eight mitigation strategies within the shaded area of the figure represent the mitigation strategies that were mandatory during the majority of the 2021–22 reporting period.

Figure 1.4: Reported Compliance with the PSPF Policy 10 Requirements

Source: ANAO data.

1.70 Seven entities reported improvements in Essential Eight maturity levels across several of the Essential Eight mitigation strategies. Although these entities reported improvements, only two of the seven entities had reported meeting all Policy 10 requirements. The other five entities, similar to the majority of the NCEs, were still progressing their development of the Policy 10 mitigation strategies.

1.71 Seven entities reported lower maturity since last year’s assessment. The lower maturity resulted from changes in Policy 10 requirements. Several NCEs reported that the complexity of the changes in Policy 10 requirements has required them to adjust their cyber security uplift programs, resulting in some delays in implementation. Thirteen of the 20 entities reviewed engaged third parties, such as the Australian Cyber Security Centre (ACSC), to assist with their assessments and implementation of security controls. Although some entities commented on the complexity of changes, most entities were still planning on achieving ASD’s Maturity Level Three for the Essential Eight mitigation strategies.

1.72 The ANAO found the reported maturity levels for most entities were still significantly below the Policy 10 requirements. Of the 20 entities assessed, two had self-assessed as achieving a Managing maturity level. Both entities were able to demonstrate evidence to support the self-assessments as required by the PSPF.

1.73 The lowest level of compliance was with the ‘Macro Settings’ and ‘User Application Hardening’ controls. Although entities had plans to improve ‘Macro Settings’ and ‘User Application Hardening’ controls, as at June 2022 the majority of entities were still not achieving a Managing maturity level. The number of applications in entities’ systems and identifying all applicable hardening controls for specific applications continues to be the key issue with implementing this mitigation strategy. Some entities chose to implement hardening controls for some applications and are implementing other mitigation strategies to address the related cyber threats for those applications that do not have hardening controls.

1.74 ‘Macro Settings’ was reported to be difficult as users continue to rely heavily on macros to perform business activities. Entities continue to differ in their maturity of addressing the associated risks, with some entities reporting difficulties with monitoring the use of macros in their environments. Entities advised that the deterioration in reported maturity levels since last year was due to challenges with fully integrating the changes in Policy 10 requirements into business practices.

1.75 Only six of the 20 entities reviewed had reported achieving the ‘Restricting Administrative Privileges’ requirements. Most entities that reported not achieving the requirements had reported the reduction in maturity level being due to the changes in the Policy 10 requirements. The ANAO identified weaknesses in managing privileged users in two of the six entities that had reported achieving the requirements. The weaknesses related to monitoring privileged user activities across FMIS and HRMIS applications and databases. The ANAO noted that the entities’ self-assessments did not focus on the FMIS and HRMIS applications, but on the systems hosting these applications.

1.76 The PSPF requires entities to identify and protect people, information and assets that are critical to the ongoing operation of their core business.[52] Most entities did not view the FMIS and HRMIS applications and financial information as separate critical assets to their computer networks. Those entities conducted their self-assessment at a system or environment level and did not assess the controls required to minimise cyber risks to their FMIS or HRMIS applications.

1.77 Entities which access FMIS and HRMIS applications as part of Software-as-a-Service (SaaS) arrangements reported relying on documentation developed as part of the decision to authorise the system to operate. This documentation may not have been updated in the current period. The PSPF requires this documentation to be developed on new information and communications technology (ICT) systems or when implementing improvements to existing systems.[53]

1.78 Ten of the 20 entities reviewed had information asset registers that identified critical and high-priority systems and information. Five of the 10 entities had specified the FMIS and HRMIS as critical or high-priority information assets. Entities that had not implemented an information asset register used their business continuity, disaster recovery and risk management plans as the basis for prioritising systems and information. Entities use these mechanisms along with their broader enterprise strategies and objectives to help determine investment in cyber security. Most entities had defined a multi-year security improvement program that included cyber security, however, these additional programs did not have a defined budget and costs were being absorbed as part of business-as-usual activities.

1.79 The ANAO found that the number of assessed entities that reported an Ad-hoc or Developing maturity level had not significantly changed since last year’s assessment. Although the overall number of entities not meeting the required Policy 10 maturity level remained similar, the number of entities reporting an Ad-hoc maturity level had increased from five per cent to 30 per cent. This was due to changes in the requirements within Policy 10 and the Essential Eight.

1.80 The number of entities that reported as meeting the Managing maturity level (two) has not changed since the 2020–21 PSPF self-assessments. The changes in Policy 10 have caused most NCEs to prioritise the alignment of maturity levels across all Essential Eight mitigation strategies before progressing to the higher maturity level (NCEs are aiming to achieve Maturity Level One across all mitigation strategies prior to progressing to Maturity Level Two).

1.81 The PSPF cyber security requirements have been in place since 2013, with the March 2022 update mandating the implementation of all Essential Eight mitigation strategies. Entities’ inability to meet changing requirements indicates a weakness in implementing and maintaining strong cyber security controls over time.

1.82 Previous ANAO audits of entity compliance with PSPF cyber security requirements have not found a significant improvement over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.

1.83 The Joint Committee of Public Accounts and Audit (JCPAA) Report 485 Cyber Resilience (2020)[54], Auditor-General Report No. 53 2017–18 Cyber Resilience[55] and Auditor-General Report No. 32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities[56] recommended strengthening of arrangements for verifying self-assessment results and accountability for the implementation of mandatory cyber security requirements.

1.84 While entities’ compliance with PSPF cyber security requirements remains low, there continues to be the risk of compromise to information relevant to the preparation of financial statements.

Interim audit results

1.85 Audit findings are raised in response to the identification of a potential business or financial risk posed to an entity. Often these risks arise from deficiencies within an entity’s internal control processes or frameworks. Weaknesses in internal controls increase the possibility that a material misstatement of an entity’s financial statements will not be prevented or detected in a timely manner. The ANAO rates audit findings according to the potential business or financial management risk posed to the entity. The rating scale is presented in Table 1.5.

Table 1.5: Findings rating scale

| Rating | Description |
| --- | --- |
| Significant (A) | Issues that pose a significant business or financial management risk to the entity. These include issues that could result in a material misstatement of the entity’s financial statements. |
| Moderate (B) | Issues that pose a moderate business or financial management risk to the entity. These may include prior year issues that have not been satisfactorily addressed. |
| Minor (C) | Issues that pose a low business or financial management risk to the entity. These may include accounting issues that, if not addressed, could pose a moderate risk in the future. |
| Significant legislative breach (L1) | Instances of significant potential or actual breaches of the Constitution; and instances of significant non-compliance with the entity’s enabling legislation, legislation that the entity is responsible for administering, and the PGPA Act. |
| Other non-compliance with legislation (L2) | Other instances of non-compliance with legislation the entity is required to comply with. |
| Non-compliance with subordinate legislation (L3) | Instances of non-compliance with subordinate legislation, such as the PGPA Rule. |

Source: ANAO reporting policy.

1.86 A summary of findings identified at the end of the interim phase is presented in Table 1.6 below. The table includes all findings reported to the 27 entities included in this report.

Table 1.6: Audit findings by category for the 2022–23 interim period

| Category | Significant | Moderate | Minor | Main areas of weakness |
| --- | --- | --- | --- | --- |
| IT control environment | | 21 | 28 | security management, particularly management of user access and monitoring of privileged users; and terminations. |
| Compliance and quality assurance frameworks | | | 4 | appropriate quality assurance processes; and risk management frameworks. |
| Accounting and control of non-financial assets | | 3 | 2 | processes supporting the valuation and impairment of assets; and management and monitoring of assets including, inventory management, identification, disposals and impairment of assets. |
| Revenue, receivables and cash management | | 1 | 3 | treatment of debt; data accuracy and completeness; and cash payment processes. |
| Human resources financial processes | | | 1 | maintenance of employees in the human resources management information system. |
| Purchases and payables management | | 2 | 5 | methodology for military compensation provision; timeliness and completeness of reconciliations; management of accrual processes; and contract management. |
| Financial statements preparation | | | | no weaknesses reported during interim 2022–23 in relation to this finding category. |
| Other audit findings | | 2 | 4 | management of Machinery of Government changes; assessment of eligibility, processing and management of grants; and assignment of benefit expenses. |
| Legislative breaches | | 2 | | breach of section 23 of the PGPA Act; and non-compliance with statutory conditions. |
| Total | | 31 | 47 | |

Source: Compilation of ANAO interim audit findings.

1.87 A summary of all significant, moderate, minor and legislative findings reported at the conclusion of the interim audit phase across the past five financial years is presented in Figure 1.5 below.

Figure 1.5: Trend in aggregate interim findings 2018–19 to 2022–23

Source: ANAO data.

Information Technology Control Environment

1.88 The review of information systems and related controls is an integral part of an entity’s control environment. This section summarises the results from interim tests of the operating effectiveness of general IT controls for each of the entities included in this report.

1.89 Figure 1.6 demonstrates the trends in interim audit findings related to entities’ overall IT control environments from 2018–19 to 2022–23. At the time of this report, testing of the operating effectiveness of IT controls was still in progress for three entities.57

Figure 1.6: IT control environment interim findings 2018–19 to 2022–23


Source: ANAO data.

1.90 Findings related to entities’ IT control environments represent 63 per cent of total findings identified during the 2022–23 interim period. IT control environment findings continue to represent the highest proportion of all findings. There were 21 moderate findings reported in 2022–23 compared to 10 moderate findings reported in 2021–22. Further details relating to the moderate findings are detailed in chapter 3 for the Attorney-General’s Department and the Departments of: Climate Change, Energy, the Environment and Water; Defence; Education; Employment and Workplace Relations; Finance; Infrastructure, Transport, Regional Development, Communications and the Arts; Social Services; the Treasury; Veterans’ Affairs; Home Affairs; and National Disability Insurance Agency and Services Australia.

1.91 The information systems control environment findings reported at the conclusion of the 2021–22 interim audits for entities included in this report have been grouped as follows:

  • IT security;
  • IT change management; and
  • disaster recovery arrangements.

IT Security

1.92 IT security is concerned with protecting an entity’s information assets from internal and external threats. It includes controls to prevent or detect unauthorised access to systems, programs and data. In the context of the financial statements audit, the focus is on the financially significant systems and data only. The Protective Security Policy Framework58 (PSPF) sets out the government protective security policy and the Australian Cyber Security Centre’s Information Security Manual59 (ISM) provides guidance on strategies for protecting information and systems from cyber threats.

1.93 The key control areas that address risks relating to IT security and that are assessed as part of the interim audit are:

  • IT security governance;
  • general and privileged user access; and
  • monitoring and reporting.

1.94 Figure 1.8 illustrates the trends in findings observed in entities’ IT security arrangements between 2018–19 and 2022–23.

Figure 1.7: IT security interim findings 2018–19 to 2022–23


Note: The comparative numbers in this figure have been updated to include findings previously categorised as IT application controls which related to IT security.

Source: ANAO data.

1.95 The IT security findings represent 86 per cent of all IT-related findings reported in 2022–23. Nineteen moderate findings were reported in the 2022–23 interim audit. Further details of the moderate findings are detailed in chapter 3.60

1.96 A review of all IT security findings identified issues in the following areas:

  • logging and monitoring of privileged user activity;
  • user access management, including approving new user access and performing regular user access reviews;
  • removal of user access when it is no longer required;
  • password configuration; and
  • risk management and monitoring of controls.

1.97 Users with administrative access privileges, commonly referred to as privileged users, are able to make significant changes to IT systems’ configuration and operation, bypass critical security settings and access sensitive information. As part of reviewing IT security arrangements, different groups of privileged users were examined, including:

  • application administrators, sometimes referred to as super users;
  • database administrators;
  • system administrators; and
  • network or domain administrators.

1.98 To reduce the risks associated with this access, the Australian Signals Directorate (ASD) Information Security Manual (ISM) specifies that privileged user access be appropriately restricted and, when provided, that the access is logged, regularly reviewed and monitored. Three moderate and four minor findings related to the logging and monitoring of privileged user access. Two new moderate findings related to issues with the monitoring of privileged user activities at the Department of Climate Change, Energy, the Environment and Water, and the National Disability Insurance Agency. Neither entity has established adequate processes for reviewing access performed by privileged users, including documenting the results and outcomes of reviews. The third moderate finding was reported to Services Australia and related to issues with security configurations for managing and logging privileged user activities and the robustness of monitoring and investigation processes. The four minor findings related to issues with the design of controls, such as the scope of access being monitored, completeness and accuracy of audit logs, and the independence of monitoring activities. The risk of inappropriate changes to financially significant systems and data arising from these findings is partially mitigated through alternate controls.

1.99 All users with access to financial systems may have the ability to change financial information, and therefore access should only be granted where it is required for the performance of the role, and should be reviewed whenever the role changes. Two moderate and seven minor findings related to granting and reviewing user access. The moderate findings reported to the Department of Climate Change, Energy, the Environment and Water and the Department of Veterans’ Affairs related to user access reviews not being performed. The seven minor findings related to managing access to payment files, approving new user access and timeliness of user access reviews.

1.100 Entities must remove or suspend user access on the same day that a user no longer has a legitimate business requirement for its use.61 Terminating a user account when the user no longer has a requirement to access it, such as upon departure from an entity, can prevent unauthorised use. There were ten moderate findings in this area and an additional five minor findings. The ten moderate findings related to weaknesses in monitoring controls and access being performed by users who no longer required such access. The ten moderate findings were reported to the Attorney-General’s Department and the Departments of: Defence; Education; Employment and Workplace Relations; Finance; Home Affairs; Infrastructure, Transport, Regional Development, Communications and the Arts; Social Services; and Veterans’ Affairs, and the National Disability Insurance Agency. The five minor findings related to access not being removed when it was no longer required and issues related to the design of controls, such as scope of access being reviewed and controls not being implemented in accordance with policies and procedures.
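The same-day removal requirement in paragraph 1.100 can be tested by reconciling separation records against account status and logon records. The following is an added example, not ANAO code or methodology; the record shapes, finding names, user names and system names (FMIS, HRMIS) are constructed assumptions.

```python
"""Reconcile HR separations against account removal dates and logon events.

Added illustration only. All data below is constructed sample data and the
field layout is an assumption, not taken from any entity's systems.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # unmatched | not_removed | late_removal | post_separation_logon
    detail: str


def _norm(user):
    # HR and directory systems often differ in case and padding of user ids.
    return user.strip().lower()


def review_leaver_access(separations, accounts, logons, as_of):
    """Return findings for users separated on or before `as_of`.

    separations: {user: separation date}
    accounts:    {user: date access was removed, or None if still enabled}
    logons:      iterable of (user, datetime, system) successful logons
    """
    leavers = {_norm(u): d for u, d in separations.items() if d <= as_of}
    removed_on = {_norm(u): d for u, d in accounts.items()}

    # Logons dated after the separation day indicate use of retained access.
    late_logons = defaultdict(list)
    for user, when, system in logons:
        left_on = leavers.get(_norm(user))
        if left_on is not None and when.date() > left_on:
            late_logons[_norm(user)].append((when, system))

    findings = []
    for user, left_on in leavers.items():
        if user not in removed_on:
            # Cannot conclude access was removed without a matching account.
            findings.append(Finding(user, "unmatched",
                                    "no account record; confirm identity mapping"))
        elif removed_on[user] is None:
            days = (as_of - left_on).days
            if days > 0:  # still enabled on the separation day itself is in time
                findings.append(Finding(user, "not_removed",
                                        f"still enabled {days} day(s) after separation"))
        elif removed_on[user] > left_on:
            days = (removed_on[user] - left_on).days
            findings.append(Finding(user, "late_removal",
                                    f"access removed {days} day(s) after separation"))
        events = late_logons.get(user, [])
        if events:
            systems = ", ".join(sorted({s for _, s in events}))
            findings.append(Finding(user, "post_separation_logon",
                                    f"{len(events)} logon(s) after separation on {systems}"))
    return sorted(findings, key=lambda f: (f.user, f.kind))


# Constructed sample data.
AS_OF = date(2023, 3, 31)
SEPARATIONS = {
    "asmith": date(2023, 2, 10),
    "bjones": date(2023, 3, 1),
    "cnguyen": date(2023, 3, 15),
    "dlee": date(2023, 4, 30),    # future separation, out of scope
    "epatel": date(2023, 1, 20),  # no matching account record
}
ACCOUNTS = {
    "ASmith": date(2023, 2, 10),  # removed on the separation day
    "bjones": date(2023, 3, 8),   # removed a week late
    "cnguyen": None,              # still enabled
    "dlee": None,
}
LOGONS = [
    ("asmith", datetime(2023, 2, 9, 8, 15), "FMIS"),
    ("bjones", datetime(2023, 3, 1, 16, 0), "FMIS"),   # separation day itself
    ("bjones", datetime(2023, 3, 5, 9, 30), "FMIS"),
    ("CNguyen", datetime(2023, 3, 20, 11, 5), "HRMIS"),
    ("dlee", datetime(2023, 3, 30, 10, 0), "FMIS"),
]

if __name__ == "__main__":
    for f in review_leaver_access(SEPARATIONS, ACCOUNTS, LOGONS, AS_OF):
        print(f"{f.user:8} {f.kind:22} {f.detail}")
```

Unmatched users are reported rather than skipped, because a gap in the mapping between HR and system identities hides exactly the accounts this test is meant to find.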

1.101 The ISM provides guidance on the password requirements for Australian Government systems. In October 2019 the ASD updated this guidance to specify passphrase requirements for instances where multi-factor authentication62 is not supported; passphrases used for single-factor authentication should be at least four random words with a minimum of 14 characters63. There were six minor findings in this area. Inadequate password controls increase the likelihood of unauthorised access to systems and data.

1.102 Monitoring the performance of security controls is essential to maintaining an entity’s security posture. It can contribute to improving the implementation of minimum core and supporting PSPF requirements, the detection of new and emerging security risks, and the identification of controls that are not operating as planned. Four moderate findings and one minor finding related to the management and monitoring of security controls. Two moderate findings were reported to the Department of Veterans’ Affairs and related to issues with monitoring the implementation and operation of security controls and remediation of security risks. One moderate finding was reported to the Department of Defence and related to issues with controls for managing personally identifiable information, such as tracking access to information and the completion of compliance activities. The fourth moderate finding was reported to the Department of the Treasury and related to issues with managing security risks and managing the design, implementation and operation of associated security controls. The minor finding related to issues with monitoring the performance of controls within third party providers.

1.103 The weaknesses identified within this category increase the risk of unauthorised access to systems and data, or data leakage. Entities should review their management of these areas in light of the recommendations of the ISM and the risks to their operational environment.

IT change management

1.104 IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being introduced, and to reduce the likelihood that normal business operations are interrupted with the implementation of authorised changes.

1.105 Figure 1.9 illustrates the trends in findings identified in entities’ IT change management controls between 2018–19 and 2022–23.

Figure 1.8: IT change management interim findings 2018–19 to 2022–23


Source: ANAO data.

1.106 Changes to entities’ IT environments were managed using standardised processes, usually based on the ITIL Framework.64 While low when compared to IT security, the number of findings in this area still highlights the importance of maintaining and monitoring performance of change management processes.

1.107 Two moderate findings and two minor findings related to weaknesses in the operation of the change management processes were reported as a result of the interim audits. The National Disability Insurance Agency and Services Australia each had moderate findings relating to issues with restricting developer access to production systems and data, and monitoring changes performed by those with access to developer functions. The two minor findings relate to managing developer access to production systems and data, and management of batch processing and reporting data.

1.108 Weaknesses in change management elevate the risk of unauthorised or untested changes to systems during these activities. These weaknesses may also affect the availability or reliability of the overall IT environment. Entities should monitor the operating effectiveness of their IT control environments to mitigate risks.

Disaster recovery arrangements

1.109 Disaster recovery is concerned with the resumption of the IT environment including systems and data following an interruption to services. It relies on:

  • effective back-up and recovery arrangements, to allow data to be recovered from current versions of key IT systems; and
  • disaster recovery planning, including the development, maintenance and testing of a disaster recovery plan to enable IT systems to be recovered in line with defined business requirements.

1.110 The ANAO assesses entities’ disaster recovery arrangements in view of the potential for a disruptive event to impact on financial reporting. Figure 1.10 illustrates the trend for findings identified in entities’ disaster recovery arrangements between 2018–19 and 2022–23.

Figure 1.9: Disaster recovery interim findings 2018–19 to 2022–23


Source: ANAO data.

1.111 In all cases where general IT controls testing has been completed, ANAO found that entities undertook regular backups of financially significant data. The three minor findings related to weaknesses in managing service provider performance, management of batch processing and scope of business continuity and disaster recovery arrangements. These findings increase the risk that, in the event of a significant disruption, systems and data will not be recovered within an acceptable timeframe.

1.112 Overall, the majority of IT controls continued to provide reasonable assurance about the operation of controls relied on to support the preparation of financial statements that are free from material misstatement. Consistent with observations in previous years, IT Security, particularly with regard to removal of user access, continues to be an area requiring improvement to address the risk of inappropriate access to systems and data.

Compliance and quality assurance frameworks

1.113 Entities place reliance on internal and external systems, parties and information in decision-making processes. The implementation of effective compliance and quality frameworks and processes provides assurance over the completeness and accuracy of information and is integral to the preparation of financial statements that are free from material misstatement.

Figure 1.10: Compliance and quality assurance framework interim findings 2018–19 to 2022–23


Source: ANAO data.

1.114 Three of the minor findings remain unresolved from prior years and relate to quality assurance processes over compliance programs and developing and implementing risk management frameworks. One minor finding remains unresolved from 2018–19 and two have remained unresolved from 2019–20.

1.115 The minor finding raised in 2022–23 is related to quality assurance processes over payment programs.

Accounting and control of non-financial assets

1.116 Entities control a diverse range of non-financial assets on behalf of the Commonwealth, including land and buildings, specialist military equipment, leasehold improvements, infrastructure, plant and equipment, inventories and internally developed software.

Figure 1.11: Accounting and control of non-financial assets interim findings 2018–19 to 2022–23


Source: ANAO data.

1.117 The significant finding first reported in 2020–21 that relates to the valuation of the Department of Defence’s Specialised Military Equipment (SME) was downgraded to a moderate finding in 2022–23. The moderate finding relating to the assets and inventories disposal of the Department of Defence was first reported in 2021–22 and remains unresolved. The third moderate finding relating to the Department of Health and Aged Care’s impairment of the National Medical Stockpile was first reported in 2021–22 and also remains unresolved.

1.118 Two minor audit findings relating to intangible assets and impairment were raised in 2021–22 and remain unresolved.

Revenue, receivables and cash management

1.119 Revenue and receivables consist of Parliamentary appropriations, taxation revenue, customs and excise duties and administered levies. Revenue is also generated by entities from the sale of goods and services and a range of other sources. Cash management involves the collection and receipt of public monies and the management of official bank accounts.

Figure 1.12: Revenue, receivables and cash management interim findings 2018–19 to 2022–23


Source: ANAO data.

1.120 The unresolved moderate finding was raised during the 2021–22 final audit and relates to the Australian Taxation Office’s treatment of non-pursued debts.

1.121 Two of the minor findings were first reported in 2021–22 and relate to data accuracy and completeness and cash payment processes. The new minor finding raised at interim 2022–23 relates to cost recovery processes.

Human resource financial processes

1.122 Human resources encompass the day-to-day management and administration of employee entitlements and payroll functions. Employee benefits expenditure represents a significant departmental expenditure item for most entities. Employee entitlement liabilities involve estimates and judgements in inputs. It is important for entities to establish robust controls in these areas to support complete and accurate payment and recording of transactions.

Figure 1.13: Human resources financial processes interim findings 2018–19 to 2022–23


Source: ANAO data.

1.123 The unresolved minor finding was first raised in 2020–21 and relates to maintenance of employees in the human resource management information system.

Purchases and payables management

1.124 Purchases and payables management covers controls and processes that provide management with assurance that payments processed by the entity are complete and accurate. This may include the implementation of appropriate systems of approval or controls designed to ensure that payments processed through the financial management information system are appropriate.

Figure 1.14: Purchases and payables management interim findings 2018–19 to 2022–23


Source: ANAO data.

1.125 The significant finding first reported to the Department of Veterans’ Affairs in 2021–22 relating to the methodology for the Military Compensation Provision was downgraded to a moderate finding during the 2022–23 interim. The unresolved moderate finding was first reported in 2020–21 and relates to weaknesses around the governance of ADF health services at the Department of Defence.

1.126 Four of the five minor audit findings were raised in 2021–22 and remain unresolved. All four findings related to weaknesses surrounding contract management, delegation, accrual processes and the compliance rate of bank charges. One new minor audit finding opened in 2022–23 relates to the liability reconciliation.

Financial statements preparation

1.127 The primary purpose of financial statements is to provide relevant and reliable information to users about a reporting entity’s financial position. The preparation of quality financial statements will be evidenced by adherence to a well-defined financial statements preparation timetable with minimal adjustments required to financial statements throughout the audit process. Reporting financial statements preparation findings separately allows the ANAO to specifically identify areas where there are concerns with the presentation and disclosure in the financial statements.

Figure 1.15: Financial statements preparation interim findings 2018–19 to 2022–23


Source: ANAO data.

1.128 There are no unresolved findings relating to financial statements preparation.

Other audit findings

1.129 Other audit findings typically include items relating to the: management and implementation of service level agreements or memoranda of understanding; and updating or maintaining key governance documentation.

Figure 1.16: Other interim findings 2018–19 to 2022–23


Source: ANAO data.

1.130 The two moderate findings raised in 2022–23 relate to the management of Machinery of Government changes for the Department of Education and the Department of Employment and Workplace Relations.

1.131 Three of the four minor findings remain unresolved and were first raised in 2021–22. They relate to weaknesses in the assessment of eligibility, processing and management of grants and the assignment of benefit expenses. The minor finding raised in 2022–23 relates to segregation of duties over journal processing.

2. Reporting and auditing frameworks

Chapter coverage

This Chapter outlines the Australian Government’s financial reporting framework, recent changes to the Australian auditing framework relating to the auditor’s report on financial statements and emerging areas of audit work. The ANAO’s Quality Assurance Framework and Plan 2022–23 and the ANAO Quality Management Framework 2023–24 are also discussed.

Summary of developments

There are no significant changes to accounting standards affecting the Australian Government’s financial reporting framework for 2022–23.

A revised Australian Auditing Standard ASA 315 became effective for 2022–23 financial statements audits. As a result, changes have been made to the ANAO’s audit methodology.

The ANAO Quality Management Framework (previously referred to as the ANAO Quality Assurance Framework) addresses the requirements of three new and revised Australian Quality Management Standards, which became effective on 15 December 2022. The revised standards introduce a quality management approach that is focused on proactively identifying and responding to risks to quality. The standards include enhanced requirements and focus on governance and leadership, monitoring and remediation.

In November 2022, the ANAO finalised its methodology and framework for considering ethics either as part of a broader performance, financial or performance statements audit, or as an audit of an entity’s ethical framework. Audits considering ethics will feature in ANAO audit programs.

The ANAO is monitoring national and international developments in sustainability reporting guidance and will continue to contribute to discussions as reporting and assurance standards develop.

Introduction

2.1 The Australian Government’s financial reporting framework is primarily based on standards made independently by the Australian Accounting Standards Board (AASB).

2.2 The AASB bases its accounting standards on the International Financial Reporting Standards (IFRS) issued by the International Accounting Standards Board. As IFRS are designed for use by private sector and for-profit organisations, the AASB amends the IFRS to reflect significant transactions and events unique to the public sector and not-for-profit private sector. In doing so, the AASB considers standards issued by the International Public Sector Accounting Standards Board (IPSASB).

2.3 The Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires Commonwealth entities to apply Australian accounting standards when preparing financial statements. In addition to Australian accounting standards the Minister for Finance prescribes additional financial reporting requirements for Commonwealth entities via the Public Governance, Performance and Accountability (Financial Reporting) Rule 2015 (FRR).

2.4 The audits of the financial statements of Commonwealth entities are conducted in accordance with the ANAO Auditing Standards, which are made by the Auditor-General for Australia under section 24 of the Auditor-General Act 1997. The ANAO Auditing Standards incorporate, by reference, the auditing standards made by the Australian Auditing and Assurance Standards Board (AUASB). The AUASB bases its standards on those made by the International Auditing and Assurance Standards Board (IAASB), an independent standard setting board of the International Federation of Accountants.

2.5 The financial reporting and auditing frameworks that applied in 2022–23 are discussed further in Appendix 2 and Appendix 3 of this report.

Changes to the Australian public sector financial reporting and auditing frameworks

Changes in the environment

2.6 The requirements of the revised auditing standard, ASA 315 Identifying and Assessing the Risks of Material Misstatement (ASA 315), take effect for audits of the 2022–23 financial statements. The revised standard responds to changes in the financial reporting environment including more complex financial reporting frameworks, technology being used to a greater extent, and entities and their governance structures becoming more complex. In particular, the audit standard requires a more prescriptive focus on entity specific, industry, IT environment and regulatory risks, and the controls that address those risks. The revised standard also emphasises and strengthens the documentation requirements relating to the exercise of professional scepticism by the auditor.

2.7 To address the new requirements, the ANAO has implemented a more detailed risk assessment process to understand risks of material misstatement arising from inherent factors, such as complexity, subjectivity, change, uncertainty, or susceptibility to misstatement due to management bias or other fraud risk factors. This is separate to the consideration of control risk, where the assessment focuses on the entity’s control environment. The increased focus on risks arising from the use of IT and the IT controls in place, particularly in smaller, less complex entities, is expected to provide the ANAO with a better whole of sector view on IT risk resulting in the increased likelihood of insights pertaining to IT control environments.

2.8 There is also a more detailed examination of entities’ processes and controls around governance, the entity’s business model and financial reporting framework. Further, the ANAO’s approach includes evaluation of whether: management has created and maintained a culture of honesty and ethical behaviour; the entity’s risk assessment process is appropriate to the entity’s circumstances; the entity’s process for monitoring the system of internal control is appropriate; and the entity’s information system and communication, including the IT environment, appropriately supports financial reporting.

2.9 As a result of the change in methodology, the ANAO has strengthened its focus on entities’ governance, risk and controls frameworks and expects to be able to identify potential problems early in the audit process to help improve governance, accountability and performance in the public sector. This includes insights into the quality of oversight by the leadership team, and whether risk frameworks have been implemented effectively.

Emerging areas of audit work

2.10 The ANAO continually monitors developments in standard setting and engages with the national and international standard setting bodies in the review and update of existing standards and development of new standards. Outlined below are emerging issues expected to impact the financial reporting and auditing frameworks in the near future.

Auditing ethics

2.11 The importance of ethics in government programs has been highlighted in multiple audits, particularly those examining procurement and grants administration. The lack of adequate documentation and records to support the rationale for decisions made and actions undertaken by audited entities is a consistent theme, and even if the entity is technically compliant with the rules and policy framework, their decision-making can sometimes fall short of the intent behind these frameworks.

2.12 Subsection 15(1) of the PGPA Act provides that the accountable authority of a Commonwealth entity must govern the entity in a way that promotes the proper use of public resources. The PGPA Act defines ‘proper’ when used in relation to the use or management of public resources as efficient, effective, economical and ethical. In consideration of the obligations set out under the PGPA Act, the ANAO has developed methodology guidance for auditing ethics. The methodology describes specific considerations for auditors when ethics is a component of a performance audit, financial statements audit or performance statements audit.

2.13 The methodology defines the Australian Government Sector ethical framework in the following way.

  • The legal framework applicable to the entity being audited. For example, the legislative framework which applies to all Australian Public Service (APS) agencies comprises the finance law and the law governing the operation of the APS including the APS Values and Code of Conduct.
  • Activity-specific frameworks, for example, key public sector resource management frameworks for specific Australian Government activities such as the Commonwealth Grants Rules and Guidelines and the Commonwealth Procurement Rules.
  • Government Policy Orders, for example, orders made by the Minister for Finance under the finance law that specify a policy of the Australian Government that is to apply to the entity being audited.
  • Entity-specific frameworks, which may include the entity’s policies, guidelines, and procedures.

2.14 The selection of the appropriate elements of the ethical framework to apply to an audit will depend on the type of entity being audited, the type of audit and any circumstances unique to the activity being audited.

Sustainability reporting

2.15 In September 2022, the Parliament passed two pieces of legislation that formalised Australia’s commitments to reduce emissions under the Paris Agreement under the United Nations Framework Convention on Climate Change.65

2.16 In December 2022, the Australian Government committed to introducing standardised internationally-aligned sustainability reporting requirements for entities to:

  • provide a strong foundation for clear, comparable, and credible climate-related financial reporting that aligns with global practice; and
  • improve transparency for customers and investors.66

2.17 The Australian Government also announced that the:

  • Department of the Treasury will lead the development of a broad sustainable finance framework for Australia, which includes climate-related disclosures67; and
  • Minister for Finance will lead related work to implement appropriate arrangements for comparable Commonwealth public sector entities and companies to also disclose their exposure to climate-related risk.68

2.18 In December 2022, the Department of Finance established the Australian Public Service (APS) Net Zero Unit to support entities and the government to meet its commitment under the Paris Agreement to reduce Australian public sector greenhouse gas emissions to net zero by 2030. The 2030 target will initially apply to non-corporate Commonwealth entities (excluding the Australian Defence Force and security agencies due to their operational needs) with Corporate Commonwealth entities and Commonwealth Companies, at this stage, encouraged to reduce emissions.69

2.19 In the 2022–23 Budget, the Department of Climate Change, Energy, the Environment and Water (DCCEEW) announced a complementary Climate Risk and Opportunity Management Program70 for non-corporate Commonwealth entities. The program includes a separate climate disclosure method for departments based on the Australian public sector Climate Risk Disclosure Framework. DCCEEW is currently engaging with stakeholders with a view to finalise the framework in 2023.71

2.20 In March 2023, the ANAO established a working group to develop a multi-year Climate Change and Environment Audit Strategy (the strategy). The ANAO intends to build consideration of climate risks into its audit planning process across all audit products. The strategy will allow the ANAO to produce a coordinated body of work to assess progress towards Australia’s commitment to address climate change risk. The strategy will consider risks to the Australian government in achieving its international obligations, inward looking risk to entities and lessons from international supreme audit institutions.

Quality Assurance Framework and Reporting

ANAO Quality Assurance Framework

2.21 The quality of ANAO audit work is reliant on the strength of its independence and quality control processes. The ANAO Quality Assurance Framework and Plan 2022–23 defines audit quality as the provision of timely, accurate and relevant audits, performed independently in accordance with the Auditor-General Act 1997, ANAO auditing standards and methodologies, which are valued by the Parliament. Delivering quality audits results in improved public sector performance through accountability and transparency.

2.22 The ANAO Quality Assurance Framework and Plan 2022–23 complements the ANAO Corporate Plan and reflects the ANAO’s quality assurance strategy and deliverables for the coming year, including:

  • articulating the system of quality management that the ANAO established to comply with the requirements of auditing standard ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Services Engagements (ASQC 1);
  • supporting the delivery of high-quality audit work; and
  • enabling the Auditor-General to have confidence in the opinions and conclusions in the reports prepared for the Parliament.

2.23 The ANAO was subject to the requirements of ASQC 1 for part of 2022–23 (1 July to 14 December 2022). From 15 December 2022, three revised auditing standards came into force replacing ASQC 1:

  • ASQM 1 – Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements;
  • ASQM 2 – Engagement Quality Reviews; and
  • ASA 220 – Quality Management for an Audit of a Financial Report and Other Historical Information.

2.24 The revised standards introduced a quality management approach that is focused on proactively identifying and responding to risks to quality. The standards include enhanced requirements and focus on governance and leadership, monitoring and remediation.

2.25 The ANAO has implemented an enhanced system of quality management compliant with the revised standards and responsive to the quality risks that arise in audits of public sector entities. This system of quality management will be articulated in the ANAO Quality Management Framework and Plan 2023–24.

Ethics, independence and integrity

2.26 Ethical requirements, with a focus on independence, are core to the quality framework. The fundamental principles of professional ethics, as set out in APES 110 Code of Ethics for Professional Accountants (including Independence Standards), are integrity; objectivity; professional competence and due care; confidentiality; and professional behaviour. The ANAO maintains a continued focus on independence through the application of independence policies that manage threats to independence in the conduct of the ANAO’s work. The ANAO Integrity Framework sets out the ANAO’s integrity control system, supporting our organisation’s integrity. The framework encompasses the ANAO Integrity Statement, which describes five key principles of integrity that staff at the ANAO uphold: independence, honesty, accountability, openness and courage.

Quality management and consultation processes

2.27 In the conduct of their work ANAO auditors apply a robust methodology to drive consistent quality and compliance with the ANAO Auditing Standards. The ANAO audit methodology incorporates policies regarding direction, supervision and review, consultation on significant technical and ethical issues, engagement quality review of high-risk audits and documentation of audit evidence and work performed.

3. Results of the interim audit phase by entity

Chapter coverage

This Chapter summarises the results of the interim audits for the 2022–23 financial statements of the 27 entities included in this report. The entities included in this report are all departments of state, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the income, expenses, assets and liabilities within the 2021–22 Consolidated Financial Statements (CFS) of the Australian Government.

The Department of Climate Change, Energy, the Environment and Water and the Department of Employment and Workplace Relations appear in this report for the first time following their establishment on 1 July 2022 as a result of Machinery of Government changes.

The National Indigenous Australians Agency is also included in this report given the role it plays working across government with Indigenous communities and stakeholders.

Engagement risk

The ANAO assesses engagement risk on an annual basis. Eleven entities have been assessed as having a high engagement risk rating for 2022–23.

Audit results

There were 29 moderate audit findings reported to the entities covered by this report at the completion of the 2022–23 interim phase compared with one significant and 14 moderate audit findings reported at the interim phase in 2021–22.

At the completion of the interim audits, the ANAO reported to 12 entities that key elements of internal control were operating effectively to provide reasonable assurance that the entities are able to prepare financial statements that are free from material misstatement. For the other 15 entities, the ANAO reported that, except for particular finding/s outlined in this chapter, key elements of internal control were operating effectively to provide reasonable assurance that the entities are able to prepare financial statements that are free from material misstatement.

Non-material entities’ financial statements results for 2021–22 not previously reported

There were one significant and three moderate audit findings and three significant legislative breaches reported to four non-material entities at the completion of the 2021–22 financial statements audits that have not previously been reported to the Parliament. The ANAO included an emphasis of matter in the auditor’s reports for three of these entities.

Introduction

3.0.1 The ANAO’s assessment of the overall risk of material misstatement of the financial statements is based on professional judgement relating to the entity’s particular circumstances. The financial statements audit planning process involves joint procedures with the performance audit and performance statements audit groups. The process takes into account an entity’s environment and governance arrangements, its system of internal control, and prior year financial and performance audit findings. These planning processes inform the identification of areas of key risk that have the potential to impact on the integrity of the financial statements.

3.0.2 The interim phase of the audit focuses on the steps taken by entities to manage these risks, including their systems of internal control. This chapter reflects entity funding arrangements existing at 30 April 2023 and outlines the following information for each of the reported entities:

  • the entity’s primary role, as reflected in its October 2022–23 Portfolio Budget Statements;
  • 2022–23 appropriation funding and key financial statements items;
  • the ANAO’s assessment of the overall engagement risk for the 2022–23 financial statements audit, which informs the audit processes to be undertaken;
  • key areas of financial statements risk, including where the ANAO has identified Key Audit Matters (KAM); and
  • the status of significant and moderate audit findings at the completion of the interim audit, and the conclusion relating to audit coverage to date.

3.0.3 The entities discussed in this report include all departments of state, the Department of Parliamentary Services and other Commonwealth entities that significantly contribute to the revenues, expenses, assets and liabilities within the 2021–22 Consolidated Financial Statements (CFS) for the Commonwealth public sector. The Department of Climate Change, Energy, the Environment and Water and the Department of Employment and Workplace Relations appear in this report for the first time following their establishment on 1 July 2022 as a result of Machinery of Government changes. The National Indigenous Australians Agency is also included in this report given the role it plays working across government with indigenous communities and stakeholders.

3.0.4 Where a performance audit was tabled prior to 30 April 2023 that was relevant to the financial management or administration of an entity, consideration is given to the impact of observations on the audit approach. Further details are included under the entity headings below.72

Engagement risk

3.0.5 An engagement is assessed as being a high, moderate or low risk engagement based upon the overall risk of the engagement to the Auditor-General and the ANAO. This assessment includes consideration of:

  • the inherent risk of material misstatement arising from the engagement (that is, the risk that there is a material misstatement in the subject matter before the conduct of the engagement); and
  • other professional risks, being any other source of risk to the Auditor-General and the ANAO arising from the conduct of the engagement including, but not limited to, litigious and reputational risks.

3.0.6 The ANAO assesses engagement risk on an annual basis. Where information-gathering processes reveal evidence of misrepresentation or inadequacies, the risk of an engagement would be rated higher to reflect the risk of expressing an inappropriate conclusion based on a lack of sufficient appropriate audit evidence.

3.0.7 Eleven entities have been assessed as having a high engagement risk rating for 2022–23. Table 3.0.1 shows the engagement risk rating for 2021–22 and 2022–23 for each of these entities.

Table 3.0.1: Entities with a high engagement risk rating for 2022–23

| Entity | Engagement Risk Rating 2021–22 | Engagement Risk Rating 2022–23 |
| --- | --- | --- |
| Department of Agriculture, Fisheries and Forestry (a) | Moderate | High |
| Department of Climate Change, Energy, the Environment and Water (b) | | High |
| Department of Defence | High | High |
| Department of Education (c) | Moderate | High |
| Department of Employment and Workplace Relations (b) | | High |
| Department of Health and Aged Care (d) | High | High |
| Department of Home Affairs | High | High |
| NBN Co Limited | High | High |
| Department of Social Services | Moderate | High |
| Services Australia | Moderate | High |
| Australian Taxation Office | High | High |

Note a: Engagement risk rating for 2021–22 relates to the former Department of Agriculture, Water and the Environment.

Note b: The entity was established 1 July 2022 therefore there was no engagement risk rating for 2021–22.

Note c: Engagement risk rating for 2021–22 relates to the former Department of Education, Skills and Employment.

Note d: Engagement risk rating for 2021–22 relates to the former Department of Health.

Source: 2021–22 and 2022–23 ANAO audit correspondence.

Comments on 2021–22 audits of non-material entities not previously reported

3.0.8 As at 2 December 2022, there were ten entities for which the 2021–22 financial statements audit had not been finalised.73 Commentary has been included in this chapter where significant or moderate findings have been reported to entities on completion of the 2021–22 financial statements audit. These entities are Anindilyakwa Land Council, Army and Air Force Canteen Service, Royal Australian Air Force Welfare Trust Fund and Tiwi Land Council. As at 30 April 2023, the 2021–22 financial statements audits of Bundanon Trust, Royal Australian Navy Central Canteens Board and Win with Navy Ltd had not been finalised.

Analysis of Entities’ Contribution to the 2021–22 CFS

3.0.9 An analysis of the percentage contribution of material entities in this report to the 2021–22 CFS is presented below. Figure 3.0.1 presents the results of seven entities that contribute greater than 10 per cent of either the income, expenses, assets or liabilities of the CFS. The remaining entities are presented in Figure 3.0.2 and contribute less than 10 per cent of all categories.

Figure 3.0.1: Material entities contributing more than 10 per cent to the Australian Government’s 2021–22 Consolidated Financial Statements74

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2022.

Figure 3.0.2: Material entities contributing less than 10 per cent to the Australian Government’s 2021–22 Consolidated Financial Statements75

Source: ANAO analysis of CFS and entities’ financial statements for the year ended 30 June 2022.

3.0.10 Table 3.0.2 presents a summary of new and unresolved significant and moderate audit findings76 at the conclusion of the 2022–23 interim77 audits and the 2021–22 interim and final audits.

Table 3.0.2: Significant and moderate findings by entity

 

Interim 2021–22

Final 2021–22

Interim 2022–23

Entity

New findingsa

Unresolved findingsb

New findingsa

Unresolved findingsb

New findingsa

Unresolved findingsb

Former Department of Agriculture, Water and the Environment

1c

N/A

N/A

Attorney-General’s Department

1

1

Department of Climate Change, Energy, the Environment and Water

N/A

N/A

N/A

N/A

1

1c

Department of Defence

4

4

1

4

Department of Veterans’ Affairs

6

3

5

5

Former Department of Education, Skills and Employment

1d

N/A

N/A

Department of Education

N/A

N/A

N/A

N/A

1

1d

Department of Employment and Workplace Relations

N/A

N/A

N/A

N/A

1

1d

Department of Finance

1

Department of Health and Aged Care

1

1

1

Department of Home Affairs

1

Department of Infrastructure, Transport, Regional Development and Communications

1

1

1

Department of Social Services

1

1

1

National Disability Insurance Agency

1

1

2

1

Services Australia

2

Department of the Treasury

1

1

Australian Taxation Office

1

2

1

Total

1

14

10

12

10

19e

             

Note a: New findings are those raised during the audit period.

Note b: Unresolved findings are those that have not yet been remediated by the entity from prior audit periods, including audit findings downgraded from significant to moderate.

Note c: This finding was originally raised during the 2021–22 final audit of the former Department of Agriculture, Water and the Environment and has been transferred to the Department of Climate Change, Energy, the Environment and Water.

Note d: This finding was originally raised during the 2021–22 final audit of the former Department of Education, Skills and Employment. As this finding relates to termination of staff, it has been transferred to both the Department of Education and the Department of Employment and Workplace Relations.

Note e: A total of 22 findings were open at the conclusion of the 2021–22 financial audits of the 25 entities included in the 2021–22 Interim Report to Parliament. Four findings have been resolved or downgraded to minor audit findings during 2022–23. However, the ‘Timely removal of user access on termination’ finding first reported to the former Department of Education, Skills and Employment during the 2021–22 final audit was reported to both the Department of Education and the newly created Department of Employment and Workplace Relations during the 2022–23 interim audits.

Source: 2021–22 and 2022–23 ANAO audit correspondence.

3.1 Department of Agriculture, Fisheries and Forestry

Overview

3.1.1 The Department of Agriculture, Fisheries and Forestry (DAFF) is responsible for developing and implementing policies and initiatives to promote more sustainable, productive, internationally competitive and profitable Australian agricultural, food and fibre industries; safeguarding Australia’s animal and plant health status to maintain overseas markets and protect the economy and environment from exotic pests and diseases.

3.1.2 On 1 June and 23 June 2022, revised Administrative Arrangements Orders were issued by the Australian Government. As a result, on 1 July 2022, a Machinery of Government (MoG) change occurred with the following impacts for DAFF:

  • renaming the former Department of Agriculture, Water and the Environment (DAWE) to the Department of Agriculture, Fisheries and Forestry; and
  • functions related to water and the environment were transferred to the newly created Department of Climate Change, Energy, the Environment and Water (DCCEEW). Administered functions transferred to DCCEEW on 1 July 2022, with departmental functions transferring on 1 September 2022.

3.1.3 Figure 3.1.1 and Figure 3.1.2 below show the 2022–23 departmental and administered financial statements items reported by DAFF and the key areas of financial statements risk.

Figure 3.1.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DAFF’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.1.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DAFF’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.1.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DAFF’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DAFF’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.1.5 In light of the key areas of risk and the ANAO’s understanding of the operations of DAFF, the ANAO has increased the overall risk of material misstatement in the financial statements audit from moderate to high in 2022–23. This increase is a result of DAFF’s forecast financial position for 2022–23, which increases the risks that entity level and transactional internal controls important to financial management, preparation of the financial statements and the supporting information technology (IT) environment may not operate effectively.

Key financial statements items

3.1.6 Annual appropriation funding78 of $689.5 million (departmental) and $547.9 million (administered) was provided to DAFF in 2022–23 to support the achievement of the entity’s outcomes.79 DAFF was also budgeted to receive special appropriation funding of $1,129.4 million.80

3.1.7 Table 3.1.1 and Table 3.1.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.1.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total expenses | 1,150.9 | 1,710.0 |
| Employee benefits | 616.7 | |
| Suppliers | 450.7 | 113.4 |
| Depreciation and amortisation | 77.0 | |
| Levy disbursement and Commonwealth contributions | | 986.7 |
| Personal benefits | | 93.0 |
| Write-down and impairment of assets | 0.9 | 33.9 |
| Finance costs | 0.7 | |
| Grants | 4.9 | 400.7 |
| Borrowing costs | | 58.6 |
| Payment to corporate entities | | 23.7 |
| Total own-source income | 478.5 | 836.6 |
| Sale of goods and rendering of services | 443.2 | |
| Other taxes | | 622.9 |
| Interest | 0.4 | 79.0 |
| Gains | 1.6 | |
| Agriculture Future Drought Resilience Special Account | | 100.0 |
| Other | 33.3 | 34.7 |
| Net (cost of) services | (672.4) | (873.4) |

Source: DAFF’s budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.1.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total assets | 742.7 | 3,669.2 |
| Cash and cash equivalents | 56.8 | 14.9 |
| Trade and other receivables | 80.7 | 2,978.3 |
| Other financial assets | | 86.3 |
| Investments | 15.5 | |
| Land and buildings | 276.4 | |
| Property and equipment | 71.9 | |
| Intangibles and computer software | 231.1 | |
| Inventories | 2.2 | |
| Other non-financial assets | 8.1 | 5.2 |
| Total liabilities | 583.1 | 136.8 |
| Grants payable | 0.2 | 133.1 |
| Suppliers payable | 86.1 | 1.6 |
| Other payables | 32.1 | 2.1 |
| Interest bearing liabilities (lease liabilities) | 278.5 | |
| Employee provisions | 180.8 | |
| Other provisions | 5.4 | |
| Net assets | 159.6 | 3,532.4 |

Note: DAFF’s estimated average staffing level for 2022–23 is 5,005.

Source: DAFF’s budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.1.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of DAFF’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.1.3.

Table 3.1.3: Key areas of financial statements risk

Relevant financial statements line item: Departmental, all financial statements line items
Key area of risk: Financial sustainability
Audit risk rating: Higher
Factors contributing to risk assessment:
  • significance of DAFF’s forecast financial position for 2022–23.

Relevant financial statements line item: Departmental, revenue from contracts with customers ($434.8 million)
Key area of risk: Accuracy and completeness of own-source revenue relating to import and export functions (KAM)
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • complex, numerous and high value of revenue streams, including differing charging methods, service provisions, legislative and cost recovery arrangements;
  • decentralised approach to service provision and revenue collection;
  • reliance on services provided by the Department of Home Affairs for the collection and capture of revenue arising from import declarations; and
  • complexity and number of IT systems used to record and collect import and export revenue.

Relevant financial statements line item: Departmental and administered, all financial statements line items
Key area of risk: MoG changes, particularly the valuation and reporting of assets and liabilities transferred to DCCEEW as a result of the changes
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • significance of assets, liabilities, revenue and expenses transferred from DAFF to DCCEEW which increases the complexity of the financial statements preparation process.

Relevant financial statements line item: Administered, loans receivable (a component of trade and other receivables $2,978.3 million)
Key area of risk: Valuation of loans to state and territory governments and farm businesses (KAM)
Audit risk rating: Higher
Factors contributing to risk assessment:
  • complexity in the accounting treatment for loans deemed concessional in nature, including judgements in estimating the market rate that would otherwise apply to the loan;
  • estimation required to determine expected credit losses. This includes assumptions relating to the security held against each loan, likelihood of enforcement of the security and impacts of industry trading, economic conditions and commodity pricing; and
  • reliance on third parties, including state and territory governments or the Regional Investment Corporation, for management of loans. Third parties are responsible for entering into loan agreements, approval of recipients, and ongoing monitoring of loans.

Relevant financial statements line item: Administered, levies and charges (a component of other taxes $622.9 million)
Key area of risk: Accuracy and completeness of primary industry levies and charges revenue (KAM)
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • reliance on self-assessment by industry participants to calculate the revenue to be collected by DAFF, particularly the estimation of the level of agricultural production on which levies are calculated; and
  • complexity of IT system used to calculate and collect levies and charges.

Source: ANAO 2022–23 risk assessment, and DAFF’s budgeted financial statements for the year ended 30 June 2023.

3.1.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2022–23 relevant to the financial management or administration of DAFF:

  • Auditor-General Report No. 6 2022–23 Implementation of the Export Control Legislative Framework; and
  • Auditor-General Report No. 17 2022–23 Department of Agriculture, Fisheries and Forestry’s cultural reform.

3.1.10 The observations of these reports were considered in designing audit procedures in relation to departmental revenue from contracts with customers, particularly in relation to export fees and charges, and in the understanding and evaluation of the design and operating effectiveness of entity-level internal controls.

Audit results

3.1.11 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of controls relating to departmental revenue from contracts with customers, administered levies, loans and grants, non-financial assets, employee benefits and suppliers expenses. In addition, interim testing of IT general controls for the financial management information system (FMIS), human resource management information system and selected revenue collection applications has been completed.

3.1.12 At the conclusion of the interim audit, procedures relating to MoG changes had not been completed. At the time of finalising the ANAO’s interim audit, DAFF and DCCEEW had not finalised their agreement on the assets and liabilities to be transferred between the entities. Audit procedures relating to this key area of risk will be undertaken as part of the 2022–23 final audit.

3.1.13 Audit procedures relating to end-of-year balances for administered loans and non-financial assets and those related to DAFF’s financial sustainability and financial management will be undertaken as part of the planned 2022–23 final audit.

3.1.14 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.

Conclusion

3.1.15 Based on the ANAO’s audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DAFF will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.2 Attorney-General’s Department

Overview

3.2.1 The Attorney-General’s Department (AGD) supports the Attorney-General. The roles of the department are to contribute towards a just and secure society by maintaining and improving Australia’s law, justice, security and integrity frameworks.

3.2.2 On 1 July 2022, an Administrative Arrangements Order (AAO) took effect which included changes to the responsibilities of AGD. Industrial relations transferred from AGD to the Department of Employment and Workplace Relations. In addition, the following functions were transferred to AGD:

  • national security and cybercrime from the Department of Home Affairs;
  • national child sexual abuse policy and strategy from the Department of the Prime Minister and Cabinet; and
  • copyright from the Department of Infrastructure, Transport, Regional Development, Communications and the Arts.

3.2.3 Figure 3.2.1 and Figure 3.2.2 below show the 2022–23 departmental and administered financial statements items reported by AGD and the key areas of financial statements risk.

Figure 3.2.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and AGD’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.2.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and AGD’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.2.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on AGD’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AGD’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.2.5 In light of the key areas of risk and the ANAO’s understanding of the operations of AGD, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.2.6 Annual appropriation funding81 of $255.9 million (departmental) and $509.0 million (administered) was provided to AGD in 2022–23 to support the achievement of the entity’s outcomes.82 AGD was also budgeted to receive special appropriation funding of $0.9 million.83

Table 3.2.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total expenses | 404.2 | 660.3 |
| Employee benefits | 220.3 | 26.3 |
| Suppliers | 132.1 | 144.0 |
| Subsidies | | 6.4 |
| Personal benefits | | 1.3 |
| Depreciation and amortisation | 45.4 | 6.6 |
| Grants | | 448.7 |
| Payments to corporate entities | | 26.5 |
| Other | 6.4 | 0.5 |
| Total own-source income | 153.3 | 36.4 |
| Sale of goods and rendering of services | 152.8 | 1.9 |
| Other | 0.5 | 34.5 |
| Net (cost of) services | (250.9) | (623.9) |

Source: AGD’s budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.2.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total assets | 513.4 | 449.3 |
| Cash and cash equivalents | 5.2 | 3.2 |
| Trade and other receivables | 202.1 | 1.0 |
| Other investments | | 434.6 |
| Land and buildings | 231.0 | 7.8 |
| Property, plant and equipment | 36.5 | 2.3 |
| Intangibles | 27.2 | 0.4 |
| Other | 11.4 | 0 |
| Total liabilities | 347.3 | 27.5 |
| Suppliers | 9.6 | 13.7 |
| Grants | | 6.5 |
| Other payables | 36.2 | |
| Leases | 236.9 | 3.5 |
| Employee provisions | 62.6 | 3.8 |
| Other provisions | 2.0 | |
| Net assets | 166.1 | 421.8 |

Note: AGD’s estimated average staffing level for 2022–23 is 1,766.

Source: AGD’s budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.2.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of AGD’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.2.3.

Table 3.2.3: Key areas of financial statements risk

Relevant financial statements line item: Departmental, rendering of services ($152.8 million) and goods and services receivables (a component of trade and other receivables $202.1 million)
Key area of risk: Accuracy of the Australian Government Solicitor’s (AGS) revenue, and the accuracy and completeness of AGS trade receivables, from rendering of services
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • the value and timing of revenue recognition is determined with reference to time recorded on various Australian Government Solicitor matters, the completion and recovery of matters and the valuation of work-in-progress at year-end is subject to management judgement.

Source: ANAO 2022–23 risk assessment, and AGD’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.2.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to cash management, departmental revenue, supplier expenses and human resources.

3.2.9 The ANAO’s planned interim audit procedures included testing of IT general and application controls for the AGD’s financial and human resource management information systems. At the conclusion of the 2022–23 interim audit, the ANAO completed testing relating to change management, and backup and recovery. The ANAO is progressing its review of logical access and application controls, including the assessment of implementation of recommendations relating to prior year issues in removing network access.

3.2.10 Audit procedures relating to: the valuation of non-financial assets including administered investments; calculation of employee provisions; and financial statements close processes will be undertaken as part of the planned 2022–23 final audit.

3.2.11 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.2.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
| --- | --- | --- | --- | --- |
| B | 1 | | | 1 |
| Total | 1 | | | 1 |

Unresolved moderate audit finding

User Access Removal

3.2.12 In 2021–22, the ANAO identified weaknesses in processes for removing user access from employees and contractors who have separated from AGD. User accounts were not being removed when there was no longer a business requirement for that access.

3.2.13 AGD developed business processes for manually detecting and investigating access relating to separated users which were implemented in March 2023. AGD has advised it is progressing the implementation of an automated solution. The ANAO will review controls and processes as part of the planned 2022–23 final audit.

Conclusion

3.2.14 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that AGD will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.3 Department of Climate Change, Energy, the Environment and Water

Overview

3.3.1 The Department of Climate Change, Energy, the Environment and Water (DCCEEW) leads and delivers the Government’s agenda across climate change, energy, environment, heritage and water.

3.3.2 On 1 July 2022, an Administrative Arrangements Order took effect which created DCCEEW. DCCEEW received the following functions:

  • the water and environment function from the former Department of Agriculture, Water and the Environment (DAWE);
  • the energy and climate change functions from the former Department of Industry, Science, Energy and Resources and the Department of Foreign Affairs and Trade;
  • water infrastructure and the National Water Grid Authority from the former Department of Infrastructure, Transport, Regional Development and Communications.

3.3.3 The Administrative Arrangements Order which took effect on 14 October 2022 added Carbon capture utilisation and storage policies and programs to the matters dealt with by DCCEEW.

3.3.4 Figure 3.3.1 and Figure 3.3.2 below show the 2022–23 departmental and administered financial statements items reported by DCCEEW and the key areas of financial statements risk.

Figure 3.3.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DCCEEW’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.3.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DCCEEW’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.3.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DCCEEW’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DCCEEW’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.3.6 In light of the key areas of risk and the ANAO’s understanding of the operations of DCCEEW, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high. This risk rating reflects the nature of the maturing system of internal control supporting financial management and the complexity of the preparation of the financial statements following the establishment of DCCEEW on 1 July 2022.

Key financial statements items

3.3.7 Annual appropriation funding[84] of $950.3 million (departmental) and $3,437.5 million (administered) was provided to DCCEEW in 2022–23 to support the achievement of the entity’s outcomes.[85] DCCEEW was also budgeted to receive special appropriation funding of $71,000.[86]

3.3.8 Table 3.3.1 and Table 3.3.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.3.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 947.7 | 2,550.3 |
| Employee benefits | 270.8 | |
| Suppliers | 558.4 | 378.1 |
| Depreciation and amortisation | 95.2 | 7.8 |
| Finance costs | 20.4 | |
| Grants | 2.5 | 1,639.0 |
| Payment to corporate entities | | 525.4 |
| Other | 0.4 | |
| Total own-source income | 36.0 | 99.1 |
| Sale of goods and rendering of services | 24.7 | |
| Other revenue | 8.9 | |
| Interest | | 3.2 |
| Other gains | 2.3 | |
| Dividends | | 58.4 |
| Other | 0.1 | 37.5 |
| Net (cost of) services | (911.7) | (2,451.2) |

Source: DCCEEW’s budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.3.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 1,389.3 | 38,507.2 |
| Cash and cash equivalents | 10.1 | 14,610.2 |
| Trade and other receivables | 253.9 | 16.2 |
| Land and buildings | 187.5 | 0.6 |
| Property and equipment | 758.8 | 609.1 |
| Intangibles | 91.6 | 4,075.5 |
| Heritage and cultural | 72.5 | 1.0 |
| Inventories | 10.2 | 24.9 |
| Investments | | 19,169.6 |
| Other | 4.7 | 0.1 |
| Total liabilities | 648.5 | 185.5 |
| Grants | | 43.6 |
| Suppliers payable | 37.0 | 93.5 |
| Other payables | 21.7 | 0.5 |
| Interest bearing liabilities | 9.3 | |
| Employee provisions | 103.3 | |
| Other provisions | 477.2 | 47.9 |
| Net assets | 740.8 | 38,321.7 |

Note: DCCEEW’s estimated average staffing level for 2022–23 is 2,408.

Source: DCCEEW’s budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.3.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of DCCEEW’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.3.3.

Table 3.3.3: Key areas of financial statements risk

Relevant financial statements line item: Departmental: Antarctic solid waste disposal sites and Antarctic regions provision (a component of other provisions $477.2 million)
Key area of risk: Valuation of the Antarctic restoration provision; KAM
Audit risk rating: Higher
Factors contributing to risk assessment:
  • nature of the Australian Government’s obligations under the Madrid Protocol to maintain and remediate the impact of operations in Antarctica;
  • complex mathematical model with a number of inputs and data sources; and
  • the provision is subject to increased judgement and estimation, particularly relating to discount rates, escalation factors, asset replacement costs, dismantling costs and useful lives.

Relevant financial statements line item: Departmental and administered: all financial statements line items
Key area of risk: Machinery of Government changes, particularly the valuation and reporting of assets and liabilities transferred to DCCEEW as a result of these changes
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • significance of assets, liabilities, revenue and expenses transferred from the Department of Agriculture, Fisheries and Forestry (DAFF), the Department of Industry, Science and Resources and other entities to DCCEEW which will increase the complexity of the financial statements preparation process; and
  • complexity and number of financial management information systems which contain information that will support the preparation of the financial statements.

Relevant financial statements line item: Administered: water entitlements (a component of intangibles $4,075.5 million)
Key area of risk: Valuation of water entitlements assets; KAM
Audit risk rating: Higher
Factors contributing to risk assessment:
  • significant judgement in the estimation of the value and impairment of water entitlements that is impacted by factors including the maturity and assessment of the water market; and
  • reliance on third parties for the provision of information to support the valuation.

Relevant financial statements line item: Administered: investments $19,169.6 million
Key area of risk: Valuation of the Australian Government’s investment in Snowy Hydro Limited; KAM
Audit risk rating: Higher
Factors contributing to risk assessment:
  • complex discounted cash flow models that require judgement in the selection of assumptions and inputs, including estimated future cash flows, weighted average cost of capital, terminal values and discount rates that are based on primarily unobservable data;
  • the significance of the balance of administered investments to the financial statements.

Relevant financial statements line item: Administered: grants $1,639.0 million; grants payable $43.6 million
Key area of risk: Occurrence and accuracy of grants payments and subsidies
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • complex, significant and diverse range of grant programs that include a number of different administrative and legislative arrangements and conditions which impact payments; and
  • level of subjectivity and judgement applied in determining whether a recipient meets eligibility and funding milestone requirements.

Source: ANAO 2022–23 risk assessment, and DCCEEW’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.3.10 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to revenue and receivables, suppliers’ expenses, employee benefits, non-financial assets, grants and subsidies and the Natural Heritage Trust of Australia Account. Interim audit coverage also included an assessment of IT general controls, including security and change management processes relevant to the financial and human resources management information systems.

3.3.11 At the conclusion of the interim audit, procedures relating to MoG changes had not been completed. At the time of finalising the ANAO’s interim audit, DAFF and DCCEEW had not finalised their agreement on the assets and liabilities to be transferred between the entities. Audit procedures relating to this key area of risk will be undertaken as part of the 2022–23 final audit.

3.3.12 Audit procedures relating to appropriations and special accounts, lease liabilities, the Antarctic solid waste disposal sites and Antarctic regions provisions, water entitlements and recognition of joint operations (Living Murray Initiative and River Murray Operations) will be undertaken as part of the planned 2022–23 final audit.

3.3.13 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.3.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
|---|---|---|---|---|
| B | 1 (a) | 1 | | 2 |
| Total | 1 | 1 | | 2 |

Note a: The moderate audit finding relating to FMIS Privileged user access management was first reported to the former Department of Agriculture, Water and the Environment as part of the 2021–22 financial statements audit. DAFF transferred the administrative responsibility for the SAP Financial Management Information System (FMIS) to DCCEEW in February 2023. Prior to February 2023 DAFF was responsible for the FMIS. The finding was not resolved by DAFF and the audit finding has now transferred to DCCEEW.

New moderate audit finding
SAP FMIS user access provisioning and removal of user access

3.3.14 The provisioning and removal of access to the FMIS relies on a mix of automated and manual controls that are supported by information provided by DCCEEW’s IT shared service provider DAFF. Prior to February 2023 SAP was administered by DAFF. The effective operation of these controls would ensure that users only have access to functions and transactions within the FMIS that are appropriate to their role. User accounts should be removed or updated when there is no longer a business requirement for access after this date.

3.3.15 The ANAO identified instances where user access was not removed in a timely manner following a user’s termination and where users had access to functions and roles within the FMIS that were not relevant to their position. The ANAO recommended that DCCEEW develop risk-based monitoring controls to confirm user access and role assignments are appropriate and that user access is removed in a timely manner.

3.3.16 The ANAO will confirm the implementation and effective operation of the monitoring of user access provisioning and removal by DCCEEW as part of the 2022–23 financial statements audit.
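An illustration of the kind of monitoring control recommended in 3.3.15 (and of the separated-user detection described in 3.2.13), added here as an example; it is not ANAO, AGD or DCCEEW code. The account extract, separation list, role names, role baseline and one-day grace period are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical role names: roles ranked first when they appear in a finding.
HIGH_RISK_ROLES = frozenset({"FI_VENDOR_MAINTAIN", "FI_PAYMENT_RUN", "BASIS_ADMIN"})

# Hypothetical baseline: the roles each position is expected to hold.
ROLE_BASELINE = {
    "Accounts Payable Officer": frozenset({"FI_INVOICE_ENTRY", "FI_DISPLAY"}),
    "Payments Manager": frozenset({"FI_PAYMENT_RUN", "FI_DISPLAY"}),
    "Grants Officer": frozenset({"FI_DISPLAY"}),
}


@dataclass(frozen=True)
class Account:
    user_id: str
    position: str
    roles: frozenset
    active: bool


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str
    detail: str
    high_risk: bool


def review_access(accounts, separations, baseline, as_at, grace_days=1):
    """Reconcile a system account extract against HR separations and a role baseline.

    separations maps user_id -> separation date (from the HR system).
    grace_days is an assumed tolerance for 'timely' removal; the report sets none.
    """
    findings = []
    for acct in accounts:
        separated_on = separations.get(acct.user_id)
        if separated_on is not None and separated_on <= as_at:
            days_since = (as_at - separated_on).days
            if acct.active and days_since > grace_days:
                findings.append(Finding(
                    acct.user_id, "ACCESS_NOT_REMOVED",
                    f"account still active {days_since} days after separation",
                    bool(acct.roles & HIGH_RISK_ROLES)))
            continue  # a separated user needs no role check
        if not acct.active:
            continue
        expected = baseline.get(acct.position)
        if expected is None:
            # No baseline to compare against: route to manual review.
            findings.append(Finding(
                acct.user_id, "NO_BASELINE",
                f"position {acct.position!r} has no role baseline",
                bool(acct.roles & HIGH_RISK_ROLES)))
            continue
        excess = acct.roles - expected
        if excess:
            findings.append(Finding(
                acct.user_id, "ROLE_NOT_RELEVANT",
                "roles outside baseline: " + ", ".join(sorted(excess)),
                bool(excess & HIGH_RISK_ROLES)))
    # Risk-based ordering: high-risk findings first, then by user id.
    return sorted(findings, key=lambda f: (not f.high_risk, f.user_id))


def run_sample():
    """Run the review over a constructed extract (not real data)."""
    accounts = [
        Account("u1001", "Accounts Payable Officer",
                frozenset({"FI_INVOICE_ENTRY", "FI_DISPLAY"}), True),
        Account("u1002", "Accounts Payable Officer",
                frozenset({"FI_INVOICE_ENTRY", "FI_VENDOR_MAINTAIN"}), True),
        Account("u1003", "Payments Manager", frozenset({"FI_PAYMENT_RUN"}), True),
        Account("u1004", "Grants Officer", frozenset({"FI_DISPLAY"}), False),
        Account("u1005", "Grants Officer", frozenset({"FI_DISPLAY"}), True),
        Account("u1006", "Contractor", frozenset({"FI_DISPLAY"}), True),
        Account("u1007", "Grants Officer",
                frozenset({"FI_DISPLAY", "FI_INVOICE_ENTRY"}), True),
    ]
    separations = {
        "u1003": date(2023, 3, 3),    # left weeks ago, account still active
        "u1004": date(2023, 3, 10),   # left, account already disabled
        "u1005": date(2023, 3, 30),   # left yesterday, inside the grace period
    }
    return review_access(accounts, separations, ROLE_BASELINE, date(2023, 3, 31))


if __name__ == "__main__":
    for f in run_sample():
        print("HIGH" if f.high_risk else "low ", f.user_id, f.kind, "-", f.detail)
```

Running the same reconciliation on a schedule and retaining its output gives evidence that the review was actually performed for each period.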

Unresolved moderate audit finding
SAP FMIS privileged user management

3.3.17 This finding was first reported to DAWE as part of the ANAO’s audit of the DAWE’s 2021–22 financial statements. During the 2021–22 audit of DAWE’s financial statements, the ANAO identified weaknesses in the effectiveness of monitoring of privileged user activities within the FMIS.

3.3.18 The ANAO identified that audit logs of privileged user activities were not regularly reviewed and that reviews confirming the currency of user access had not been regularly completed. Failure to undertake these reviews increases the risk that erroneous or unauthorised changes to IT systems will not be identified and addressed. The ANAO recommended that DAWE recommence these reviews.

3.3.19 The ANAO identified that reviews of privileged user activities had not been undertaken by DAFF for the period October 2022 to January 2023, or by DCCEEW after February 2023. During this period, reviews confirming the currency of user access were also not fully completed. The ANAO has recommended that DCCEEW finalise the outstanding reviews of privileged user activities and embed a formal process that will support the review being performed in a timely manner. The ANAO will review DCCEEW’s progress in finalising the outstanding reviews during the 2022–23 final audit.

Conclusion

3.3.20 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DCCEEW will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.4 Snowy Hydro Limited

Overview

3.4.1 Snowy Hydro Limited (Snowy Hydro) is a government business enterprise whose primary business includes energy generation activities to supply the National Electricity Market (NEM) and operating as a retail energy provider to over 1.2 million customers through the Red Energy and Lumo Energy brands. Snowy Hydro’s energy generation capacity of more than 5,500 megawatts supplies New South Wales, Victoria and South Australia, primarily through the generation capacity of the Snowy Mountains hydroelectric scheme.

3.4.2 Snowy Hydro is currently progressing Snowy 2.0, a pumped hydro project that will add 2,000 megawatts of on-demand generation and approximately 350,000 megawatt hours of large-scale storage to the NEM. In 2021–22 Snowy Hydro commenced construction of a 660 megawatt open cycle gas turbine power station at Kurri Kurri, New South Wales, known as the Hunter Power Project. The project obtained approval from the NSW Government in December 2021 and environmental approval from the Australian Government in February 2022.

3.4.3 Figure 3.4.1 below shows the 2021–22 financial statements items reported by Snowy Hydro and the key areas of financial statements risk.

Figure 3.4.1: Key financial statements items and areas of financial statements risk

Source: ANAO analysis and Snowy Hydro’s audited financial statements for the year ended 30 June 2022.

3.4.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Snowy Hydro’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Snowy Hydro’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.4.5 In light of the key areas of risk and the ANAO’s understanding of the operations of Snowy Hydro, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.4.6 Snowy Hydro does not receive any annual appropriation funding. The operational functions of Snowy Hydro are funded through own source income. The primary income sources for Snowy Hydro are retail revenue which arises from the supply of electricity and gas to customers through the Red and Lumo energy brands and wholesale revenue arising from the generation and supply of electricity to the NEM. Snowy Hydro is accessing a mix of private debt funding and equity injections from the Australian Government to fund the construction and delivery of the Snowy 2.0 and Hunter Power projects.

3.4.7 Table 3.4.1 and Table 3.4.2 below provide a summary of the key items from the 2021–22 audited financial statements.

Table 3.4.1: Key expenses and total own-sourced income

| Expenses and own-source income | Actual ($m) 2021–22 |
|---|---|
| Total expenses | 3,256.9 |
| Direct costs of revenue | 2,660.1 |
| Depreciation and amortisation | 155.0 |
| Employee benefits | 228.7 |
| Impairment loss on trade receivables | 20.5 |
| Net finance costs | 18.7 |
| Other | 173.9 |
| Total income | 3,677.5 |
| Revenue | 3,499.4 |
| Other income | 23.1 |
| Changes in the fair value of financial instruments | 155.0 |
| Profit before income tax | 420.6 |
| Income tax expense | 125.8 |
| Profit after income tax | 294.8 |

Source: Snowy Hydro’s 2021–22 audited financial statements.

Table 3.4.2: Key assets and liabilities

| Assets and liabilities | Actual ($m) 2021–22 |
|---|---|
| Total assets | 8,953.8 |
| Cash and cash equivalents | 74.0 |
| Trade and other receivables | 636.7 |
| Other financial assets | 1,955.5 |
| Deferred tax assets | 56.8 |
| Property, plant and equipment | 5,222.5 |
| Goodwill and other intangible assets | 502.0 |
| Other | 506.3 |
| Total liabilities | 5,078.9 |
| Trade and other payables | 842.3 |
| Interest bearing liabilities | 2,774.3 |
| Other financial liabilities | 1,276.0 |
| Other | 186.3 |
| Net assets | 3,874.9 |

Note: Snowy Hydro’s staffing level at 30 June 2022 was 1,726 including non-ongoing contractors as reported in the 2021–22 annual report.

Source: Snowy Hydro’s 2021–22 audited financial statements.

Key areas of financial statements risk

3.4.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Snowy Hydro’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.4.3.

Table 3.4.3: Key areas of financial statements risk

Relevant financial statements line item: Other financial assets $1,955.5 million; other financial liabilities $1,276.0 million; changes in the fair value of financial instruments $155.0 million; increase in other comprehensive income $453.3 million
Key area of risk: Valuation of financial instruments; KAM
Audit risk rating: Higher
Factors contributing to risk assessment:
  • increased level of management judgement required to determine fair value of derivative contracts which are underpinned by complex data models to calculate financial instrument values;
  • valuation process requires the use of observable and unobservable inputs to calculate fair value. The nature and uniqueness of some energy market derivatives recognised by Snowy Hydro requires an increased level of judgement to determine unobservable valuation model inputs; and
  • the valuation of financial instruments is sensitive to inputs such as electricity prices, electricity supply volumes and market data such as interest and exchange rates.

Relevant financial statements line item: Property, plant and equipment (a component of $3,358.3 million construction in progress balance)
Key area of risk: Capitalisation of work in progress for Snowy 2.0; KAM
Audit risk rating: Higher
Factors contributing to risk assessment:
  • Snowy 2.0 is a complex infrastructure project delivered over a number of financial periods; and
  • judgement applied by Snowy Hydro in determining which costs associated with project establishment and delivery meet the relevant technical requirements for capitalisation.

Relevant financial statements line item: Trade and other receivables $636.7 million (includes unbilled receivable of $265.9 million); allowance for doubtful debts $64.7 million
Key area of risk: Completeness and accuracy of the impairment of retail debtors; KAM
Audit risk rating: Higher
Factors contributing to risk assessment:
  • level of judgement applied by management in determining the estimate of expected lifetime credit loss on trade and other receivables. Management is required to consider the economic impact of external events in making these judgements which increases estimation uncertainty.

Relevant financial statements line item: Environmental certificate assets $92.0 million
Key area of risk: Valuation of renewable energy certificates
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • increased level of judgement applied by Snowy Hydro in determining the appropriate accounting treatment for renewable energy certificates and the valuation at balance date.

Relevant financial statements line item: Unbilled revenue receivable $265.9 million
Key area of risk: Valuation and existence of unbilled retail revenue
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • estimation required due to services provided not yet billed arising from timing of electricity meter reads for customers and the date of preparing the financial statements; and
  • estimation process involves increased management judgement underpinned by a complex data model with a number of inputs, significant number of customers and data sources.

Relevant financial statements line item: Capitalised customer acquisition costs $71.6 million (a component of $502.0 million goodwill and other intangible assets); amortisation expense $35.0 million
Key area of risk: Valuation of customer acquisition costs
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • level of management judgement applied in determining which costs outlaid to acquire retail customers meet the relevant technical requirements for capitalisation; and
  • complexity of estimation process and judgement applied to determine an appropriate amortisation rate reflective of the expected time a customer will continue to procure services from Snowy Hydro.

Relevant financial statements line item: Goodwill $383.2 million (a component of $502.0 million goodwill and other intangible assets)
Key area of risk: Valuation and impairment of non-financial assets
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • the impairment estimation process is complex and judgemental due to the nature of the impairment model which requires assumptions to be made related to future cash flows and discount rates.

Relevant financial statements line item: Property, plant and equipment (a component of $3,358.3 million construction in progress balance)
Key area of risk: Capitalisation of work in progress for the Hunter Power Project
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • judgement applied by Snowy Hydro in determining which costs associated with project establishment and delivery meet the relevant technical requirements for capitalisation.

Relevant financial statements line item: Interest bearing liabilities $2,774.3 million
Key area of risk: Debt facility and covenant compliance
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • Snowy Hydro is accessing a mix of private debt funding and equity injections from the Australian Government to fund the construction and delivery of the Snowy 2.0 and Hunter Power projects. Some of these funding arrangements contain covenants that must be complied with.

Source: ANAO 2022–23 risk assessment, and Snowy Hydro’s audited financial statements for the year ended 30 June 2022.

3.4.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audit reports were tabled during 2022–23 relevant to the financial management or administration of Snowy Hydro.

Audit results

3.4.10 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: retail and generation billing revenue and receivables; purchase to pay; treasury; renewable energy certificates; financial reporting; and payroll.

3.4.11 Audit procedures relating to IT general and application controls, assessment of controls relating to non-financial assets and substantive testing on all material financial statements line items will be undertaken as part of the planned 2022–23 final audit. This will include audit procedures to test material accounting estimates made by Snowy Hydro, relating to the key areas of financial risk: valuation of financial instruments; capitalisation of customer acquisition costs; valuation of unbilled electricity revenue receivable; valuation of renewable energy certificates; impairment of goodwill; and impairment of trade and other receivables.

3.4.12 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.[87]

Conclusion

3.4.13 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Snowy Hydro will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.5 Department of Defence

Overview

3.5.1 The Department of Defence is responsible for protecting and advancing Australia’s strategic interests through the promotion of security and stability; the provision of military capabilities to defend Australia and its national interests; and the provision of support for the Australian community and civilian authorities as directed by the Australian Government.

3.5.2 Figure 3.5.1 and Figure 3.5.2 below show the 2022–23 departmental and administered financial statements items reported by Defence and the key areas of financial statements risk.

Figure 3.5.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Defence’s budget estimate as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.5.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Defence’s budget estimate as reported in the 2022–23 Portfolio Budget Statements.

3.5.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Defence’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Defence’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.5.4 In light of the key areas of risk and the ANAO’s understanding of the operations of Defence, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high.

Key financial statements items

3.5.5 Annual appropriation funding of $47,362.3 million (departmental) was provided to Defence in 2022–23 to support the achievement of the entity’s outcomes.[88] Defence was also budgeted to receive special appropriation funding of $3,650.9 million.[89]

3.5.6 Table 3.5.1 and Table 3.5.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.5.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget estimate ($m) 2022–23 | Administered budget estimate ($m) 2022–23 |
|---|---|---|
| Total expenses | 40,740.6 | 9,606.3 |
| Employee benefits | 13,025.4 | |
| Suppliers | 19,567.3 | |
| Grants | 42.1 | |
| Depreciation and amortisation | 6,324.8 | |
| Finance costs | 101.4 | |
| Write-down and impairment of assets | 1,277.4 | |
| Military superannuation benefits | | 9,466.0 |
| Expenses in relation to Defence Trusts and Joint Accounts | 399.1 | |
| Other | 3.1 | 140.3 |
| Total own-source income | 1,946.5 | 1,256.9 |
| Sale of goods and rendering of services | 315.3 | |
| Revenue in relation to Defence Trusts and Joint Accounts | 399.1 | |
| Other revenue | 262.7 | |
| Reversals of previous asset write-downs | 602.7 | |
| Military superannuation contributions | | 1,123.9 |
| Net gains from sale of assets | 13.4 | |
| Other | 353.3 | 133.0 |
| Net (cost of) services | (38,794.1) | (8,349.4) |

Source: Defence’s budget estimate as reported in the 2022–23 Portfolio Budget Statements.

Table 3.5.2: Key assets and liabilities

| Assets and liabilities | Departmental budget estimate ($m) 2022–23 | Administered budget estimate ($m) 2022–23 |
|---|---|---|
| Total assets | 136,183.0 | 3,285.4 |
| Cash and cash equivalents | 756.9 | |
| Trade and other receivables | 167.1 | 133.7 |
| Tax assets | 392.1 | |
| Appropriation receivable | 1,095.6 | |
| Other receivables | 830.9 | |
| Investments accounted for using the equity method | | 3,105.1 |
| Specialist military equipment | 86,847.1 | |
| Intangibles | 2,500.1 | |
| Land and buildings | 24,134.2 | |
| Infrastructure, plant and equipment | 8,811.0 | |
| Heritage and cultural | 406.0 | |
| Inventories | 8,228.1 | |
| Prepayments | 1,853.3 | 46.6 |
| Other | 160.6 | |
| Total liabilities | 13,294.2 | 118,061.7 |
| Suppliers | 4,717.9 | |
| Other payables | 1,118.9 | 1.3 |
| Leases | 2,930.5 | |
| Employee provisions | 3,233.7 | 118,060.4 |
| Restoration, decontamination and decommissioning provisions | 1,009.0 | |
| Other | 284.2 | |
| Net assets/(liabilities) | 122,888.9 | (114,776.3) |

Note: Defence’s estimated average staffing level for 2022–23 is 79,054.

Source: Defence’s budget estimate as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.5.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Defence’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.5.3.

Table 3.5.3: Key areas of financial statements risk

Relevant financial statements line item

Key area of risk

Audit risk rating

Factors contributing to risk assessment

Departmental

specialist military equipment

$86,847.1 million

Accuracy and valuation of specialist military equipment (SME)

KAM (valuation)

Higher

  • the high degree of judgement applied by management to measure SME at fair value due to the highly specialised nature of these assets;
  • the subjectivity in the valuation assessment due to the difficulty in obtaining the replacement costs of assets with a similar capability in the absence of an active market, the selection and application of appropriate indices, the determination and assessment of appropriate useful lives, and the identification of indicators of impairment; and
  • the complexity and high degree of judgement in the cost attribution model that allocates accumulated capitalised costs on large scale acquisition projects between individual platform assets, associated spares and inventory.

Departmental

inventories

$8,228.1 million

Existence and completeness of inventory balances (including explosive ordinance, fuel and general stores inventory)

KAM

Moderate

  • variety and number of inventory items which are managed differently across a large number of geographically dispersed locations and through a number of IT systems.

Departmental

land and buildings

$24,134.2 million

infrastructure, plant and equipment

$8,811.0 million

heritage and cultural

$406.0 million

Accuracy and valuation of general assets

Moderate

  • high degree of management judgement required in respect of classifying project costs as capital or expense and the selection of valuation methods to measure fair value;
  • the valuation of Defence’s land, buildings, infrastructure, plant and equipment and heritage and cultural assets being dependent on assumptions that require significant management judgement. These include capitalisation rates, current replacement costs, discount rates, and conditions of the assets. Where observable market data is not available, the valuation is subject to a higher level of judgement; and
  • the subjectivity in determining appropriate useful lives and the assessment of the financial impact of indicators of impairment.

Administered

employee provisions

$118,060.4 million

Accuracy, valuation and disclosure of employee provisions

KAM

Higher

  • the measurement of the provision being complex, requiring significant professional judgement in the selection of key long-term assumptions (including such matters as salary growth and discount rates, pension indexation rate, pension take-up rate and invalidity requirements) to which the valuation of these plans is highly sensitive; and
  • detailed disclosure requirements for the presentation and disclosure of defined benefit plans.

Note: A moderate audit finding has been reported in respect of the application and documentation of judgements applied in determining the fair value of specialist military equipment.

Source: ANAO 2022–23 risk assessment, and Defence’s budgeted financial statements for the year ended 30 June 2023.

3.5.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2022–23 relevant to the financial management or administration of Defence:

  • Auditor-General Report No. 7 2022–23 Defence’s Administration of the Integrated Investment Program; and
  • Auditor-General Report No. 12 2022–23 Major Projects Report.

3.5.9 The observations of these reports were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement. No significant changes were made to the designed audit procedures for the financial statements audit.

Audit results

3.5.10 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: IT general controls over the financial management information system and human resources information management system, as well as the testing of the operating effectiveness of the controls implemented to confirm the existence and completeness of inventory. Additionally, the ANAO has assessed Defence’s progress on addressing the moderate audit findings discussed below.

3.5.11 Audit procedures relating to 30 June 2023 balances for SME, general assets and administered employee provisions will be undertaken as part of the planned 2022–23 final audit.

3.5.12 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.5.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
|---|---|---|---|---|
| B | 4 | 1 (a) | | 5 |
| Total | 4 | 1 | | 5 |

Note a: The minor audit finding relating to user access removal was identified during the 2021–22 audit. This audit finding has been reclassified to a moderate audit finding.

New moderate audit finding
User access removal

3.5.13 As part of interim audit testing, the ANAO identified instances where user accounts had not been locked when a user departed Defence and instances where users had logged into the system after separation from Defence. Defence advised that delays in the termination process may be responsible for the issues identified. Defence is undertaking a review of the nature of post termination access to determine if any of the access related to high-risk activities after termination.

3.5.14 The ANAO recommended that Defence implement controls to improve the timeliness of the termination process to ensure user access is removed when there is no longer a business requirement for the access. The ANAO also recommended Defence implement a process to detect and investigate post termination access, and undertake any remedial action required.

Unresolved moderate audit findings
Valuation of SME using the cost attribution model

3.5.15 To support its primary outcomes, Defence undertakes a number of high value and complex equipment acquisition projects that span multiple financial years. Judgement is applied to allocate capitalised costs between individual platform assets, associated spares and inventory. As at 30 June 2022, the reported value of SME assets under construction was $18.6 billion.

3.5.16 Defence uses a cost attribution model (referred to by Defence as the Asset Valuation Model) to capture costs against applicable projects for SME assets under construction. The model uses a methodology to allocate project costs across the deliverables associated with the project. The Asset Valuation Model (AVM) is maintained in an Excel spreadsheet and captures costs across the life cycle of the project, against multiple contracts and variations, many of which are recorded in a foreign currency. The AVM captures both budgeted and actual costs.

3.5.17 The ANAO evaluated the AVM and approval of cost allocations related to SME assets under construction. The ANAO identified internal control weaknesses in the methodology used by Defence. These included:

  1. limited policies and procedures outlining the approach to developing, maintaining, and recording transactions against the AVM;
  2. the use of Excel spreadsheets to record the AVM transactions, which have no evidenced controls or protection to prevent the accidental editing or deletion of data; and
  3. limited quality assurance mechanisms that could be relied upon to provide assurance over the asset allocations derived from the AVM.

Additionally, the ANAO noted that Defence does not capture employee-related costs as part of its asset under construction projects and that there were no systems or processes in place to identify the time spent by officers on specific projects. The ANAO’s analysis of project employee costs estimated this to understate asset capitalisations by $62.7 million in 2021–22.

3.5.18 The weaknesses noted increase the risk that the valuation of SME assets under construction and the associated depreciation expense are misstated in the financial statements.

3.5.19 The ANAO recommended that Defence:

  1. consider the development of an IT solution to transition project management from Excel spreadsheets or consider ways to implement controls to reduce the risks associated with unintended or unauthorised changes to the spreadsheets;
  2. develop guidelines, policies and procedures to assist project managers with the development, maintenance and recording of transactions associated with the cost attribution model. The guidelines should also aim to increase consistency across projects, where appropriate;
  3. implement quality assurance processes to provide assurance for financial reporting purposes;
  4. develop and implement a year-end close process to ensure that projects are up to date and complete for reporting as at 30 June. This should include examining the appropriateness of using budget figures to adjust asset roll-out costs; and
  5. consider implementing a time recording system to capture employee costs associated with each project. Costs should be capitalised to projects in accordance with AASB 116 Property, Plant and Equipment.

3.5.20 Defence has continued to make progress in addressing the ANAO’s recommendations, including through:

  • revising its suite of policies and procedures governing SME project financial management across the Department and implementing the Defence Project Accounting Manual (DPAM) with effect from 1 July 2022. The DPAM will apply to all capital projects, and is being progressively applied to existing projects;
  • mandating that all projects will apply a standardised Project Capitalisation Plan that will capture the accounting judgements and arrangements underpinning the financial management of the project, the core deliverables, including the cost allocation methodology applicable to rolled out assets, and a budget management plan;
  • implementing new compliance requirements and developing a user guide to capture roles and responsibilities to ensure a consistent methodology across projects;
  • engagement of an external provider to perform compliance activities over projects. The ANAO has been advised that no significant issues have been identified, but almost half of projects reviewed were missing required documentation. Defence is providing further communication to project managers about the importance of maintaining proper documentation; and
  • consideration of the implementation of a time recording system to capture employee costs associated with each project. Defence has advised that new functionality will be considered as part of the Defence ERP implementation that will support the reporting of APS and ADF workforce costs that can be capitalised as part of non-financial assets. For 2022–23, Defence will continue to estimate its employee costs using a manual process.

3.5.21 The ANAO will continue to review Defence’s progress in implementing the DPAM as well as the remediation and quality assurance activities being undertaken across SME assets under construction projects as part of the planned 2022–23 final audit.

Weaknesses around the governance of ADF health services

3.5.22 The provision of health services to ADF members is managed under a contract with a service provider and includes two broad categories of charges covering off-base and on-base services. As part of the 2020–21 audit, the ANAO identified weaknesses associated with the processes implemented by Defence to confirm the accuracy and validity of the service provider’s monthly invoices.

3.5.23 The ANAO recommended Defence:

  1. examine and strengthen the design of processes to provide assurance over the accuracy and validity of the health service payments;
  2. extend assurance activities to include on-base services; and
  3. complete assurance activities in a timely manner and escalate issues to an appropriate level of management to ensure that issues can be dealt with promptly and recoveries initiated where required.

3.5.24 Defence has continued to make progress in addressing the ANAO’s recommendations and advised that it had substantially addressed each recommendation. Work is continuing with the timely completion of assurance activities and Defence continues to update and review the invoicing process to improve the consistency of its processes. Defence is also developing an automated audit tool to support ongoing assurance and compliance work over on-base and off-base services. The ANAO will review Defence’s progress in addressing the recommendations during the planned 2022–23 final audit.

3.5.25 The ADF health services contract is currently subject to a performance audit, which is expected to table in May 2023.

Management of privacy data

3.5.26 Management of personally identifiable data is a responsibility of all Australian Government entities subject to the Privacy Act 1988. Under the Act, various supplementary directions such as the Australian Government Agencies Privacy Code (the Code) and the Australian Privacy Principles (APP) define an entity’s responsibility around the collection, use, storage and disclosure of personal information.

3.5.27 As part of the 2020–21 audit, the ANAO reviewed Defence’s privacy framework and observed that:

  1. significant programs related to the management of personally identifiable information were outdated or scheduled for reviews that had not yet occurred;
  2. privacy impact assessments were not stored in an accessible format and were not searchable to discover known risks and impacts;
  3. there was no consistent data dictionary or data governance applied to allow for the discovery of specific data types across disparate applications and networks;
  4. information on historical data breaches was inconsistent across Defence, with no central repository or register to report against strategic risks; and
  5. compliance activities to ensure Defence was meeting the requirements were either not able to be performed or were not performed in a timely manner.

3.5.28 Defence was unable to provide evidence that personally identifiable information was being managed appropriately. The ANAO also identified that Defence had limited ability to discover systems that contain information that would be classified as personally identifiable information, as well as no systematic method for tracking changes, access or distribution of personally identifiable information. These weaknesses increase the risk that privacy data may be accessed or modified by those without authorisation to do so, and discovery of this inappropriate activity may not be timely or accurate.

3.5.29 The ANAO recommended that Defence:

  • review its data governance framework and address control weaknesses surrounding the collection, use, storage and disclosure of personal information;
  • establish a digital repository to index or record the locations, types of data, systems and other critical information relating to the management of personally identifiable information; and
  • report regularly against compliance and application of the Privacy Policy as well as key indicators from the Code and APPs.

3.5.30 Defence has developed a range of support materials to assist Defence’s groups and services with the collection, use and storage of privacy data. Defence has also developed training which is expected to roll out to Defence staff and contractors during 2023. Defence also advised that it continues to make progress in addressing the ANAO’s recommendations through:

  • an Interim Data Asset Register that has been developed, containing over 350 data assets from the majority of Defence’s groups and services, and will help inform the design phase of an Enterprise solution which is being developed as part of the One Defence Data project currently underway;
  • adoption of the Office of the Australian Information Commissioner’s Privacy Management Plan framework; and
  • a planned assessment of the privacy landscape within Defence, the outcome of which will be reported to Defence’s Executive.

The ANAO will review evidence provided by Defence during the 2022–23 final audit.

Weaknesses around the disposal of assets and inventory

3.5.31 During 2018–19, Defence was unable to provide appropriate documentation in a timely manner in relation to the disposal of buildings. In 2019–20 and 2020–21, the ANAO found examples of asset disposals occurring in the IT system after the physical disposal of the asset. During 2021–22, the ANAO continued to observe issues relating to the timeliness of asset disposals. Examples where the disposal process was not undertaken in a timely manner included:

  1. assets that were gifted to the Ukraine government were disposed of before the disposal paperwork had been formally completed and approved and the assets had not been removed from the asset register;
  2. Bushmasters that were destroyed prior to the sign-off of the disposal paperwork, and a number of Bushmasters that were not removed from the asset register until six months after their disposal; and
  3. an aircraft that was written off in October 2021, but was still recorded as an asset as at 30 June 2022.

The Defence Finance Group was required to perform manual interventions to ensure the accounting records had been appropriately updated as the disposals process was delayed.

3.5.32 Defence has advised it is investigating a range of solutions from improving communication and education within its service groups and the possibility of an automated IT solution to assist with improving the timeliness of completing disposal paperwork and the removal of assets from the asset register. Defence has advised that assets gifted to the Ukraine government and Bushmasters have now been removed from the asset register. The ANAO will review Defence’s progress in addressing the weaknesses previously identified during the 2022–23 final audit.

Conclusion

3.5.33 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Defence will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

Comments on non-material entities in the Defence Portfolio relating to the 2021–22 financial statements audits

Army and Air Force Canteen Service

3.5.34 The Army and Air Force Canteen Service (AAFCANS) was established to provide goods, facilities and services to members of the Defence community. AAFCANS operates food services and facilities on 27 Army and Air Force bases and joint Australian Defence Force facilities throughout Australia.

3.5.35 The 2021–22 financial statements audit was delayed because a number of emerging issues were identified across the entity by the ANAO.

Audit results

3.5.36 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.5.5: Status of audit findings raised by the ANAO

| Category | Closing position (2020–21) | New findings (2021–22) | Findings resolved (2021–22) | Closing position (2021–22) |
|---|---|---|---|---|
| A | | 1 | | 1 |
| B | | 1 | | 1 |
| L1 | | 1 | | 1 |
| Total | | 3 | | 3 |

New significant audit finding
Key management personnel disclosures

3.5.37 Key management personnel (KMP) disclosures are required in the financial statements in accordance with AASB 124 Related Party Disclosures and the Financial Reporting Rule (FRR). The KMP note disclosure is considered material by nature. In addition to the disclosures in the financial statements, entities are also required to include executive remuneration disclosures in the annual report in accordance with RMG 138 Commonwealth Entities’ Executive Reporting Guide for Annual Reports.

3.5.38 In the lead up to the final audit phase, the ANAO identified a number of material misstatements in the 2020–21 KMP disclosures. The misstatements included:

  • seven senior executives who were not responsible for planning, directing and controlling the activities of the entity;
  • five non-executive directors on the Board who were incorrectly excluded from the note disclosure;
  • the acting chief executive officer’s remuneration for the period from September to December 2020 was incorrectly excluded from the note disclosure; and
  • errors were identified in the calculation of remuneration paid to the former and current Managing Directors.

3.5.39 In addition, the ANAO identified:

  • that two current Board members had not been validly appointed under the Army and Air Force (Canteen) Regulation 2016;
  • an overpayment of termination benefits was made to the former Managing Director;
  • a performance bonus was approved by the Board to a key management personnel despite key performance indicators not being met; and
  • the executive remuneration tables and remuneration policies required to be disclosed in the Annual Report under RMG 138 Commonwealth Entities’ Executive Reporting Guide for Annual Reports had not been disclosed.

3.5.40 These errors resulted in a significant restatement of the key management personnel note disclosure and the inclusion of narrative disclosures to explain the changes to the note. The ANAO has made recommendations to AAFCANS in relation to policies and procedures that should be in place to reduce the risk of future misstatements occurring.

3.5.41 The asset revaluation reserve could not be reconciled, and AAFCANS could not determine whether there was sufficient reserve to record the revaluation decrements against the relevant class of asset. The decrements were recorded through profit and loss, with only the increments recorded in the asset revaluation reserve. In addition, AAFCANS was not applying the financial framework correctly as the majority of its assets were held at cost less accumulated depreciation, despite a decision by management to apply a revaluation model to its property, plant and equipment.

New significant legislative breach
Breach of section 41 of the PGPA Act

3.5.42 The PGPA Act confers on accountable authorities various responsibilities and powers to promote high standards of accountability and performance. They are also responsible for the financial management of the entity and compliance with reporting requirements. Section 41 of the PGPA Act requires entities to maintain accounts and records that properly explain the entity’s transactions and financial position.

3.5.43 The ANAO identified that AAFCANS was unable to produce accounts and records in relation to its asset revaluation reserve. The ANAO recommended AAFCANS implement appropriate controls designed to ensure compliance with the PGPA Act, the FRR and to enable the preparation of the financial statements using information that can be properly supported with accounts and records.

New moderate audit finding
Control weaknesses around the asset revaluation reserve

3.5.44 Commonwealth entities are required to prepare their financial statements in accordance with the Financial Reporting Rule (FRR) and RMG 125 Commonwealth Entities Financial Statements Guide. The FRR at subsection 17(2) requires entities to measure property, plant and equipment at fair value in accordance with AASB 116 Property, Plant and Equipment.

3.5.45 The ANAO identified that AAFCANS did not have a process to reconcile its asset revaluation reserve and was unable to provide a breakdown of the balance by asset class. As a result, AAFCANS did not record its asset valuation adjustments in its general ledger as it was unable to determine whether there was a revaluation reserve in which to offset the revaluation decrement.

3.5.46 The ANAO identified that AAFCANS did not have a process to reconcile its asset revaluation reserve and was unable to provide a breakdown of the balance by asset class. As a result, AAFCANS did not record its asset valuation adjustments in its general ledger as it was unable to determine whether there was a revaluation reserve in which to offset the revaluation decrement. The ANAO requested management undertake work to recreate the asset revaluation reserve so valuation adjustments could be properly recorded.

3.5.47 The ANAO assessed the treatment used by AAFCANS and has accepted the accounting treatment for the 2021–22 financial statements. AAFCANS will undertake additional work to finalise the reconciliation as the closing balance of the reserve will continue to impact future reporting periods.

Emphasis of matter

3.5.48 An Emphasis of Matter paragraph has been included in the 2021–22 auditor’s report to draw users’ attention to the restatement of comparative information presented in relation to Key Management Personnel remuneration due to errors in the disclosure in the prior period.

Royal Australian Air Force Welfare Trust Fund

3.5.49 The Royal Australian Air Force Welfare Trust Fund (the Fund) was established to provide financial assistance to Defence service personnel including concessional loans and grants, and a Group Life Insurance Scheme.

3.5.50 The 2021–22 financial statements audit was delayed because the Fund sought legal advice regarding a potential breach of the Corporations Act in relation to a requirement to hold an AFS licence for an insurance product that the Fund offers to Defence members. It was further delayed while the Fund sought an exemption from ASIC from the requirement to hold an AFS licence. ASIC did not agree that an exemption was appropriate given the Trust Fund already has the benefit of existing ASIC relief from the requirement to hold an AFS licence, which came into effect in 2008. ASIC also advised the Fund that it would not take action against the Fund for failing to hold an AFS licence for the period prior to 2008.

Audit results

3.5.51 The following table summarises the status of audit findings as at the end of the 2021–22 interim audit as reported by the ANAO.

Table 3.5.6: Status of audit findings raised by the ANAO

| Category | Closing position (2020–21) | New findings (2021–22) | Findings resolved (2021–22) | Closing position (2021–22) |
|---|---|---|---|---|
| B | | 1 | | 1 |
| L1 | | 1 | | 1 |
| Total | | 2 | | 2 |

New moderate audit finding
Governance risk

3.5.52 Audit committees are integral to good corporate governance of Commonwealth entities. A good audit committee can significantly assist the accountable authority in meeting their duties and responsibilities under the Public Governance, Performance and Accountability Act 2013 (PGPA Act).

3.5.53 The Fund currently has one Audit Committee member who is a Trustee. Under law, Trustees are responsible for managing the affairs of a Trust. The Services Trust Funds Act 1947 outlines the responsibilities of Trustees.

3.5.54 The Fund does not have employees who are undertaking managerial functions. Instead, the Fund employs staff who perform duties that would be described as clerical or administrative in nature. The staff of the Fund have not been included in the Key Management Personnel note disclosure.

3.5.55 The lack of independence between management, the audit committee and the Board of Trustees presents a governance risk as the Board is performing all functions that would usually be split between these roles. A governance risk may result in inadequate and poorly designed systems of internal control, risks around the financial and performance reporting undertaken by the entity, and non-compliance with relevant laws and regulations. The risk is further exacerbated by the absence of any independent oversight through an internal audit function.

3.5.56 The ANAO recommended that all Trustees who are serving as members of the Audit Committee are replaced with independent officers. The Audit Committee Charter should be updated to reflect that Trustees cannot be appointed to the Audit Committee.

New significant legislative breach
Breaches of the Services Trust Funds Act – loan made to dependant of trustee

3.5.57 The Royal Australian Air Force Welfare Trust Fund was established to provide concessional loans to current and ex-air force personnel to assist with small expenditure items. Interest free loans of up to $5,500 may be approved where eligibility criteria have been met. In accordance with the Services Trust Funds Act 1947, a person who is a Trustee or a dependant of a Trustee of any fund shall not receive benefits from the Fund. A dependant is defined in the Services Trust Funds Act 1947 and includes dependants past and present.

3.5.58 The ANAO identified that a loan of $1,500 (plus a $13.84 contribution fee) had been made to the son of a Trustee. The Trustee’s son also financially contributed to the Fund’s ‘Group Life Scheme’ which provides a payout for untimely death. The Trustee (and his immediate family) are beneficiaries of any payout. Both transactions are in contravention of paragraph 14 of the Services Trust Funds Act 1947, which prohibits a person who is a Trustee or a dependant of a Trustee from receiving benefits from the Fund.

3.5.59 Trustees are key management personnel of the Fund, and the loan made to the son and the potential benefit accruing from the Group Life Scheme both constitute related party transactions requiring disclosure in the financial statements.

3.5.60 The ANAO recommended that the Fund strengthens its policies and procedures to prevent this occurring and ensures that all Trustees and support staff continue to be aware of their obligations under the Services Trust Funds Act 1947. The ANAO also discussed with the Fund the requirement to disclose the transactions as related party transactions in the financial statements. The Fund has appropriately disclosed the transactions.

3.6 Department of Veterans’ Affairs

Overview

3.6.1 The Department of Veterans’ Affairs (DVA) is the primary service delivery entity with responsibility for implementing programs to assist the veteran and ex-service communities, including repatriation, rehabilitation and compensation, and war graves.

3.6.2 DVA is responsible for developing and implementing programs to assist the veteran and ex-service communities. This includes granting pensions, allowances and other benefits, and providing treatment under the Veterans’ Entitlements Act 1986; determining and managing claims relating to defence service under the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988; the administration of benefits and arrangements under the Military Rehabilitation and Compensation Act 2004; administering the Defence Service Homes Act 1918 and the War Graves Act 1980; and conducting commemorative programs to acknowledge the service and sacrifice of Australian servicemen and women.

3.6.3 Figure 3.6.1 and Figure 3.6.2 below show the 2022–23 departmental and administered financial statements items reported by DVA and the key areas of financial statements risk.

Figure 3.6.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DVA’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.6.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DVA’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.6.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DVA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DVA’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.6.5 In light of the key areas of risk and the ANAO’s understanding of the operations of DVA, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.6.6 Annual appropriation funding of $538.1 million (departmental) and $293.3 million (administered) was provided to DVA in 2022–23 to support the achievement of the entity’s outcomes.[90] DVA was also budgeted to receive special appropriation funding of $11,314.2 million.[91]

3.6.7 Table 3.6.1 and Table 3.6.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.6.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 605.3 | 13,535.4 |
| Employee benefits | 288.5 | 10.8 |
| Grants | | 57.8 |
| Suppliers | 227.7 | |
| Depreciation and amortisation | 47.8 | 2.9 |
| Personal benefits | | 7,150.5 |
| Healthcare payments | | 4,232.4 |
| Payments to corporate entities | | 42.8 |
| Other | 41.3 | 2,038.2 |
| Total own-source income | 60.2 | 18.4 |
| Net premium revenue | 47.5 | |
| Rendering of services | 7.9 | |
| Other | 4.8 | 18.4 |
| Net (cost of) services | (545.1) | (13,517.0) |

Source: DVA’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.6.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 360.8 | 2,087.9 |
| Cash and cash equivalents | 8.3 | 106.9 |
| Investments | 53.6 | 1,815.2 |
| Appropriation receivables | 36.2 | |
| Trade and other receivables | 75.3 | 97.2 |
| Intangibles | 51.6 | |
| Land and buildings | 133.2 | |
| Other | 2.6 | 68.6 |
| Total liabilities | 331.9 | 44,390.3 |
| Suppliers payables | 39.0 | |
| Personal benefits | | 47.1 |
| Other payables | 44.4 | 64.2 |
| Leases | 110.1 | |
| Employee provisions | 74.4 | 3.4 |
| Personal benefits provisions | | 23,081.2 |
| Healthcare and other provisions | | 21,194.4 |
| Other provision | 64.0 | |
| Net assets/(liabilities) | 28.9 | (42,302.4) |

Note: DVA’s estimated average staffing level for 2022–23 is 2,617.

Source: DVA’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.6.8 The ANAO undertakes appropriate audit procedures on all material items and focusses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of DVA’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided in Table 3.6.3.

Table 3.6.3: Key areas of financial statements risk

Relevant financial statements line item (administered): personal benefits provisions $23,081.2 million; healthcare and other provisions $21,194.4 million
Key area of risk: Valuation of personal benefits and health care (military compensation) provisions (KAM)
Audit risk rating: Higher
Factors contributing to risk assessment:
  • judgements involved in determining the assumptions and calculations underpinning the actuarial assessment of the military compensation provision, including assumptions relating to future trends in medical costs, permanent incapacity, and inflation rates;
  • increasing value of the provision as an unfunded liability; and
  • completeness of data used to derive the valuation.

Relevant financial statements line item (administered): personal benefits $7,150.5 million; health care payments $4,232.4 million
Key area of risk: Accuracy of personal benefits and health care payments
Audit risk rating: Higher
Factors contributing to risk assessment:
  • complexity of overseeing and maintaining a large number of IT business systems which are supported by the shared services provider, Services Australia;
  • complexity of legislation applicable to individual claims;
  • additional pressures due to Royal Commission recommendations for claim processing;
  • reliance on accurate and complete veteran provided information; and
  • reliance on a risk-based quality assurance program to identify errors and initiate debt recovery arrangements in individual claims.

Source: ANAO 2022–23 risk assessment, and DVA’s budgeted financial statements for the year ended 30 June 2023.

3.6.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. No performance audits have been tabled to date in 2022–23 relevant to the financial management or administration of DVA.

Audit results

3.6.10 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: cash; appropriations; supplier expenses; employee benefits and administered personal benefit and health care payments.

3.6.11 Additional audit procedures relating to: testing of IT general and application controls; accuracy of administered personal benefit and health care payments including payments to public and private hospitals; and review of the valuation of the personal benefits and health care (military compensation) provisions will be undertaken as part of the 2022–23 final audit.

3.6.12 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.6.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved finding (2022–23 interim) | Closing position (2022–23 interim) |
|---|---|---|---|---|
| A | 1 | | 1 (a) | |
| B | 7 | 1 (a) | 3 (b) | 5 |
| Total | 8 | 1 | 4 | 5 |

Note a: The significant audit finding relating to Military Compensation Scheme Provision Methodology was identified during the 2021–22 audit. This audit finding was downgraded to a moderate audit finding during the 2022–23 interim audit.

Note b: The moderate audit finding relating to User Revalidations was identified during the 2020–21 audit. This audit finding was downgraded to a minor audit finding.

Downgraded significant audit finding
Military Compensation Scheme Provision

3.6.13 The Military Compensation Scheme (MCS) provision is assessed at the end of each financial year and recognises DVA’s liability in relation to the Military Rehabilitation and Compensation Act 2004 (MRCA) and the Safety, Rehabilitation and Compensation (Defence-related Claims) Act 1988 (SRCA). The calculation of the provision is complex and involves a number of key assumptions and judgements, including assumptions relating to future trends in medical costs, permanent incapacity, and inflation rates.

3.6.14 During the 2021–22 financial statements audit, the ANAO noted the adjustments made each year to the provision over the previous six years and formed a view that there was a significant risk that DVA’s initial valuation of the provision for 2021–22 may again be understated. In response to the ANAO’s position on the value of the provision, DVA applied an additional risk adjustment of $3.6 billion to the value of the provision for the year ended 30 June 2022. The ANAO recommended that DVA develop a comprehensive oversight policy and procedures covering risk assessment, data, assumptions, scenario analysis and involvement of key staff who understand the underlying policy and operational matters related to the provision. The ANAO also recommended that DVA undertake further work in relation to the risk adjustment to ensure it maximises DVA’s management of the level of uncertainty in the provision.

3.6.15 DVA has developed a Military Compensation Scheme (MCS) Provision Valuation Guide outlining key components of the valuation process and referencing other documents detailing key decisions and procedures. The finding has been downgraded from one that poses a significant risk to a moderate risk in recognition of the work undertaken by DVA to address issues identified in relation to the MCS provision. However, there are components of the valuation process that still require further analysis or documentation. In addition, there are some components the ANAO will not be able to verify until the valuation is undertaken at 30 June 2023. The areas requiring improvement include risk adjustment, data management, analysis of assumptions, alternative scenarios consideration and use of business knowledge related to policy and operational matters associated with the MCS.

Resolved moderate audit findings
User revalidations

3.6.16 A key aspect of system user management that protects systems and applications from exploitation is a regular user revalidation process that confirms only legitimate users have access to DVA systems and applications. During the 2020–21 financial statements audit, the ANAO identified that DVA did not have a process in place to revalidate user access for seven systems that support the financial statements. DVA implemented processes and changed some existing processes in 2021–22; however, deficiencies were noted by the ANAO on review and some revalidations were still outstanding.

3.6.17 The ANAO accepts that the deficiencies in the design of the process have been remediated and that testing in 2022–23 of revalidation in five systems has not identified any issues. As a result of the testing completed to date, the ANAO has assessed the residual risk as low and as such the finding has been downgraded to a minor audit finding.

Monitoring of High-Risk Activity in IT Systems

3.6.18 DVA reviews all activities in IT systems that are classified as high risk or a potential indicator of fraud. A software tool identifies this activity for review. During the 2020–21 financial statements audit, the ANAO identified that, after a major IT change was implemented, the tool in place to monitor high-risk activity in DVA’s IT systems was no longer able to correctly identify high-risk activity for review. DVA subsequently made changes to ensure that the software tool could correctly identify high-risk activity and retrospectively reviewed all high-risk activity. The ANAO is satisfied that this control is now operating effectively. DVA has stated that it will ensure appropriate security and fraud considerations are incorporated in all future IT system development.

QUASARS Claim File Population Reports

3.6.19 QUASARS is a system used by DVA to select and perform quality assurance testing of decisions and payments made in relation to income support and rehabilitation and compensation. The ANAO identified that DVA did not have any documented processes or procedures in place to confirm completeness, accuracy and relevance of information extracted from business systems and uploaded into QUASARS. The ANAO has confirmed that controls over the completeness, accuracy and relevance of information extracted from business systems and uploaded into QUASARS have been implemented.

Unresolved moderate audit findings
Security Governance – Monitoring Implementation of Controls

3.6.20 During the 2021–22 audit, the ANAO noted deficiencies in the governance and monitoring controls implemented by DVA to provide assurance that processes are managed to address business risks and promptly detect when the controls are not operating as designed.

3.6.21 The ANAO noted several instances that indicated DVA’s governance and monitoring processes were not effective in detecting controls that had not been appropriately implemented or were not operating effectively to address identified business risks. The ANAO recommended an effective governance and assurance framework over security governance to ensure implementation and operation of controls to manage identified business risk. DVA also needs to ensure that documentation of controls is up to date and to address specific deficiencies noted by the ANAO.

3.6.22 DVA is expected to provide evidence for the remediation of this finding in June 2023. We will assess the remediation work upon receiving the relevant documentation from DVA.

Personal Benefits – Incompatible Access Monitoring

3.6.23 DVA has identified a business risk that users are required for business reasons to have access that would allow them to bypass segregation of duties controls. DVA’s process for managing this risk was not operating effectively during 2021–22. DVA is expected to provide evidence for the remediation of this finding in June 2023. We will review the remediation work upon receiving the relevant documentation from DVA.

Process Direct Implementation

3.6.24 In November 2020, income and student support payment processing functions were transferred to the Process Direct system. The move to Process Direct was a component of the Veteran Centric Reform program.

3.6.25 During the final audit phase of the 2020–21 financial statements audit, weaknesses were identified in establishing appropriate security and data migration processes including key system roll-out documentation and performance of relevant testing for data migration.

3.6.26 During the interim audit, DVA provided the details of the remediation work to resolve the issue. We concluded that further work is required by DVA to address the risks in respect to security. DVA is expecting to complete the work by the end of the financial year.

User terminations

3.6.27 During the 2020–21 audit, the ANAO identified weaknesses in DVA’s controls relating to terminated users. Controls to remove access on termination were not effective, and there were no processes in place to identify users who had access to systems, applications and/or data repositories after cessation of employment or contract. Consequently, there was also no process to monitor activities undertaken by any users after access should have been removed.

3.6.28 DVA introduced technology that enabled DVA to action terminations more effectively. DVA also developed a process to identify, assess and investigate (where appropriate) any instances where system access post termination results in risk to DVA. However, the ANAO identified during the 2021–22 financial statements audit a number of systemic control failures relating to: unauthorised approval of system access post-termination; lack of investigation of activities performed post-termination, including any potential inappropriate sharing, downloading, or manipulation of confidential DVA information; and email accounts not checked for the forwarding of confidential or personally identifiable information outside of DVA.

3.6.29 DVA provided details of its remediation work during the 2022–23 interim audit. The audit testing is in progress and is not sufficiently advanced to reach a conclusion. The ANAO plans to complete the work necessary to verify that DVA has remediated this finding prior to 30 June 2023.

Conclusion

3.6.30 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DVA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.7 Department of Education

Overview

3.7.1 The Department of Education (Education) works with state and territory governments, other government entities and a range of stakeholders to ensure Australians can experience the social wellbeing and economic benefits that quality education provides. The department supports the provision of services, including early childhood education and care, schooling and higher education.

3.7.2 Following the Administrative Arrangement Orders of 2 June 2022, which came into effect on 1 July 2022, the previously named Department of Education, Skills and Employment was renamed to the Department of Education, with employment and skills functions transferred to the newly created Department of Employment and Workplace Relations (DEWR).

3.7.3 Figure 3.7.1 and Figure 3.7.2 below show the 2022–23 departmental and administered financial statements items reported by Education and the key areas of financial statements risk.

Figure 3.7.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Education’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.7.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Education’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.7.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Education’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Education’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.7.5 In light of the key areas of risk and the ANAO’s understanding of the operations of Education, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high. The engagement risk has increased from moderate to high for 2022–23 as a result of the machinery of government changes and the ongoing arrangements that Education has in place with the Department of Employment and Workplace Relations.

Key financial statements items

3.7.6 Annual appropriation funding[92] of $313.8 million (departmental) and $1,523.4 million (administered) was provided to Education in 2022–23 to support the achievement of the entity’s outcomes.[93] Education was also budgeted to receive special appropriation funding of $55,477.9 million.[94]

3.7.7 Table 3.7.1 and Table 3.7.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.7.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 306.3 | 53,446.0 |
| Employee benefits | 180.1 | |
| Suppliers | 120.8 | 216.2 |
| Subsidies | | 179.6 |
| Personal benefits | | 10,690.9 |
| Grants | | 38,124.1 |
| Fair value losses | | 3,235.3 |
| Depreciation and amortisation | 5.4 | 0.1 |
| Interest | | 218.7 |
| Finance costs | | 781.1 |
| Total own-source income | 7.5 | 3,269.4 |
| Sale of goods and rendering of services | 6.2 | |
| Other taxes | | 6.1 |
| Interest | | 3,201.8 |
| Gains | | |
| Other | 1.3 | 61.5 |
| Net (cost of) services | (298.8) | (50,176.6) |

Source: Education’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.7.2: Key assets and liabilities

Assets and liabilities

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total assets

261.3

52,932.1

Cash and cash equivalents

13.1

95.1

Trade and other receivables

112.1

49,914.8

Other investments

2,921.2

Other financial assets

Land and buildings

1.0

Property, plant and equipment

Intangibles

125.0

Other

11.1

Total liabilities

81.8

5,690.2

Suppliers

20.8

15.2

Other payables

1.0

3.8

Leases

0.9

Personal benefits

60.2

Grants

7.4

Personal benefits provision

583.3

Provision for grants

5,019.3

Employee provisions

60.1

Subsidies

Net assets

179.5

47,241.8

     

Note: Education’s estimated average staffing level for 2022–23 is 1,261.

Source: Education’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.7.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Education’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.7.3.

Table 3.7.3: Key areas of financial statements risk

Relevant financial statements line item (departmental and administered): all financial statements line items
Key area of risk: Machinery of Government changes and ongoing arrangements with the Department of Employment and Workplace Relations (DEWR). (KAM)
Audit risk rating: Higher
Factors contributing to risk assessment:
  • Changes to the internal control environment, governance structure and supporting policies, procedures and financial reporting processes;
  • Risks relating to ownership, completeness and accuracy of transactions and balances within the financial statements;
  • The continuing shared IT infrastructure and operating environment;
  • Interim configuration of the Financial Management Information System and Human Resources Information Management System to support both Education and DEWR.

Relevant financial statements line item (departmental and administered): all financial statements line items
Key area of risk: Completeness and accuracy of financial statements balances impacted by the complexity and range of IT systems used to maintain information and process payments
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • Large and complex IT environment with business applications processing a high volume of transactions;
  • Many IT systems are bespoke or heavily customised; and
  • Reliance on customised reports to prepare financial statements balances.

Relevant financial statements line item (administered): Higher Education Loan Program (HELP) receivable (a component of trade and other receivables $49,914.8 million); HELP loans fair value losses (a component of fair value losses $3,235.3 million)
Key area of risk: Valuation of the Higher Education Loan Program (HELP) receivable (KAM)
Audit risk rating: Higher
Factors contributing to risk assessment:
  • The balances of outstanding loans and impairment are derived from complex actuarial estimates and the estimate contains a degree of estimation uncertainty;
  • The complexity involved in estimating future income of individuals that need to repay HELP debts, the timing of expected repayments and the amount of the loan not expected to be recovered; and
  • Payment data is reliant on sources external to Education such as: the Australian Taxation Office; universities and other third parties.

Relevant financial statements line item (administered): Child Care Subsidy personal benefits expenses $10,690.9 million; personal benefits payables $60.2 million; personal benefits provisions $583.3 million
Key area of risk: Accuracy of ‘assistance to families with children’ payments (KAM)
Audit risk rating: Higher
Factors contributing to risk assessment:
  • Complex legislation and administration arrangements that apply to child care personal benefits;
  • Accounting and disclosure of year-end balances which are contingent on the lodgement of recipients’ income tax returns;
  • Payments are reliant on self-assessed information provided by child care service providers and claimants; and
  • The IT environment is highly dependent on external information systems which are administered by the Department of Social Services and Services Australia.

Relevant financial statements line item (administered): Higher Education Superannuation Program (HESP) receivable (a component of trade and other receivables $49,914.8 million); grants provision $5,019.3 million
Key area of risk: Valuation of the Higher Education Superannuation Program (HESP) (KAM)
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • The valuation of the HESP liability is subject to an actuarial estimation process and is highly sensitive to movements in discount factors and bond rates; and
  • The valuation is complex and depends on the accurate provision of source data by universities.

Source: ANAO 2022–23 risk assessment, and Education’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.7.9 The ANAO has completed components of its 2022–23 interim audit coverage, including an assessment of the controls relating to: cash; payroll; the Commonwealth Grants Scheme; and recurrent schools funding the Higher Education Support Act block grants.

3.7.10 Audit procedures relating to IT general and application controls on key business systems, opening balances as a result of the AAOs, appropriations (including special accounts and special appropriations), review and assessment of year-end estimate balances relating to HESP and HELP, childcare subsidy expenses, administered grants, administered investments and compliance programs will be undertaken as part of the planned 2022–23 final audit.

3.7.11 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.7.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
|---|---|---|---|---|
| B | 1 (a) | 1 | | 2 |
| Total | 1 | 1 | | 2 |

Note a: A moderate audit finding relating to timely removal of user access on termination was identified during the 2021–22 audit of the former Department of Education, Skills and Employment.

New moderate audit finding
Management of Machinery of Government (MoG) changes

3.7.12 In the implementation of the MoG changes, the ANAO has noted a number of areas where timeliness and the configuration of the FMIS and HRMIS have impacted on the financial reporting and audit of Education.

3.7.13 Transfers of employees between Education and DEWR by Department of Finance, as the service delivery organisation for human resources, have not followed appropriate processes due to the configuration of the HRMIS and FMIS. The ANAO observed delays in some key balance sheet reconciliations like appropriations and cash balances.

3.7.14 The ANAO has also identified that there was an absence of oversight by the Department for costs capitalised for intangibles by DEWR as part of memoranda of understanding. However, the ANAO notes that work is being undertaken by Education and DEWR, as a result of the configuration of the HRMIS and FMIS, to correct transactions that have been incorrectly recorded.

Unresolved moderate audit finding
Timely removal of user access on termination

3.7.15 The ANAO identified instances where users had accessed the former Department of Education, Skills and Employment’s systems after completion of their employment or contract. The ANAO noted that there were delays in completion of the Exit Advice Notification, which triggers a number of actions across the department, including the termination of access to ICT networks and systems.

3.7.16 The department has implemented a standard operating procedure which reviews the separation process and sought to automate the separation process. The effectiveness of these processes is being assessed by the ANAO as part of the interim audit phase.

Conclusion

3.7.17 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Education will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.8 Department of Employment and Workplace Relations

Overview

3.8.1 The Employment and Workplace Relations portfolio and Department of Employment and Workplace Relations (DEWR) were established on 1 July 2022 under the Administrative Arrangements Order issued by the Australian Government on 1 June and 23 June 2022.

3.8.2 As a result, on 1 July 2022, a Machinery of Government (MoG) change occurred with the following impacts:

  • functions related to employment, skills and vocational education transferred from the former Department of Education, Skills and Employment (now named the Department of Education (Education)) to DEWR;
  • workplace relations function transferred from the Attorney-General’s Department (AGD) to DEWR;
  • DEWR has also assumed responsibility for the Pacific Australia Labour Mobility scheme domestic operations and policy from the Foreign Affairs and Trade portfolio which was agreed in September 2023; and
  • Automatic Mutual Recognition (AMR) functions from the Department of the Prime Minister and Cabinet.

3.8.3 As a result of the above, DEWR is the lead entity in the portfolio and is responsible for enabling access to quality skills, training and employment to support Australians to find secure work in fair, productive and safe workplaces.

3.8.4 Figure 3.8.1 and Figure 3.8.2 below show the 2022–23 departmental and administered financial statements items reported by DEWR and the key areas of financial statements risk.

Figure 3.8.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DEWR’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.8.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DEWR’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.8.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DEWR’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DEWR’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.8.6 In light of the key areas of risk and the ANAO’s understanding of the operations of DEWR, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high.

Key financial statements items

3.8.7 Annual appropriation funding[95] of $785.2 million (departmental) and $5,207.1 million (administered) was provided to DEWR in 2022–23 to support the achievement of the entity’s outcomes.[96] DEWR was also budgeted to receive special appropriation funding of $1,022.3 million.[97]

3.8.8 Table 3.8.1 and Table 3.8.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.8.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 788.0 | 5,948.8 |
| Employee benefits | 337.2 | |
| Suppliers | 298.2 | 2,325.4 |
| Subsidies | | 2,661.6 |
| Personal benefits | | 344.9 |
| Grants | | 259.1 |
| Write-downs and impairments of assets | | 351.8 |
| Depreciation and amortisation | 148.0 | |
| Finance costs | 4.4 | 5.9 |
| Total own-source income | 34.7 | 628.6 |
| Sale of goods and rendering of services | 21.7 | |
| Other taxes | | 140.8 |
| Interest | | 262.3 |
| Gains | | 57.9 |
| Other | 13.0 | 225.5 |
| Net (cost of) services | (753.3) | (5,262.2) |

Source: DEWR’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.8.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 974.8 | 4,149.0 |
| Cash and cash equivalents | 8.6 | 9.5 |
| Trade and other receivables | 322.7 | 3,797.4 |
| Other investments | | 306.3 |
| Other financial assets | | 28.9 |
| Land and buildings | 301.5 | |
| Property, plant and equipment | 48.5 | |
| Intangibles | 271.5 | |
| Other | 22.0 | 7.0 |
| Total liabilities | 498.6 | 2,169.2 |
| Suppliers | 41.9 | 158.0 |
| Other payables | 0.3 | 1,951.3 |
| Leases | 319.3 | |
| Personal benefits | | 2.0 |
| Grants | | 0.8 |
| Personal benefits provision | | |
| Provision for grants | | |
| Employee provisions | 137.2 | |
| Subsidies | | 57.1 |
| Net assets | 476.2 | 1,979.8 |

Note: DEWR’s estimated average staffing level for 2022–23 is 2,915.

Source: DEWR’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.8.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of DEWR’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.8.3.

Table 3.8.3: Key areas of financial statements risk

Relevant financial statements line item (departmental): all financial statements line items
Key area of risk: Completeness and allocation of transactions and balances resulting from MoG changes (KAM)
Audit risk rating: Higher
Factors contributing to risk assessment:
  • complexities relating to the establishment of governance arrangements, systems relating to risk and control, agreements with entities for functions that have been transferred, and formalising arrangements with entities for the provision and receipt of services; and
  • configuration of a shared financial management information system between DEWR and Education increases the risk relating to accurate and complete recognition and allocation of transactions between the two entities.

Relevant financial statements line item (departmental and administered): all financial statements line items
Key area of risk: Completeness and accuracy of financial statements balances impacted by the complexity and range of IT systems used to maintain information and process payments
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • large and complex IT environment with business applications processing a high volume of transactions;
  • many IT systems are bespoke or heavily customised by DEWR; and
  • reliance on customised reports to prepare financial statements balances.

Relevant financial statements line item (administered): Workforce Australia supplier expenses (a component of suppliers $2,325.4 million); Workforce Australia personal benefits expenses (a component of personal benefits $344.9 million); Workforce Australia payables (a component of suppliers $158.0 million)
Key area of risk: Completeness and accuracy of payments relating to the implementation and management of the Workforce Australia program (KAM)
Audit risk rating: Higher
Factors contributing to risk assessment:
  • implementation of the new Workforce Australia program, including new payment structure and compliance requirements.

Relevant financial statements line item (administered): Vocational Student Loans (VSL) and Trade Support Loans (TSL) receivables (a component of trade and other receivables of $3,797.4 million)
Key area of risk: Valuation of the VSL and TSL receivable balances (KAM)
Audit risk rating: Moderate
Factors contributing to risk assessment:
  • the valuation of the VSL and TSL receivables is subject to an actuarial estimation process and includes a range of significant assumptions that have a high degree of uncertainty and are influenced by the wider economic environment;
  • a new actuarial model is being applied to estimate the TSL receivable and is expected to increase the complexity from the model previously used; and
  • the valuation is complex and dependent on the accuracy of source data.

Source: ANAO 2022–23 risk assessment, and DEWR’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.8.10 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of controls relating to: cash; supplier expenses; apprenticeships subsidies; Fair Entitlements Guarantee payments; aspects of Workforce Australia payments; and Vocational Student loan approvals. Audit coverage also included an assessment of the IT general controls over the financial management information system.

3.8.11 Audit procedures relating to: IT application controls on key business systems; review and assessment of the year-end loan balances[98]; administered grants; administered investments and compliance programs[99]; non-financial assets; and employee benefits will be performed during the final audit.

3.8.12 The assessment of IT controls over services provided to DEWR by the Department of Finance’s Service Delivery Office, including monitoring controls in place at DEWR relating to these processes, is in progress.

3.8.13 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.8.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
|---|---|---|---|---|
| B | 1(a) | 1 | | 2 |
| Total | 1 | 1 | | 2 |

Note a: A moderate audit finding relating to timely removal of user access on termination was identified during the 2021–22 audit of the former Department of Education, Skills and Employment.

New moderate audit finding
Management of MoG changes

3.8.14 As a newly established entity, it has been necessary for DEWR to establish governance arrangements, systems relating to risk and control and agreements with entities for functions that have been transferred, in addition to formalising arrangements with entities for the provision and receipt of services.

3.8.15 At the completion of the interim audit, DEWR had not finalised memoranda of understanding with the Department of Education, Services Australia and the Department of Social Services; these were still in development. DEWR also had not finalised a number of other governance documents, and has been relying on documents developed for the former Department of Education, Skills and Employment. Memoranda of understanding assist cross-agency governance by clarifying roles and responsibilities, and organisation-specific governance documents remove ambiguity of applicability.

3.8.16 An appropriate reconciliation process for appropriation transactions had not been established. In the absence of formal processes, there are risks that the amounts being reported by DEWR are not complete and accurate and/or appropriation limits are exceeded.

3.8.17 DEWR and the Department of Finance, as the service delivery organisation for human resources, had not been able to provide and validate existing employee numbers and movements during the year by way of reconciling between employee commencements and separations and the active employee listing. There is a risk regarding the completeness, accuracy and appropriateness of employee benefit payments made and reported by DEWR. Weaknesses in the management of human resources also create risks relating to the appropriateness of physical and system access.

Unresolved moderate audit finding
Timely removal of user access on termination

3.8.18 During the 2021–22 audit of the former Department of Education, Skills and Employment, the ANAO identified instances where users had accessed systems after completion of their employment/contract. The ANAO noted that there were delays in completion of the Exit Advice Notification, which triggers a number of actions across the department, including the termination of access to ICT networks and systems.

3.8.19 The department has implemented a standard operating procedure which reviews the separation process and sought to automate the separation process. The effectiveness of these processes is being assessed by the ANAO.

Conclusion

3.8.20 At the completion of the interim audit, and except for the findings outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DEWR will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.9 Department of Finance

Overview

3.9.1 The Department of Finance (Finance) is responsible for supporting the government’s budget process and oversight of public sector resource management, and for governance and accountability frameworks, as well as the production of the Australian Government’s consolidated financial statements. Finance also provides shared services through the Service Delivery Office.

3.9.2 On 1 July 2022, an Administrative Arrangements Order (AAO) issued by the Australian Government on 1 June 2022 took effect and included a transfer of responsibility for data and digital policy from the Department of the Prime Minister and Cabinet (PM&C) to Finance.

3.9.3 Figure 3.9.1 and Figure 3.9.2 below show the 2022–23 departmental and administered financial statements items reported by Finance and the key areas of financial statements risk.

Figure 3.9.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Finance’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.9.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Finance’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.9.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Finance’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Finance’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.9.5 In light of the key areas of risk and the ANAO’s understanding of the operations of Finance, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.9.6 Annual appropriation funding[100] of $358.0 million (departmental) and $319.9 million (administered) was provided to Finance in 2022–23 to support the achievement of the entity’s outcomes.[101] Finance was also budgeted to receive special appropriation funding of $8,676.1 million.[102]

3.9.7 Table 3.9.1 and Table 3.9.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.9.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 742.0 | 12,802.0 |
| Employee benefits | 193.7 | 394.7 |
| Suppliers | 223.3 | 128.8 |
| Depreciation and amortisation | 123.4 | 57.0 |
| Insurance claims | 179.1 | |
| Superannuation | | 9,199.1 |
| Distributions from investment funds | | 2,854.7 |
| Other | 22.5 | 167.7 |
| Total own-source income | 328.7 | 2,911.1 |
| Contracts with customers | 73.6 | 3.0 |
| Insurance premiums | 174.5 | |
| Superannuation contributions | | 1,027.8 |
| Interest and dividends | | 1,315.9 |
| Gains on sale of investments | | 549.5 |
| Rental Income | 78.6 | |
| Other | 2.0 | 14.9 |
| Net (cost of) services | (413.3) | (9,890.9) |

Source: Finance’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.9.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 4,865.6 | 51,897.2 |
| Cash and cash equivalents | 858.5 | 336.0 |
| Trade and other receivables | 62.3 | 305.3 |
| Land and buildings (including investment property) | 3,809.8 | 229.4 |
| Property, plant and equipment | 16.2 | 111.2 |
| Intangibles | 96.3 | 1.0 |
| Other | 22.5 | 40.4 |
| Investments | | 50,873.9 |
| Total liabilities | 1,491.4 | 154,572.6 |
| Suppliers | 37.9 | 12.1 |
| Outstanding insurance claims | 858.8 | |
| Employee provisions | 70.4 | 270.3 |
| Return of equity | 53.5 | |
| Superannuation | | 153,098.9 |
| Leases | 441.5 | 215.1 |
| Other | 29.3 | 976.2 |
| Net assets/(liabilities) | 3,374.2 | (102,675.4) |

Note: Finance’s estimated average staffing level for 2022–23 is 1,396.

Source: Finance’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.9.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Finance’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.9.3.

Table 3.9.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Departmental: insurance provision, $858.8 million | Valuation of the outstanding claims liability under the Australian Government’s self-managed general insurance fund (KAM) | Higher | • complex calculation of the liability that involves significant judgement over key assumptions including claim ratios, expected frequency of claims, severity of claims and discount rates. |
| Departmental: land and buildings (including investment property), $3,809.8 million | Valuation of properties (KAM) | Moderate | • the valuations being dependent on assumptions that require judgement relating to fair market rents, discount rates, condition and use of the properties. |
| Administered: superannuation, $153,098.9 million | Valuation of the non-defence superannuation provision (KAM) | Higher | • complex calculation requiring significant judgement in the selection of long-term assumptions, including economic assumptions and demographics of the schemes’ members. |
| Administered: collective investment vehicles (a component of investments $50,873.9 million) | Valuation of private market investments (KAM) | Higher | • the size of the investments and the inherent subjectivity and significant judgements and estimates required where market data is not available to determine the fair value of these investments. |

Source: ANAO 2022–23 risk assessment, and Finance’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.9.9 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: employee and supplier expenditure; appropriations and special accounts; and asset and cash management. The interim audit coverage also included an assessment of IT general and application controls relating to the Service Delivery Office.

3.9.10 Audit procedures relating to valuation of the insurance provision, superannuation provision, collective investment vehicles and properties will be undertaken as part of the planned 2022–23 final audit.

3.9.11 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.9.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
|---|---|---|---|---|
| B | | 1 | | 1 |
| Total | | 1 | | 1 |

New moderate audit finding
User terminations

3.9.12 The ANAO identified a number of user accounts that retained access after the user’s termination date, including users that are Members of Parliament (Staff) Act 1984 (MoP(S) Act) employees. Finance advised this was due to late notification from business areas. The ANAO found instances where users accessed the system after the termination date that were undetected by Finance. Finance performs monthly checks to detect, and investigate, if users have accessed the system after their employment cessation. However, this procedure does not include all user groups.

3.9.13 The ANAO recommended that Finance implement controls to improve the timeliness of the notification from business areas and extend existing controls to detect and investigate any post-termination access for all user groups. The ANAO will monitor the progress of this issue during the 2022–23 final audit.
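
The detective control discussed in paragraphs 3.8.18 and 3.9.12, as an added example (not ANAO or Finance code): it reconciles a separations list against account status and login records for every user group, and shows what a check scoped to a single group misses. All records, column names, group labels and system names are constructed assumptions.

```python
import csv
import io
from collections import namedtuple
from datetime import date, datetime

# Constructed sample extracts; column names, group labels and system names are assumptions.
HR_SEPARATIONS = """user_id,user_group,termination_date,notified_date
u1001,APS,2023-02-10,2023-02-09
u1002,contractor,2023-02-15,2023-03-01
u1003,MOPS,2023-01-31,2023-02-20
u1004,APS,2023-03-03,2023-03-03
"""

ACCOUNTS = """user_id,user_group,enabled,disabled_date
u1001,APS,false,2023-02-10
u1002,contractor,false,2023-03-02
u1003,MOPS,true,
u1004,APS,false,2023-03-03
u2001,APS,true,
"""

LOGINS = """timestamp,user_id,system
2023-02-09T16:40:00,u1001,FMIS
2023-02-20T09:12:00,u1002,FMIS
2023-02-27T18:03:00,u1002,HRMIS
2023-02-14T08:30:00,u1003,FMIS
2023-03-03T17:55:00,u1004,FMIS
"""

REVIEW_DATE = date(2023, 3, 31)  # constructed date on which the check is run

Finding = namedtuple("Finding", "kind user_id user_group days detail")


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review(as_of, groups_in_scope=None):
    """Return findings for separated users; groups_in_scope=None covers every group."""
    accounts = {r["user_id"]: r for r in _rows(ACCOUNTS)}
    logins = _rows(LOGINS)
    findings = []
    for sep in _rows(HR_SEPARATIONS):
        uid, group = sep["user_id"], sep["user_group"]
        if groups_in_scope is not None and group not in groups_in_scope:
            continue  # this is how a scoped check silently skips a user group
        term = date.fromisoformat(sep["termination_date"])
        notified = date.fromisoformat(sep["notified_date"])

        # 1. Late notification from the business area.
        lag = (notified - term).days
        if lag > 0:
            findings.append(Finding("late_notification", uid, group, lag,
                                    f"notified {notified}"))

        # 2. Access retained after the termination date. An account that is
        #    still enabled (or has no recorded disable date) is measured to as_of.
        acct = accounts.get(uid)
        if acct is not None:
            closed = acct["enabled"] == "false" and acct["disabled_date"]
            end = date.fromisoformat(acct["disabled_date"]) if closed else as_of
            retained = (end - term).days
            if retained > 0:
                state = f"disabled {end}" if closed else "still enabled"
                findings.append(Finding("retained_access", uid, group, retained, state))

        # 3. Logins dated after the termination date. Activity on the
        #    termination date itself is treated as the last working day.
        for ev in logins:
            if ev["user_id"] != uid:
                continue
            when = datetime.fromisoformat(ev["timestamp"]).date()
            if when > term:
                findings.append(Finding("post_termination_login", uid, group,
                                        (when - term).days,
                                        f"{ev['system']} at {ev['timestamp']}"))
    return findings


def missed_by_scope(as_of, groups_in_scope):
    """Findings an all-groups review raises that the scoped review does not."""
    scoped = review(as_of, groups_in_scope)
    return [f for f in review(as_of) if f not in scoped]


if __name__ == "__main__":
    for f in review(REVIEW_DATE):
        print(f"{f.kind:24} {f.user_id} {f.user_group:10} {f.days:3}d  {f.detail}")
    print("missed when only APS is checked:",
          len(missed_by_scope(REVIEW_DATE, {"APS"})))
```
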

Conclusion

3.9.14 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Finance will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.10 Future Fund Management Agency

Overview

3.10.1 The Future Fund Board of Guardians, supported by the Future Fund Management Agency (together the Future Fund), is responsible for investing the assets of the Future Fund under the Future Fund Act 2006, and other investment funds, managed on behalf of the Department of Finance. The investment of the funds is managed under the Disability Care Australia Fund Act 2013, the Medical Research Future Fund Act 2015, the Aboriginal and Torres Strait Islander Land and Sea Future Fund Act 2018, the Future Drought Fund Act 2019 and the Emergency Response Fund Amendment (Disaster Ready Fund) Act 2022 as a means to provide financing sources for substantial future investments in the Australian economy.

3.10.2 Figure 3.10.1 and Figure 3.10.2 below show the 2022–23 departmental and administered financial statements items reported by the Future Fund and the key areas of financial statements risk.

Figure 3.10.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.10.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and the Future Fund’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.10.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on the Future Fund’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of the Future Fund’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.10.4 In light of the key areas of risk and the ANAO’s understanding of the operations of the Future Fund, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.10.5 The Future Fund does not receive any annual appropriation funding. The Future Fund is self-funded and does not rely on appropriations for the continuance of its operations.

3.10.6 Table 3.10.1 and Table 3.10.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.10.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 165.7 | 613.3 |
| Employee benefits | 78.7 | 1.0 |
| Suppliers | 78.0 | 612.3 |
| Depreciation and amortisation | 8.8 | |
| Other expenses | 0.2 | |
| Total own-source income | 165.7 | 13,287.3 |
| Interest and dividends | | 6,332.3 |
| Other gains | 0.2 | 6,955.0 |
| Other revenue | 165.5 | |
| Net contribution to services | | 12,674.0 |

Source: The Future Fund’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.10.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 101.4 | 208,422.1 |
| Cash and cash equivalents | 0.4 | 0.5 |
| Trade and other receivables | 46.8 | 3,599.4 |
| Other financial assets | 4.7 | |
| Land and buildings (including investment properties) | 30.8 | |
| Property, plant and equipment | 17.9 | |
| Other non-financial assets | 0.8 | |
| Other investments | | 204,822.2 |
| Total liabilities | 101.4 | 1,435.4 |
| Suppliers | 8.0 | 308.4 |
| Other payables | 33.6 | 1,099.5 |
| Leases | 46.3 | |
| Employee provisions | 13.5 | |
| Other provisions | | 27.5 |
| Net assets | | 206,986.7 |

Note: The Future Fund’s estimated average staffing level for 2022–23 is 233.

Source: The Future Fund’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.10.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of the Future Fund’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.10.3.

Table 3.10.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Administered: investments — collective investments (a component of other investments $204,822.2 million) | Valuation of private market investments (KAM) | Higher | • the size of the investments and the inherent subjectivity and significant judgements and estimates required where market data is not available to determine the fair value of these investments. |
| Administered: investments (a component of other investments $204,822.2 million) | Valuation of public market investments | Moderate | • the size of the investments and the reliance on the valuation undertaken by the custodian. |

Source: ANAO 2022–23 risk assessment, and the Future Fund’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.10.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to the management of investments; monitoring of service providers; and operational expenses incurred by the Future Fund.

3.10.9 The valuation of investments, including the assessment of controls that reside within the outsourced custodian, will be completed as part of the planned 2022–23 final audit.

3.10.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.[103]

Conclusion

3.10.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that the Future Fund will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.11 Department of Foreign Affairs and Trade

Overview

3.11.1 The Department of Foreign Affairs and Trade (DFAT) supports Australia’s foreign, trade and investment, development and international security policy priorities. DFAT is the lead agency managing Australia’s international presence and will lead efforts to maximise Australia’s security and prosperity through implementation of the 2017 Foreign Policy White Paper.

3.11.2 Figure 3.11.1 and Figure 3.11.2 below show the 2022–23 departmental and administered financial statements items reported by DFAT and the key areas of financial statements risk.

Figure 3.11.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DFAT’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.11.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DFAT’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.11.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DFAT’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DFAT’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.11.4 In light of the key areas of risk and the ANAO’s understanding of the operations of DFAT, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.11.5 Annual appropriation funding[104] of $1,953.7 million (departmental) and $4,343.4 million (administered) was provided to DFAT in 2022–23 to support the achievement of the entity’s outcomes.[105] DFAT was also budgeted to receive special appropriation funding of $343.5 million.[106]

3.11.6 Table 3.11.1 and Table 3.11.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.11.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 2,118.5 | 5,046.2 |
| Employee benefits | 1,055.5 | |
| Suppliers | 710.6 | |
| Depreciation and amortisation | 336.2 | |
| Official Development Assistance | | 3,759.5 |
| Multilateral replenishments | | 565.4 |
| Other Contributions | | 567.7 |
| Other | 16.2 | 153.6 |
| Total own-source income | 172.1 | 687.4 |
| Revenue from contracts with customers | 121.3 | |
| Fees and charges | | 568.1 |
| Other | 50.8 | 119.3 |
| Net (cost of) services | (1,946.4) | (4,358.8) |

Source: DFAT’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.11.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 6,319.5 | 3,045.7 |
| Cash and cash equivalents | 421.7 | 8.8 |
| Trade and other receivables | 641.4 | 50.9 |
| Multilateral Investments | | 2,173.7 |
| Land and buildings | 4,684.1 | |
| Property, plant and equipment | 373.3 | |
| Other | 199.0 | 812.3 |
| Total liabilities | 1,695.0 | 2,102.9 |
| Suppliers payable | 146.0 | |
| Multilateral replenishments payable | | 1,760.3 |
| Other payables | 115.8 | 258.4 |
| Leases | 1,103.0 | |
| Employee provisions | 287.5 | 54.8 |
| Other provisions | 42.7 | 29.4 |
| Net assets | 4,624.5 | 942.8 |

Note: DFAT’s estimated average staffing level for 2022–23 is 6,090.

Source: DFAT’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.11.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of DFAT’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.11.3.

Table 3.11.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Departmental: land and buildings, $4,684.1 million | Valuation of the overseas property portfolio (KAM) | Higher | • subject to complex estimation and judgements affected by market conditions at overseas locations and foreign exchange movements; • range of valuation methodologies applied; and • reliance on third-party contractual arrangements for the management of overseas property. |
| Departmental and administered: various financial statements line items | Completeness and accuracy of financial information associated with overseas posts | Moderate | • decentralised operations across DFAT’s international post network; and • differing governance arrangements and financial processes across DFAT’s international post network. |
| Administered: international development assistance (a component of Official Development Assistance $3,759.5 million) | Completeness and accuracy of international development assistance (KAM) | Moderate | • a broad range of agreements that cover a range of geographical areas; and • agreements with many third parties, including international organisations, emergency and humanitarian programs, contributions to non-government organisations and volunteer programs. |

Source: ANAO 2022–23 risk assessment, and DFAT’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.11.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: quality assurance processes over lease management; payroll processing for Australian Public Service (APS) employees; cash management; and supplier expenses.

3.11.9 Interim audit procedures have also been completed over DFAT’s IT general controls in the financial management information system, the human resource management information system, and the two Official Development Assistance information systems.

3.11.10 Audit procedures relating to: assets, appropriations, overseas-based (excluding APS) employees, administered passport revenue, and Official Development Assistance will be undertaken as part of the planned 2022–23 final audit. To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.[107]

Conclusion

3.11.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DFAT will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.12 Department of Health and Aged Care

Overview

3.12.1 The Department of Health and Aged Care (DoHAC) is responsible for achieving the Australian Government’s health outcomes in the areas of health system policy, design and innovation; health access and support services; sport and recreation; individual health benefits; regulation, safety and protection; and ageing and aged care. This includes administering programs and services, such as Medicare and the Pharmaceutical Benefits Scheme, and forming partnerships with the states and territories, as well as other stakeholders.

3.12.2 Figure 3.12.1 and Figure 3.12.2 below show the 2022–23 departmental and administered financial statements items reported by DoHAC and the key areas of financial statements risk.

Figure 3.12.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DoHAC’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.12.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DoHAC’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.12.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DoHAC’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DoHAC’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.12.4 In light of the key areas of risk and the ANAO’s understanding of the operations of DoHAC, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high.

Key financial statements items

3.12.5 Annual appropriation funding of $1,167.1 million (departmental) and $19,661.8 million (administered) was provided to DoHAC in 2022–23 to support the achievement of the entity’s outcomes.[108] DoHAC was also budgeted to receive special appropriation funding of $32,011.3 million.[109]

3.12.6 Table 3.12.1 and Table 3.12.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.12.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 1,289.9 | 101,931.1 |
| Employee benefits | 614.7 | |
| Suppliers | 532.6 | 2,663.2 |
| Subsidies | | 16,663.3 |
| Depreciation and amortisation | 132.1 | 1.7 |
| Personal benefits | | 67,185.3 |
| Grants | | 14,078.8 |
| Payments to corporate Commonwealth entities | | 598.0 |
| Interest on right of use assets | 5.5 | |
| Other | 5.1 | 740.7 |
| Total own-source income | 240.2 | 55,472.3 |
| Sale of goods and rendering of services | 229.6 | |
| Other revenue & gains | 9.7 | 480.8 |
| Recoveries | | 6,006.8 |
| Interest | | 22.9 |
| Other taxes | | |
| Special account transfers | | 48,934.2 |
| Other | 0.9 | 27.7 |
| Net (cost of)/contribution to services | (1,049.7) | 46,458.8 |

Source: DoHAC’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.12.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 1,463.9 | 7,896.8 |
| Receivables | 202.4 | 1,078.1 |
| Cash and cash equivalents | 120.1 | 3,404.8 |
| Investments | | 748.4 |
| Inventories | | 2,662.4 |
| Land and buildings | 694.9 | |
| Property, plant and equipment | 6.6 | 3.2 |
| Intangibles | 406.5 | |
| Other | 33.5 | |
| Total liabilities | 1,067.1 | 4,898.4 |
| Personal benefits payable | | 1,964.3 |
| Subsidies payable | | 128.3 |
| Suppliers payable | 82.0 | 657.0 |
| Grants payable | | 211.2 |
| Other payables | 34.1 | |
| Personal benefits provision | | 1,362.3 |
| Subsidies provision | | 575.2 |
| Leases | 709.5 | |
| Employee payable | 19.2 | |
| Employee provisions | 205.0 | |
| Other provisions | 17.3 | |
| Net assets | 396.8 | 2,998.4 |

Note: DoHAC’s estimated average staffing level for 2022–23 is 4,889.

Source: DoHAC’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.12.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of DoHAC’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.12.3.

Table 3.12.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Administered: subsidies, $16,663.3 million | Accuracy of aged care subsidies (KAM) | Higher | • subsidy paid is based on an assessment of residents’ ongoing care needs performed by a third party provider; and • payments are calculated by multiple, complex IT systems and are underpinned by complex regulatory requirements. |
| Administered: personal benefits expense, $67,185.3 million | Accuracy of personal benefits health care entitlements (KAM) | Higher | • payments are based on information provided by the benefit recipients and may be significantly impacted by delays in recipients providing correct or updated information and/or provision of incorrect information resulting in invalid payments. |
| Administered: inventories, $2,662.4 million | Valuation of inventories (KAM) | Higher | • complexities associated with the determination of current replacement cost and loss of service potential. |
| Administered: personal benefits provision, $1,362.3 million | Valuation of personal benefits liabilities (KAM) | Higher | • significant actuarial assumptions and judgements are involved in estimating the personal benefits liabilities; • the significant judgements relate to the amount and timing of future claims, estimating the period over which these liabilities are expected to be settled; and • the judgements rely on the completeness and accuracy of the underlying historical data used in the estimation process. |
| Administered: grants expense, $14,078.8 million | Accuracy and occurrence of grants expenses | Moderate | • diversity of the grant programs administered by DoHAC with differing eligibility and reporting requirements. |

Source: ANAO 2022–23 risk assessment, and DoHAC’s budgeted financial statements for the year ended 30 June 2023.

3.12.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. The following performance audit reports were tabled during 2022–23 relevant to the financial management or administration of DoHAC:

  • Auditor-General Report No. 3 2022–23 Australia’s COVID-19 Vaccine Rollout; and
  • Auditor-General Report No. 10 2022–23 Expansion of Telehealth Services.

3.12.9 The observations of these reports were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement.

Audit results

3.12.10 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: IT security, change management and application controls in the financial management and human resource information systems; and the accuracy of personal benefits health care entitlements. Detailed testing has also been performed in relation to grants expenses.

3.12.11 Audit procedures relating to other key areas of financial statements risk, including the accuracy of aged care subsidies, the valuation of inventories, and the valuation of the personal benefits provision, will be undertaken as part of the planned 2022–23 final audit.

3.12.12 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.12.4: Status of audit findings raised by the ANAO

Category

Closing position (2021–22 final)

New findings (2022–23 interim)

Resolved findings (2022–23 interim)

Closing position (2022–23 interim)

B

1

1

Total

1

1

         
Unresolved moderate audit finding
Impairment of administered inventory

3.12.13 Individual inventory items held in the National Medical Stockpile (NMS) are written off when the item passes its expiration date or when the item has been assessed as damaged. Similarly, vaccines inventory is written off when there is observed damage, when the item passes its expiration date and/or when it is exposed to temperatures outside its acceptable range (cold chain breaches).

3.12.14 During the stocktake of NMS items conducted in 2021–22, DoHAC identified errors associated with the expiry date of NMS items. Due to the errors identified, management completed additional assurance activities to confirm the appropriateness of the carrying value of inventory as at 30 June 2022.

3.12.15 The ANAO recommended DoHAC implement an activity to provide assurance that the impairment status of inventory is accurate and to incorporate expiry date adjustments as part of the cycle count process. The ANAO also recommended that DoHAC consider developing an allowance for impairment focusing on inventory categories that are likely to expire before they are consumed.

3.12.16 As part of the 2022–23 interim audit, the ANAO has assessed DoHAC’s progress in addressing the weaknesses identified. DoHAC is currently in the process of developing the annual stocktake procedures and has advised that procedures will be incorporated to confirm the accuracy of expiry dates recorded. DoHAC is also considering the development of a consumption forecast model for the purposes of estimating impairment. The ANAO will continue to monitor DoHAC’s progress in addressing the finding as part of the final audit.

Conclusion

3.12.17 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DoHAC will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.13 Department of Home Affairs

Overview

3.13.1 The Department of Home Affairs (Home Affairs) is responsible for central coordination, strategy and policy in relation to: cyber and critical infrastructure resilience and security; immigration, border security and management; and counter-terrorism. It also deals with the management and delivery of the migration, humanitarian and refugee programs, along with multicultural programs, citizenship and settlement services. Home Affairs includes the Australian Border Force, which is responsible for border, investigatory, compliance, detention (facilities and centres) and enforcement functions, as well as Australia’s customs functions.

3.13.2 On 1 June 2022, an Administrative Arrangements Order was issued by the Australian Government. As a result, a Machinery of Government (MoG) change occurred for Home Affairs, resulting in responsibility for law enforcement policy and cybercrime functions being transferred to the Attorney-General’s Department effective from 1 July 2022.[110]

3.13.3 Following a letter from the Prime Minister on 30 June 2022, emergency management functions were transferred to the National Emergency Management Agency (NEMA). This was completed on 1 September 2022 following the order by the Governor-General to establish NEMA on 18 August 2022.

3.13.4 Figure 3.13.1 and Figure 3.13.2 below show the 2022–23 departmental and administered financial statements items reported by Home Affairs and the key areas of financial statements risk.

Figure 3.13.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Home Affairs’ budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.13.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Home Affairs’ budget as reported in the 2022–23 Portfolio Budget Statements.

3.13.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Home Affairs’ financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Home Affairs’ environment and governance arrangements, including its financial reporting regime and system of internal control.

3.13.6 In light of the key areas of risk and the ANAO’s understanding of the operations of Home Affairs, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high.

Key financial statements items

3.13.7 Annual appropriation funding[111] of $2,996.0 million (departmental) and $2,016.1 million (administered) was provided to Home Affairs in 2022–23 to support the achievement of the entity’s outcomes.[112] Home Affairs was also budgeted to receive special appropriation funding of $745.0 million.[113]

3.13.8 Table 3.13.1 and Table 3.13.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.13.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total expenses

3,390.0

2,279.1

Employee benefits

1,574.6

Suppliers

1,169.9

1,935.7

Depreciation and amortisation

591.4

110.0

Finance costs

37.0

Personal benefits

101.2

Grants

121.4

Other

17.1

10.8

Total own-source income

210.1

20,866.6

Sale of goods and rendering of services

210.1

143.3

Customs duty

16,819.5

Other taxes

3,903.8

Net (cost of)/contribution to services

(3,179.9)

18,587.5

     

Source: Home Affairs’ 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.13.2: Key assets and liabilities

Assets and liabilities

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total assets

4,326.3

1,373.8

Cash and cash equivalents

6.4

107.5

Trade and other receivables

614.3

37.1

Taxation receivables

394.2

Land and buildings

2,312.8

635.4

Property, plant and equipment

834.6

173.8

Intangibles

463.8

0.1

Inventories

20.2

Other

74.2

25.7

Total liabilities

3,332.5

418.9

Provisions

534.5

11.1

Payables

304.4

403.3

Leases

2,493.7

4.5

Net assets

993.8

954.9

     

Note: Home Affairs’ estimated average staffing level for 2022–23 is 14,120.

Source: Home Affairs’ 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.13.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Home Affairs’ financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.13.3.

Table 3.13.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Administered customs duty $16,819.5 million | Accuracy of customs duty (KAM) | Higher | complexity of the broader tariff classification scheme specifically related to products and origin; and complexity of the IT environment used to manage customs duty due to multiple systems across multiple entities. |
| Administered visa application charges (a component of other taxes $3,903.8 million) | Accuracy of visa revenue (KAM) | Higher | complexity of the IT environment used to collect revenue. |
| Administered services rendered — detention (a component of suppliers $1,935.7 million) | Accuracy and occurrence of expenses incurred in the management of the detention and regional processing network | Moderate | complexity of contracts associated with managing the detention and regional processing centres; and the variability of the costs associated with administering the detention and regional processing network. |
| Administered non-financial assets $830.4 million; departmental non-financial assets $3,704.6 million | Accuracy, valuation and allocation of non-financial assets | Moderate | the complexity of performing valuations in a range of markets given the geographically dispersed land, buildings and equipment including assets located overseas; and decentralised nature of operations and controls. |

Source: ANAO 2022–23 risk assessment, and Home Affairs’ budgeted financial statements for the year ended 30 June 2023.

Audit results

3.13.10 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to key IT systems and the purchases and payables process.

3.13.11 Audit procedures relating to the evaluation of customs risk treatment strategies, the design and implementation of customs duty compliance processes and non-financial asset valuations will be undertaken as part of the planned 2022–23 final audit.

3.13.12 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.

3.13.13 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.13.4: Status of audit findings raised by the ANAO

Category

Closing position (2021–22 final)

New findings (2022–23 interim)

Resolved findings (2022–23 interim)

Closing position (2022–23 interim)

B

1

1

Total

1

1

         
New moderate audit finding
User access removal

3.13.14 The Protective Security Policy Framework (PSPF) requires non-corporate Commonwealth entities to control access to systems, networks, and applications. The requirement includes removing system access from employee and contractor staff without an operational need for access to IT resources. During the 2022–23 interim audit, the ANAO identified weaknesses in Home Affairs’ processes for reviewing and monitoring staff access and user activities performed by staff after they had ceased employment with Home Affairs. The weaknesses resulted in some contractors having access to Home Affairs’ systems, networks, and applications after ceasing employment with Home Affairs.

3.13.15 The ANAO recommended that Home Affairs: remove access from terminated contractors and staff; review user access logs to determine if access was appropriate and authorised; and update monitoring processes to focus on detection and investigation of user access performed after staff cessation dates. The updated processes should be supported by a risk assessment to confirm that they mitigate the associated risks.

3.13.16 Home Affairs advised that access from terminated contractors had been removed and a review undertaken to confirm that access was appropriate and authorised. Home Affairs also advised that processes to remove user access on termination will be reviewed, and that strengthened monitoring processes and protocols will be considered for implementation. The ANAO will review the actions taken by Home Affairs during the planned 2022–23 final audit.

Conclusion

3.13.17 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Home Affairs will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.14 Department of Industry, Science and Resources

Overview

3.14.1 The Department of Industry, Science and Resources (Industry) is responsible for supporting economic growth, productivity and job creation for all Australians by investing in science, technology and commercialisation, growing innovative and competitive businesses, industries and regions, and supporting resources.

3.14.2 Industry offers a grants hub and shared services centre which provides other Commonwealth entities with administrative support, including: grants administration and payments processing; human resources and financial transactions processing; and the provision of management information systems supporting these processes.

3.14.3 The Administrative Arrangements Order (AAO) of 23 June 2022 transferred responsibility for climate change and energy from the former Department of Industry, Science, Energy and Resources to the newly formed Department of Climate Change, Energy, the Environment and Water. A subsequent AAO of 13 October 2022 transferred responsibilities for the Office of Supply Chain Resilience, the Critical Technologies Hub and the Digital Technology Taskforce from the Department of the Prime Minister and Cabinet to the Department of Industry, Science and Resources.

3.14.4 Figure 3.14.1 and Figure 3.14.2 below show the 2022–23 departmental and administered financial statements items reported by Industry and the key areas of financial statements risk.

Figure 3.14.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Industry’s revised budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.14.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Industry’s revised budget as reported in the 2022–23 Portfolio Budget Statements.

3.14.5 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Industry’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Industry’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.14.6 In light of the key areas of risk and the ANAO’s understanding of the operations of Industry, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.14.7 Annual appropriation funding[114] of $659.1 million (departmental) and $2,196.5 million (administered) was provided to Industry in 2022–23 to support the achievement of the entity’s outcomes.[115] Industry was also budgeted to receive special appropriation funding of $44.6 million.[116]

3.14.8 Table 3.14.1 and Table 3.14.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.14.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 719.8 | 3,264.0 |
| Employee benefits | 394.5 | 9.7 |
| Suppliers | 247.6 | 347.3 |
| Depreciation and amortisation | 68.4 | 1.9 |
| Write-down and impairment of assets | - | 5.5 |
| Grants | 6.4 | - |
| Grants and subsidies | - | 1,562.1 |
| Payments to corporate Commonwealth entities | - | 1,330.6 |
| Finance costs | 2.9 | 1.6 |
| Other | - | 5.3 |
| Total own-source income | 98.9 | 1,632.3 |
| Royalties | - | 1,557.7 |
| Sale of goods and rendering of services | 89.1 | - |
| Other | 9.8 | 74.6 |
| Net (cost of) services | (620.9) | (1,631.7) |

Source: Industry’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.14.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 690.1 | 5,412.7 |
| Cash and cash equivalents | 11.5 | 489.8 |
| Investments | - | 4,151.7 |
| Trade and other receivables | 194.0 | 758.4 |
| Land and buildings | 305.4 | 4.3 |
| Property, plant and equipment | 41.4 | 0.6 |
| Other | 137.8 | 7.9 |
| Total liabilities | 405.9 | 1,572.0 |
| Leases | 226.6 | 3.2 |
| Suppliers | 65.6 | 14.8 |
| Employee provisions | 99.7 | 2.4 |
| Grants payable | 5.8 | 7.0 |
| Other | 8.2 | 1,544.6 |
| Net assets | 284.2 | 3,840.7 |

Note: Industry’s estimated average staffing level for 2022–23 is 2,973.

Source: Industry’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.14.9 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Industry’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.14.3.

Table 3.14.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Administered royalties revenue $1,557.7 million | Completeness and accuracy of offshore petroleum royalties (KAM) | Higher | reliance on data reporting and administrative functions performed by third parties, including state and foreign governments and other federal government agencies; and calculations are dependent on information provided by taxpayers in a self-assessment regime. |
| Administered Ranger rehabilitation and Northern Endeavour Decommissioning provision $1,544.3 million | Valuation of the rehabilitation provision (KAM) | Higher | additional provision recognised in 2021–22 for the decommissioning of the Northern Endeavour Floating Production Storage and Offtake facility; complexity, estimation and significant judgement relating to the forecast and timing of future rehabilitation and decommissioning costs; and reliance on third party data to calculate the estimates. |
| Administered grant expense (a component of grants and subsidies $1,562.1 million); grants payable $7.0 million | Accuracy, occurrence and completeness of grant payments | Moderate | significant number of individual grant programs which operate under separate grant agreements and are subject to different eligibility criteria; and reliance on third party acquittals to confirm validity of grant payments. |

Source: ANAO 2022–23 risk assessment, and Industry’s budgeted financial statements for the year ended 30 June 2023.

3.14.10 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit. Auditor-General Report No. 42 2021–22 Procurement of Delivery Partners for the Entrepreneurs’ Program was tabled in June 2022 and is relevant to the financial management and administration of Industry.

3.14.11 The audit report concluded that the design and conduct of the procurement did not comply with the Commonwealth Procurement Rules (CPRs), and the signed contracts were not appropriately managed. These observations are relevant to the administered grant expense outlined in Table 3.14.3.

3.14.12 The observations of this report were considered in designing audit procedures relating to administered grants expenses and payables.

Audit results

3.14.13 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to employee and supplier expenditure; appropriations and special accounts; and asset and cash management. The interim audit coverage has also included assessments of controls relating to selected departmental revenue streams, grants payments and IT general and applications controls for key financial systems.

3.14.14 Audit procedures relating to the completeness and accuracy of royalties, the valuation of administered investments, and the Ranger and Northern Endeavour rehabilitation provision will be undertaken as part of the planned 2022–23 final audit.

3.14.15 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.[117]

Conclusion

3.14.16 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Industry will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.15 Department of Infrastructure, Transport, Regional Development, Communications and the Arts

Overview

3.15.1 The Department of Infrastructure, Transport, Regional Development, Communications and the Arts (Infrastructure) is responsible for improving infrastructure across Australia through funding cooperation of transport and other infrastructure; providing an efficient, sustainable, competitive and safe transport system for all transport users; strengthening the sustainability, capacity and diversity of regional economies; providing advice on population policy; implementing the national policy on cities; and promoting an innovative and competitive communications sector. The department also promotes participation in, and access to, Australia’s arts and culture through developing and supporting cultural expression, and supports governance arrangements in the Australian territories.

3.15.2 On 1 June and 23 June 2022, revised Administrative Arrangements Orders were issued by the Australian Government. As a result, on 1 July 2022, a Machinery of Government (MoG) change occurred with the following impacts for Infrastructure:

  • functions related to water were transferred to the newly created Department of Climate Change, Energy, the Environment and Water (DCCEEW); and
  • the function related to copyright was transferred to the Attorney-General’s Department.

3.15.3 Figure 3.15.1 and Figure 3.15.2 below show the 2022–23 departmental and administered financial statements items reported by Infrastructure and the key areas of financial statements risk.

Figure 3.15.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.15.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Infrastructure’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.15.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Infrastructure’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Infrastructure’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.15.5 In light of the key areas of risk and the ANAO’s understanding of the operations of Infrastructure, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.15.6 Annual appropriation funding[118] of $415.5 million (departmental) and $7,579.7 million (administered) was provided to Infrastructure in 2022–23 to support the achievement of the entity’s outcomes.[119] Infrastructure was also budgeted to receive special appropriation funding of $1,809.9 million.[120]

3.15.7 Table 3.15.1 and Table 3.15.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.15.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total expenses

435.9

8,811.8

Employee benefits

261.1

17.0

Suppliers

131.4

700.4

Depreciation and amortisation

37.0

62.5

Grants

4.4

4,680.5

Subsidies

1,018.0

Payments to corporate Commonwealth entities

2,160.0

Write down and impairment of assets

24.6

Other

2.0

148.9

Total own-source income

14.4

665.3

Sale of goods and rendering of services

6.3

52.9

Rental income

2.0

4.4

Fees and fines

166.9

Interest

379.6

Other taxes

29.9

Other

6.1

31.7

Net (cost of) services

(421.5)

(8,146.5)

     

Source: Infrastructure’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.15.2: Key assets and liabilities

Assets and liabilities

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total assets

399.6

52,637.0

Cash and cash equivalents

18.4

50.0

Trade and other receivables

144.1

8,880.9

Other financial assets

3.4

82.3

Other investments

42,681.5

Land and buildings

91.1

210.5

Property, plant and equipment

16.6

537.5

Other

126.0

194.3

Total liabilities

195.5

1,608.7

Suppliers

26.0

272.7

Subsidies

38.6

Grants

147.7

Interest Bearing Liabilities (Leases)

79.5

Employee provisions

84.2

4.2

Other

5.8

1,145.5

Net assets

204.1

51,028.3

     

Note: Infrastructure’s estimated average staffing level for 2022–23 is 1,772.

Source: Infrastructure’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.15.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Infrastructure’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.15.3.

Table 3.15.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Administered investments $42,681.5 million | Valuation of investments (KAM) | Higher | complex discounted cash flow models that require significant judgements in the selection of assumptions and inputs, including estimated future cash flows, weighted average cost of capital, terminal values and discount rates that are based on primarily unobservable data; and the significance of the balance of administered investments to the financial statements. |
| Administered receivables $8,880.9 million; loan interest revenue $379.6 million | Recognition and measurement of loans and advances (KAM) | Moderate | the level of management judgement involved in calculating expected credit losses including the recoverability of the loans at balance date particularly determining whether any deterioration in credit quality of loan recipients has occurred; and complexity of the valuation and required calculations for loan balances which attract concessional terms, including the level of estimation required to determine the appropriate market rate for the concessional component of new loans. |
| Administered grants expenses $4,680.5 million; grants payable $147.7 million | Occurrence of grant expenses | Moderate | complex, significant and diverse range of programs that include various different administrative and legislative arrangements and conditions which impact payments; and level of subjectivity and judgement applied in determining whether a recipient meets eligibility and funding milestone requirements. |

Source: ANAO 2022–23 risk assessment, and Infrastructure’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.15.9 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: accounting for non-financial assets; grants expenses; supplier expenses and employee payroll. Interim audit coverage has also included an assessment of IT general controls including security and change management processes relevant to the financial management information systems and human resources management information system.

3.15.10 Audit procedures relating to: valuation of administered investments; accuracy of subsidy claims for the Tasmanian Freight Equalisation Scheme and Regional Broadband Scheme; and valuation of other assets, including non-financial assets and loans and advances, will be undertaken as part of the planned 2022–23 final audit.

3.15.11 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.15.4: Status of audit findings raised by the ANAO

Category

Closing position (2021–22 final)

New findings (2022–23 interim)

Resolved findings (2022–23 interim)

Closing position (2022–23 interim)

B

1

1

Total

1

1

         
Unresolved moderate audit finding
User access removal

3.15.12 During the 2021–22 audit, the ANAO identified that Infrastructure did not have sufficient controls in place to identify and perform timely investigations over access by users post cessation of their employment or contract. Infrastructure has made progress in addressing the weakness reported with most access post cessation being identified and investigated but weaknesses remain.

3.15.13 Infrastructure has confirmed that weaknesses in the processes have been addressed and all access post cessation is now properly identified and investigated. The ANAO will review the action taken by Infrastructure during the 2022–23 final audit.

Conclusion

3.15.14 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Infrastructure will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.16 Australian Postal Corporation

Overview

3.16.1 The Australian Postal Corporation (Australia Post) is a government business enterprise responsible for supplying postal services to Australia, including the distribution of letters and parcels in Australia and internationally.

3.16.2 Figure 3.16.1 below shows the 2021–22 financial statements items reported by Australia Post and the key areas of financial statements risk.

Figure 3.16.1: Key financial statements items and areas of financial statements risk

Source: ANAO analysis and Australia Post’s audited financial statements for the year ended 30 June 2022.

3.16.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Australia Post’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Australia Post’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.16.4 In light of the key areas of risk and the ANAO’s understanding of the operations of Australia Post, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.16.5 Australia Post does not receive any annual appropriation funding. The operational functions of Australia Post are funded from the following sources: parcel services; mail services; and retail, agency and other services. Australia Post pays a dividend to the Commonwealth from its profit after income tax.

3.16.6 Table 3.16.1 and Table 3.16.2 below provide a summary of the key items from the 2021–22 audited financial statements.

Table 3.16.1: Key expenses and total income

| Expenses and income | Actual ($m) 2021–22 |
|---|---|
| Total expenses | 8,880.8 |
| Employee benefits | 3,377.9 |
| Suppliers | 4,890.6 |
| Depreciation and amortisation | 543.6 |
| Other | 68.7 |
| Total income | 8,973.9 |
| Goods and services | 8,864.1 |
| Other | 109.8 |
| Profit before income tax | 55.3 |
| Income tax expense | (5.8) |
| Profit after income tax | 49.5 |

Source: Australia Post’s 2021–22 audited financial statements.

Table 3.16.2: Key assets and liabilities

| Assets and liabilities | Actual ($m) 2021–22 |
|---|---|
| Total assets | 6,903.1 |
| Cash and cash equivalents | 380.9 |
| Trade and other receivables | 820.0 |
| Property, plant and equipment | 1,906.7 |
| Intangible assets | 798.6 |
| Investment property | 160.5 |
| Net superannuation asset | 950.5 |
| Deferred tax assets | 656.7 |
| Right of use assets | 957.9 |
| Other | 271.3 |
| Total liabilities | 4,325.9 |
| Trade and other payables | 1,208.9 |
| Employee provisions | 1,010.3 |
| Interest bearing liabilities | 350.3 |
| Deferred tax liabilities | 609.7 |
| Lease liabilities | 1,066.0 |
| Other | 80.7 |
| Net assets | 2,577.2 |

Note: Australia Post’s staffing level at 30 June 2022 was 36,374 including non-ongoing contractors as reported in the 2021–22 annual report.

Source: Australia Post’s 2021–22 audited financial statements.

Key areas of financial statements risk

3.16.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Australia Post’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.16.3.

Table 3.16.3: Key areas of financial statements risk

Relevant financial statements line item

Key area of risk

Audit risk rating

Factors contributing to risk assessment

Goods and services income

$8,864.1 million

unearned postage revenue

(a component of trade and other payables $296.4 million)

Valuation of unearned revenue liability

KAM

Higher

  • judgement is applied by management in estimating the amount of postage products sold which are still unused at balance sheet date; and
  • complexity in estimating the expected timing and amount of future utilisation of those unused postage products.

intangible assets goodwill

(a component of intangible assets $507.8 million)

Valuation of goodwill

KAM

Higher

  • the estimation process is complex and involves the exercise of significant judgement in relation to the selection of assumptions such as the discount rate and cash flow forecasts.

net superannuation asset

$950.5 million

Valuation of the net superannuation asset

KAM

Higher

  • the valuation is sensitive to movements in the long-term assumptions; and
  • judgement is applied by management in relation to the selection of long-term assumptions such as salary growth, discount and inflation rates.
       

Source: ANAO 2022–23 risk assessment, and Australia Post’s audited financial statements for the year ended 30 June 2022.

Audit results

3.16.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: employee benefits; suppliers; and goods and services income. In addition, audit procedures have been completed over cash and cash equivalents; trade and other receivables; property, plant and equipment; trade and other payables; and employee provisions.

3.16.9 Interim coverage also included testing of the IT general controls and application controls of key systems supporting the financial statements.

3.16.10 Audit procedures relating to the remaining balances, including valuations of unearned delivery revenue, intangible assets goodwill and the net superannuation asset, will be completed as part of the 2022–23 final audit.

3.16.11 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.[121]

Conclusion

3.16.12 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that Australia Post will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.17 NBN Co Limited

Overview

3.17.1 The primary objective of NBN Co Limited (NBN Co) is to provide wholesale services to internet service providers. NBN Co is a government business enterprise incorporated under the Corporations Act 2001.

3.17.2 Figure 3.17.1 below shows the 2021–22 financial statements items reported by NBN Co and the key areas of financial statements risk.

Figure 3.17.1: Key financial statements items and areas of financial statements risk

Source: ANAO analysis and NBN Co’s audited financial statements for the year ended 30 June 2022.

3.17.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NBN Co’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NBN Co’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.17.4 In light of the key areas of risk and the ANAO’s understanding of the operations of NBN Co, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high.

Key financial statements items

3.17.5 NBN Co does not receive any annual appropriation funding. The operational functions of NBN Co are funded from the following sources: telecommunications revenue, borrowings from the Australian Government, bank facilities, capital debt markets and grants.

3.17.6 Table 3.17.1 and Table 3.17.2 below provide a summary of the key 2021–22 audited financial statements items.

Table 3.17.1: Key expenses and total own-sourced income

| Expenses and own-source income | Actual ($m) 2021–22 |
|---|---|
| Total expenses | 7,043 |
| Subscriber costs | 175 |
| Depreciation and amortisation expense | 3,541 |
| Employee benefits expenses | 647 |
| Direct network costs | 730 |
| Net finance costs | 1,470 |
| Other operating expenses | 480 |
| Total own-source income | 6,504 |
| Revenue | 5,103 |
| Other income | 73 |
| Income tax benefit | 399 |
| Other comprehensive gain | 929 |
| (Loss) after income tax | (539) |

Source: NBN Co’s 2021–22 audited financial statements.

Table 3.17.2: Key assets and liabilities

| Assets and liabilities | Actual ($m) 2021–22 |
|---|---|
| Total assets | 36,777 |
| Cash and cash equivalents | 113 |
| Trade and other receivables | 503 |
| Property, plant and equipment | 32,868 |
| Intangible assets | 1,755 |
| Other assets | 1,538 |
| Total liabilities | 39,056 |
| Trade and other payables | 1,596 |
| Derivative financial liabilities | 169 |
| Borrowings | 18,204 |
| Other liabilities | 8,136 |
| Lease liabilities | 10,951 |
| Net (liabilities) | (2,279) |

Note: NBN Co’s staffing level at 30 June 2022 was 4,728 including non-ongoing contractors as reported in the 2021–22 annual report.

Source: NBN Co’s 2021–22 audited financial statements.

Key areas of financial statements risk

3.17.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of NBN Co’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.17.3.

Table 3.17.3: Key areas of financial statements risk

Relevant financial statements line item

Key area of risk

Audit risk rating

Factors contributing to risk assessment

Telecommunications revenue

$5,103 million

Accuracy and occurrence of telecommunications revenue

KAM

Higher

  • complexity of revenue recognition and reporting from the ongoing rollout of the network and the number of IT systems used to record and manage information.

Derivative financial assets

(a component of other assets $1,538 million)

derivative financial liabilities

$169 million

Valuation and disclosure of derivative financial instruments

KAM (valuation)

Higher

  • volume, quantum and complexity of the derivative arrangements entered into; and
  • complexity in the valuation, accounting, and disclosure requirements for financial instruments and borrowings due to assumptions involved.

Depreciation and amortisation

$3,541 million

Accuracy and completeness of depreciation and amortisation

KAM

Moderate

  • significant judgement in determining the useful lives and the use of complex manual models in the calculation of depreciation and amortisation.

Property, plant and equipment

$32,868 million

intangible assets

$1,755 million

depreciation and amortisation

$3,541 million

Valuation of non-financial assets (including network assets)

Moderate

  • significant judgement in the determination and application of useful lives; and
  • the value of non-financial assets is subject to a high degree of judgement and complexity.
       

Source: ANAO 2022–23 risk assessment, and NBN Co’s audited financial statements for the year ended 30 June 2022.

Audit results

3.17.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: revenue and receivables; purchases and payables; payroll; inventory; treasury, including derivatives and borrowings; non-financial assets, including lease management; accounting for the Telstra and Optus agreements; and design and implementation of IT general and application controls.

3.17.9 Additional audit procedures relating to valuation of non-financial assets, depreciation and amortisation expense, and testing of IT general and application controls will be undertaken as part of the planned 2022–23 final audit.

3.17.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.[122]

Conclusion

3.17.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that NBN Co will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.18 Department of Parliamentary Services

Overview

3.18.1 The Department of Parliamentary Services (DPS) is responsible for supporting the Parliament through the provision of a range of services including library, Hansard, broadcasting, communications, and building security and maintenance.

3.18.2 Figure 3.18.1 and Figure 3.18.2 below show the 2022–23 departmental and administered financial statements items reported by DPS and the key areas of financial statements risk.

Figure 3.18.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DPS’ budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.18.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DPS’ budget as reported in the 2022–23 Portfolio Budget Statements.

3.18.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DPS’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DPS’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.18.4 In light of the key areas of risk and the ANAO’s understanding of the operations of DPS, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as low.

Key financial statements items

3.18.5 Annual appropriation funding of $175.4 million (departmental) and $54.0 million (administered) was provided to DPS in 2022–23 to support the achievement of the entity’s outcomes.[123]

3.18.6 Table 3.18.1 and Table 3.18.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.18.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total expenses

185.9

59.8

Employee benefits

108.6

Suppliers

62.2

5.6

Depreciation and amortisation

21.8

50.3

Total own-source income

15.0

Sale of goods and rendering of services

14.1

Other

0.9

Net (cost of) services

(177.7)

(55.9)

     

Source: DPS’ 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.18.2: Key assets and liabilities

Assets and liabilities

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total assets

145.4

2,950.7

Taxation receivables

Cash and cash equivalents

1.1

Trade and other receivables

34.6

0.8

Land and buildings

6.7

2,764.4

Property, plant and equipment

47.4

50.7

Intangibles

49.7

8.6

Heritage and cultural

126.4

Inventories

0.2

Other non-financial assets

5.7

0.5

Total liabilities

47.2

1.7

Suppliers

8.4

0.9

Other payables

4.3

0.7

Leases

6.7

Employee provisions

27.8

Net assets

98.2

2,949.9

     

Note: DPS’ estimated average staffing level for 2022–23 is 968.

Source: DPS’ 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.18.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of DPS’ financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.18.3.

Table 3.18.3: Key areas of financial statements risk

Relevant financial statements line item

Key area of risk

Audit risk rating

Factors contributing to risk assessment

Administered

buildings

(a component of land and buildings

$2,764.4 million)

Valuation of buildings

KAM

Higher

  • the valuation is complex due to the unique nature of each building component that comprises Parliament House; and
  • significant judgement is exercised in making the estimation, which is based on current replacement cost and useful life.
       

Source: ANAO 2022–23 risk assessment, and DPS’ budgeted financial statements for the year ended 30 June 2023.

Audit results

3.18.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: cash, asset management, payroll processing and revenue. In addition, the ANAO has undertaken testing of IT general controls over the financial management and human resource management information systems.

3.18.9 Audit procedures, including testing of the valuation of non-financial assets and employee provisions and supplier expenses, will be undertaken as part of the planned 2022–23 final audit.

3.18.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.

Conclusion

3.18.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that DPS will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.19 Department of the Prime Minister and Cabinet

Overview

3.19.1 The Department of the Prime Minister and Cabinet’s (PM&C) key purposes are to support the Prime Minister as the head of the Australian Government and the Cabinet, and to provide advice on major domestic policy and international and national security matters.

3.19.2 Figure 3.19.1 and Figure 3.19.2 below show the 2022–23 departmental and administered financial statements items reported by PM&C and the key areas of financial statements risk.

Figure 3.19.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and PM&C’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.19.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and PM&C’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.19.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on PM&C’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of PM&C’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.19.4 In light of the key areas of risk and the ANAO’s understanding of the operations of PM&C, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.19.5 Annual appropriation funding[124] of $243.6 million (departmental) and $55.9 million (administered) was provided to PM&C in 2022–23 to support the achievement of the entity’s outcomes.[125] PM&C was also budgeted to receive special appropriation funding of $10,000.[126]

3.19.6 Table 3.19.1 and Table 3.19.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.19.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total expenses

279.0

166.0

Employee benefits

148.5

1.7

Suppliers

109.5

2.4

Depreciation and amortisation

19.7

0.6

Grants

48.6

Payments to corporate entities

112.4

Other

1.3

0.3

Total own-source income

36.3

Sale of goods and rendering of services

36.3

Interest

Other

  1.  

Net (cost of) services

(242.7)

(166.0)

     

Source: PM&C’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.19.2: Key assets and liabilities

Assets and liabilities

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total assets

214.2

3,075.6

Cash and cash equivalents

1.9

Trade and other receivables

49.9

Land and buildings

118.3

62.8

Property, plant and equipment

17.6

0.7

Intangibles

15.2

Administered investments in other Commonwealth entities

3,012.0

Other

11.3

0.1

Total liabilities

156.9

14.1

Suppliers

11.0

0.3

Leases

96.2

0.3

Employee provisions

45.5

0.7

Other

4.2

12.8

Net assets

57.3

3,061.5

     

Note: PM&C’s estimated average staffing level for 2022–23 is 1,182.

Source: PM&C’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.19.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of PM&C’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.19.3.

Table 3.19.3: Key areas of financial statements risk

Relevant financial statements line item

Key area of risk

Audit risk rating

Factors contributing to risk assessment

Administered

investments in Commonwealth entities

$3,012.0 million

Valuation of investments

Moderate

  • judgement is required in the selection of valuation techniques and underlying assumptions applied by PM&C to determine the fair value of investments in Commonwealth entities.
       

Source: ANAO 2022–23 risk assessment, and PM&C’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.19.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the IT general controls and testing of: leave processing; grants; bank accounts; payments to suppliers; revenue receipts; asset additions; accounts payable and receivable; credit cards; and payroll.

3.19.9 Audit procedures relating to: IT application controls; administered investments; employee benefits and provisions; stocktakes; and asset revaluations will be undertaken as part of the planned 2022–23 final audit.

3.19.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.[127]

Conclusion

3.19.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that PM&C will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.20 National Indigenous Australians Agency

Overview

3.20.1 The National Indigenous Australians Agency (NIAA) was established on 1 July 2019 by an executive order of the Governor-General. The primary functions of the NIAA are:

  • providing advice on whole-of-government priorities for Aboriginal and Torres Strait Islander people to the Minister for Indigenous Australians, the Assistant Minister for Indigenous Australians, and the Special Envoy for the Reconciliation and the implementation of the Uluru Statement from the Heart;
  • leading and coordinating the implementation of Australia’s Closing the Gap targets in partnership with First Nations peoples and communities; and
  • building and maintaining effective partnerships with Aboriginal and Torres Strait Islander people, state and territory governments and other stakeholders.

3.20.2 Figure 3.20.1 and Figure 3.20.2 below show the 2022–23 departmental and administered financial statements items reported by NIAA and the key areas of financial statements risk.

Figure 3.20.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and NIAA’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.20.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and NIAA’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.20.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on NIAA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of NIAA’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.20.4 In light of the key areas of risk and the ANAO’s understanding of the operations of NIAA, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.20.5 Annual appropriation funding of $398.6 million (departmental) and $1,724.7 million (administered) was provided to NIAA in 2022–23 to support the achievement of the entity’s outcomes.[128] NIAA was also budgeted to receive special appropriation funding of $75.4 million.[129]

3.20.6 Table 3.20.1 and Table 3.20.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.20.1: Key expenses and total own-sourced income

Expenses and own-source income

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total expenses

417.6

2,166.2

Employee benefits

176.7

0.2

Suppliers

209.4

50.9

Depreciation and amortisation

30.0

0.2

Grants

1,697.1

Payments associated with land councils

229.2

Payments to Indigenous Land and Sea Corporation

57.1

Personal Benefit Payments

118.3

Other

1.5

13.2

Total own-source income

13.7

91.8

Sale of goods and rendering of services

11.1

Interest revenue

22.0

Indigenous Land and Sea Corporation funding special account

57.1

Other

2.6

12.7

Net (cost of) services

(403.9)

(2,074.4)

     

Source: NIAA’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.20.2: Key assets and liabilities

Assets and liabilities

Departmental budget ($m) 2022–23

Administered budget ($m) 2022–23

Total assets

272.5

1,585.7

Cash and cash equivalents

51.1

Trade and other receivables

88.7

18.6

Property, plant and equipment

169.2

11.0

Intangibles

10.4

19.9

Term deposits

1,485.0

Other

4.2

0.1

Total liabilities

166.5

41.5

Suppliers

9.8

3.2

Employee provisions

51.2

Lease liabilities

96.2

0.3

Grants payable

29.6

Other

9.3

8.4

Net assets

106.0

1,544.2

     

Note: NIAA’s estimated average staffing level for 2022–23 is 1,317.

Source: NIAA’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.20.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of NIAA’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.20.3.

Table 3.20.3: Key areas of financial statements risk

Relevant financial statements line item

Key area of risk

Audit risk rating

Factors contributing to risk assessment

Departmental

property, plant and equipment

$169.2 million

Valuation of property, plant and equipment

Moderate

  • property, plant and equipment is held in various geographic locations across Australia and is required to be valued in accordance with the Financial Reporting Rule.

Departmental

shared services expenses

(a component of suppliers $209.4 million)

employee benefits

$176.7 million

Reliance on third parties for transaction processing

Moderate

  • reliance on third parties for services including payroll and financial transaction processing for which NIAA is accountable.

Administered

grants management

(a component of grants expenses $1,697.1 million)

Performance of grantees in meeting grants conditions

KAM

Higher

  • significant number and value of grants paid;
  • complexity of grants management across remote areas in Australia; and
  • payments rely on several IT systems operated by different Australian Government entities.

Administered

compliance program for Community Development Program (CDP) providers

(a component of grants expenses $1,697.1 million)

Compliance by CDP providers

KAM

Moderate

  • reliance on data submitted by providers, including varying controls for systems operated by other departments.
       

Source: ANAO 2022–23 risk assessment, and NIAA’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.20.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of IT general controls and controls relating to cash at bank, accounts payable, credit card purchases and reconciliations between the NIAA financial system and systems operated by third party service providers.

3.20.9 Audit procedures, including IT application controls, relating to grants, CDP compliance, non-financial assets and payroll will be undertaken as part of the planned 2022–23 final audit.

3.20.10 To date, our audit coverage has not identified any new significant or moderate audit findings.[130]

Conclusion

3.20.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that NIAA will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

Comments on non-material entities that report to the Minister for Indigenous Australians relating to the 2021–22 financial statements audit

Anindilyakwa Land Council

3.20.12 The Anindilyakwa Land Council (ALC) was formed by the Aboriginal Land Rights (Northern Territory) Act 1976 (ALRA). Under subsection 23(1) of the ALRA, ALC undertakes the following activities:

  • Management of the land to protect traditional owners’ interests.
  • Protection of sacred sites.
  • Consultation regarding proposals relating to lands and seas in the Groote Archipelago.
  • Provision of assistance to traditional owners to engage in commercial activities and economic development.
  • Supervision and administration of land trusts.
  • Control of visits by all non-indigenous people through monitoring and permits.
  • Protection and preservation of culture, including intellectual property, copyright and reproduction of cultural products to safeguard against illegal or improper use of research, digital images, designs, stories, bio-cultural information, artefacts and art.

3.20.13 The 2021–22 financial statements audit was delayed due to increased testing required to address the increased risk rating resulting from issues identified during the audit. These included prior period errors and the evaluation of related parties and related entities.

Audit results

3.20.14 The following table summarises the status of audit findings as at the end of the 2021–22 final audit as reported by the ANAO.

Table 3.20.4: Status of audit findings raised by the ANAO

| Category | Closing position (2020–21) | New findings (2021–22) | Findings resolved (2021–22) | Closing position (2021–22) |
|---|---|---|---|---|
| B | | 1a | | 1 |
| Total | | 1 | | 1 |

Note a: The minor audit finding relating to financial statements preparation was identified during the 2019–20 audit. This audit finding has been reclassified to a moderate audit finding.

New moderate audit finding
Financial statements preparation

3.20.15 Part 2-2 Division 4 Section 41.2 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires the accountable authority of a Commonwealth entity to ensure that the accounts and records are kept in a way that: allows those financial statements to be conveniently and properly audited.

3.20.16 In 2019–20, the ANAO identified a number of areas where ALC had limited quality assurance checks performed by management to ensure that the draft versions of the financial statements were of a high standard. The ANAO recommended in 2019–20 that ALC develop a detailed financial statements preparation process that included appropriate working papers, position papers and quality assurance processes.

3.20.17 In 2020–21, the ANAO performed a follow-up on the recommendations made in 2019–20 and noted that there had been no significant improvement to ALC’s financial statements preparation process.

3.20.18 As part of the 2021–22 final audit, the ANAO continued to identify issues in ALC’s financial statements preparation process. The ANAO reclassified the minor audit finding originally raised in 2019–20 to moderate.

Emphasis of matter

3.20.19 An Emphasis of Matter paragraph has been included in the 2021–22 auditor’s report to draw users’ attention to two prior period errors in relation to Key Management Personnel Remuneration disclosures and related party transactions.

Tiwi Land Council

3.20.20 The Tiwi Land Council (TLC) was established on 18 August 1978, following representation by the Tiwi people to the Australian Government for recognition of their distinct geographic and cultural identity. TLC was instituted by the Minister for Aboriginal Affairs, the Honourable Ian Viner, at a special gathering on Bathurst Island on 7 September 1978. TLC is the only body with authority and capacity to direct and administer the Tiwi Aboriginal Land Trust established under the Aboriginal Land Rights (Northern Territory) Act 1976.

3.20.21 The 2021–22 financial statements audit was delayed due to increased testing required to address the increased risk rating resulting from issues identified during the audit. These included the removal of the CEO and Office Manager, prior period errors, and the evaluation of related parties and related entities.

Audit results

3.20.22 The following table summarises the status of audit findings as at the end of the 2021–22 final audit as reported by the ANAO.

Table 3.20.5: Status of audit findings raised by the ANAO

| Category | Closing position (2020–21) | New findings (2021–22) | Findings resolved (2021–22) | Closing position (2021–22) |
|---|---|---|---|---|
| L1 | | 1 | | 1 |
| Total | | 1 | | 1 |

New significant legislative breach
Risk management activities

3.20.23 Part 2-2 Division 2 Section 16 of the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requires the accountable authority of a Commonwealth entity to establish and maintain an appropriate system of risk oversight and management. This would normally include the development of a risk management policy and framework, including a risk plan and a risk register and monitoring activities over the implementation of the control activities identified in the risk register.

3.20.24 During the final audit, the ANAO noted that TLC did not have in place a formal risk management policy nor a formal risk management framework. It was also noted that TLC updated the design of its Risk Register in 2021–22 but not the substantive contents which were last updated in 2020. There was no evidence of monitoring activities over the implementation of the control activities identified in the risk register. There was also no documented evidence to support that an appropriate system of risk oversight and management is in place for TLC.

3.20.25 The ANAO recommended that TLC develop a formal risk management policy and framework to ensure compliance with the PGPA Act, implement a process whereby the risk register is updated regularly to ensure that identified risks are appropriately managed and develop reporting tools to evidence ongoing monitoring activities over the implementation of the control activities identified in the risk register.

Emphasis of matter

3.20.26 An Emphasis of Matter paragraph has been included in the 2021–22 auditor’s report to draw users’ attention to the Key Management Personnel Remuneration of the financial statements which describes prior period errors in relation to Key Management Personnel Remuneration disclosures and overpayments made to the Key Management Personnel for the financial years ended 30 June 2013 to 30 June 2021 inclusive.

3.21 Department of Social Services

Overview

3.21.1 The Department of Social Services (DSS) is responsible for social security, families and communities, disability and carers, and housing. DSS works in partnership with other government and non-government organisations on a range of policies, programs and services focused on improving the wellbeing of people and families in Australia.

3.21.2 Services Australia processes the social services payments that are within DSS’ responsibility. DSS processes grants payments itself and provides a grants administration facility to other Commonwealth entities.

3.21.3 Figure 3.21.1 and Figure 3.21.2 below show the 2022–23 departmental and administered financial statements items reported by DSS and the key areas of financial statements risk.

Figure 3.21.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and DSS’ budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.21.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and DSS’ budget as reported in the 2022–23 Portfolio Budget Statements.

3.21.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on DSS’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of DSS’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.21.5 In light of the key areas of risk and the ANAO’s understanding of the operations of DSS, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high. This assessment is a result of heightened public scrutiny and interest that both Services Australia and the Department of Social Services are currently under as a result of the Robo-Debt Royal Commission, particularly concerns around governance and oversight within the portfolio.

Key financial statements items

3.21.6 Annual appropriation funding[131] of $448.2 million (departmental) and $25,567.6 million (administered) was provided to DSS in 2022–23 to support the achievement of the entity’s outcomes.[132] DSS was also budgeted to receive special appropriation funding of $129.7 million.[133]

3.21.7 Table 3.21.1 and Table 3.21.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.21.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 530.8 | 156,773.0 |
| Employee benefits | 312.6 | |
| Suppliers | 176.0 | 231.2 |
| Depreciation and amortisation | 33.7 | |
| Personal benefits | | 129,417.7 |
| Grants | | 2,972.4 |
| Subsidies | | 75.9 |
| Payments to corporate entities | | 23,956.6 |
| Other | 8.5 | 119.2 |
| Total own-source income | 77.1 | 446.0 |
| Revenue from contracts with customers | 19.9 | |
| Recoveries and rendering of services | | 386.5 |
| Other | 57.2 | 59.5 |
| Net (cost of) services | (453.7) | (156,327.0) |

Source: DSS’ 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.21.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 651.5 | 6,541.3 |
| Cash and cash equivalents | 8.0 | 21.4 |
| Trade and other receivables | 95.9 | 5,306.5 |
| Land and buildings | 545.1 | |
| Property, plant and equipment | 1.3 | |
| Investments | | 1,213.4 |
| Other | 1.2 | |
| Total liabilities | 652.5 | 6,235.3 |
| Employee provisions | 94.2 | |
| Suppliers | 15.2 | 44.1 |
| Personal benefits payable | | 2,322.5 |
| Personal benefits provision | | 3,764.3 |
| Subsidies | | 78.1 |
| Leases | 531.8 | |
| Grants | | 20.0 |
| Other | 11.3 | 6.3 |
| Net assets/(liabilities) | (1.0) | 306.0 |

Note: DSS’ estimated average staffing level for 2022–23 is 2,428.

Source: DSS’ 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.21.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of DSS’ financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.21.3.

Table 3.21.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Administered personal benefits $129,417.7 million | Accuracy and occurrence of personal benefit payments (KAM) | Higher | • reliance on self-disclosure of personal circumstances by a large number of diverse recipients; and • reliance on Services Australia’s complex IT systems for the processing of a high volume of payments across numerous personal benefit types with varying conditions for determining payment amount. |
| Administered personal benefits provision $3,764.3 million; personal benefits receivable (a component of trade and other receivables $5,306.5 million) | Valuation of personal benefits provision and receivable (KAM) | Higher | • complex estimation models which require significant judgements and a range of assumptions and factors, including new budget measures affecting benefit programs, timing of payments, personal circumstances of recipients and the wider economic environment; and • the completeness and accuracy of the source data used by the actuary to develop the estimates. |
| Administered grants $2,972.4 million | Validity of grants payments (KAM) | Moderate | • a large number of grants programs with differing legislative and policy requirements which make the management of grant processes complex and this has the potential to impact the validity of grant payments. |
| Administered grants $2,972.4 million | Disability Employment Services (DES) payments | Low | • the large volume of financial records relating to DES claims are processed through multiple supporting financial systems. |

Source: ANAO 2022–23 risk assessment, and DSS’ budgeted financial statements for the year ended 30 June 2023.

3.21.9 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit.

3.21.10 Auditor-General Report No. 15 2022–23 Procurement of 1800RESPECT was tabled during 2022–23 and the observations of this report were considered in designing audit procedures to address areas considered to pose a lower risk of material misstatement.

Audit results

3.21.11 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to financial management, human resources information, grant management systems, and compliance and assurance processes relating to personal benefits and disability services. Audit procedures have also been completed for processes relating to: grants; cash; appropriations; special accounts; asset management; payroll processing; supplier expenses; and departmental revenue.

3.21.12 Audit procedures relating to the valuation of personal benefit provisions and receivables and additional testing over grants payments will be undertaken as part of the planned 2022–23 final audit.

3.21.13 To date, our audit coverage has not identified any new significant or moderate audit findings.

3.21.14 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.21.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
|---|---|---|---|---|
| B | 1 | | | 1 |
| Total | 1 | | | 1 |

Unresolved moderate audit finding
SAP terminations

3.21.15 During the 2020–21 audit, the ANAO identified multiple instances where user access had not been removed in a timely manner. The ANAO recommended that DSS implement processes to ensure user access is terminated on a timely basis and undertake a detailed review of all logs related to unauthorised access confirming that no inappropriate transactions or data has been accessed.

3.21.16 During 2021–22, another instance was identified by DSS in June 2022 where a user ID was accessed after the user’s termination date. DSS’ detective controls process did identify this termination as having potentially accessed the DSS ICT environment post-termination. However, the final investigation to determine the impact of this access was not completed before the record was closed.

3.21.17 DSS has provided a closure pack to the ANAO to demonstrate that adequate controls have been implemented to address this finding. The ANAO will review the information provided during the 2022–23 final audit.

Conclusion

3.21.18 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that DSS will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.22 National Disability Insurance Agency

Overview

3.22.1 The National Disability Insurance Agency (the NDIA) was established under the National Disability Insurance Scheme Act 2013. The NDIA has responsibility for delivering the National Disability Insurance Scheme (the Scheme). The Scheme is designed to: provide individual control and choice in the delivery of reasonable and necessary care and support; improve the independence, social and economic participation of eligible people with disability, their families and carers; and provide associated referral services and activities.

3.22.2 The NDIA has established arrangements with Services Australia for facilitating the information technology platforms for provider and participant payments, supplier payments and payroll processing under a service agreement.

3.22.3 Figure 3.22.1 below shows the 2022–23 financial statements items reported by National Disability Insurance Agency and the key areas of financial statements risk.

Figure 3.22.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and the NDIA’s audited financial statements for the year ended 30 June 2022

3.22.4 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on the NDIA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of the NDIA’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.22.5 In light of the key areas of risk and the ANAO’s understanding of the operations of the NDIA, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.22.6 Annual appropriation funding of $1,445.4 million (departmental) was provided to the NDIA in 2022–23 to support the achievement of the entity’s outcomes.[134]

3.22.7 Table 3.22.1 and Table 3.22.2 below provide a summary of the key 2022–23 items from the 2022–23 budgeted financial statements.

Table 3.22.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 |
|---|---|
| Total expenses | 35,752.0 |
| Employee benefits | 481.2 |
| Supplier expenses | 1,219.9 |
| Depreciation and amortisation | 71.4 |
| Finance costs | 2.9 |
| Participant plan expenses | 33,976.6 |
| Total income | 35,629.1 |
| Sale of goods and rendering of services | 32,968.6 |
| Other income | 1,572.3 |
| Other gains | 1,088.2 |
| Net (cost of) services | (122.9) |

Source: The NDIA’s 2022–23 budget as reported in the Portfolio Budget Statements 2022–23.

Table 3.22.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 |
|---|---|
| Total assets | 5,107.0 |
| Cash and cash equivalents | 1,146.9 |
| Trade and other receivables | 42.8 |
| Other financial assets | 3,657.8 |
| Non-financial assets | 259.5 |
| Total liabilities | 3,985.9 |
| Suppliers | 140.7 |
| Other payables | 635.6 |
| Leases | 163.3 |
| Employee provisions | 98.3 |
| Participant provisions | 2,940.1 |
| Other provisions | 7.9 |
| Net assets | 1,121.1 |

Note: The NDIA’s estimated average staffing level for 2022–23 is 4,754.

Source: The NDIA’s 2022–23 budget as reported in the Portfolio Budget Statements 2022–23.

Key areas of financial statements risk

3.22.8 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the IT general and application controls for key systems that support the preparation of the NDIA’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.22.3.

Table 3.22.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Departmental participant plan expenses $33,976.6 million | Accuracy and occurrence of participant plan expenses (KAM) | Higher | • complexity around the decisions as to the appropriate level of support and therefore the associated expenses, and high volume of transactions; and • continued growth in participant numbers entering the National Disability Insurance Scheme. |
| Departmental participant provisions $2,940.1 million | Valuation of participant plan provisions (KAM) | Higher | • significant judgement and assumptions required in the actual estimate of outstanding claims at year-end including the timing and amount of cashflow due to the complexity of estimating payment patterns. |
| Departmental contributions in-kind from state and territory governments revenue $1,088.2 million; contributions in-kind from state and territory governments expense (a component of participant plan expenses $33,976.6 million) | Completeness, occurrence and accuracy of contributions of in-kind services from state and territory governments (KAM) | Higher | • reliance on third party data from state and territory governments; and • in-kind revenue and expenses may be misstated if services provided directly to eligible participants by states and territories are not reported to the NDIA in line with bilateral agreements. |
| Departmental participant plan expenses $34.0 billion | Implementation of the new CRM system (PACE) associated with participant and provider payments | Moderate | • this change to the NDIA’s IT architecture is complex; and • PACE is expected to enable business process and policy changes in other internal processes which may lead to changes in existing controls and procedures. |

Source: ANAO 2022–23 risk assessment, and the NDIA’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.22.9 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: financial management, human resources information, provider and participant payment systems; compliance and business assurance processes relating to scheme access; and plan approval and claims processing. Audit procedures have also been completed for the processes relating to provider and participant claims, cash, supplier expenses, leases and revenue.

3.22.10 Audit procedures relating to valuation of provider and participant provisions will be undertaken as part of the planned 2022–23 final audit.

3.22.11 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.22.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
|---|---|---|---|---|
| B | 1 | 2 | | 3 |
| Total | 1 | 2 | | 3 |

New moderate audit findings
Privileged User Access

3.22.12 The NDIA rolled out a new Customer Relationship Management system during 2022–23. The new system is controlled and managed by the NDIA and works with the existing system managed by Services Australia for payment processing. The ANAO noted that the NDIA has not implemented a formal process for reviewing privileged user activity for the new system. At present, the NDIA relies on system generated real-time alerts. The responsible officer investigates the alerts to determine if there is any unauthorised or suspicious activity. However, the results and outcomes of these investigations have not been documented. The NDIA was unable to demonstrate that the current alert set up meets the requirements of the business risks.

Change Management

3.22.13 As part of the roll out of the new Customer Relationship Management system, the ANAO noted that the project team responsible for transferring the code changes to the live environment could make changes to the code prior to deployment. Whilst this arrangement retains the flexibility to resolve any software related conflicts during the transfer, there is a risk that unauthorised and/or inappropriate changes could be introduced to the live system. The NDIA project team was unable to provide a list of all changes that were migrated into the live system.

Unresolved moderate audit finding
Timeliness of IT User Terminations

3.22.14 During the IT general controls testing undertaken in the 2020–21 audit, the ANAO identified a number of IT user accounts that remained active after the user’s departure date, including users who had accessed the system post the termination date. The relevant reports relating to the terminated user activity are provided to the NDIA-Cybersecurity team by Services Australia. During 2022–23, the ANAO tested the remediation work conducted by the NDIA-Cybersecurity team. The testing revealed that the NDIA is not investigating exceptions identified by Services Australia. The NDIA indicated that the process has now changed to include IT users in Services Australia as well as NDIA managed systems. The new process is to investigate the activity for all users. This will be further reviewed during the final phase of the audit.
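
As an added illustration (not ANAO, DSS or NDIA code), the detective control discussed in paragraphs 3.21.15–3.21.16 and 3.22.14 can be expressed as a reconciliation of termination dates against authentication events, with every exception tracked to a documented outcome before its record is closed. All user IDs, dates, system names and record layouts below are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed HR extract: user ID -> termination date (assumed layout).
TERMINATIONS = {
    "u1001": date(2022, 6, 10),
    "u1002": date(2022, 6, 17),
    "u1003": date(2022, 6, 24),
    "u1004": date(2022, 6, 30),
}

# Constructed authentication events: (user ID, ISO timestamp, system).
# Timestamps are assumed to be in the same time zone as the HR dates.
AUTH_EVENTS = [
    ("u1001", "2022-06-10T16:45:00", "finance"),  # last day of service
    ("U1001", "2022-06-14T09:02:00", "finance"),  # after termination, mixed case ID
    ("u1001", "2022-06-15T09:10:00", "hr"),
    ("u1002", "2022-06-16T08:00:00", "finance"),  # before termination
    ("u1003", "2022-06-27T11:30:00", "crm"),
    ("u1004", "2022-07-01T07:55:00", "crm"),
    ("u2000", "2022-07-01T08:00:00", "finance"),  # current employee, not in HR extract
]

# Constructed investigation register: user ID -> status and documented outcome.
INVESTIGATIONS = {
    "u1001": {"status": "closed", "outcome": ""},
    "u1003": {
        "status": "closed",
        "outcome": "Service desk test login during deprovisioning; no transactions posted.",
    },
}


def find_post_termination_access(terminations, events):
    """Return {user_id: [(timestamp, system), ...]} for events dated after termination."""
    term = {uid.strip().lower(): d for uid, d in terminations.items()}
    hits = defaultdict(list)
    for uid, ts, system in events:
        uid = uid.strip().lower()  # directory IDs are often case-insensitive
        when = datetime.fromisoformat(ts)
        term_date = term.get(uid)
        # Activity on the termination date itself is treated as legitimate.
        if term_date is not None and when.date() > term_date:
            hits[uid].append((when, system))
    return {uid: sorted(found) for uid, found in hits.items()}


def review_status(hits, investigations):
    """Classify each exception by whether its investigation is evidenced."""
    statuses = {}
    for uid in hits:
        record = investigations.get(uid)
        if record is None:
            statuses[uid] = "not_investigated"
        elif record.get("status") != "closed":
            statuses[uid] = "open"
        elif not record.get("outcome", "").strip():
            # Closed with no recorded impact assessment.
            statuses[uid] = "closed_without_outcome"
        else:
            statuses[uid] = "resolved"
    return statuses


def outstanding(statuses):
    """User IDs whose exception still lacks a documented, completed investigation."""
    return sorted(uid for uid, s in statuses.items() if s != "resolved")


if __name__ == "__main__":
    hits = find_post_termination_access(TERMINATIONS, AUTH_EVENTS)
    statuses = review_status(hits, INVESTIGATIONS)
    for uid in sorted(hits):
        first_seen, system = hits[uid][0]
        print(f"{uid}: {len(hits[uid])} event(s), first {first_seen} on {system}, {statuses[uid]}")
    print("Outstanding:", outstanding(statuses))
```
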

Conclusion

3.22.15 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the NDIA will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.23 Services Australia

Overview

3.23.1 Services Australia has responsibility for delivering a range of payments and services to support individuals, families and communities, as well as providers and businesses. These include income support payments and services, aged care payments, Medicare payments and services, and child support services.

3.23.2 Figure 3.23.1 and Figure 3.23.2 below show the 2022–23 departmental and administered financial statements items reported by Services Australia and the key areas of financial statements risk.

Figure 3.23.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Services Australia’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.23.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Services Australia’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.23.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Services Australia’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Services Australia’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.23.4 In light of the key areas of risk and the ANAO’s understanding of the operations of Services Australia, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high. This assessment is a result of heightened public scrutiny and interest that both Services Australia and the Department of Social Services are currently under as a result of the Robo-Debt Royal Commission, particularly concerns around governance and oversight within the portfolio.

Key financial statements items

3.23.5 Annual appropriation funding of $5,307.4 million (departmental) and $1.4 million (administered) was provided to Services Australia in 2022–23 to support the achievement of the entity’s outcomes.[135] Services Australia was also budgeted to receive special appropriation funding of $0.6 million.[136]

3.23.6 Table 3.23.1 and Table 3.23.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.23.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total expenses | 5,290.2 | 2,029.5 |
| Employee benefits | 3,122.5 | |
| Suppliers | 1,388.1 | |
| Depreciation and amortisation | 762.2 | |
| Finance costs | 14.1 | |
| Child support maintenance | | 1,942.7 |
| Write-down and impairment of assets | | 86.8 |
| Other | 3.3 | |
| Total own-source income | 252.1 | 2,098.4 |
| Rendering of services | 238.6 | |
| Rental Income | 11.4 | |
| Child support maintenance revenue | | 2,016.7 |
| Resources received free of charge | 2.1 | |
| Other | | 81.7 |
| Net (cost of)/contribution by services | (5,038.1) | 68.9 |

Source: Services Australia’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.23.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
|---|---|---|
| Total assets | 5,281.5 | 1,447.9 |
| Cash | 18.2 | 246.1 |
| Trade and other receivables | 1,255.9 | 14.9 |
| Land and buildings | 2,408.4 | |
| Property and equipment | 458.8 | |
| Software | 996.3 | |
| Other non-financial assets | 143.9 | |
| Child support receivables | | 1,186.9 |
| Total liabilities | 3,327.6 | 1,421.4 |
| Suppliers | 195.0 | |
| Leases | 2,190.3 | |
| Employee payables and provisions | 878.5 | |
| Other payables and provisions | 63.8 | |
| Child support and other payables | | 37.8 |
| Recovery of compensation | | 173.8 |
| Child support payments received in advance | | 29.0 |
| Child support provisions | | 1,180.8 |
| Net assets | 1,953.9 | 26.5 |

Note: Services Australia’s estimated average staffing level for 2022–23 is 28,564.

Source: Services Australia’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.23.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Services Australia’s financial statements. Services Australia has a highly complex IT environment made up of numerous systems hosted across different IT platforms. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.23.3.

Table 3.23.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Departmental software $996.3 million | Valuation of intangible assets (KAM) | Moderate | • significant judgements involved in considering the indicators of impairment to estimate the value of intangible assets; and • judgements involved in estimating the capitalisation of the staff and other costs attributed to developing the software applications. |
| Departmental right-of-use assets (a component of land and buildings $2,408.4 million); leases $2,190.3 million | Valuation of right-of-use assets (KAM) | Moderate | • judgements associated with right-of-use valuations, particularly the treatment of lease options as well as the assurance processes for identifying and recognising changes in individual lease contracts, particularly modifications, new or terminated leases. |
| Administered child support receivables $1,186.9 million | Valuation of child support receivables that are yet to be paid by non-custodial parents at the end of the financial year (KAM) | Moderate | • significant judgements and assumptions around the collection rates of child support obligations are applied in determining the valuation of child support receivables and require the involvement of an actuary. These judgements rely on the quality of the underlying data used in the estimation process; and • a large volume of child support financial transactions are processed using a bespoke IT application under the complex Child Support (Registration and Collection) Act 1988. This complexity increases the judgements and estimates associated with the child support receivable valuation. |

Source: ANAO 2022–23 risk assessment, and Services Australia’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.23.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to areas of audit focus and IT controls over security and change management of financial management and human resource management systems.

3.23.9 Audit procedures relating to controls over social services and health related payments made by Services Australia on behalf of other Australian Government entities, including associated compliance and assurance activities, will be undertaken as part of the planned 2022–23 final audit. In addition, the ANAO’s final audit coverage will include valuation of child support debts, employee provisions and non-financial assets, particularly intangibles.

3.23.10 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.23.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
| --- | --- | --- | --- | --- |
| B | | 2 | | 2 |
| Total | | 2 | | 2 |

         
New moderate audit findings
New Residential Aged Care System Access Management

3.23.11 In August 2022, Services Australia implemented a new residential aged care system, which replaced the previous payments system, in advance of transitioning into the new Aged Care funding reform from 1 October 2022. Maintaining and supporting IT systems requires some user accounts to have extensive access rights (privileged access). Privileged user accounts can be used to circumvent security controls to make direct changes, either to system settings or systems data, or to access files and accounts used by others.

3.23.12 During the 2022–23 audit, the ANAO identified that there were weaknesses in the design and operating effectiveness of controls supporting privileged and other user access. More broadly, the ANAO has observed a breakdown in Services Australia’s re-established security governance control framework, particularly the lack of formal system accreditation or other supporting system security risk assessments that would identify key security governance risks and allow system and project owners to formally analyse, understand, and mitigate and/or accept them prior to the implementation of the new system.

3.23.13 The ANAO recommended that Services Australia strengthen privileged user access and logging and monitoring processes.

New Residential Aged Care System Change Management

3.23.14 In August 2022, Services Australia implemented a new residential aged care system. IT change management provides a disciplined approach to making changes to the IT environment. It includes controls to prevent unauthorised changes being made and reduce the likelihood that normal business operations are interrupted with the implementation of authorised changes.

3.23.15 During the 2022–23 audit, the ANAO identified that there were weaknesses in segregation of duties controls associated with key change management processes, with Services Australia developers having access to release and deploy changes directly into the system.

3.23.16 The ANAO recommended that Services Australia strengthen change management processes to address the identified control weakness.

Conclusion

3.23.17 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Services Australia will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.24 Department of the Treasury

Overview

3.24.1 The Department of the Treasury (the Treasury) is responsible for the development, delivery and implementation of economic analysis and authoritative policy advice on issues such as the economy, the budget, taxation, financial systems, foreign investment, retirement income, superannuation, small business and international economic policy. The Treasury also works with state and territory governments on key policy areas and manages federal financial relations.

3.24.2 Figure 3.24.1 and Figure 3.24.2 below show the 2022–23 departmental and administered financial statements items reported by the Treasury and the key areas of financial statements risk.

Figure 3.24.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and Treasury’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.24.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and Treasury’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.24.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on Treasury’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of Treasury’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.24.4 In light of the key areas of risk and the ANAO’s understanding of the operations of Treasury, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.24.5 Annual appropriation funding of $351.7 million (departmental) and $252.3 million (administered) was provided to Treasury in 2022–23 to support the achievement of the entity’s outcomes.137 Treasury was also budgeted to receive special appropriation funding of $119,574.0 million.138

3.24.6 Table 3.24.1 and Table 3.24.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.24.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total expenses | 366.7 | 190,640.5 |
| Employee benefits | 223.0 | |
| Suppliers | 127.4 | 8.1 |
| Grants | 0.6 | 140,933.1 |
| Depreciation and amortisation | 14.0 | |
| Payments to the Medicare Guarantee Fund | | 48,284.2 |
| Finance costs | 1.7 | 405.3 |
| Other | | 1,009.8 |
| Total own-source income | 15.2 | 3,616.4 |
| Sale of goods and services | 10.3 | 655.2 |
| Interest | | 341.7 |
| COAG revenue from government entities | | 2,114.2 |
| Other gains | | 315.7 |
| Other | 4.9 | 189.6 |
| Net (cost of)/contribution to services | (351.5) | 187,024.1 |

     

Source: Treasury’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.24.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total assets | 284.0 | 31,946.0 |
| Cash and cash equivalents | 1.6 | 1,061.0 |
| Trade and other receivables | 110.8 | 2,122.9 |
| Land and buildings | 143.8 | |
| Property, plant and equipment | 13.7 | |
| Intangibles | 9.5 | |
| Investments | | 28,762.1 |
| Other | 4.6 | |
| Total liabilities | 233.7 | 32,323.0 |
| Suppliers | 11.7 | |
| Other payables | 8.6 | 1,074.4 |
| Leases | 134.7 | |
| Employee provisions | 72.9 | |
| Grants payable | | 88.9 |
| Loans | | 8,823.7 |
| Interest bearing liabilities | | 17,837.5 |
| Other provisions | 5.8 | 4,498.5 |
| Net assets/(liabilities) | 50.3 | (377.0) |

     

Note: Treasury’s estimated average staffing level for 2022–23 is 1,438.

Source: Treasury’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.24.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of Treasury’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.24.3.

Table 3.24.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
| --- | --- | --- | --- |
| Administered: other provisions, $4,498.5 million | Completeness and valuation of Disaster Recovery Funding Arrangements (DRFA) provision | Higher | • reliance on information provided by state and territory governments to estimate the provision; and • complexities in judgements relating to the timing of future payments and estimation of future costs to restore infrastructure to its condition at the time of the natural disaster. |
| Administered: grants expense, $140,933.1 million | Accuracy and completeness of payments to states and territories under the Federal Financial Relations Act 2009 | Moderate | • the large range and value of grants paid with complex eligibility criteria; and • reliance on other government entities to provide information to support payments and confirm the eligibility criteria have been met. |
       

Source: ANAO 2022–23 risk assessment, and Treasury’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.24.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to grants payments, non-financial assets and supplier expenses. Audit coverage also includes an assessment of the IT general controls over the financial and human resource management information systems.

3.24.9 Audit procedures relating to valuation of provisions and additional testing over grants payments will be undertaken as part of the planned 2022–23 final audit.

3.24.10 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.24.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
| --- | --- | --- | --- | --- |
| B | 1 | | | 1 |
| Total | 1 | | | 1 |

         
Unresolved moderate audit finding
Governance over the Federal Payments Management System

3.24.11 The Federal Payments Management System (FPMS) is a key system that streamlines the certification and collation of information for payments to states and territories. During the 2021–22 audit, the ANAO identified weaknesses in the Treasury’s FPMS IT general control environment relating to user access management policies and procedures, management of privileged user access and monitoring processes and controls.

3.24.12 The ANAO recommended that the Treasury revise its risk assessment of FPMS and refine processes and controls to mitigate identified risks. The Treasury completed its risk assessment and has commenced work to remediate identified deficiencies. The ANAO will review progress against the matters raised during the 2022–23 final audit.

Conclusion

3.24.13 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that Treasury will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.25 Australian Office of Financial Management

Overview

3.25.1 The Australian Office of Financial Management (AOFM) is responsible for the management of Australian Government debt and certain financial assets. It issues Treasury Bonds, Treasury Indexed Bonds and Treasury Notes, manages the government’s cash balances and invests in high quality financial assets.

3.25.2 Figure 3.25.1 and Figure 3.25.2 below show the 2022–23 departmental and administered financial statements items reported by AOFM and the key areas of financial statements risk.

Figure 3.25.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and AOFM’s budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.25.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and AOFM’s budget as reported in the 2022–23 Portfolio Budget Statements.

3.25.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on AOFM’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of AOFM’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.25.4 In light of the key areas of risk and the ANAO’s understanding of the operations of AOFM, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.25.5 Annual appropriation funding of $7.1 million (departmental) was provided to AOFM in 2022–23 to support the achievement of the entity’s outcomes.139 AOFM was also budgeted to receive special appropriation funding of $420,337.5 million.140

3.25.6 Table 3.25.1 and Table 3.25.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.25.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total expenses | 16.1 | 22,423.3 |
| Employee benefits | 9.6 | |
| Suppliers | 5.9 | |
| Depreciation and amortisation | 0.5 | |
| Finance costs | 0.1 | 22,395.9 |
| Write-down and impairment of assets | | 2.4 |
| Other | | 25.0 |
| Total own-source income | 0.3 | 1,143.2 |
| Interest revenue | | 1,143.2 |
| Other | 0.3 | |
| Net (cost of) services | (15.8) | (21,280.1) |

     

Source: AOFM’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.25.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total assets | 39.9 | 57,181.1 |
| Cash and cash equivalents | 0.1 | 54,946.2 |
| Trade and other receivables | 33.5 | |
| Loans to state and territory governments | | 1,251.6 |
| Structured finance securities | | 925.6 |
| Accrued interest on cash management account | | 57.7 |
| Non-financial assets | 6.3 | |
| Total liabilities | 8.2 | 877,947.7 |
| Payables | 1.4 | 0.1 |
| Employee provisions | 2.4 | |
| Leases | 3.9 | |
| Australian Government securities | | 877,947.0 |
| Other | 0.5 | 0.6 |
| Net assets/(liabilities) | 31.7 | (820,766.6) |

     

Note: AOFM’s estimated average staffing level for 2022–23 is 50.

Source: AOFM’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.25.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of AOFM’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.25.3.

Table 3.25.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
| --- | --- | --- | --- |
| Administered: Australian Government Securities, $877,947.0 million | Valuation and disclosure of Australian Government Securities | Moderate | • the fair value movement has a material impact on the financial statements due to the significant value of the liability and significant volume of instruments issued; • fair value is subject to price changes in local and global money and capital markets; and • complex financial statements disclosure requirements for financial liabilities measured at fair value through profit and loss. |
       

Source: ANAO 2022–23 risk assessment, and AOFM’s budgeted financial statements for the year ended 30 June 2023.

Audit results

3.25.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: cash and cash equivalents; supplier expenses; and issuance and management of Australian Government Securities.

3.25.9 Audit procedures relating to the valuation of Australian Government Securities will be undertaken as part of the planned 2022–23 final audit.

3.25.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.141

Conclusion

3.25.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that AOFM will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

3.26 Australian Taxation Office

Overview

3.26.1 The Australian Taxation Office (the ATO) is the Australian Government’s principal revenue collection entity and is part of the Treasury portfolio. The ATO’s role is to administer Australia’s tax system, significant aspects of Australia’s superannuation system and business registry services, together with the provision of support to the Tax Practitioners Board and the Australian Charities and Not-for-profits Commission.

3.26.2 Figure 3.26.1 and Figure 3.26.2 below show the 2022–23 departmental and administered financial statements items reported by the ATO and the key areas of financial statements risk.

Figure 3.26.1: Key departmental financial statements items and areas of financial statements risk

Source: ANAO analysis and the ATO’s revised budget as reported in the 2022–23 Portfolio Budget Statements.

Figure 3.26.2: Key administered financial statements items and areas of financial statements risk

Source: ANAO analysis and the ATO’s revised budget as reported in the 2022–23 Portfolio Budget Statements.

3.26.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on the ATO’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of the ATO’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.26.4 In light of the key areas of risk and the ANAO’s understanding of the operations of the ATO, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as high.

Key financial statements items

3.26.5 Annual appropriation funding of $4,114.6 million (departmental) and $13.1 million (administered) was provided to the ATO in 2022–23 to support the achievement of the entity’s outcomes.142 The ATO was also budgeted to receive special appropriation funding of $13,649.6 million.143

3.26.6 Table 3.26.1 and Table 3.26.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.26.1: Key expenses and total own-sourced income

| Expenses and own-source income | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total expenses | 4,304.3 | 21,481.8 |
| Employee benefits | 2,274.7 | |
| Suppliers | 1,599.0 | |
| Depreciation and amortisation | 416.7 | |
| Subsidies | | 11,689.3 |
| Personal benefits | | 983.4 |
| Penalty and Interest charge remission | | 1,375.0 |
| Write-down and impairment of assets | | 6,727.0 |
| Interest | | 95.0 |
| Other | 13.9 | 13.1 |
| Superannuation guarantee charge | | 593.0 |
| Unclaimed superannuation monies interest | | 6.0 |
| Total own-source income | 134.8 | 553,407.8 |
| Sale of goods and rendering of services | 104.4 | |
| Income tax | | 434,697.5 |
| Indirect tax | | 115,220.0 |
| Other taxes | | 3,259.8 |
| Unclaimed superannuation Monies | | 214.0 |
| Rental income | 12.4 | |
| Other | 18.0 | 16.5 |
| Net (cost of)/contribution to services | (4,169.5) | 531,926.0 |

     

Source: The ATO’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Table 3.26.2: Key assets and liabilities

| Assets and liabilities | Departmental budget ($m) 2022–23 | Administered budget ($m) 2022–23 |
| --- | --- | --- |
| Total assets | 2,387.5 | 56,650.2 |
| Cash and cash equivalents | 34.9 | 544.8 |
| Trade and other receivables | 441.7 | |
| Non-financial assets | 1,910.9 | |
| Taxation receivables | | 39,067.5 |
| Accrued revenues | | 16,703.6 |
| Other | | 334.3 |
| Total liabilities | 2,145.1 | 12,306.4 |
| Suppliers | 214.2 | |
| Employees | 60.7 | |
| Other payables | 4.8 | |
| Employee provisions | 716.9 | |
| Subsidies payable & provision | | 5,157.8 |
| Taxation refunds due payable | | 1,939.4 |
| Superannuation guarantee charge payable and provision | | 877.1 |
| Superannuation holding account payable | | 85.4 |
| Personal benefits payable and provision | | 1,082.9 |
| Income taxation and indirect taxation refund provision | | 2,352.5 |
| Other provisions | 24.5 | 811.3 |
| Leases | 1,124.0 | |
| Net assets | 242.4 | 44,343.8 |

     

Note: The ATO’s estimated average staffing level for 2022–23 is 19,693.

Source: The ATO’s 2022–23 budget as reported in the 2022–23 Portfolio Budget Statements.

Key areas of financial statements risk

3.26.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of the ATO’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.26.3.

Table 3.26.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
| --- | --- | --- | --- |
| Administered: income tax, $434,697.5 million; indirect tax, $115,220.0 million; other taxes, $3,259.8 million; total expenses, $21,481.8 million | Accuracy of taxation revenue (KAM); Accuracy of expenses | Higher | • complexity and judgement involved in the reliable estimation of taxation revenue due to uncertain timing of tax return assessments, payments and forecasting of likely taxation revenue outcomes; • significant judgement when selecting the appropriate base and method for revenue recognition; • completeness, relevance and accuracy of source data used in developing taxation revenue estimates; and • estimation involves consideration of historical taxpayer behaviours together with assumptions about economic factors such as future wage growth, and gross domestic product. |
| Administered: taxation receivables, $39,067.5 million | Valuation of taxation receivables and provisions for refunds (KAM) | Higher | • complex methodologies and assumptions underpinning the calculation and assessment of the recoverability of taxation receivables, and the calculation of the provisions for refunds; • estimate methodologies are based on assumptions including taxpayer compliance and lodgement history, the existence of dispute over a receivable and the taxpayer’s capacity to pay. Models use historical data to predict future taxpayer behaviour; and • completeness, relevance and accuracy of source data used in estimating balances. |
| Administered: income tax, $434,697.5 million; indirect tax, $115,220.0 million; other taxes, $3,259.8 million | Completeness of taxation revenue and the ATO’s compliance and risk management processes relating to the collection of taxation revenue | Higher | • reliance on information provided by taxpayers in a self-assessment and voluntary compliance regime for a significant value of revenue transactions; • the effectiveness of the design and implementation of the compliance risk management regime that reduces the risk that inappropriate taxation returns may not be detected and corrected by the ATO, which makes the deterrence of tax evasion more effective; and • judgements associated with the risk management approach to compliance programs. |
| Administered: All financial statements line items | Accuracy and completeness of balances due to the ATO’s complex IT business systems and associated processing of taxpayer returns and statements | Higher | • large and complex IT environment with several hundred business applications processing a high volume of transactions through many IT systems that are bespoke or heavily customised to the ATO; and • reliance on bespoke reports to extract large volume and complex data from IT systems for the calculation of balances used in the preparation of the financial statements. |
| Administered: All financial statements line items | Completeness and accuracy of data required for financial reporting purposes due to complex manual processes for compilation of data | Moderate | • manual calculation of complex information in spreadsheets increases the risk of miscalculation due to data linkages and human error. |
       

Source: ANAO 2022–23 risk assessment, and the ATO’s budgeted financial statements for the year ended 30 June 2023.

3.26.8 The ANAO also considers the results of recent performance audits in identifying risks and designing an approach for the financial statements audit.

3.26.9 Auditor-General Report No. 9 2022–23 Management of Cyber Security Supply Chain Risks was tabled during 2022–23 and the observations of this report were considered in assessing the cyber security risks related to the financial statements audit and designing audit procedures to address identified risks.

Audit results

3.26.10 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to the ATO’s business operations which incorporated the ATO’s key financial administration systems and its key revenue collection processes.

3.26.11 Audit procedures relating to the ANAO’s interim audit coverage included an assessment of the ATO’s IT general controls. The assessment included a review of: logical security, management and controls over changes and releases in the ATO’s key business systems. Audit procedures are currently in progress over: cash; appropriations; special accounts; asset management; payroll processing; suppliers’ expenses; leases; taxes144; excise; super guarantee charge; penalties and interest; and settlements.

3.26.12 The ANAO will finalise the assessment of the complex manual processes for financial reporting, coverage over the ATO’s external compliance program, administered estimates and receivables and impairment as part of the 2022–23 final audit. The ANAO will also conduct further testing on the effective operation of the ATO’s IT application controls during the 2022–23 final audit.

3.26.13 The following table summarises the status of audit findings as at the end of the 2022–23 interim audit as reported by the ANAO.

Table 3.26.4: Status of audit findings raised by the ANAO

| Category | Closing position (2021–22 final) | New findings (2022–23 interim) | Resolved findings (2022–23 interim) | Closing position (2022–23 interim) |
| --- | --- | --- | --- | --- |
| B | 2 | | 1a | 1 |
| Total | 2 | | 1 | 1 |

         

Note a: The moderate audit finding relating to ATO assurance over extracts of data has been downgraded to a minor audit finding.

Resolved moderate audit finding
ATO assurance over extracts of data

3.26.14 Reports from ATO systems are extracted by running queries written in structured query language (SQL). The completeness and accuracy of these SQL queries are reliant upon a set of controls surrounding the development, maintenance and execution of the queries to ensure that underlying systems, if changed or amended, do not adversely affect the operation of the queries. These controls are evidenced by the ATO in assurance statements provided to the ANAO as part of the financial statements audit.

3.26.15 In 2021–22, the ANAO identified system changes that had not been reflected in the assurance statements provided to support data assurance testing over relevant SQL queries. This resulted in two incomplete datasets being provided to the ANAO.

3.26.16 During the 2022–23 interim audit, the ANAO reviewed the ATO’s implementation of process improvements in relation to assurance over data extracts provided to the ANAO. The ANAO has confirmed that the assurance statements provided by the ATO for the interim audit incorporate all system changes. However, the ATO’s documentation of its overarching framework has not been finalised. As a result of remediation activities undertaken, the ANAO has downgraded the audit finding to a minor audit finding, pending finalisation of the documented framework. This will be reviewed by the ANAO during the 2022–23 final audit.

Unresolved moderate audit finding
Uneconomic to pursue debt and re-raises

3.26.17 In 2021–22, the ANAO identified issues associated with the ATO’s treatment of debts considered to be uneconomical to pursue (non-pursued debt). These included:

  • the period during which the automatic re-raise functionality was switched off, which resulted in the ATO not re-raising debts that had previously been identified as uneconomical to pursue where the taxpayer became entitled to a credit; and
  • the use of exclusionary criteria that had the effect of preventing a re-raise on a taxpayer’s account for non-pursued debt that met certain criteria.

In both cases, there was a potential effect of a taxpayer being able to receive a full credit despite having a debt owed to the Commonwealth. At the end of the 2021–22 final audit, system offsetting of credits against non-pursued debt had recommenced.

3.26.18 During the 2022–23 interim audit, the ATO commenced a project to remove exclusionary criteria by 30 June 2023. The ANAO will review this project’s progress against key milestones during the 2022–23 final audit.

Conclusion

3.26.19 At the completion of the interim audit, and except for the finding outlined above, the ANAO identified that key elements of internal control were operating effectively to provide reasonable assurance that the ATO will be able to prepare financial statements that are free from material misstatement. The effective operation of these controls for the full financial year will be assessed in conjunction with additional audit testing during the 2022–23 final audit.

3.27 Reserve Bank of Australia

Overview

3.27.1 The objectives of the Reserve Bank of Australia (RBA) are to determine and implement monetary policy that contributes to the stability of the currency and maintains full employment, to work to maintain a strong financial system and efficient payments system, and to issue the nation’s banknotes. As well as being a policymaking body, the RBA provides selected banking services to a range of Australian Government entities and to a number of overseas central banks and official institutions. The RBA is also responsible for the management of Australia’s gold and foreign exchange reserves.

3.27.2 Figure 3.27.1 below shows the 2021–22 financial statements items reported by the Reserve Bank of Australia and the key areas of financial statements risk.

Figure 3.27.1: Key financial statements items and areas of financial statements risk

Source: ANAO analysis and RBA’s audited financial statements for the year ended 30 June 2022.

3.27.3 The ANAO’s audit approach identifies key areas of risk that have the potential to impact on RBA’s financial statements. The ANAO’s risk assessment process considers the nature of the financial statements items and an understanding of RBA’s environment and governance arrangements, including its financial reporting regime and system of internal control.

3.27.4 In light of the key areas of risk and the ANAO’s understanding of the operations of RBA, the ANAO has assessed the overall risk of material misstatement in the 2022–23 financial statements audit as moderate.

Key financial statements items

3.27.5 RBA does not receive any annual appropriation funding. The operational functions of RBA are funded from the following sources: net interest income earnings and fees and commission income.

3.27.6 Table 3.27.1 and Table 3.27.2 below provide a summary of the key 2022–23 departmental and administered estimated financial statements items.

Table 3.27.1: Key expenses and total own-sourced income

| Expenses and own-source income | Actual ($m) 2021–22 |
| --- | --- |
| Total expenses | 45,559 |
| Net loss on securities and foreign exchange | 44,898 |
| General administrative | 470 |
| Other | 191 |
| Total own-source income | 8,859 |
| Net interest income | 8,458 |
| Fees and commission | 376 |
| Other | 25 |
| Net (loss) | (36,700) |

   

Source: RBA 2021–22 audited financial statements.

Table 3.27.2: Key assets and liabilities

| Assets and liabilities | Actual ($m) 2021–22 |
|---|---|
| Total assets | 613,774 |
| Cash and cash equivalents | 482 |
| Australian dollar investments | 538,142 |
| Foreign currency investments | 66,497 |
| Gold | 6,772 |
| Property, plant and equipment | 744 |
| Other | 1,137 |
| Total liabilities | 626,217 |
| Deposits | 513,757 |
| Distribution payable to the Commonwealth | - |
| Australian banknotes on issue | 102,345 |
| Other | 10,115 |
| Net (liabilities) | (12,443) |

Note: RBA staffing level at 30 June 2022 was 1,428 including non-ongoing contractors and excluding Note Printing Australia Limited as reported in the 2021–22 annual report.

Source: RBA 2021–22 audited financial statements.

Key areas of financial statements risk

3.27.7 The ANAO undertakes appropriate audit procedures on all material items and focuses audit effort on those areas that are assessed as having a higher risk of material misstatement. The ANAO also assesses the information technology (IT) general and application controls for key systems that support the preparation of RBA’s financial statements. Areas highlighted for specific audit coverage in 2022–23 are provided below in Table 3.27.3.

Table 3.27.3: Key areas of financial statements risk

| Relevant financial statements line item | Key area of risk | Audit risk rating | Factors contributing to risk assessment |
|---|---|---|---|
| Australian dollar investments $538,142 million; foreign currency investments $66,497 million; net loss on securities and foreign exchange $44,898 million | Valuation of Australian dollar securities and foreign currency investments (KAM) | Higher | complexity in determining the fair value of a range of investments and securities; and significant financial impact from any fluctuations in the valuation of the Australian dollar. |
| Australian banknotes on issue $102,345 million | Accuracy of the liability for the Australian banknotes | Higher | accuracy of the liability for Australian banknotes on issue is dependent on the assumption that legal tender status is retained by all Australian notes on issue; and significant financial impact from any fluctuations in the value of the Australian dollar supply and security of banknotes. |
| Superannuation assets (a component of other assets $1,137 million); superannuation reserve $828 million | Valuation of the defined benefit superannuation funds | Moderate | estimation uncertainty in the selection of parameters used and assumptions made in the valuation of the superannuation fund. |

Source: ANAO 2022–23 risk assessment, and RBA’s audited financial statements for the year ended 30 June 2022.

Audit results

3.27.8 The ANAO has completed its 2022–23 interim audit coverage, including an assessment of the controls relating to: the initiation, authorisation, settlement and recording of Australian dollar investments and foreign currency investments; the return and issuance of Australian banknotes on issue; and the design and implementation of IT general controls.

3.27.9 Audit procedures relating to superannuation and unsettled purchases of securities and testing of IT general and application controls will be undertaken as part of the planned 2022–23 final audit.

3.27.10 To date, our audit coverage of the above areas has not identified any new significant or moderate audit findings.145

Conclusion

3.27.11 Based on our audit coverage to date, key elements of internal control were operating effectively to provide reasonable assurance that RBA will be able to prepare financial statements that are free from material misstatement. The effective operation of these internal controls for the full financial year will be assessed during the 2022–23 final audit.

Appendices

Appendix 1 Listing of entities by portfolio

1. The following entities have been considered in this report, selected on the basis of their contribution to the income, expenses, assets and liabilities within the consolidated financial statements. These include all departments of state and a number of major Australian government entities.146 The National Indigenous Australians Agency is also included in this report given the role it plays working across government with indigenous communities and stakeholders.

2. The entities are presented in order of portfolio.

  • Department of Agriculture, Fisheries and Forestry
  • Attorney-General’s Department
  • Department of Climate Change, Energy, the Environment and Water
    • Snowy Hydro Limited
  • Department of Defence
    • Department of Veterans’ Affairs
  • Department of Education
  • Department of Employment and Workplace Relations
  • Department of Finance
    • Future Fund Management Agency
  • Department of Foreign Affairs and Trade
  • Department of Health and Aged Care
  • Department of Home Affairs
  • Department of Industry, Science and Resources
  • Department of Infrastructure, Transport, Regional Development, Communications and the Arts
    • Australian Postal Corporation
    • NBN Co Limited
  • Department of Parliamentary Services
  • Department of the Prime Minister and Cabinet
    • National Indigenous Australians Agency
  • Department of Social Services
    • National Disability Insurance Agency
    • Services Australia
  • Department of the Treasury
    • Australian Office of Financial Management
    • Australian Taxation Office
    • Reserve Bank of Australia

Appendix 2 The financial reporting and auditing standards frameworks for 2022–23

1. The figure below depicts the standard setting framework for financial reporting and auditing, in the Australian Government context.

Figure A.1: Australian Government standard setting framework

Appendix 3 The financial reporting and auditing framework for the 2022–23 financial statements

1. Key elements of the Australian Government’s financial reporting and auditing framework are outlined in the figure below.

Figure A.2: Australian Government financial reporting framework

Source: ANAO compilation.

Australian Government reporting entities

Commonwealth Government of Australia

2. Section 48 of the PGPA Act requires the Minister for Finance to prepare annual consolidated financial statements and give the statements to the Auditor-General.

3. The PGPA Act prescribes Australian Accounting Standards (AASs) and any other requirements prescribed by the PGPA rules, as the applicable financial reporting framework for the preparation of annual consolidated financial statements.

Commonwealth entities

4. Section 11 of the PGPA Act determines that there are two types of Commonwealth entities: a non-corporate Commonwealth entity, which is a Commonwealth entity that is not a body corporate147; and a corporate Commonwealth entity, which is a Commonwealth entity that is a body corporate and legally separate from the Commonwealth.

5. Section 41 of the PGPA Act requires the accountable authority of a Commonwealth entity to maintain records, internal controls, procedures and processes that comply with the PGPA rules and support the preparation of financial statements.

6. Section 42 of the PGPA Act requires the accountable authority of a Commonwealth entity to prepare annual financial statements that comply with the AAS and any other requirements prescribed by the PGPA rules.

Commonwealth companies and subsidiaries

7. Commonwealth companies are companies that are controlled by the Australian Government through majority share holdings, voting rights, or via control over the composition of the company’s board. Commonwealth companies operate and prepare financial statements under the Corporations Act 2001 (Corporations Act).

8. The applicable financial reporting framework for Commonwealth companies is the Corporations Act, including the AASs and the Corporations Regulations.

9. The Directors of a Commonwealth company, or a company that is a subsidiary of either a Commonwealth entity or a Commonwealth company, are responsible for the preparation of financial statements that give a true and fair view and for maintaining records, internal controls, procedures and processes that support the preparation of the financial statements.

Other bodies

10. The ANAO audits the financial statements of other bodies under Commonwealth legislation other than the PGPA Act, including the ‘by arrangement’ provisions in section 20 of the Auditor-General Act 1997. Examples of these other bodies include statutory bodies not established as Commonwealth entities or trusts. The financial reporting framework applicable to these other bodies depends on legislation and rules that govern that entity.

Audit of Australian Government entity financial statements

11. The ANAO undertakes audit procedures over the financial statements and the systems and processes used for the preparation of the financial statements. Once this audit work is completed, the ANAO will form an opinion on whether the financial statements are free from material misstatement, comply with applicable accounting standards and any other rules, and present fairly the financial position, financial performance and cashflows of the entity. These audit procedures are conducted in accordance with the ANAO Auditing Standards, which incorporate the Australian Auditing Standards and provide reasonable assurance that the entities have prepared financial statements that are free of material misstatement.

Audit scope

12. Audit procedures include an examination of the entity’s records and its internal controls, information systems, control procedures and statutory disclosure requirements. Evidence supporting the amounts and other information in the statements is examined on a test basis, and the entity’s accounting policies and significant accounting estimates are evaluated.

13. Responsibility for the prevention and detection of fraud and error within the entity rests with those charged with the accountable authority and the management of the entity. The auditor is not responsible for the prevention or detection of fraud and error.

The auditor’s report on financial statements

14. The ANAO auditor’s report on the financial statements includes a statement of the auditor’s opinion as to whether the financial statements present fairly the entity’s financial position, the results of its operations and its cash flows in accordance with the applicable financial reporting framework. The audit opinion can be presented in different forms and the auditor’s report may draw to the reader’s attention other matters.

Form of auditor’s opinion

15. An auditor’s opinion is described as ‘unmodified’ when the auditor concludes that the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework.

16. An auditor’s opinion may be ‘modified’ in one of three ways:

  • A ‘qualified opinion’ is expressed when the auditor, having obtained sufficient appropriate audit evidence, concludes that misstatements, individually or in aggregate, are material but not pervasive to the financial statements. A ‘qualified opinion’ is also expressed when the auditor, having been unable to obtain sufficient appropriate audit evidence, concludes that the possible effects on the financial statements of undetected misstatements could be material but not pervasive.
  • A ‘disclaimer of opinion’ is expressed when the auditor, having been unable to obtain sufficient appropriate audit evidence on which to base the opinion, concludes that the possible effects on the financial statements of undetected misstatements could be both material and pervasive. A ‘disclaimer of opinion’ is also expressed when the auditor, having been able to obtain sufficient appropriate audit evidence regarding individual uncertainties, concludes that the potential interaction of the uncertainties and their possible cumulative effect on the financial report cannot be determined.
  • An ‘adverse opinion’ is expressed when the auditor, having obtained sufficient appropriate audit evidence, concludes that misstatements individually or in aggregate, are both material and pervasive to the financial statements.

Emphasis of matter

17. An ‘emphasis of matter’ paragraph is included in the auditor’s report when the auditor considers it necessary to draw to users’ attention a matter presented in the financial statements that, in the auditor’s judgement, is of such importance that it is fundamental to the users’ understanding of the financial statements. The circumstances in which an emphasis of matter is used include:

  • when financial statements and the auditor’s report have been issued and a fact is discovered that leads to revised financial statements and a new auditor’s report being prepared; and
  • when financial statements have been prepared in accordance with a special purpose framework, and as a result the financial statements may not be suitable for another purpose.

Other matter

18. The auditor’s report on the financial statements may also include a reference to an ‘other matter’. This allows the auditor to communicate a matter other than a matter that is presented or disclosed in the financial statements that, in the auditor’s judgement, is relevant to users’ understanding of the audit, the auditor’s responsibilities or the auditor’s report.

Material uncertainty related to going concern

19. The auditor’s report on the financial statements will also include a reference to a ‘material uncertainty related to going concern’ when there are possible or actual events or conditions that may cast significant doubt on an entity’s ability to continue as a going concern and the financial statements include adequate disclosure about the uncertainty and management’s plans to deal with the uncertainty.

Report on other legal and regulatory requirements

20. The auditor’s report on the financial statements may also include a report on other legal and regulatory requirements. This report covers matters that the Auditor-General is required by law to report on in conjunction with the financial statements audit.

Footnotes

1 There is a range of different governance structures within Commonwealth entities depending on particular legal status or enabling legislation. The term ‘accountable authority’, as defined in the PGPA Act, is used in this report to describe the person or body responsible for an entity’s governance.

2 The 15 entities are: Attorney-General’s Department, Australian Taxation Office, Departments of: Climate Change, Energy, the Environment and Water; Defence; Education; Employment and Workplace Relations; Finance; Health and Aged Care; Home Affairs; Infrastructure, Transport, Regional Development, Communications and the Arts; Social Services; the Treasury; and Veterans’ Affairs, National Disability Insurance Agency and Services Australia.

3 The PGPA Act section 13 defines officials of Commonwealth entities.

4 In accordance with section 8 of the PGPA Act, finance law means the PGPA Act or PGPA Rules, any instrument made under the PGPA Act or Appropriation Acts.

5 For Commonwealth entities.

6 For Commonwealth companies.

7 The ANAO has not audited the effectiveness of the executive management structures.

8 The three entities are: Future Fund Management Agency, NBN Co. Limited and Reserve Bank of Australia.

9 In accordance with section 8 of the PGPA Act finance law means the PGPA Act or PGPA Rules, any instrument made under the PGPA Act, or Appropriation Acts.

10 RMG 214 does not apply to NBN Co Limited or Snowy Hydro Limited as they are Commonwealth companies. Both entities are required to report significant issues to the Minister in accordance with the PGPA Act and other matters as required under the Corporations Act 2001.

11 Department of Home Affairs 2021–22 Annual Report, pg. 250.

12 Department of Industry, Science and Resources 2021–22 Annual Report, pg. 61.

13 Department of Defence 2021–22 Annual Report, pg. 89.

14 This analysis excludes the NBN Co Limited and Snowy Hydro Limited as RMG 214 is not relevant to Commonwealth companies. The analysis also excludes the Department of Climate Change, Energy, the Environment and Water and the Department of Employment and Workplace Relations as these entities came into existence on 1 July 2022. The totals do not include any breaches relating to the Reserve Bank of Australia as the entity did not provide information relating to the number of instances of non-compliance with finance laws.

15 A total of 740,797 instances were identified where legal advice concluded that TIS operators were not prescribed as Officials under the PGPA Act and did not hold delegations under section 23 of the PGPA Act.

16 The entities are the Australian Taxation Office, Future Fund Management Agency and Reserve Bank of Australia.

17 The entities are the Australian Office of Financial Management, departments of: Climate Change, Energy, the Environment and Water; Defence; Education; Employment and Workplace Relations; Foreign Affairs and Trade; Health and Aged Care; Industry, Science and Resources; Infrastructure, Transport, Regional Development, Communications and the Arts; Prime Minister and Cabinet; Social Services; and the Treasury; National Indigenous Australians Agency, NBN Co. Limited, and Snowy Hydro Limited.

18 Procurement related topics are included in the 2022–23 internal audit program for the departments of: Agriculture, Fisheries and Forestry; Defence; Employment and Workplace Relations; Health and Aged Care; Infrastructure, Transport, Regional Development, Communications and the Arts; Prime Minister and Cabinet; and Veterans’ Affairs; National Disability Insurance Agency and Reserve Bank of Australia.

19 Training is required to be undertaken annually for the Department of Agriculture, Fisheries and Forestry; Future Fund Management Agency; National Disability Insurance Agency; and the Department of the Treasury.

20 The Department of Climate Change, Energy, the Environment and Water and Reserve Bank of Australia require training to be completed every two years.

21 Australian Postal Corporation requires training renewal every three years, and the Department of Foreign Affairs and Trade requires training every three years or once per posting.

22 Australian Public Service Commission, Department of Finance, Machinery of Government changes - A guide for entities, APSC and Finance, Canberra, 2021, p. 9, available from https://www.finance.gov.au/sites/default/files/2021-11/Machinery%20of%20Government%20changes%20guide%202021.pdf [accessed 18 May 2023].

23 Department of State name changes were: Department of Agriculture, Water and the Environment was renamed Department of Agriculture, Fisheries and Forestry; Department of Education, Skills and Employment was renamed Department of Education; Department of Health was renamed Department of Health and Aged Care; Department of Industry, Science, Energy and Resources was renamed Department of Industry, Science and Resources; and Department of Infrastructure, Transport, Regional Development and Communications was renamed Department of Infrastructure, Transport, Regional Development, Communications and the Arts.

24 The entities are Attorney-General’s Department and the Departments of: Agriculture, Fisheries and Forestry; Climate Change, Energy, the Environment and Water; Education; Employment and Workplace Relations; Finance; Foreign Affairs and Trade; Home Affairs; Industry, Science and Resources; Infrastructure, Transport, Regional Development, Communications and the Arts; the Prime Minister and Cabinet; and Social Services.

25 Australian Public Service Commission, Department of Finance, Machinery of Government changes - A guide for entities, APSC and Finance, Canberra, 2021, p. 8, available from https://www.finance.gov.au/sites/default/files/2021-11/Machinery%20of%20Government%20changes%20guide%202021.pdf [accessed 18 May 2023].

26 Australian Public Service Commission, Department of Finance, Machinery of Government changes - A guide for entities, APSC and Finance, Canberra, 2021, p. 20 [accessed 18 May 2023].

27 Committees were established by the Attorney-General’s Department and the Departments of: Agriculture, Fisheries and Forestry; Climate Change, Energy, the Environment and Water; Education; Employment and Workplace Relations; Finance; Home Affairs; Industry, Science and Resources; Infrastructure, Transport, Regional Development, Communications and the Arts; and the Prime Minister and Cabinet.

28 Australian Public Service Commission, Department of Finance, Machinery of Government changes - A guide for entities, APSC and Finance, Canberra, 2021, p. 21 [accessed 18 May 2023].

29 Australian Public Service Commission, Department of Finance, Machinery of Government changes - A guide for entities, APSC and Finance, Canberra, 2021, p. 22 [accessed 18 May 2023].

30 Australian Public Service Commission, Department of Finance, Machinery of Government changes - A guide for entities, APSC and Finance, Canberra, 2021, p. 23 [accessed 18 May 2023].

31 The entities were Attorney-General’s Department and the Departments of: Agriculture, Fisheries and Forestry; Climate Change, Energy, the Environment and Water; Education; Employment and Workplace Relations; Finance; Home Affairs; Industry, Science and Resources; the Prime Minister and Cabinet; and Social Services.

32 Australian Public Service Commission, Department of Finance, Machinery of Government changes - A guide for entities, APSC and Finance, Canberra, 2021, p. 8 [accessed 18 May 2023].

33 Australian Public Service Commission, Department of Finance, Machinery of Government changes - A guide for entities, APSC and Finance, Canberra, 2021, p. 8 [accessed 18 May 2023].

34 A formalised risk assessment was performed by the Departments of: Climate Change, Energy, the Environment and Water; Education; Employment and Workplace Relations; Foreign Affairs and Trade; Home Affairs; Industry, Science and Resources; Infrastructure, Transport, Regional Development, Communications and the Arts; and Social Services.

35 Further details of the findings are included in Chapter 3 from paragraph 3.7.12 for the Department of Education and paragraph 3.8.14 for the Department of Employment and Workplace Relations.

36 This issue relates to the Department of Employment and Workplace Relations.

37 Entities are recommended by the Australian Cyber Security Centre to implement eight essential mitigation strategies as a baseline. This baseline, known as the Essential Eight, makes it much harder for adversaries to compromise systems.

38 Attorney-General’s Department, Protective Security Policy Framework, Policy 10 Safeguarding information from cyber threats, available from https://www.protectivesecurity.gov.au/information/safeguarding-information-from-cyber-threats/Pages/default.aspx [accessed 18 May 2023].

39 The Essential Eight strategies were mandated on 15 March 2022.

40 Australian Signals Directorate, Strategies to Mitigate Cyber Security Incidents, AU, 2017, available from https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents [accessed 18 May 2023].

41 The purpose of application control is to protect systems and networks from security vulnerabilities in existing applications and prevent unauthorised applications from running on information and communications technology (ICT) systems.

42 To protect ICT systems from known vulnerabilities, the patching applications and operating system strategies require entities to deploy security patches as soon as possible after being identified by vendors, independent third parties, system managers or users.

43 Effectively configured Microsoft Office macro settings address adversaries’ attempts to create macros that can deny users’ access to sensitive or classified information.

44 When applications are frequently updated and appropriate security settings applied, it is more difficult for adversaries to exploit any security vulnerabilities they may discover. Disabling unneeded features in Microsoft Office and configuring web browsers to block Flash, Internet advertisements and Java further reduces the risk of malicious content being introduced to entities’ ICT environments.

45 Misuse of privileged access can lead to significant security compromises, such as the unauthorised disclosure of information, systems or processes becoming unavailable, or financial impropriety. The restricting administrative privileges strategy includes a requirement for administrative privileges to be regularly reviewed, and restricted only to users who need them and are duly authorised.

46 Multi-factor authentication requires users to provide at least two independent methods to gain access to an ICT system. These may include:

  • something a user knows, such as a password;
  • something a user has, such as a physical token or software-based certificate; and
  • something unique to the user, such as their fingerprint.

47 Backups should be protected to ensure that information can be accessed following a cyber security incident.

48 Australian Signals Directorate, Strategies to Mitigate Cyber Security Incidents, AU, 2017, available from https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents [accessed 18 May 2023].

49 The Australian Cyber Security Centre has developed a prioritised list of 37 mitigation strategies, which includes the Essential Eight. NCEs are required to consider the other 29 mitigation strategies in addition to implementing the Essential Eight.

50 Five entities in this report are corporate Commonwealth entities or Commonwealth companies and are not required to report on compliance with the PSPF. These entities are: Australian Postal Corporation; National Disability Insurance Agency; NBN Co. Limited; Reserve Bank of Australia; and Snowy Hydro Limited. The Departments of: Climate Change, Energy, the Environment and Water and Employment and Workplace Relations were not required to report on compliance with the PSPF as they did not exist at 30 June 2022.

51 Policy 10 requirements were updated in March 2022 which required NCEs to implement ASD’s Maturity Level Two Essential Eight mitigation strategies. NCEs were not required to implement the March 2022 requirements until July 2022.

52 Attorney-General’s Department, Protective Security Policy Framework, Policy 3 Security planning and risk management, available from https://www.protectivesecurity.gov.au/system/files/2023-04/pspf-policy-3-security-planning-and-risk-management.pdf [Accessed 18 May 2023].

53 Attorney-General’s Department, Protective Security Policy Framework, Policy 11 Robust ICT Systems, available from https://www.protectivesecurity.gov.au/system/files/2023-05/pspf-policy11-robust-ict-systems.pdf [Accessed 18 May 2023].

54 Joint Committee of Public Accounts and Audit, Report 485, Cyber Resilience, available from https://parlinfo.aph.gov.au/parlInfo/download/committees/reportjnt/024465/toc_pdf/Report485CyberResilience.pdf;fileType=application%2Fpdf [accessed on 20 April 2023].

55 Auditor-General Report No. 53 2017–18 Cyber Resilience, available from https://www.anao.gov.au/work/performance-audit/cyber-resilience-2017-18 [accessed on 20 April 2023].

56 Auditor-General Report No. 32 2020–21 Cyber Security Strategies of Non-Corporate Commonwealth Entities, available from https://www.anao.gov.au/work/performance-audit/cyber-security-strategies-non-corporate-commonwealth-entities [accessed 20 April 2023].

57 At time of compilation, assessments of the control environments of the Department of Parliamentary Services; Reserve Bank of Australia; and Snowy Hydro Limited were still ongoing. Findings raised in the course of the audit have been reflected in this report.

58 Attorney-General’s Department (AGD), Protective Security Policy Framework, AGD, Canberra, 2022, https://www.protectivesecurity.gov.au/ [Accessed 18 May 2023].

59 Australian Signals Directorate, Information Security Manual, Australian Cyber Security Centre, Canberra 2022, https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism [Accessed 18 May 2023].

60 Further details regarding the moderate findings can be found in chapter 3 for the Attorney-General’s Department and the Departments of: Climate Change, Energy, the Environment and Water; Defence; Education; Employment and Workplace Relations; Finance; Infrastructure, Transport, Regional Development, Communications and the Arts; Social Services; the Treasury; Veterans’ Affairs; and National Disability Insurance Agency and Services Australia.

61 Australian Signals Directorate, Information Security Manual, Australian Cyber Security Centre, Canberra 2022, p. 37.

62 Multi-factor authentication uses two or more authentication factors to confirm a user’s identity. This may include: something a user knows, such as a password; something a user has, such as a Universal 2nd factor security key, physical one-time password token or smartcard and something a user is, such as a fingerprint or their facial geometry.

63 Australian Signals Directorate, Information Security Manual, Australian Cyber Security Centre, Canberra 2023, p. 97.

64 ITIL is a framework for designing, implementing, delivering and managing IT services. It was originally developed in the 1990s with the support of the UK Government and has been widely adopted by public and private sector entities world-wide.

65 The Paris Agreement is a legally binding international treaty on climate change effective 4 November 2016. Its overarching goal is to hold ‘the increase in the global average temperature to well below 2°C above pre-industrial levels’ and pursue efforts ‘to limit the temperature increase to 1.5°C above pre-industrial levels.’ In recent years, world leaders have stressed the need to limit global warming to 1.5°C by the end of this century. United Nations Climate Change, The Paris Agreement [Internet], UNCC, available from https://unfccc.int/process-and-meetings/the-paris-agreement [accessed 17 March 2023].

66 Dr J Chalmers (Treasurer), ‘More transparency and more investment in cleaner and cheaper energy’, media release, Treasury, Canberra, 12 December 2022.

67 Climate-related disclosures will be aligned with the international Task Force of Climate-related Financial Disclosures (TCFD) recommendations, which includes disclosures regarding governance, strategy, risk management and targets and metrics including greenhouse gases. TCFD, Reporting Climate-Related Financial Information: Critical Introductory Materials [Internet], TCFD, available from https://www.fsb-tcfd.org/publications [accessed 17 March 2023].

68 The Treasury, Consultation Paper: Climate-related financial disclosure [Internet], The Treasury, available from https://treasury.gov.au/sites/default/files/2022-12/c2022-314397_0.pdf [accessed 16 January 2023].

69 Department of Finance, APS Net Zero Emissions by 2030 [Internet], Department of Finance, available from https://www.finance.gov.au/government/aps-net-zero-emissions-2030 [Accessed 17 March 2023].

70 Department of Climate Change, Energy, the Environment and Water, Climate Compass – A climate risk management framework for Commonwealth agencies [Internet], DCCEEW, available from https://www.dcceew.gov.au/climate-change/policy/adaptation/publications/climate-compass-climate-risk-management-framework [Accessed 17 March 2023].

71 Department of Finance, PGPA Newsletter 87, [Internet], Department of Finance, available from https://www.finance.gov.au/about-us/newsletters/2022/pgpa-newsletter-87 [Accessed 17 March 2023].

72 Performance audits have been included in this report where they are relevant to the 2022–23 financial statements audit.

73 Anindilyakwa Land Council, Army and Air Force Canteen Service, Australian Secret Intelligence Service, Bundanon Trust, Grains Australia Limited, Royal Australian Air Force Welfare Trust Fund, Royal Australian Navy Central Canteens Board, Wheat Quality Australia, Win with Navy Ltd, and Tiwi Land Council.

74 Entity names are as at 30 June 2022 and information does not reflect the impact of Machinery of Government changes that were effective 1 July 2022.

75 Entity names are as at 30 June 2022 and information does not reflect the impact of Machinery of Government changes that were effective 1 July 2022.

76 The ANAO’s rating scale for findings can be found in Chapter 1 at Table 1.5.

77 As at 30 April 2023.

78 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

79 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

80 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

81 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

82 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

83 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

84 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

85 Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

86 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

87 The 2021–22 audit also did not identify any significant or moderate audit findings.

88 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

89 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

90 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

91 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

92 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

93 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

94 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

95 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

96 Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

97 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

98 Loan balances to be reviewed and assessed include Vocational Student and Trade Support loans.

99 Audit procedures will be performed over the Workforce Australia and apprenticeship compliance programs.

100 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

101 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

102 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

103 The 2021–22 audit also did not identify any significant or moderate audit findings.

104 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

105 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

106 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

107 The 2021–22 audit also did not identify any significant or moderate audit findings.

108 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

109 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

110 Changes were made to the Administrative Arrangements Orders on 13 October 2022 to clarify the Attorney-General’s Department has responsibility for cybercrime functions.

111 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

112 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

113 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

114 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

115 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

116 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

117 The 2021–22 audit also did not identify any significant or moderate audit findings.

118 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

119 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

120 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

121 The 2021–22 audit also did not identify any significant or moderate audit findings.

122 The 2021–22 audit also did not identify any significant or moderate audit findings.

123 Supply (Parliamentary Departments) Act (No. 1) 2022–2023; Supply (Parliamentary Departments) Act (No. 2) 2022–2023; and Appropriation (Parliamentary Departments) Act (No. 1) 2022–2023.

124 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

125 Supply Act (No. 1) 2022–2023; Supply Act (No. 3) 2022–2023; and Appropriation Act (No. 1) 2022–2023.

126 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

127 The 2021–22 audit also did not identify any significant or moderate audit findings.

128 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; and Appropriation Act (No. 1) 2022–2023.

129 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

130 The 2021–20 audit also did not identify any significant or moderate audit findings.

131 Includes transfers of annual appropriations via determinations made under section 75 of the Public Governance, Performance and Accountability Act 2013.

132 Supply Act (No. 1) 2022–2023; Supply Act (No. 3) 2022–2023; and Appropriation Act (No. 1) 2022–2023.

133 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

134 Supply Act (No. 1) 2022–2023; Supply Act (No. 3) 2022–2023; and Appropriation Act (No. 1) 2022–2023.

135 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

136 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

137 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

138 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

139 Supply Act (No. 1) 2022–2023.

140 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

141 The 2021–22 audit also did not identify any significant or moderate audit findings.

142 Supply Act (No. 1) 2022–2023; Supply Act (No. 2) 2022–2023; Supply Act (No. 3) 2022–2023; Supply Act (No. 4) 2022–2023; Appropriation Act (No. 1) 2022–2023; and Appropriation Act (No. 2) 2022–2023.

143 Part 1: Budget Estimate 2022–23, Special Appropriations Table, Agency Resourcing, Budget Paper No. 4, 2022–2023.

144 Tax audit work includes income tax, fringe benefits tax, petroleum resource rent tax and goods and services tax.

145 The 2021–22 audit also did not identify any significant or moderate audit findings.

146 Including two departments created effective 1 July 2022: Department of Climate Change, Energy, the Environment and Water; and the Department of Employment and Workplace Relations.

147 Three entities have a body corporate status but are prescribed as non-corporate Commonwealth entities. These are the Australian Competition and Consumer Commission; the Australian Prudential Regulation Authority; and the Australian Securities and Investments Commission.